fix call/thread scopes manually

mandiant · Oct 26, 2023 · ae84430 · ae84430
1 parent c00ee19
commit ae84430
Show file tree

Hide file tree

Showing 167 changed files with 167 additions and 167 deletions.
diff --git a/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

diff --git a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
     references:

diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

diff --git a/anti-analysis/anti-forensic/spoof-parent-pid.yml b/anti-analysis/anti-forensic/spoof-parent-pid.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
     references:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: unsupported
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
     mbc:

diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: unsupported
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
     mbc:

diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
     examples:

diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     att&ck:
       - Collection::Input Capture::Keylogging [T1056.001]
     mbc:

diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Discovery::System Network Configuration Discovery [T1016]
     examples:

diff --git a/communication/http/client/get-http-response-content-encoding.yml b/communication/http/client/get-http-response-content-encoding.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     mbc:
       - Communication::HTTP Communication::Get Response [C0002.017]
     examples:

diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::HTTP Communication::Send Data [C0002.005]
     examples:

diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::HTTP Communication::Send Request [C0002.003]
     examples:

diff --git a/communication/http/get-http-content-length.yml b/communication/http/get-http-content-length.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     mbc:
       - Communication::HTTP Communication [C0002]
     examples:

diff --git a/communication/ip/convert-ip-address-from-string.yml b/communication/ip/convert-ip-address-from-string.yml
@@ -7,7 +7,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     examples:
       - 0796F1C1EA0A142FC1EB7109A44C86CB:0x405D20
   features:

diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::Interprocess Communication::Write Pipe [C0003.004]
     examples:

diff --git a/communication/receive-data.yml b/communication/receive-data.yml
@@ -7,7 +7,7 @@ rule:
     description: all known techniques for receiving data from a potential C2 server
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Command and Control::C2 Communication::Receive Data [B0030.002]
     examples:

diff --git a/communication/send-data.yml b/communication/send-data.yml
@@ -8,7 +8,7 @@ rule:
     description: all known techniques for sending data to a potential C2 server
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Command and Control::C2 Communication::Send Data [B0030.001]
     examples:

diff --git a/communication/socket/create-raw-socket.yml b/communication/socket/create-raw-socket.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     mbc:
       - Communication::Socket Communication::Create Socket [C0001.003]
     references:

diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::Socket Communication::Create Socket [C0001.003]
     references:

diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
@@ -8,7 +8,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     mbc:
       - Communication::Socket Communication::Create TCP Socket [C0001.011]
     examples:

diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml
@@ -8,7 +8,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     mbc:
       - Communication::Socket Communication::Create UDP Socket [C0001.010]
     examples:

diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::Socket Communication::TCP Client [C0001.008]
     examples:

diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Communication::Socket Communication::Start TCP Server [C0001.005]
     examples:

diff --git a/compiler/py2exe/compiled-with-py2exe.yml b/compiler/py2exe/compiled-with-py2exe.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     examples:
       - ed888dc2f04f5eac83d6d14088d002de:0x40194A
   features:

diff --git a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: unsupported
     mbc:
       - Data::Checksum::Luhn [C0032.002]
     examples:

diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
     examples:

diff --git a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     examples:

diff --git a/data-manipulation/encoding/base64/encode-data-using-base64.yml b/data-manipulation/encoding/base64/encode-data-using-base64.yml
@@ -8,7 +8,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: unsupported
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:

diff --git a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     references:

diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     mbc:
       - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
     references:

diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
     examples:

diff --git a/host-interaction/cli/resolve-path-using-msvcrt.yml b/host-interaction/cli/resolve-path-using-msvcrt.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
     examples:

diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Persistence::Create or Modify System Process::Windows Service [T1543.003]
     mbc:

diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: thread
     att&ck:
       - Discovery::System Information Discovery [T1082]
     mbc:

diff --git a/host-interaction/file-system/change-file-permission-on-linux.yml b/host-interaction/file-system/change-file-permission-on-linux.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     mbc:
       - File System::Set File Attributes [C0050]
     examples:

diff --git a/host-interaction/file-system/files/list/enumerate-files-recursively.yml b/host-interaction/file-system/files/list/enumerate-files-recursively.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: unsupported
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
     mbc:

diff --git a/host-interaction/file-system/get-file-system-object-information.yml b/host-interaction/file-system/get-file-system-object-information.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: call  # TODO check if scope thread instead
+      dynamic: call
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
     examples:

diff --git a/host-interaction/file-system/get-program-files-directory.yml b/host-interaction/file-system/get-program-files-directory.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread  # TODO check if scope call instead
+      dynamic: call
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
     examples: