inject thread

rule:
  meta:
    name: inject thread
    namespace: host-interaction/process/inject
    authors:
      - anamaria.martinezgom@mandiant.com
      - 0x534a@mailbox.org
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
      - Defense Evasion::Reflective Code Loading [T1620]
    examples:
      - Practical Malware Analysis Lab 12-01.exe_:0x4010D0
      - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF
  features:
    - and:
      - or:
        - match: allocate or change RWX memory
        - match: allocate or change RW memory
      - match: write process memory
      - match: create thread
      - optional:
        - or:
          - match: host-interaction/process/create
          - match: open process
          - number: 0x3000 = MEM_COMMIT or MEM_RESERVE