dzbeck
commented
3 years ago @0x534a thanks for the suggestion - added!
Closed 0x534a closed 3 years ago
dzbeck
commented
3 years ago @0x534a thanks for the suggestion - added!
While expanding the capa rule set, I noticed that there is currently no micro-behavior for resuming a thread. Therefore, I suggest to add this micro-behavior to MBC. Malware typically resumes a thread in order to execute previously injected code (e.g. in the course of the process hollowing technique).
This micro-behavior should fit to the Process Micro-objective where similar behavior like creating or terminating a thread is already located.
In the same turn, suspending a thread can also be added analogously as micro-behaviour.