diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index c21d5aff4..8edfa3fc0 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -19,8 +19,8 @@ rule:
 - match: link function at runtime on Windows
 - or:
 - api: kernel32.VirtualProtect
- - api: ntdll.NtProtectVirtualMemory
- - api: ntdll.ZwProtectVirtualMemory
+ - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
+ - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
 - string: "VirtualProtect"
 - string: "NtProtectVirtualMemory"
 - string: "ZwProtectVirtualMemory"
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
similarity index 89%
rename from anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml
rename to anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index d3e3188e8..8a7324bf3 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -1,7 +1,7 @@
 # generated using capa explorer for IDA Pro
 rule:
 meta:
- name: detect VM via disk hardware WMI queries
+ name: detect VM via disk hardware WMI queries
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - anders.vejlby@mandiant.com
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
similarity index 100%
rename from anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml
rename to anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
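Review bot: Dropping the module qualifier on the second added line makes `api: ZwProtectVirtualMemory` match an import from any module, so a kernel driver importing it from ntoskrnl can presumably now satisfy this `or`, while the sibling `kernel32.VirtualProtect` and `ntdll.NtProtectVirtualMemory` alternatives stay user-mode only; if that broadening is intended, the rule's scope and description (outside this hunk) should say that drivers are in scope too, and the comment would be clearer as `# unqualified on purpose: exported by ntdll and ntoskrnl, so driver imports match too`. The three `string:` alternatives below already catch dynamically resolved names, so the `api:` lines only change import-table matching. The inline comments should have two spaces before `#` to satisfy yamllint's comments rule. The enclosing `rule:` mapping starts and ends outside the hunk.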
diff --git a/nursery/get-windows-directory-from-kuser_shared_data.yml b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
similarity index 100%
rename from nursery/get-windows-directory-from-kuser_shared_data.yml
rename to host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
diff --git a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
similarity index 91%
rename from data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
rename to nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
index c3bfecdf5..03ff61292 100644
--- a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
+++ b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
@@ -10,8 +10,6 @@ rule:
 mbc:
 - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
 - Data::Encode Data::XOR [C0026.002]
- examples:
- - 9176F177BD88686C6BEB29D8BB05F20C:0x180001000
 features:
 - and:
 - match: write file on Windows
diff --git a/nursery/encrypt-data-using-aes.yml b/nursery/encrypt-data-using-aes.yml
index ef244f013..db463beea 100644
--- a/nursery/encrypt-data-using-aes.yml
+++ b/nursery/encrypt-data-using-aes.yml
@@ -15,8 +15,6 @@ rule:
 references:
 - https://github.com/JusticeRage/Manalyze/blob/8e77642c911d5d82b5f43b198667ab8c77a88763/bin/yara_rules/findcrypt.yara#L351
 - https://github.com/creaktive/tsh/blob/53b822b9a07d8cc65f1f31c915cf834a2944e833/aes.c
- examples:
- - D6EFF9EFA6F93CDE95E7A4194C1BC6EE:0x180002F50
 features:
 - or:
 - bytes: 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 = AES_SBOX_ENC