security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
69dbdc2a3428818ba57bb8850dc695facebe5101
blue-team-tools/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
T
Nasreddine Bencherchali 69dbdc2a34 fix: apply suggestions from code review
2023-01-07 13:03:21 +01:00

26 lines
738 B
YAML
Raw Blame History

title: Potential NT API Stub Patching
id: b916cba1-b38a-42da-9223-17114d846fd6
status: experimental
description: Detects potential NT API stub patching as seen used by the project PatchingAPI
references:
- https://github.com/D1rkMtr/UnhookingPatch
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: Tim Burrell
date: 2023/01/07
tags:
- attack.defense_evasion
- attack.t1562.002
logsource:
category: process_access
product: windows
detection:
selection:
GrantedAccess: '0x1FFFFF'
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink