From 4dbfebf65c2d8089798ec1b99c3a6f8b1d655683 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 7 Jan 2023 10:35:28 +0100
Subject: [PATCH 1/4] Add proc_access_win_invoke_patchingapi

---
 .../proc_access_win_invoke_patchingapi.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_access/proc_access_win_invoke_patchingapi.yml

diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
new file mode 100644
index 000000000..8e7e7a817
--- /dev/null
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -0,0 +1,24 @@
+title: Suspect PatchingAPI
+id: b916cba1-b38a-42da-9223-17114d846fd6
+status: experimental
+description: Detects suspect access such as that used by PatchingAPI
+references:
+    - https://github.com/D1rkMtr/UnhookingPatch
+    - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
+author: Tim Burrell
+date: 2023/01/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.002
+logsource:
+    category: process_access
+    product: windows
+detection:
+    selection:
+        GrantedAccess: '0x1FFFFF'
+        CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
+        CallTrace|contains: '|UNKNOWN('
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium

From 24264407d932009ee2992b76a7bdc652afad0e5f Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 7 Jan 2023 12:32:27 +0100
Subject: [PATCH 2/4] Update detection

---
 .../process_access/proc_access_win_invoke_patchingapi.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index 8e7e7a817..b2643f4c8 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
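Review bot: The `attack.t1562.002` tag in the new rule's `tags` list is the sub-technique "Impair Defenses: Disable Windows Event Logging", while patching EDR hooks out of the ntdll.dll syscall stubs is "Impair Defenses: Disable or Modify Tools", so the line should read `    - attack.t1562.001`. A wrong sub-technique misfiles the rule in ATT&CK Navigator layers and coverage reports rather than merely mislabelling it. Separately, `CallTrace` only exists in Sysmon Event ID 10, so a short hint in `description` such as `Requires Sysmon process access (EID 10) logging with call traces` would save users of other process_access sources from deploying a rule that can never fire.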
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -18,6 +18,7 @@ detection:
         GrantedAccess: '0x1FFFFF'
         CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
         CallTrace|contains: '|UNKNOWN('
+        CallTrace|endswith: ')'
     condition: selection
 falsepositives:
     - Unknown

From 69dbdc2a3428818ba57bb8850dc695facebe5101 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 7 Jan 2023 13:03:21 +0100
Subject: [PATCH 3/4] fix: apply suggestions from code review

---
 .../process_access/proc_access_win_invoke_patchingapi.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index b2643f4c8..4c80cd9ce 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -1,7 +1,7 @@
-title: Suspect PatchingAPI
+title: Potential NT API Stub Patching
 id: b916cba1-b38a-42da-9223-17114d846fd6
 status: experimental
-description: Detects suspect access such as that used by PatchingAPI
+description: Detects potential NT API stub patching as seen used by the project PatchingAPI
 references:
     - https://github.com/D1rkMtr/UnhookingPatch
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20

From f08f3706f7987d15b57082f43c7318c4da0dcbca Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 7 Jan 2023 13:04:57 +0100
Subject: [PATCH 4/4] Update proc_access_win_invoke_patchingapi.yml

---
 .../process_access/proc_access_win_invoke_patchingapi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index 4c80cd9ce..a876d74a3 100644
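Review bot: The added `CallTrace|endswith: ')'`, together with `CallTrace|contains: '|UNKNOWN('`, appears intended to require that the innermost frame is unbacked memory, but nothing in the selection ties that frame to the leading ntdll.dll frame: a trace like `ntdll.dll+X|KERNELBASE.dll+Y|...|UNKNOWN(Z)` still matches, and that is also the shape JIT-compiled .NET/PowerShell code commonly produces when it opens a process with `0x1FFFFF`, so expect noise. The referenced technique presumably invokes the patched stub directly, giving `ntdll.dll+X|UNKNOWN(Z)` with no intermediate frames; Sigma has no positional modifier for that, but `CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[0-9a-fA-F]+\|UNKNOWN\('` expresses it, at the cost of a regex on backends where that is expensive. If the regex is not acceptable, the gap should at least be recorded under `falsepositives` instead of the current `- Unknown`.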
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -5,7 +5,7 @@ description: Detects potential NT API stub patching as seen used by the project
 references:
     - https://github.com/D1rkMtr/UnhookingPatch
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
-author: Tim Burrell
+author: frack113
 date: 2023/01/07
 tags:
     - attack.defense_evasion