(CAPA) CAPA_ntglobalflag

Download Raw 

rule:
  meta:
    name: check for PEB NtGlobalFlag flag
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: moritz.raabe@fireeye.com
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
    references:
      - Practical Malware Analysis, Chapter 16, p. 355
      - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm
    examples:
      - Practical Malware Analysis Lab 16-01.exe_:0x403530
  features:
    - and:
      - basic block:
        - and:
          - match: PEB access
          - or:
            - or:
              - offset/x32: 0x68 = PEB.NtGlobalFlag
              - offset/x64: 0xBC = PEB.NtGlobalFlag
            - and:
              - mnemonic: add
              - or:
                - number/x32: 0x68 = PEB.NtGlobalFlag
                - number/x64: 0xBC = PEB.NtGlobalFlag
      - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

Associated Techniques

Technique Name Technique ID's Snippet(s) OS
NtGlobalFlag U0111 B0001.036
Created

June 20, 2022

Last Revised

June 20, 2022