Update and promote hide-thread-from-debugger.yml

mandiant · Jul 5, 2023 · a8b8558 · a8b8558
1 parent cb3bc24
commit a8b8558
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 13 deletions.
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -0,0 +1,33 @@
+rule:
+  meta:
+    name: hide thread from debugger
+    namespace: anti-analysis/anti-debugging/debugger-evasion
+    authors:
+      - [email protected]
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Debugger Evasion [T1622]
+    mbc:
+      - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+    references:
+      - https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
+      - https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp
+    examples:
+      - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
+  features:
+    - or:
+      - basic block:
+        - and:
+          - or:
+            - api: NtSetInformationThread
+            - api: ZwSetInformationThread
+          - number: 0x11 = ThreadHideFromDebugger
+      - and:
+        - or:
+          - string: "NtSetInformationThread"
+          - string: "ZwSetInformationThread"
+        - api: GetProcAddress
+        - api: GetCurrentThread
+        - number: 0x11 = ThreadHideFromDebugger
diff --git a/nursery/hide-thread-from-debugger.yml b/nursery/hide-thread-from-debugger.yml