forked from mandiant/capa-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
delay-execution.yml
31 lines (31 loc) · 1.06 KB
/
delay-execution.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
rule:
meta:
name: delay execution
authors:
lib: true
scope: basic block
mbc:
- Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]
references:
- https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp
examples:
- al-khaser_x86.exe_:0x449770
- B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6
features:
- or:
- api: kernel32.Sleep
- api: kernel32.SleepEx
- api: kernel32.WaitForSingleObject
- api: kernel32.SignalObjectAndWait
- api: kernel32.WaitForSingleObjectEx
- api: kernel32.WaitForMultipleObjects
- api: kernel32.WaitForMultipleObjectsEx
- api: kernel32.RegisterWaitForSingleObject
- api: WaitOnAddress
- api: user32.MsgWaitForMultipleObjects
- api: user32.MsgWaitForMultipleObjectsEx
- api: NtDelayExecution
- api: KeWaitForSingleObject
- api: KeDelayExecutionThread