host-interaction/file-system/windows-file-protection

bypass Windows File Protection

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: bypass Windows File Protection
    namespace: host-interaction/file-system/windows-file-protection
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007]
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x401174
  features:
    - and:
      - string: "sfc_os.dll"
        description: System File Checker
      - number: 0x2 = SfcTerminateWatcherThread
      - match: linking/runtime-linking

last edited: 2023-11-24 10:35:00