write process memory

rule:
  meta:
    name: write process memory
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Process Injection [T1055]
    examples:
      - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF
  features:
    - or:
      - api: kernel32.WriteProcessMemory
      - api: ntdll.NtWriteVirtualMemory
      - api: ntdll.ZwWriteVirtualMemory
      - api: NtWow64WriteVirtualMemory64