Modify test executable for screenshot capture

akh7177 · akh7177 · commit ea56ada674ca · 2025-02-26T22:47:20.000+05:30
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
@@ -18,8 +18,7 @@ rule:
       - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314610A
       - 7204e3efc2434012e13ca939db0d0b02:0x414070
       - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x406E07
-      - 333cf4a403f2dbd56e2509eb2f1d8922:0x140002180
-      - de5f2dd641b3e75eea6e4575b0ba4a48:0x140002180
+      - 0a30182ff3a6b67beb0f2cda9d0de678:0x407910
   features:
         # Classic GDI Capture
     - or: 
diff --git a/host-interaction/process/create/create-process-suspended.yml b/host-interaction/process/create/create-process-suspended.yml
@@ -16,11 +16,27 @@ rule:
     examples:
       - Practical Malware Analysis Lab 03-03.exe_:0x4010EA
   features:
-    - and:
-      - or:
-        - number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
-        - number: 4 = CREATE_SUSPENDED
-        - number: 2 = DEBUG_ONLY_THIS_PROCESS
-      - or:
-        - api: kernel32.CreateProcess
-        - api: advapi32.CreateProcessAsUser
+    - or:
+      - and:
+        - or:
+          - number: 0x08000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED
+          - number: 0x800000C = CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW
+          - number: 4 = CREATE_SUSPENDED
+          - number: 2 = DEBUG_ONLY_THIS_PROCESS
+        - or:
+          - api: kernel32.CreateProcess
+          - api: kernel32.CreateProcessInternal
+          - api: advapi32.CreateProcessAsUser
+          - api: advapi32.CreateProcessWithLogon
+          - api: advapi32.CreateProcessWithToken
+      - and:
+        - or:
+          - number: 0x10 = PROCESS_CREATE_FLAGS_CREATE_SUSPENDED
+          - number: 0x2000010 = PROCESS_CREATE_FLAGS_CREATE_SUSPENDED | PROCESS_CREATE_FLAGS_NO_WINDOW
+          - number: 0x11 = PROCESS_CREATE_FLAGS_CREATE_SUSPENDED | PROCESS_CREATE_FLAGS_BREAKAWAY
+        - or:
+          - api: ntdll.NtCreateProcessEx
+          - api: ZwCreateProcessEx
+          - api: ntdll.NtCreateUserProcess
+          - api: ntdll.ZwCreateUserProcess
+          - api: ntdll.RtlCreateUserProcess
diff --git a/lib/write-process-memory.yml b/lib/write-process-memory.yml
@@ -5,7 +5,7 @@ rule:
       - moritz.raabe@mandiant.com
     lib: true
     scopes:
-      static: function
+      static: instruction
       dynamic: call
     att&ck:
       - Defense Evasion::Process Injection [T1055]
