(CAPA) CAPA_Unhook-FreeLibrary

Updated 11 months, 1 week ago.

rule:
  meta:
    name: API pattern detection for removing EDR/AV hooks
    namespace: anti-analysis/anti-av
    authors:
      - github.com/west-wind
    scope: basic block
    mbc:
      - Defense Evasion::Disable or Evade Security Tools [F0004]
    examples:
      - 7cacd0b11497bcdd2db0ee3ae9580bdd:0x403ED2
      - 7cacd0b11497bcdd2db0ee3ae9580bdd:0x403ED9
  features:
    - and:
      - api: GetModuleHandleA
      - api: FreeLibrary
      - or:
        - string: /(\w|\d)+\.dll/i
          description: Regex match on AV/EDR dll name
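The feature tree above is an and/or expression over API names and a string regex, evaluated per basic block. The Python below is an added example, not capa's own matching engine and not the rule author's code: it transcribes the rule's logic into a small evaluator and runs it over two constructed basic-block feature sets (API names and strings standing in for what capa's extractors would produce from the binary).

```python
"""Evaluate the CAPA_Unhook-FreeLibrary feature tree against basic-block features.

Added example: this is a stand-alone re-implementation of only the and/or/api/string
node types the rule above uses, not capa's matcher. Feature sets are constructed.
"""
import re

# The rule's feature tree, transcribed from the YAML above.
RULE = {
    "and": [
        {"api": "GetModuleHandleA"},
        {"api": "FreeLibrary"},
        {"or": [
            # Same regex as the rule: word characters, then ".dll", case-insensitive.
            {"string": r"/(\w|\d)+\.dll/i"},
        ]},
    ]
}


def compile_string_feature(pattern):
    """Return a predicate for a capa string feature.

    capa writes regex string features as /body/ with an optional trailing 'i'
    flag; anything else is an exact-match literal.
    """
    if pattern.startswith("/") and pattern.count("/") >= 2:
        body, _, flags = pattern[1:].rpartition("/")
        re_flags = re.IGNORECASE if "i" in flags else 0
        regex = re.compile(body, re_flags)
        return lambda s: regex.search(s) is not None
    return lambda s: s == pattern


def matches(node, features):
    """Recursively evaluate a rule node.

    features is a dict: 'api' -> set of imported/called API names,
    'string' -> set of strings referenced in the basic block.
    """
    if "and" in node:
        return all(matches(child, features) for child in node["and"])
    if "or" in node:
        return any(matches(child, features) for child in node["or"])
    if "api" in node:
        return node["api"] in features.get("api", set())
    if "string" in node:
        predicate = compile_string_feature(node["string"])
        return any(predicate(s) for s in features.get("string", set()))
    raise ValueError(f"unsupported node type: {node}")


def rule_matches(features):
    """True when the basic-block features satisfy the rule's feature tree."""
    return matches(RULE, features)


# Constructed feature sets (not extracted from any real sample).
SUSPECT_BLOCK = {
    "api": {"GetModuleHandleA", "FreeLibrary"},
    "string": {"ntdll.dll"},
}
BENIGN_BLOCK = {
    # Resolves a module handle but never unloads it.
    "api": {"GetModuleHandleA", "GetProcAddress"},
    "string": {"ntdll.dll"},
}

if __name__ == "__main__":
    for label, block in (("suspect", SUSPECT_BLOCK), ("benign", BENIGN_BLOCK)):
        print(f"{label}: {rule_matches(block)}")
```

Running it reports the first block as a match and the second as no match. Note that the regex `/(\w|\d)+\.dll/i` matches any module name ending in .dll, not only security products' DLLs, so the rule's specificity comes from GetModuleHandleA and FreeLibrary appearing together in one basic block rather than from the string feature; analysts triaging a hit should check which module handle actually reaches FreeLibrary.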

Associated Techniques

Technique Name                      Technique ID    Has Snippet(s)
Unloading Module with FreeLibrary   U0519