diff --git a/nursery/check-thread-suspend-count-exceeded.yml b/nursery/check-thread-suspend-count-exceeded.yml
new file mode 100644
index 00000000..da2c281e
--- /dev/null
+++ b/nursery/check-thread-suspend-count-exceeded.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: check thread suspend count exceeded
+    authors:
+      - ervinocampo@google.com
+    scopes:
+      static: file
+      dynamic: unsupported #requires mnemonic feature
+    att&ck:
+      - Defense Evasion::Debugger Evasion [T1622]
+    mbc:
+      - Anti-Behavioral Analysis::Debugger Detection [B0001]
+    references:
+      - https://secret.club/2021/01/04/thread-stuff.html
+      - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+  features:
+    - and:
+      - match: create thread bypassing process freeze
+      - function:
+        - and:
+          - or:
+            - api: ntdll.NtSuspendThread
+            - string: "NtSuspendThread"
+          - basic block:
+            - and:
+              - number: 0xc000004a = STATUS_SUSPEND_COUNT_EXCEEDED
+              - mnemonic: cmp
diff --git a/nursery/create-thread-bypassing-process-freeze.yml b/nursery/create-thread-bypassing-process-freeze.yml
new file mode 100644
index 00000000..f60e038e
--- /dev/null
+++ b/nursery/create-thread-bypassing-process-freeze.yml
@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: create thread bypassing process freeze
+    authors:
+      - ervinocampo@google.com
+    scopes:
+      static: basic block
+      dynamic: call
+    att&ck:
+      - Defense Evasion::Debugger Evasion [T1622]
+    mbc:
+      - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+    references:
+      - https://secret.club/2021/01/04/thread-stuff.html
+      - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+      - https://www.pinvoke.dev/ntdll/ntcreatethreadex
+      - https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntpsapi.h
+  features:
+    - and:
+      - or:
+        - api: ntdll.NtCreateThreadEx
+        - string: "NtCreateThreadEx"
+      - number: 0x40 = Undocumented thread creation flag dubbed as THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE
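Review bot: The `or:` under `function:` only keys on `ntdll.NtSuspendThread`, but ntdll exports the equivalent `ZwSuspendThread` alias and a sample importing that name would not match; unless capa normalizes Nt/Zw aliases (I don't believe it does), add `- api: ntdll.ZwSuspendThread` and `- string: "ZwSuspendThread"` alongside the existing two entries. Note also that `number: 0xc000004a` and `mnemonic: cmp` are independent features within the `basic block:`, so the rule cannot confirm the compare is against that status — any `cmp` plus that immediate anywhere in the block satisfies it, which is acceptable for a nursery rule but worth stating in the meta. As a style point, the scope comment should read `dynamic: unsupported  # requires mnemonic feature` (two spaces before `#`, one after) to match yamllint's comment rules and the rest of the rule corpus.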
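Review bot: The single `number: 0x40` feature both misses and over-matches: per the referenced phnt header the bypass-freeze flag is commonly OR'd with other create flags such as `THREAD_CREATE_FLAGS_CREATE_SUSPENDED` (0x1) or `THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER` (0x4), in which case the immediate at the call site is 0x41/0x44/0x45 and this rule never fires, while a bare 0x40 is an extremely common constant (e.g. `PAGE_EXECUTE_READWRITE`) that will co-occur with `NtCreateThreadEx` in unrelated basic blocks. I would replace the lone `number:` with an `or:` over the plausible flag combinations and add the `ntdll.ZwCreateThreadEx` alias to the API `or:`. The `string: "NtCreateThreadEx"` branch is only meaningful statically; under `dynamic: call` the name would appear as a `GetProcAddress` argument in a different call, so I'd hedge that in the meta or drop it from the dynamic path — confirm against capa's dynamic string feature semantics.

```yaml
      - or:
        - api: ntdll.NtCreateThreadEx
        - api: ntdll.ZwCreateThreadEx
        - string: "NtCreateThreadEx"
      - or:
        - number: 0x40 = THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE (undocumented; see phnt ntpsapi.h)
        - number: 0x41 = BYPASS_PROCESS_FREEZE | CREATE_SUSPENDED
        - number: 0x44 = BYPASS_PROCESS_FREEZE | HIDE_FROM_DEBUGGER
        - number: 0x45 = BYPASS_PROCESS_FREEZE | HIDE_FROM_DEBUGGER | CREATE_SUSPENDED
```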