hijack thread execution

rule:
  meta:
    name: hijack thread execution
    namespace: host-interaction/process/inject
    authors:
      - 0x534a@mailbox.org
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
      - Defense Evasion::Reflective Code Loading [T1620]
    examples:
      - 77d87e9937546aebc1595039d730352b15fab32c72a76913f04262c6802d098f:0x401000
  features:
    - and:
      - optional:
        - or:
          - match: open thread
          - match: create thread
      - match: suspend thread
      - api: kernel32.GetThreadContext
      - optional:
        - match: allocate or change RWX memory
        - match: write process memory
      - api: kernel32.SetThreadContext
      - match: resume thread