From 784c9dca53c203449f8821f2f8b82825f471e30e Mon Sep 17 00:00:00 2001 
From: mr-tz Date: Wed, 25 Oct 2023 16:01:12 +0200 Subject: [PATCH 01/15] upgrade rules using updated script --- ...-on-executable-memory-pages-using-arbitrary-code-guard.yml | 4 +++- anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml | 4 +++- .../anti-av/patch-event-tracing-for-windows-function.yml | 4 +++- .../protect-spawned-processes-with-mitigation-policies.yml | 4 +++- .../debugger-detection/check-for-debugger-via-api.yml | 4 +++- .../debugger-detection/check-for-hardware-breakpoints.yml | 4 +++- ...eck-for-kernel-debugger-via-shared-user-data-structure.yml | 4 +++- .../debugger-detection/check-for-outputdebugstring-error.yml | 4 +++- .../debugger-detection/check-for-peb-beingdebugged-flag.yml | 4 +++- .../debugger-detection/check-for-peb-ntglobalflag-flag.yml | 4 +++- .../check-for-protected-handle-exception.yml | 4 +++- .../debugger-detection/check-for-software-breakpoints.yml | 4 +++- .../check-for-time-delay-via-gettickcount.yml | 4 +++- .../check-for-time-delay-via-queryperformancecounter.yml | 4 +++- .../debugger-detection/check-for-trap-flag-exception.yml | 4 +++- .../debugger-detection/check-for-unexpected-memory-writes.yml | 4 +++- .../debugger-detection/check-process-job-object.yml | 4 +++- .../debugger-detection/check-processdebugport.yml | 4 +++- .../execute-anti-debugging-instructions.yml | 4 +++- .../debugger-evasion/hide-thread-from-debugger.yml | 4 +++- .../anti-disasm/64-bit-execution-via-heavens-gate.yml | 4 +++- anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml | 4 +++- .../wine/check-if-process-is-running-under-wine.yml | 4 +++- .../anti-forensic/clear-logs/clear-windows-event-logs.yml | 4 +++- .../anti-forensic/crash-the-windows-event-logging-service.yml | 4 +++- .../anti-forensic/impersonate-file-version-information.yml | 4 +++- anti-analysis/anti-forensic/patch-process-command-line.yml | 4 +++- anti-analysis/anti-forensic/self-deletion/self-delete.yml | 4 +++- anti-analysis/anti-forensic/spoof-parent-pid.yml | 4 +++- 
anti-analysis/anti-forensic/timestomp/timestomp-file.yml | 4 +++- .../vm-detection/check-for-foreground-window-switch.yml | 4 +++- .../vm-detection/check-for-microsoft-office-emulation.yml | 4 +++- .../vm-detection/check-for-sandbox-username-or-hostname.yml | 4 +++- .../anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-device.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-dns-suffix.yml | 4 +++- .../check-for-windows-sandbox-via-genuine-state.yml | 4 +++- .../check-for-windows-sandbox-via-process-name.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-registry.yml | 4 +++- .../vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml | 4 +++- .../detect-vm-via-motherboard-hardware-wmi-queries.yml | 4 +++- .../reference-anti-vm-strings-targeting-parallels.yml | 4 +++- .../vm-detection/reference-anti-vm-strings-targeting-qemu.yml | 4 +++- .../reference-anti-vm-strings-targeting-virtualbox.yml | 4 +++- .../reference-anti-vm-strings-targeting-virtualpc.yml | 4 +++- .../reference-anti-vm-strings-targeting-vmware.yml | 4 +++- .../vm-detection/reference-anti-vm-strings-targeting-xen.yml | 4 +++- .../anti-vm/vm-detection/reference-anti-vm-strings.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml | 4 +++- .../obfuscation/obfuscated-with-babel-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml | 4 +++- .../obfuscation/obfuscated-with-deepsea-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-smartassembly.yml | 4 +++- .../obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-yano.yml | 4 +++- .../string/stackstring/contain-obfuscated-stackstrings.yml | 4 +++- anti-analysis/packer/amber/packed-with-amber.yml | 4 +++- 
anti-analysis/packer/aspack/packed-with-aspack.yml | 4 +++- anti-analysis/packer/confuser/packed-with-confuser.yml | 4 +++- anti-analysis/packer/generic/packed-with-generic-packer.yml | 4 +++- anti-analysis/packer/gopacker/packed-with-gopacker.yml | 4 +++- anti-analysis/packer/huan/packed-with-huan.yml | 4 +++- anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml | 4 +++- anti-analysis/packer/nspack/packed-with-nspack.yml | 4 +++- anti-analysis/packer/pebundle/packed-with-pebundle.yml | 4 +++- anti-analysis/packer/pecompact/packed-with-pecompact.yml | 4 +++- anti-analysis/packer/pelocknt/packed-with-pelocknt.yml | 4 +++- anti-analysis/packer/peshield/packed-with-peshield.yml | 4 +++- anti-analysis/packer/pespin/packed-with-pespin.yml | 4 +++- anti-analysis/packer/petite/packed-with-petite.yml | 4 +++- anti-analysis/packer/rlpack/packed-with-rlpack.yml | 4 +++- anti-analysis/packer/themida/packed-with-themida.yml | 4 +++- anti-analysis/packer/upack/packed-with-upack.yml | 4 +++- anti-analysis/packer/upx/packed-with-upx.yml | 4 +++- anti-analysis/packer/vmprotect/packed-with-vmprotect.yml | 4 +++- anti-analysis/packer/y0da/packed-with-y0da-crypter.yml | 4 +++- anti-analysis/reference-analysis-tools-strings.yml | 4 +++- .../acquire-credentials-from-windows-credential-manager.yml | 4 +++- .../browser/gather-chrome-based-browser-login-information.yml | 4 +++- collection/browser/gather-firefox-profile-information.yml | 4 +++- collection/credit-card/parse-credit-card-information.yml | 4 +++- collection/database/sql/reference-sql-statements.yml | 4 +++- collection/database/wmi/reference-wmi-statements.yml | 4 +++- collection/file-managers/gather-3d-ftp-information.yml | 4 +++- collection/file-managers/gather-alftp-information.yml | 4 +++- collection/file-managers/gather-bitkinex-information.yml | 4 +++- collection/file-managers/gather-blazeftp-information.yml | 4 +++- .../file-managers/gather-bulletproof-ftp-information.yml | 4 +++- 
collection/file-managers/gather-classicftp-information.yml | 4 +++- collection/file-managers/gather-coreftp-information.yml | 4 +++- collection/file-managers/gather-cuteftp-information.yml | 4 +++- collection/file-managers/gather-cyberduck-information.yml | 4 +++- collection/file-managers/gather-direct-ftp-information.yml | 4 +++- .../file-managers/gather-directory-opus-information.yml | 4 +++- collection/file-managers/gather-expandrive-information.yml | 4 +++- .../file-managers/gather-faststone-browser-information.yml | 4 +++- collection/file-managers/gather-fasttrack-ftp-information.yml | 4 +++- collection/file-managers/gather-ffftp-information.yml | 4 +++- collection/file-managers/gather-filezilla-information.yml | 4 +++- collection/file-managers/gather-flashfxp-information.yml | 4 +++- collection/file-managers/gather-fling-ftp-information.yml | 4 +++- collection/file-managers/gather-freshftp-information.yml | 4 +++- collection/file-managers/gather-frigate3-information.yml | 4 +++- collection/file-managers/gather-ftp-commander-information.yml | 4 +++- collection/file-managers/gather-ftp-explorer-information.yml | 4 +++- collection/file-managers/gather-ftp-voyager-information.yml | 4 +++- collection/file-managers/gather-ftpgetter-information.yml | 4 +++- collection/file-managers/gather-ftpinfo-information.yml | 4 +++- collection/file-managers/gather-ftpnow-information.yml | 4 +++- collection/file-managers/gather-ftprush-information.yml | 4 +++- collection/file-managers/gather-ftpshell-information.yml | 4 +++- .../file-managers/gather-global-downloader-information.yml | 4 +++- collection/file-managers/gather-goftp-information.yml | 4 +++- collection/file-managers/gather-leapftp-information.yml | 4 +++- collection/file-managers/gather-netdrive-information.yml | 4 +++- collection/file-managers/gather-nexusfile-information.yml | 4 +++- collection/file-managers/gather-nova-ftp-information.yml | 4 +++- collection/file-managers/gather-robo-ftp-information.yml | 4 +++- 
collection/file-managers/gather-securefx-information.yml | 4 +++- collection/file-managers/gather-smart-ftp-information.yml | 4 +++- collection/file-managers/gather-softx-ftp-information.yml | 4 +++- .../file-managers/gather-southriver-webdrive-information.yml | 4 +++- collection/file-managers/gather-staff-ftp-information.yml | 4 +++- .../file-managers/gather-total-commander-information.yml | 4 +++- collection/file-managers/gather-turbo-ftp-information.yml | 4 +++- collection/file-managers/gather-ultrafxp-information.yml | 4 +++- collection/file-managers/gather-winscp-information.yml | 4 +++- collection/file-managers/gather-winzip-information.yml | 4 +++- collection/file-managers/gather-wise-ftp-information.yml | 4 +++- collection/file-managers/gather-ws-ftp-information.yml | 4 +++- collection/file-managers/gather-xftp-information.yml | 4 +++- collection/get-geographical-location.yml | 4 +++- .../group-policy/discover-group-policy-via-gpresult.yml | 4 +++- collection/keylog/log-keystrokes-via-application-hook.yml | 4 +++- collection/keylog/log-keystrokes-via-polling.yml | 4 +++- collection/keylog/log-keystrokes.yml | 4 +++- collection/microphone/capture-microphone-audio.yml | 4 +++- .../network/capture-network-configuration-via-ipconfig.yml | 4 +++- collection/network/capture-packets-using-sharppcap.yml | 4 +++- collection/network/capture-public-ip.yml | 4 +++- collection/network/get-domain-trust-relationships.yml | 4 +++- collection/network/get-mac-address-on-windows.yml | 4 +++- .../steal-keepass-passwords-using-keefarce.yml | 4 +++- collection/screenshot/capture-screenshot-via-keybd-event.yml | 4 +++- collection/screenshot/capture-screenshot.yml | 4 +++- collection/use-dotnet-library-sharpclipboard.yml | 4 +++- collection/webcam/capture-webcam-image.yml | 4 +++- communication/c2/file-transfer/download-and-write-a-file.yml | 4 +++- communication/c2/file-transfer/write-and-execute-a-file.yml | 4 +++- communication/c2/shell/create-reverse-shell-on-linux.yml | 4 
+++- communication/c2/shell/create-reverse-shell.yml | 4 +++- .../c2/shell/execute-shell-command-and-capture-output.yml | 4 +++- .../execute-shell-command-received-from-socket-on-linux.yml | 4 +++- communication/dns/reference-dns-over-https-endpoints.yml | 4 +++- communication/dns/resolve-dns.yml | 4 +++- communication/ftp/send/send-file-using-ftp.yml | 4 +++- communication/http/client/check-http-status-code.yml | 4 +++- communication/http/client/connect-to-http-server.yml | 4 +++- communication/http/client/connect-to-url.yml | 4 +++- communication/http/client/create-bits-job.yml | 4 +++- communication/http/client/create-http-request.yml | 4 +++- .../decompress-http-response-via-iencodingfilterfactory.yml | 4 +++- communication/http/client/download-url.yml | 4 +++- communication/http/client/extract-http-body.yml | 4 +++- .../http/client/get-http-document-via-iwebbrowser2.yml | 4 +++- .../http/client/get-http-response-content-encoding.yml | 4 +++- communication/http/client/prepare-http-request.yml | 4 +++- communication/http/client/read-data-from-internet.yml | 4 +++- communication/http/client/receive-http-response.yml | 4 +++- communication/http/client/send-file-via-http.yml | 4 +++- communication/http/client/send-http-request.yml | 4 +++- communication/http/get-http-content-length.yml | 4 +++- communication/http/initialize-iwebbrowser2.yml | 4 +++- communication/http/initialize-winhttp-library.yml | 4 +++- communication/http/read-http-header.yml | 4 +++- communication/http/reference-http-user-agent-string.yml | 4 +++- communication/http/server/receive-http-request.yml | 4 +++- communication/http/server/send-http-response.yml | 4 +++- communication/http/server/start-http-server.yml | 4 +++- communication/http/set-http-header.yml | 4 +++- communication/icmp/send-icmp-echo-request.yml | 4 +++- communication/ip/convert-ip-address-from-string.yml | 4 +++- communication/mailslot/create-mailslot.yml | 4 +++- communication/mailslot/read-from-mailslot.yml | 4 +++- 
communication/named-pipe/connect/connect-pipe.yml | 4 +++- communication/named-pipe/create/create-pipe.yml | 4 +++- .../named-pipe/create/create-two-anonymous-pipes.yml | 4 +++- communication/named-pipe/read/read-pipe.yml | 4 +++- communication/named-pipe/write/write-pipe.yml | 4 +++- communication/receive-data.yml | 4 +++- communication/send-data.yml | 4 +++- communication/socket/create-raw-socket.yml | 4 +++- communication/socket/create-vmci-socket.yml | 4 +++- communication/socket/get-socket-status.yml | 4 +++- communication/socket/initialize-winsock-library.yml | 4 +++- communication/socket/receive/receive-data-on-socket.yml | 4 +++- communication/socket/send/send-data-on-socket.yml | 4 +++- communication/socket/set-socket-configuration.yml | 4 +++- communication/socket/tcp/connect-tcp-socket.yml | 4 +++- .../socket/tcp/create-tcp-socket-via-raw-afd-driver.yml | 4 +++- communication/socket/tcp/create-tcp-socket.yml | 4 +++- .../obtain-transmitpackets-callback-function-via-wsaioctl.yml | 4 +++- communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml | 4 +++- communication/socket/udp/send/create-udp-socket.yml | 4 +++- communication/tcp/client/act-as-tcp-client.yml | 4 +++- communication/tcp/serve/start-tcp-server.yml | 4 +++- compiler/autohotkey/compiled-with-autohotkey.yml | 4 +++- compiler/autoit/compiled-with-autoit.yml | 4 +++- compiler/cx_freeze/compiled-with-cx_freeze.yml | 4 +++- compiler/d/compiled-with-dmd.yml | 4 +++- compiler/delphi/compiled-with-borland-delphi.yml | 4 +++- compiler/exe4j/compiled-with-exe4j.yml | 4 +++- compiler/go/compiled-with-go.yml | 4 +++- compiler/mingw/compiled-with-mingw-for-windows.yml | 4 +++- compiler/nim/compiled-with-nim.yml | 4 +++- compiler/nuitka/compiled-with-nuitka.yml | 4 +++- compiler/perl2exe/compiled-with-perl2exe.yml | 4 +++- compiler/ps2exe/compiled-with-ps2exe.yml | 4 +++- compiler/py2exe/compiled-with-py2exe.yml | 4 +++- compiler/pyarmor/compiled-with-pyarmor.yml | 4 +++- 
compiler/rust/compiled-with-rust.yml | 4 +++- compiler/v/compiled-with-v.yml | 4 +++- compiler/vb/compiled-from-visual-basic.yml | 4 +++- compiler/zig/compiled-with-zig.yml | 4 +++- .../checksum/adler32/compute-adler32-checksum.yml | 4 +++- data-manipulation/checksum/crc32/hash-data-with-crc32.yml | 4 +++- .../validate-payment-card-number-using-luhn-algorithm.yml | 4 +++- data-manipulation/compression/compress-data-using-lzo.yml | 4 +++- data-manipulation/compression/compress-data-via-winapi.yml | 4 +++- .../compression/compress-data-via-zlib-inflate-or-deflate.yml | 4 +++- data-manipulation/compression/decompress-data-using-aplib.yml | 4 +++- data-manipulation/compression/decompress-data-using-lzo.yml | 4 +++- .../compression/decompress-data-using-quicklz.yml | 4 +++- data-manipulation/compression/decompress-data-using-ucl.yml | 4 +++- .../decompress-data-via-iencodingfilterfactory.yml | 4 +++- .../decode-data-using-base64-via-dword-translation-table.yml | 4 +++- .../encoding/base64/decode-data-using-base64-via-winapi.yml | 4 +++- .../encoding/base64/encode-data-using-base64-via-winapi.yml | 4 +++- .../encoding/base64/encode-data-using-base64.yml | 4 +++- data-manipulation/encoding/base64/reference-base64-string.yml | 4 +++- data-manipulation/encoding/xor/encode-data-using-xor.yml | 4 +++- .../aes/decrypt-data-using-aes-via-x86-extensions.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-via-dotnet.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-via-winapi.yml | 4 +++- .../encryption/aes/manually-build-aes-constants.yml | 4 +++- .../encryption/aes/use-dotnet-library-encryptdecryptutils.yml | 4 +++- .../encryption/blowfish/encrypt-data-using-blowfish.yml | 4 +++- .../encryption/camellia/encrypt-data-using-camellia.yml | 4 +++- .../encryption/create-new-key-via-cryptacquirecontext.yml | 4 +++- .../encryption/des/encrypt-data-using-des-via-winapi.yml | 4 +++- 
data-manipulation/encryption/des/encrypt-data-using-des.yml | 4 +++- .../encryption/dpapi/encrypt-data-using-dpapi.yml | 4 +++- .../elliptic-curve/encrypt-data-using-curve25519.yml | 4 +++- .../encryption/encrypt-data-using-memfrob-from-glibc.yml | 4 +++- .../encryption/encrypt-or-decrypt-via-wincrypt.yml | 4 +++- .../get-outbound-credentials-handle-via-credssp.yml | 4 +++- .../hc-128/encrypt-data-using-hc-128-via-wolfssl.yml | 4 +++- .../encryption/hc-128/encrypt-data-using-hc-128.yml | 4 +++- data-manipulation/encryption/import-public-key.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-ksa.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-prga.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-via-winapi.yml | 4 +++- .../rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml | 4 +++- data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml | 4 +++- data-manipulation/encryption/rsa/reference-public-rsa-key.yml | 4 +++- .../encryption/skipjack/encrypt-data-using-skipjack.yml | 4 +++- .../encryption/sosemanuk/encrypt-data-using-sosemanuk.yml | 4 +++- data-manipulation/encryption/tea/decrypt-data-using-tea.yml | 4 +++- data-manipulation/encryption/tea/encrypt-data-using-tea.yml | 4 +++- .../encryption/twofish/encrypt-data-using-twofish.yml | 4 +++- data-manipulation/encryption/vest/encrypt-data-using-vest.yml | 4 +++- data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml | 4 +++- .../encryption/xxtea/encrypt-data-using-xxtea.yml | 4 +++- data-manipulation/hashing/djb2/hash-data-using-djb2.yml | 4 +++- data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 4 +++- data-manipulation/hashing/hash-data-via-wincrypt.yml | 4 +++- data-manipulation/hashing/md5/hash-data-with-md5.yml | 4 +++- data-manipulation/hashing/murmur/hash-data-using-murmur3.yml | 4 +++- data-manipulation/hashing/sha1/hash-data-using-sha1.yml | 4 +++- data-manipulation/hashing/sha224/hash-data-using-sha224.yml | 4 +++- 
data-manipulation/hashing/sha256/hash-data-using-sha256.yml | 4 +++- data-manipulation/hashing/sha384/hash-data-using-sha384.yml | 4 +++- data-manipulation/hashing/sha512/hash-data-using-sha512.yml | 4 +++- data-manipulation/hashing/tiger/hash-data-using-tiger.yml | 4 +++- data-manipulation/hmac/authenticate-hmac.yml | 4 +++- data-manipulation/json/use-dotnet-library-newtonsoftjson.yml | 4 +++- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 4 +++- data-manipulation/prng/generate-random-numbers-via-winapi.yml | 4 +++- .../generate-random-numbers-using-a-mersenne-twister.yml | 4 +++- data-manipulation/svg/use-dotnet-library-sharpvectors.yml | 4 +++- .../packaged-as-single-file-dotnet-application.yml | 4 +++- .../packaged-as-an-iexpress-self-extracting-archive.yml | 4 +++- .../inno-setup/packaged-as-an-inno-setup-installer.yml | 4 +++- executable/pe/export/forwarded-export.yml | 4 +++- executable/pe/pdb/contains-pdb-path.yml | 4 +++- .../tls/contain-a-thread-local-storage-tls-section.yml | 4 +++- executable/resource/access-dotnet-resource.yml | 4 +++- .../embed-dependencies-as-resources-using-fodycostura.yml | 4 +++- .../resource/extract-resource-via-kernel32-functions.yml | 4 +++- executable/subfile/pe/contain-an-embedded-pe-file.yml | 4 +++- host-interaction/bootloader/disable-code-signing.yml | 4 +++- host-interaction/bootloader/get-uefi-variable.yml | 4 +++- host-interaction/bootloader/manipulate-boot-configuration.yml | 4 +++- host-interaction/bootloader/manipulate-safe-mode-programs.yml | 4 +++- host-interaction/bootloader/set-uefi-variable.yml | 4 +++- host-interaction/cli/accept-command-line-arguments.yml | 4 +++- host-interaction/cli/resolve-path-using-msvcrt.yml | 4 +++- host-interaction/clipboard/open-clipboard.yml | 4 +++- host-interaction/clipboard/read-clipboard-data.yml | 4 +++- host-interaction/clipboard/write-clipboard-data.yml | 4 +++- host-interaction/console/manipulate-console-buffer.yml | 4 +++- 
host-interaction/driver/create-device-object.yml | 4 +++- host-interaction/driver/disable-driver-code-integrity.yml | 4 +++- host-interaction/driver/install-driver.yml | 4 +++- .../driver/interact-with-driver-via-control-codes.yml | 4 +++- .../environment-variable/get-comspec-environment-variable.yml | 4 +++- .../environment-variable/query-environment-variable.yml | 4 +++- .../environment-variable/set-environment-variable.yml | 4 +++- host-interaction/file-system/bypass-mark-of-the-web.yml | 4 +++- .../file-system/change-file-permission-on-linux.yml | 4 +++- host-interaction/file-system/copy/copy-file.yml | 4 +++- .../file-system/create-virtual-file-system-in-dotnet.yml | 4 +++- host-interaction/file-system/create/create-directory.yml | 4 +++- host-interaction/file-system/delete/delete-directory.yml | 4 +++- host-interaction/file-system/delete/delete-file.yml | 4 +++- host-interaction/file-system/exists/check-if-file-exists.yml | 4 +++- .../file-system/files/list/enumerate-files-on-linux.yml | 4 +++- .../file-system/files/list/enumerate-files-on-windows.yml | 4 +++- .../file-system/files/list/enumerate-files-recursively.yml | 4 +++- host-interaction/file-system/get-common-file-path.yml | 4 +++- .../file-system/get-file-system-object-information.yml | 4 +++- host-interaction/file-system/get-program-files-directory.yml | 4 +++- .../get-windows-directory-from-kuser_shared_data.yml | 4 +++- host-interaction/file-system/meta/get-file-attributes.yml | 4 +++- host-interaction/file-system/meta/get-file-size.yml | 4 +++- host-interaction/file-system/meta/get-file-version-info.yml | 4 +++- host-interaction/file-system/meta/set-file-attributes.yml | 4 +++- host-interaction/file-system/move/move-file.yml | 4 +++- host-interaction/file-system/read/read-file-on-linux.yml | 4 +++- host-interaction/file-system/read/read-file-on-windows.yml | 4 +++- host-interaction/file-system/read/read-file-via-mapping.yml | 4 +++- host-interaction/file-system/read/read-ini-file.yml | 4 +++- 
host-interaction/file-system/read/read-virtual-disk.yml | 4 +++- .../file-system/reference-absolute-stream-path-on-windows.yml | 4 +++- .../bypass-windows-file-protection.yml | 4 +++- host-interaction/file-system/write/write-file-on-linux.yml | 4 +++- host-interaction/file-system/write/write-file-on-windows.yml | 4 +++- host-interaction/filter/enumerate-minifilter-drivers.yml | 4 +++- host-interaction/filter/register-minifilter-driver.yml | 4 +++- host-interaction/filter/start-minifilter-driver.yml | 4 +++- .../modify/access-firewall-settings-via-inetfwmgr.yml | 4 +++- host-interaction/gui/console/set-console-window-title.yml | 4 +++- host-interaction/gui/enumerate-gui-resources.yml | 4 +++- host-interaction/gui/logon/references-logon-banner.yml | 4 +++- host-interaction/gui/session/lock/lock-the-desktop.yml | 4 +++- .../gui/session/wallpaper/change-the-wallpaper.yml | 4 +++- host-interaction/gui/set-application-hook.yml | 4 +++- host-interaction/gui/switch-active-desktop.yml | 4 +++- host-interaction/gui/taskbar/find/find-taskbar.yml | 4 +++- .../gui/taskbar/hide/hide-the-windows-taskbar.yml | 4 +++- host-interaction/gui/window/find/find-graphical-window.yml | 4 +++- .../gui/window/get-text/get-graphical-window-text.yml | 4 +++- host-interaction/gui/window/hide/hide-graphical-window.yml | 4 +++- host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml | 4 +++- host-interaction/hardware/cpu/get-cpu-information.yml | 4 +++- .../hardware/cpu/get-number-of-processor-cores.yml | 4 +++- host-interaction/hardware/cpu/get-number-of-processors.yml | 4 +++- host-interaction/hardware/enumerate-devices-by-category.yml | 4 +++- host-interaction/hardware/keyboard/get-keyboard-layout.yml | 4 +++- host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml | 4 +++- host-interaction/hardware/memory/get-memory-capacity.yml | 4 +++- host-interaction/hardware/memory/get-memory-information.yml | 4 +++- host-interaction/hardware/mouse/swap-mouse-buttons.yml | 4 +++- 
.../hardware/storage/enumerate-disk-properties.yml | 4 +++- host-interaction/hardware/storage/get-disk-information.yml | 4 +++- host-interaction/hardware/storage/get-disk-size.yml | 4 +++- .../log/clfs/read-data-from-clfs-log-container.yml | 4 +++- .../log/debug/write-event/print-debug-messages.yml | 4 +++- .../log/winevt/access/access-the-windows-event-log.yml | 4 +++- .../memory/create-new-application-domain-in-dotnet.yml | 4 +++- host-interaction/mutex/check-mutex-and-exit.yml | 4 +++- host-interaction/mutex/check-mutex.yml | 4 +++- host-interaction/mutex/create-mutex.yml | 4 +++- host-interaction/mutex/create-semaphore-on-linux.yml | 4 +++- host-interaction/mutex/lock-file.yml | 4 +++- host-interaction/mutex/lock-semaphore-on-linux.yml | 4 +++- host-interaction/mutex/unlock-semaphore-on-linux.yml | 4 +++- host-interaction/network/address/get-local-ipv4-addresses.yml | 4 +++- .../connectivity/check-internet-connectivity-via-wininet.yml | 4 +++- .../network/connectivity/set-tcp-connection-state.yml | 4 +++- .../network/domain/enumerate-domain-computers-via-ldap.yml | 4 +++- .../network/domain/get-domain-controller-name.yml | 4 +++- host-interaction/network/domain/get-domain-information.yml | 4 +++- .../network/interface/get-networking-interfaces.yml | 4 +++- .../network/traffic/copy/copy-network-traffic.yml | 4 +++- .../traffic/filter/register-network-filter-via-wfp-api.yml | 4 +++- host-interaction/os/hostname/get-hostname.yml | 4 +++- .../os/info/get-system-information-on-windows.yml | 4 +++- host-interaction/os/shutdown-system.yml | 4 +++- host-interaction/os/version/check-os-version.yml | 4 +++- host-interaction/os/version/get-kernel-version.yml | 4 +++- host-interaction/os/version/get-linux-distribution.yml | 4 +++- host-interaction/process/allocate-thread-local-storage.yml | 4 +++- .../create-a-process-with-modified-io-handles-and-window.yml | 4 +++- host-interaction/process/create/create-process-on-linux.yml | 4 +++- 
host-interaction/process/create/create-process-on-windows.yml | 4 +++- host-interaction/process/create/create-process-suspended.yml | 4 +++- host-interaction/process/create/execute-command.yml | 4 +++- .../process/dump/create-process-memory-minidump.yml | 4 +++- host-interaction/process/get-process-heap-flags.yml | 4 +++- host-interaction/process/get-process-heap-force-flags.yml | 4 +++- .../process/inject/allocate-or-change-rwx-memory.yml | 4 +++- .../process/inject/allocate-user-process-rwx-memory.yml | 4 +++- .../process/inject/attach-user-process-memory.yml | 4 +++- host-interaction/process/inject/free-user-process-memory.yml | 4 +++- host-interaction/process/inject/hijack-thread-execution.yml | 4 +++- host-interaction/process/inject/inject-apc.yml | 4 +++- host-interaction/process/inject/inject-dll.yml | 4 +++- host-interaction/process/inject/inject-pe.yml | 4 +++- .../inject/inject-shellcode-using-a-file-mapping-object.yml | 4 +++- .../inject/inject-shellcode-using-extra-window-memory.yml | 4 +++- .../inject-shellcode-using-window-subclass-procedure.yml | 4 +++- host-interaction/process/inject/inject-thread.yml | 4 +++- .../process/inject/use-process-doppelg\303\244nging.yml" | 4 +++- host-interaction/process/inject/use-process-replacement.yml | 4 +++- .../enumerate-processes-on-remote-desktop-session-host.yml | 4 +++- .../list/enumerate-processes-via-ntquerysysteminformation.yml | 4 +++- host-interaction/process/list/enumerate-processes.yml | 4 +++- host-interaction/process/list/find-process-by-pid.yml | 4 +++- host-interaction/process/list/get-explorer-pid.yml | 4 +++- host-interaction/process/map-section-object.yml | 4 +++- host-interaction/process/modify/acquire-debug-privileges.yml | 4 +++- host-interaction/process/modify/modify-access-privileges.yml | 4 +++- .../process/modules/list/enumerate-process-modules.yml | 4 +++- host-interaction/process/set-thread-local-storage-value.yml | 4 +++- .../process/terminate/terminate-process-via-kill.yml | 4 +++- 
host-interaction/process/terminate/terminate-process.yml | 4 +++- host-interaction/recycle-bin/empty-recycle-bin-quietly.yml | 4 +++- .../create-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/registry/create/set-registry-value.yml | 4 +++- host-interaction/registry/delete/delete-registry-key.yml | 4 +++- host-interaction/registry/delete/delete-registry-value.yml | 4 +++- .../open-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/registry/query-or-enumerate-registry-key.yml | 4 +++- .../registry/query-or-enumerate-registry-value.yml | 4 +++- .../query-registry-key-via-offline-registry-library.yml | 4 +++- .../set-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/service/continue-service.yml | 4 +++- host-interaction/service/create/create-service.yml | 4 +++- host-interaction/service/delete/delete-service.yml | 4 +++- host-interaction/service/list/enumerate-services.yml | 4 +++- host-interaction/service/modify/modify-service.yml | 4 +++- host-interaction/service/pause-service.yml | 4 +++- host-interaction/service/query-service-configuration.yml | 4 +++- host-interaction/service/query-service-status.yml | 4 +++- host-interaction/service/run-as-service.yml | 4 +++- host-interaction/service/start/start-service.yml | 4 +++- host-interaction/service/stop/stop-service.yml | 4 +++- host-interaction/session/get-current-user-on-linux.yml | 4 +++- host-interaction/session/get-logon-sessions.yml | 4 +++- host-interaction/session/get-session-integrity-level.yml | 4 +++- host-interaction/session/get-session-user-name.yml | 4 +++- host-interaction/session/get-token-membership.yml | 4 +++- host-interaction/session/get-user-security-identifier.yml | 4 +++- host-interaction/software/get-installed-programs.yml | 4 +++- host-interaction/thread/create/create-thread.yml | 4 +++- host-interaction/thread/list/enumerate-threads.yml | 4 +++- host-interaction/thread/resume/resume-thread.yml | 4 +++- 
host-interaction/thread/suspend/suspend-thread.yml | 4 +++- host-interaction/thread/terminate/terminate-thread.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-rpc.yml | 4 +++- .../uac/bypass/bypass-uac-via-token-manipulation.yml | 4 +++- .../wmi/connect-to-wmi-namespace-via-wbemlocator.yml | 4 +++- .../inhibit-system-recovery/delete-volume-shadow-copies.yml | 4 +++- .../wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml | 4 +++- .../limitation/file/internal-autohotkey-file-limitation.yml | 4 +++- internal/limitation/file/internal-autoit-file-limitation.yml | 4 +++- .../limitation/file/internal-installer-file-limitation.yml | 4 +++- internal/limitation/file/internal-packer-file-limitation.yml | 4 +++- .../limitation/file/internal-visual-basic-file-limitation.yml | 4 +++- lib/allocate-memory.yml | 4 +++- lib/allocate-or-change-rw-memory.yml | 4 +++- lib/calculate-modulo-256-via-x86-assembly.yml | 4 +++- lib/change-memory-protection.yml | 4 +++- lib/contain-loop.yml | 4 +++- lib/contain-pusha-popa-sequence.yml | 4 +++- lib/create-or-open-file.yml | 4 +++- lib/create-or-open-registry-key.yml | 4 +++- lib/create-or-open-section-object.yml | 4 +++- lib/delay-execution.yml | 4 +++- lib/duplicate-stdin-and-stdout.yml | 4 +++- lib/get-os-version.yml | 4 +++- lib/get-service-handle.yml | 4 +++- lib/open-process.yml | 4 +++- lib/open-thread.yml | 4 +++- lib/peb-access.yml | 4 +++- ...ent-card-number-using-luhn-algorithm-with-lookup-table.yml | 4 +++- ...-card-number-using-luhn-algorithm-with-no-lookup-table.yml | 4 +++- lib/write-process-memory.yml | 4 +++- linking/runtime-linking/access-peb-ldr_data.yml | 4 +++- linking/runtime-linking/get-kernel32-base-address.yml | 4 +++- linking/runtime-linking/get-ntdll-base-address.yml | 4 +++- .../runtime-linking/link-function-at-runtime-on-windows.yml | 4 +++- 
linking/runtime-linking/link-many-functions-at-runtime.yml | 4 +++- .../resolve-function-by-brute-ratel-badger-hash.yml | 4 +++- linking/runtime-linking/resolve-function-by-fin8-fasthash.yml | 4 +++- linking/static/aplib/linked-against-aplib.yml | 4 +++- linking/static/cryptopp/linked-against-crypto.yml | 4 +++- linking/static/libcurl/linked-against-libcurl.yml | 4 +++- linking/static/linked-against-cpp-standard-library.yml | 4 +++- linking/static/msdetours/linked-against-microsoft-detours.yml | 4 +++- linking/static/openssl/linked-against-openssl.yml | 4 +++- linking/static/polarssl/linked-against-polarsslmbed-tls.yml | 4 +++- linking/static/sqlite3/linked-against-cppsqlite3.yml | 4 +++- linking/static/sqlite3/linked-against-sqlite3.yml | 4 +++- linking/static/wolfcrypt/linked-against-wolfcrypt.yml | 4 +++- linking/static/wolfssl/linked-against-wolfssl.yml | 4 +++- linking/static/zlib/linked-against-zlib.yml | 4 +++- load-code/dotnet/load-windows-common-language-runtime.yml | 4 +++- .../execute-vbscript-javascript-or-jscript-in-memory.yml | 4 +++- load-code/pe/access-pe-header.yml | 4 +++- load-code/pe/enumerate-pe-sections.yml | 4 +++- load-code/pe/inject-dll-reflectively.yml | 4 +++- load-code/pe/inspect-section-memory-permissions.yml | 4 +++- load-code/pe/parse-pe-header.yml | 4 +++- load-code/pe/rebuild-import-table.yml | 4 +++- load-code/pe/resolve-function-by-parsing-pe-exports.yml | 4 +++- load-code/powershell/run-powershell-expression.yml | 4 +++- load-code/shellcode/execute-shellcode-via-copyfile2.yml | 4 +++- .../shellcode/execute-shellcode-via-createthreadpoolwait.yml | 4 +++- .../execute-shellcode-via-windows-callback-function.yml | 4 +++- load-code/shellcode/execute-shellcode-via-windows-fibers.yml | 4 +++- load-code/shellcode/spawn-thread-to-rwx-shellcode.yml | 4 +++- malware-family/plugx/match-known-plugx-module.yml | 4 +++- nursery/access-wmi-data-in-dotnet.yml | 4 +++- nursery/add-file-to-cabinet-file.yml | 4 +++- 
nursery/add-user-account-group.yml | 4 +++- nursery/add-user-account-to-group.yml | 4 +++- nursery/add-user-account.yml | 4 +++- nursery/add-value-to-global-atom-table.yml | 4 +++- nursery/allocate-unmanaged-memory-in-dotnet.yml | 4 +++- nursery/append-data-to-clfs-log-container.yml | 4 +++- nursery/authenticate-data-with-md5-mac.yml | 4 +++- nursery/build-docker-image.yml | 4 +++- .../bypass-uac-via-scheduled-task-environment-variable.yml | 4 +++- nursery/capture-network-configuration-via-ifconfig.yml | 4 +++- nursery/capture-process-snapshot-data.yml | 4 +++- nursery/capture-screenshot-in-go.yml | 4 +++- nursery/capture-webcam-video.yml | 4 +++- nursery/change-user-account-password.yml | 4 +++- nursery/check-clipboard-data.yml | 4 +++- nursery/check-file-extension-in-dotnet.yml | 4 +++- nursery/check-for-minimum-number-of-windows-on-screen.yml | 4 +++- nursery/check-for-process-debug-object.yml | 4 +++- nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml | 4 +++- nursery/check-for-vm-using-instruction-vpcext.yml | 4 +++- nursery/check-for-windows-sandbox-via-mutex.yml | 4 +++- nursery/check-for-windows-sandbox-via-subdirectory.yml | 4 +++- nursery/check-if-directory-exists.yml | 4 +++- nursery/check-license-value.yml | 4 +++- nursery/check-processdebugflags.yml | 4 +++- nursery/check-systemkerneldebuggerinformation.yml | 4 +++- nursery/check-thread-yield-allowed.yml | 4 +++- nursery/clear-clipboard-data.yml | 4 +++- nursery/collect-ssh-keys.yml | 4 +++- ...unicate-with-kernel-module-via-netlink-socket-on-linux.yml | 4 +++- nursery/compare-security-identifiers.yml | 4 +++- nursery/compile-csharp-in-dotnet.yml | 4 +++- nursery/compile-dotnet-assembly.yml | 4 +++- nursery/compile-visual-basic-in-dotnet.yml | 4 +++- nursery/compiled-from-epl.yml | 4 +++- nursery/compiled-with-exescript.yml | 4 +++- nursery/compress-data-using-gzip-in-dotnet.yml | 4 +++- nursery/connect-network-resource.yml | 4 +++- .../contain-a-thread-local-storage-tls-section-in-dotnet.yml 
| 4 +++- ...d-write-data-to-windows-directory-using-indirect-calls.yml | 4 +++- nursery/create-container.yml | 4 +++- nursery/create-process-via-wmi-in-dotnet.yml | 4 +++- nursery/create-registry-key-via-stdregprov.yml | 4 +++- nursery/create-restart-manager-session.yml | 4 +++- nursery/create-zip-archive-in-dotnet.yml | 4 +++- nursery/debug-build.yml | 4 +++- nursery/decode-data-using-base64-in-dotnet.yml | 4 +++- nursery/decode-data-using-url-encoding.yml | 4 +++- nursery/decrypt-data-using-rsa.yml | 4 +++- nursery/decrypt-data-via-sspi.yml | 4 +++- nursery/delete-internet-cache.yml | 4 +++- nursery/delete-registry-key-via-offline-registry-library.yml | 4 +++- nursery/delete-registry-key-via-stdregprov.yml | 4 +++- nursery/delete-registry-value-via-stdregprov.yml | 4 +++- nursery/delete-user-account-from-group.yml | 4 +++- nursery/delete-user-account-group.yml | 4 +++- nursery/delete-user-account.yml | 4 +++- nursery/delete-windows-backup-catalog.yml | 4 +++- nursery/deserialize-json-in-dotnet.yml | 4 +++- nursery/destroy-software-breakpoint-capability.yml | 4 +++- nursery/disable-automatic-windows-recovery-features.yml | 4 +++- nursery/display-service-notification-message-box.yml | 4 +++- nursery/empty-the-recycle-bin.yml | 4 +++- nursery/enable-safe-mode-boot.yml | 4 +++- nursery/encrypt-data-using-aes-via-x86-extensions.yml | 4 +++- nursery/encrypt-data-using-aes.yml | 4 +++- nursery/encrypt-data-using-fakem-cipher.yml | 4 +++- nursery/encrypt-data-using-openssl-dsa.yml | 4 +++- nursery/encrypt-data-using-openssl-ecdsa.yml | 4 +++- nursery/encrypt-data-using-openssl-rsa.yml | 4 +++- nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 4 +++- nursery/encrypt-data-using-rsa.yml | 4 +++- nursery/encrypt-data-using-salsa20-or-chacha.yml | 4 +++- nursery/encrypt-data-via-sspi.yml | 4 +++- nursery/encrypt-or-decrypt-data-via-bcrypt.yml | 4 +++- nursery/enumerate-browser-history.yml | 4 +++- nursery/enumerate-device-drivers-on-linux.yml | 4 +++- 
nursery/enumerate-device-drivers-on-windows.yml | 4 +++- nursery/enumerate-disk-volumes.yml | 4 +++- nursery/enumerate-drives.yml | 4 +++- nursery/enumerate-internet-cache.yml | 4 +++- nursery/enumerate-network-shares.yml | 4 +++- nursery/enumerate-pe-sections-in-dotnet.yml | 4 +++- nursery/enumerate-processes-that-use-resource.yml | 4 +++- nursery/enumerate-processes-via-procfs.yml | 4 +++- nursery/enumerate-system-firmware-tables.yml | 4 +++- nursery/execute-dotnet-assembly.yml | 4 +++- .../execute-shell-command-via-windows-remote-management.yml | 4 +++- nursery/execute-shellcode-via-indirect-call.yml | 4 +++- nursery/execute-sqlite-statement-in-dotnet.yml | 4 +++- nursery/execute-syscall-instruction.yml | 4 +++- nursery/execute-via-asynchronous-task-in-dotnet.yml | 4 +++- nursery/execute-via-timer-in-dotnet.yml | 4 +++- nursery/extract-zip-archive-in-dotnet.yml | 4 +++- nursery/find-data-using-regex-in-dotnet.yml | 4 +++- nursery/find-process-by-name.yml | 4 +++- nursery/flush-cabinet-file.yml | 4 +++- nursery/generate-method-via-reflection-in-dotnet.yml | 4 +++- nursery/generate-random-bytes-in-dotnet.yml | 4 +++- nursery/generate-random-filename-in-dotnet.yml | 4 +++- nursery/generate-random-numbers-in-dotnet.yml | 4 +++- nursery/generate-random-numbers-using-the-delphi-lcg.yml | 4 +++- nursery/get-client-handle-via-schannel.yml | 4 +++- nursery/get-current-pid-on-linux.yml | 4 +++- nursery/get-file-system-information-on-linux.yml | 4 +++- nursery/get-http-request-uri.yml | 4 +++- nursery/get-inbound-credentials-handle-via-credssp.yml | 4 +++- nursery/get-mac-address-on-linux.yml | 4 +++- nursery/get-networking-parameters.yml | 4 +++- nursery/get-ntoskrnl-base-address.yml | 4 +++- nursery/get-os-information-via-kuser_shared_data.yml | 4 +++- nursery/get-os-version-in-dotnet.yml | 4 +++- nursery/get-password-database-entry-on-linux.yml | 4 +++- nursery/get-process-image-filename.yml | 4 +++- nursery/get-proxy.yml | 4 +++- 
nursery/get-remote-cert-context-via-schannel.yml | 4 +++- nursery/get-routing-table.yml | 4 +++- nursery/get-session-information.yml | 4 +++- nursery/get-socket-information.yml | 4 +++- nursery/get-storage-device-properties.yml | 4 +++- nursery/get-system-firmware-table.yml | 4 +++- nursery/get-system-information-on-linux.yml | 4 +++- nursery/get-system-web-proxy.yml | 4 +++- nursery/get-thread-local-storage-value.yml | 4 +++- nursery/get-token-privileges.yml | 4 +++- nursery/hash-data-using-aphash.yml | 4 +++- nursery/hash-data-using-crc32b.yml | 4 +++- nursery/hash-data-using-jshash.yml | 4 +++- nursery/hash-data-using-md4.yml | 4 +++- nursery/hash-data-using-murmur2.yml | 4 +++- nursery/hash-data-using-ripemd128.yml | 4 +++- nursery/hash-data-using-ripemd256.yml | 4 +++- nursery/hash-data-using-ripemd320.yml | 4 +++- nursery/hash-data-using-rshash.yml | 4 +++- nursery/hash-data-using-sha1-via-wincrypt.yml | 4 +++- nursery/hash-data-using-sha1-via-x86-extensions.yml | 4 +++- nursery/hash-data-using-sha256-via-x86-extensions.yml | 4 +++- nursery/hash-data-using-sha512managed-in-dotnet.yml | 4 +++- nursery/hash-data-using-whirlpool.yml | 4 +++- nursery/hash-data-via-bcrypt.yml | 4 +++- nursery/hook-routines-via-microsoft-detours.yml | 4 +++- nursery/hooked-by-api-override.yml | 4 +++- nursery/impersonate-user.yml | 4 +++- nursery/implement-com-dll.yml | 4 +++- nursery/initialize-hashing-via-wincrypt.yml | 4 +++- nursery/inspect-load-icon-resource.yml | 4 +++- nursery/interact-with-iptables.yml | 4 +++- nursery/invoke-dotnet-assembly-method.yml | 4 +++- nursery/link-function-at-runtime-on-linux.yml | 4 +++- nursery/linked-against-cpp-http-library.yml | 4 +++- nursery/linked-against-cpp-json-library.yml | 4 +++- nursery/linked-against-cpp-regex-library.yml | 4 +++- nursery/linked-against-go-process-enumeration-library.yml | 4 +++- nursery/linked-against-go-registry-library.yml | 4 +++- nursery/linked-against-go-static-asset-library.yml | 4 +++- 
nursery/linked-against-go-wmi-library.yml | 4 +++- nursery/linked-against-libsodium.yml | 4 +++- nursery/linked-against-xzip.yml | 4 +++- nursery/list-containers.yml | 4 +++- nursery/list-domain-servers.yml | 4 +++- nursery/list-drag-and-drop-files.yml | 4 +++- nursery/list-groups-for-user-account.yml | 4 +++- nursery/list-tcp-connections-and-listeners.yml | 4 +++- nursery/list-udp-connections-and-listeners.yml | 4 +++- nursery/list-user-account-groups.yml | 4 +++- nursery/list-user-accounts-for-group.yml | 4 +++- nursery/list-user-accounts.yml | 4 +++- nursery/listen-for-remote-procedure-calls.yml | 4 +++- nursery/load-dotnet-assembly.yml | 4 +++- nursery/load-xml-in-dotnet.yml | 4 +++- nursery/log-keystrokes-via-input-method-manager.yml | 4 +++- nursery/log-keystrokes-via-raw-input-data.yml | 4 +++- nursery/make-an-http-request-with-a-cookie.yml | 4 +++- nursery/manipulate-console-window.yml | 4 +++- nursery/manipulate-network-credentials-in-dotnet.yml | 4 +++- nursery/manipulate-unmanaged-memory-in-dotnet.yml | 4 +++- nursery/manipulate-user-privileges.yml | 4 +++- nursery/mark-thread-detached-on-linux.yml | 4 +++- nursery/migrate-process-to-active-window-station.yml | 4 +++- nursery/mixed-mode.yml | 4 +++- nursery/monitor-clipboard-content.yml | 4 +++- nursery/monitor-local-ipv4-address-changes.yml | 4 +++- nursery/move-directory.yml | 4 +++- nursery/obfuscated-with-koivm.yml | 4 +++- nursery/open-cabinet-file.yml | 4 +++- nursery/packaged-as-a-createinstall-installer.yml | 4 +++- nursery/packaged-as-a-nsis-installer.yml | 4 +++- nursery/packaged-as-a-pintool.yml | 4 +++- nursery/packaged-as-a-winzip-self-extracting-archive.yml | 4 +++- nursery/packaged-as-a-wise-installer.yml | 4 +++- nursery/packaged-as-an-installshield-installer.yml | 4 +++- nursery/packed-with-ccg.yml | 4 +++- nursery/packed-with-crunch.yml | 4 +++- nursery/packed-with-dragon-armor.yml | 4 +++- nursery/packed-with-enigma.yml | 4 +++- nursery/packed-with-epack.yml | 4 +++- 
nursery/packed-with-maskpe.yml | 4 +++- nursery/packed-with-mew.yml | 4 +++- nursery/packed-with-mpress.yml | 4 +++- nursery/packed-with-neolite.yml | 4 +++- nursery/packed-with-pepack.yml | 4 +++- nursery/packed-with-perplex.yml | 4 +++- nursery/packed-with-procrypt.yml | 4 +++- nursery/packed-with-rpcrypt.yml | 4 +++- nursery/packed-with-seausfx.yml | 4 +++- nursery/packed-with-shrinker.yml | 4 +++- nursery/packed-with-simple-pack.yml | 4 +++- nursery/packed-with-starforce.yml | 4 +++- nursery/packed-with-svkp.yml | 4 +++- nursery/packed-with-tsuloader.yml | 4 +++- nursery/packed-with-vprotect.yml | 4 +++- nursery/packed-with-wwpack.yml | 4 +++- nursery/parse-url.yml | 4 +++- nursery/persist-via-gnome-autostart-on-linux.yml | 4 +++- nursery/power-down-monitor.yml | 4 +++- nursery/prompt-user-for-credentials.yml | 4 +++- nursery/query-or-enumerate-registry-key-via-stdregprov.yml | 4 +++- nursery/query-or-enumerate-registry-value-via-stdregprov.yml | 4 +++- nursery/query-remote-server-for-available-data.yml | 4 +++- nursery/read-and-send-data-from-client-to-server.yml | 4 +++- nursery/read-process-memory.yml | 4 +++- nursery/read-raw-disk-data.yml | 4 +++- nursery/rebuilt-by-imprec.yml | 4 +++- nursery/receive-and-write-data-from-server-to-client.yml | 4 +++- nursery/reference-114dns-dns-server.yml | 4 +++- nursery/reference-aes-constants.yml | 4 +++- nursery/reference-alidns-dns-server.yml | 4 +++- nursery/reference-base58-string.yml | 4 +++- nursery/reference-cloudflare-dns-server.yml | 4 +++- nursery/reference-comodo-secure-dns-server.yml | 4 +++- nursery/reference-cryptocurrency-strings.yml | 4 +++- nursery/reference-google-public-dns-server.yml | 4 +++- nursery/reference-hurricane-electric-dns-server.yml | 4 +++- nursery/reference-kornet-dns-server.yml | 4 +++- nursery/reference-l3-dns-server.yml | 4 +++- nursery/reference-opendns-dns-server.yml | 4 +++- nursery/reference-processor-manufacturer-constants.yml | 4 +++- nursery/reference-quad9-dns-server.yml | 4 
+++- nursery/reference-screen-saver-executable.yml | 4 +++- nursery/reference-startup-folder.yml | 4 +++- nursery/reference-the-vmware-io-port.yml | 4 +++- nursery/reference-verisign-dns-server.yml | 4 +++- nursery/register-http-server-url.yml | 4 +++- nursery/register-raw-input-devices.yml | 4 +++- nursery/resize-volume-shadow-copy-storage.yml | 4 +++- nursery/resolve-function-by-djb2-hash.yml | 4 +++- nursery/resolve-function-by-fnv-1a-hash.yml | 4 +++- nursery/resolve-function-by-hash.yml | 4 +++- nursery/run-in-container.yml | 4 +++- nursery/save-image-in-dotnet.yml | 4 +++- nursery/schedule-task-via-itaskservice.yml | 4 +++- nursery/search-for-credit-card-data.yml | 4 +++- nursery/send-data-to-internet.yml | 4 +++- nursery/send-email-in-dotnet.yml | 4 +++- nursery/send-http-request-with-host-header.yml | 4 +++- nursery/send-keystrokes.yml | 4 +++- nursery/send-request-in-dotnet.yml | 4 +++- nursery/send-sms-on-android.yml | 4 +++- nursery/serialize-json-in-dotnet.yml | 4 +++- nursery/set-current-directory.yml | 4 +++- nursery/set-global-application-hook.yml | 4 +++- nursery/set-http-cookie.yml | 4 +++- nursery/set-http-user-agent-in-dotnet.yml | 4 +++- nursery/set-registry-value-via-stdregprov.yml | 4 +++- nursery/set-thread-name-on-linux.yml | 4 +++- nursery/set-web-proxy-in-dotnet.yml | 4 +++- nursery/terminate-process-by-name-in-dotnet.yml | 4 +++- nursery/terminate-process-by-name.yml | 4 +++- nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml | 4 +++- nursery/unmanaged-call.yml | 4 +++- persistence/act-as-dhcp-server-callout-dll.yml | 4 +++- persistence/act-as-dns-server-plugin-dll.yml | 4 +++- .../authentication-process/act-as-credential-manager-dll.yml | 4 +++- .../authentication-process/act-as-password-filter-dll.yml | 4 +++- .../act-as-security-support-provider-dll.yml | 4 +++- .../act-as-subauthentication-package-dll.yml | 4 +++- persistence/create-shortcut-via-ishelllink.yml | 4 +++- persistence/exchange/act-as-exchange-transport-agent.yml | 4 
+++- persistence/iis/persist-via-iis-module.yml | 4 +++- persistence/iis/persist-via-isapi-extension.yml | 4 +++- persistence/office/act-as-excel-xll-add-in.yml | 4 +++- persistence/office/act-as-office-com-add-in.yml | 4 +++- persistence/office/act-as-word-wll-add-in.yml | 4 +++- persistence/persist-via-desktop-autostart.yml | 4 +++- persistence/persist-via-shell-profile-or-rc-file.yml | 4 +++- .../disable-appinit_dlls-code-signature-enforcement.yml | 4 +++- .../appinitdlls/persist-via-appinit_dlls-registry-key.yml | 4 +++- .../registry/ginadll/persist-via-ginadll-registry-key.yml | 4 +++- .../registry/persist-via-active-setup-registry-key.yml | 4 +++- persistence/registry/run/persist-via-run-registry-key.yml | 4 +++- .../persist-via-winlogon-helper-dll-registry-key.yml | 4 +++- persistence/scheduled-tasks/schedule-task-via-at.yml | 4 +++- .../scheduled-tasks/schedule-task-via-itaskscheduler.yml | 4 +++- persistence/scheduled-tasks/schedule-task-via-schtasks.yml | 4 +++- persistence/service/persist-via-rc-script.yml | 4 +++- persistence/service/persist-via-windows-service.yml | 4 +++- persistence/startup-folder/get-startup-folder.yml | 4 +++- persistence/startup-folder/write-file-to-startup-folder.yml | 4 +++- runtime/dotnet/compiled-to-the-dotnet-platform.yml | 4 +++- runtime/dotnet/execute-via-dotnet-startup-hook.yml | 4 +++- .../diebold-nixdorf/load-diebold-nixdorf-atm-library.yml | 4 +++- .../diebold-nixdorf/reference-diebold-atm-routines.yml | 4 +++- .../identify-atm-dispenser-service-provider.yml | 4 +++- .../automated-teller-machine/ncr/load-ncr-atm-library.yml | 4 +++- .../ncr/reference-ncr-atm-library-routines.yml | 4 +++- targeting/language/identify-system-language-via-api.yml | 4 +++- 847 files changed, 2541 insertions(+), 847 deletions(-) 
diff --git a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
index 0ff303f81..509313e89 100644
--- a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
+++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-av
 authors:
 - jakub.jozwiak@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
index 9c7ffc69e..f88c5428f 100644
--- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
+++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-av
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
 - Anti-Behavioral Analysis::Sandbox Detection [B0007]
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index bce84559c..e6b51df19 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-av
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
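Review bot: The script-generated placeholder `dynamic: thread # TODO check if scope call instead` is committed as the rule's dynamic scope, so what ships is a guess rather than a reviewed value, and the same placeholder appears in check-for-sandbox-and-av-modules, protect-spawned-processes-with-mitigation-policies and crash-the-windows-event-logging-service, with the mirror-image `dynamic: call # TODO check if scope thread instead` in check-for-outputdebugstring-error, check-for-unexpected-memory-writes, check-processdebugport and spoof-parent-pid. If this rule's features amount to a single API call (its static scope was `basic block`, which suggests so), `call` is presumably the tighter dynamic scope; matching at `thread` scope instead widens what counts as a hit on a dynamic trace. Either resolve each TODO in this series or record them in a tracking issue, and say in the PR description that these values are provisional so the comments are not mistaken for settled decisions.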
diff --git a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
index e96604b2f..1e23aaeb2 100644
--- a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
+++ b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-av
 authors:
 - jakub.jozwiak@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
index 86b4d7bdb..e82935b8e 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]
 - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
index a053a1731..20f873f12 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
index 8ff372a7a..5232dd9df 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
index 1fd5dc6bb..03726d770 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
 examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
index ce30cc8c3..32fc1d127 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires offset features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
index c0fc48717..9fbffe04e 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index 18bc29b2e..f8ff190e6 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
index 9e14035a9..36698f665 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
index ea7651c5a..6d8f7ffb5 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]
 examples:
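Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` leaves this rule without a usable dynamic scope, and the nested subscope block in its features (outside this hunk) presumably still carries only the static scope name, so the rule will not match on dynamic traces until someone finishes the upgrade by hand. The same placeholder appears in check-process-job-object, hide-thread-from-debugger and clear-windows-event-logs in this series. That is acceptable as a staging step, but it should be stated in the PR description or a tracking issue so a reader does not confuse it with a deliberate `unsupported`, which the other hunks use to mean "cannot be expressed with dynamic features".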
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
index fe9520476..f1656e395 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
 examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
index c504d5bb3..ba561e738 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
index e2bb60d8d..66dafe3b7 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index 7f1439599..3dd92a349 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
index fc1cbc382..0e49e4792 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
index 857fedb5d..573617ddf 100644
--- a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]
 examples:
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index 7f50b0e22..cebab2881 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
index 6cdac8faa..822f1b661 100644
--- a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
+++ b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - awillia2@cisco.com
 description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate)
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, mnemonic features
 mbc:
 - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008]
 references:
diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
index e22ec11a6..cf6d86659 100644
--- a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
+++ b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-disasm
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Anti-Static Analysis::Disassembler Evasion [B0012]
 examples:
diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
index 7e3933f02..61e60213c 100644
--- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
+++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-emulation/wine
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index 0b72f2ce2..b7dc9d1e9 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-forensic/clear-logs
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
 examples:
diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
index 41f4e9fbf..44d865d50 100644
--- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
+++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-forensic
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
 references:
diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
index ccf77d086..c21faefe4 100644
--- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml
+++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - awillia2@cisco.com
 description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Indicator Removal [T1070]
 references:
diff --git a/anti-analysis/anti-forensic/patch-process-command-line.yml b/anti-analysis/anti-forensic/patch-process-command-line.yml
index 12a9f51d8..4a1d0f021 100644
--- a/anti-analysis/anti-forensic/patch-process-command-line.yml
+++ b/anti-analysis/anti-forensic/patch-process-command-line.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, offset features
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 0b0b75f14..c467d957d 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
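Review bot: `dynamic: thread # TODO check if scope call instead` in crash-the-windows-event-logging-service.yml widens a rule that was `basic block` at static scope to, as I understand the dynamic scopes, every call a thread makes; features that previously had to sit in one short block of adjacent instructions now only have to appear somewhere in the same thread, which is a plausible false-positive source for rules built from combinations of common APIs. The script made the opposite choice, `call`, for the equally basic-block-scoped spoof-parent-pid.yml and contain-obfuscated-stackstrings.yml, so the two mappings should be reconciled with a stated rule rather than left as mirror-image TODOs. The same `thread` TODO recurs in check-for-windows-sandbox-via-device.yml, check-for-windows-sandbox-via-process-name.yml, packed-with-generic-packer.yml and acquire-credentials-from-windows-credential-manager.yml; if the TODOs must land, a short comment on the rule stating which scope was verified against the listed examples would make the later manual pass much cheaper.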
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
 mbc:
diff --git a/anti-analysis/anti-forensic/spoof-parent-pid.yml b/anti-analysis/anti-forensic/spoof-parent-pid.yml
index 81e4cac36..6b1344d76 100644
--- a/anti-analysis/anti-forensic/spoof-parent-pid.yml
+++ b/anti-analysis/anti-forensic/spoof-parent-pid.yml
@@ -5,7 +5,9 @@ rule:
 namespace: anti-analysis/anti-forensic
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
 references:
diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
index f5dfdf481..2041fc937 100644
--- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
+++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-forensic/timestomp
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
 examples:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
index 412bc98e2..1058f48f4 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - ervin.ocampo@mandiant.com
 description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, mnemonic features
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
index 0aaeadff1..6471461d7 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
index 50a2d18ae..8b7e3e9ad 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - "echernofsky@google.com"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml b/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
index 1fe948375..e9f398a81 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - BitsOfBinary
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
index 7a23ab587..4a5f2492d 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml
index f3426eb51..ee9f88c53 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset features
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
index 9d1d548ae..730119f0b 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
index f3fcb7116..b51b7e09b 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
index a529a98d0..a6cbfbec2 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index e19528ffe..2425a19a8 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -5,7 +5,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - anders.vejlby@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
index 56c830688..cba1a9eb5 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -5,7 +5,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - anders.vejlby@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml
index 33cd55c2c..b25cc26bc 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml
index c9ebbf58c..fe62a87d3 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
index 208f7fe5c..2c54cdddb 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml
index d5dfab881..69fe0a33e 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
index 71b42490f..04cb942a9 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - "@johnk3r"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
index 04c9e58cf..3beb59be9 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
index b68d3f4b1..100d33574 100644
--- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
+++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml
index 547b7354c..9e803df0b 100644
--- a/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml
index e664fe3ff..533aed0e9 100644
--- a/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml
index 2426a94c2..35c4e0189 100644
--- a/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - johnk3r
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml
index d93d12406..2881966f5 100644
--- a/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml
index 1758eeff4..0e18b2bf5 100644
--- a/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml b/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml
index a3412a291..fb9e7e911 100644
--- a/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml
index 21ea9be4e..ff7115b5e 100644
--- a/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml b/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml
index bd4329977..5e3fa94c0 100644
--- a/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/obfuscated-with-yano.yml b/anti-analysis/obfuscation/obfuscated-with-yano.yml
index ca1dbc27c..d24ac0bfb 100644
--- a/anti-analysis/obfuscation/obfuscated-with-yano.yml
+++ b/anti-analysis/obfuscation/obfuscated-with-yano.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
index 9df3b4527..2c038c892 100644
--- a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
+++ b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation/string/stackstring
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 mbc:
diff --git a/anti-analysis/packer/amber/packed-with-amber.yml b/anti-analysis/packer/amber/packed-with-amber.yml
index 946dc2d73..806b6946b 100644
--- a/anti-analysis/packer/amber/packed-with-amber.yml
+++ b/anti-analysis/packer/amber/packed-with-amber.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/amber
 authors:
 - "john.gorman@mandiant.com"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/aspack/packed-with-aspack.yml b/anti-analysis/packer/aspack/packed-with-aspack.yml
index 8b2bb84a4..cf7382f99 100644
--- a/anti-analysis/packer/aspack/packed-with-aspack.yml
+++ b/anti-analysis/packer/aspack/packed-with-aspack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/aspack
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/confuser/packed-with-confuser.yml b/anti-analysis/packer/confuser/packed-with-confuser.yml
index 1139026fb..5ae052104 100644
--- a/anti-analysis/packer/confuser/packed-with-confuser.yml
+++ b/anti-analysis/packer/confuser/packed-with-confuser.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/confuser
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires class features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml
index 1a9258d74..bfe3bec6f 100644
--- a/anti-analysis/packer/generic/packed-with-generic-packer.yml
+++ b/anti-analysis/packer/generic/packed-with-generic-packer.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/generic
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/gopacker/packed-with-gopacker.yml b/anti-analysis/packer/gopacker/packed-with-gopacker.yml
index 47bc95c6d..2ece8830f 100644
--- a/anti-analysis/packer/gopacker/packed-with-gopacker.yml
+++ b/anti-analysis/packer/gopacker/packed-with-gopacker.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - jared.wilson@mandiant.com
 description: The sample appears to be packed with GoPacker.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/huan/packed-with-huan.yml b/anti-analysis/packer/huan/packed-with-huan.yml
index d3dbd44d3..f65622051 100644
--- a/anti-analysis/packer/huan/packed-with-huan.yml
+++ b/anti-analysis/packer/huan/packed-with-huan.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/huan
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml b/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml
index eabe63b76..4eabfa4a8 100644
--- a/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml
+++ b/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/kkrunchy
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/nspack/packed-with-nspack.yml b/anti-analysis/packer/nspack/packed-with-nspack.yml
index c6070a7aa..9eab472a3 100644
--- a/anti-analysis/packer/nspack/packed-with-nspack.yml
+++ b/anti-analysis/packer/nspack/packed-with-nspack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/nspack
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/pebundle/packed-with-pebundle.yml b/anti-analysis/packer/pebundle/packed-with-pebundle.yml
index 9da8d71ac..68eefea0a 100644
--- a/anti-analysis/packer/pebundle/packed-with-pebundle.yml
+++ b/anti-analysis/packer/pebundle/packed-with-pebundle.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/pebundle
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/pecompact/packed-with-pecompact.yml b/anti-analysis/packer/pecompact/packed-with-pecompact.yml
index 0aff39449..a203b3d6b 100644
--- a/anti-analysis/packer/pecompact/packed-with-pecompact.yml
+++ b/anti-analysis/packer/pecompact/packed-with-pecompact.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/pecompact
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml b/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml
index 9a0377482..9a76a5fe7 100644
--- a/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml
+++ b/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/pelocknt
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/peshield/packed-with-peshield.yml b/anti-analysis/packer/peshield/packed-with-peshield.yml
index 2a8ee5deb..e76a283ea 100644
--- a/anti-analysis/packer/peshield/packed-with-peshield.yml
+++ b/anti-analysis/packer/peshield/packed-with-peshield.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/peshield
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/pespin/packed-with-pespin.yml b/anti-analysis/packer/pespin/packed-with-pespin.yml
index 9377a1510..7e3a5dc9e 100644
--- a/anti-analysis/packer/pespin/packed-with-pespin.yml
+++ b/anti-analysis/packer/pespin/packed-with-pespin.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/pespin
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/petite/packed-with-petite.yml b/anti-analysis/packer/petite/packed-with-petite.yml
index 82df3cc23..12dd911b6 100644
--- a/anti-analysis/packer/petite/packed-with-petite.yml
+++ b/anti-analysis/packer/petite/packed-with-petite.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/petite
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/rlpack/packed-with-rlpack.yml b/anti-analysis/packer/rlpack/packed-with-rlpack.yml
index b6cae30cb..3551dcd31 100644
--- a/anti-analysis/packer/rlpack/packed-with-rlpack.yml
+++ b/anti-analysis/packer/rlpack/packed-with-rlpack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/rlpack
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/themida/packed-with-themida.yml b/anti-analysis/packer/themida/packed-with-themida.yml
index 758a41f54..9320e4cba 100644
--- a/anti-analysis/packer/themida/packed-with-themida.yml
+++ b/anti-analysis/packer/themida/packed-with-themida.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/themida
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/upack/packed-with-upack.yml b/anti-analysis/packer/upack/packed-with-upack.yml
index e31c984b7..ea4420ebe 100644
--- a/anti-analysis/packer/upack/packed-with-upack.yml
+++ b/anti-analysis/packer/upack/packed-with-upack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/upack
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/upx/packed-with-upx.yml b/anti-analysis/packer/upx/packed-with-upx.yml
index ee87c947c..27396d097 100644
--- a/anti-analysis/packer/upx/packed-with-upx.yml
+++ b/anti-analysis/packer/upx/packed-with-upx.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/upx
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml b/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml
index 68ffb0932..edf1872a3 100644
--- a/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml
+++ b/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/vmprotect
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml b/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml
index af95dd95c..bcc70ca68 100644
--- a/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml
+++ b/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/y0da
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/anti-analysis/reference-analysis-tools-strings.yml b/anti-analysis/reference-analysis-tools-strings.yml
index b0e80c5c7..22624d9bc 100644
--- a/anti-analysis/reference-analysis-tools-strings.yml
+++ b/anti-analysis/reference-analysis-tools-strings.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Discovery::Analysis Tool Discovery::Process detection [B0013.001]
 references:
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 73777b3b1..2d1dd88b2 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -5,7 +5,9 @@ rule:
 namespace: collection
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
 examples:
diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml
index a2020985b..7fa879acc 100644
--- a/collection/browser/gather-chrome-based-browser-login-information.yml
+++ b/collection/browser/gather-chrome-based-browser-login-information.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - still@teamt5.org
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
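Review bot: The new `dynamic: thread` line in the acquire-credentials-from-windows-credential-manager hunk carries an unresolved `# TODO check if scope call instead` comment, so the dynamic scope is committed as explicitly unverified; the same open TODO appears in the log-keystrokes-via-application-hook hunk further down. The rule bodies are outside these hunks, but presumably a thread scope allows the required features to be satisfied by different API calls within one thread, whereas a call scope ties them to a single call, so the wrong choice changes which dynamic traces match and how noisy the rule is. Settle the scope (or move the question to a tracking issue) before merging, and leave the metadata line clean, e.g. `dynamic: thread` or `dynamic: call` without the trailing comment.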
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 6e268da2b..e60fae03a 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - still@teamt5.org
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml
index cd551c621..855d0686e 100644
--- a/collection/credit-card/parse-credit-card-information.yml
+++ b/collection/credit-card/parse-credit-card-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/credit-card
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic, Not features
 mbc:
 - Data::Check String [C0019]
 examples:
diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
index 303f7e955..fb7daa570 100644
--- a/collection/database/sql/reference-sql-statements.yml
+++ b/collection/database/sql/reference-sql-statements.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/database/sql
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
index 6db0b12a1..18bbcf721 100644
--- a/collection/database/wmi/reference-wmi-statements.yml
+++ b/collection/database/wmi/reference-wmi-statements.yml
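Review bot: The comment `# requires mnemonic, Not features` on the new `dynamic: unsupported` line in the parse-credit-card-information hunk is too terse to justify the decision: it does not say that mnemonic features come from disassembly and so cannot be observed in a dynamic trace, and the capitalised `Not` is ambiguous between the `not:` logic statement and a typo for "not". Suggest `# unsupported: the rule depends on mnemonic features, which dynamic traces do not provide`, adjusted if `not:` statements are the real reason. The rule logic itself is outside this hunk, so this reading is inferred from the comment alone.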
@@ -4,7 +4,9 @@ rule:
 namespace: collection/database/wmi
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
index 1b2637510..183e7e6c6 100644
--- a/collection/file-managers/gather-3d-ftp-information.yml
+++ b/collection/file-managers/gather-3d-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
index 0464e22bd..c177630d9 100644
--- a/collection/file-managers/gather-alftp-information.yml
+++ b/collection/file-managers/gather-alftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
index f714b513b..610692a2a 100644
--- a/collection/file-managers/gather-bitkinex-information.yml
+++ b/collection/file-managers/gather-bitkinex-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
index 900a14e0f..50c464f3c 100644
--- a/collection/file-managers/gather-blazeftp-information.yml
+++ b/collection/file-managers/gather-blazeftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
index ddc4d2acb..eff43d32e 100644
--- a/collection/file-managers/gather-bulletproof-ftp-information.yml
+++ b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
index bea23c3d6..9fa41274a 100644
--- a/collection/file-managers/gather-classicftp-information.yml
+++ b/collection/file-managers/gather-classicftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
index 118827240..052fb224c 100644
--- a/collection/file-managers/gather-coreftp-information.yml
+++ b/collection/file-managers/gather-coreftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
index 6bdb13fc6..78c21fd9b 100644
--- a/collection/file-managers/gather-cuteftp-information.yml
+++ b/collection/file-managers/gather-cuteftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
index 9e2473e24..dd094e440 100644
--- a/collection/file-managers/gather-cyberduck-information.yml
+++ b/collection/file-managers/gather-cyberduck-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
index bee5d1f79..30b4d1b87 100644
--- a/collection/file-managers/gather-direct-ftp-information.yml
+++ b/collection/file-managers/gather-direct-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
index 6310f16d8..93e6ca5aa 100644
--- a/collection/file-managers/gather-directory-opus-information.yml
+++ b/collection/file-managers/gather-directory-opus-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
index cadd077fc..0fec6df2d 100644
--- a/collection/file-managers/gather-expandrive-information.yml
+++ b/collection/file-managers/gather-expandrive-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
index de98c2bf3..94d481207 100644
--- a/collection/file-managers/gather-faststone-browser-information.yml
+++ b/collection/file-managers/gather-faststone-browser-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
index 3f699652b..3c210f019 100644
--- a/collection/file-managers/gather-fasttrack-ftp-information.yml
+++ b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
index d6082f493..7ab79002c 100644
--- a/collection/file-managers/gather-ffftp-information.yml
+++ b/collection/file-managers/gather-ffftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml
index 6409b3aa4..9f9b48e2d 100644
--- a/collection/file-managers/gather-filezilla-information.yml
+++ b/collection/file-managers/gather-filezilla-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml
index 3f82c5a94..cfd1e836a 100644
--- a/collection/file-managers/gather-flashfxp-information.yml
+++ b/collection/file-managers/gather-flashfxp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml
index 266ea83a4..e09ac5ab4 100644
--- a/collection/file-managers/gather-fling-ftp-information.yml
+++ b/collection/file-managers/gather-fling-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml
index b77c089c4..74965be6b 100644
--- a/collection/file-managers/gather-freshftp-information.yml
+++ b/collection/file-managers/gather-freshftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-frigate3-information.yml b/collection/file-managers/gather-frigate3-information.yml
index 742233bfb..cd97ad7f0 100644
--- a/collection/file-managers/gather-frigate3-information.yml
+++ b/collection/file-managers/gather-frigate3-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-commander-information.yml b/collection/file-managers/gather-ftp-commander-information.yml
index 7bd8bc5eb..49f236baf 100644
--- a/collection/file-managers/gather-ftp-commander-information.yml
+++ b/collection/file-managers/gather-ftp-commander-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-explorer-information.yml b/collection/file-managers/gather-ftp-explorer-information.yml
index 96d06dbdb..7c4733dbd 100644
--- a/collection/file-managers/gather-ftp-explorer-information.yml
+++ b/collection/file-managers/gather-ftp-explorer-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-voyager-information.yml b/collection/file-managers/gather-ftp-voyager-information.yml
index e8c1405da..ee724d4c5 100644
--- a/collection/file-managers/gather-ftp-voyager-information.yml
+++ b/collection/file-managers/gather-ftp-voyager-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpgetter-information.yml b/collection/file-managers/gather-ftpgetter-information.yml
index 3c4393346..3a2412b7d 100644
--- a/collection/file-managers/gather-ftpgetter-information.yml
+++ b/collection/file-managers/gather-ftpgetter-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpinfo-information.yml b/collection/file-managers/gather-ftpinfo-information.yml
index 0008e9e39..e3fbfe1bc 100644
--- a/collection/file-managers/gather-ftpinfo-information.yml
+++ b/collection/file-managers/gather-ftpinfo-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpnow-information.yml b/collection/file-managers/gather-ftpnow-information.yml
index d2b21bcb0..5e3fe7045 100644
--- a/collection/file-managers/gather-ftpnow-information.yml
+++ b/collection/file-managers/gather-ftpnow-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-ftprush-information.yml b/collection/file-managers/gather-ftprush-information.yml
index 117a9e802..9fbb52929 100644
--- a/collection/file-managers/gather-ftprush-information.yml
+++ b/collection/file-managers/gather-ftprush-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpshell-information.yml b/collection/file-managers/gather-ftpshell-information.yml
index 136a8e5fd..50ff8d90b 100644
--- a/collection/file-managers/gather-ftpshell-information.yml
+++ b/collection/file-managers/gather-ftpshell-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-global-downloader-information.yml b/collection/file-managers/gather-global-downloader-information.yml
index 9ed4df526..bc3ee4469 100644
--- a/collection/file-managers/gather-global-downloader-information.yml
+++ b/collection/file-managers/gather-global-downloader-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-goftp-information.yml b/collection/file-managers/gather-goftp-information.yml
index 3462abb3c..c9766053e 100644
--- a/collection/file-managers/gather-goftp-information.yml
+++ b/collection/file-managers/gather-goftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-leapftp-information.yml b/collection/file-managers/gather-leapftp-information.yml
index 92d696286..425d76676 100644
--- a/collection/file-managers/gather-leapftp-information.yml
+++ b/collection/file-managers/gather-leapftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-netdrive-information.yml b/collection/file-managers/gather-netdrive-information.yml
index 1b875e136..652e2a1e7 100644
--- a/collection/file-managers/gather-netdrive-information.yml
+++ b/collection/file-managers/gather-netdrive-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nexusfile-information.yml b/collection/file-managers/gather-nexusfile-information.yml
index 06254cc58..971078177 100644
--- a/collection/file-managers/gather-nexusfile-information.yml
+++ b/collection/file-managers/gather-nexusfile-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nova-ftp-information.yml b/collection/file-managers/gather-nova-ftp-information.yml
index 09d81b662..d6ef16233 100644
--- a/collection/file-managers/gather-nova-ftp-information.yml
+++ b/collection/file-managers/gather-nova-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-robo-ftp-information.yml b/collection/file-managers/gather-robo-ftp-information.yml
index 74fb146e1..c35cef851 100644
--- a/collection/file-managers/gather-robo-ftp-information.yml
+++ b/collection/file-managers/gather-robo-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-securefx-information.yml b/collection/file-managers/gather-securefx-information.yml
index 594631043..90f4a390d 100644
--- a/collection/file-managers/gather-securefx-information.yml
+++ b/collection/file-managers/gather-securefx-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-smart-ftp-information.yml b/collection/file-managers/gather-smart-ftp-information.yml
index dff32f4a6..abefbdbfb 100644
--- a/collection/file-managers/gather-smart-ftp-information.yml
+++ b/collection/file-managers/gather-smart-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-softx-ftp-information.yml b/collection/file-managers/gather-softx-ftp-information.yml
index 22c507a9e..e785cfd7b 100644
--- a/collection/file-managers/gather-softx-ftp-information.yml
+++ b/collection/file-managers/gather-softx-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-southriver-webdrive-information.yml b/collection/file-managers/gather-southriver-webdrive-information.yml
index 5197b0903..7bb733d87 100644
--- a/collection/file-managers/gather-southriver-webdrive-information.yml
+++ b/collection/file-managers/gather-southriver-webdrive-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-staff-ftp-information.yml b/collection/file-managers/gather-staff-ftp-information.yml
index 6ee5de75c..a4ed16d6b 100644
--- a/collection/file-managers/gather-staff-ftp-information.yml
+++ b/collection/file-managers/gather-staff-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-total-commander-information.yml b/collection/file-managers/gather-total-commander-information.yml
index e2256187a..a8375545e 100644
--- a/collection/file-managers/gather-total-commander-information.yml
+++ b/collection/file-managers/gather-total-commander-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-turbo-ftp-information.yml b/collection/file-managers/gather-turbo-ftp-information.yml
index 1c9b8473f..5ee2ebe9d 100644
--- a/collection/file-managers/gather-turbo-ftp-information.yml
+++ b/collection/file-managers/gather-turbo-ftp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ultrafxp-information.yml b/collection/file-managers/gather-ultrafxp-information.yml
index dc0e57cdd..6476c708f 100644
--- a/collection/file-managers/gather-ultrafxp-information.yml
+++ b/collection/file-managers/gather-ultrafxp-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/file-managers
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-winscp-information.yml b/collection/file-managers/gather-winscp-information.yml
index 81152c90d..d6266afbb 100644
--- a/collection/file-managers/gather-winscp-information.yml
+++ b/collection/file-managers/gather-winscp-information.yml
@@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-winzip-information.yml b/collection/file-managers/gather-winzip-information.yml index 59f79aad5..775f081d3 100644 --- a/collection/file-managers/gather-winzip-information.yml +++ b/collection/file-managers/gather-winzip-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-wise-ftp-information.yml b/collection/file-managers/gather-wise-ftp-information.yml index 2d80d3330..1cb33b96e 100644 --- a/collection/file-managers/gather-wise-ftp-information.yml +++ b/collection/file-managers/gather-wise-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ws-ftp-information.yml b/collection/file-managers/gather-ws-ftp-information.yml index ce2c27b36..c6f3fbfb4 100644 --- a/collection/file-managers/gather-ws-ftp-information.yml +++ b/collection/file-managers/gather-ws-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-xftp-information.yml b/collection/file-managers/gather-xftp-information.yml index 484a27944..838fa9282 100644 --- a/collection/file-managers/gather-xftp-information.yml 
+++ b/collection/file-managers/gather-xftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/get-geographical-location.yml b/collection/get-geographical-location.yml index 35d9e78d1..761ba38f0 100644 --- a/collection/get-geographical-location.yml +++ b/collection/get-geographical-location.yml @@ -6,7 +6,9 @@ rule: authors: - moritz.raabe - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Location Discovery [T1614] examples: diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml index 867cfe5b3..f14212761 100644 --- a/collection/group-policy/discover-group-policy-via-gpresult.yml +++ b/collection/group-policy/discover-group-policy-via-gpresult.yml @@ -4,7 +4,9 @@ rule: namespace: collection/group-policy authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Group Policy Discovery [T1615] examples: diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml index 9f47b93ab..9473791f2 100644 --- a/collection/keylog/log-keystrokes-via-application-hook.yml +++ b/collection/keylog/log-keystrokes-via-application-hook.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Collection::Input Capture::Keylogging [T1056.001] mbc: diff --git a/collection/keylog/log-keystrokes-via-polling.yml b/collection/keylog/log-keystrokes-via-polling.yml index 3c1b6b955..772928645 100644 
--- a/collection/keylog/log-keystrokes-via-polling.yml +++ b/collection/keylog/log-keystrokes-via-polling.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Collection::Input Capture::Keylogging [T1056.001] mbc: diff --git a/collection/keylog/log-keystrokes.yml b/collection/keylog/log-keystrokes.yml index 0853e2dd8..9caf9e255 100644 --- a/collection/keylog/log-keystrokes.yml +++ b/collection/keylog/log-keystrokes.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Input Capture::Keylogging [T1056.001] examples: diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml index f3cb212dc..a85996905 100644 --- a/collection/microphone/capture-microphone-audio.yml +++ b/collection/microphone/capture-microphone-audio.yml @@ -4,7 +4,9 @@ rule: namespace: collection/microphone authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Audio Capture [T1123] examples: diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml index ee6c87ac9..1135d4c28 100644 --- a/collection/network/capture-network-configuration-via-ipconfig.yml +++ b/collection/network/capture-network-configuration-via-ipconfig.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml index 853016008..4d8c60fcb 100644 
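Review bot: `dynamic: call` on log-keystrokes-via-polling (first hunk on this line) confines dynamic matching to a single API call, so if the rule's features block — not shown in the hunk — requires two or more API names together under `and`, as a polling loop plausibly does, the rule can never fire in dynamic mode while still matching statically at function scope. The same check applies to every rule this commit maps to `call`: resolve-dns, download-url, prepare-http-request, initialize-winhttp-library, read-http-header, send-http-response, connect-pipe, create-pipe, get-socket-status, initialize-winsock-library, receive-data-on-socket, send-data-on-socket and set-socket-configuration. If the upgrade script cannot tell a single-API body from a conjunction, emitting `dynamic: thread # TODO check if scope call instead` for those files, as it already does elsewhere in this commit, would be the safer default until each body has been checked.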
--- a/collection/network/capture-packets-using-sharppcap.yml +++ b/collection/network/capture-packets-using-sharppcap.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Network Sniffing [T1040] references: diff --git a/collection/network/capture-public-ip.yml b/collection/network/capture-public-ip.yml index 5c00ad6bf..fa3fdea76 100644 --- a/collection/network/capture-public-ip.yml +++ b/collection/network/capture-public-ip.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/collection/network/get-domain-trust-relationships.yml b/collection/network/get-domain-trust-relationships.yml index d57f98027..9af3d1df5 100644 --- a/collection/network/get-domain-trust-relationships.yml +++ b/collection/network/get-domain-trust-relationships.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Domain Trust Discovery [T1482] examples: diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml index 3dc73645d..6ded3c61e 100644 --- a/collection/network/get-mac-address-on-windows.yml +++ b/collection/network/get-mac-address-on-windows.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - echernofsky@google.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/collection/password-manager/steal-keepass-passwords-using-keefarce.yml b/collection/password-manager/steal-keepass-passwords-using-keefarce.yml index e3f0bb491..bbc2420ac 100644 
--- a/collection/password-manager/steal-keepass-passwords-using-keefarce.yml +++ b/collection/password-manager/steal-keepass-passwords-using-keefarce.yml @@ -4,7 +4,9 @@ rule: namespace: collection/password-manager authors: - "@Ana06" - scope: file + scopes: + static: file + dynamic: file att&ck: - Credential Access::Credentials from Password Stores::Password Managers [T1555.005] references: diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml index 1f783513b..604f182d6 100644 --- a/collection/screenshot/capture-screenshot-via-keybd-event.yml +++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml @@ -4,7 +4,9 @@ rule: namespace: collection/screenshot authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unsupported # requires operand[0].number features att&ck: - Collection::Screen Capture [T1113] mbc: diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml index fe9ef9e37..175e1a151 100644 --- a/collection/screenshot/capture-screenshot.yml +++ b/collection/screenshot/capture-screenshot.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - "@_re_fox" - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Collection::Screen Capture [T1113] mbc: diff --git a/collection/use-dotnet-library-sharpclipboard.yml b/collection/use-dotnet-library-sharpclipboard.yml index 8e881a36a..e4822902b 100644 --- a/collection/use-dotnet-library-sharpclipboard.yml +++ b/collection/use-dotnet-library-sharpclipboard.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: file att&ck: - Collection::Clipboard Data [T1115] mbc: diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml index 173baa0bf..987c6dfee 100644 
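Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` in capture-screenshot.yml leaves a placeholder scope in a rule that ships as-is; unless the rule loader explicitly accepts `unspecified`, this rule will either fail validation or be silently unusable for dynamic analysis until the manual rewrite happens, and nothing in the commit tracks that follow-up. The same placeholder appears in capture-webcam-image.yml and create-reverse-shell.yml. Since the commit already uses `unsupported` as the documented value for rules that cannot run dynamically, `dynamic: unsupported # TODO upgrade manually, contains subscope` is the safer interim value for these three files, or they should be called out in the PR description as blocking before merge.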
--- a/collection/webcam/capture-webcam-image.yml +++ b/collection/webcam/capture-webcam-image.yml @@ -4,7 +4,9 @@ rule: namespace: collection/webcam authors: - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Collection::Video Capture [T1125] examples: diff --git a/communication/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml index f78cc532a..42f305d89 100644 --- a/communication/c2/file-transfer/download-and-write-a-file.yml +++ b/communication/c2/file-transfer/download-and-write-a-file.yml @@ -5,7 +5,9 @@ rule: maec/malware-category: downloader authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Command and Control::Ingress Tool Transfer [T1105] mbc: diff --git a/communication/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml index aed75a191..dd9740533 100644 --- a/communication/c2/file-transfer/write-and-execute-a-file.yml +++ b/communication/c2/file-transfer/write-and-execute-a-file.yml @@ -5,7 +5,9 @@ rule: maec/malware-category: launcher authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Execution::Install Additional Program [B0023] examples: diff --git a/communication/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml index 0ed07655f..3197bcf74 100644 --- a/communication/c2/shell/create-reverse-shell-on-linux.yml +++ b/communication/c2/shell/create-reverse-shell-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] mbc: 
diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml index a6748b36e..34c0f7aa7 100644 --- a/communication/c2/shell/create-reverse-shell.yml +++ b/communication/c2/shell/create-reverse-shell.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] mbc: diff --git a/communication/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml index 1653efcaf..a5c49df29 100644 --- a/communication/c2/shell/execute-shell-command-and-capture-output.yml +++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] references: diff --git a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml index f8b7688ed..b3869dca7 100644 --- a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml +++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] examples: diff --git a/communication/dns/reference-dns-over-https-endpoints.yml b/communication/dns/reference-dns-over-https-endpoints.yml index 1a82e4f46..c25544145 100644 --- a/communication/dns/reference-dns-over-https-endpoints.yml 
+++ b/communication/dns/reference-dns-over-https-endpoints.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - markus.neis@swisscom.com / @markus_neis - scope: file + scopes: + static: file + dynamic: file mbc: - Communication::DNS Communication::Server Connect [C0011.002] references: diff --git a/communication/dns/resolve-dns.yml b/communication/dns/resolve-dns.yml index ff86f9d1a..84ae20a39 100644 --- a/communication/dns/resolve-dns.yml +++ b/communication/dns/resolve-dns.yml @@ -7,7 +7,9 @@ rule: - johnk3r - joakim@intezer.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::DNS Communication::Resolve [C0011.001] examples: diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml index a0903f86f..43a92868c 100644 --- a/communication/ftp/send/send-file-using-ftp.yml +++ b/communication/ftp/send/send-file-using-ftp.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::FTP Communication::Send File [C0004.001] - Communication::FTP Communication::WinINet [C0004.002] diff --git a/communication/http/client/check-http-status-code.yml b/communication/http/client/check-http-status-code.yml index c1d74ab2f..e5d031a01 100644 --- a/communication/http/client/check-http-status-code.yml +++ b/communication/http/client/check-http-status-code.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unsupported # requires mnemonic features mbc: - Communication::HTTP Communication::Read Header [C0002.014] examples: diff --git a/communication/http/client/connect-to-http-server.yml b/communication/http/client/connect-to-http-server.yml index a679d89ef..8f958bfbd 100644 --- a/communication/http/client/connect-to-http-server.yml 
+++ b/communication/http/client/connect-to-http-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Connect to Server [C0002.009] examples: diff --git a/communication/http/client/connect-to-url.yml b/communication/http/client/connect-to-url.yml index 076d063bc..918fbadbe 100644 --- a/communication/http/client/connect-to-url.yml +++ b/communication/http/client/connect-to-url.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Open URL [C0002.004] examples: diff --git a/communication/http/client/create-bits-job.yml b/communication/http/client/create-bits-job.yml index a63f85de2..85ad67047 100644 --- a/communication/http/client/create-bits-job.yml +++ b/communication/http/client/create-bits-job.yml @@ -6,7 +6,9 @@ rule: authors: - "@mr-tz" description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine) - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, bytes features att&ck: - Defense Evasion::BITS Jobs [T1197] - Persistence::BITS Jobs [T1197] diff --git a/communication/http/client/create-http-request.yml b/communication/http/client/create-http-request.yml index 3ce2e5633..f86d66993 100644 --- a/communication/http/client/create-http-request.yml +++ b/communication/http/client/create-http-request.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Create Request [C0002.012] examples: 
diff --git a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml index 4d50aba6c..52a7b68a2 100644 --- a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml +++ b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/download-url.yml b/communication/http/client/download-url.yml index 27e3147df..bacf293d0 100644 --- a/communication/http/client/download-url.yml +++ b/communication/http/client/download-url.yml @@ -6,7 +6,9 @@ rule: - matthew.williams@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::HTTP Communication::Download URL [C0002.006] examples: diff --git a/communication/http/client/extract-http-body.yml b/communication/http/client/extract-http-body.yml index 25b03b4aa..7ae94c209 100644 --- a/communication/http/client/extract-http-body.yml +++ b/communication/http/client/extract-http-body.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, bytes features mbc: - Communication::HTTP Communication::Extract Body [C0002.011] references: diff --git a/communication/http/client/get-http-document-via-iwebbrowser2.yml b/communication/http/client/get-http-document-via-iwebbrowser2.yml index 14a26ac74..0414fecf0 100644 --- a/communication/http/client/get-http-document-via-iwebbrowser2.yml +++ b/communication/http/client/get-http-document-via-iwebbrowser2.yml 
@@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, offset features mbc: - Communication::HTTP Communication::Get Response [C0002.017] - Communication::HTTP Communication::IWebBrowser [C0002.010] diff --git a/communication/http/client/get-http-response-content-encoding.yml b/communication/http/client/get-http-response-content-encoding.yml index 0dd996d58..af83f7e07 100644 --- a/communication/http/client/get-http-response-content-encoding.yml +++ b/communication/http/client/get-http-response-content-encoding.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/prepare-http-request.yml b/communication/http/client/prepare-http-request.yml index 904ab80eb..0215ad4e8 100644 --- a/communication/http/client/prepare-http-request.yml +++ b/communication/http/client/prepare-http-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::HTTP Communication::Create Request [C0002.012] examples: diff --git a/communication/http/client/read-data-from-internet.yml b/communication/http/client/read-data-from-internet.yml index da502cafe..4c48f76bb 100644 --- a/communication/http/client/read-data-from-internet.yml +++ b/communication/http/client/read-data-from-internet.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: 
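Review bot: `dynamic: call # TODO check if scope thread instead` on get-http-response-content-encoding maps a static `basic block` rule to `call`, while the same static scope is mapped to `thread # TODO check if scope call instead` in capture-network-configuration-via-ipconfig, send-file-via-http, convert-ip-address-from-string, create-raw-socket and create-vmci-socket, and to `call` again in get-http-content-length. Unless the script derives this from the rule body, which the diff does not show, the choice between `call` and `thread` for basic-block rules looks per-file rather than principled, and the TODO text suggests the script itself was unsure. A one-line note in the commit message on the heuristic used (or a single default for all basic-block rules until each body is checked) would make the follow-up verifiable and easy to grep for.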
diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml index fb8d080b3..ccabd60dc 100644 --- a/communication/http/client/receive-http-response.yml +++ b/communication/http/client/receive-http-response.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml index c6038f8ae..30b277cdb 100644 --- a/communication/http/client/send-file-via-http.yml +++ b/communication/http/client/send-file-via-http.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Communication::HTTP Communication::Send Data [C0002.005] examples: diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml index 164bcfe20..1e3c06c87 100644 --- a/communication/http/client/send-http-request.yml +++ b/communication/http/client/send-http-request.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Communication::HTTP Communication::Send Request [C0002.003] examples: diff --git a/communication/http/get-http-content-length.yml b/communication/http/get-http-content-length.yml index 666121769..2f55ea338 100644 --- a/communication/http/get-http-content-length.yml +++ b/communication/http/get-http-content-length.yml 
@@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication [C0002] examples: diff --git a/communication/http/initialize-iwebbrowser2.yml b/communication/http/initialize-iwebbrowser2.yml index 03c5ecfe7..4d7be0e15 100644 --- a/communication/http/initialize-iwebbrowser2.yml +++ b/communication/http/initialize-iwebbrowser2.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires bytes features mbc: - Communication::HTTP Communication::IWebBrowser [C0002.010] references: diff --git a/communication/http/initialize-winhttp-library.yml b/communication/http/initialize-winhttp-library.yml index a58b6d9f8..067f18421 100644 --- a/communication/http/initialize-winhttp-library.yml +++ b/communication/http/initialize-winhttp-library.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::HTTP Communication::WinHTTP [C0002.008] examples: diff --git a/communication/http/read-http-header.yml b/communication/http/read-http-header.yml index f9ecd0b98..680574f7c 100644 --- a/communication/http/read-http-header.yml +++ b/communication/http/read-http-header.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::HTTP Communication::Read Header [C0002.014] examples: diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml index 672dd614b..4607be797 100644 --- a/communication/http/reference-http-user-agent-string.yml 
+++ b/communication/http/reference-http-user-agent-string.yml @@ -5,7 +5,9 @@ rule: namespace: communication/http authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication [C0002] references: diff --git a/communication/http/server/receive-http-request.yml b/communication/http/server/receive-http-request.yml index 404957723..15fe28119 100644 --- a/communication/http/server/receive-http-request.yml +++ b/communication/http/server/receive-http-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/server authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Receive Request [C0002.015] examples: diff --git a/communication/http/server/send-http-response.yml b/communication/http/server/send-http-response.yml index 14495c4b6..7ecc81c4c 100644 --- a/communication/http/server/send-http-response.yml +++ b/communication/http/server/send-http-response.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/server authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::HTTP Communication::Send Response [C0002.016] examples: diff --git a/communication/http/server/start-http-server.yml b/communication/http/server/start-http-server.yml index 7bfe1e0a8..c6fe087cb 100644 --- a/communication/http/server/start-http-server.yml +++ b/communication/http/server/start-http-server.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Start Server [C0002.018] examples: diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml index 8a669336e..9500b92af 100644 --- a/communication/http/set-http-header.yml +++ b/communication/http/set-http-header.yml 
@@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Set Header [C0002.013] examples: diff --git a/communication/icmp/send-icmp-echo-request.yml b/communication/icmp/send-icmp-echo-request.yml index b8dbf7613..31a777d7c 100644 --- a/communication/icmp/send-icmp-echo-request.yml +++ b/communication/icmp/send-icmp-echo-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/icmp authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::ICMP Communication::Echo Request [C0014.002] references: diff --git a/communication/ip/convert-ip-address-from-string.yml b/communication/ip/convert-ip-address-from-string.yml index 0a00e2fe1..99225e7dc 100644 --- a/communication/ip/convert-ip-address-from-string.yml +++ b/communication/ip/convert-ip-address-from-string.yml @@ -5,7 +5,9 @@ rule: namespace: communication/ip authors: - "@mr-tz" - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead examples: - 0796F1C1EA0A142FC1EB7109A44C86CB:0x405D20 features: diff --git a/communication/mailslot/create-mailslot.yml b/communication/mailslot/create-mailslot.yml index 9f9f69017..8cf723f3f 100644 --- a/communication/mailslot/create-mailslot.yml +++ b/communication/mailslot/create-mailslot.yml @@ -4,7 +4,9 @@ rule: namespace: communication/mailslot authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication [C0003] references: diff --git a/communication/mailslot/read-from-mailslot.yml b/communication/mailslot/read-from-mailslot.yml index 2e3090104..25b72f130 100644 --- a/communication/mailslot/read-from-mailslot.yml +++ b/communication/mailslot/read-from-mailslot.yml 
@@ -4,7 +4,9 @@ rule: namespace: communication/mailslot authors: - nick.simonian@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication [C0003] references: diff --git a/communication/named-pipe/connect/connect-pipe.yml b/communication/named-pipe/connect/connect-pipe.yml index 117b4dd37..d13574eac 100644 --- a/communication/named-pipe/connect/connect-pipe.yml +++ b/communication/named-pipe/connect/connect-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::Interprocess Communication::Connect Pipe [C0003.002] examples: diff --git a/communication/named-pipe/create/create-pipe.yml b/communication/named-pipe/create/create-pipe.yml index c0b687989..df3fdc3f3 100644 --- a/communication/named-pipe/create/create-pipe.yml +++ b/communication/named-pipe/create/create-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Communication::Interprocess Communication::Create Pipe [C0003.001] examples: diff --git a/communication/named-pipe/create/create-two-anonymous-pipes.yml b/communication/named-pipe/create/create-two-anonymous-pipes.yml index 42ec62a29..3a0ae45d0 100644 --- a/communication/named-pipe/create/create-two-anonymous-pipes.yml +++ b/communication/named-pipe/create/create-two-anonymous-pipes.yml @@ -4,7 +4,9 @@ rule: namespace: communication/named-pipe/create authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Create Pipe [C0003.001] examples: diff --git a/communication/named-pipe/read/read-pipe.yml b/communication/named-pipe/read/read-pipe.yml index 21e7e0cc4..6347df841 100644 --- a/communication/named-pipe/read/read-pipe.yml 
+++ b/communication/named-pipe/read/read-pipe.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output. - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Read Pipe [C0003.003] examples: diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml index 60a179e67..f3d78dd2c 100644 --- a/communication/named-pipe/write/write-pipe.yml +++ b/communication/named-pipe/write/write-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Communication::Interprocess Communication::Write Pipe [C0003.004] examples: diff --git a/communication/receive-data.yml b/communication/receive-data.yml index c914b56b3..29d801784 100644 --- a/communication/receive-data.yml +++ b/communication/receive-data.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: all known techniques for receiving data from a potential C2 server - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Command and Control::C2 Communication::Receive Data [B0030.002] examples: diff --git a/communication/send-data.yml b/communication/send-data.yml index d0bcb9ec3..b972686a4 100644 --- a/communication/send-data.yml +++ b/communication/send-data.yml 
@@ -6,7 +6,9 @@ rule:
 - william.ballenthin@mandiant.com
 - joakim@intezer.com
 description: all known techniques for sending data to a potential C2 server
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Command and Control::C2 Communication::Send Data [B0030.001]
 examples:
diff --git a/communication/socket/create-raw-socket.yml b/communication/socket/create-raw-socket.yml
index 4e5185b94..758e1c58f 100644
--- a/communication/socket/create-raw-socket.yml
+++ b/communication/socket/create-raw-socket.yml
@@ -5,7 +5,9 @@ rule:
 namespace: communication/socket
 authors:
 - blas.kojusner@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::Create Socket [C0001.003]
 references:
diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml
index 784fe3a5d..d040d94ed 100644
--- a/communication/socket/create-vmci-socket.yml
+++ b/communication/socket/create-vmci-socket.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket
 authors:
 - jakub.jozwiak@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::Create Socket [C0001.003]
 references:
diff --git a/communication/socket/get-socket-status.yml b/communication/socket/get-socket-status.yml
index 01f849fdc..17a2de872 100644
--- a/communication/socket/get-socket-status.yml
+++ b/communication/socket/get-socket-status.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 mbc:
diff --git a/communication/socket/initialize-winsock-library.yml b/communication/socket/initialize-winsock-library.yml
index 31e3b46cc..11af376f3 100644
--- a/communication/socket/initialize-winsock-library.yml
+++ b/communication/socket/initialize-winsock-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Communication::Socket Communication::Initialize Winsock Library [C0001.009]
 examples:
diff --git a/communication/socket/receive/receive-data-on-socket.yml b/communication/socket/receive/receive-data-on-socket.yml
index 556df036a..fee90dc03 100644
--- a/communication/socket/receive/receive-data-on-socket.yml
+++ b/communication/socket/receive/receive-data-on-socket.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - joakim@intezer.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Communication::Socket Communication::Receive Data [C0001.006]
 examples:
diff --git a/communication/socket/send/send-data-on-socket.yml b/communication/socket/send/send-data-on-socket.yml
index dd876cfd0..2960cc784 100644
--- a/communication/socket/send/send-data-on-socket.yml
+++ b/communication/socket/send/send-data-on-socket.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - joakim@intezer.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Communication::Socket Communication::Send Data [C0001.007]
 examples:
diff --git a/communication/socket/set-socket-configuration.yml b/communication/socket/set-socket-configuration.yml
index 624f5a7f0..38fbe506b 100644
--- a/communication/socket/set-socket-configuration.yml
+++ b/communication/socket/set-socket-configuration.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Communication::Socket Communication::Set Socket Config [C0001.001]
 examples:
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml
index 17e597e60..312f975b0 100644
--- a/communication/socket/tcp/connect-tcp-socket.yml
+++ b/communication/socket/tcp/connect-tcp-socket.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Communication::Socket Communication::Connect Socket [C0001.004]
 examples:
diff --git a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml
index 4c1b1c30f..ee02f8ccf 100644
--- a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml
+++ b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket/tcp
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Communication::Socket Communication::Create TCP Socket [C0001.011]
 references:
diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
index 936ab0aa7..3c8eb1273 100644
--- a/communication/socket/tcp/create-tcp-socket.yml
+++ b/communication/socket/tcp/create-tcp-socket.yml
@@ -7,7 +7,9 @@ rule:
 - joakim@intezer.com
 - anushka.virgaonkar@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::Create TCP Socket [C0001.011]
 examples:
diff --git a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml
index c49460ad8..d41a3040f 100644
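Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` leaves connect-tcp-socket and create-tcp-socket-via-raw-afd-driver here, and compiled-with-perl2exe and decompress-data-using-quicklz later in the commit, in a state that depends entirely on how the rule loader treats an `unspecified` scope: if it is not an accepted value the whole rule set fails to load until the manual pass is done, and if it is accepted the rule may be silently evaluated or silently skipped with no indication which. The rest of this commit already uses `unsupported` for rules that cannot run dynamically, so `dynamic: unsupported # TODO upgrade manually, contains subscope` would keep these four rules loadable and explicitly excluded until their nested subscope block (not visible in the hunk) is rewritten. The `meta:` mapping these lines belong to begins before the hunk.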
--- a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml
+++ b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - jonathan.lepore@mandiant.com
 description: The TransmitPackets function transmits in-memory data or file data over a connected socket. The TransmitPackets function uses the operating system cache manager to retrieve file data, locking memory for the minimum time required to transmit and resulting in efficient, high-performance transmission.
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes, mnemonic features
 mbc:
 - Communication::Socket Communication::Send TCP Data [C0001.014]
 references:
diff --git a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
index 9ee59420f..a409c5834 100644
--- a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
+++ b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/socket/tcp/send
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Communication::Socket Communication::Send TCP Data [C0001.014]
 examples:
diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml
index f51b639bf..573cf910d 100644
--- a/communication/socket/udp/send/create-udp-socket.yml
+++ b/communication/socket/udp/send/create-udp-socket.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - joakim@intezer.com
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::Create UDP Socket [C0001.010]
 examples:
diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
index 1757a3c90..4c07ba005 100644
--- a/communication/tcp/client/act-as-tcp-client.yml
+++ b/communication/tcp/client/act-as-tcp-client.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::TCP Client [C0001.008]
 examples:
diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
index f1a07a75b..86a2fc1d9 100644
--- a/communication/tcp/serve/start-tcp-server.yml
+++ b/communication/tcp/serve/start-tcp-server.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Communication::Socket Communication::Start TCP Server [C0001.005]
 examples:
diff --git a/compiler/autohotkey/compiled-with-autohotkey.yml b/compiler/autohotkey/compiled-with-autohotkey.yml
index a4f1a683c..14c719b54 100644
--- a/compiler/autohotkey/compiled-with-autohotkey.yml
+++ b/compiler/autohotkey/compiled-with-autohotkey.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/autohotkey
 authors:
 - awillia2@cisco.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Execution::Command and Scripting Interpreter [T1059]
 references:
diff --git a/compiler/autoit/compiled-with-autoit.yml b/compiler/autoit/compiled-with-autoit.yml
index 24b0c1a28..a9b5be674 100644
--- a/compiler/autoit/compiled-with-autoit.yml
+++ b/compiler/autoit/compiled-with-autoit.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/autoit
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Execution::Command and Scripting Interpreter [T1059]
 references:
diff --git a/compiler/cx_freeze/compiled-with-cx_freeze.yml b/compiler/cx_freeze/compiled-with-cx_freeze.yml
index bb5689e1e..c14e78153 100644
--- a/compiler/cx_freeze/compiled-with-cx_freeze.yml
+++ b/compiler/cx_freeze/compiled-with-cx_freeze.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@mr-tz"
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Execution::Command and Scripting Interpreter::Python [T1059.006]
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
diff --git a/compiler/d/compiled-with-dmd.yml b/compiler/d/compiled-with-dmd.yml
index af7a01ffd..88a57328f 100644
--- a/compiler/d/compiled-with-dmd.yml
+++ b/compiler/d/compiled-with-dmd.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/d
 authors:
 - "@_re_fox"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/dlang/dmd
 examples:
diff --git a/compiler/delphi/compiled-with-borland-delphi.yml b/compiler/delphi/compiled-with-borland-delphi.yml
index 7b0a5decc..0ecf28a0d 100644
--- a/compiler/delphi/compiled-with-borland-delphi.yml
+++ b/compiler/delphi/compiled-with-borland-delphi.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - "@mr-tz"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 4BDD67FF852C221112337FECD0681EAC
 features:
diff --git a/compiler/exe4j/compiled-with-exe4j.yml b/compiler/exe4j/compiled-with-exe4j.yml
index a193fd0ee..d6290b7f9 100644
--- a/compiler/exe4j/compiled-with-exe4j.yml
+++ b/compiler/exe4j/compiled-with-exe4j.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/exe4j
 authors:
 - johnk3r
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 6b25f1e754ef486bbb28a66d46bababe:0x404EDE
 features:
diff --git a/compiler/go/compiled-with-go.yml b/compiler/go/compiled-with-go.yml
index 5e35e9f76..12d70d35e 100644
--- a/compiler/go/compiled-with-go.yml
+++ b/compiler/go/compiled-with-go.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/go
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 49a34cfbeed733c24392c9217ef46bb6
 features:
diff --git a/compiler/mingw/compiled-with-mingw-for-windows.yml b/compiler/mingw/compiled-with-mingw-for-windows.yml
index 34f677621..560a14913 100644
--- a/compiler/mingw/compiled-with-mingw-for-windows.yml
+++ b/compiler/mingw/compiled-with-mingw-for-windows.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/mingw
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 5b3968b47eb16a1cb88525e3b565eab1
 features:
diff --git a/compiler/nim/compiled-with-nim.yml b/compiler/nim/compiled-with-nim.yml
index bd82dbe66..928f6e8f4 100644
--- a/compiler/nim/compiled-with-nim.yml
+++ b/compiler/nim/compiled-with-nim.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/nim
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 580c37831fe98a254eb6c61c692c70d8.exe_
 features:
diff --git a/compiler/nuitka/compiled-with-nuitka.yml b/compiler/nuitka/compiled-with-nuitka.yml
index 5953a6bbe..933a7043b 100644
--- a/compiler/nuitka/compiled-with-nuitka.yml
+++ b/compiler/nuitka/compiled-with-nuitka.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@williballenthin"
 - "@mr-tz"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 39ce034911a6ebd482af5893f9bdbd95
 features:
diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml
index 3900292cd..b0e667c9e 100644
--- a/compiler/perl2exe/compiled-with-perl2exe.yml
+++ b/compiler/perl2exe/compiled-with-perl2exe.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/perl2exe
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 examples:
 - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9
 features:
diff --git a/compiler/ps2exe/compiled-with-ps2exe.yml b/compiler/ps2exe/compiled-with-ps2exe.yml
index fdf8812cf..695c70065 100644
--- a/compiler/ps2exe/compiled-with-ps2exe.yml
+++ b/compiler/ps2exe/compiled-with-ps2exe.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/ikarstein/ps2exe
 - https://github.com/MScholtes/PS2EXE
diff --git a/compiler/py2exe/compiled-with-py2exe.yml b/compiler/py2exe/compiled-with-py2exe.yml
index 88debc2fa..7d096c846 100644
--- a/compiler/py2exe/compiled-with-py2exe.yml
+++ b/compiler/py2exe/compiled-with-py2exe.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/py2exe
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 examples:
 - ed888dc2f04f5eac83d6d14088d002de:0x40194A
 features:
diff --git a/compiler/pyarmor/compiled-with-pyarmor.yml b/compiler/pyarmor/compiled-with-pyarmor.yml
index 5f174c807..76aff3fe1 100644
--- a/compiler/pyarmor/compiled-with-pyarmor.yml
+++ b/compiler/pyarmor/compiled-with-pyarmor.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/pyarmor
 authors:
 - "@stvemillertime, @itreallynick"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Execution::Command and Scripting Interpreter::Python [T1059.006]
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
diff --git a/compiler/rust/compiled-with-rust.yml b/compiler/rust/compiled-with-rust.yml
index 0d61cf450..8a6cebcd2 100644
--- a/compiler/rust/compiled-with-rust.yml
+++ b/compiler/rust/compiled-with-rust.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - c3341b7dfbb9d43bca8c812e07b4299f:0x45F490
 features:
diff --git a/compiler/v/compiled-with-v.yml b/compiler/v/compiled-with-v.yml
index b7df07d46..6a6c645b0 100644
--- a/compiler/v/compiled-with-v.yml
+++ b/compiler/v/compiled-with-v.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/v
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://vlang.io
 - https://github.com/vlang/v
diff --git a/compiler/vb/compiled-from-visual-basic.yml b/compiler/vb/compiled-from-visual-basic.yml
index 75077783d..65a557e20 100644
--- a/compiler/vb/compiled-from-visual-basic.yml
+++ b/compiler/vb/compiled-from-visual-basic.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/vb
 authors:
 - "@williballenthin"
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires import features
 examples:
 - 9bca6b99e7981208af4c7925b96fb9cf
 features:
diff --git a/compiler/zig/compiled-with-zig.yml b/compiler/zig/compiled-with-zig.yml
index 3ff240efd..d36e03dc0 100644
--- a/compiler/zig/compiled-with-zig.yml
+++ b/compiler/zig/compiled-with-zig.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/zig
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://ziglang.org
 - https://github.com/ziglang/zig
diff --git a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml b/data-manipulation/checksum/adler32/compute-adler32-checksum.yml
index 111338dae..246e8d27a 100644
--- a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml
+++ b/data-manipulation/checksum/adler32/compute-adler32-checksum.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/checksum/adler32
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires operand[1].number, characteristic, mnemonic features
 mbc:
 - Data::Checksum::Adler [C0032.005]
 references:
diff --git a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml
index d8a9a623c..f258a193a 100644
--- a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml
+++ b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml
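Review bot: compiled-from-visual-basic is the one compiler rule in this commit marked `dynamic: unsupported # requires import features` while its siblings get `dynamic: file`, and whether that exclusion is right depends on whether the dynamic file-scope feature set includes imports — a sandbox report that embeds the PE import table could supply them, and the hunk does not show which table the script consulted. If imports are available at dynamic file scope, this rule should follow its siblings with `dynamic: file`; if they are not, the generated comment is accurate and nothing changes, but the commit message should say which feature types the script treats as dynamic-unsupported so the reader can check it. The `meta:` mapping these lines belong to begins before the hunk.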
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/checksum/crc32
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires operand[1].number, characteristic, bytes, mnemonic features
 mbc:
 - Data::Checksum::CRC32 [C0032.001]
 examples:
diff --git a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
index 494d9bf1d..262e534e2 100644
--- a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
+++ b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/checksum/luhn
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Data::Checksum::Luhn [C0032.002]
 examples:
diff --git a/data-manipulation/compression/compress-data-using-lzo.yml b/data-manipulation/compression/compress-data-using-lzo.yml
index 8f82579e7..f16c75171 100644
--- a/data-manipulation/compression/compress-data-using-lzo.yml
+++ b/data-manipulation/compression/compress-data-using-lzo.yml
@@ -6,7 +6,9 @@ rule:
 - david@edeca.net
 - david.cannings@pwc.com
 description: detects the compression routine from LZO
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Data::Compress Data [C0024]
 references:
diff --git a/data-manipulation/compression/compress-data-via-winapi.yml b/data-manipulation/compression/compress-data-via-winapi.yml
index be953f263..3fad47530 100644
--- a/data-manipulation/compression/compress-data-via-winapi.yml
+++ b/data-manipulation/compression/compress-data-via-winapi.yml
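Review bot: validate-payment-card-number-using-luhn-algorithm and compress-data-using-lzo receive `dynamic: thread` (the latter without even a TODO), yet both describe an inline arithmetic routine — the LZO description literally says "detects the compression routine" — and the sibling decompress-data-using-lzo in the next hunk is marked `unsupported`. Whatever dynamic-capable features these two rules hold (not visible in the hunk, presumably numeric constants) would have to surface as API-call arguments in a sandbox trace, where small integers are commonplace, so a `thread`-scope match is more likely a spurious hit than evidence of the algorithm. Suggest `dynamic: unsupported # algorithm detection, not observable in an API trace` for both, and the same check for encode-data-using-base64, which gets the same `thread # TODO` treatment later in this commit. The `meta:` mapping these lines belong to begins before the hunk.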
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/compression
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
index f6d36ea11..94a9fb820 100644
--- a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
+++ b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml
@@ -5,7 +5,9 @@ rule:
 namespace: data-manipulation/compression
 authors:
 - blas.kojusner@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires operand[1].number, characteristic, bytes, mnemonic features
 mbc:
 - Data::Compress Data [C0024]
 references:
diff --git a/data-manipulation/compression/decompress-data-using-aplib.yml b/data-manipulation/compression/decompress-data-using-aplib.yml
index 59949e6e8..6f6f4b58c 100644
--- a/data-manipulation/compression/decompress-data-using-aplib.yml
+++ b/data-manipulation/compression/decompress-data-using-aplib.yml
@@ -7,7 +7,9 @@ rule:
 - moritz.raabe@mandiant.com
 - cdong49@gatech.edu
 description: detects decompression function of library aPLib
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, mnemonic features
 mbc:
 - Data::Decompress Data::aPLib [C0025.003]
 references:
diff --git a/data-manipulation/compression/decompress-data-using-lzo.yml b/data-manipulation/compression/decompress-data-using-lzo.yml
index 1383cf59b..7e76fa567 100644
--- a/data-manipulation/compression/decompress-data-using-lzo.yml
+++ b/data-manipulation/compression/decompress-data-using-lzo.yml
@@ -6,7 +6,9 @@ rule:
 - david@edeca.net
 - david.cannings@pwc.com
 description: detects the decompression routine from LZO
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, mnemonic features
 mbc:
 - Data::Decompress Data [C0025]
 references:
diff --git a/data-manipulation/compression/decompress-data-using-quicklz.yml b/data-manipulation/compression/decompress-data-using-quicklz.yml
index a9cb92cd1..5272a17a5 100644
--- a/data-manipulation/compression/decompress-data-using-quicklz.yml
+++ b/data-manipulation/compression/decompress-data-using-quicklz.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - david@edeca.net
 description: detects the inner decompression loop from QuickLZ
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Data::Decompress Data::QuickLZ [C0025.001]
 references:
diff --git a/data-manipulation/compression/decompress-data-using-ucl.yml b/data-manipulation/compression/decompress-data-using-ucl.yml
index 024616235..937e644da 100644
--- a/data-manipulation/compression/decompress-data-using-ucl.yml
+++ b/data-manipulation/compression/decompress-data-using-ucl.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/compression
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 mbc:
 - Data::Decompress Data [C0025]
 references:
diff --git a/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml b/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml
index e12a2d6e6..7c9efd270 100644
--- a/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml
+++ b/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/compression
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, bytes features
 mbc:
 - Data::Decompress Data::IEncodingFilterFactory [C0025.002]
 references:
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index 877f551c0..d8c1b9e6b 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - gilbert.elliot@mandiant.com
 - sara.rincon@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes, mnemonic features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
index d5f401434..107c5cdcd 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encoding/base64
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 examples:
diff --git a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
index c987cfd6f..af2237c86 100644
--- a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encoding/base64
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 examples:
diff --git a/data-manipulation/encoding/base64/encode-data-using-base64.yml b/data-manipulation/encoding/base64/encode-data-using-base64.yml
index 582fd51b6..ea1d673b7 100644
--- a/data-manipulation/encoding/base64/encode-data-using-base64.yml
+++ b/data-manipulation/encoding/base64/encode-data-using-base64.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - anushka.virgaonkar@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encoding/base64/reference-base64-string.yml b/data-manipulation/encoding/base64/reference-base64-string.yml
index 7713d1df0..b1eb67f22 100644
--- a/data-manipulation/encoding/base64/reference-base64-string.yml
+++ b/data-manipulation/encoding/base64/reference-base64-string.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encoding/base64
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encoding/xor/encode-data-using-xor.yml b/data-manipulation/encoding/xor/encode-data-using-xor.yml
index b96be1417..526335497 100644
--- a/data-manipulation/encoding/xor/encode-data-using-xor.yml
+++ b/data-manipulation/encoding/xor/encode-data-using-xor.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encoding/xor
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires characteristic, Not features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml b/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml
index f2c0164fd..5ff4b3859 100644
--- a/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml
+++ b/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml
index 768aa7c3d..0a0917634 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml
@@ -5,7 +5,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, operand[0].offset features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml
index af0163420..085fc38ce 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml
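Review bot: The generated comment `# requires characteristic, Not features` on encode-data-using-xor mixes a lowercase feature name with what looks like the class name of the `not:` logic node, while every other `unsupported` comment in this commit lists lowercase feature types only, so a reader may take `Not` for a feature type that does not exist. Suggest `# requires characteristic features and a not: block`, or have the script lowercase the statement name it reports, so the reason reads consistently across rules. The `meta:` mapping these lines belong to begins before the hunk.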
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires class features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
index e62b8e602..86c78647c 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/aes/manually-build-aes-constants.yml b/data-manipulation/encryption/aes/manually-build-aes-constants.yml
index a0acbc184..b49ac0b69 100644
--- a/data-manipulation/encryption/aes/manually-build-aes-constants.yml
+++ b/data-manipulation/encryption/aes/manually-build-aes-constants.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - huynh.t.nhan@gmail.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, mnemonic features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml b/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml
index 4076aa167..55d659f2e 100644
--- a/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml
+++ b/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - "@johnk3r"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml b/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml
index 1ae18757b..e54ec23c2 100644
--- a/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml
+++ b/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/blowfish
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires bytes features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml b/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml
index 8456f1b0c..9146a2c71 100644
--- a/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml
+++ b/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/camellia
 authors:
 - '@_re_fox'
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires bytes features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml b/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
index 665a815ef..15aeabe45 100644
--- a/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
+++ b/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - chuong.dong@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml index 4e5207b9b..f84760fcb 100644 --- a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml +++ b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/des authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/des/encrypt-data-using-des.yml b/data-manipulation/encryption/des/encrypt-data-using-des.yml index eb0ae8cb7..b858eb6fd 100644 --- a/data-manipulation/encryption/des/encrypt-data-using-des.yml +++ b/data-manipulation/encryption/des/encrypt-data-using-des.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires characteristic, bytes, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml index aed6fbbec..637160e51 100644 --- a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml +++ b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: 
diff --git a/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml b/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml index 6efdfa87b..16a5cda99 100644 --- a/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml +++ b/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml @@ -5,7 +5,9 @@ rule: authors: - dimiter.andonov@mandiant.com description: Targets code that enforces Curve25519's secret key restrictions. The specification states "The legitimate users are assumed to generate independent uniform random secret keys. A user can, for example, generate 32 uniform random bytes, clear bits 0, 1, 2 of the first byte, clear bit 7 of the last byte, and set bit 6 of the last byte." - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] examples: diff --git a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml index 97c8afb8d..b96a7f5df 100644 --- a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml +++ b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - zander.work@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml index 744a16ab1..d73c6d35b 100644 --- a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml +++ b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml 
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml index 1eb5145b8..e882c0bb5 100644 --- a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml +++ b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml index d079f522c..31a17bf32 100755 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml @@ -5,7 +5,9 @@ rule: namespace: data-manipulation/encryption/hc-128 authors: - blaine.stancill@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires characteristic, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml index 7db6103e1..a401c9c05 100644 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml 
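Review bot: The `dynamic: call # TODO check if scope thread instead` line in get-outbound-credentials-handle-via-credssp.yml commits an unresolved scope decision into a shipped rule. As I understand the dynamic scoping, a call-scope rule is evaluated against one API call at a time, so if the rule's features (outside the hunk) span more than one call, for example an `api:` plus a string that is not that call's argument, the rule can never match in dynamic mode and the miss is silent for a credential-related detection. If the rule body cannot be checked before merge, `dynamic: thread` is the conservative choice because it aggregates features across the thread's calls and narrowing later only removes false positives. Either way the TODO should be resolved rather than left in the rule metadata, e.g. `dynamic: call # all features are attributes of a single AcquireCredentialsHandle call` once that has been verified.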
@@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for instruction mnemonics associated with initialization of the HC-128 stream cipher - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires characteristic, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/import-public-key.yml b/data-manipulation/encryption/import-public-key.yml index 6bf44a538..53764f55e 100644 --- a/data-manipulation/encryption/import-public-key.yml +++ b/data-manipulation/encryption/import-public-key.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Encryption Key::Import Public Key [C0028.001] examples: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml index 516444e29..d0a9fa269 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic, Not features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml index 93c17aa47..9066f37e0 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml 
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic, basicblock features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml index c1354f466..582a627e3 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml index 7dfc24222..18c466553 100755 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - blaine.stancill@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml index d571b8033..8fd7578b0 100644 --- a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml +++ b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml 
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc6 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml index 05cdcba17..f4d96a983 100644 --- a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml +++ b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Encryption Key [C0028] references: diff --git a/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml b/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml index eb1763e7d..ecd0b2715 100644 --- a/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml +++ b/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/skipjack authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires bytes features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml index dbda8d117..a13a20860 100644 --- a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml +++ b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml 
@@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for cryptographic constants associated with the Sosemanuk stream cipher - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires bytes, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml index 887ba2c95..97d826fa9 100755 --- a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, Not features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml index ffe8c60f7..7262cb1db 100755 --- a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, Not features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml b/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml index 4ee2c821b..e370ac2ef 100644 --- a/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml +++ b/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml 
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/twofish authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires bytes features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/vest/encrypt-data-using-vest.yml b/data-manipulation/encryption/vest/encrypt-data-using-vest.yml index ceda4cfb8..7c159070e 100644 --- a/data-manipulation/encryption/vest/encrypt-data-using-vest.yml +++ b/data-manipulation/encryption/vest/encrypt-data-using-vest.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/vest authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires bytes features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml index 4f51a9f09..27d99fb8b 100755 --- a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml +++ b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/xtea authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires operand[1].number, characteristic, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml index bd99f80a6..565256c6f 100755 --- a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml +++ b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml 
@@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/xxtea authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, Not features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml index acdfe958b..43a178796 100644 --- a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml +++ b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com - still@teamt5.org - scope: function + scopes: + static: function + dynamic: unsupported # requires mnemonic features mbc: - Data::Non-Cryptographic Hash::djb2 [C0030.006] references: diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml index 825be537a..40ddfa616 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml +++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml @@ -7,7 +7,9 @@ rule: - "@_re_fox" - michael.hunhoff@mandiant.com description: can be any Fowler-Noll-Vo (FNV) hash variant, including FNV-1, FNV-1a, FNV-0 - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic features mbc: - Data::Non-Cryptographic Hash::FNV [C0030.005] references: diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml index ae8572c5c..6402d0afd 100644 --- a/data-manipulation/hashing/hash-data-via-wincrypt.yml +++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Cryptography::Cryptographic Hash [C0029] examples: 
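Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` in hash-data-via-wincrypt.yml leaves a placeholder value in a rule that is loaded together with the rest of the set. Unless `unspecified` is a value the rule loader explicitly accepts, this either breaks loading of the whole ruleset or is silently treated as some default scope the author never chose; the hunk does not show which. The safe interim value is `dynamic: unsupported # TODO: rule uses a static-only subscope; map it to a call/thread subscope manually`, which is the convention the script already applies to the other rules in this change, and the manual upgrade can follow in its own commit.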
diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml index 9bf05b933..e270bc0df 100644 --- a/data-manipulation/hashing/md5/hash-data-with-md5.yml +++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, Not features mbc: - Cryptography::Cryptographic Hash::MD5 [C0029.001] references: diff --git a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml index da88c86fa..4b87aca3f 100644 --- a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml +++ b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/murmur authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic features mbc: - Data::Non-Cryptographic Hash::MurmurHash [C0030.001] references: diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml index d5d0644df..76a8cbbe8 100644 --- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml +++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Cryptography::Cryptographic Hash::SHA1 [C0029.002] examples: diff --git a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml index 205b69cb3..cfaa86e26 100644 --- a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml 
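Review bot: hash-data-using-sha1.yml receives the same `dynamic: unspecified # TODO upgrade manually, contains subscope` placeholder, so the ruleset now depends on the loader tolerating a value that is neither a real scope nor the documented `unsupported`. Since the neighbouring SHA-2 rules in this series are upgraded to `thread`, the manual outcome here is presumably `dynamic: thread` with the inner static subscope replaced or guarded, but that is a rule-body change that belongs in a reviewed follow-up, not an inferred default. Until then `dynamic: unsupported # TODO upgrade manually, contains subscope` keeps the rule explicitly out of dynamic matching instead of leaving its behaviour undefined.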
+++ b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha224 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Cryptographic Hash::SHA224 [C0029.004] references: diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml index 9f3400f97..4da48ab32 100644 --- a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml +++ b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Cryptographic Hash::SHA256 [C0029.003] references: diff --git a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml index 1a723cef2..d4ed183cf 100644 --- a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml +++ b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha384 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.rfc-editor.org/rfc/rfc6234 examples: diff --git a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml index 1b09d83f5..02bbe90cf 100644 --- a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml +++ b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha512 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.rfc-editor.org/rfc/rfc6234 examples: 
diff --git a/data-manipulation/hashing/tiger/hash-data-using-tiger.yml b/data-manipulation/hashing/tiger/hash-data-using-tiger.yml index 8be819bb8..10c49d239 100644 --- a/data-manipulation/hashing/tiger/hash-data-using-tiger.yml +++ b/data-manipulation/hashing/tiger/hash-data-using-tiger.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/tiger authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires characteristic, bytes, mnemonic features mbc: - Cryptography::Cryptographic Hash::Tiger [C0029.005] examples: diff --git a/data-manipulation/hmac/authenticate-hmac.yml b/data-manipulation/hmac/authenticate-hmac.yml index 8956e1049..c82f61a0c 100644 --- a/data-manipulation/hmac/authenticate-hmac.yml +++ b/data-manipulation/hmac/authenticate-hmac.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hmac authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic features mbc: - Cryptography::Hashed Message Authentication Code [C0061] references: diff --git a/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml b/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml index 08d8b1146..4fbffcbe6 100644 --- a/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml +++ b/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/json authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: file references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml index cd6b6e57a..d94275d8e 100644 --- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml +++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml 
@@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - richard.weiss@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] references: diff --git a/data-manipulation/prng/generate-random-numbers-via-winapi.yml b/data-manipulation/prng/generate-random-numbers-via-winapi.yml index 13670595d..1bca70b83 100644 --- a/data-manipulation/prng/generate-random-numbers-via-winapi.yml +++ b/data-manipulation/prng/generate-random-numbers-via-winapi.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] examples: diff --git a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml index 5f8a68b6c..ab35eff57 100644 --- a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml +++ b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng/mersenne authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence [C0021] examples: diff --git a/data-manipulation/svg/use-dotnet-library-sharpvectors.yml b/data-manipulation/svg/use-dotnet-library-sharpvectors.yml index b6cd87e52..9353bbe59 100644 --- a/data-manipulation/svg/use-dotnet-library-sharpvectors.yml +++ b/data-manipulation/svg/use-dotnet-library-sharpvectors.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/svg authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: file references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: 
diff --git a/executable/dotnet-singlefile/packaged-as-single-file-dotnet-application.yml b/executable/dotnet-singlefile/packaged-as-single-file-dotnet-application.yml index ce43fd24b..a07018e28 100644 --- a/executable/dotnet-singlefile/packaged-as-single-file-dotnet-application.yml +++ b/executable/dotnet-singlefile/packaged-as-single-file-dotnet-application.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Single binary containing target .NET application and all application-dependent files - scope: file + scopes: + static: file + dynamic: file references: - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli examples: diff --git a/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml b/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml index 5d47d5838..80c50f418 100644 --- a/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml +++ b/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/iexpress authors: - awillia2@cisco.com - scope: file + scopes: + static: file + dynamic: file references: - https://en.wikipedia.org/wiki/IExpress examples: diff --git a/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml b/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml index dd7a3e228..547a96858 100644 --- a/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml +++ b/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/inno-setup authors: - awillia2@cisco.com - scope: file + scopes: + static: file + dynamic: file references: - https://jrsoftware.org/isinfo.php examples: diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml index 9e7495c94..bdd929c41 100644 
--- a/executable/pe/export/forwarded-export.yml +++ b/executable/pe/export/forwarded-export.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/export authors: - ronnie.salomonsen@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/executable/pe/pdb/contains-pdb-path.yml b/executable/pe/pdb/contains-pdb-path.yml index 38d7d72f4..efb1b946f 100644 --- a/executable/pe/pdb/contains-pdb-path.yml +++ b/executable/pe/pdb/contains-pdb-path.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/pdb authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - 464EF2CA59782CE697BC329713698CCC # level32.exe features: diff --git a/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml b/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml index b66885524..d1d81b18e 100644 --- a/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml +++ b/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/section/tls authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - Practical Malware Analysis Lab 16-02.exe_ features: diff --git a/executable/resource/access-dotnet-resource.yml b/executable/resource/access-dotnet-resource.yml index 93aaf14ec..c8c7726fc 100644 --- a/executable/resource/access-dotnet-resource.yml +++ b/executable/resource/access-dotnet-resource.yml @@ -4,7 +4,9 @@ rule: namespace: executable/resource authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread examples: - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084 features: diff --git a/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml b/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml index 3289c035f..7d0e4cca2 100644 
--- a/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml +++ b/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml @@ -5,7 +5,9 @@ rule: authors: - "@johnk3r" - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml index beddea449..92513950a 100644 --- a/executable/resource/extract-resource-via-kernel32-functions.yml +++ b/executable/resource/extract-resource-via-kernel32-functions.yml @@ -4,7 +4,9 @@ rule: namespace: executable/resource authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000 - Practical Malware Analysis Lab 01-04.exe_:0x4011FC diff --git a/executable/subfile/pe/contain-an-embedded-pe-file.yml b/executable/subfile/pe/contain-an-embedded-pe-file.yml index 72760f0e8..42a75b6ee 100644 --- a/executable/subfile/pe/contain-an-embedded-pe-file.yml +++ b/executable/subfile/pe/contain-an-embedded-pe-file.yml @@ -4,7 +4,9 @@ rule: namespace: executable/subfile/pe authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Execution::Install Additional Program [B0023] examples: diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml index 28d8ff528..468d98dd5 100644 --- a/host-interaction/bootloader/disable-code-signing.yml +++ b/host-interaction/bootloader/disable-code-signing.yml 
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/bootloader
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
 examples:
diff --git a/host-interaction/bootloader/get-uefi-variable.yml b/host-interaction/bootloader/get-uefi-variable.yml
index 24eed7cdd..a165f80e2 100644
--- a/host-interaction/bootloader/get-uefi-variable.yml
+++ b/host-interaction/bootloader/get-uefi-variable.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/bootloader
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Persistence::Pre-OS Boot::System Firmware [T1542.001]
 references:
diff --git a/host-interaction/bootloader/manipulate-boot-configuration.yml b/host-interaction/bootloader/manipulate-boot-configuration.yml
index 60b1409bb..b91396ed9 100644
--- a/host-interaction/bootloader/manipulate-boot-configuration.yml
+++ b/host-interaction/bootloader/manipulate-boot-configuration.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/bootloader
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
 examples:
diff --git a/host-interaction/bootloader/manipulate-safe-mode-programs.yml b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
index 150ff9b16..145f0fb4e 100644
--- a/host-interaction/bootloader/manipulate-safe-mode-programs.yml
+++ b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/bootloader
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
 examples:
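Review bot: The new `dynamic: thread # TODO check if scope call instead` line in disable-code-signing.yml commits an unresolved scope decision into the rule; until it is settled, dynamic matching for this rule runs at thread scope, which is presumably broader than a single call and so can match API events that are not part of one logical operation, affecting the precision of dynamic results. The same script-generated TODO appears on the `dynamic:` line of resolve-path-using-msvcrt, install-driver, get-comspec-environment-variable, change-file-permission-on-linux, enumerate-files-recursively, get-file-system-object-information, get-program-files-directory, get-windows-directory-from-kuser_shared_data, get-file-attributes, set-file-attributes, read-file-on-windows, reference-absolute-stream-path-on-windows, bypass-windows-file-protection, register-minifilter-driver, start-minifilter-driver, references-logon-banner, change-the-wallpaper, find-taskbar and hide-graphical-window. If the plan is to merge these as-is and review later, a tracking issue plus a lint check that rejects `TODO` on a `scopes:` line would keep the placeholders from reaching a release; otherwise each value should be reviewed before merge.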
diff --git a/host-interaction/bootloader/set-uefi-variable.yml b/host-interaction/bootloader/set-uefi-variable.yml
index d4c669423..c9d7d52df 100644
--- a/host-interaction/bootloader/set-uefi-variable.yml
+++ b/host-interaction/bootloader/set-uefi-variable.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/bootloader
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Persistence::Pre-OS Boot::System Firmware [T1542.001]
 references:
diff --git a/host-interaction/cli/accept-command-line-arguments.yml b/host-interaction/cli/accept-command-line-arguments.yml
index e4fcebd5e..bf56e4369 100644
--- a/host-interaction/cli/accept-command-line-arguments.yml
+++ b/host-interaction/cli/accept-command-line-arguments.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Execution::Command and Scripting Interpreter [T1059]
 mbc:
diff --git a/host-interaction/cli/resolve-path-using-msvcrt.yml b/host-interaction/cli/resolve-path-using-msvcrt.yml
index 90e700fe1..943b6ec45 100644
--- a/host-interaction/cli/resolve-path-using-msvcrt.yml
+++ b/host-interaction/cli/resolve-path-using-msvcrt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/cli
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 examples:
diff --git a/host-interaction/clipboard/open-clipboard.yml b/host-interaction/clipboard/open-clipboard.yml
index b973bf6e3..5765585a7 100644
--- a/host-interaction/clipboard/open-clipboard.yml
+++ b/host-interaction/clipboard/open-clipboard.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/clipboard
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Clipboard Data [T1115]
 examples:
diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index f920f8f65..14f30d661 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Collection::Clipboard Data [T1115]
 references:
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
index cbc655c0e..dead8a809 100644
--- a/host-interaction/clipboard/write-clipboard-data.yml
+++ b/host-interaction/clipboard/write-clipboard-data.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Impact::Clipboard Modification [E1510]
 references:
diff --git a/host-interaction/console/manipulate-console-buffer.yml b/host-interaction/console/manipulate-console-buffer.yml
index d5a09408d..21fa1f524 100644
--- a/host-interaction/console/manipulate-console-buffer.yml
+++ b/host-interaction/console/manipulate-console-buffer.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Operating System::Console [C0033]
 references:
diff --git a/host-interaction/driver/create-device-object.yml b/host-interaction/driver/create-device-object.yml
index 5f5c82a0c..894d95b45 100644
--- a/host-interaction/driver/create-device-object.yml
+++ b/host-interaction/driver/create-device-object.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/driver
 authors:
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 examples:
 - Practical Malware Analysis Lab 10-03.sys_:0x00010706
 features:
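Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` in read-clipboard-data.yml is a placeholder rather than a reviewed scope value; if `unspecified` is not a value the rule loader accepts, this rule will fail to load (or be skipped) for dynamic analysis until the manual upgrade lands, and that outcome should be confirmed before merge. The same placeholder appears in copy-file, delete-file, check-if-file-exists, enumerate-files-on-windows, move-file, read-file-via-mapping, write-file-on-windows and get-graphical-window-text. Since the comment says each of these contains a subscope that needs a manual decision, listing the affected rules in the commit message or a tracking issue would keep them from being forgotten.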
diff --git a/host-interaction/driver/disable-driver-code-integrity.yml b/host-interaction/driver/disable-driver-code-integrity.yml
index 05948e6eb..bbc6e07c5 100644
--- a/host-interaction/driver/disable-driver-code-integrity.yml
+++ b/host-interaction/driver/disable-driver-code-integrity.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/driver
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml
index a7a7f5e0f..dd719578b 100644
--- a/host-interaction/driver/install-driver.yml
+++ b/host-interaction/driver/install-driver.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/driver
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 mbc:
diff --git a/host-interaction/driver/interact-with-driver-via-control-codes.yml b/host-interaction/driver/interact-with-driver-via-control-codes.yml
index d54015a58..45dd6d377 100644
--- a/host-interaction/driver/interact-with-driver-via-control-codes.yml
+++ b/host-interaction/driver/interact-with-driver-via-control-codes.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/driver
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Execution::System Services::Service Execution [T1569.002]
 examples:
diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
index 360570d71..c112635d3 100644
--- a/host-interaction/environment-variable/get-comspec-environment-variable.yml
+++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/environment-variable
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/environment-variable/query-environment-variable.yml b/host-interaction/environment-variable/query-environment-variable.yml
index 4ef54c8c0..c1981db62 100644
--- a/host-interaction/environment-variable/query-environment-variable.yml
+++ b/host-interaction/environment-variable/query-environment-variable.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/environment-variable/set-environment-variable.yml b/host-interaction/environment-variable/set-environment-variable.yml
index 897aed271..1aa080dfb 100644
--- a/host-interaction/environment-variable/set-environment-variable.yml
+++ b/host-interaction/environment-variable/set-environment-variable.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/environment-variable
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Operating System::Environment Variable::Set Variable [C0034.001]
 examples:
diff --git a/host-interaction/file-system/bypass-mark-of-the-web.yml b/host-interaction/file-system/bypass-mark-of-the-web.yml
index 0f5c40f94..11759fb77 100644
--- a/host-interaction/file-system/bypass-mark-of-the-web.yml
+++ b/host-interaction/file-system/bypass-mark-of-the-web.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005]
 examples:
diff --git a/host-interaction/file-system/change-file-permission-on-linux.yml b/host-interaction/file-system/change-file-permission-on-linux.yml
index 872badff6..1426972d5 100644
--- a/host-interaction/file-system/change-file-permission-on-linux.yml
+++ b/host-interaction/file-system/change-file-permission-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - joakim@intezer.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - File System::Set File Attributes [C0050]
 examples:
diff --git a/host-interaction/file-system/copy/copy-file.yml b/host-interaction/file-system/copy/copy-file.yml
index 2b3913a4b..5040e739e 100644
--- a/host-interaction/file-system/copy/copy-file.yml
+++ b/host-interaction/file-system/copy/copy-file.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - File System::Copy File [C0045]
 examples:
diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
index 79474ebb8..3f47b1b8e 100644
--- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
+++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
 mbc:
diff --git a/host-interaction/file-system/create/create-directory.yml b/host-interaction/file-system/create/create-directory.yml
index d43de4d33..bfa2bd536 100644
--- a/host-interaction/file-system/create/create-directory.yml
+++ b/host-interaction/file-system/create/create-directory.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - File System::Create Directory [C0046]
 examples:
diff --git a/host-interaction/file-system/delete/delete-directory.yml b/host-interaction/file-system/delete/delete-directory.yml
index 41edc033e..e1147883b 100644
--- a/host-interaction/file-system/delete/delete-directory.yml
+++ b/host-interaction/file-system/delete/delete-directory.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - File System::Delete Directory [C0048]
 examples:
diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml
index 95f4d1df9..81c4494d7 100644
--- a/host-interaction/file-system/delete/delete-file.yml
+++ b/host-interaction/file-system/delete/delete-file.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - File System::Delete File [C0047]
 examples:
diff --git a/host-interaction/file-system/exists/check-if-file-exists.yml b/host-interaction/file-system/exists/check-if-file-exists.yml
index 9891433be..fd2d5f109 100644
--- a/host-interaction/file-system/exists/check-if-file-exists.yml
+++ b/host-interaction/file-system/exists/check-if-file-exists.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
index ff6c579b3..75f7a94a7 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/files/list
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index 3b9a4179d..c5c495b97 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-recursively.yml b/host-interaction/file-system/files/list/enumerate-files-recursively.yml
index f80a082cc..da40c643b 100644
--- a/host-interaction/file-system/files/list/enumerate-files-recursively.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-recursively.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/get-common-file-path.yml b/host-interaction/file-system/get-common-file-path.yml
index 13ca9804f..6c1a32907 100644
--- a/host-interaction/file-system/get-common-file-path.yml
+++ b/host-interaction/file-system/get-common-file-path.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/get-file-system-object-information.yml b/host-interaction/file-system/get-file-system-object-information.yml
index a5a9d5a54..302b337df 100644
--- a/host-interaction/file-system/get-file-system-object-information.yml
+++ b/host-interaction/file-system/get-file-system-object-information.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 examples:
diff --git a/host-interaction/file-system/get-program-files-directory.yml b/host-interaction/file-system/get-program-files-directory.yml
index 88dfead36..a6d5e30c6 100644
--- a/host-interaction/file-system/get-program-files-directory.yml
+++ b/host-interaction/file-system/get-program-files-directory.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 examples:
diff --git a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
index acd2d387f..8620abefb 100644
--- a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
+++ b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - david.cannings@pwc.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 references:
 - http://www.rohitab.com/discuss/topic/42325-the-kuser-shared-data-structure/
 - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml
index a1b929a1e..327674dfb 100644
--- a/host-interaction/file-system/meta/get-file-attributes.yml
+++ b/host-interaction/file-system/meta/get-file-attributes.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - File System::Get File Attributes [C0049]
 examples:
diff --git a/host-interaction/file-system/meta/get-file-size.yml b/host-interaction/file-system/meta/get-file-size.yml
index 2d212bfab..3a1630ef8 100644
--- a/host-interaction/file-system/meta/get-file-size.yml
+++ b/host-interaction/file-system/meta/get-file-size.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/meta/get-file-version-info.yml b/host-interaction/file-system/meta/get-file-version-info.yml
index 5bd99c1cc..c61ccc59f 100644
--- a/host-interaction/file-system/meta/get-file-version-info.yml
+++ b/host-interaction/file-system/meta/get-file-version-info.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml
index 53ea96eed..228946c36 100644
--- a/host-interaction/file-system/meta/set-file-attributes.yml
+++ b/host-interaction/file-system/meta/set-file-attributes.yml
@@ -6,7 +6,9 @@ rule:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Defense Evasion::File and Directory Permissions Modification [T1222]
 mbc:
diff --git a/host-interaction/file-system/move/move-file.yml b/host-interaction/file-system/move/move-file.yml
index 9e8b23f45..8564ee8c5 100644
--- a/host-interaction/file-system/move/move-file.yml
+++ b/host-interaction/file-system/move/move-file.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - File System::Move File [C0063]
 examples:
diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml
index 6b1db96b6..00af92f36 100644
--- a/host-interaction/file-system/read/read-file-on-linux.yml
+++ b/host-interaction/file-system/read/read-file-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/read
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
index f971aca77..484eead05 100644
--- a/host-interaction/file-system/read/read-file-on-windows.yml
+++ b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml
index d7aea180e..dc4ef966d 100644
--- a/host-interaction/file-system/read/read-file-via-mapping.yml
+++ b/host-interaction/file-system/read/read-file-via-mapping.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/read
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-ini-file.yml b/host-interaction/file-system/read/read-ini-file.yml
index 3de512a26..cd5d89845 100644
--- a/host-interaction/file-system/read/read-ini-file.yml
+++ b/host-interaction/file-system/read/read-ini-file.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@_re_fox"
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml
index b1e72d214..b81bdc4ed 100644
--- a/host-interaction/file-system/read/read-virtual-disk.yml
+++ b/host-interaction/file-system/read/read-virtual-disk.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/read
 authors:
 - "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - File System::Read Virtual Disk [C0056]
 references:
diff --git a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
index 3b571d84c..3a1f2939d 100644
--- a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
+++ b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - blas.kojusner@mandiant.com
 - william.ballenthin@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 references:
 - https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
 examples:
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
index 67c13e022..3a346b8ca 100644
--- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
+++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/windows-file-protection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007]
 examples:
diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index ea501c4a0..80e551d13 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/write
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml
index d380d53f1..cc9e75250 100644
--- a/host-interaction/file-system/write/write-file-on-windows.yml
+++ b/host-interaction/file-system/write/write-file-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml
index 46c3dcd37..bac74e8f2 100644
--- a/host-interaction/filter/enumerate-minifilter-drivers.yml
+++ b/host-interaction/filter/enumerate-minifilter-drivers.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/filter
 authors:
 - aseel.kayal@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
diff --git a/host-interaction/filter/register-minifilter-driver.yml b/host-interaction/filter/register-minifilter-driver.yml
index 71e80fc7e..1da57ba45 100644
--- a/host-interaction/filter/register-minifilter-driver.yml
+++ b/host-interaction/filter/register-minifilter-driver.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/filter
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Hardware::Install Driver::Minifilter [C0037.001]
 references:
diff --git a/host-interaction/filter/start-minifilter-driver.yml b/host-interaction/filter/start-minifilter-driver.yml
index b62e44c00..ab1318f8d 100644
--- a/host-interaction/filter/start-minifilter-driver.yml
+++ b/host-interaction/filter/start-minifilter-driver.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/filter
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Hardware::Load Driver::Minifilter [C0023.001]
 references:
diff --git a/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml b/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml
index 56976b9dc..3c5fb77b2 100644
--- a/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml
+++ b/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/firewall/modify
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
diff --git a/host-interaction/gui/console/set-console-window-title.yml b/host-interaction/gui/console/set-console-window-title.yml
index c89d7fe3a..6111a779d 100644
--- a/host-interaction/gui/console/set-console-window-title.yml
+++ b/host-interaction/gui/console/set-console-window-title.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/gui/console
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Operating System::Console [C0033]
 examples:
diff --git a/host-interaction/gui/enumerate-gui-resources.yml b/host-interaction/gui/enumerate-gui-resources.yml
index 3926f4eeb..ef4a136e3 100644
--- a/host-interaction/gui/enumerate-gui-resources.yml
+++ b/host-interaction/gui/enumerate-gui-resources.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - johnk3r
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Discovery::Application Window Discovery [T1010]
 examples:
diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml
index 3f6114e72..bcff45f2d 100644
--- a/host-interaction/gui/logon/references-logon-banner.yml
+++ b/host-interaction/gui/logon/references-logon-banner.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/gui/logon
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 examples:
 - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC
 features:
diff --git a/host-interaction/gui/session/lock/lock-the-desktop.yml b/host-interaction/gui/session/lock/lock-the-desktop.yml
index a9343b930..af0d10427 100644
--- a/host-interaction/gui/session/lock/lock-the-desktop.yml
+++ b/host-interaction/gui/session/lock/lock-the-desktop.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/gui/session/lock
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Impact::Endpoint Denial of Service [T1499]
 examples:
diff --git a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
index ebe0dc9a6..68486ff38 100644
--- a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
+++ b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/gui/session
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Operating System::Wallpaper [C0035]
 examples:
diff --git a/host-interaction/gui/set-application-hook.yml b/host-interaction/gui/set-application-hook.yml
index 530a8ab9f..52299cbb0 100644
--- a/host-interaction/gui/set-application-hook.yml
+++ b/host-interaction/gui/set-application-hook.yml
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - Practical Malware Analysis Lab 12-03.exe_:0x401000 features: diff --git a/host-interaction/gui/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml index 54d3ac48e..5160f6bb1 100644 --- a/host-interaction/gui/switch-active-desktop.yml +++ b/host-interaction/gui/switch-active-desktop.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc: diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml index 324f02f83..ec3210aba 100644 --- a/host-interaction/gui/taskbar/find/find-taskbar.yml +++ b/host-interaction/gui/taskbar/find/find-taskbar.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/taskbar/find authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Discovery::Taskbar Discovery [B0043] examples: diff --git a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml index 5e670e5b6..cc6b2e634 100644 --- a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml +++ b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/taskbar/hide authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Hide Artifacts [T1564] examples: diff --git a/host-interaction/gui/window/find/find-graphical-window.yml b/host-interaction/gui/window/find/find-graphical-window.yml index 7113a1bc7..e44cec352 100644 --- a/host-interaction/gui/window/find/find-graphical-window.yml 
+++ b/host-interaction/gui/window/find/find-graphical-window.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/find authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::Application Window Discovery [T1010] examples: diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml index 97dd4565b..f7f25a049 100644 --- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml +++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/get-text authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Discovery::Application Window Discovery [E1010] examples: diff --git a/host-interaction/gui/window/hide/hide-graphical-window.yml b/host-interaction/gui/window/hide/hide-graphical-window.yml index da4ae933b..d08248103 100644 --- a/host-interaction/gui/window/hide/hide-graphical-window.yml +++ b/host-interaction/gui/window/hide/hide-graphical-window.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/hide authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003] examples: diff --git a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml index e1239ce63..0673777cb 100644 --- a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml +++ b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml 
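Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` in get-graphical-window-text.yml commits a placeholder whose meaning under the new schema is not stated anywhere in the rule, and the nested subscope block the comment refers to lies outside this hunk, so it presumably still carries the old single-scope form. As I read the loader, `unspecified` is handled like `unsupported`, which means the rule quietly drops out of dynamic matching rather than failing the linter, and a leftover is easy to miss once the TODO scrolls out of the diff. I would either make the interim state explicit, e.g. `dynamic: unsupported # TODO(subscope): migrate nested scope block, then choose thread/call`, or, if `unspecified` is meant to be a distinct triage state, add a lint check that fails on it so the follow-up cannot be forgotten. The same marker appears in simulate-ctrl-alt-del, get-disk-size and allocate-or-change-rwx-memory in this patch.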
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/cdrom authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Impact::Modify Hardware::CDROM [B0042.001] examples: diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml index 5704b98f4..653d595b1 100644 --- a/host-interaction/hardware/cpu/get-cpu-information.yml +++ b/host-interaction/hardware/cpu/get-cpu-information.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml index b87620209..73693717e 100644 --- a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml +++ b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/cpu authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/host-interaction/hardware/cpu/get-number-of-processors.yml b/host-interaction/hardware/cpu/get-number-of-processors.yml index 4001c4c04..7499ac7c0 100644 --- a/host-interaction/hardware/cpu/get-number-of-processors.yml +++ b/host-interaction/hardware/cpu/get-number-of-processors.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires property features att&ck: - Discovery::System Information Discovery [T1082] references: 
diff --git a/host-interaction/hardware/enumerate-devices-by-category.yml b/host-interaction/hardware/enumerate-devices-by-category.yml index 50e1b7368..12b0b8a23 100644 --- a/host-interaction/hardware/enumerate-devices-by-category.yml +++ b/host-interaction/hardware/enumerate-devices-by-category.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/hardware authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, bytes features references: - https://learn.microsoft.com/en-us/windows/win32/api/strmif/nf-strmif-icreatedevenum-createclassenumerator examples: diff --git a/host-interaction/hardware/keyboard/get-keyboard-layout.yml b/host-interaction/hardware/keyboard/get-keyboard-layout.yml index 5bbc21025..b31c61415 100644 --- a/host-interaction/hardware/keyboard/get-keyboard-layout.yml +++ b/host-interaction/hardware/keyboard/get-keyboard-layout.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/keyboard authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Location Discovery::System Language Discovery [T1614.001] examples: diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml index 2d9bf4626..4264488f8 100644 --- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml +++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001] examples: diff --git a/host-interaction/hardware/memory/get-memory-capacity.yml b/host-interaction/hardware/memory/get-memory-capacity.yml index 017640ecb..432cd5f08 100644 --- a/host-interaction/hardware/memory/get-memory-capacity.yml 
+++ b/host-interaction/hardware/memory/get-memory-capacity.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/memory authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml index 8827b4075..fcc653fee 100644 --- a/host-interaction/hardware/memory/get-memory-information.yml +++ b/host-interaction/hardware/memory/get-memory-information.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/memory authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/mouse/swap-mouse-buttons.yml b/host-interaction/hardware/mouse/swap-mouse-buttons.yml index f53901622..bf1073346 100644 --- a/host-interaction/hardware/mouse/swap-mouse-buttons.yml +++ b/host-interaction/hardware/mouse/swap-mouse-buttons.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/mouse authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Impact::Modify Hardware::Mouse [B0042.002] examples: diff --git a/host-interaction/hardware/storage/enumerate-disk-properties.yml b/host-interaction/hardware/storage/enumerate-disk-properties.yml index 90ad23d51..dfd58387c 100644 --- a/host-interaction/hardware/storage/enumerate-disk-properties.yml +++ b/host-interaction/hardware/storage/enumerate-disk-properties.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features att&ck: - Discovery::System Information Discovery [T1082] references: 
diff --git a/host-interaction/hardware/storage/get-disk-information.yml b/host-interaction/hardware/storage/get-disk-information.yml index 187f98995..706887ab8 100644 --- a/host-interaction/hardware/storage/get-disk-information.yml +++ b/host-interaction/hardware/storage/get-disk-information.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml index a5a865d17..c5198c860 100644 --- a/host-interaction/hardware/storage/get-disk-size.yml +++ b/host-interaction/hardware/storage/get-disk-size.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml index 1b308263b..6bc8f8185 100755 --- a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml +++ b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/log/clfs/read authors: - blaine.stancill@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Discovery::File and Directory Discovery::Log File [E1083.m01] references: diff --git a/host-interaction/log/debug/write-event/print-debug-messages.yml b/host-interaction/log/debug/write-event/print-debug-messages.yml index 67fe5b278..434825738 100644 --- a/host-interaction/log/debug/write-event/print-debug-messages.yml +++ b/host-interaction/log/debug/write-event/print-debug-messages.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/log/debug/write-event authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call examples: - 493167E85E45363D09495D0841C30648:0x401000 features: diff --git a/host-interaction/log/winevt/access/access-the-windows-event-log.yml b/host-interaction/log/winevt/access/access-the-windows-event-log.yml index 8d86a2198..2703b752c 100644 --- a/host-interaction/log/winevt/access/access-the-windows-event-log.yml +++ b/host-interaction/log/winevt/access/access-the-windows-event-log.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/log/winevt/access authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Discovery::File and Directory Discovery::Log File [E1083.m01] examples: diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml index 8626dfdab..73e234671 100644 --- a/host-interaction/memory/create-new-application-domain-in-dotnet.yml +++ b/host-interaction/memory/create-new-application-domain-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/memory authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unsupported # requires class features att&ck: - Persistence::Hijack Execution Flow [T1574] mbc: diff --git a/host-interaction/mutex/check-mutex-and-exit.yml b/host-interaction/mutex/check-mutex-and-exit.yml index 37a3ba08a..58a5f43d4 100644 --- a/host-interaction/mutex/check-mutex-and-exit.yml +++ b/host-interaction/mutex/check-mutex-and-exit.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Process::Check Mutex [C0043] - Process::Terminate Process [C0018] diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml index 21c5ac08b..ff5528a6d 100644 
--- a/host-interaction/mutex/check-mutex.yml +++ b/host-interaction/mutex/check-mutex.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Process::Check Mutex [C0043] examples: diff --git a/host-interaction/mutex/create-mutex.yml b/host-interaction/mutex/create-mutex.yml index 7cb7472f3..7858ab4ee 100644 --- a/host-interaction/mutex/create-mutex.yml +++ b/host-interaction/mutex/create-mutex.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Process::Create Mutex [C0042] examples: diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml index 1a8469d52..5adb80524 100644 --- a/host-interaction/mutex/create-semaphore-on-linux.yml +++ b/host-interaction/mutex/create-semaphore-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0 features: diff --git a/host-interaction/mutex/lock-file.yml b/host-interaction/mutex/lock-file.yml index cac4863fc..795e862ce 100644 --- a/host-interaction/mutex/lock-file.yml +++ b/host-interaction/mutex/lock-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Mutex [C0042] examples: diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml index 04e10c726..301927621 100644 --- a/host-interaction/mutex/lock-semaphore-on-linux.yml +++ b/host-interaction/mutex/lock-semaphore-on-linux.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40 features: diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml index 62ae268cc..b33ff115c 100644 --- a/host-interaction/mutex/unlock-semaphore-on-linux.yml +++ b/host-interaction/mutex/unlock-semaphore-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40 features: diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml index 92afbadfc..4b57f8cda 100644 --- a/host-interaction/network/address/get-local-ipv4-addresses.yml +++ b/host-interaction/network/address/get-local-ipv4-addresses.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml b/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml index 685a7e719..564aceec6 100644 --- a/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml +++ b/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml @@ -5,7 +5,9 @@ rule: authors: - matthew.williams@mandiant.com - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires mnemonic features att&ck: - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] examples: 
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml index 4c8d87a49..44fa848b4 100644 --- a/host-interaction/network/connectivity/set-tcp-connection-state.yml +++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml @@ -5,7 +5,9 @@ rule: authors: - "@johnk3r" description: The SetTcpEntry function sets the state of a TCP connection. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses [T1562] references: diff --git a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml index 2cb447de3..a176f31f5 100644 --- a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml +++ b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] references: diff --git a/host-interaction/network/domain/get-domain-controller-name.yml b/host-interaction/network/domain/get-domain-controller-name.yml index 028a98728..43768e97f 100644 --- a/host-interaction/network/domain/get-domain-controller-name.yml +++ b/host-interaction/network/domain/get-domain-controller-name.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] references: 
diff --git a/host-interaction/network/domain/get-domain-information.yml b/host-interaction/network/domain/get-domain-information.yml index 7e9999e78..29d43bdef 100644 --- a/host-interaction/network/domain/get-domain-information.yml +++ b/host-interaction/network/domain/get-domain-information.yml @@ -7,7 +7,9 @@ rule: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com description: Detect collection of Windows domain information - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml index dfcee3545..b807c106c 100644 --- a/host-interaction/network/interface/get-networking-interfaces.yml +++ b/host-interaction/network/interface/get-networking-interfaces.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/traffic/copy/copy-network-traffic.yml b/host-interaction/network/traffic/copy/copy-network-traffic.yml index 0747b5c1e..0267bb659 100644 --- a/host-interaction/network/traffic/copy/copy-network-traffic.yml +++ b/host-interaction/network/traffic/copy/copy-network-traffic.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/traffic/copy authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::Network Sniffing [T1040] examples: diff --git a/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml b/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml index 9a3a89be6..d7966c00f 100644 --- a/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml 
+++ b/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/traffic/filter authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002] examples: diff --git a/host-interaction/os/hostname/get-hostname.yml b/host-interaction/os/hostname/get-hostname.yml index fe3681451..5e2257342 100644 --- a/host-interaction/os/hostname/get-hostname.yml +++ b/host-interaction/os/hostname/get-hostname.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/os/info/get-system-information-on-windows.yml b/host-interaction/os/info/get-system-information-on-windows.yml index ee8bdb495..4520cf7ca 100644 --- a/host-interaction/os/info/get-system-information-on-windows.yml +++ b/host-interaction/os/info/get-system-information-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/os/shutdown-system.yml b/host-interaction/os/shutdown-system.yml index c1fa5e9a2..56e14f94f 100644 --- a/host-interaction/os/shutdown-system.yml +++ b/host-interaction/os/shutdown-system.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Impact::System Shutdown/Reboot [T1529] examples: diff --git a/host-interaction/os/version/check-os-version.yml b/host-interaction/os/version/check-os-version.yml index 66402d52a..1f7202342 100644 --- a/host-interaction/os/version/check-os-version.yml 
+++ b/host-interaction/os/version/check-os-version.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: unsupported # requires mnemonic features att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml index cc39769b3..f68f290e0 100644 --- a/host-interaction/os/version/get-kernel-version.yml +++ b/host-interaction/os/version/get-kernel-version.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml index a5ab0ce4f..a1a02e723 100644 --- a/host-interaction/os/version/get-linux-distribution.yml +++ b/host-interaction/os/version/get-linux-distribution.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/process/allocate-thread-local-storage.yml b/host-interaction/process/allocate-thread-local-storage.yml index 0313f726a..fe13e83c8 100644 --- a/host-interaction/process/allocate-thread-local-storage.yml +++ b/host-interaction/process/allocate-thread-local-storage.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Process::Allocate Thread Local Storage [C0040] examples: 
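Review bot: `dynamic: unsupported # requires mnemonic features` in check-os-version.yml turns off dynamic matching for the whole rule because of one instruction-level feature, although OS-version checks are usually also visible as API calls in a sandbox trace. The rule's feature block is outside this hunk, so I cannot tell whether it is an `or` of an API branch and a mnemonic/number branch; if it is, the mnemonic branch could sit in a static-only subrule and the API branch keep a `thread` or `call` dynamic scope, so dynamic analysis does not lose the capability entirely. The same pattern applies to check-internet-connectivity-via-wininet.yml earlier in this patch, which is also marked `unsupported # requires mnemonic features`. A comment such as `# dynamic: unsupported until the mnemonic branch is split out` would at least record that this is a limitation of the migration rather than of the capability.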
diff --git a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml index c8a7adeef..292df5a22 100644 --- a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml +++ b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml @@ -5,7 +5,9 @@ rule: authors: - matthew.williams@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires property features mbc: - Process::Create Process [C0017] references: diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml index 44987b88d..9126da316 100644 --- a/host-interaction/process/create/create-process-on-linux.yml +++ b/host-interaction/process/create/create-process-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/create/create-process-on-windows.yml b/host-interaction/process/create/create-process-on-windows.yml index 1f3dcd75f..c72689fca 100644 --- a/host-interaction/process/create/create-process-on-windows.yml +++ b/host-interaction/process/create/create-process-on-windows.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/create/create-process-suspended.yml b/host-interaction/process/create/create-process-suspended.yml index 63e50e719..92f12702a 100644 
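Review bot: Two sibling rules with identical static scope got opposite dynamic scopes from the script: create-process-on-linux.yml is `dynamic: thread # TODO check if scope call instead` while create-process-on-windows.yml is `dynamic: call # TODO check if scope thread instead`, and the same split shows up between check-mutex.yml (`thread`) and lock-file.yml (`call`) earlier in the patch. Since `basic block` does not determine a dynamic scope on its own, the choice should come from the feature shape, which is outside these hunks: a rule that is essentially one API call with specific arguments belongs at `call`, and one that needs several calls to co-occur belongs at `thread`. I would resolve the TODOs with that rule of thumb before merge rather than ship the placeholders, and note the reasoning in a one-line comment such as `dynamic: call # single API with argument match`, because the dynamic scope directly changes how loosely these process-creation and mutex rules match a trace.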
--- a/host-interaction/process/create/create-process-suspended.yml +++ b/host-interaction/process/create/create-process-suspended.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Process::Create Process::Create Suspended Process [C0017.003] examples: diff --git a/host-interaction/process/create/execute-command.yml b/host-interaction/process/create/execute-command.yml index 1ca1d9fdb..365ed5301 100644 --- a/host-interaction/process/create/execute-command.yml +++ b/host-interaction/process/create/execute-command.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: call mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/dump/create-process-memory-minidump.yml b/host-interaction/process/dump/create-process-memory-minidump.yml index 14e5d39ca..caf81379e 100644 --- a/host-interaction/process/dump/create-process-memory-minidump.yml +++ b/host-interaction/process/dump/create-process-memory-minidump.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/process/dump authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - File System::Writes File [C0052] examples: diff --git a/host-interaction/process/get-process-heap-flags.yml b/host-interaction/process/get-process-heap-flags.yml index 8dee6840e..2a097d7ee 100644 --- a/host-interaction/process/get-process-heap-flags.yml +++ b/host-interaction/process/get-process-heap-flags.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/get-process-heap-force-flags.yml b/host-interaction/process/get-process-heap-force-flags.yml index b2240ba64..3aac485f2 100644 --- a/host-interaction/process/get-process-heap-force-flags.yml +++ b/host-interaction/process/get-process-heap-force-flags.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml index 6e5d06848..1b5fdcb99 100644 --- a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - "@mr-tz" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml index cd2c3bda9..3dc6af4c2 100644 --- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] examples: 
diff --git a/host-interaction/process/inject/attach-user-process-memory.yml b/host-interaction/process/inject/attach-user-process-memory.yml index 4cb52d706..4f8fa5c00 100644 --- a/host-interaction/process/inject/attach-user-process-memory.yml +++ b/host-interaction/process/inject/attach-user-process-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml index eb5ec915f..f42f7a3d3 100644 --- a/host-interaction/process/inject/free-user-process-memory.yml +++ b/host-interaction/process/inject/free-user-process-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml index d60daa4bb..9a43ccfce 100644 --- a/host-interaction/process/inject/hijack-thread-execution.yml +++ b/host-interaction/process/inject/hijack-thread-execution.yml @@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml index 6f803b9da..da9102f87 100644 --- a/host-interaction/process/inject/inject-apc.yml +++ b/host-interaction/process/inject/inject-apc.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004] examples: diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml index d1ceb6b81..adc9c90a0 100644 --- a/host-interaction/process/inject/inject-dll.yml +++ b/host-interaction/process/inject/inject-dll.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001] references: diff --git a/host-interaction/process/inject/inject-pe.yml b/host-interaction/process/inject/inject-pe.yml index 333f831ed..5a57a520a 100644 --- a/host-interaction/process/inject/inject-pe.yml +++ b/host-interaction/process/inject/inject-pe.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic features att&ck: - Defense Evasion::Process Injection::Portable Executable Injection [T1055.002] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml index 7bf617d35..9f7be243e 100644 --- a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml +++ b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] mbc: 
diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml index f500f3e7d..3add357bf 100644 --- a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml +++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011] mbc: diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml index ba0ebdacc..2d10da4df 100644 --- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml +++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml index f6e25e16e..b83848f2f 100644 --- a/host-interaction/process/inject/inject-thread.yml +++ b/host-interaction/process/inject/inject-thread.yml @@ -5,7 +5,9 @@ rule: authors: - anamaria.martinezgom@mandiant.com - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003] - Defense Evasion::Reflective Code Loading [T1620] 
diff --git "a/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" "b/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" index 866ced9b4..01bd3a732 100644 --- "a/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" +++ "b/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Process Injection::Process Doppelgänging [T1055.013] examples: diff --git a/host-interaction/process/inject/use-process-replacement.yml b/host-interaction/process/inject/use-process-replacement.yml index 1f11157ab..18e5c0c66 100644 --- a/host-interaction/process/inject/use-process-replacement.yml +++ b/host-interaction/process/inject/use-process-replacement.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection::Process Hollowing [T1055.012] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml index 7f32dd57b..a25910247 100644 --- a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml +++ b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] examples: 
diff --git a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml index ef325cc6f..256f8fd21 100644 --- a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml +++ b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml index 59e618880..3325a93fe 100644 --- a/host-interaction/process/list/enumerate-processes.yml +++ b/host-interaction/process/list/enumerate-processes.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/host-interaction/process/list/find-process-by-pid.yml b/host-interaction/process/list/find-process-by-pid.yml index dc33f7f59..881be3f33 100644 --- a/host-interaction/process/list/find-process-by-pid.yml +++ b/host-interaction/process/list/find-process-by-pid.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] examples: diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml index 0d3e888eb..06877e821 100644 --- a/host-interaction/process/list/get-explorer-pid.yml +++ b/host-interaction/process/list/get-explorer-pid.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/map-section-object.yml b/host-interaction/process/map-section-object.yml index e76816331..52fbac7ad 100644 --- a/host-interaction/process/map-section-object.yml +++ b/host-interaction/process/map-section-object.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0 features: diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml index 35893a611..73422e1a1 100644 --- a/host-interaction/process/modify/acquire-debug-privileges.yml +++ b/host-interaction/process/modify/acquire-debug-privileges.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/modify authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Privilege Escalation::Access Token Manipulation [T1134] examples: diff --git a/host-interaction/process/modify/modify-access-privileges.yml b/host-interaction/process/modify/modify-access-privileges.yml index e127f503a..49f989714 100644 --- a/host-interaction/process/modify/modify-access-privileges.yml +++ b/host-interaction/process/modify/modify-access-privileges.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/modify authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Privilege Escalation::Access Token Manipulation [T1134] examples: 
diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml index d588a51e8..4a4db4e15 100644 --- a/host-interaction/process/modules/list/enumerate-process-modules.yml +++ b/host-interaction/process/modules/list/enumerate-process-modules.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Discovery::Process Discovery [T1057] examples: diff --git a/host-interaction/process/set-thread-local-storage-value.yml b/host-interaction/process/set-thread-local-storage-value.yml index edb7329ac..0afad717a 100644 --- a/host-interaction/process/set-thread-local-storage-value.yml +++ b/host-interaction/process/set-thread-local-storage-value.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Process::Set Thread Local Storage Value [C0041] examples: diff --git a/host-interaction/process/terminate/terminate-process-via-kill.yml b/host-interaction/process/terminate/terminate-process-via-kill.yml index b9140122a..75ff517d5 100644 --- a/host-interaction/process/terminate/terminate-process-via-kill.yml +++ b/host-interaction/process/terminate/terminate-process-via-kill.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/terminate authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Process::Terminate Process [C0018] examples: diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml index 6d80122fe..c29a3c300 100644 --- a/host-interaction/process/terminate/terminate-process.yml +++ b/host-interaction/process/terminate/terminate-process.yml 
@@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Process::Terminate Process [C0018] examples: diff --git a/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml b/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml index 4c3c5cd8d..70110f299 100644 --- a/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml +++ b/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/recycle-bin authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires offset, mnemonic features att&ck: - Defense Evasion::Indicator Removal [T1070] references: diff --git a/host-interaction/registry/create-registry-key-via-offline-registry-library.yml b/host-interaction/registry/create-registry-key-via-offline-registry-library.yml index 654693767..b9093d56e 100644 --- a/host-interaction/registry/create-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/create-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: call att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/create/set-registry-value.yml b/host-interaction/registry/create/set-registry-value.yml index 63236890d..c2091ed78 100644 --- a/host-interaction/registry/create/set-registry-value.yml +++ b/host-interaction/registry/create/set-registry-value.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead mbc: - Operating System::Registry::Set Registry Key [C0036.001] examples: 
diff --git a/host-interaction/registry/delete/delete-registry-key.yml b/host-interaction/registry/delete/delete-registry-key.yml index f702e7a14..0760a49e1 100644 --- a/host-interaction/registry/delete/delete-registry-key.yml +++ b/host-interaction/registry/delete/delete-registry-key.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/delete/delete-registry-value.yml b/host-interaction/registry/delete/delete-registry-value.yml index f61c0461a..39a77d941 100644 --- a/host-interaction/registry/delete/delete-registry-value.yml +++ b/host-interaction/registry/delete/delete-registry-value.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/open-registry-key-via-offline-registry-library.yml b/host-interaction/registry/open-registry-key-via-offline-registry-library.yml index 7baadd03b..2a8d3c011 100644 --- a/host-interaction/registry/open-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/open-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: call mbc: - Operating System::Registry::Open Registry Key [C0036.003] examples: diff --git a/host-interaction/registry/query-or-enumerate-registry-key.yml b/host-interaction/registry/query-or-enumerate-registry-key.yml index 5644e6431..62d672d1e 100644 --- a/host-interaction/registry/query-or-enumerate-registry-key.yml +++ b/host-interaction/registry/query-or-enumerate-registry-key.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/query-or-enumerate-registry-value.yml b/host-interaction/registry/query-or-enumerate-registry-value.yml index 5eaa5b664..855da49ed 100644 --- a/host-interaction/registry/query-or-enumerate-registry-value.yml +++ b/host-interaction/registry/query-or-enumerate-registry-value.yml @@ -6,7 +6,9 @@ rule: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/query-registry-key-via-offline-registry-library.yml b/host-interaction/registry/query-registry-key-via-offline-registry-library.yml index 6092ed4cf..6cf99f168 100644 --- a/host-interaction/registry/query-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/query-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml index dc1e84388..66b1a58dc 100644 --- a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: 
diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml index dd481e8b0..2d1e5f62b 100644 --- a/host-interaction/service/continue-service.yml +++ b/host-interaction/service/continue-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml index 5987994d7..6358c083d 100644 --- a/host-interaction/service/create/create-service.yml +++ b/host-interaction/service/create/create-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/create authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] diff --git a/host-interaction/service/delete/delete-service.yml b/host-interaction/service/delete/delete-service.yml index b704dd523..6aa8fe162 100644 --- a/host-interaction/service/delete/delete-service.yml +++ b/host-interaction/service/delete/delete-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/delete authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/list/enumerate-services.yml b/host-interaction/service/list/enumerate-services.yml index 6c4bd7c6d..d35e4a12d 100644 --- a/host-interaction/service/list/enumerate-services.yml +++ b/host-interaction/service/list/enumerate-services.yml 
@@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/modify/modify-service.yml b/host-interaction/service/modify/modify-service.yml index 2ada512ed..18297751a 100644 --- a/host-interaction/service/modify/modify-service.yml +++ b/host-interaction/service/modify/modify-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/modify authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml index 91bbafe99..9a0350dd2 100644 --- a/host-interaction/service/pause-service.yml +++ b/host-interaction/service/pause-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/query-service-configuration.yml b/host-interaction/service/query-service-configuration.yml index 539aab630..c77b5f8f3 100644 --- a/host-interaction/service/query-service-configuration.yml +++ b/host-interaction/service/query-service-configuration.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/query-service-status.yml b/host-interaction/service/query-service-status.yml index 0d7293103..ed2eccb23 100644 
--- a/host-interaction/service/query-service-status.yml +++ b/host-interaction/service/query-service-status.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/run-as-service.yml b/host-interaction/service/run-as-service.yml index d2fa5d425..a20c9c335 100644 --- a/host-interaction/service/run-as-service.yml +++ b/host-interaction/service/run-as-service.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Anti-Behavioral Analysis::Conditional Execution::Runs as Service [B0025.007] examples: diff --git a/host-interaction/service/start/start-service.yml b/host-interaction/service/start/start-service.yml index a8ff5f63d..33d110b9f 100644 --- a/host-interaction/service/start/start-service.yml +++ b/host-interaction/service/start/start-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/start authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml index d1426f20b..9caa6d575 100644 --- a/host-interaction/service/stop/stop-service.yml +++ b/host-interaction/service/stop/stop-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/stop authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Impact::Service Stop [T1489] 
diff --git a/host-interaction/session/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml index 06a668dbd..29f7a424a 100644 --- a/host-interaction/session/get-current-user-on-linux.yml +++ b/host-interaction/session/get-current-user-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-logon-sessions.yml b/host-interaction/session/get-logon-sessions.yml index 227959188..709563420 100644 --- a/host-interaction/session/get-logon-sessions.yml +++ b/host-interaction/session/get-logon-sessions.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for imported Windows APIs being called to enumerate user sessions. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Account Discovery [T1087] examples: diff --git a/host-interaction/session/get-session-integrity-level.yml b/host-interaction/session/get-session-integrity-level.yml index 7a5cd2a57..a07c7a25f 100644 --- a/host-interaction/session/get-session-integrity-level.yml +++ b/host-interaction/session/get-session-integrity-level.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml index 4938f799c..685652d16 100644 --- a/host-interaction/session/get-session-user-name.yml +++ b/host-interaction/session/get-session-user-name.yml 
@@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Discovery::System Owner/User Discovery [T1033] - Discovery::Account Discovery [T1087] diff --git a/host-interaction/session/get-token-membership.yml b/host-interaction/session/get-token-membership.yml index 731a695d2..54b399b12 100644 --- a/host-interaction/session/get-token-membership.yml +++ b/host-interaction/session/get-token-membership.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-user-security-identifier.yml b/host-interaction/session/get-user-security-identifier.yml index 587c114ff..bf2c6ea4b 100644 --- a/host-interaction/session/get-user-security-identifier.yml +++ b/host-interaction/session/get-user-security-identifier.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Account Discovery [T1087] examples: diff --git a/host-interaction/software/get-installed-programs.yml b/host-interaction/software/get-installed-programs.yml index a91827675..cab7d83d6 100644 --- a/host-interaction/software/get-installed-programs.yml +++ b/host-interaction/software/get-installed-programs.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic features att&ck: - Discovery::Software Discovery [T1518] examples: 
diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml index bba2ea2eb..3351bfb4a 100644 --- a/host-interaction/thread/create/create-thread.yml +++ b/host-interaction/thread/create/create-thread.yml @@ -7,7 +7,9 @@ rule: - michael.hunhoff@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Process::Create Thread [C0038] examples: diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml index 5b3757640..c445f568d 100644 --- a/host-interaction/thread/list/enumerate-threads.yml +++ b/host-interaction/thread/list/enumerate-threads.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/list authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains subscope att&ck: - Discovery::Process Discovery [T1057] mbc: diff --git a/host-interaction/thread/resume/resume-thread.yml b/host-interaction/thread/resume/resume-thread.yml index 2fa1c118f..26a4ee934 100644 --- a/host-interaction/thread/resume/resume-thread.yml +++ b/host-interaction/thread/resume/resume-thread.yml @@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Resume Thread [C0054] examples: diff --git a/host-interaction/thread/suspend/suspend-thread.yml b/host-interaction/thread/suspend/suspend-thread.yml index 563591c51..f3edf003c 100644 --- a/host-interaction/thread/suspend/suspend-thread.yml +++ b/host-interaction/thread/suspend/suspend-thread.yml 
@@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Suspend Thread [C0055] examples: diff --git a/host-interaction/thread/terminate/terminate-thread.yml b/host-interaction/thread/terminate/terminate-thread.yml index cfc7e63ce..3bf7356c8 100644 --- a/host-interaction/thread/terminate/terminate-thread.yml +++ b/host-interaction/thread/terminate/terminate-thread.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Terminate Thread [C0039] examples: diff --git a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml index 83748e71d..7ffef285f 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/uac/bypass authors: - richard.cole@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml index 2b1b3a3f6..7e90cb1be 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/uac/bypass authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: 
diff --git a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml index e8d34bf7d..27fcaf277 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml @@ -5,7 +5,9 @@ rule: authors: - david.cannings@pwc.com - david@edeca.net - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml index 241175562..7a9795b1d 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml @@ -5,7 +5,9 @@ rule: authors: - richard.cole@mandiant.com - david.cannings@pwc.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml index 2aac42794..4f5c52d69 100644 --- a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml +++ b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/wmi authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, bytes features att&ck: - Execution::Windows Management Instrumentation [T1047] examples: diff --git a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml index 47db03ce7..3f09f5379 100644 --- a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml 
+++ b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml @@ -4,7 +4,9 @@ rule: namespace: impact/inhibit-system-recovery authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::Inhibit System Recovery [T1490] - Defense Evasion::Indicator Removal::File Deletion [T1070.004] diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml index 7fd1819f7..3257c3f07 100644 --- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml +++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml @@ -4,7 +4,9 @@ rule: namespace: impact/wipe-disk/wipe-mbr authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::Disk Wipe::Disk Structure Wipe [T1561.002] mbc: diff --git a/internal/limitation/file/internal-autohotkey-file-limitation.yml b/internal/limitation/file/internal-autohotkey-file-limitation.yml index 3a82e33d6..e68932daf 100644 --- a/internal/limitation/file/internal-autohotkey-file-limitation.yml +++ b/internal/limitation/file/internal-autohotkey-file-limitation.yml @@ -11,7 +11,9 @@ rule: AutoHotkey was developed from AutoIT and the scripts may be similar. capa cannot handle AutoHotkey scripts. This means that the results will be misleading or incomplete. You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe. - scope: file + scopes: + static: file + dynamic: file examples: - 92D8EA10EA30E8B534334A1C9857A455 features: diff --git a/internal/limitation/file/internal-autoit-file-limitation.yml b/internal/limitation/file/internal-autoit-file-limitation.yml index 1d11979c7..c687e4c83 100644 --- a/internal/limitation/file/internal-autoit-file-limitation.yml +++ b/internal/limitation/file/internal-autoit-file-limitation.yml 
@@ -13,7 +13,9 @@ rule: AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI. capa cannot handle AutoIt scripts. This means that the results will be misleading or incomplete. You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe. - scope: file + scopes: + static: file + dynamic: file examples: - 55D77AB16377A8A314982F723FCC6FAE features: diff --git a/internal/limitation/file/internal-installer-file-limitation.yml b/internal/limitation/file/internal-installer-file-limitation.yml index c12eaed29..0499a1386 100644 --- a/internal/limitation/file/internal-installer-file-limitation.yml +++ b/internal/limitation/file/internal-installer-file-limitation.yml @@ -11,7 +11,9 @@ rule: capa cannot handle installers well. This means the results may be misleading or incomplete. You should try to understand the install mechanism and analyze created files with capa. - scope: file + scopes: + static: file + dynamic: file examples: - 70FD3347786ED7A4A43910E6778EF296 features: diff --git a/internal/limitation/file/internal-packer-file-limitation.yml b/internal/limitation/file/internal-packer-file-limitation.yml index 9789d54e3..5e87b7e56 100644 --- a/internal/limitation/file/internal-packer-file-limitation.yml +++ b/internal/limitation/file/internal-packer-file-limitation.yml @@ -10,7 +10,9 @@ rule: Packed samples have often been obfuscated to hide their logic. capa cannot handle obfuscation well. This means the results may be misleading or incomplete. If possible, you should try to unpack this input file before analyzing it with capa. - scope: file + scopes: + static: file + dynamic: file examples: - CD2CBA9E6313E8DF2C1273593E649682 features: diff --git a/internal/limitation/file/internal-visual-basic-file-limitation.yml b/internal/limitation/file/internal-visual-basic-file-limitation.yml index 20cc6dc4c..2eba6c040 100644 --- a/internal/limitation/file/internal-visual-basic-file-limitation.yml 
+++ b/internal/limitation/file/internal-visual-basic-file-limitation.yml @@ -11,7 +11,9 @@ rule: representation called P-Code. capa cannot handle Visual Basic executables well. This means that the results will be misleading or incomplete. You may have to analyze the file manually, for example using a tool like VB Decompiler. - scope: file + scopes: + static: file + dynamic: file examples: - 9bca6b99e7981208af4c7925b96fb9cf features: diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index 13c2dde10..729b15d50 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml @@ -5,7 +5,9 @@ rule: - 0x534a@mailbox.org - "@mr-tz" lib: true - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/lib/allocate-or-change-rw-memory.yml b/lib/allocate-or-change-rw-memory.yml index b67f25c3f..bd304b725 100644 --- a/lib/allocate-or-change-rw-memory.yml +++ b/lib/allocate-or-change-rw-memory.yml @@ -5,7 +5,9 @@ rule: - 0x534a@mailbox.org - "@mr-tz" lib: true - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains subscope mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/lib/calculate-modulo-256-via-x86-assembly.yml b/lib/calculate-modulo-256-via-x86-assembly.yml index 694a307d6..d089e144e 100644 --- a/lib/calculate-modulo-256-via-x86-assembly.yml +++ b/lib/calculate-modulo-256-via-x86-assembly.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: instruction + scopes: + static: instruction + dynamic: unsupported # requires mnemonic features mbc: - Data::Modulo [C0058] examples: diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml index 05301e1ad..3544fefa8 100644 --- a/lib/change-memory-protection.yml +++ b/lib/change-memory-protection.yml 
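Review bot: The `lib/allocate-or-change-rw-memory.yml` hunk commits `dynamic: unspecified # TODO upgrade manually, contains subscope` as the shipped value, so the rule's dynamic behaviour is left to whatever the loader does with `unspecified` rather than decided; the same placeholder lands in `resolve-function-by-brute-ratel-badger-hash.yml`, `resolve-function-by-fin8-fasthash.yml` and `nursery/capture-webcam-video.yml` later in the patch. The `# TODO check if scope call instead` markers on `lib/allocate-memory.yml` and a dozen sibling rules are the same pattern: a guess plus an in-file reminder. I'd either resolve these before merging or track them in one issue referenced from the rule, e.g. `dynamic: unspecified # subscope rule, dynamic scope pending: see <ISSUE-PLACEHOLDER>`, so the open items can be listed and closed instead of being greppable only by convention. Presumably the script could also emit the list of affected files to the PR description, which would make the remaining manual work visible to reviewers.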
@@ -4,7 +4,9 @@ rule:
 authors:
 - "@mr-tz"
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Memory::Change Memory Protection [C0008]
 examples:
diff --git a/lib/contain-loop.yml b/lib/contain-loop.yml
index 6dcf5fdac..05db44657 100644
--- a/lib/contain-loop.yml
+++ b/lib/contain-loop.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic features
 examples:
 - 08AC667C65D36D6542917655571E61C8:0x406EAA
 features:
diff --git a/lib/contain-pusha-popa-sequence.yml b/lib/contain-pusha-popa-sequence.yml
index 1fbe9b256..1c368029e 100644
--- a/lib/contain-pusha-popa-sequence.yml
+++ b/lib/contain-pusha-popa-sequence.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 examples:
 - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200
 features:
diff --git a/lib/create-or-open-file.yml b/lib/create-or-open-file.yml
index 8cbc7f309..def162e81 100644
--- a/lib/create-or-open-file.yml
+++ b/lib/create-or-open-file.yml
@@ -5,7 +5,9 @@ rule:
 - michael.hunhoff@mandiant.com
 - joakim@intezer.com
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - File System::Create File [C0016]
 examples:
diff --git a/lib/create-or-open-registry-key.yml b/lib/create-or-open-registry-key.yml
index 3c2f6d566..58c2a1436 100644
--- a/lib/create-or-open-registry-key.yml
+++ b/lib/create-or-open-registry-key.yml
@@ -5,7 +5,9 @@ rule:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Operating System::Registry::Create Registry Key [C0036.004]
 - Operating System::Registry::Open Registry Key [C0036.003]
diff --git a/lib/create-or-open-section-object.yml b/lib/create-or-open-section-object.yml
index 75968e983..6def76aeb 100644
--- a/lib/create-or-open-section-object.yml
+++ b/lib/create-or-open-section-object.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 examples:
 - daa13ae302fe8b618ddbf590537443ef:0x401116
 features:
diff --git a/lib/delay-execution.yml b/lib/delay-execution.yml
index 14448a5b6..35079b7fa 100644
--- a/lib/delay-execution.yml
+++ b/lib/delay-execution.yml
@@ -5,7 +5,9 @@ rule:
 - michael.hunhoff@mandiant.com
 - "@ramen0x3f"
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 mbc:
 - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]
 references:
diff --git a/lib/duplicate-stdin-and-stdout.yml b/lib/duplicate-stdin-and-stdout.yml
index ed94dbf69..84091724a 100644
--- a/lib/duplicate-stdin-and-stdout.yml
+++ b/lib/duplicate-stdin-and-stdout.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - joakim@intezer.com
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 examples:
 - 7351f8a40c5450557b24622417fc478d:0x40236D
 features:
diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml
index 4ef45d0c1..ffae798ca 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - "@mr-tz"
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 examples:
 - 493167E85E45363D09495D0841C30648:0x401000
 - 5f66b82558ca92e54e77f216ef4c066c:0x44580A
diff --git a/lib/get-service-handle.yml b/lib/get-service-handle.yml
index 703555c7b..55aacba8a 100644
--- a/lib/get-service-handle.yml
+++ b/lib/get-service-handle.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 examples:
 - Practical Malware Analysis Lab 03-02.dll_:0x10004706
 features:
diff --git a/lib/open-process.yml b/lib/open-process.yml
index 684fc4fa6..7981b6891 100644
--- a/lib/open-process.yml
+++ b/lib/open-process.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - 0x534a@mailbox.org
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Process::Open Process [C0065]
 examples:
diff --git a/lib/open-thread.yml b/lib/open-thread.yml
index 60b0aca59..a08e99cad 100644
--- a/lib/open-thread.yml
+++ b/lib/open-thread.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - 0x534a@mailbox.org
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 mbc:
 - Process::Open Thread [C0066]
 examples:
diff --git a/lib/peb-access.yml b/lib/peb-access.yml
index 00a76905b..1490de8c5 100644
--- a/lib/peb-access.yml
+++ b/lib/peb-access.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 lib: true
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires characteristic, offset, mnemonic features
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019]
 references:
diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
index df9a211a7..a498fafcc 100644
--- a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
+++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - "@_re_fox"
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, offset, mnemonic, Not features
 mbc:
 - Data::Checksum::Luhn [C0032.002]
 examples:
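Review bot: The generated comment on `lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml`, `# requires characteristic, offset, mnemonic, Not features`, lists `Not`, which is a logic statement rather than a feature, so the stated reason for `unsupported` is misleading to the next person who revisits the rule; `load-code/pe/enumerate-pe-sections.yml` later in the patch has the same problem with `Not` and `basicblock`. Presumably the script emits the class name of every node it could not map, and the fix belongs there, but for the committed text I'd write `+ dynamic: unsupported # requires characteristic, offset, mnemonic features` here and drop `Not`/`basicblock` from the enumerate-pe-sections comment. Only the feature kinds that have no dynamic equivalent explain the value; the surrounding logic nodes do not.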
diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
index 576ba2e52..c190adaa1 100644
--- a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
+++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - "@_re_fox"
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, offset, mnemonic features
 mbc:
 - Data::Checksum::Luhn [C0032.002]
 examples:
diff --git a/lib/write-process-memory.yml b/lib/write-process-memory.yml
index e5e2dd368..54690c302 100644
--- a/lib/write-process-memory.yml
+++ b/lib/write-process-memory.yml
@@ -4,7 +4,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 examples:
diff --git a/linking/runtime-linking/access-peb-ldr_data.yml b/linking/runtime-linking/access-peb-ldr_data.yml
index 1dbce3e2b..3fa40062a 100644
--- a/linking/runtime-linking/access-peb-ldr_data.yml
+++ b/linking/runtime-linking/access-peb-ldr_data.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires offset features
 att&ck:
 - Execution::Shared Modules [T1129]
 references:
diff --git a/linking/runtime-linking/get-kernel32-base-address.yml b/linking/runtime-linking/get-kernel32-base-address.yml
index c8d89557e..e897783f9 100644
--- a/linking/runtime-linking/get-kernel32-base-address.yml
+++ b/linking/runtime-linking/get-kernel32-base-address.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires offset features
 att&ck:
 - Execution::Shared Modules [T1129]
 references:
diff --git a/linking/runtime-linking/get-ntdll-base-address.yml b/linking/runtime-linking/get-ntdll-base-address.yml
index bddd293cf..74106ccf0 100644
--- a/linking/runtime-linking/get-ntdll-base-address.yml
+++ b/linking/runtime-linking/get-ntdll-base-address.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires offset features
 att&ck:
 - Execution::Shared Modules [T1129]
 references:
diff --git a/linking/runtime-linking/link-function-at-runtime-on-windows.yml b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
index fabedd42b..58846573d 100644
--- a/linking/runtime-linking/link-function-at-runtime-on-windows.yml
+++ b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic features
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
index b5b765918..2e14ff7fd 100644
--- a/linking/runtime-linking/link-many-functions-at-runtime.yml
+++ b/linking/runtime-linking/link-many-functions-at-runtime.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - moritz.raabe@mandiant.com
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
index f7a79c99c..e55293a6a 100644
--- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
+++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - jakub.jozwiak@mandiant.com
 description: Custom API hashing algorithm used in Brute Ratel Badger (version 1.3 or higher)
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007]
 mbc:
diff --git a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml
index 6b9a3a710..a181ce876 100644
--- a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml
+++ b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@r3c0nst (Frank Boldewin)"
 description: APIHashing algorithm derived from a fasthash implementation in OpenCPN using seeds
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 mbc:
 - Cryptography::Cryptographic Hash [C0029]
 references:
diff --git a/linking/static/aplib/linked-against-aplib.yml b/linking/static/aplib/linked-against-aplib.yml
index 481c8c2a7..c0198168a 100644
--- a/linking/static/aplib/linked-against-aplib.yml
+++ b/linking/static/aplib/linked-against-aplib.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/aplib
 authors:
 - still@teamt5.org
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Data::Compression Library [C0060]
 examples:
diff --git a/linking/static/cryptopp/linked-against-crypto.yml b/linking/static/cryptopp/linked-against-crypto.yml
index 3e021972b..9de6aada8 100644
--- a/linking/static/cryptopp/linked-against-crypto.yml
+++ b/linking/static/cryptopp/linked-against-crypto.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/cryptopp
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 examples:
diff --git a/linking/static/libcurl/linked-against-libcurl.yml b/linking/static/libcurl/linked-against-libcurl.yml
index d6dcbaca3..6f1bfc0a8 100644
--- a/linking/static/libcurl/linked-against-libcurl.yml
+++ b/linking/static/libcurl/linked-against-libcurl.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/libcurl
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - A90E5B3454AA71D9700B2EA54615F44B
 features:
diff --git a/linking/static/linked-against-cpp-standard-library.yml b/linking/static/linked-against-cpp-standard-library.yml
index e76823970..cb889b5af 100644
--- a/linking/static/linked-against-cpp-standard-library.yml
+++ b/linking/static/linked-against-cpp-standard-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static
 authors:
 - "@mr-tz"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://en.wikipedia.org/wiki/P._J._Plauger
 - https://www.dinkumware.com/
diff --git a/linking/static/msdetours/linked-against-microsoft-detours.yml b/linking/static/msdetours/linked-against-microsoft-detours.yml
index 7b3fee0dd..41b7ae5fa 100644
--- a/linking/static/msdetours/linked-against-microsoft-detours.yml
+++ b/linking/static/msdetours/linked-against-microsoft-detours.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/msdetours
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Hijack Execution Flow [T1574]
 references:
diff --git a/linking/static/openssl/linked-against-openssl.yml b/linking/static/openssl/linked-against-openssl.yml
index 495191269..4f49aea81 100644
--- a/linking/static/openssl/linked-against-openssl.yml
+++ b/linking/static/openssl/linked-against-openssl.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 examples:
diff --git a/linking/static/polarssl/linked-against-polarsslmbed-tls.yml b/linking/static/polarssl/linked-against-polarsslmbed-tls.yml
index 6d2fa7e1a..59e0fb72d 100644
--- a/linking/static/polarssl/linked-against-polarsslmbed-tls.yml
+++ b/linking/static/polarssl/linked-against-polarsslmbed-tls.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/polarssl
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 examples:
diff --git a/linking/static/sqlite3/linked-against-cppsqlite3.yml b/linking/static/sqlite3/linked-against-cppsqlite3.yml
index 43d3c5f6d..4ecd58605 100644
--- a/linking/static/sqlite3/linked-against-cppsqlite3.yml
+++ b/linking/static/sqlite3/linked-against-cppsqlite3.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/sqlite3
 authors:
 - still@teamt5.org
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 253309d8b3675d3cc61d4bf23aa15d4b
 features:
diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml
index ee20789b4..71512cf73 100644
--- a/linking/static/sqlite3/linked-against-sqlite3.yml
+++ b/linking/static/sqlite3/linked-against-sqlite3.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/sqlite3
 authors:
 - still@teamt5.org
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 253309d8b3675d3cc61d4bf23aa15d4b
 features:
diff --git a/linking/static/wolfcrypt/linked-against-wolfcrypt.yml b/linking/static/wolfcrypt/linked-against-wolfcrypt.yml
index fb8690291..c5b84f04b 100644
--- a/linking/static/wolfcrypt/linked-against-wolfcrypt.yml
+++ b/linking/static/wolfcrypt/linked-against-wolfcrypt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/wolfcrypt
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 references:
diff --git a/linking/static/wolfssl/linked-against-wolfssl.yml b/linking/static/wolfssl/linked-against-wolfssl.yml
index f520af08f..b27f04957 100644
--- a/linking/static/wolfssl/linked-against-wolfssl.yml
+++ b/linking/static/wolfssl/linked-against-wolfssl.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/wolfssl
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 references:
diff --git a/linking/static/zlib/linked-against-zlib.yml b/linking/static/zlib/linked-against-zlib.yml
index 072a489b0..e4a0ce80d 100644
--- a/linking/static/zlib/linked-against-zlib.yml
+++ b/linking/static/zlib/linked-against-zlib.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/zlib
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Data::Compression Library [C0060]
 examples:
diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml
index de821ea11..2dae108ec 100644
--- a/load-code/dotnet/load-windows-common-language-runtime.yml
+++ b/load-code/dotnet/load-windows-common-language-runtime.yml
@@ -7,7 +7,9 @@ rule:
 - michael.hunhoff@mandiant.com
 - blas.kojusner@mandiant.com
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 references:
 - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
 - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
diff --git a/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml b/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml
index 0c157efb9..52640f992 100644
--- a/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml
+++ b/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml
@@ -6,7 +6,9 @@ rule:
 authors:
 - blas.kojusner@mandiant.com
 description: the sample may execute 32-bit VBScript, JavaScript, or JScript (32-bit)
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires operand[0].number, bytes, operand[1].offset features
 references:
 - https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063
 examples:
diff --git a/load-code/pe/access-pe-header.yml b/load-code/pe/access-pe-header.yml
index 25976dad8..926024dfb 100644
--- a/load-code/pe/access-pe-header.yml
+++ b/load-code/pe/access-pe-header.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/pe
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml
index f9cc1eb08..d2d4c2f41 100644
--- a/load-code/pe/enumerate-pe-sections.yml
+++ b/load-code/pe/enumerate-pe-sections.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@Ana06"
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, Not, operand[1].offset, characteristic, mnemonic, basicblock features
 mbc:
 - Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
 references:
diff --git a/load-code/pe/inject-dll-reflectively.yml b/load-code/pe/inject-dll-reflectively.yml
index 210a16d68..04160ab10 100644
--- a/load-code/pe/inject-dll-reflectively.yml
+++ b/load-code/pe/inject-dll-reflectively.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/pe
 authors:
 - "@Ana06"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, offset features
 att&ck:
 - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/load-code/pe/inspect-section-memory-permissions.yml b/load-code/pe/inspect-section-memory-permissions.yml
index 499d334da..1c5383ad5 100644
--- a/load-code/pe/inspect-section-memory-permissions.yml
+++ b/load-code/pe/inspect-section-memory-permissions.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@Ana06"
 description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Discovery::Code Discovery::Inspect Section Memory Permissions [B0046.002]
 examples:
diff --git a/load-code/pe/parse-pe-header.yml b/load-code/pe/parse-pe-header.yml
index 5820c0a3c..20dc691b1 100644
--- a/load-code/pe/parse-pe-header.yml
+++ b/load-code/pe/parse-pe-header.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/pe
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic, operand[1].offset features
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/load-code/pe/rebuild-import-table.yml b/load-code/pe/rebuild-import-table.yml
index 93782a13d..8dd4eae12 100644
--- a/load-code/pe/rebuild-import-table.yml
+++ b/load-code/pe/rebuild-import-table.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/pe
 authors:
 - "@Ana06"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset features
 mbc:
 - Defense Evasion::Hijack Execution Flow::Import Address Table Hooking [F0015.003]
 references:
diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports.yml b/load-code/pe/resolve-function-by-parsing-pe-exports.yml
index f5b15bf76..a32978499 100755
--- a/load-code/pe/resolve-function-by-parsing-pe-exports.yml
+++ b/load-code/pe/resolve-function-by-parsing-pe-exports.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/pe
 authors:
 - sara-rn
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic, offset, mnemonic features
 examples:
 - 73CE04892E5F39EC82B00C02FC04C70F:0x406BA1
 features:
diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml
index 00d86d983..1c35b86d3 100644
--- a/load-code/powershell/run-powershell-expression.yml
+++ b/load-code/powershell/run-powershell-expression.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/powershell/
 authors:
 - anamaria.martinezgom@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Execution::Command and Scripting Interpreter::PowerShell [T1059.001]
 mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
index ffd16299c..023c49583 100644
--- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml
+++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/shellcode
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CopyFile2/CopyFile2.cpp
 examples:
diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
index 063c5249e..70006b7df 100644
--- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
+++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/shellcode
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp
 examples:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
index bd012419e..108db0b31 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
@@ -6,7 +6,9 @@ rule:
 - ervin.ocampo@mandiant.com
 - jakub.jozwiak@mandiant.com
 description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Reflective Code Loading [T1620]
 mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
index 7ff68d7d2..5dbb1f4cb 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/shellcode
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Defense Evasion::Process Injection::Injection via Windows Fibers [E1055.m05]
 references:
diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
index 3bdd878b3..d165499a9 100644
--- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
+++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/shellcode
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 mbc:
 - Memory::Allocate Memory [C0007]
 - Process::Create Thread [C0038]
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index 278087363..a0acd2514 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
@@ -6,7 +6,9 @@ rule:
 authors:
 - still@teamt5.org
 description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode)
- scope: basic block
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
 - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
diff --git a/nursery/access-wmi-data-in-dotnet.yml b/nursery/access-wmi-data-in-dotnet.yml
index 589a18b0f..1ea66ad56 100644
--- a/nursery/access-wmi-data-in-dotnet.yml
+++ b/nursery/access-wmi-data-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/wmi
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Execution::Windows Management Instrumentation [T1047]
 features:
diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml
index 5988a5180..aafd5c234 100644
--- a/nursery/add-file-to-cabinet-file.yml
+++ b/nursery/add-file-to-cabinet-file.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 references:
 - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
 features:
diff --git a/nursery/add-user-account-group.yml b/nursery/add-user-account-group.yml
index 3e2da64ba..cd994eeb0 100644
--- a/nursery/add-user-account-group.yml
+++ b/nursery/add-user-account-group.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/accounts
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/add-user-account-to-group.yml b/nursery/add-user-account-to-group.yml
index 220820755..e3f1bf243 100644
--- a/nursery/add-user-account-to-group.yml
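Review bot: The `malware-family/plugx/match-known-plugx-module.yml` hunk is the one place in this patch where the static scope itself changes, from `scope: basic block` to `static: function`, while every other rule keeps its previous scope verbatim under `static:`. A static-scope widening changes what the rule matches under static analysis (presumably the watermark constants no longer need to share one basic block), which is a rule-logic change rather than the schema migration the commit title describes. If the widening is intended it deserves its own commit or at least a line in the description; if it is a script artefact the line should read `+ static: basic block`. Either way the evaluation difference is not visible from the metadata hunk alone, since the `features:` block is outside it.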
+++ b/nursery/add-user-account-to-group.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/accounts
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/add-user-account.yml b/nursery/add-user-account.yml
index a1941a4ec..75ddd15f1 100644
--- a/nursery/add-user-account.yml
+++ b/nursery/add-user-account.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/accounts
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Persistence::Create Account [T1136]
 features:
diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml
index 2cc527b55..9e338a0b9 100644
--- a/nursery/add-value-to-global-atom-table.yml
+++ b/nursery/add-value-to-global-atom-table.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/process/inject
 authors:
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows
 - https://github.com/BreakingMalwareResearch/atom-bombing
diff --git a/nursery/allocate-unmanaged-memory-in-dotnet.yml b/nursery/allocate-unmanaged-memory-in-dotnet.yml
index fc9042faf..5a0f1c19d 100644
--- a/nursery/allocate-unmanaged-memory-in-dotnet.yml
+++ b/nursery/allocate-unmanaged-memory-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/memory
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.Runtime.InteropServices.Marshal::AllocHGlobal
diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml
index 10d585e0f..07ecd9e58 100755
--- a/nursery/append-data-to-clfs-log-container.yml
+++ b/nursery/append-data-to-clfs-log-container.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/log/clfs/append
authors:
- blaine.stancill@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
references:
- https://docs.microsoft.com/en-us/windows/win32/api/clfsw32/
- https://github.com/libyal/libfsclfs/blob/main/documenation/Common%20Log%20File%20System%20(CLFS).asciidoc
diff --git a/nursery/authenticate-data-with-md5-mac.yml b/nursery/authenticate-data-with-md5-mac.yml
index 78766a9fa..161c70678 100644
--- a/nursery/authenticate-data-with-md5-mac.yml
+++ b/nursery/authenticate-data-with-md5-mac.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/hashing/md5
authors:
- william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
mbc:
- Cryptography::Cryptographic Hash::MD5 [C0029.001]
references:
diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml
index 2a20b4cd0..7616ae77b 100644
--- a/nursery/build-docker-image.yml
+++ b/nursery/build-docker-image.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/container/docker
authors:
- william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Defense Evasion::Build Image on Host [T1612]
references:
diff --git a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
index ffe9bdf62..ec31d517d 100644
--- a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
+++ b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/uac/bypass
authors:
- anamaria.martinezgom@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
references:
diff --git a/nursery/capture-network-configuration-via-ifconfig.yml b/nursery/capture-network-configuration-via-ifconfig.yml
index e6a073cfa..42db889cd 100644
--- a/nursery/capture-network-configuration-via-ifconfig.yml
+++ b/nursery/capture-network-configuration-via-ifconfig.yml
@@ -4,7 +4,9 @@ rule:
namespace: collection/network
authors:
- joakim@intezeer.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Discovery::System Network Configuration Discovery [T1016]
features:
diff --git a/nursery/capture-process-snapshot-data.yml b/nursery/capture-process-snapshot-data.yml
index 526aa1096..17fee289f 100644
--- a/nursery/capture-process-snapshot-data.yml
+++ b/nursery/capture-process-snapshot-data.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/process/dump
authors:
- "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: call
features:
- or:
- api: PssCaptureSnapshot
diff --git a/nursery/capture-screenshot-in-go.yml b/nursery/capture-screenshot-in-go.yml
index 7dca50c9b..84fd7d17d 100644
--- a/nursery/capture-screenshot-in-go.yml
+++ b/nursery/capture-screenshot-in-go.yml
@@ -5,7 +5,9 @@ rule:
authors:
- joakim@intezer.com
description: Detects screenshot capability via WinAPI for Go files.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
att&ck:
- Collection::Screen Capture [T1113]
mbc:
diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml
index e41a3ad3b..5f25248bc 100644
--- a/nursery/capture-webcam-video.yml
+++ b/nursery/capture-webcam-video.yml
@@ -5,7 +5,9 @@ rule:
authors:
- "@johnk3r"
description: Rule that detects a system's webcam being used to capture video
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
att&ck:
- Collection::Video Capture [T1125]
features:
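Review bot: The capture-webcam-video hunk ships `dynamic: unspecified # TODO upgrade manually, contains subscope`, a placeholder value whose runtime meaning the hunk does not make clear; the same line lands in check-for-process-debug-object and check-for-sandbox-via-mac-address-ouis-in-dotnet on the next line of this chunk. If the loader treats `unspecified` the way it treats `unsupported` (no dynamic evaluation), the rule silently stops matching dynamically until someone does the manual conversion, and nothing distinguishes "not yet migrated" from "cannot be migrated" except the free-text comment. A reference a later pass can search for would close that gap, e.g. `dynamic: unspecified # TODO(<tracking-issue>): convert nested subscope by hand`, or the conversion could be done in this series before the placeholder is merged. The nested subscope itself is outside the hunk, so the correct dynamic scope cannot be read from here.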
diff --git a/nursery/change-user-account-password.yml b/nursery/change-user-account-password.yml
index 1de2ea6bc..613c92d74 100644
--- a/nursery/change-user-account-password.yml
+++ b/nursery/change-user-account-password.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/accounts
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Persistence::Account Manipulation [T1098]
features:
diff --git a/nursery/check-clipboard-data.yml b/nursery/check-clipboard-data.yml
index b3c00610c..5759df255 100644
--- a/nursery/check-clipboard-data.yml
+++ b/nursery/check-clipboard-data.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/clipboard
authors:
- anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Collection::Clipboard Data [T1115]
features:
diff --git a/nursery/check-file-extension-in-dotnet.yml b/nursery/check-file-extension-in-dotnet.yml
index 0b9b48113..7941725d8 100644
--- a/nursery/check-file-extension-in-dotnet.yml
+++ b/nursery/check-file-extension-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/file-system
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
features:
- or:
- api: System.IO.Path::GetExtension
diff --git a/nursery/check-for-minimum-number-of-windows-on-screen.yml b/nursery/check-for-minimum-number-of-windows-on-screen.yml
index cc986f1b8..25d5a8790 100644
--- a/nursery/check-for-minimum-number-of-windows-on-screen.yml
+++ b/nursery/check-for-minimum-number-of-windows-on-screen.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-vm/vm-detection
authors:
- echernofsky@google.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires mnemonic features
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
references:
diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml
index 17d51481d..2b1c941a7 100644
--- a/nursery/check-for-process-debug-object.yml
+++ b/nursery/check-for-process-debug-object.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-debugging/debugger-detection
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
mbc:
- Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
references:
diff --git a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml
index 20a593822..e18528f9d 100644
--- a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml
+++ b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml
@@ -5,7 +5,9 @@ rule:
authors:
- jonathanlepore@google.com
description: detects sandbox detection via mac address organizationally unique identifiers (OUIs). Based off publicly available CSharpShooter/CheckPlease.cs
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
diff --git a/nursery/check-for-vm-using-instruction-vpcext.yml b/nursery/check-for-vm-using-instruction-vpcext.yml
index 619dd4540..a51332e97 100644
--- a/nursery/check-for-vm-using-instruction-vpcext.yml
+++ b/nursery/check-for-vm-using-instruction-vpcext.yml
@@ -6,7 +6,9 @@ rule:
authors:
- richard.weiss@mandiant.com
description: Detects virtualization using VPCEXT (visual property container extender) instruction. Execution of this instruction will cause an illegal instruction exception outside of a virtual environment otherwise return 0
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion [T1497]
mbc:
diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml
index 0e6fe3ac5..ea7c20da1 100644
--- a/nursery/check-for-windows-sandbox-via-mutex.yml
+++ b/nursery/check-for-windows-sandbox-via-mutex.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-vm/vm-detection
authors:
- "@_re_fox"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml
index d073f4454..6fd4a564b 100644
--- a/nursery/check-for-windows-sandbox-via-subdirectory.yml
+++ b/nursery/check-for-windows-sandbox-via-subdirectory.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-vm/vm-detection
authors:
- "echernofsky@google.com"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
diff --git a/nursery/check-if-directory-exists.yml b/nursery/check-if-directory-exists.yml
index 8cc5b3ac3..411e277f7 100644
--- a/nursery/check-if-directory-exists.yml
+++ b/nursery/check-if-directory-exists.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/file-system/exists
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Discovery::File and Directory Discovery [T1083]
features:
diff --git a/nursery/check-license-value.yml b/nursery/check-license-value.yml
index e6d979eef..bcf84c1e1 100644
--- a/nursery/check-license-value.yml
+++ b/nursery/check-license-value.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-vm/vm-detection
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
references:
diff --git a/nursery/check-processdebugflags.yml b/nursery/check-processdebugflags.yml
index e9989d6d0..da33fa7d2 100644
--- a/nursery/check-processdebugflags.yml
+++ b/nursery/check-processdebugflags.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-debugging/debugger-detection
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
mbc:
- Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
references:
diff --git a/nursery/check-systemkerneldebuggerinformation.yml b/nursery/check-systemkerneldebuggerinformation.yml
index 5d5c7282e..6efbce87c 100644
--- a/nursery/check-systemkerneldebuggerinformation.yml
+++ b/nursery/check-systemkerneldebuggerinformation.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-debugging/debugger-detection
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
mbc:
- Anti-Behavioral Analysis::Debugger Detection [B0001]
references:
diff --git a/nursery/check-thread-yield-allowed.yml b/nursery/check-thread-yield-allowed.yml
index c13f61a8a..2528c6ac7 100644
--- a/nursery/check-thread-yield-allowed.yml
+++ b/nursery/check-thread-yield-allowed.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-debugging/debugger-detection
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
mbc:
- Anti-Behavioral Analysis::Debugger Detection::NtYieldExecution/SwitchToThread [B0001.015]
references:
diff --git a/nursery/clear-clipboard-data.yml b/nursery/clear-clipboard-data.yml
index dba3bbbc9..2cf49a024 100644
--- a/nursery/clear-clipboard-data.yml
+++ b/nursery/clear-clipboard-data.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/clipboard
authors:
- anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Collection::Clipboard Data [T1115]
features:
diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml
index 0001f9295..f388e18fb 100644
--- a/nursery/collect-ssh-keys.yml
+++ b/nursery/collect-ssh-keys.yml
@@ -4,7 +4,9 @@ rule:
namespace: collection
authors:
- joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Credential Access::Unsecured Credentials::Private Keys [T1552.004]
features:
diff --git a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
index 1c0b9f1a2..76f9cbd9a 100644
--- a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
+++ b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
@@ -5,7 +5,9 @@ rule:
authors:
- michael.hunhoff@mandiant.com
description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
features:
- and:
- os: linux
diff --git a/nursery/compare-security-identifiers.yml b/nursery/compare-security-identifiers.yml
index 4da0abd3d..31e8aec81 100644
--- a/nursery/compare-security-identifiers.yml
+++ b/nursery/compare-security-identifiers.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/sid
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
features:
- or:
- api: advapi32.EqualSid
diff --git a/nursery/compile-csharp-in-dotnet.yml b/nursery/compile-csharp-in-dotnet.yml
index e910bc3a4..e9b1ae933 100644
--- a/nursery/compile-csharp-in-dotnet.yml
+++ b/nursery/compile-csharp-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: load-code/dotnet/csharp
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
features:
diff --git a/nursery/compile-dotnet-assembly.yml b/nursery/compile-dotnet-assembly.yml
index c26b5cd94..20ad425cd 100644
--- a/nursery/compile-dotnet-assembly.yml
+++ b/nursery/compile-dotnet-assembly.yml
@@ -4,7 +4,9 @@ rule:
namespace: load-code/dotnet
authors:
- anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
features:
diff --git a/nursery/compile-visual-basic-in-dotnet.yml b/nursery/compile-visual-basic-in-dotnet.yml
index 4958676d7..d14c489a9 100644
--- a/nursery/compile-visual-basic-in-dotnet.yml
+++ b/nursery/compile-visual-basic-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: load-code/dotnet/vb
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
features:
diff --git a/nursery/compiled-from-epl.yml b/nursery/compiled-from-epl.yml
index e9a8f3b9f..b3db95f3a 100644
--- a/nursery/compiled-from-epl.yml
+++ b/nursery/compiled-from-epl.yml
@@ -4,7 +4,9 @@ rule:
namespace: compiler/epl
authors:
- william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
references:
- https://www.hexacorn.com/blog/2019/02/13/pe-files-and-the-easy-programming-language-epl/
features:
diff --git a/nursery/compiled-with-exescript.yml b/nursery/compiled-with-exescript.yml
index 4a50df497..4acb9ddb3 100644
--- a/nursery/compiled-with-exescript.yml
+++ b/nursery/compiled-with-exescript.yml
@@ -4,7 +4,9 @@ rule:
namespace: compiler/exescript
authors:
- jonathanlepore@google.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
references:
- https://www.hide-folder.com/overview/hf_7.html
features:
diff --git a/nursery/compress-data-using-gzip-in-dotnet.yml b/nursery/compress-data-using-gzip-in-dotnet.yml
index ad9b473a6..af27bb18b 100644
--- a/nursery/compress-data-using-gzip-in-dotnet.yml
+++ b/nursery/compress-data-using-gzip-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/compression
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Collection::Archive Collected Data::Archive via Library [T1560.002]
mbc:
diff --git a/nursery/connect-network-resource.yml b/nursery/connect-network-resource.yml
index d8bf343c9..2394a08a0 100644
--- a/nursery/connect-network-resource.yml
+++ b/nursery/connect-network-resource.yml
@@ -5,7 +5,9 @@ rule:
authors:
- michael.hunhoff@mandiant.com
description: connect to disk or print resource
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
features:
- and:
- or:
diff --git a/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml b/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml
index 76bec757f..ede0fc8dd 100644
--- a/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml
+++ b/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml
@@ -5,7 +5,9 @@ rule:
authors:
- michael.hunhoff@mandiant.com
description: .NET file contains uncommon TLS section
- scope: file
+ scopes:
+ static: file
+ dynamic: file
references:
- https://washi.dev/blog/posts/entry-points/
features:
diff --git a/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
index 03ff61292..20e41ef84 100644
--- a/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
+++ b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encoding/xor
authors:
- dan.kelly@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires characteristic features
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
diff --git a/nursery/create-container.yml b/nursery/create-container.yml
index 52a025f18..8198ff92f 100644
--- a/nursery/create-container.yml
+++ b/nursery/create-container.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/container/docker
authors:
- william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Execution::Deploy Container [T1610]
references:
diff --git a/nursery/create-process-via-wmi-in-dotnet.yml b/nursery/create-process-via-wmi-in-dotnet.yml
index d03178ec1..92d4d7764 100644
--- a/nursery/create-process-via-wmi-in-dotnet.yml
+++ b/nursery/create-process-via-wmi-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/wmi
authors:
- anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Execution::Windows Management Instrumentation [T1047]
features:
diff --git a/nursery/create-registry-key-via-stdregprov.yml b/nursery/create-registry-key-via-stdregprov.yml
index c5b7558dd..41d27b5b5 100644
--- a/nursery/create-registry-key-via-stdregprov.yml
+++ b/nursery/create-registry-key-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/registry
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
features:
diff --git a/nursery/create-restart-manager-session.yml b/nursery/create-restart-manager-session.yml
index 434c2e278..3204b7772 100644
--- a/nursery/create-restart-manager-session.yml
+++ b/nursery/create-restart-manager-session.yml
@@ -5,7 +5,9 @@ rule:
authors:
- michael.hunhoff@mandiant.com
description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware
- scope: function
+ scopes:
+ static: function
+ dynamic: call
references:
- https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
features:
diff --git a/nursery/create-zip-archive-in-dotnet.yml b/nursery/create-zip-archive-in-dotnet.yml
index 3025a14b7..e2ab4ca80 100644
--- a/nursery/create-zip-archive-in-dotnet.yml
+++ b/nursery/create-zip-archive-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/compression
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
features:
- and:
- optional:
diff --git a/nursery/debug-build.yml b/nursery/debug-build.yml
index 020d6f822..e3cd54cf1 100644
--- a/nursery/debug-build.yml
+++ b/nursery/debug-build.yml
@@ -4,7 +4,9 @@ rule:
namespace: executable/pe/debug
authors:
- william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
features:
- or:
- string: "Assertion failed!"
diff --git a/nursery/decode-data-using-base64-in-dotnet.yml b/nursery/decode-data-using-base64-in-dotnet.yml
index 4037304fd..cafc25c2e 100644
--- a/nursery/decode-data-using-base64-in-dotnet.yml
+++ b/nursery/decode-data-using-base64-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encoding/base64
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
mbc:
diff --git a/nursery/decode-data-using-url-encoding.yml b/nursery/decode-data-using-url-encoding.yml
index 87d9e45e8..4d9ad47aa 100644
--- a/nursery/decode-data-using-url-encoding.yml
+++ b/nursery/decode-data-using-url-encoding.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encoding/url
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
diff --git a/nursery/decrypt-data-using-rsa.yml b/nursery/decrypt-data-using-rsa.yml
index 63e3fde98..9c89b2556 100644
--- a/nursery/decrypt-data-using-rsa.yml
+++ b/nursery/decrypt-data-using-rsa.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encryption/rsa
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
mbc:
diff --git a/nursery/decrypt-data-via-sspi.yml b/nursery/decrypt-data-via-sspi.yml
index 4d3435050..acf79c52a 100644
--- a/nursery/decrypt-data-via-sspi.yml
+++ b/nursery/decrypt-data-via-sspi.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encryption
authors:
- matthew.williams@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
references:
diff --git a/nursery/delete-internet-cache.yml b/nursery/delete-internet-cache.yml
index e7e96112d..47ac9b54d 100644
--- a/nursery/delete-internet-cache.yml
+++ b/nursery/delete-internet-cache.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/internet/cache
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
features:
- and:
- match: enumerate internet cache
diff --git a/nursery/delete-registry-key-via-offline-registry-library.yml b/nursery/delete-registry-key-via-offline-registry-library.yml
index ce67f0ff7..eb5cd8208 100644
--- a/nursery/delete-registry-key-via-offline-registry-library.yml
+++ b/nursery/delete-registry-key-via-offline-registry-library.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/registry
authors:
- johnk3r
- scope: function
+ scopes:
+ static: function
+ dynamic: call
att&ck:
- Defense Evasion::Modify Registry [T1112]
mbc:
diff --git a/nursery/delete-registry-key-via-stdregprov.yml b/nursery/delete-registry-key-via-stdregprov.yml
index 93f218fe3..2db744a1d 100644
--- a/nursery/delete-registry-key-via-stdregprov.yml
+++ b/nursery/delete-registry-key-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/registry
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
features:
diff --git a/nursery/delete-registry-value-via-stdregprov.yml b/nursery/delete-registry-value-via-stdregprov.yml
index 946da742c..3ac76ac57 100644
--- a/nursery/delete-registry-value-via-stdregprov.yml
+++ b/nursery/delete-registry-value-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/registry
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
features:
diff --git a/nursery/delete-user-account-from-group.yml b/nursery/delete-user-account-from-group.yml
index 6b5038712..fbe55d0b3 100644
--- a/nursery/delete-user-account-from-group.yml
+++ b/nursery/delete-user-account-from-group.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/accounts
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Persistence::Account Manipulation [T1098]
features:
diff --git a/nursery/delete-user-account-group.yml b/nursery/delete-user-account-group.yml
index 4cec4502f..29a88fe3f 100644
--- a/nursery/delete-user-account-group.yml
+++ b/nursery/delete-user-account-group.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/accounts
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Persistence::Account Manipulation [T1098]
features:
diff --git a/nursery/delete-user-account.yml b/nursery/delete-user-account.yml
index 0c9242819..7c7756a86 100644
--- a/nursery/delete-user-account.yml
+++ b/nursery/delete-user-account.yml
@@ -5,7 +5,9 @@ rule:
namespace: host-interaction/accounts
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Impact::Account Access Removal [T1531]
features:
diff --git a/nursery/delete-windows-backup-catalog.yml b/nursery/delete-windows-backup-catalog.yml
index 964984739..a2b5955ed 100644
--- a/nursery/delete-windows-backup-catalog.yml
+++ b/nursery/delete-windows-backup-catalog.yml
@@ -4,7 +4,9 @@ rule:
namespace: impact/inhibit-system-recovery
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
att&ck:
- Impact::Inhibit System Recovery [T1490]
features:
diff --git a/nursery/deserialize-json-in-dotnet.yml b/nursery/deserialize-json-in-dotnet.yml
index e9f458988..b93e225ef 100644
--- a/nursery/deserialize-json-in-dotnet.yml
+++ b/nursery/deserialize-json-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/json
authors:
- michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
features:
- or:
- api: System.Web.Script.Serialization.JavaScriptSerializer::Deserialize
diff --git a/nursery/destroy-software-breakpoint-capability.yml b/nursery/destroy-software-breakpoint-capability.yml
index 3a6499bc5..dca3106c9 100644
--- a/nursery/destroy-software-breakpoint-capability.yml
+++ b/nursery/destroy-software-breakpoint-capability.yml
@@ -4,7 +4,9 @@ rule:
namespace: anti-analysis/anti-debugging
authors:
- echernofsky@google.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
references:
- https://www.microsoft.com/en-us/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
- https://anti-debug.checkpoint.com/techniques/assembly.html
diff --git a/nursery/disable-automatic-windows-recovery-features.yml b/nursery/disable-automatic-windows-recovery-features.yml
index d58513ddd..7b09ae60a 100644
--- a/nursery/disable-automatic-windows-recovery-features.yml
+++ b/nursery/disable-automatic-windows-recovery-features.yml
@@ -4,7 +4,9 @@ rule:
namespace: impact/inhibit-system-recovery
authors:
- michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
att&ck:
- Impact::Inhibit System Recovery [T1490]
features:
diff --git a/nursery/display-service-notification-message-box.yml b/nursery/display-service-notification-message-box.yml
index ae3ca40a4..7bf65439a 100644
--- a/nursery/display-service-notification-message-box.yml
+++ b/nursery/display-service-notification-message-box.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/gui
authors:
- anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
features:
- and:
- number: 0x200000 = service notification
diff --git a/nursery/empty-the-recycle-bin.yml b/nursery/empty-the-recycle-bin.yml
index 051486aa4..70712af01 100644
--- a/nursery/empty-the-recycle-bin.yml
+++ b/nursery/empty-the-recycle-bin.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/recycle-bin
authors:
- moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
features:
- or:
- api: SHEmptyRecycleBin
diff --git a/nursery/enable-safe-mode-boot.yml b/nursery/enable-safe-mode-boot.yml
index 7fea17952..1807ee023 100644
--- a/nursery/enable-safe-mode-boot.yml
+++ b/nursery/enable-safe-mode-boot.yml
@@ -4,7 +4,9 @@ rule:
namespace: host-interaction/bootloader
authors:
- william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
att&ck:
- Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
features:
diff --git a/nursery/encrypt-data-using-aes-via-x86-extensions.yml b/nursery/encrypt-data-using-aes-via-x86-extensions.yml
index 778dfabb6..f00a55ced 100644
--- a/nursery/encrypt-data-using-aes-via-x86-extensions.yml
+++ b/nursery/encrypt-data-using-aes-via-x86-extensions.yml
@@ -4,7 +4,9 @@ rule:
namespace: data-manipulation/encryption/aes
authors:
- moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
mbc:
diff --git a/nursery/encrypt-data-using-aes.yml b/nursery/encrypt-data-using-aes.yml
index db463beea..9a595b073 100644
--- a/nursery/encrypt-data-using-aes.yml
+++ b/nursery/encrypt-data-using-aes.yml
@@ -6,7 +6,9 @@ rule: authors: - william.ballenthin@mandiant.com - Ivan Kwiatkowski (@JusticeRage) - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-fakem-cipher.yml b/nursery/encrypt-data-using-fakem-cipher.yml index af5189ef6..b859a8647 100644 --- a/nursery/encrypt-data-using-fakem-cipher.yml +++ b/nursery/encrypt-data-using-fakem-cipher.yml @@ -6,7 +6,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Detect custom encryption cipher used by FAKEM malware family - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires characteristic, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-openssl-dsa.yml b/nursery/encrypt-data-using-openssl-dsa.yml index cbb259b83..56f9a2532 100644 --- a/nursery/encrypt-data-using-openssl-dsa.yml +++ b/nursery/encrypt-data-using-openssl-dsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/dsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features references: - https://github.com/openssl/openssl/blob/fdc5043d58900663b493147298e64f11353b35fe/crypto/objects/obj_dat.h features: diff --git a/nursery/encrypt-data-using-openssl-ecdsa.yml b/nursery/encrypt-data-using-openssl-ecdsa.yml index 141c9a5f6..4c944b752 100644 --- a/nursery/encrypt-data-using-openssl-ecdsa.yml +++ b/nursery/encrypt-data-using-openssl-ecdsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/ecdsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features references: - https://github.com/openssl/openssl/blob/fdc5043d58900663b493147298e64f11353b35fe/crypto/objects/obj_dat.h features: 
diff --git a/nursery/encrypt-data-using-openssl-rsa.yml b/nursery/encrypt-data-using-openssl-rsa.yml index 9821861a8..07f8d742a 100644 --- a/nursery/encrypt-data-using-openssl-rsa.yml +++ b/nursery/encrypt-data-using-openssl-rsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unsupported # requires bytes features mbc: - Cryptography::Encrypt Data::RSA [C0027.011] references: diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml index ffa79dd05..5339b2fa1 100644 --- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml +++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - richard.weiss@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-rsa.yml b/nursery/encrypt-data-using-rsa.yml index 39d06b378..a54e898ad 100644 --- a/nursery/encrypt-data-using-rsa.yml +++ b/nursery/encrypt-data-using-rsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-salsa20-or-chacha.yml b/nursery/encrypt-data-using-salsa20-or-chacha.yml index 44df19d40..09322591f 100644 --- a/nursery/encrypt-data-using-salsa20-or-chacha.yml +++ b/nursery/encrypt-data-using-salsa20-or-chacha.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/salsa20 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: 
diff --git a/nursery/encrypt-data-via-sspi.yml b/nursery/encrypt-data-via-sspi.yml index c9dd53d99..74f979956 100644 --- a/nursery/encrypt-data-via-sspi.yml +++ b/nursery/encrypt-data-via-sspi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml index 635cb53f5..02fb47b41 100644 --- a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml +++ b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/enumerate-browser-history.yml b/nursery/enumerate-browser-history.yml index f9044e901..4118baeb6 100644 --- a/nursery/enumerate-browser-history.yml +++ b/nursery/enumerate-browser-history.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/browser/history/list authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires offset, bytes features features: - and: - api: ole32.CoCreateInstance diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml index 481f5dd43..c73df788d 100644 --- a/nursery/enumerate-device-drivers-on-linux.yml +++ b/nursery/enumerate-device-drivers-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Device Driver Discovery [T1652] features: 
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml index ad159db18..2c74149d0 100644 --- a/nursery/enumerate-device-drivers-on-windows.yml +++ b/nursery/enumerate-device-drivers-on-windows.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::Device Driver Discovery [T1652] references: diff --git a/nursery/enumerate-disk-volumes.yml b/nursery/enumerate-disk-volumes.yml index cca3030a9..c8c8c085f 100644 --- a/nursery/enumerate-disk-volumes.yml +++ b/nursery/enumerate-disk-volumes.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/enumerate-drives.yml b/nursery/enumerate-drives.yml index 451f443f9..f10e7b637 100644 --- a/nursery/enumerate-drives.yml +++ b/nursery/enumerate-drives.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.IO.DriveInfo::GetDrives diff --git a/nursery/enumerate-internet-cache.yml b/nursery/enumerate-internet-cache.yml index c9d22bb2a..759366dd2 100644 --- a/nursery/enumerate-internet-cache.yml +++ b/nursery/enumerate-internet-cache.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/internet/cache authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: wininet.FindFirstUrlCacheEntry diff --git a/nursery/enumerate-network-shares.yml b/nursery/enumerate-network-shares.yml index bb06b367f..25f5e92bb 100644 --- a/nursery/enumerate-network-shares.yml +++ b/nursery/enumerate-network-shares.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/network authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Network Share Discovery [T1135] features: diff --git a/nursery/enumerate-pe-sections-in-dotnet.yml b/nursery/enumerate-pe-sections-in-dotnet.yml index bd5becadf..a03750bd1 100644 --- a/nursery/enumerate-pe-sections-in-dotnet.yml +++ b/nursery/enumerate-pe-sections-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unsupported # requires property features mbc: - Discovery::Code Discovery::Enumerate PE Sections [B0046.001] features: diff --git a/nursery/enumerate-processes-that-use-resource.yml b/nursery/enumerate-processes-that-use-resource.yml index 41a3d5cf7..4b9f30335 100644 --- a/nursery/enumerate-processes-that-use-resource.yml +++ b/nursery/enumerate-processes-that-use-resource.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - "@Ana06" - scope: function + scopes: + static: function + dynamic: thread references: - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners # examples: diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml index fe7380459..91f9e8ba6 100644 --- a/nursery/enumerate-processes-via-procfs.yml +++ b/nursery/enumerate-processes-via-procfs.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/nursery/enumerate-system-firmware-tables.yml b/nursery/enumerate-system-firmware-tables.yml index 414592e94..9d6b41bed 100644 --- a/nursery/enumerate-system-firmware-tables.yml 
+++ b/nursery/enumerate-system-firmware-tables.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/firmware authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L843 features: diff --git a/nursery/execute-dotnet-assembly.yml b/nursery/execute-dotnet-assembly.yml index 9c10ded24..44b6e3d5d 100644 --- a/nursery/execute-dotnet-assembly.yml +++ b/nursery/execute-dotnet-assembly.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Defense Evasion::Reflective Code Loading [T1620] features: diff --git a/nursery/execute-shell-command-via-windows-remote-management.yml b/nursery/execute-shell-command-via-windows-remote-management.yml index 8f69608a1..b5281be3f 100644 --- a/nursery/execute-shell-command-via-windows-remote-management.yml +++ b/nursery/execute-shell-command-via-windows-remote-management.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/process/create authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/execute-shellcode-via-indirect-call.yml b/nursery/execute-shellcode-via-indirect-call.yml index b2a39fe2c..818dd7cdf 100644 --- a/nursery/execute-shellcode-via-indirect-call.yml +++ b/nursery/execute-shellcode-via-indirect-call.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - ronnie.salomonsen@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic features mbc: - Memory::Allocate Memory [C0007] features: diff --git a/nursery/execute-sqlite-statement-in-dotnet.yml b/nursery/execute-sqlite-statement-in-dotnet.yml index 02263b3c3..72533ea8c 100644 --- a/nursery/execute-sqlite-statement-in-dotnet.yml 
+++ b/nursery/execute-sqlite-statement-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/database/sql authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/execute-syscall-instruction.yml b/nursery/execute-syscall-instruction.yml index cba27d2c1..fa284e5da 100644 --- a/nursery/execute-syscall-instruction.yml +++ b/nursery/execute-syscall-instruction.yml @@ -6,7 +6,9 @@ rule: - "@kulinacs" - "@mr-tz" description: may be used to evade hooks or hinder analysis - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires mnemonic features references: - https://github.com/j00ru/windows-syscalls features: diff --git a/nursery/execute-via-asynchronous-task-in-dotnet.yml b/nursery/execute-via-asynchronous-task-in-dotnet.yml index 729b451d7..3a7a1cef0 100644 --- a/nursery/execute-via-asynchronous-task-in-dotnet.yml +++ b/nursery/execute-via-asynchronous-task-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/task authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.Threading.Tasks.Task::ctor diff --git a/nursery/execute-via-timer-in-dotnet.yml b/nursery/execute-via-timer-in-dotnet.yml index 494d98ccc..c0c60b665 100644 --- a/nursery/execute-via-timer-in-dotnet.yml +++ b/nursery/execute-via-timer-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/timer authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.Threading.Timer::ctor diff --git a/nursery/extract-zip-archive-in-dotnet.yml b/nursery/extract-zip-archive-in-dotnet.yml index ccdefd420..383bc4903 100644 --- a/nursery/extract-zip-archive-in-dotnet.yml +++ b/nursery/extract-zip-archive-in-dotnet.yml 
@@ -5,7 +5,9 @@ rule: authors: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] features: diff --git a/nursery/find-data-using-regex-in-dotnet.yml b/nursery/find-data-using-regex-in-dotnet.yml index 7345f1665..8fd2619bf 100644 --- a/nursery/find-data-using-regex-in-dotnet.yml +++ b/nursery/find-data-using-regex-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/regex authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.Text.RegularExpressions.Regex::Matches diff --git a/nursery/find-process-by-name.yml b/nursery/find-process-by-name.yml index a6f6ddee2..b92ea1161 100644 --- a/nursery/find-process-by-name.yml +++ b/nursery/find-process-by-name.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::Process Discovery [T1057] features: diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml index b75ec4f63..26182c061 100644 --- a/nursery/flush-cabinet-file.yml +++ b/nursery/flush-cabinet-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call references: - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files features: diff --git a/nursery/generate-method-via-reflection-in-dotnet.yml b/nursery/generate-method-via-reflection-in-dotnet.yml index 7eb4e8932..47bfd90a3 100644 --- a/nursery/generate-method-via-reflection-in-dotnet.yml +++ b/nursery/generate-method-via-reflection-in-dotnet.yml 
@@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: https://github.com/bohops/DynamicDotNet/blob/main/assembly_loader/DynamicAssemblyLoader.cs - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.Reflection.Emit.DynamicMethod::ctor diff --git a/nursery/generate-random-bytes-in-dotnet.yml b/nursery/generate-random-bytes-in-dotnet.yml index 02788ba16..49ef04925 100644 --- a/nursery/generate-random-bytes-in-dotnet.yml +++ b/nursery/generate-random-bytes-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] features: diff --git a/nursery/generate-random-filename-in-dotnet.yml b/nursery/generate-random-filename-in-dotnet.yml index 6d81c8379..8bf08afd1 100644 --- a/nursery/generate-random-filename-in-dotnet.yml +++ b/nursery/generate-random-filename-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call features: - or: - api: System.IO.Path::GetRandomFileName diff --git a/nursery/generate-random-numbers-in-dotnet.yml b/nursery/generate-random-numbers-in-dotnet.yml index 732ccf707..564d85b4d 100644 --- a/nursery/generate-random-numbers-in-dotnet.yml +++ b/nursery/generate-random-numbers-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] features: diff --git a/nursery/generate-random-numbers-using-the-delphi-lcg.yml b/nursery/generate-random-numbers-using-the-delphi-lcg.yml index 75ae1fd6e..0822f01a4 100644 --- a/nursery/generate-random-numbers-using-the-delphi-lcg.yml 
+++ b/nursery/generate-random-numbers-using-the-delphi-lcg.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng/lcg authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires mnemonic features mbc: - Cryptography::Generate Pseudo-random Sequence [C0021] references: diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml index b90b27c7e..e51616f24 100644 --- a/nursery/get-client-handle-via-schannel.yml +++ b/nursery/get-client-handle-via-schannel.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-current-pid-on-linux.yml b/nursery/get-current-pid-on-linux.yml index 7694d69cf..407dba18a 100644 --- a/nursery/get-current-pid-on-linux.yml +++ b/nursery/get-current-pid-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead features: - and: - os: linux diff --git a/nursery/get-file-system-information-on-linux.yml b/nursery/get-file-system-information-on-linux.yml index 1893ef422..0e8c1d518 100644 --- a/nursery/get-file-system-information-on-linux.yml +++ b/nursery/get-file-system-information-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead features: - and: - os: linux diff --git a/nursery/get-http-request-uri.yml b/nursery/get-http-request-uri.yml index 1be9fc1f9..2cc5d889d 100644 --- a/nursery/get-http-request-uri.yml +++ b/nursery/get-http-request-uri.yml 
@@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication [C0002] features: diff --git a/nursery/get-inbound-credentials-handle-via-credssp.yml b/nursery/get-inbound-credentials-handle-via-credssp.yml index c948dc8d6..7f32cc04a 100644 --- a/nursery/get-inbound-credentials-handle-via-credssp.yml +++ b/nursery/get-inbound-credentials-handle-via-credssp.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml index 93d9b023d..daebee538 100644 --- a/nursery/get-mac-address-on-linux.yml +++ b/nursery/get-mac-address-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-networking-parameters.yml b/nursery/get-networking-parameters.yml index ff45d1720..6dbb13cbf 100644 --- a/nursery/get-networking-parameters.yml +++ b/nursery/get-networking-parameters.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-ntoskrnl-base-address.yml b/nursery/get-ntoskrnl-base-address.yml index 0f2686ab3..157d9bc96 100644 --- a/nursery/get-ntoskrnl-base-address.yml +++ b/nursery/get-ntoskrnl-base-address.yml 
@@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unsupported # requires offset features att&ck: - Execution::Shared Modules [T1129] references: diff --git a/nursery/get-os-information-via-kuser_shared_data.yml b/nursery/get-os-information-via-kuser_shared_data.yml index c2a690e29..ed0d6f8f3 100644 --- a/nursery/get-os-information-via-kuser_shared_data.yml +++ b/nursery/get-os-information-via-kuser_shared_data.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/os/version authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/nursery/get-os-version-in-dotnet.yml b/nursery/get-os-version-in-dotnet.yml index fc9f4cf8f..eb7b2d021 100644 --- a/nursery/get-os-version-in-dotnet.yml +++ b/nursery/get-os-version-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unsupported # requires property features att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml index e776243fd..ec53699e2 100644 --- a/nursery/get-password-database-entry-on-linux.yml +++ b/nursery/get-password-database-entry-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead features: - and: - os: linux diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml index 97a33a93c..9b7d2f52e 100644 --- a/nursery/get-process-image-filename.yml +++ b/nursery/get-process-image-filename.yml 
@@ -5,7 +5,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: thread # TODO check if scope call instead features: - or: - and: diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml index a4bb4dfcf..cf9d556a8 100644 --- a/nursery/get-proxy.yml +++ b/nursery/get-proxy.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/proxy authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-remote-cert-context-via-schannel.yml b/nursery/get-remote-cert-context-via-schannel.yml index a45e4fdfa..28cd7243c 100644 --- a/nursery/get-remote-cert-context-via-schannel.yml +++ b/nursery/get-remote-cert-context-via-schannel.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-routing-table.yml b/nursery/get-routing-table.yml index d6302cb79..16314c057 100644 --- a/nursery/get-routing-table.yml +++ b/nursery/get-routing-table.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/routing-table authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-session-information.yml b/nursery/get-session-information.yml index 714bebe70..23d33682c 100644 --- a/nursery/get-session-information.yml +++ b/nursery/get-session-information.yml 
@@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] features: diff --git a/nursery/get-socket-information.yml b/nursery/get-socket-information.yml index 7e9ad1e13..68ce590c7 100644 --- a/nursery/get-socket-information.yml +++ b/nursery/get-socket-information.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml index e95eb85e4..dac25951c 100644 --- a/nursery/get-storage-device-properties.yml +++ b/nursery/get-storage-device-properties.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread # TODO check if scope call instead references: - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property features: diff --git a/nursery/get-system-firmware-table.yml b/nursery/get-system-firmware-table.yml index 315843909..717a987f3 100644 --- a/nursery/get-system-firmware-table.yml +++ b/nursery/get-system-firmware-table.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/firmware authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: call references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854 features: diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml index dcdf9369e..3d8294694 100644 --- a/nursery/get-system-information-on-linux.yml +++ b/nursery/get-system-information-on-linux.yml 
@@ -5,7 +5,9 @@ rule:
     authors:
       - joakim@intezer.com
       - michael.hunhoff@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Discovery::System Information Discovery [T1082]
   features:
diff --git a/nursery/get-system-web-proxy.yml b/nursery/get-system-web-proxy.yml
index dae322577..ed6329f97 100644
--- a/nursery/get-system-web-proxy.yml
+++ b/nursery/get-system-web-proxy.yml
@@ -4,7 +4,9 @@ rule:
     namespace: communication/http
     authors:
       - michael.hunhoff@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: call
     att&ck:
       - Discovery::System Network Configuration Discovery [T1016]
     references:
diff --git a/nursery/get-thread-local-storage-value.yml b/nursery/get-thread-local-storage-value.yml
index 20ea67fd7..d2c824d49 100644
--- a/nursery/get-thread-local-storage-value.yml
+++ b/nursery/get-thread-local-storage-value.yml
@@ -4,7 +4,9 @@ rule:
     namespace: host-interaction/process
     authors:
       - michael.hunhoff@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: call
   features:
     - and:
       - api: kernel32.TlsGetValue
diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml
index d1c6c7ead..6029ebd44 100644
--- a/nursery/get-token-privileges.yml
+++ b/nursery/get-token-privileges.yml
@@ -5,7 +5,9 @@ rule:
     namespace: host-interaction/session
     authors:
       - michael.hunhoff@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified # TODO upgrade manually, contains subscope
   features:
     - and:
       - basic block:
diff --git a/nursery/hash-data-using-aphash.yml b/nursery/hash-data-using-aphash.yml
index 513577ed2..40cca7dc4 100644
--- a/nursery/hash-data-using-aphash.yml
+++ b/nursery/hash-data-using-aphash.yml
@@ -4,7 +4,9 @@ rule:
     namespace: data-manipulation/hashing/aphash
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported # requires characteristic, mnemonic features
     mbc:
       - Data::Non-Cryptographic Hash [C0030]
     references:
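Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` leaves the dynamic behaviour of get-token-privileges undecided, and the visible `- basic block:` subscope has no dynamic counterpart, so this needs a human decision rather than a placeholder. If the subscope cannot be expressed as a `call:` block over the same API and argument features, the value should be `dynamic: unsupported # basic block subscope has no dynamic equivalent`; if it can, restructure the features so each flavor evaluates the matching subscope. As far as I can tell `unspecified` is accepted by the rule loader, but it reads as "not yet decided" and silently keeps the rule out of dynamic results. The feature block continues outside the hunk.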
diff --git a/nursery/hash-data-using-crc32b.yml b/nursery/hash-data-using-crc32b.yml index b39e8c446..1bd8e1477 100644 --- a/nursery/hash-data-using-crc32b.yml +++ b/nursery/hash-data-using-crc32b.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/checksum/crc32 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic features features: - and: - number: 0x4C11DB7 diff --git a/nursery/hash-data-using-jshash.yml b/nursery/hash-data-using-jshash.yml index ccdd0fb98..e4f9ea502 100644 --- a/nursery/hash-data-using-jshash.yml +++ b/nursery/hash-data-using-jshash.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/jshash authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unsupported # requires characteristic, mnemonic features mbc: - Data::Non-Cryptographic Hash [C0030] references: diff --git a/nursery/hash-data-using-md4.yml b/nursery/hash-data-using-md4.yml index ef482ce4d..54bc21519 100644 --- a/nursery/hash-data-using-md4.yml +++ b/nursery/hash-data-using-md4.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/md4 authors: - anamaria.martinezgom@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - number: 0x8002 = CALG_MD4 diff --git a/nursery/hash-data-using-murmur2.yml b/nursery/hash-data-using-murmur2.yml index 0cec679a9..c13a65455 100644 --- a/nursery/hash-data-using-murmur2.yml +++ b/nursery/hash-data-using-murmur2.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/murmur authors: - william.ballenthin@mandiant.com - scope: instruction + scopes: + static: instruction + dynamic: unsupported # requires mnemonic features references: - https://github.com/abrandoned/murmur2/blob/master/MurmurHash2.c features: diff --git a/nursery/hash-data-using-ripemd128.yml b/nursery/hash-data-using-ripemd128.yml index cd3035fbd..747736351 100755 
--- a/nursery/hash-data-using-ripemd128.yml
+++ b/nursery/hash-data-using-ripemd128.yml
@@ -4,7 +4,9 @@ rule:
     namespace: data-manipulation/hashing/ripemd128
     authors:
       - raymond.leong@mandiant.com
-    scope: file
+    scopes:
+      static: file
+      dynamic: unspecified # TODO upgrade manually, contains subscope
     references:
       - https://en.wikipedia.org/wiki/RIPEMD-128
   features:
diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml
index 5353fb9e7..6cc08aaf1 100755
--- a/nursery/hash-data-using-ripemd256.yml
+++ b/nursery/hash-data-using-ripemd256.yml
@@ -4,7 +4,9 @@ rule:
     namespace: data-manipulation/hashing/ripemd256
     authors:
       - raymond.leong@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     references:
       - https://en.wikipedia.org/wiki/RIPEMD-256
   features:
diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml
index 0b537a127..a8fc6f672 100755
--- a/nursery/hash-data-using-ripemd320.yml
+++ b/nursery/hash-data-using-ripemd320.yml
@@ -4,7 +4,9 @@ rule:
     namespace: data-manipulation/hashing/ripemd320
     authors:
       - raymond.leong@mandiant.com
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     references:
       - https://en.wikipedia.org/wiki/RIPEMD-320
   features:
diff --git a/nursery/hash-data-using-rshash.yml b/nursery/hash-data-using-rshash.yml
index a8da14a3f..7afc52f43 100644
--- a/nursery/hash-data-using-rshash.yml
+++ b/nursery/hash-data-using-rshash.yml
@@ -4,7 +4,9 @@ rule:
     namespace: data-manipulation/hashing/rshash
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported # requires characteristic features
     mbc:
       - Data::Non-Cryptographic Hash [C0030]
     references:
diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml
index 7df3f5b03..821a368a3 100644
--- a/nursery/hash-data-using-sha1-via-wincrypt.yml
+++ b/nursery/hash-data-using-sha1-via-wincrypt.yml
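Review bot: `dynamic: unspecified # TODO upgrade manually, contains subscope` is a placeholder on a `file`-scoped rule whose features (outside this hunk) presumably use a `function:` subscope, which does not exist in dynamic mode; the dynamic equivalent, if any, is a `process:` or `thread:` subscope, otherwise the value should be `dynamic: unsupported # function subscope has no dynamic equivalent`. Leaving it as `unspecified` keeps the rule out of dynamic results without recording why, and the TODO is likely to outlive this patch once the script has run. Unrelated to this change, this file and the two neighbouring RIPEMD rule files are mode `100755`; YAML rule files do not need the executable bit, and dropping it is a cheap hygiene fix while the files are being touched.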
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing/sha1
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 features:
 - or:
 - and:
diff --git a/nursery/hash-data-using-sha1-via-x86-extensions.yml b/nursery/hash-data-using-sha1-via-x86-extensions.yml
index 34e22fbeb..95cb78fb6 100644
--- a/nursery/hash-data-using-sha1-via-x86-extensions.yml
+++ b/nursery/hash-data-using-sha1-via-x86-extensions.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing/sha1
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires mnemonic features
 features:
 - or:
 - mnemonic: sha1rnds4 = Perform Four Rounds of SHA1 Operation
diff --git a/nursery/hash-data-using-sha256-via-x86-extensions.yml b/nursery/hash-data-using-sha256-via-x86-extensions.yml
index 8c6b5045d..08cec0f1e 100644
--- a/nursery/hash-data-using-sha256-via-x86-extensions.yml
+++ b/nursery/hash-data-using-sha256-via-x86-extensions.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing/sha256
 authors:
 - "@_re_fox"
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires mnemonic features
 features:
 - or:
 - mnemonic: sha256rnds2 = Perform Two Rounds of SHA256 Operation
diff --git a/nursery/hash-data-using-sha512managed-in-dotnet.yml b/nursery/hash-data-using-sha512managed-in-dotnet.yml
index b2fb012bd..16886f25e 100644
--- a/nursery/hash-data-using-sha512managed-in-dotnet.yml
+++ b/nursery/hash-data-using-sha512managed-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing/sha512
 authors:
 - jonathanlepore@google.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed
 features:
diff --git a/nursery/hash-data-using-whirlpool.yml b/nursery/hash-data-using-whirlpool.yml
index 22a11905f..390727747 100644
--- a/nursery/hash-data-using-whirlpool.yml
+++ b/nursery/hash-data-using-whirlpool.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing/whirlpool
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
 mbc:
 - Cryptography::Cryptographic Hash [C0029]
 references:
diff --git a/nursery/hash-data-via-bcrypt.yml b/nursery/hash-data-via-bcrypt.yml
index bb87c81e4..34e14c978 100644
--- a/nursery/hash-data-via-bcrypt.yml
+++ b/nursery/hash-data-via-bcrypt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/nursery/hook-routines-via-microsoft-detours.yml b/nursery/hook-routines-via-microsoft-detours.yml
index b00acc304..b93980461 100644
--- a/nursery/hook-routines-via-microsoft-detours.yml
+++ b/nursery/hook-routines-via-microsoft-detours.yml
@@ -4,7 +4,9 @@ rule:
 # namespace: linking/hooking
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf
 features:
diff --git a/nursery/hooked-by-api-override.yml b/nursery/hooked-by-api-override.yml
index a7832c0fd..24d63b6cd 100644
--- a/nursery/hooked-by-api-override.yml
+++ b/nursery/hooked-by-api-override.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/hooked/api-override
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
 - http://jacquelin.potier.free.fr/winapioverride32/
diff --git a/nursery/impersonate-user.yml b/nursery/impersonate-user.yml
index dd9286c31..c6f6f4510 100644
--- a/nursery/impersonate-user.yml
+++ b/nursery/impersonate-user.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/user
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]
 features:
diff --git a/nursery/implement-com-dll.yml b/nursery/implement-com-dll.yml
index 9cf2167b5..15bb34522 100644
--- a/nursery/implement-com-dll.yml
+++ b/nursery/implement-com-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/pe
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 references:
 - https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject
 features:
diff --git a/nursery/initialize-hashing-via-wincrypt.yml b/nursery/initialize-hashing-via-wincrypt.yml
index cbd1b389a..b57975301 100644
--- a/nursery/initialize-hashing-via-wincrypt.yml
+++ b/nursery/initialize-hashing-via-wincrypt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/hashing
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - api: advapi32.CryptCreateHash
diff --git a/nursery/inspect-load-icon-resource.yml b/nursery/inspect-load-icon-resource.yml
index afa1ad45e..eecd9f1fc 100644
--- a/nursery/inspect-load-icon-resource.yml
+++ b/nursery/inspect-load-icon-resource.yml
@@ -5,7 +5,9 @@ rule:
 namespace: anti-analysis
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires Not, mnemonic features
 features:
 # check if call to LoadIcon fails when first argument is NULL
 # and second argument is not a valid predefined icon - LoadIcon
diff --git a/nursery/interact-with-iptables.yml b/nursery/interact-with-iptables.yml
index fefe34750..f60567e89 100644
--- a/nursery/interact-with-iptables.yml
+++ b/nursery/interact-with-iptables.yml
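Review bot: The generated comment `# requires Not, mnemonic features` on inspect-load-icon-resource.yml capitalises `Not` and lists it as if it were a feature type, whereas every other generated comment in this series uses lowercase feature names (`characteristic`, `mnemonic`, `bytes`, `export`); `not` is a logic statement in the rule grammar rather than a feature, so `# requires not statement, mnemonic features` reads more accurately. Cosmetic, but since the text comes from the upgrade script it is worth fixing at the source so the other rules it touches stay consistent.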
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/firewall
 authors:
 - joakim@intezer.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
diff --git a/nursery/invoke-dotnet-assembly-method.yml b/nursery/invoke-dotnet-assembly-method.yml
index ccee9d26e..c33dc3989 100644
--- a/nursery/invoke-dotnet-assembly-method.yml
+++ b/nursery/invoke-dotnet-assembly-method.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/dotnet
 authors:
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Reflective Code Loading [T1620]
 features:
diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml
index db6acb21a..62c383a9a 100644
--- a/nursery/link-function-at-runtime-on-linux.yml
+++ b/nursery/link-function-at-runtime-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/runtime-linking
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Execution::Shared Modules [T1129]
 features:
diff --git a/nursery/linked-against-cpp-http-library.yml b/nursery/linked-against-cpp-http-library.yml
index 0f248f141..8a3ca603c 100644
--- a/nursery/linked-against-cpp-http-library.yml
+++ b/nursery/linked-against-cpp-http-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/httplib
 authors:
 - "@mr-tz"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/yhirose/cpp-httplib
 features:
diff --git a/nursery/linked-against-cpp-json-library.yml b/nursery/linked-against-cpp-json-library.yml
index 44ed90e7e..580373db9 100644
--- a/nursery/linked-against-cpp-json-library.yml
+++ b/nursery/linked-against-cpp-json-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/jsoncpp
 authors:
 - "@mr-tz"
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/open-source-parsers/jsoncpp
 features:
diff --git a/nursery/linked-against-cpp-regex-library.yml b/nursery/linked-against-cpp-regex-library.yml
index 907481982..9fbea2e21 100644
--- a/nursery/linked-against-cpp-regex-library.yml
+++ b/nursery/linked-against-cpp-regex-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/cppregex
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - http://www.cplusplus.com/reference/regex/regex_error/
 features:
diff --git a/nursery/linked-against-go-process-enumeration-library.yml b/nursery/linked-against-go-process-enumeration-library.yml
index c50655cb0..3a2d54bcd 100644
--- a/nursery/linked-against-go-process-enumeration-library.yml
+++ b/nursery/linked-against-go-process-enumeration-library.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - joakim@intezer.com
 description: Enumerating processes using a Go library
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/nursery/linked-against-go-registry-library.yml b/nursery/linked-against-go-registry-library.yml
index eb7ed878f..d79ab7d3d 100644
--- a/nursery/linked-against-go-registry-library.yml
+++ b/nursery/linked-against-go-registry-library.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - joakim@intezer.com
 description: Uses a Go library for interacting with the Windows registry.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/golang/sys
 features:
diff --git a/nursery/linked-against-go-static-asset-library.yml b/nursery/linked-against-go-static-asset-library.yml
index 060d2ce81..097030db4 100644
--- a/nursery/linked-against-go-static-asset-library.yml
+++ b/nursery/linked-against-go-static-asset-library.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - joakim@intezer.com
 description: Detects if the Go file includes an static assets.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://github.com/rakyll/statik
 - https://github.com/gobuffalo/packr
diff --git a/nursery/linked-against-go-wmi-library.yml b/nursery/linked-against-go-wmi-library.yml
index 1e635c0ff..52a869c3d 100644
--- a/nursery/linked-against-go-wmi-library.yml
+++ b/nursery/linked-against-go-wmi-library.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - joakim@intezer.com
 description: StackExchange's WMI library is used to interact with WMI.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 references:
diff --git a/nursery/linked-against-libsodium.yml b/nursery/linked-against-libsodium.yml
index 81b0539bd..9782dc646 100644
--- a/nursery/linked-against-libsodium.yml
+++ b/nursery/linked-against-libsodium.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - "@mr-tz"
 description: Sodium is a software library for encryption, decryption, signatures, password hashing and more.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Cryptography::Crypto Library [C0059]
 features:
diff --git a/nursery/linked-against-xzip.yml b/nursery/linked-against-xzip.yml
index 1b9b5c668..5d17ae09c 100644
--- a/nursery/linked-against-xzip.yml
+++ b/nursery/linked-against-xzip.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/static/xzip
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 mbc:
 - Data::Compression Library [C0060]
 references:
diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml
index 198beb437..98e11cc4e 100644
--- a/nursery/list-containers.yml
+++ b/nursery/list-containers.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/container/docker
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Discovery::Container and Resource Discovery [T1613]
 references:
diff --git a/nursery/list-domain-servers.yml b/nursery/list-domain-servers.yml
index 73f893664..11030930f 100644
--- a/nursery/list-domain-servers.yml
+++ b/nursery/list-domain-servers.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/domain
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001]
 features:
diff --git a/nursery/list-drag-and-drop-files.yml b/nursery/list-drag-and-drop-files.yml
index b726f9617..f9b0dfe42 100644
--- a/nursery/list-drag-and-drop-files.yml
+++ b/nursery/list-drag-and-drop-files.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/clipboard
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Clipboard Data [T1115]
 features:
diff --git a/nursery/list-groups-for-user-account.yml b/nursery/list-groups-for-user-account.yml
index 3e0c06e90..c9c0c0da0 100644
--- a/nursery/list-groups-for-user-account.yml
+++ b/nursery/list-groups-for-user-account.yml
@@ -6,7 +6,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: enumerates all the groups to which a user account belongs
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::Account Discovery [T1087]
 features:
diff --git a/nursery/list-tcp-connections-and-listeners.yml b/nursery/list-tcp-connections-and-listeners.yml
index 356c20790..04cef09d4 100644
--- a/nursery/list-tcp-connections-and-listeners.yml
+++ b/nursery/list-tcp-connections-and-listeners.yml
@@ -5,7 +5,9 @@ rule:
 namespace: collection/network
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: iphlpapi.GetExtendedTcpTable
diff --git a/nursery/list-udp-connections-and-listeners.yml b/nursery/list-udp-connections-and-listeners.yml
index b975e8180..20d50cc29 100644
--- a/nursery/list-udp-connections-and-listeners.yml
+++ b/nursery/list-udp-connections-and-listeners.yml
@@ -5,7 +5,9 @@ rule:
 namespace: collection/network
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: iphlpapi.GetExtendedUdpTable
diff --git a/nursery/list-user-account-groups.yml b/nursery/list-user-account-groups.yml
index 3e4040e80..918fedaf9 100644
--- a/nursery/list-user-account-groups.yml
+++ b/nursery/list-user-account-groups.yml
@@ -6,7 +6,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: enumerates all the groups present on the system/domain
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::Permission Groups Discovery [T1069]
 features:
diff --git a/nursery/list-user-accounts-for-group.yml b/nursery/list-user-accounts-for-group.yml
index 172b6a939..4c76247b4 100644
--- a/nursery/list-user-accounts-for-group.yml
+++ b/nursery/list-user-accounts-for-group.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/accounts
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::Permission Groups Discovery [T1069]
 features:
diff --git a/nursery/list-user-accounts.yml b/nursery/list-user-accounts.yml
index 066f2328e..ea41e4cda 100644
--- a/nursery/list-user-accounts.yml
+++ b/nursery/list-user-accounts.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/accounts
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::Account Discovery [T1087]
 features:
diff --git a/nursery/listen-for-remote-procedure-calls.yml b/nursery/listen-for-remote-procedure-calls.yml
index e32f0e889..c5449d2e8 100644
--- a/nursery/listen-for-remote-procedure-calls.yml
+++ b/nursery/listen-for-remote-procedure-calls.yml
@@ -5,7 +5,9 @@ rule:
 namespace: communication/rpc/server
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: rpcrt4.RpcServerListen
diff --git a/nursery/load-dotnet-assembly.yml b/nursery/load-dotnet-assembly.yml
index efc65e138..82deea7d7 100644
--- a/nursery/load-dotnet-assembly.yml
+++ b/nursery/load-dotnet-assembly.yml
@@ -4,7 +4,9 @@ rule:
 namespace: load-code/dotnet
 authors:
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Defense Evasion::Reflective Code Loading [T1620]
 features:
diff --git a/nursery/load-xml-in-dotnet.yml b/nursery/load-xml-in-dotnet.yml
index 5c3e8528a..c4e34ccb5 100644
--- a/nursery/load-xml-in-dotnet.yml
+++ b/nursery/load-xml-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/xml
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.Xml.XmlDocument::Load
diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml
index 0a266d237..ef23de6e0 100644
--- a/nursery/log-keystrokes-via-input-method-manager.yml
+++ b/nursery/log-keystrokes-via-input-method-manager.yml
@@ -5,7 +5,9 @@ rule:
 namespace: collection/keylog
 authors:
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - or:
diff --git a/nursery/log-keystrokes-via-raw-input-data.yml b/nursery/log-keystrokes-via-raw-input-data.yml
index 8a98532d3..d3508c6e2 100644
--- a/nursery/log-keystrokes-via-raw-input-data.yml
+++ b/nursery/log-keystrokes-via-raw-input-data.yml
@@ -5,7 +5,9 @@ rule:
 namespace: collection/keylog
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, mnemonic features
 att&ck:
 - Collection::Input Capture::Keylogging [T1056.001]
 features:
diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml
index f5f4c83a6..3bbd22294 100644
--- a/nursery/make-an-http-request-with-a-cookie.yml
+++ b/nursery/make-an-http-request-with-a-cookie.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http/client
 authors:
 - anamaria.martinezgom@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 features:
 - and:
 - match: send HTTP request
diff --git a/nursery/manipulate-console-window.yml b/nursery/manipulate-console-window.yml
index 0a272ee66..0f042bdd7 100644
--- a/nursery/manipulate-console-window.yml
+++ b/nursery/manipulate-console-window.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/console
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 mbc:
 - Operating System::Console [C0033]
 features:
diff --git a/nursery/manipulate-network-credentials-in-dotnet.yml b/nursery/manipulate-network-credentials-in-dotnet.yml
index 38a2df967..b14ca77e8 100644
--- a/nursery/manipulate-network-credentials-in-dotnet.yml
+++ b/nursery/manipulate-network-credentials-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/authentication
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - and:
 - api: System.Net.NetworkCredential::ctor
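Review bot: `dynamic: call` on manipulate-network-credentials-in-dotnet.yml sits above a `features` block that opens with `- and:` followed by `- api: System.Net.NetworkCredential::ctor`; the rest of that `and` is outside the hunk, but if it requires a second, different `api` feature, no single call can satisfy it and the rule would silently never fire in dynamic mode. manipulate-user-privileges.yml in the next file (`- and:` / `- api: advapi32.LsaAddAccountRights`, also mapped to `call` without a TODO) has the same shape. In both cases `dynamic: thread` is the safe choice unless the remaining `and` operands are all call-level features (argument numbers or strings, `os`, `arch`), which is worth checking against the full rule rather than trusting the script's default. Relatedly, load-dotnet-assembly.yml (function → `call`) and invoke-dotnet-assembly-method.yml (function → `thread`) share a namespace and static scope but received different dynamic scopes; if that reflects the shape of their `features` it is fine, but the reason is not visible from these hunks.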
diff --git a/nursery/manipulate-unmanaged-memory-in-dotnet.yml b/nursery/manipulate-unmanaged-memory-in-dotnet.yml
index a754e3695..ab56f4ea9 100644
--- a/nursery/manipulate-unmanaged-memory-in-dotnet.yml
+++ b/nursery/manipulate-unmanaged-memory-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/memory
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires class features
 features:
 - or:
 - class: System.Runtime.InteropServices.Marshal
diff --git a/nursery/manipulate-user-privileges.yml b/nursery/manipulate-user-privileges.yml
index d1745f9a9..125c51380 100644
--- a/nursery/manipulate-user-privileges.yml
+++ b/nursery/manipulate-user-privileges.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/user
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - and:
 - api: advapi32.LsaAddAccountRights
diff --git a/nursery/mark-thread-detached-on-linux.yml b/nursery/mark-thread-detached-on-linux.yml
index 3eb0e5f5b..2ab087a1e 100644
--- a/nursery/mark-thread-detached-on-linux.yml
+++ b/nursery/mark-thread-detached-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/thread
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - and:
 - os: linux
diff --git a/nursery/migrate-process-to-active-window-station.yml b/nursery/migrate-process-to-active-window-station.yml
index 3c22d61e5..541b4a68b 100644
--- a/nursery/migrate-process-to-active-window-station.yml
+++ b/nursery/migrate-process-to-active-window-station.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers.
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html
 - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops
diff --git a/nursery/mixed-mode.yml b/nursery/mixed-mode.yml
index fb328ae8c..d0e31b151 100644
--- a/nursery/mixed-mode.yml
+++ b/nursery/mixed-mode.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: file contains managed and unmanaged (native) code, often seen in .NET
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires characteristic features
 features:
 - or:
 - characteristic: mixed mode
diff --git a/nursery/monitor-clipboard-content.yml b/nursery/monitor-clipboard-content.yml
index 7dafdb82a..8ff22f39f 100644
--- a/nursery/monitor-clipboard-content.yml
+++ b/nursery/monitor-clipboard-content.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/clipboard
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Collection::Clipboard Data [T1115]
 features:
diff --git a/nursery/monitor-local-ipv4-address-changes.yml b/nursery/monitor-local-ipv4-address-changes.yml
index fdcab2c28..f95169c97 100644
--- a/nursery/monitor-local-ipv4-address-changes.yml
+++ b/nursery/monitor-local-ipv4-address-changes.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/network/address
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 features:
diff --git a/nursery/move-directory.yml b/nursery/move-directory.yml
index 469200c40..45385e190 100644
--- a/nursery/move-directory.yml
+++ b/nursery/move-directory.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system/move
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.IO.DirectoryInfo::MoveTo
diff --git a/nursery/obfuscated-with-koivm.yml b/nursery/obfuscated-with-koivm.yml
index bbbe82ed4..7e7edb7be 100644
--- a/nursery/obfuscated-with-koivm.yml
+++ b/nursery/obfuscated-with-koivm.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/obfuscation
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires namespace, class features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/nursery/open-cabinet-file.yml b/nursery/open-cabinet-file.yml
index 2ee425ee4..1e0ac4076 100644
--- a/nursery/open-cabinet-file.yml
+++ b/nursery/open-cabinet-file.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 references:
 - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
 features:
diff --git a/nursery/packaged-as-a-createinstall-installer.yml b/nursery/packaged-as-a-createinstall-installer.yml
index 6a4e4af55..e9d130189 100644
--- a/nursery/packaged-as-a-createinstall-installer.yml
+++ b/nursery/packaged-as-a-createinstall-installer.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/installer/createinstall
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.createinstall.com/
 - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
diff --git a/nursery/packaged-as-a-nsis-installer.yml b/nursery/packaged-as-a-nsis-installer.yml
index ed7518dc1..825d120be 100644
--- a/nursery/packaged-as-a-nsis-installer.yml
+++ b/nursery/packaged-as-a-nsis-installer.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/installer/nsis
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://nsis.sourceforge.io/Main_Page
 features:
diff --git a/nursery/packaged-as-a-pintool.yml b/nursery/packaged-as-a-pintool.yml
index 5c8903417..8f75ad933 100644
--- a/nursery/packaged-as-a-pintool.yml
+++ b/nursery/packaged-as-a-pintool.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/pintool
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://software.intel.com/content/www/us/en/develop/articles/pin-a-dynamic-binary-instrumentation-tool.html
 - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
diff --git a/nursery/packaged-as-a-winzip-self-extracting-archive.yml b/nursery/packaged-as-a-winzip-self-extracting-archive.yml
index 1282614da..b3b7313ae 100644
--- a/nursery/packaged-as-a-winzip-self-extracting-archive.yml
+++ b/nursery/packaged-as-a-winzip-self-extracting-archive.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/installer/winzip
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
 features:
diff --git a/nursery/packaged-as-a-wise-installer.yml b/nursery/packaged-as-a-wise-installer.yml
index 1faf43be4..ff81ba786 100644
--- a/nursery/packaged-as-a-wise-installer.yml
+++ b/nursery/packaged-as-a-wise-installer.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/installer/wiseinstall
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 features:
 - or:
 - string: "WiseMain"
diff --git a/nursery/packaged-as-an-installshield-installer.yml b/nursery/packaged-as-an-installshield-installer.yml
index e2cd630fc..a3e07e127 100644
--- a/nursery/packaged-as-an-installshield-installer.yml
+++ b/nursery/packaged-as-an-installshield-installer.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/installer/installshield
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 features:
 - or:
 # AppHelp has an export ApphelpCheckInstallShieldPackage,
diff --git a/nursery/packed-with-ccg.yml b/nursery/packed-with-ccg.yml
index e2e9ef89a..553dcb36f 100644
--- a/nursery/packed-with-ccg.yml
+++ b/nursery/packed-with-ccg.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/ccg
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-crunch.yml b/nursery/packed-with-crunch.yml
index 1e53d7540..db8391f83 100644
--- a/nursery/packed-with-crunch.yml
+++ b/nursery/packed-with-crunch.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/crunch
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-dragon-armor.yml b/nursery/packed-with-dragon-armor.yml
index 8999d02f7..8794419a8 100644
--- a/nursery/packed-with-dragon-armor.yml
+++ b/nursery/packed-with-dragon-armor.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/dragon-armor
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-enigma.yml b/nursery/packed-with-enigma.yml
index 2428c6dc5..026aa523d 100644
--- a/nursery/packed-with-enigma.yml
+++ b/nursery/packed-with-enigma.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/enigma
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-epack.yml b/nursery/packed-with-epack.yml
index b67409549..4ac81187e 100644
--- a/nursery/packed-with-epack.yml
+++ b/nursery/packed-with-epack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/epack
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-maskpe.yml b/nursery/packed-with-maskpe.yml
index 220319159..cbacd7829 100644
--- a/nursery/packed-with-maskpe.yml
+++ b/nursery/packed-with-maskpe.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/maskpe
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-mew.yml b/nursery/packed-with-mew.yml
index c5a180e73..a4fd10a82 100644
--- a/nursery/packed-with-mew.yml
+++ b/nursery/packed-with-mew.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/mew
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-mpress.yml b/nursery/packed-with-mpress.yml
index f2427db92..0ee836c3e 100644
--- a/nursery/packed-with-mpress.yml
+++ b/nursery/packed-with-mpress.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/mpress
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-neolite.yml b/nursery/packed-with-neolite.yml
index aa707a904..5c4685686 100644
--- a/nursery/packed-with-neolite.yml
+++ b/nursery/packed-with-neolite.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/neolite
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-pepack.yml b/nursery/packed-with-pepack.yml
index 5f7d607dd..29a817317 100644
--- a/nursery/packed-with-pepack.yml
+++ b/nursery/packed-with-pepack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/pepack
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-perplex.yml b/nursery/packed-with-perplex.yml
index bffad089a..ed883ddf8 100644
--- a/nursery/packed-with-perplex.yml
+++ b/nursery/packed-with-perplex.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/perplex
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-procrypt.yml b/nursery/packed-with-procrypt.yml
index f843bbbe7..2d6e1cf99 100644
--- a/nursery/packed-with-procrypt.yml
+++ b/nursery/packed-with-procrypt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/procrypt
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-rpcrypt.yml b/nursery/packed-with-rpcrypt.yml
index fbe023f6f..2571e3fe8 100644
--- a/nursery/packed-with-rpcrypt.yml
+++ b/nursery/packed-with-rpcrypt.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/rpcrypt
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-seausfx.yml b/nursery/packed-with-seausfx.yml
index a2fb371bd..e11fb96fa 100644
--- a/nursery/packed-with-seausfx.yml
+++ b/nursery/packed-with-seausfx.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/seausfx
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-shrinker.yml b/nursery/packed-with-shrinker.yml
index 00d0c48ec..ecd1fca54 100644
--- a/nursery/packed-with-shrinker.yml
+++ b/nursery/packed-with-shrinker.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/shrinker
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-simple-pack.yml b/nursery/packed-with-simple-pack.yml
index 2c55466f2..6fa09cc60 100644
--- a/nursery/packed-with-simple-pack.yml
+++ b/nursery/packed-with-simple-pack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/simple-pack
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-starforce.yml b/nursery/packed-with-starforce.yml
index 4eccdc8dc..3f57a90f6 100644
--- a/nursery/packed-with-starforce.yml
+++ b/nursery/packed-with-starforce.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/starforce
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-svkp.yml b/nursery/packed-with-svkp.yml
index 5630dec5d..7af4feda6 100644
--- a/nursery/packed-with-svkp.yml
+++ b/nursery/packed-with-svkp.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/svkp
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-tsuloader.yml b/nursery/packed-with-tsuloader.yml
index 16f175499..289bb3a2f 100644
--- a/nursery/packed-with-tsuloader.yml
+++ b/nursery/packed-with-tsuloader.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/tsuloader
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-vprotect.yml b/nursery/packed-with-vprotect.yml
index 284ba0545..5fedd9817 100644
--- a/nursery/packed-with-vprotect.yml
+++ b/nursery/packed-with-vprotect.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/vprotect
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/packed-with-wwpack.yml b/nursery/packed-with-wwpack.yml
index 2228228ef..88dd88a4e 100644
--- a/nursery/packed-with-wwpack.yml
+++ b/nursery/packed-with-wwpack.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/packer/wwpack
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
 mbc:
diff --git a/nursery/parse-url.yml b/nursery/parse-url.yml
index 4e1577d1c..82c81fcf4 100644
--- a/nursery/parse-url.yml
+++ b/nursery/parse-url.yml
@@ -5,7 +5,9 @@ rule:
 namespace: communication/http
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: wininet.InternetCrackUrl
diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml
index 74f3cc92f..80a712f80 100644
--- a/nursery/persist-via-gnome-autostart-on-linux.yml
+++ b/nursery/persist-via-gnome-autostart-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 features:
 - and:
 - os: linux
diff --git a/nursery/power-down-monitor.yml b/nursery/power-down-monitor.yml
index 4522e9beb..fdcf13ee5 100644
--- a/nursery/power-down-monitor.yml
+++ b/nursery/power-down-monitor.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/hardware/monitor
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - and:
 - api: user32.SendMessage
diff --git a/nursery/prompt-user-for-credentials.yml b/nursery/prompt-user-for-credentials.yml
index 7fc786ec8..303c4ced4 100644
--- a/nursery/prompt-user-for-credentials.yml
+++ b/nursery/prompt-user-for-credentials.yml
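Review bot: The dynamic scope chosen for parse-url.yml, `+    dynamic: call # TODO check if scope thread instead`, is committed with its TODO unresolved, and the same unresolved TODO is left in persist-via-gnome-autostart-on-linux.yml and power-down-monitor.yml on this line and in later hunks (query-remote-server-for-available-data, reference-screen-saver-executable, register-http-server-url, register-raw-input-devices, resize-volume-shadow-copy-storage, run-in-container, send-http-request-with-host-header, set-global-application-hook, set-thread-name-on-linux, unmanaged-call). Because the script appears to have derived `call`/`thread` mechanically from the old static scope rather than from the rule's features, each of these rules will match dynamic traces at a granularity nobody has checked: if `call` is too narrow the rule silently never fires dynamically, if `thread` is too wide it raises false positives. The features block of each rule continues outside its hunk, so the right scope cannot be judged from the diff alone; consider collecting these open TODOs in one tracking issue so they are not lost in per-file comments, and stating in the commit message that the dynamic scopes are provisional.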
@@ -5,7 +5,9 @@ rule:
 namespace: collection/credentials
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials
 features:
diff --git a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
index 25c1472fc..1dc167b9a 100644
--- a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
+++ b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/registry
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
index 363084680..063f4234e 100644
--- a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
+++ b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/registry
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/query-remote-server-for-available-data.yml b/nursery/query-remote-server-for-available-data.yml
index af757da5c..cf98c8bc2 100644
--- a/nursery/query-remote-server-for-available-data.yml
+++ b/nursery/query-remote-server-for-available-data.yml
@@ -5,7 +5,9 @@ rule:
 namespace: communication
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: wininet.InternetQueryDataAvailable
diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml
index 7b2d870b7..6d181534c 100644
--- a/nursery/read-and-send-data-from-client-to-server.yml
+++ b/nursery/read-and-send-data-from-client-to-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/c2/file-transfer
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - match: host-interaction/file-system/read
diff --git a/nursery/read-process-memory.yml b/nursery/read-process-memory.yml
index 4796d5f5b..db460b902 100644
--- a/nursery/read-process-memory.yml
+++ b/nursery/read-process-memory.yml
@@ -6,7 +6,9 @@ rule:
 - matthew.williams@mandiant.com
 - "@_re_fox"
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - api: kernel32.ReadProcessMemory
diff --git a/nursery/read-raw-disk-data.yml b/nursery/read-raw-disk-data.yml
index 8a4d1a4b5..91b928742 100644
--- a/nursery/read-raw-disk-data.yml
+++ b/nursery/read-raw-disk-data.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 features:
 - or:
 - string: "\\\\.\\PhysicalDrive0"
diff --git a/nursery/rebuilt-by-imprec.yml b/nursery/rebuilt-by-imprec.yml
index 6afe346ab..5fd0b9a0a 100644
--- a/nursery/rebuilt-by-imprec.yml
+++ b/nursery/rebuilt-by-imprec.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/imprec
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
 features:
diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml
index 09e72dbbc..369dbf194 100644
--- a/nursery/receive-and-write-data-from-server-to-client.yml
+++ b/nursery/receive-and-write-data-from-server-to-client.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/c2/file-transfer
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - match: receive data
diff --git a/nursery/reference-114dns-dns-server.yml b/nursery/reference-114dns-dns-server.yml
index 276169dd6..c1ac922a2 100644
--- a/nursery/reference-114dns-dns-server.yml
+++ b/nursery/reference-114dns-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.114dns.com/
 - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP
diff --git a/nursery/reference-aes-constants.yml b/nursery/reference-aes-constants.yml
index f523e98d9..3240fb62e 100644
--- a/nursery/reference-aes-constants.yml
+++ b/nursery/reference-aes-constants.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/encryption/aes
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 features:
diff --git a/nursery/reference-alidns-dns-server.yml b/nursery/reference-alidns-dns-server.yml
index 45f30f1b9..1a35101ae 100644
--- a/nursery/reference-alidns-dns-server.yml
+++ b/nursery/reference-alidns-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.alidns.com/
 # examples:
diff --git a/nursery/reference-base58-string.yml b/nursery/reference-base58-string.yml
index f1d2e324d..608376784 100644
--- a/nursery/reference-base58-string.yml
+++ b/nursery/reference-base58-string.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 description: Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0, I, O, and l). Base58 is used to represent bitcoin addresses.
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/nursery/reference-cloudflare-dns-server.yml b/nursery/reference-cloudflare-dns-server.yml
index e3db38007..dd7e512cc 100644
--- a/nursery/reference-cloudflare-dns-server.yml
+++ b/nursery/reference-cloudflare-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-comodo-secure-dns-server.yml b/nursery/reference-comodo-secure-dns-server.yml
index af5beb86a..b7664ff2c 100644
--- a/nursery/reference-comodo-secure-dns-server.yml
+++ b/nursery/reference-comodo-secure-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-cryptocurrency-strings.yml b/nursery/reference-cryptocurrency-strings.yml
index 3d0f2c630..f727819fd 100644
--- a/nursery/reference-cryptocurrency-strings.yml
+++ b/nursery/reference-cryptocurrency-strings.yml
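Review bot: The new line `+    dynamic: unsupported # requires features` in reference-base58-string.yml does not say which feature makes the rule unsupported for dynamic analysis, whereas every other `unsupported` hunk on this page names it (`# requires bytes features`, `# requires mnemonic features`, `# requires export features`). Without the name a maintainer cannot tell when the dynamic backend has grown the missing capability and the scope can be revisited. Suggest `dynamic: unsupported # requires <FEATURE-NAME> features` with the placeholder replaced by the actual feature from the rule's features block, which lies outside this hunk.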
@@ -4,7 +4,9 @@ rule:
 namespace: impact/cryptocurrency
 authors:
 - moritz.raabe@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Impact::Resource Hijacking [T1496]
 references:
diff --git a/nursery/reference-google-public-dns-server.yml b/nursery/reference-google-public-dns-server.yml
index ea5d54eab..fccdc8e79 100644
--- a/nursery/reference-google-public-dns-server.yml
+++ b/nursery/reference-google-public-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 - https://developers.google.com/speed/public-dns/docs/using
diff --git a/nursery/reference-hurricane-electric-dns-server.yml b/nursery/reference-hurricane-electric-dns-server.yml
index bb772d8a2..c90176fe0 100644
--- a/nursery/reference-hurricane-electric-dns-server.yml
+++ b/nursery/reference-hurricane-electric-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://dns.he.net/
 - https://dnslytics.com/ip/216.66.1.2
diff --git a/nursery/reference-kornet-dns-server.yml b/nursery/reference-kornet-dns-server.yml
index e02deda01..f08d6b3c5 100644
--- a/nursery/reference-kornet-dns-server.yml
+++ b/nursery/reference-kornet-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://whatismyipaddress.com/ip/168.126.63.1
 # examples:
diff --git a/nursery/reference-l3-dns-server.yml b/nursery/reference-l3-dns-server.yml
index b570ed360..0a0f1f98e 100644
--- a/nursery/reference-l3-dns-server.yml
+++ b/nursery/reference-l3-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.quora.com/What-is-a-4-2-2-1-DNS-server
 features:
diff --git a/nursery/reference-opendns-dns-server.yml b/nursery/reference-opendns-dns-server.yml
index 02f1449c6..128ed6171 100644
--- a/nursery/reference-opendns-dns-server.yml
+++ b/nursery/reference-opendns-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-processor-manufacturer-constants.yml b/nursery/reference-processor-manufacturer-constants.yml
index 34aef0c97..1002ba4c6 100644
--- a/nursery/reference-processor-manufacturer-constants.yml
+++ b/nursery/reference-processor-manufacturer-constants.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - matthew.williams@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires mnemonic features
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/nursery/reference-quad9-dns-server.yml b/nursery/reference-quad9-dns-server.yml
index c1b715bcb..74188a337 100644
--- a/nursery/reference-quad9-dns-server.yml
+++ b/nursery/reference-quad9-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml
index 5c3ffe4c0..35cd13b0c 100644
--- a/nursery/reference-screen-saver-executable.yml
+++ b/nursery/reference-screen-saver-executable.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Event Triggered Execution::Screensaver [T1546.002]
 features:
diff --git a/nursery/reference-startup-folder.yml b/nursery/reference-startup-folder.yml
index bdc762f6d..1ea425441 100644
--- a/nursery/reference-startup-folder.yml
+++ b/nursery/reference-startup-folder.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/startup-folder
 authors:
 - matthew.williams@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 features:
diff --git a/nursery/reference-the-vmware-io-port.yml b/nursery/reference-the-vmware-io-port.yml
index 668ee70fb..3c111813f 100644
--- a/nursery/reference-the-vmware-io-port.yml
+++ b/nursery/reference-the-vmware-io-port.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/nursery/reference-verisign-dns-server.yml b/nursery/reference-verisign-dns-server.yml
index 721abdc24..626ae4b99 100644
--- a/nursery/reference-verisign-dns-server.yml
+++ b/nursery/reference-verisign-dns-server.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/dns
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/register-http-server-url.yml b/nursery/register-http-server-url.yml
index 241cff21a..7eec08e4c 100644
--- a/nursery/register-http-server-url.yml
+++ b/nursery/register-http-server-url.yml
@@ -5,7 +5,9 @@ rule:
 namespace: communication/http/server
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: httpapi.HttpAddUrl
diff --git a/nursery/register-raw-input-devices.yml b/nursery/register-raw-input-devices.yml
index 90dc25fea..ddfed489c 100644
--- a/nursery/register-raw-input-devices.yml
+++ b/nursery/register-raw-input-devices.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/hardware
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - or:
 - api: user32.RegisterRawInputDevices
diff --git a/nursery/resize-volume-shadow-copy-storage.yml b/nursery/resize-volume-shadow-copy-storage.yml
index e22bf7dba..13c390757 100644
--- a/nursery/resize-volume-shadow-copy-storage.yml
+++ b/nursery/resize-volume-shadow-copy-storage.yml
@@ -5,7 +5,9 @@ rule:
 namespace: impact/inhibit-system-recovery
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - and:
 - api: kernel32.DeviceIoControl
diff --git a/nursery/resolve-function-by-djb2-hash.yml b/nursery/resolve-function-by-djb2-hash.yml
index 744e3edf1..49d405084 100644
--- a/nursery/resolve-function-by-djb2-hash.yml
+++ b/nursery/resolve-function-by-djb2-hash.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - still@teamt5.org
 description: known import name hashes calculated using the non-cryptographic djb2 hashing algorithm
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 mbc:
diff --git a/nursery/resolve-function-by-fnv-1a-hash.yml b/nursery/resolve-function-by-fnv-1a-hash.yml
index 4973735ea..7f323956a 100644
--- a/nursery/resolve-function-by-fnv-1a-hash.yml
+++ b/nursery/resolve-function-by-fnv-1a-hash.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - still@teamt5.org
 description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/resolve-function-by-hash.yml b/nursery/resolve-function-by-hash.yml
index 61bcc2f99..9e84d6a67 100644
--- a/nursery/resolve-function-by-hash.yml
+++ b/nursery/resolve-function-by-hash.yml
@@ -4,7 +4,9 @@ rule:
 namespace: linking/runtime-linking
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml
index 374d4b2cc..2f8a096cf 100644
--- a/nursery/run-in-container.yml
+++ b/nursery/run-in-container.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/container/docker
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Execution::Container Administration Command [T1609]
 references:
diff --git a/nursery/save-image-in-dotnet.yml b/nursery/save-image-in-dotnet.yml
index 7cedd61a1..b00b38ede 100644
--- a/nursery/save-image-in-dotnet.yml
+++ b/nursery/save-image-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires class features
 features:
 - and:
 - api: System.Drawing.Image::Save
diff --git a/nursery/schedule-task-via-itaskservice.yml b/nursery/schedule-task-via-itaskservice.yml
index 09c84745b..919ee97c1 100644
--- a/nursery/schedule-task-via-itaskservice.yml
+++ b/nursery/schedule-task-via-itaskservice.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/scheduled-tasks
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, bytes features
 att&ck:
 - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
 features:
diff --git a/nursery/search-for-credit-card-data.yml b/nursery/search-for-credit-card-data.yml
index 1c90a1942..6d183270a 100644
--- a/nursery/search-for-credit-card-data.yml
+++ b/nursery/search-for-credit-card-data.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/credit-card
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic features
 features:
 - and:
 - instruction:
diff --git a/nursery/send-data-to-internet.yml b/nursery/send-data-to-internet.yml
index 899ade401..44e1a3a66 100644
--- a/nursery/send-data-to-internet.yml
+++ b/nursery/send-data-to-internet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http/client
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - optional:
diff --git a/nursery/send-email-in-dotnet.yml b/nursery/send-email-in-dotnet.yml
index 4576c7253..39cba5916 100644
--- a/nursery/send-email-in-dotnet.yml
+++ b/nursery/send-email-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/smtp/send
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.Web.Mail.SmtpMail::Send
diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml
index 4646f8932..6a63cbd32 100644
--- a/nursery/send-http-request-with-host-header.yml
+++ b/nursery/send-http-request-with-host-header.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http
 authors:
 - anamaria.martinezgom@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 features:
 - and:
 - match: send HTTP request
diff --git a/nursery/send-keystrokes.yml b/nursery/send-keystrokes.yml
index 0fc5eea3b..8d449c4bc 100644
--- a/nursery/send-keystrokes.yml
+++ b/nursery/send-keystrokes.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/hardware/keyboard
 authors:
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.Windows.Forms.SendKeys::Send
diff --git a/nursery/send-request-in-dotnet.yml b/nursery/send-request-in-dotnet.yml
index b186b92a2..9c66ac39a 100644
--- a/nursery/send-request-in-dotnet.yml
+++ b/nursery/send-request-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http/client
 authors:
 - anushka.virgaonakr@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
 mbc:
diff --git a/nursery/send-sms-on-android.yml b/nursery/send-sms-on-android.yml
index 825432752..1d47168db 100644
--- a/nursery/send-sms-on-android.yml
+++ b/nursery/send-sms-on-android.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/sms
 authors:
 - "@mr-tz"
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset features
 # att&ck:
 # - Mobile::SMS Control [T1582]
 features:
diff --git a/nursery/serialize-json-in-dotnet.yml b/nursery/serialize-json-in-dotnet.yml
index b23f85ed1..930f19a9d 100644
--- a/nursery/serialize-json-in-dotnet.yml
+++ b/nursery/serialize-json-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/json
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.Web.Script.Serialization.JavaScriptSerializer::Serialize
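Review bot: Not introduced by this change, but the context line `- anushka.virgaonakr@mandiant.com` in the send-request-in-dotnet.yml hunk looks like a letter transposition of `anushka.virgaonkar@mandiant.com`, the form used two hunks earlier in send-keystrokes.yml on this same line. Since the upgrade script already rewrites the header of every rule, fixing the author entry in the same pass would keep the author lists consistent across the rule set; if the spelling is intentional, ignore this.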
diff --git a/nursery/set-current-directory.yml b/nursery/set-current-directory.yml
index 6102bd4e7..d1f55eed8 100644
--- a/nursery/set-current-directory.yml
+++ b/nursery/set-current-directory.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/file-system
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 features:
 - or:
 - api: System.IO.Directory::SetCurrentDirectory
diff --git a/nursery/set-global-application-hook.yml b/nursery/set-global-application-hook.yml
index d634231cd..c4fe59616 100644
--- a/nursery/set-global-application-hook.yml
+++ b/nursery/set-global-application-hook.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/gui
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: call # TODO check if scope thread instead
 features:
 - and:
 - api: user32.SetWindowsHookEx
diff --git a/nursery/set-http-cookie.yml b/nursery/set-http-cookie.yml
index 91cc5844f..66740c190 100644
--- a/nursery/set-http-cookie.yml
+++ b/nursery/set-http-cookie.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 att&ck:
 - Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
 references:
diff --git a/nursery/set-http-user-agent-in-dotnet.yml b/nursery/set-http-user-agent-in-dotnet.yml
index 8634da64d..90bb3bae0 100644
--- a/nursery/set-http-user-agent-in-dotnet.yml
+++ b/nursery/set-http-user-agent-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires property features
 features:
 - or:
 - property/write: System.Net.HttpWebRequest::UserAgent
diff --git a/nursery/set-registry-value-via-stdregprov.yml b/nursery/set-registry-value-via-stdregprov.yml
index 1f194339a..ecc12bb55 100644
--- a/nursery/set-registry-value-via-stdregprov.yml
+++ b/nursery/set-registry-value-via-stdregprov.yml
@@ -5,7 +5,9 @@ rule:
 namespace: host-interaction/registry
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml
index 9c9694da0..24aebf610 100644
--- a/nursery/set-thread-name-on-linux.yml
+++ b/nursery/set-thread-name-on-linux.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/thread
 authors:
 - michael.hunhoff@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 features:
 - and:
 - os: linux
diff --git a/nursery/set-web-proxy-in-dotnet.yml b/nursery/set-web-proxy-in-dotnet.yml
index 415c5b60a..e0bdc2df0 100644
--- a/nursery/set-web-proxy-in-dotnet.yml
+++ b/nursery/set-web-proxy-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: communication/http
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires property features
 features:
 - and:
 - property/write: System.Net.WebRequest::Proxy
diff --git a/nursery/terminate-process-by-name-in-dotnet.yml b/nursery/terminate-process-by-name-in-dotnet.yml
index 4dbeeb16f..d54e5029b 100644
--- a/nursery/terminate-process-by-name-in-dotnet.yml
+++ b/nursery/terminate-process-by-name-in-dotnet.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/process/terminate
 authors:
 - anushka.virgaonkar@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - api: System.Diagnostics.Process::GetProcessesByName
diff --git a/nursery/terminate-process-by-name.yml b/nursery/terminate-process-by-name.yml
index 7b0df849d..e71800525 100644
--- a/nursery/terminate-process-by-name.yml
+++ b/nursery/terminate-process-by-name.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/process/terminate
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset features
 # examples:
 # - unpacked Cl0p ransomware
 features:
diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
index bb317854f..2f5426f23 100644
--- a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
+++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 features:
 - and:
 - or:
diff --git a/nursery/unmanaged-call.yml b/nursery/unmanaged-call.yml
index bb07ed993..32b0069aa 100644
--- a/nursery/unmanaged-call.yml
+++ b/nursery/unmanaged-call.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 description: managed code calls unmanaged (native) code, often seen in .NET
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 features:
 - or:
 - characteristic: unmanaged call
diff --git a/persistence/act-as-dhcp-server-callout-dll.yml b/persistence/act-as-dhcp-server-callout-dll.yml
index 4a3096325..854058a4b 100644
--- a/persistence/act-as-dhcp-server-callout-dll.yml
+++ b/persistence/act-as-dhcp-server-callout-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Server Software Component [T1505]
 references:
diff --git a/persistence/act-as-dns-server-plugin-dll.yml b/persistence/act-as-dns-server-plugin-dll.yml
index b458b41e3..b827b2226 100644
--- a/persistence/act-as-dns-server-plugin-dll.yml
+++ b/persistence/act-as-dns-server-plugin-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Server Software Component [T1505]
 references:
diff --git a/persistence/authentication-process/act-as-credential-manager-dll.yml b/persistence/authentication-process/act-as-credential-manager-dll.yml
index 476b650ca..720198bf0 100644
--- a/persistence/authentication-process/act-as-credential-manager-dll.yml
+++ b/persistence/authentication-process/act-as-credential-manager-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/authentication-process
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008]
 examples:
diff --git a/persistence/authentication-process/act-as-password-filter-dll.yml b/persistence/authentication-process/act-as-password-filter-dll.yml
index a8cbeeb1a..9524402b8 100644
--- a/persistence/authentication-process/act-as-password-filter-dll.yml
+++ b/persistence/authentication-process/act-as-password-filter-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/authentication-process
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Modify Authentication Process::Password Filter DLL [T1556.002]
 examples:
diff --git a/persistence/authentication-process/act-as-security-support-provider-dll.yml b/persistence/authentication-process/act-as-security-support-provider-dll.yml
index 9776f1f03..81200674b 100644
--- a/persistence/authentication-process/act-as-security-support-provider-dll.yml
+++ b/persistence/authentication-process/act-as-security-support-provider-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/authentication-process
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005]
 references:
diff --git a/persistence/authentication-process/act-as-subauthentication-package-dll.yml b/persistence/authentication-process/act-as-subauthentication-package-dll.yml
index c0def1dd4..e27f1753f 100644
--- a/persistence/authentication-process/act-as-subauthentication-package-dll.yml
+++ b/persistence/authentication-process/act-as-subauthentication-package-dll.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/authentication-process
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002]
 references:
diff --git a/persistence/create-shortcut-via-ishelllink.yml b/persistence/create-shortcut-via-ishelllink.yml
index 94c2cbdad..e102cdc2e 100644
--- a/persistence/create-shortcut-via-ishelllink.yml
+++ b/persistence/create-shortcut-via-ishelllink.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, bytes features
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]
 references:
diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml
index ae24c8096..e61481268 100644
--- a/persistence/exchange/act-as-exchange-transport-agent.yml
+++ b/persistence/exchange/act-as-exchange-transport-agent.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/exchange
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Persistence::Server Software Component::Transport Agent [T1505.002]
 references:
diff --git a/persistence/iis/persist-via-iis-module.yml b/persistence/iis/persist-via-iis-module.yml
index cee74ded4..6e5f0f917 100644
--- a/persistence/iis/persist-via-iis-module.yml
+++ b/persistence/iis/persist-via-iis-module.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 description: IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters.
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Server Software Component::IIS Components [T1505.004]
 examples:
diff --git a/persistence/iis/persist-via-isapi-extension.yml b/persistence/iis/persist-via-isapi-extension.yml
index 89230c9b8..36ab99e5c 100644
--- a/persistence/iis/persist-via-isapi-extension.yml
+++ b/persistence/iis/persist-via-isapi-extension.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - william.ballenthin@mandiant.com
 description: Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests.
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Server Software Component::IIS Components [T1505.004]
 examples:
diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml
index 446bdcb92..e08ca0ba2 100644
--- a/persistence/office/act-as-excel-xll-add-in.yml
+++ b/persistence/office/act-as-excel-xll-add-in.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/office
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Office Application Startup::Add-ins [T1137.006]
 references:
diff --git a/persistence/office/act-as-office-com-add-in.yml b/persistence/office/act-as-office-com-add-in.yml
index bfb1dd094..d5004be97 100644
--- a/persistence/office/act-as-office-com-add-in.yml
+++ b/persistence/office/act-as-office-com-add-in.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/office
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires class features
 att&ck:
 - Persistence::Office Application Startup::Add-ins [T1137.006]
 references:
diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml
index 74bebc560..17e31d3b7 100644
--- a/persistence/office/act-as-word-wll-add-in.yml
+++ b/persistence/office/act-as-word-wll-add-in.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/office
 authors:
 - jakub.jozwiak@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires export features
 att&ck:
 - Persistence::Office Application Startup::Add-ins [T1137.006]
 references:
diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml
index 3a1ed3423..801c1f052 100644
--- a/persistence/persist-via-desktop-autostart.yml
+++ b/persistence/persist-via-desktop-autostart.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]
 examples:
diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml
index 73ecb0f2c..1032e253f 100644
--- a/persistence/persist-via-shell-profile-or-rc-file.yml
+++ b/persistence/persist-via-shell-profile-or-rc-file.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004]
 examples:
diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
index 42872d58f..148fe4b14 100644
--- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
+++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry/appinitdlls
 authors:
 - william.ballenthin@fireye.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
diff --git a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
index 69863387c..cfb1434d4 100644
--- a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
+++ b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry/appinitdlls
 authors:
 - michael.hunhoff@fireye.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
 references:
diff --git a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
index 0ae9335ed..baefc359f 100644
--- a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
+++ b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry/ginadll
 authors:
 - michael.hunhoff@fireye.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Event Triggered Execution [T1546]
 examples:
diff --git a/persistence/registry/persist-via-active-setup-registry-key.yml b/persistence/registry/persist-via-active-setup-registry-key.yml
index 64628d2a9..ea62c7538 100644
--- a/persistence/registry/persist-via-active-setup-registry-key.yml
+++ b/persistence/registry/persist-via-active-setup-registry-key.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014]
 references:
diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml
index 0f11f5228..578104933 100644
--- a/persistence/registry/run/persist-via-run-registry-key.yml
+++ b/persistence/registry/run/persist-via-run-registry-key.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry/run
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 mbc:
diff --git a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
index b11e8819e..57d7e4cf7 100644
--- a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
+++ b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/registry/winlogon-helper
 authors:
 - 0x534a@mailbox.org
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004]
 examples:
diff --git a/persistence/scheduled-tasks/schedule-task-via-at.yml b/persistence/scheduled-tasks/schedule-task-via-at.yml
index ad25216ed..612feb848 100644
--- a/persistence/scheduled-tasks/schedule-task-via-at.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-at.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/scheduled-tasks
 authors:
 - joren485
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Scheduled Task/Job::At [T1053.002]
 examples:
diff --git a/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml b/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml
index 5c20d31d3..b7dccb4c6 100644
--- a/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/scheduled-tasks
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires offset, bytes features
 att&ck:
 - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
 examples:
diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
index da75b2be9..a6f229805 100644
--- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
+++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/scheduled-tasks
 authors:
 - 0x534a@mailbox.org
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
 examples:
diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml
index 1d4c6b0a0..c4b87720e 100644
--- a/persistence/service/persist-via-rc-script.yml
+++ b/persistence/service/persist-via-rc-script.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/service
 authors:
 - joakim@intezer.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004]
 examples:
diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml
index a7b307866..f9fb74848 100644
--- a/persistence/service/persist-via-windows-service.yml
+++ b/persistence/service/persist-via-windows-service.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/service
 authors:
 - moritz.raabe@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unspecified # TODO upgrade manually, contains subscope
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/persistence/startup-folder/get-startup-folder.yml b/persistence/startup-folder/get-startup-folder.yml
index bc6717947..a2bf3100b 100644
--- a/persistence/startup-folder/get-startup-folder.yml
+++ b/persistence/startup-folder/get-startup-folder.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/startup-folder
 authors:
 - matthew.williams@mandiant.com
- scope: basic block
+ scopes:
+ static: basic block
+ dynamic: thread # TODO check if scope call instead
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 examples:
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 7ac1c0597..88a649597 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -4,7 +4,9 @@ rule:
 namespace: persistence/startup-folder
 authors:
 - matthew.williams@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 examples:
diff --git a/runtime/dotnet/compiled-to-the-dotnet-platform.yml b/runtime/dotnet/compiled-to-the-dotnet-platform.yml
index 661c7fa6f..869a0918a 100644
--- a/runtime/dotnet/compiled-to-the-dotnet-platform.yml
+++ b/runtime/dotnet/compiled-to-the-dotnet-platform.yml
@@ -4,7 +4,9 @@ rule:
 namespace: runtime/dotnet
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - b9f5bd514485fb06da39beff051b9fdc
 features:
diff --git a/runtime/dotnet/execute-via-dotnet-startup-hook.yml b/runtime/dotnet/execute-via-dotnet-startup-hook.yml
index f3e1b6bbe..ad5e3cd80 100644
--- a/runtime/dotnet/execute-via-dotnet-startup-hook.yml
+++ b/runtime/dotnet/execute-via-dotnet-startup-hook.yml
@@ -4,7 +4,9 @@ rule:
 namespace: runtime/dotnet
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: unsupported # requires function-name features
 references:
 - https://rastamouse.me/net-startup-hooks/
 - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md
diff --git a/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml b/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml
index 2d150e12a..d82caa4a6 100644
--- a/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml
+++ b/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/automated-teller-machine/diebold-nixdorf
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html
 examples:
diff --git a/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml b/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml
index 4d455449e..5988d1b16 100644
--- a/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml
+++ b/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/automated-teller-machine/diebold-nixdorf
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.mandiant.com/resources/new-ploutus-variant
 examples:
diff --git a/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml b/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml
index 4c8b495a6..52cea4958 100644
--- a/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml
+++ b/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/automated-teller-machine
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://doc.axxonsoft.com/confluence/display/atm70en/Configuring+the+connection+to+the+dispenser+service+provider
 examples:
diff --git a/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml b/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml
index bd47629a7..5d733dd4b 100644
--- a/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml
+++ b/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/automated-teller-machine/ncr
 authors:
 - william.ballenthin@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
 examples:
diff --git a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
index a0973a996..7354fd6e4 100644
--- a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
+++ b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/automated-teller-machine/ncr
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 references:
 - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
 examples:
diff --git a/targeting/language/identify-system-language-via-api.yml b/targeting/language/identify-system-language-via-api.yml
index 6645fc322..7ba9a0a21 100644
--- a/targeting/language/identify-system-language-via-api.yml
+++ b/targeting/language/identify-system-language-via-api.yml
@@ -4,7 +4,9 @@ rule:
 namespace: targeting/language
 authors:
 - william.ballenthin@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples:
From e18704545a6ed99b00c96ac581d857e3735c83f6 Mon Sep 17 00:00:00 2001
From: mr-tz Date: Thu, 26 Oct 2023 10:26:08 +0200 Subject: [PATCH 02/15] fix call/thread scopes manually --- ...ns-on-executable-memory-pages-using-arbitrary-code-guard.yml | 2 +- anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml | 2 +- .../protect-spawned-processes-with-mitigation-policies.yml | 2 +- .../debugger-detection/check-for-outputdebugstring-error.yml | 2 +- .../debugger-detection/check-for-unexpected-memory-writes.yml | 2 +- .../debugger-detection/check-processdebugport.yml | 2 +- .../anti-forensic/crash-the-windows-event-logging-service.yml | 2 +- anti-analysis/anti-forensic/spoof-parent-pid.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-device.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-process-name.yml | 2 +- .../string/stackstring/contain-obfuscated-stackstrings.yml | 2 +- anti-analysis/packer/generic/packed-with-generic-packer.yml | 2 +- .../acquire-credentials-from-windows-credential-manager.yml | 2 +- collection/keylog/log-keystrokes-via-application-hook.yml | 2 +- .../network/capture-network-configuration-via-ipconfig.yml | 2 +- .../http/client/get-http-response-content-encoding.yml | 2 +- communication/http/client/send-file-via-http.yml | 2 +- communication/http/client/send-http-request.yml | 2 +- communication/http/get-http-content-length.yml | 2 +- communication/ip/convert-ip-address-from-string.yml | 2 +- communication/named-pipe/write/write-pipe.yml | 2 +- communication/receive-data.yml | 2 +- communication/send-data.yml | 2 +- communication/socket/create-raw-socket.yml | 2 +- communication/socket/create-vmci-socket.yml | 2 +- communication/socket/tcp/create-tcp-socket.yml | 2 +- communication/socket/udp/send/create-udp-socket.yml | 2 +- communication/tcp/client/act-as-tcp-client.yml | 2 +- communication/tcp/serve/start-tcp-server.yml | 2 +- compiler/py2exe/compiled-with-py2exe.yml | 2 +- .../luhn/validate-payment-card-number-using-luhn-algorithm.yml | 2 +- 
.../encoding/base64/decode-data-using-base64-via-winapi.yml | 2 +- .../encoding/base64/encode-data-using-base64-via-winapi.yml | 2 +- data-manipulation/encoding/base64/encode-data-using-base64.yml | 2 +- .../encryption/get-outbound-credentials-handle-via-credssp.yml | 2 +- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 2 +- host-interaction/bootloader/disable-code-signing.yml | 2 +- host-interaction/cli/resolve-path-using-msvcrt.yml | 2 +- host-interaction/driver/install-driver.yml | 2 +- .../environment-variable/get-comspec-environment-variable.yml | 2 +- .../file-system/change-file-permission-on-linux.yml | 2 +- .../file-system/files/list/enumerate-files-recursively.yml | 2 +- .../file-system/get-file-system-object-information.yml | 2 +- host-interaction/file-system/get-program-files-directory.yml | 2 +- .../get-windows-directory-from-kuser_shared_data.yml | 2 +- host-interaction/file-system/meta/get-file-attributes.yml | 2 +- host-interaction/file-system/meta/set-file-attributes.yml | 2 +- host-interaction/file-system/read/read-file-on-windows.yml | 2 +- .../file-system/reference-absolute-stream-path-on-windows.yml | 2 +- .../windows-file-protection/bypass-windows-file-protection.yml | 2 +- host-interaction/filter/register-minifilter-driver.yml | 2 +- host-interaction/filter/start-minifilter-driver.yml | 2 +- host-interaction/gui/logon/references-logon-banner.yml | 2 +- host-interaction/gui/session/wallpaper/change-the-wallpaper.yml | 2 +- host-interaction/gui/taskbar/find/find-taskbar.yml | 2 +- host-interaction/gui/window/hide/hide-graphical-window.yml | 2 +- host-interaction/hardware/cpu/get-cpu-information.yml | 2 +- host-interaction/hardware/memory/get-memory-information.yml | 2 +- host-interaction/mutex/check-mutex.yml | 2 +- host-interaction/mutex/lock-file.yml | 2 +- host-interaction/os/version/get-linux-distribution.yml | 2 +- host-interaction/process/create/create-process-on-linux.yml | 2 +- 
host-interaction/process/create/create-process-on-windows.yml | 2 +- host-interaction/process/create/create-process-suspended.yml | 2 +- .../process/dump/create-process-memory-minidump.yml | 2 +- host-interaction/process/get-process-heap-flags.yml | 2 +- host-interaction/process/get-process-heap-force-flags.yml | 2 +- .../list/enumerate-processes-via-ntquerysysteminformation.yml | 2 +- host-interaction/process/list/get-explorer-pid.yml | 2 +- host-interaction/process/modify/acquire-debug-privileges.yml | 2 +- .../process/terminate/terminate-process-via-kill.yml | 2 +- host-interaction/process/terminate/terminate-process.yml | 2 +- host-interaction/registry/create/set-registry-value.yml | 2 +- host-interaction/session/get-user-security-identifier.yml | 2 +- host-interaction/thread/create/create-thread.yml | 2 +- host-interaction/thread/resume/resume-thread.yml | 2 +- host-interaction/thread/suspend/suspend-thread.yml | 2 +- host-interaction/thread/terminate/terminate-thread.yml | 2 +- lib/allocate-memory.yml | 2 +- lib/change-memory-protection.yml | 2 +- lib/create-or-open-file.yml | 2 +- lib/create-or-open-registry-key.yml | 2 +- lib/delay-execution.yml | 2 +- lib/duplicate-stdin-and-stdout.yml | 2 +- lib/get-os-version.yml | 2 +- lib/open-process.yml | 2 +- lib/open-thread.yml | 2 +- linking/runtime-linking/link-many-functions-at-runtime.yml | 2 +- load-code/dotnet/load-windows-common-language-runtime.yml | 2 +- nursery/add-user-account-group.yml | 2 +- nursery/add-user-account-to-group.yml | 2 +- nursery/add-user-account.yml | 2 +- nursery/build-docker-image.yml | 2 +- nursery/capture-network-configuration-via-ifconfig.yml | 2 +- nursery/change-user-account-password.yml | 2 +- nursery/check-for-windows-sandbox-via-mutex.yml | 2 +- nursery/check-for-windows-sandbox-via-subdirectory.yml | 2 +- nursery/check-processdebugflags.yml | 2 +- nursery/check-systemkerneldebuggerinformation.yml | 2 +- nursery/collect-ssh-keys.yml | 2 +- 
...mmunicate-with-kernel-module-via-netlink-socket-on-linux.yml | 2 +- nursery/compare-security-identifiers.yml | 2 +- nursery/create-container.yml | 2 +- nursery/create-zip-archive-in-dotnet.yml | 2 +- nursery/decrypt-data-via-sspi.yml | 2 +- nursery/delete-user-account-from-group.yml | 2 +- nursery/delete-user-account-group.yml | 2 +- nursery/delete-user-account.yml | 2 +- nursery/delete-windows-backup-catalog.yml | 2 +- nursery/disable-automatic-windows-recovery-features.yml | 2 +- nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 2 +- nursery/encrypt-data-via-sspi.yml | 2 +- nursery/enumerate-device-drivers-on-windows.yml | 2 +- nursery/enumerate-processes-via-procfs.yml | 2 +- nursery/extract-zip-archive-in-dotnet.yml | 2 +- nursery/get-client-handle-via-schannel.yml | 2 +- nursery/get-current-pid-on-linux.yml | 2 +- nursery/get-file-system-information-on-linux.yml | 2 +- nursery/get-http-request-uri.yml | 2 +- nursery/get-inbound-credentials-handle-via-credssp.yml | 2 +- nursery/get-mac-address-on-linux.yml | 2 +- nursery/get-password-database-entry-on-linux.yml | 2 +- nursery/get-process-image-filename.yml | 2 +- nursery/get-proxy.yml | 2 +- nursery/get-remote-cert-context-via-schannel.yml | 2 +- nursery/get-storage-device-properties.yml | 2 +- nursery/hash-data-using-md4.yml | 2 +- nursery/hash-data-using-sha1-via-wincrypt.yml | 2 +- nursery/interact-with-iptables.yml | 2 +- nursery/list-containers.yml | 2 +- nursery/list-domain-servers.yml | 2 +- nursery/list-groups-for-user-account.yml | 2 +- nursery/list-tcp-connections-and-listeners.yml | 2 +- nursery/list-udp-connections-and-listeners.yml | 2 +- nursery/list-user-account-groups.yml | 2 +- nursery/list-user-accounts-for-group.yml | 2 +- nursery/list-user-accounts.yml | 2 +- nursery/listen-for-remote-procedure-calls.yml | 2 +- nursery/make-an-http-request-with-a-cookie.yml | 2 +- nursery/mark-thread-detached-on-linux.yml | 2 +- nursery/monitor-clipboard-content.yml | 2 +- 
nursery/monitor-local-ipv4-address-changes.yml | 2 +-
nursery/parse-url.yml | 2 +-
nursery/persist-via-gnome-autostart-on-linux.yml | 2 +-
nursery/power-down-monitor.yml | 2 +-
nursery/query-remote-server-for-available-data.yml | 2 +-
nursery/reference-screen-saver-executable.yml | 2 +-
nursery/register-http-server-url.yml | 2 +-
nursery/register-raw-input-devices.yml | 2 +-
nursery/resize-volume-shadow-copy-storage.yml | 2 +-
nursery/run-in-container.yml | 2 +-
nursery/send-http-request-with-host-header.yml | 2 +-
nursery/set-global-application-hook.yml | 2 +-
nursery/set-thread-name-on-linux.yml | 2 +-
nursery/unmanaged-call.yml | 2 +-
persistence/persist-via-desktop-autostart.yml | 2 +-
persistence/persist-via-shell-profile-or-rc-file.yml | 2 +-
.../disable-appinit_dlls-code-signature-enforcement.yml | 2 +-
.../appinitdlls/persist-via-appinit_dlls-registry-key.yml | 2 +-
.../registry/ginadll/persist-via-ginadll-registry-key.yml | 2 +-
persistence/registry/persist-via-active-setup-registry-key.yml | 2 +-
persistence/registry/run/persist-via-run-registry-key.yml | 2 +-
.../persist-via-winlogon-helper-dll-registry-key.yml | 2 +-
persistence/scheduled-tasks/schedule-task-via-at.yml | 2 +-
persistence/scheduled-tasks/schedule-task-via-schtasks.yml | 2 +-
persistence/service/persist-via-rc-script.yml | 2 +-
persistence/startup-folder/get-startup-folder.yml | 2 +-
167 files changed, 167 insertions(+), 167 deletions(-)
diff --git a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
index 509313e89..3d19579e7 100644
--- a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
+++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
index f88c5428f..b8d988045 100644
--- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
+++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Anti-Behavioral Analysis::Virtual Machine Detection [B0009] - Anti-Behavioral Analysis::Sandbox Detection [B0007]
diff --git a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
index 1e23aaeb2..25e47fbb2 100644
--- a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
+++ b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
index 03726d770..22a2cbc99 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
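Review bot: The `+ dynamic: call` line of this hunk, like every other hunk in this patch, assigns a dynamic scope that nothing in the change exercises: the `examples:` entries visible in this chunk (convert-ip-address-from-string, compiled-with-py2exe, references-logon-banner) are static `hash:address` references only, so a scope chosen too narrowly would not be caught by the rule tests. Rules sharing `static: basic block` land on different dynamic scopes (this file moves to `call`, check-for-sandbox-and-av-modules in the next hunk stays on `thread`), which presumably follows from each rule's feature block, but those blocks are outside the hunks and the criterion is not stated in the commit message. For the rules whose scope value actually changes rather than merely losing the TODO (call to thread in check-for-outputdebugstring-error and get-explorer-pid; thread to call in the create-*-socket, create-process-*, decode-data-using-base64-via-winapi and enumerate-processes-via-ntquerysysteminformation hunks) I would add one dynamic example each, or at minimum record in the commit message how the script picks `call`, `thread` or `unsupported`, so that the removed `# TODO check if scope ... instead` markers are not the last trace of that uncertainty.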
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: thread mbc: - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
index 66dafe3b7..99cc8a35e 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010] references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
index 0e49e4792..f689e95bc 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references:
diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
index 44d865d50..5f0ad7240 100644
--- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
+++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] references:
diff --git a/anti-analysis/anti-forensic/spoof-parent-pid.yml b/anti-analysis/anti-forensic/spoof-parent-pid.yml
index 6b1344d76..44aab7dd1 100644
--- a/anti-analysis/anti-forensic/spoof-parent-pid.yml
+++ b/anti-analysis/anti-forensic/spoof-parent-pid.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004] references:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
index 4a5f2492d..387e61430 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
index b51b7e09b..cb7272951 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
index 2c038c892..5f112fa8d 100644
--- a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
+++ b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: unsupported att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] mbc:
diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml
index bfe3bec6f..f388bfddc 100644
--- a/anti-analysis/packer/generic/packed-with-generic-packer.yml
+++ b/anti-analysis/packer/generic/packed-with-generic-packer.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: unsupported att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc:
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 2d1dd88b2..7097dced6 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004] examples:
diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml
index 9473791f2..12b6e475e 100644
--- a/collection/keylog/log-keystrokes-via-application-hook.yml
+++ b/collection/keylog/log-keystrokes-via-application-hook.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Collection::Input Capture::Keylogging [T1056.001] mbc:
diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml
index 1135d4c28..f5733c488 100644
--- a/collection/network/capture-network-configuration-via-ipconfig.yml
+++ b/collection/network/capture-network-configuration-via-ipconfig.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples:
diff --git a/communication/http/client/get-http-response-content-encoding.yml b/communication/http/client/get-http-response-content-encoding.yml
index af83f7e07..00ee6b6ad 100644
--- a/communication/http/client/get-http-response-content-encoding.yml
+++ b/communication/http/client/get-http-response-content-encoding.yml
@@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples:
diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml
index 30b277cdb..ef552a977 100644
--- a/communication/http/client/send-file-via-http.yml
+++ b/communication/http/client/send-file-via-http.yml
@@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::HTTP Communication::Send Data [C0002.005] examples:
diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
index 1e3c06c87..8bc1aaf32 100644
--- a/communication/http/client/send-http-request.yml
+++ b/communication/http/client/send-http-request.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::HTTP Communication::Send Request [C0002.003] examples:
diff --git a/communication/http/get-http-content-length.yml b/communication/http/get-http-content-length.yml
index 2f55ea338..0e061db48 100644
--- a/communication/http/get-http-content-length.yml
+++ b/communication/http/get-http-content-length.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Communication::HTTP Communication [C0002] examples:
diff --git a/communication/ip/convert-ip-address-from-string.yml b/communication/ip/convert-ip-address-from-string.yml
index 99225e7dc..9008c8f5d 100644
--- a/communication/ip/convert-ip-address-from-string.yml
+++ b/communication/ip/convert-ip-address-from-string.yml
@@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call examples: - 0796F1C1EA0A142FC1EB7109A44C86CB:0x405D20 features:
diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml
index f3d78dd2c..53735f634 100644
--- a/communication/named-pipe/write/write-pipe.yml
+++ b/communication/named-pipe/write/write-pipe.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::Interprocess Communication::Write Pipe [C0003.004] examples:
diff --git a/communication/receive-data.yml b/communication/receive-data.yml
index 29d801784..8e52081fc 100644
--- a/communication/receive-data.yml
+++ b/communication/receive-data.yml
@@ -7,7 +7,7 @@ rule: description: all known techniques for receiving data from a potential C2 server scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Command and Control::C2 Communication::Receive Data [B0030.002] examples:
diff --git a/communication/send-data.yml b/communication/send-data.yml
index b972686a4..04982deaf 100644
--- a/communication/send-data.yml
+++ b/communication/send-data.yml
@@ -8,7 +8,7 @@ rule: description: all known techniques for sending data to a potential C2 server scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Command and Control::C2 Communication::Send Data [B0030.001] examples:
diff --git a/communication/socket/create-raw-socket.yml b/communication/socket/create-raw-socket.yml
index 758e1c58f..a22b5d84a 100644
--- a/communication/socket/create-raw-socket.yml
+++ b/communication/socket/create-raw-socket.yml
@@ -7,7 +7,7 @@ rule: - blas.kojusner@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call mbc: - Communication::Socket Communication::Create Socket [C0001.003] references:
diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml
index d040d94ed..ae3892249 100644
--- a/communication/socket/create-vmci-socket.yml
+++ b/communication/socket/create-vmci-socket.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::Socket Communication::Create Socket [C0001.003] references:
diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
index 3c8eb1273..3e5d0b5e7 100644
--- a/communication/socket/tcp/create-tcp-socket.yml
+++ b/communication/socket/tcp/create-tcp-socket.yml
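Review bot: The `+ dynamic: thread` kept for receive-data.yml (and for send-data.yml in the next hunk) needs a check that it encloses the dynamic scope of every rule these two aggregate: their descriptions say they cover all known techniques, which in this rule set is usually expressed through `match:` features, and those feature blocks lie outside the hunks. If any aggregated rule is moved to `dynamic: unsupported` elsewhere in this patch, that technique silently disappears from the dynamic result of these umbrella rules without any test noticing. A one-line comment on the scope such as `# must be at least as wide as the dynamic scope of every matched rule` would make the intent explicit; a lint that verifies the enclosing relationship would be better.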
@@ -9,7 +9,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call mbc: - Communication::Socket Communication::Create TCP Socket [C0001.011] examples:
diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml
index 573cf910d..039d6ee13 100644
--- a/communication/socket/udp/send/create-udp-socket.yml
+++ b/communication/socket/udp/send/create-udp-socket.yml
@@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call mbc: - Communication::Socket Communication::Create UDP Socket [C0001.010] examples:
diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
index 4c07ba005..f89560e99 100644
--- a/communication/tcp/client/act-as-tcp-client.yml
+++ b/communication/tcp/client/act-as-tcp-client.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::Socket Communication::TCP Client [C0001.008] examples:
diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
index 86a2fc1d9..f3996f22d 100644
--- a/communication/tcp/serve/start-tcp-server.yml
+++ b/communication/tcp/serve/start-tcp-server.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Communication::Socket Communication::Start TCP Server [C0001.005] examples:
diff --git a/compiler/py2exe/compiled-with-py2exe.yml b/compiler/py2exe/compiled-with-py2exe.yml
index 7d096c846..7cee2f145 100644
--- a/compiler/py2exe/compiled-with-py2exe.yml
+++ b/compiler/py2exe/compiled-with-py2exe.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call examples: - ed888dc2f04f5eac83d6d14088d002de:0x40194A features:
diff --git a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
index 262e534e2..e2764498f 100644
--- a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
+++ b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: unsupported mbc: - Data::Checksum::Luhn [C0032.002] examples:
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
index 107c5cdcd..d50f6c5b7 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] examples:
diff --git a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
index af2237c86..6e064c168 100644
--- a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
+++ b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] examples:
diff --git a/data-manipulation/encoding/base64/encode-data-using-base64.yml b/data-manipulation/encoding/base64/encode-data-using-base64.yml
index ea1d673b7..14588443a 100644
--- a/data-manipulation/encoding/base64/encode-data-using-base64.yml
+++ b/data-manipulation/encoding/base64/encode-data-using-base64.yml
@@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: unsupported att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc:
diff --git a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml
index e882c0bb5..e6cb95b26 100644
--- a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml
+++ b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml
@@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references:
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
index d94275d8e..8e125230e 100644
--- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule: - richard.weiss@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] references:
diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
index 468d98dd5..d116b6e0c 100644
--- a/host-interaction/bootloader/disable-code-signing.yml
+++ b/host-interaction/bootloader/disable-code-signing.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] examples:
diff --git a/host-interaction/cli/resolve-path-using-msvcrt.yml b/host-interaction/cli/resolve-path-using-msvcrt.yml
index 943b6ec45..1bd6919b1 100644
--- a/host-interaction/cli/resolve-path-using-msvcrt.yml
+++ b/host-interaction/cli/resolve-path-using-msvcrt.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::File and Directory Discovery [T1083] examples:
diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml
index dd719578b..1a721a75e 100644
--- a/host-interaction/driver/install-driver.yml
+++ b/host-interaction/driver/install-driver.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] mbc:
diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
index c112635d3..f5afed211 100644
--- a/host-interaction/environment-variable/get-comspec-environment-variable.yml
+++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] mbc:
diff --git a/host-interaction/file-system/change-file-permission-on-linux.yml b/host-interaction/file-system/change-file-permission-on-linux.yml
index 1426972d5..29bd1a331 100644
--- a/host-interaction/file-system/change-file-permission-on-linux.yml
+++ b/host-interaction/file-system/change-file-permission-on-linux.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call mbc: - File System::Set File Attributes [C0050] examples:
diff --git a/host-interaction/file-system/files/list/enumerate-files-recursively.yml b/host-interaction/file-system/files/list/enumerate-files-recursively.yml
index da40c643b..f995d147f 100644
--- a/host-interaction/file-system/files/list/enumerate-files-recursively.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-recursively.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: unsupported att&ck: - Discovery::File and Directory Discovery [T1083] mbc:
diff --git a/host-interaction/file-system/get-file-system-object-information.yml b/host-interaction/file-system/get-file-system-object-information.yml
index 302b337df..88da44796 100644
--- a/host-interaction/file-system/get-file-system-object-information.yml
+++ b/host-interaction/file-system/get-file-system-object-information.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::File and Directory Discovery [T1083] examples:
diff --git a/host-interaction/file-system/get-program-files-directory.yml b/host-interaction/file-system/get-program-files-directory.yml
index a6d5e30c6..5f8418b87 100644
--- a/host-interaction/file-system/get-program-files-directory.yml
+++ b/host-interaction/file-system/get-program-files-directory.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Discovery::File and Directory Discovery [T1083] examples:
diff --git a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
index 8620abefb..d45d2cc95 100644
--- a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
+++ b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
@@ -6,7 +6,7 @@ rule: - david.cannings@pwc.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: unsupported references: - http://www.rohitab.com/discuss/topic/42325-the-kuser-shared-data-structure/ - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm
diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml
index 327674dfb..5d84150cc 100644
--- a/host-interaction/file-system/meta/get-file-attributes.yml
+++ b/host-interaction/file-system/meta/get-file-attributes.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - File System::Get File Attributes [C0049] examples:
diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml
index 228946c36..52b57bfec 100644
--- a/host-interaction/file-system/meta/set-file-attributes.yml
+++ b/host-interaction/file-system/meta/set-file-attributes.yml
@@ -8,7 +8,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Defense Evasion::File and Directory Permissions Modification [T1222] mbc:
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
index 484eead05..e04212ade 100644
--- a/host-interaction/file-system/read/read-file-on-windows.yml
+++ b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - File System::Read File [C0051] examples:
diff --git a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
index 3a1f2939d..599f9b5fd 100644
--- a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
+++ b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml
@@ -7,7 +7,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call references: - https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams examples:
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
index 3a346b8ca..e6ccaa074 100644
--- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
+++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007] examples:
diff --git a/host-interaction/filter/register-minifilter-driver.yml b/host-interaction/filter/register-minifilter-driver.yml
index 1da57ba45..01e106ed6 100644
--- a/host-interaction/filter/register-minifilter-driver.yml
+++ b/host-interaction/filter/register-minifilter-driver.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Hardware::Install Driver::Minifilter [C0037.001] references:
diff --git a/host-interaction/filter/start-minifilter-driver.yml b/host-interaction/filter/start-minifilter-driver.yml
index ab1318f8d..efb3f314a 100644
--- a/host-interaction/filter/start-minifilter-driver.yml
+++ b/host-interaction/filter/start-minifilter-driver.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Hardware::Load Driver::Minifilter [C0023.001] references:
diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml
index bcff45f2d..b05623f14 100644
--- a/host-interaction/gui/logon/references-logon-banner.yml
+++ b/host-interaction/gui/logon/references-logon-banner.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread examples: - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC features:
diff --git a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
index 68486ff38..f8999877b 100644
--- a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
+++ b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Operating System::Wallpaper [C0035] examples:
diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml
index ec3210aba..8e6bb7450 100644
--- a/host-interaction/gui/taskbar/find/find-taskbar.yml
+++ b/host-interaction/gui/taskbar/find/find-taskbar.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Discovery::Taskbar Discovery [B0043] examples:
diff --git a/host-interaction/gui/window/hide/hide-graphical-window.yml b/host-interaction/gui/window/hide/hide-graphical-window.yml
index d08248103..be2c1a666 100644
--- a/host-interaction/gui/window/hide/hide-graphical-window.yml
+++ b/host-interaction/gui/window/hide/hide-graphical-window.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003] examples:
diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml
index 653d595b1..fce00394c 100644
--- a/host-interaction/hardware/cpu/get-cpu-information.yml
+++ b/host-interaction/hardware/cpu/get-cpu-information.yml
@@ -7,7 +7,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples:
diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml
index fcc653fee..37203b52b 100644
--- a/host-interaction/hardware/memory/get-memory-information.yml
+++ b/host-interaction/hardware/memory/get-memory-information.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples:
diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml
index ff5528a6d..c9929ff95 100644
--- a/host-interaction/mutex/check-mutex.yml
+++ b/host-interaction/mutex/check-mutex.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread mbc: - Process::Check Mutex [C0043] examples:
diff --git a/host-interaction/mutex/lock-file.yml b/host-interaction/mutex/lock-file.yml
index 795e862ce..280ceb7f6 100644
--- a/host-interaction/mutex/lock-file.yml
+++ b/host-interaction/mutex/lock-file.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call mbc: - Process::Create Mutex [C0042] examples:
diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml
index a1a02e723..12b0cfdab 100644
--- a/host-interaction/os/version/get-linux-distribution.yml
+++ b/host-interaction/os/version/get-linux-distribution.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples:
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml
index 9126da316..7fdd46a6d 100644
--- a/host-interaction/process/create/create-process-on-linux.yml
+++ b/host-interaction/process/create/create-process-on-linux.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call mbc: - Process::Create Process [C0017] examples:
diff --git a/host-interaction/process/create/create-process-on-windows.yml b/host-interaction/process/create/create-process-on-windows.yml
index c72689fca..385e69d94 100644
--- a/host-interaction/process/create/create-process-on-windows.yml
+++ b/host-interaction/process/create/create-process-on-windows.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Create Process [C0017]
 examples:
diff --git a/host-interaction/process/create/create-process-suspended.yml b/host-interaction/process/create/create-process-suspended.yml
index 92f12702a..e321877fe 100644
--- a/host-interaction/process/create/create-process-suspended.yml
+++ b/host-interaction/process/create/create-process-suspended.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 mbc:
 - Process::Create Process::Create Suspended Process [C0017.003]
 examples:
diff --git a/host-interaction/process/dump/create-process-memory-minidump.yml b/host-interaction/process/dump/create-process-memory-minidump.yml
index caf81379e..27b7f4959 100644
--- a/host-interaction/process/dump/create-process-memory-minidump.yml
+++ b/host-interaction/process/dump/create-process-memory-minidump.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/process/get-process-heap-flags.yml b/host-interaction/process/get-process-heap-flags.yml
index 2a097d7ee..f5ac9a96e 100644
--- a/host-interaction/process/get-process-heap-flags.yml
+++ b/host-interaction/process/get-process-heap-flags.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: unsupported
 att&ck:
 - Discovery::Process Discovery [T1057]
 references:
diff --git a/host-interaction/process/get-process-heap-force-flags.yml b/host-interaction/process/get-process-heap-force-flags.yml
index 3aac485f2..9ffc6cc47 100644
--- a/host-interaction/process/get-process-heap-force-flags.yml
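Review bot: The switch to `dynamic: unsupported` in get-process-heap-flags.yml drops the only comment on the line, so a later reader cannot tell whether "unsupported" is a deliberate statement that the rule's features have no dynamic equivalent or a placeholder the script emitted; the rule's features are outside the hunk, so I cannot confirm which it is. A one-line rationale on the new side would preserve that, e.g. `dynamic: unsupported # <why this rule cannot be expressed with dynamic features>`. The same applies to the other hunks in this patch that introduce `unsupported`: get-process-heap-force-flags.yml, load-windows-common-language-runtime.yml, create-zip-archive-in-dotnet.yml and extract-zip-archive-in-dotnet.yml.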
+++ b/host-interaction/process/get-process-heap-force-flags.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: unsupported
 att&ck:
 - Discovery::Process Discovery [T1057]
 references:
diff --git a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml
index 256f8fd21..54eb9adcb 100644
--- a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml
+++ b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml
index 06877e821..1ec555cb0 100644
--- a/host-interaction/process/list/get-explorer-pid.yml
+++ b/host-interaction/process/list/get-explorer-pid.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: thread
 att&ck:
 - Discovery::Process Discovery [T1057]
 references:
diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml
index 73422e1a1..97bc43ea8 100644
--- a/host-interaction/process/modify/acquire-debug-privileges.yml
+++ b/host-interaction/process/modify/acquire-debug-privileges.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Privilege Escalation::Access Token Manipulation [T1134]
 examples:
diff --git a/host-interaction/process/terminate/terminate-process-via-kill.yml b/host-interaction/process/terminate/terminate-process-via-kill.yml
index 75ff517d5..6d957da69 100644
--- a/host-interaction/process/terminate/terminate-process-via-kill.yml
+++ b/host-interaction/process/terminate/terminate-process-via-kill.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 mbc:
 - Process::Terminate Process [C0018]
 examples:
diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml
index c29a3c300..5e5197c48 100644
--- a/host-interaction/process/terminate/terminate-process.yml
+++ b/host-interaction/process/terminate/terminate-process.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 mbc:
 - Process::Terminate Process [C0018]
 examples:
diff --git a/host-interaction/registry/create/set-registry-value.yml b/host-interaction/registry/create/set-registry-value.yml
index c2091ed78..866a753b3 100644
--- a/host-interaction/registry/create/set-registry-value.yml
+++ b/host-interaction/registry/create/set-registry-value.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 mbc:
 - Operating System::Registry::Set Registry Key [C0036.001]
 examples:
diff --git a/host-interaction/session/get-user-security-identifier.yml b/host-interaction/session/get-user-security-identifier.yml
index bf2c6ea4b..5cad60c86 100644
--- a/host-interaction/session/get-user-security-identifier.yml
+++ b/host-interaction/session/get-user-security-identifier.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Discovery::Account Discovery [T1087]
 examples:
diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml
index 3351bfb4a..ba08897e8 100644
--- a/host-interaction/thread/create/create-thread.yml
+++ b/host-interaction/thread/create/create-thread.yml
@@ -9,7 +9,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 mbc:
 - Process::Create Thread [C0038]
 examples:
diff --git a/host-interaction/thread/resume/resume-thread.yml b/host-interaction/thread/resume/resume-thread.yml
index 26a4ee934..546c57fa5 100644
--- a/host-interaction/thread/resume/resume-thread.yml
+++ b/host-interaction/thread/resume/resume-thread.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Resume Thread [C0054]
 examples:
diff --git a/host-interaction/thread/suspend/suspend-thread.yml b/host-interaction/thread/suspend/suspend-thread.yml
index f3edf003c..e7c8c3143 100644
--- a/host-interaction/thread/suspend/suspend-thread.yml
+++ b/host-interaction/thread/suspend/suspend-thread.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Suspend Thread [C0055]
 examples:
diff --git a/host-interaction/thread/terminate/terminate-thread.yml b/host-interaction/thread/terminate/terminate-thread.yml
index 3bf7356c8..ecc91665e 100644
--- a/host-interaction/thread/terminate/terminate-thread.yml
+++ b/host-interaction/thread/terminate/terminate-thread.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Terminate Thread [C0039]
 examples:
diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml
index 729b15d50..def1265d1 100644
--- a/lib/allocate-memory.yml
+++ b/lib/allocate-memory.yml
@@ -7,7 +7,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 mbc:
 - Memory::Allocate Memory [C0007]
 examples:
diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml
index 3544fefa8..229fd754f 100644
--- a/lib/change-memory-protection.yml
+++ b/lib/change-memory-protection.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 mbc:
 - Memory::Change Memory Protection [C0008]
 examples:
diff --git a/lib/create-or-open-file.yml b/lib/create-or-open-file.yml
index def162e81..a8d99ab95 100644
--- a/lib/create-or-open-file.yml
+++ b/lib/create-or-open-file.yml
@@ -7,7 +7,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - File System::Create File [C0016]
 examples:
diff --git a/lib/create-or-open-registry-key.yml b/lib/create-or-open-registry-key.yml
index 58c2a1436..b5a49ff88 100644
--- a/lib/create-or-open-registry-key.yml
+++ b/lib/create-or-open-registry-key.yml
@@ -7,7 +7,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Operating System::Registry::Create Registry Key [C0036.004]
 - Operating System::Registry::Open Registry Key [C0036.003]
diff --git a/lib/delay-execution.yml b/lib/delay-execution.yml
index 35079b7fa..50da58610 100644
--- a/lib/delay-execution.yml
+++ b/lib/delay-execution.yml
@@ -7,7 +7,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 mbc:
 - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]
 references:
diff --git a/lib/duplicate-stdin-and-stdout.yml b/lib/duplicate-stdin-and-stdout.yml
index 84091724a..0af79eafb 100644
--- a/lib/duplicate-stdin-and-stdout.yml
+++ b/lib/duplicate-stdin-and-stdout.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 examples:
 - 7351f8a40c5450557b24622417fc478d:0x40236D
 features:
diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml
index ffae798ca..2cb26218d 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 examples:
 - 493167E85E45363D09495D0841C30648:0x401000
 - 5f66b82558ca92e54e77f216ef4c066c:0x44580A
diff --git a/lib/open-process.yml b/lib/open-process.yml
index 7981b6891..4abc2a2d1 100644
--- a/lib/open-process.yml
+++ b/lib/open-process.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Open Process [C0065]
 examples:
diff --git a/lib/open-thread.yml b/lib/open-thread.yml
index a08e99cad..e24517b0d 100644
--- a/lib/open-thread.yml
+++ b/lib/open-thread.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Process::Open Thread [C0066]
 examples:
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
index 2e14ff7fd..4ac809efe 100644
--- a/linking/runtime-linking/link-many-functions-at-runtime.yml
+++ b/linking/runtime-linking/link-many-functions-at-runtime.yml
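Review bot: In the lib/get-os-version.yml hunk the context line `- 493167E85E45363D09495D0841C30648:0x401000` spells the example hash in uppercase hex while every other example hash in this patch (the neighbouring `5f66b82558ca92e54e77f216ef4c066c:0x44580A`, `7351f8a40c5450557b24622417fc478d:0x40236D` in lib/duplicate-stdin-and-stdout.yml) is lowercase. Since the script already rewrites this file, normalising the line to `- 493167e85e45363d09495d0841c30648:0x401000` would keep example identifiers consistent for anyone matching them against sample names. This is a style point only; the commit does not touch that line.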
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml
index 2dae108ec..361969837 100644
--- a/load-code/dotnet/load-windows-common-language-runtime.yml
+++ b/load-code/dotnet/load-windows-common-language-runtime.yml
@@ -9,7 +9,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: unsupported
 references:
 - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
 - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c
diff --git a/nursery/add-user-account-group.yml b/nursery/add-user-account-group.yml
index cd994eeb0..9ff12252d 100644
--- a/nursery/add-user-account-group.yml
+++ b/nursery/add-user-account-group.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/add-user-account-to-group.yml b/nursery/add-user-account-to-group.yml
index e3f1bf243..fb4993a7b 100644
--- a/nursery/add-user-account-to-group.yml
+++ b/nursery/add-user-account-to-group.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/add-user-account.yml b/nursery/add-user-account.yml
index 75ddd15f1..540561736 100644
--- a/nursery/add-user-account.yml
+++ b/nursery/add-user-account.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Create Account [T1136]
 features:
diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml
index 7616ae77b..cdf1dc0e5 100644
--- a/nursery/build-docker-image.yml
+++ b/nursery/build-docker-image.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Defense Evasion::Build Image on Host [T1612]
 references:
diff --git a/nursery/capture-network-configuration-via-ifconfig.yml b/nursery/capture-network-configuration-via-ifconfig.yml
index 42db889cd..8a4b2b806 100644
--- a/nursery/capture-network-configuration-via-ifconfig.yml
+++ b/nursery/capture-network-configuration-via-ifconfig.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezeer.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 features:
diff --git a/nursery/change-user-account-password.yml b/nursery/change-user-account-password.yml
index 613c92d74..f33875769 100644
--- a/nursery/change-user-account-password.yml
+++ b/nursery/change-user-account-password.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml
index ea7c20da1..9e16518a0 100644
--- a/nursery/check-for-windows-sandbox-via-mutex.yml
+++ b/nursery/check-for-windows-sandbox-via-mutex.yml
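Review bot: The author line in the nursery/capture-network-configuration-via-ifconfig.yml hunk reads `- joakim@intezeer.com`, which looks like a typo of the `joakim@intezer.com` used by every other rule from that author in this patch (get-cpu-information.yml, lock-file.yml, terminate-process-via-kill.yml and others). It is a context line the commit does not change, but since the script is already rewriting this file's scopes block it would be a cheap fix to correct it to `- joakim@intezer.com` in the same pass. I cannot see the rest of the rule, so if the address is intentional, disregard.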
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml
index 6fd4a564b..d5dba2457 100644
--- a/nursery/check-for-windows-sandbox-via-subdirectory.yml
+++ b/nursery/check-for-windows-sandbox-via-subdirectory.yml
@@ -6,7 +6,7 @@ rule:
 - "echernofsky@google.com"
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/nursery/check-processdebugflags.yml b/nursery/check-processdebugflags.yml
index da33fa7d2..1b1609a72 100644
--- a/nursery/check-processdebugflags.yml
+++ b/nursery/check-processdebugflags.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
 references:
diff --git a/nursery/check-systemkerneldebuggerinformation.yml b/nursery/check-systemkerneldebuggerinformation.yml
index 6efbce87c..81b565fac 100644
--- a/nursery/check-systemkerneldebuggerinformation.yml
+++ b/nursery/check-systemkerneldebuggerinformation.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml
index f388e18fb..644e61aed 100644
--- a/nursery/collect-ssh-keys.yml
+++ b/nursery/collect-ssh-keys.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Credential Access::Unsecured Credentials::Private Keys [T1552.004]
 features:
diff --git a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
index 76f9cbd9a..f8edc1d8e 100644
--- a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
+++ b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
@@ -7,7 +7,7 @@ rule:
 description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 features:
 - and:
 - os: linux
diff --git a/nursery/compare-security-identifiers.yml b/nursery/compare-security-identifiers.yml
index 31e8aec81..382ca67ed 100644
--- a/nursery/compare-security-identifiers.yml
+++ b/nursery/compare-security-identifiers.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 features:
 - or:
 - api: advapi32.EqualSid
diff --git a/nursery/create-container.yml b/nursery/create-container.yml
index 8198ff92f..e047c0977 100644
--- a/nursery/create-container.yml
+++ b/nursery/create-container.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Execution::Deploy Container [T1610]
 references:
diff --git a/nursery/create-zip-archive-in-dotnet.yml b/nursery/create-zip-archive-in-dotnet.yml
index e2ab4ca80..efa390387 100644
--- a/nursery/create-zip-archive-in-dotnet.yml
+++ b/nursery/create-zip-archive-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: unsupported
 features:
 - and:
 - optional:
diff --git a/nursery/decrypt-data-via-sspi.yml b/nursery/decrypt-data-via-sspi.yml
index acf79c52a..18bf9802c 100644
--- a/nursery/decrypt-data-via-sspi.yml
+++ b/nursery/decrypt-data-via-sspi.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 references:
diff --git a/nursery/delete-user-account-from-group.yml b/nursery/delete-user-account-from-group.yml
index fbe55d0b3..e4dba36c0 100644
--- a/nursery/delete-user-account-from-group.yml
+++ b/nursery/delete-user-account-from-group.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/delete-user-account-group.yml b/nursery/delete-user-account-group.yml
index 29a88fe3f..e31981d58 100644
--- a/nursery/delete-user-account-group.yml
+++ b/nursery/delete-user-account-group.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Persistence::Account Manipulation [T1098]
 features:
diff --git a/nursery/delete-user-account.yml b/nursery/delete-user-account.yml
index 7c7756a86..bb6ec1665 100644
--- a/nursery/delete-user-account.yml
+++ b/nursery/delete-user-account.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Impact::Account Access Removal [T1531]
 features:
diff --git a/nursery/delete-windows-backup-catalog.yml b/nursery/delete-windows-backup-catalog.yml
index a2b5955ed..992ade400 100644
--- a/nursery/delete-windows-backup-catalog.yml
+++ b/nursery/delete-windows-backup-catalog.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Impact::Inhibit System Recovery [T1490]
 features:
diff --git a/nursery/disable-automatic-windows-recovery-features.yml b/nursery/disable-automatic-windows-recovery-features.yml
index 7b09ae60a..090c0d756 100644
--- a/nursery/disable-automatic-windows-recovery-features.yml
+++ b/nursery/disable-automatic-windows-recovery-features.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 att&ck:
 - Impact::Inhibit System Recovery [T1490]
 features:
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index 5339b2fa1..094e83d2a 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -6,7 +6,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/nursery/encrypt-data-via-sspi.yml b/nursery/encrypt-data-via-sspi.yml
index 74f979956..2a888525a 100644
--- a/nursery/encrypt-data-via-sspi.yml
+++ b/nursery/encrypt-data-via-sspi.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 references:
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
index 2c74149d0..8288e507b 100644
--- a/nursery/enumerate-device-drivers-on-windows.yml
+++ b/nursery/enumerate-device-drivers-on-windows.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Discovery::Device Driver Discovery [T1652]
 references:
diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml
index 91f9e8ba6..3914c2a87 100644
--- a/nursery/enumerate-processes-via-procfs.yml
+++ b/nursery/enumerate-processes-via-procfs.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/nursery/extract-zip-archive-in-dotnet.yml b/nursery/extract-zip-archive-in-dotnet.yml
index 383bc4903..56805ee3f 100644
--- a/nursery/extract-zip-archive-in-dotnet.yml
+++ b/nursery/extract-zip-archive-in-dotnet.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: unsupported
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 features:
diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml
index e51616f24..ae2eb5dfd 100644
--- a/nursery/get-client-handle-via-schannel.yml
+++ b/nursery/get-client-handle-via-schannel.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 references:
diff --git a/nursery/get-current-pid-on-linux.yml b/nursery/get-current-pid-on-linux.yml
index 407dba18a..c90b87f9d 100644
--- a/nursery/get-current-pid-on-linux.yml
+++ b/nursery/get-current-pid-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 features:
 - and:
 - os: linux
diff --git a/nursery/get-file-system-information-on-linux.yml b/nursery/get-file-system-information-on-linux.yml
index 0e8c1d518..b65b3f909 100644
--- a/nursery/get-file-system-information-on-linux.yml
+++ b/nursery/get-file-system-information-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 features:
 - and:
 - os: linux
diff --git a/nursery/get-http-request-uri.yml b/nursery/get-http-request-uri.yml
index 2cc5d889d..30f172dbc 100644
--- a/nursery/get-http-request-uri.yml
+++ b/nursery/get-http-request-uri.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 mbc:
 - Communication::HTTP Communication [C0002]
 features:
diff --git a/nursery/get-inbound-credentials-handle-via-credssp.yml b/nursery/get-inbound-credentials-handle-via-credssp.yml
index 7f32cc04a..365005ad7 100644
--- a/nursery/get-inbound-credentials-handle-via-credssp.yml
+++ b/nursery/get-inbound-credentials-handle-via-credssp.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 references:
diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml
index daebee538..ffcafe352 100644
--- a/nursery/get-mac-address-on-linux.yml
+++ b/nursery/get-mac-address-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Discovery::System Information Discovery [T1082]
 features:
diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml
index ec53699e2..b57892c5e 100644
--- a/nursery/get-password-database-entry-on-linux.yml
+++ b/nursery/get-password-database-entry-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: call
 features:
 - and:
 - os: linux
diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml
index 9b7d2f52e..fc250690e 100644
--- a/nursery/get-process-image-filename.yml
+++ b/nursery/get-process-image-filename.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 features:
 - or:
 - and:
diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml
index cf9d556a8..7f4956754 100644
--- a/nursery/get-proxy.yml
+++ b/nursery/get-proxy.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 features:
diff --git a/nursery/get-remote-cert-context-via-schannel.yml b/nursery/get-remote-cert-context-via-schannel.yml
index 28cd7243c..2c0bf8cd7 100644
--- a/nursery/get-remote-cert-context-via-schannel.yml
+++ b/nursery/get-remote-cert-context-via-schannel.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 references:
diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml
index dac25951c..d7fbad949 100644
--- a/nursery/get-storage-device-properties.yml
+++ b/nursery/get-storage-device-properties.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
 features:
diff --git a/nursery/hash-data-using-md4.yml b/nursery/hash-data-using-md4.yml
index 54bc21519..f1f4310d2 100644
--- a/nursery/hash-data-using-md4.yml
+++ b/nursery/hash-data-using-md4.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 features:
 - and:
 - number: 0x8002 = CALG_MD4
diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml
index 821a368a3..3be8c8f89 100644
--- a/nursery/hash-data-using-sha1-via-wincrypt.yml
+++ b/nursery/hash-data-using-sha1-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 features:
 - or:
 - and:
diff --git a/nursery/interact-with-iptables.yml b/nursery/interact-with-iptables.yml
index f60567e89..49c767329 100644
--- a/nursery/interact-with-iptables.yml
+++ b/nursery/interact-with-iptables.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml
index 98e11cc4e..0c6c38c19 100644
--- a/nursery/list-containers.yml
+++ b/nursery/list-containers.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread # TODO check if scope call instead
+ dynamic: thread
 att&ck:
 - Discovery::Container and Resource Discovery [T1613]
 references:
diff --git a/nursery/list-domain-servers.yml b/nursery/list-domain-servers.yml
index 11030930f..9ec269db2 100644
--- a/nursery/list-domain-servers.yml
+++ b/nursery/list-domain-servers.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001]
 features:
diff --git a/nursery/list-groups-for-user-account.yml b/nursery/list-groups-for-user-account.yml
index c9c0c0da0..a6151a152 100644
--- a/nursery/list-groups-for-user-account.yml
+++ b/nursery/list-groups-for-user-account.yml
@@ -8,7 +8,7 @@ rule:
 description: enumerates all the groups to which a user account belongs
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 att&ck:
 - Discovery::Account Discovery [T1087]
 features:
diff --git a/nursery/list-tcp-connections-and-listeners.yml b/nursery/list-tcp-connections-and-listeners.yml
index 04cef09d4..ec3e3dd88 100644
--- a/nursery/list-tcp-connections-and-listeners.yml
+++ b/nursery/list-tcp-connections-and-listeners.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: call # TODO check if scope thread instead
+ dynamic: call
 features:
 - or:
 - api: iphlpapi.GetExtendedTcpTable
diff --git a/nursery/list-udp-connections-and-listeners.yml b/nursery/list-udp-connections-and-listeners.yml
index 20d50cc29..472ee13ed 100644
--- a/nursery/list-udp-connections-and-listeners.yml
+++ b/nursery/list-udp-connections-and-listeners.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: iphlpapi.GetExtendedUdpTable diff --git a/nursery/list-user-account-groups.yml b/nursery/list-user-account-groups.yml index 918fedaf9..2388e4687 100644 --- a/nursery/list-user-account-groups.yml +++ b/nursery/list-user-account-groups.yml @@ -8,7 +8,7 @@ rule: description: enumerates all the groups present on the system/domain scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::Permission Groups Discovery [T1069] features: diff --git a/nursery/list-user-accounts-for-group.yml b/nursery/list-user-accounts-for-group.yml index 4c76247b4..970e74ea3 100644 --- a/nursery/list-user-accounts-for-group.yml +++ b/nursery/list-user-accounts-for-group.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::Permission Groups Discovery [T1069] features: diff --git a/nursery/list-user-accounts.yml b/nursery/list-user-accounts.yml index ea41e4cda..80e85c3f1 100644 --- a/nursery/list-user-accounts.yml +++ b/nursery/list-user-accounts.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::Account Discovery [T1087] features: diff --git a/nursery/listen-for-remote-procedure-calls.yml b/nursery/listen-for-remote-procedure-calls.yml index c5449d2e8..180c46a92 100644 --- a/nursery/listen-for-remote-procedure-calls.yml +++ b/nursery/listen-for-remote-procedure-calls.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: rpcrt4.RpcServerListen 
diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml index 3bbd22294..c056237ff 100644 --- a/nursery/make-an-http-request-with-a-cookie.yml +++ b/nursery/make-an-http-request-with-a-cookie.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread features: - and: - match: send HTTP request diff --git a/nursery/mark-thread-detached-on-linux.yml b/nursery/mark-thread-detached-on-linux.yml index 2ab087a1e..a619229df 100644 --- a/nursery/mark-thread-detached-on-linux.yml +++ b/nursery/mark-thread-detached-on-linux.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - and: - os: linux diff --git a/nursery/monitor-clipboard-content.yml b/nursery/monitor-clipboard-content.yml index 8ff22f39f..a61d51ca3 100644 --- a/nursery/monitor-clipboard-content.yml +++ b/nursery/monitor-clipboard-content.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/monitor-local-ipv4-address-changes.yml b/nursery/monitor-local-ipv4-address-changes.yml index f95169c97..91dcf4321 100644 --- a/nursery/monitor-local-ipv4-address-changes.yml +++ b/nursery/monitor-local-ipv4-address-changes.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/parse-url.yml b/nursery/parse-url.yml index 82c81fcf4..a4b4b8541 100644 --- a/nursery/parse-url.yml +++ b/nursery/parse-url.yml 
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: wininet.InternetCrackUrl diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml index 80a712f80..320481703 100644 --- a/nursery/persist-via-gnome-autostart-on-linux.yml +++ b/nursery/persist-via-gnome-autostart-on-linux.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread features: - and: - os: linux diff --git a/nursery/power-down-monitor.yml b/nursery/power-down-monitor.yml index fdcf13ee5..7f8b2a380 100644 --- a/nursery/power-down-monitor.yml +++ b/nursery/power-down-monitor.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - and: - api: user32.SendMessage diff --git a/nursery/query-remote-server-for-available-data.yml b/nursery/query-remote-server-for-available-data.yml index cf98c8bc2..a8de83767 100644 --- a/nursery/query-remote-server-for-available-data.yml +++ b/nursery/query-remote-server-for-available-data.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: wininet.InternetQueryDataAvailable diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml index 35cd13b0c..f7cfd02ad 100644 --- a/nursery/reference-screen-saver-executable.yml +++ b/nursery/reference-screen-saver-executable.yml 
@@ -7,7 +7,7 @@ rule: description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Event Triggered Execution::Screensaver [T1546.002] features: diff --git a/nursery/register-http-server-url.yml b/nursery/register-http-server-url.yml index 7eec08e4c..359699117 100644 --- a/nursery/register-http-server-url.yml +++ b/nursery/register-http-server-url.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: httpapi.HttpAddUrl diff --git a/nursery/register-raw-input-devices.yml b/nursery/register-raw-input-devices.yml index ddfed489c..2e5cb96da 100644 --- a/nursery/register-raw-input-devices.yml +++ b/nursery/register-raw-input-devices.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - or: - api: user32.RegisterRawInputDevices diff --git a/nursery/resize-volume-shadow-copy-storage.yml b/nursery/resize-volume-shadow-copy-storage.yml index 13c390757..d04913951 100644 --- a/nursery/resize-volume-shadow-copy-storage.yml +++ b/nursery/resize-volume-shadow-copy-storage.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - and: - api: kernel32.DeviceIoControl diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml index 2f8a096cf..dd96985a7 100644 --- a/nursery/run-in-container.yml +++ b/nursery/run-in-container.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Execution::Container Administration Command [T1609] references: 
diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml index 6a63cbd32..4e54322f1 100644 --- a/nursery/send-http-request-with-host-header.yml +++ b/nursery/send-http-request-with-host-header.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread features: - and: - match: send HTTP request diff --git a/nursery/set-global-application-hook.yml b/nursery/set-global-application-hook.yml index c4fe59616..d791d64f1 100644 --- a/nursery/set-global-application-hook.yml +++ b/nursery/set-global-application-hook.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: call # TODO check if scope thread instead + dynamic: call features: - and: - api: user32.SetWindowsHookEx diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml index 24aebf610..35dd4eae7 100644 --- a/nursery/set-thread-name-on-linux.yml +++ b/nursery/set-thread-name-on-linux.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: thread features: - and: - os: linux diff --git a/nursery/unmanaged-call.yml b/nursery/unmanaged-call.yml index 32b0069aa..6c327013e 100644 --- a/nursery/unmanaged-call.yml +++ b/nursery/unmanaged-call.yml @@ -7,7 +7,7 @@ rule: description: managed code calls unmanaged (native) code, often seen in .NET scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: unsupported features: - or: - characteristic: unmanaged call diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml index 801c1f052..13809bb36 100644 --- a/persistence/persist-via-desktop-autostart.yml +++ b/persistence/persist-via-desktop-autostart.yml 
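Review bot: `set-thread-name-on-linux.yml` keeps `dynamic: thread` although its static scope is `basic block`, while every other basic-block rule in this batch, including `get-startup-folder.yml` at the end of the same patch which carried the identical TODO, is moved to `dynamic: call`; this looks like the one rule the upgrade script did not normalise. If `thread` is intended here, a short comment on that line would stop the next sweep from "fixing" it, e.g. `dynamic: thread # intentionally wider than call, see features`. The `dynamic: unsupported` for `unmanaged-call.yml` in the same line is consistent with the characteristic-only feature set and needs no change.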
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013] examples: diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml index 1032e253f..b4d149f42 100644 --- a/persistence/persist-via-shell-profile-or-rc-file.yml +++ b/persistence/persist-via-shell-profile-or-rc-file.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004] examples: diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml index 148fe4b14..2f4b7292e 100644 --- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml +++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@fireye.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] diff --git a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml index cfb1434d4..3e4c1481c 100644 --- a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml +++ b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml 
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@fireye.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] references: diff --git a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml index baefc359f..f947da933 100644 --- a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml +++ b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@fireye.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Event Triggered Execution [T1546] examples: diff --git a/persistence/registry/persist-via-active-setup-registry-key.yml b/persistence/registry/persist-via-active-setup-registry-key.yml index ea62c7538..54b8f0cf8 100644 --- a/persistence/registry/persist-via-active-setup-registry-key.yml +++ b/persistence/registry/persist-via-active-setup-registry-key.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014] references: diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml index 578104933..0d7dbf59d 100644 --- a/persistence/registry/run/persist-via-run-registry-key.yml +++ b/persistence/registry/run/persist-via-run-registry-key.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] mbc: 
diff --git a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml index 57d7e4cf7..93da27e90 100644 --- a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml +++ b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml @@ -6,7 +6,7 @@ rule: - 0x534a@mailbox.org scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004] examples: diff --git a/persistence/scheduled-tasks/schedule-task-via-at.yml b/persistence/scheduled-tasks/schedule-task-via-at.yml index 612feb848..c2476e3c3 100644 --- a/persistence/scheduled-tasks/schedule-task-via-at.yml +++ b/persistence/scheduled-tasks/schedule-task-via-at.yml @@ -6,7 +6,7 @@ rule: - joren485 scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Scheduled Task/Job::At [T1053.002] examples: diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml index a6f229805..4d7f58a38 100644 --- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml +++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml @@ -6,7 +6,7 @@ rule: - 0x534a@mailbox.org scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] examples: diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml index c4b87720e..11c4c0fad 100644 --- a/persistence/service/persist-via-rc-script.yml +++ b/persistence/service/persist-via-rc-script.yml 
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread # TODO check if scope call instead + dynamic: thread att&ck: - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004] examples: diff --git a/persistence/startup-folder/get-startup-folder.yml b/persistence/startup-folder/get-startup-folder.yml index a2bf3100b..af5b3a6fb 100644 --- a/persistence/startup-folder/get-startup-folder.yml +++ b/persistence/startup-folder/get-startup-folder.yml @@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: basic block - dynamic: thread # TODO check if scope call instead + dynamic: call att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] examples: From 5076cf4b6c3b6c9f6edb13add527305ff5532b1b Mon Sep 17 00:00:00 2001 From: mr-tz Date: Thu, 26 Oct 2023 10:47:11 +0200 Subject: [PATCH 03/15] fix scopes for rules with subscopes --- .../check-for-protected-handle-exception.yml | 15 +++++--- .../check-process-job-object.yml | 34 +++++++++++++------ .../hide-thread-from-debugger.yml | 8 ++++- .../clear-logs/clear-windows-event-logs.yml | 5 ++- ...-for-windows-sandbox-via-genuine-state.yml | 11 +++++- collection/screenshot/capture-screenshot.yml | 5 ++- 6 files changed, 58 insertions(+), 20 deletions(-) diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml index f8ff190e6..1d2324893 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] references: 
@@ -15,8 +15,13 @@ rule: - al-khaser_x86.exe_:0x430D20 features: - and: - - basic block: - - and: - - count(number(2)): 2 or more - - api: SetHandleInformation + - or: + - basic block: + - and: + - count(number(2)): 2 or more + - api: SetHandleInformation + - call: + - and: + - count(number(2)): 2 or more + - api: SetHandleInformation - api: CloseHandle diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml index 3dd92a349..a7ab788d2 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: @@ -14,13 +14,25 @@ rule: examples: - al-khaser_x86.exe_:0x426730 features: - - and: - - match: contain loop - - basic block: - - and: - - api: kernel32.QueryInformationJobObject - - number: 0x3 = JobObjectBasicProcessIdList - - basic block: - - and: - - api: kernel32.OpenProcess - - number: 0x400 = PROCESS_QUERY_INFORMATION + - or: + # static + - and: + - match: contain loop + - basic block: + - and: + - api: kernel32.QueryInformationJobObject + - number: 0x3 = JobObjectBasicProcessIdList + - basic block: + - and: + - api: kernel32.OpenProcess + - number: 0x400 = PROCESS_QUERY_INFORMATION + # dynamic + - and: + - call: + - and: + - api: kernel32.QueryInformationJobObject + - number: 0x3 = JobObjectBasicProcessIdList + - call: + - and: + - api: kernel32.OpenProcess + - number: 0x400 = PROCESS_QUERY_INFORMATION \ No newline at end of file 
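Review bot: The rewritten `check-process-job-object.yml` ends without a trailing newline (`\ No newline at end of file`), which none of the other rules touched in this series do and which will surface as a spurious change on the next edit; add the final newline. In the `call` alternative of `check-for-protected-handle-exception.yml`, `count(number(2)): 2 or more` inside a single call only reads sensibly if both the mask and flags arguments of SetHandleInformation are HANDLE_FLAG_PROTECT_FROM_CLOSE, and the `count(...)` form carries no `= NAME` description to say so; a comment such as `# dwMask and dwFlags both 2 = HANDLE_FLAG_PROTECT_FROM_CLOSE` above that line would make the intent explicit. The `# static` / `# dynamic` markers added in the job-object rule are a good convention and worth applying to the handle rule as well.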
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml index cebab2881..fe4208219 100644 --- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml +++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml @@ -7,7 +7,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc: @@ -26,6 +26,12 @@ rule: - api: NtSetInformationThread - api: ZwSetInformationThread - number: 0x11 = ThreadHideFromDebugger + - call: + - and: + - or: + - api: NtSetInformationThread + - api: ZwSetInformationThread + - number: 0x11 = ThreadHideFromDebugger - and: - or: - string: "NtSetInformationThread" diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml index b7dc9d1e9..797171c94 100644 --- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml +++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] examples: @@ -26,3 +26,6 @@ rule: - basic block: - and: - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i + - call: + - and: + - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml index 730119f0b..075c4f934 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml 
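Review bot: In `clear-windows-event-logs.yml` the added `call` subscope wraps a single `string` feature in an `and:`; a one-child `and` adds nothing, and `- call:` can hold `- string: /wevtutil(\.exe)?\s+(clear-log|cl)/i` directly. The static `basic block` sibling just above uses the same one-child wrapper, so if it is kept for symmetry that is defensible, but the two should then stay identical in shape so a future edit to one is not missed in the other.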
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: @@ -17,6 +17,7 @@ rule: - 773290480d5445f11d3dc1b800728966:0x140001140 features: - and: + # static - basic block: - and: - api: SLIsGenuineLocal @@ -24,3 +25,11 @@ rule: - and: - api: UuidFromString - string: "55c92734-d682-4d71-983e-d6ec3f16059f" + # dynamic + - call: + - and: + - api: SLIsGenuineLocal + - call: + - and: + - api: UuidFromString + - string: "55c92734-d682-4d71-983e-d6ec3f16059f" diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml index 175e1a151..bbba94419 100644 --- a/collection/screenshot/capture-screenshot.yml +++ b/collection/screenshot/capture-screenshot.yml @@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Collection::Screen Capture [T1113] mbc: @@ -39,4 +39,7 @@ rule: - and: - api: BitBlt - characteristic: tight loop + - call: + - and: + - api: BitBlt - api: System.Drawing.Graphics::CopyFromScreen From 8a3623102551ed322bd354aed929db29bed40443 Mon Sep 17 00:00:00 2001 
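Review bot: The new `call` alternative in `capture-screenshot.yml` matches on a lone `api: BitBlt`, while the static sibling directly above it additionally requires `characteristic: tight loop`; a single BitBlt call is routine GDI drawing, so in the dynamic flavor this branch is considerably broader than the static one and will raise the false-positive rate of a rule mapped to T1113. The enclosing statement begins outside the hunk, so whether its other members constrain this enough cannot be judged from here; if they do not, either require the BitBlt call together with a feature that ties it to the screen (a source-DC or size argument) or add a comment recording the accepted loss of precision, e.g. `# dynamic: any BitBlt call, loop structure is not observable`. The one-child `and:` around `api: BitBlt` can also be dropped.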
From: mr-tz Date: Thu, 26 Oct 2023 14:14:49 +0200 Subject: [PATCH 04/15] fix scopes for rules with subscopes 2 --- collection/webcam/capture-webcam-image.yml | 19 +++++- .../c2/shell/create-reverse-shell.yml | 15 +++-- .../socket/tcp/connect-tcp-socket.yml | 58 ++++++++++++------- .../create-tcp-socket-via-raw-afd-driver.yml | 2 +- compiler/perl2exe/compiled-with-perl2exe.yml | 15 +++-- .../decompress-data-using-quicklz.yml | 2 +- .../hashing/hash-data-via-wincrypt.yml | 9 ++- .../hashing/sha1/hash-data-using-sha1.yml | 6 +- .../clipboard/read-clipboard-data.yml | 9 ++- .../file-system/copy/copy-file.yml | 7 ++- .../file-system/delete/delete-file.yml | 14 ++++- .../exists/check-if-file-exists.yml | 2 +- .../files/list/enumerate-files-on-windows.yml | 15 +++-- .../file-system/move/move-file.yml | 6 +- .../read/read-file-via-mapping.yml | 20 ++++++- .../write/write-file-on-windows.yml | 7 ++- .../get-text/get-graphical-window-text.yml | 15 +++-- .../keyboard/simulate-ctrl-alt-del.yml | 27 ++++++--- .../hardware/storage/get-disk-size.yml | 6 +- .../inject/allocate-or-change-rwx-memory.yml | 2 +- .../process/list/enumerate-processes.yml | 8 ++- .../list/enumerate-process-modules.yml | 9 ++- host-interaction/service/continue-service.yml | 21 ++++--- host-interaction/service/pause-service.yml | 21 ++++--- .../service/stop/stop-service.yml | 21 ++++--- .../session/get-session-user-name.yml | 6 +- .../thread/list/enumerate-threads.yml | 7 ++- lib/allocate-or-change-rw-memory.yml | 2 +- ...ve-function-by-brute-ratel-badger-hash.yml | 2 +- .../resolve-function-by-fin8-fasthash.yml | 2 +- nursery/capture-webcam-video.yml | 43 ++++++++++---- nursery/check-for-process-debug-object.yml | 21 ++++--- ...sandbox-via-mac-address-ouis-in-dotnet.yml | 2 +- nursery/get-token-privileges.yml | 15 +++-- nursery/hash-data-using-ripemd128.yml | 2 +- .../service/persist-via-windows-service.yml | 15 +++-- 36 files changed, 332 insertions(+), 121 deletions(-) 
diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml index 987c6dfee..8783c61e7 100644 --- a/collection/webcam/capture-webcam-image.yml +++ b/collection/webcam/capture-webcam-image.yml @@ -6,13 +6,14 @@ rule: - johnk3r scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Collection::Video Capture [T1125] examples: - a30101595f6f28ab2f4b0b2cd177c3c4d2ab34a355ab7761a3795d0887c24ada:0x4011C0 features: - or: + # static - and: - api: capCreateCaptureWindow - basic block: @@ -28,3 +29,19 @@ rule: - and: - api: SendMessage - number: 0x419 = WM_CAP_FILE_SAVEDIB + # dynamic + - and: + - api: capCreateCaptureWindow + - call: + - and: + - api: SendMessage + - number: 0x40a = WM_CAP_DRIVER_CONNECT + - optional: + - call: + - and: + - api: SendMessage + - number: 0x40B = WM_CAP_DRIVER_DISCONNECT + - call: + - and: + - api: SendMessage + - number: 0x419 = WM_CAP_FILE_SAVEDIB diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml index 34c0f7aa7..a05615e5a 100644 --- a/communication/c2/shell/create-reverse-shell.yml +++ b/communication/c2/shell/create-reverse-shell.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] mbc: @@ -28,7 +28,12 @@ rule: - and: - match: create pipe - match: host-interaction/process/create - - basic block: - - and: - - count(api(SetHandleInformation)): 2 or more - - number: 1 = HANDLE_FLAG_INHERIT + - or: + - basic block: + - and: + - count(api(SetHandleInformation)): 2 or more + - number: 1 = HANDLE_FLAG_INHERIT + - call: + - and: + - count(api(SetHandleInformation)): 2 or more + - number: 1 = HANDLE_FLAG_INHERIT 
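Review bot: In `create-reverse-shell.yml` the added `call` alternative puts `count(api(SetHandleInformation)): 2 or more` inside a single call scope; if a dynamic call yields exactly one API feature (which is how I read the call scope, but confirm against the extractor), that count can never reach 2 and the branch is dead, so the rule would match dynamically only through its other members. Counting the calls at thread scope and constraining one call to the HANDLE_FLAG_INHERIT argument expresses the same idea in a way the dynamic flavor can satisfy, as sketched below. Separately, in `capture-webcam-image.yml` the copied constants mix `0x40a` and `0x40B` casing; the static branch already does this, but the new lines are a chance to normalise to one style.
```yaml
        - or:
          - basic block:
            - and:
              - count(api(SetHandleInformation)): 2 or more
              - number: 1 = HANDLE_FLAG_INHERIT
          # dynamic: one API feature per call, so count the calls at thread scope
          - and:
            - count(api(SetHandleInformation)): 2 or more
            - call:
              - and:
                - api: SetHandleInformation
                - number: 1 = HANDLE_FLAG_INHERIT
```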
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml index 312f975b0..2dd7df614 100644 --- a/communication/socket/tcp/connect-tcp-socket.yml +++ b/communication/socket/tcp/connect-tcp-socket.yml @@ -7,7 +7,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Communication::Socket Communication::Connect Socket [C0001.004] examples: @@ -20,23 +20,39 @@ rule: - api: ws2_32.connect - api: ws2_32.WSAConnect - api: ConnectEx - - and: - - basic block: - # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e - - and: - - number: 0x25A207B9 - - number: 0x4660DDF3 - - number: 0xE576E98E - - number: 0x3E06748C - - basic block: - - and: - - api: WSAIoctl - - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER - - basic block: - - and: - - api: setsockopt - - number: 0xFFFF = SOL_SOCKET - - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT - # socket must be bound to ConnectEx - # https://gist.github.com/joeyadams/4158972 - - api: bind + - or: + - and: + # static + - basic block: + # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e + - and: + - number: 0x25A207B9 + - number: 0x4660DDF3 + - number: 0xE576E98E + - number: 0x3E06748C + - basic block: + - and: + - api: WSAIoctl + - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER + - basic block: + - and: + - api: setsockopt + - number: 0xFFFF = SOL_SOCKET + - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT + # socket must be bound to ConnectEx + # https://gist.github.com/joeyadams/4158972 + - api: bind + - and: + # dynamic + - call: + - and: + - api: WSAIoctl + - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER + - call: + - and: + - api: setsockopt + - number: 0xFFFF = SOL_SOCKET + - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT + # socket must be bound to ConnectEx + # https://gist.github.com/joeyadams/4158972 + - api: bind 
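Review bot: In `connect-tcp-socket.yml` the `# static` and `# dynamic` markers sit inside the `- and:` bodies rather than above them, unlike `check-process-job-object.yml` and `read-file-via-mapping.yml` elsewhere in this series where the marker precedes the statement it labels; moving each comment one line up keeps the convention uniform across the rule set. The dynamic branch also silently drops the WSAID_CONNECTEX GUID check that the static branch keeps; a one-line comment stating why (presumably the GUID is passed by pointer and is not visible as a WSAIoctl argument — confirm) would save the next reader from re-adding it, e.g. `# GUID is passed by pointer, not observable as a call argument`.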
diff --git a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml index ee02f8ccf..03510fd7e 100644 --- a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml +++ b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported mbc: - Communication::Socket Communication::Create TCP Socket [C0001.011] references: diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml index b0e667c9e..b8724e472 100644 --- a/compiler/perl2exe/compiled-with-perl2exe.yml +++ b/compiler/perl2exe/compiled-with-perl2exe.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread examples: - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9 features: @@ -14,7 +14,12 @@ rule: - api: LoadLibrary - api: FreeLibrary - string: /^p2x[a-z0-9]{1,10}\.dll/i - - basic block: - - and: - - api: GetProcAddress - - string: "RunPerl" + - or: + - basic block: + - and: + - api: GetProcAddress + - string: "RunPerl" + - call: + - and: + - api: GetProcAddress + - string: "RunPerl" diff --git a/data-manipulation/compression/decompress-data-using-quicklz.yml b/data-manipulation/compression/decompress-data-using-quicklz.yml index 5272a17a5..b8bf22b0c 100644 --- a/data-manipulation/compression/decompress-data-using-quicklz.yml +++ b/data-manipulation/compression/decompress-data-using-quicklz.yml @@ -7,7 +7,7 @@ rule: description: detects the inner decompression loop from QuickLZ scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported mbc: - Data::Decompress Data::QuickLZ [C0025.001] references: 
diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml index 6402d0afd..d84ae236c 100644 --- a/data-manipulation/hashing/hash-data-via-wincrypt.yml +++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Cryptography::Cryptographic Hash [C0029] examples: @@ -22,3 +22,10 @@ rule: - number: 1 = HP_ALGID - number: 2 = HP_HASHVAL - number: 4 = HP_HASHSIZE + - call: + - and: + - api: advapi32.CryptGetHashParam + - or: + - number: 1 = HP_ALGID + - number: 2 = HP_HASHVAL + - number: 4 = HP_HASHSIZE diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml index 76a8cbbe8..35503c977 100644 --- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml +++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml @@ -8,7 +8,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Cryptography::Cryptographic Hash::SHA1 [C0029.002] examples: @@ -32,6 +32,10 @@ rule: - and: - number: 0x8004 = CALG_SHA1 - api: advapi32.CryptCreateHash + - call: + - and: + - number: 0x8004 = CALG_SHA1 + - api: advapi32.CryptCreateHash - and: - api: System.Security.Cryptography.SHA1Managed::ctor - optional: diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml index 14f30d661..37ae798af 100644 --- a/host-interaction/clipboard/read-clipboard-data.yml +++ b/host-interaction/clipboard/read-clipboard-data.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Collection::Clipboard Data [T1115] references: 
@@ -31,6 +31,13 @@ rule: - number: 0x1 = CF_TEXT - number: 0x7 = CF_OEMTEXT - number: 0xD = CF_UNICODETEXT + - call: + - and: + - api: user32.GetClipboardData + - optional: + - number: 0x1 = CF_TEXT + - number: 0x7 = CF_OEMTEXT + - number: 0xD = CF_UNICODETEXT - api: System.Windows.Forms.Clipboard::GetAudioStream - api: System.Windows.Forms.Clipboard::GetData - api: System.Windows.Forms.Clipboard::GetDataObject diff --git a/host-interaction/file-system/copy/copy-file.yml b/host-interaction/file-system/copy/copy-file.yml index 5040e739e..ff047b0e2 100644 --- a/host-interaction/file-system/copy/copy-file.yml +++ b/host-interaction/file-system/copy/copy-file.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - File System::Copy File [C0045] examples: @@ -26,3 +26,8 @@ rule: - number: 2 = FO_COPY - or: - api: kernel32.SHFileOperation + - call: + - and: + - number: 2 = FO_COPY + - or: + - api: kernel32.SHFileOperation diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml index 81c4494d7..2e945c9d8 100644 --- a/host-interaction/file-system/delete/delete-file.yml +++ b/host-interaction/file-system/delete/delete-file.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - File System::Delete File [C0047] examples: @@ -26,6 +26,7 @@ rule: - api: _wremove - api: System.IO.File::Delete - api: System.IO.FileSystemInfo::Delete + # static - basic block: - and: - number: 3 = FO_DELETE 
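Review bot: In `copy-file.yml` the new `call` subscope pairs `api: kernel32.SHFileOperation` with `number: 2 = FO_COPY`, but SHFileOperation takes a single pointer to a SHFILEOPSTRUCT and `wFunc` is a field of that struct rather than a direct argument; unless the sandbox flattens struct fields into the reported arguments (I cannot tell from here), this branch will never match in the dynamic flavor. The same pattern is added for `FO_DELETE` in `delete-file.yml` in the next hunk and for `FO_MOVE` in `move-file.yml`. If struct fields are not reported, `- call:` with just `- api: kernel32.SHFileOperation` (accepting that the operation type is then unknown) or leaving that branch static-only would be the honest choice, and in either case a comment recording the assumption, e.g. `# wFunc lives in SHFILEOPSTRUCT; only matches if the sandbox expands the struct`, would help. The single-child `- or:` around the api feature is copied from the static branch and can be dropped.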
@@ -36,3 +37,14 @@ rule: - number: 4 = MOVEFILE_DELAY_UNTIL_REBOOT - number: 0 = NULL - api: MoveFileEx + # dynamic + - call: + - and: + - number: 3 = FO_DELETE + - or: + - api: kernel32.SHFileOperation + - call: + - and: + - number: 4 = MOVEFILE_DELAY_UNTIL_REBOOT + - number: 0 = NULL + - api: MoveFileEx diff --git a/host-interaction/file-system/exists/check-if-file-exists.yml b/host-interaction/file-system/exists/check-if-file-exists.yml index fd2d5f109..8a98ca569 100644 --- a/host-interaction/file-system/exists/check-if-file-exists.yml +++ b/host-interaction/file-system/exists/check-if-file-exists.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported # TODO dynamic scope could be adjusted att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml index c5c495b97..5922183a0 100644 --- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml +++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::File and Directory Discovery [T1083] mbc: @@ -34,10 +34,15 @@ rule: - api: kernel32.FindClose - match: contain loop - and: - - basic block: - - and: - - number: 1 = DIRECTORY_QUERY - - api: ntdll.NtOpenDirectoryObject + - or: + - basic block: + - and: + - number: 1 = DIRECTORY_QUERY + - api: ntdll.NtOpenDirectoryObject + - call: + - and: + - number: 1 = DIRECTORY_QUERY + - api: ntdll.NtOpenDirectoryObject - api: ntdll.NtQueryDirectoryObject - optional: - api: RtlAllocateHeap 
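Review bot: The FO_DELETE `call:` subscope in delete-file keeps `api: kernel32.SHFileOperation`, but the function lives in shell32.dll, so `- api: shell32.SHFileOperation` is the name a trace would carry; the static block above has the same pre-existing mistake. In the MoveFileEx `call:` subscope, `number: 0 = NULL` stands in for the lpNewFileName pointer argument; whether the sandbox report renders a NULL pointer as the integer 0 rather than an empty string or an omitted argument should be confirmed against a real trace before the dynamic branch is relied on. The `or:` these subscopes hang off is above the hunk.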
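Review bot: `dynamic: unsupported # TODO dynamic scope could be adjusted` in check-if-file-exists records neither why the rule is unsupported dynamically nor what "adjusted" would mean, unlike the `# requires … features` convention the later patch in this series applies to the other unsupported rules. Suggest naming the blocking feature(s) and the intended fix in the comment, e.g. `dynamic: unsupported # requires <static-only feature> features; add a call: subscope to support dynamic`, with the feature names taken from the rule body, which is outside the hunk.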
diff --git a/host-interaction/file-system/move/move-file.yml b/host-interaction/file-system/move/move-file.yml index 8564ee8c5..757bcf34c 100644 --- a/host-interaction/file-system/move/move-file.yml +++ b/host-interaction/file-system/move/move-file.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - File System::Move File [C0063] examples: @@ -27,3 +27,7 @@ rule: - number: 1 = FO_MOVE - or: - api: kernel32.SHFileOperation + - call: + - and: + - number: 1 = FO_MOVE + - api: kernel32.SHFileOperation diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml index dc4ef966d..41de967f6 100644 --- a/host-interaction/file-system/read/read-file-via-mapping.yml +++ b/host-interaction/file-system/read/read-file-via-mapping.yml @@ -6,13 +6,14 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - File System::Read File [C0051] examples: - Practical Malware Analysis Lab 01-01.exe_:0x401440 features: - and: + # static - basic block: - and: - api: kernel32.MapViewOfFile @@ -29,3 +30,20 @@ rule: - or: - number: 2 = PAGE_READONLY - number: 4 = PAGE_READWRITE + # dynamic + - call: + - and: + - api: kernel32.MapViewOfFile + - or: + - number: 4 = FILE_MAP_READ + - number: 6 = FILE_MAP_WRITE | FILE_MAP_READ + - optional: + - api: kernel32.UnmapViewOfFile + - and: + - match: get file size + - call: + - and: + - api: kernel32.CreateFileMapping + - or: + - number: 2 = PAGE_READONLY + - number: 4 = PAGE_READWRITE diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml index cc9e75250..d1cd4c8be 100644 --- a/host-interaction/file-system/write/write-file-on-windows.yml 
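Review bot: The new move-file `call:` subscope copies `api: kernel32.SHFileOperation`, but SHFileOperation is a shell32.dll export; use `- api: shell32.SHFileOperation` so the dynamic branch has a chance of matching a module-qualified call record, and fix the static line above it in the same way. Note also that this hunk drops the single-child `or:` that the static block still has while copy-file's new subscope keeps it; pick one shape across the three SHFileOperation rules. The parent `or:` is above the hunk.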
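Review bot: In read-file-via-mapping the `# dynamic` `call:` branches are added inside the unchanged top-level `- and:` next to the `# static` `basic block:` branches, so the rule now demands both a static-only and a dynamic-only subscope and cannot match in either flavor. The top-level statement should become an `or:` holding one `and:` per flavor, the shape the capture-webcam-video hunk in this patch already uses; `get file size` and `UnmapViewOfFile` are repeated in each branch since they carry no subscope.
```yaml
features:
  - or:
    # static
    - and:
      - basic block:
        # … unchanged: MapViewOfFile / FILE_MAP_* …
      - optional:
        - api: kernel32.UnmapViewOfFile
      - and:
        - match: get file size
        - basic block:
          # … unchanged: CreateFileMapping / PAGE_* …
    # dynamic
    - and:
      - call:
        # … unchanged: MapViewOfFile / FILE_MAP_* …
      - optional:
        - api: kernel32.UnmapViewOfFile
      - and:
        - match: get file size
        - call:
          # … unchanged: CreateFileMapping / PAGE_* …
```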
+++ b/host-interaction/file-system/write/write-file-on-windows.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - File System::Writes File [C0052] examples: @@ -24,6 +24,11 @@ rule: - number: 0x40000000 = GENERIC_WRITE - number: 0x2 = FILE_WRITE_DATA - match: create or open file + - call: + - or: + - number: 0x40000000 = GENERIC_WRITE + - number: 0x2 = FILE_WRITE_DATA + - match: create or open file - or: - api: kernel32.WriteFile - api: kernel32.WriteFileEx diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml index f7f25a049..2dd99b57c 100644 --- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml +++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Discovery::Application Window Discovery [E1010] examples: @@ -17,10 +17,15 @@ rule: - and: - optional: - api: user32.IsWindowVisible - - basic block: - - and: - - number: 0xD = WM_GETTEXT - - api: user32.SendMessage + - or: + - basic block: + - and: + - number: 0xD = WM_GETTEXT + - api: user32.SendMessage + - call: + - and: + - number: 0xD = WM_GETTEXT + - api: user32.SendMessage - and: - optional: - api: user32.GetForegroundWindow diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml index 4264488f8..794d2000f 100644 --- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml +++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml 
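Review bot: The new write-file-on-windows `call:` subscope lists an `or:` over the two access-right numbers followed by `match: create or open file` with no `and:` binding them, while the static `basic block:` (whose `and:` is above the hunk) does bind them. As written, either `call:` ends up with two child statements, which the rule loader rejects as far as I recall, or the match is folded into the `or:` and any create/open-file call — or any call carrying the argument 2 — would satisfy the subscope. Suggest `- call:` / `  - and:` / `    - or:` over the numbers, then `    - match: create or open file` at the `and:` level.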
@@ -7,7 +7,7 @@ rule: - johnk3r scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001] examples: @@ -21,9 +21,22 @@ rule: - api: OpenDesktop - api: OpenInputDesktop - string: "Winlogon" - - basic block: - - and: - - api: PostMessage - - number: 0x2E0003 = (MOD_ALT | MOD_CONTROL | VK_DELETE) - - number: 0x312 = WM_HOTKEY - - number: 0xFFFF = HWND_BROADCAST + - call: + - and: + - or: + - api: OpenDesktop + - api: OpenInputDesktop + - string: "Winlogon" + - or: + - basic block: + - and: + - api: PostMessage + - number: 0x2E0003 = (MOD_ALT | MOD_CONTROL | VK_DELETE) + - number: 0x312 = WM_HOTKEY + - number: 0xFFFF = HWND_BROADCAST + - call: + - and: + - api: PostMessage + - number: 0x2E0003 = (MOD_ALT | MOD_CONTROL | VK_DELETE) + - number: 0x312 = WM_HOTKEY + - number: 0xFFFF = HWND_BROADCAST diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml index c5198c860..ab314cd50 100644 --- a/host-interaction/hardware/storage/get-disk-size.yml +++ b/host-interaction/hardware/storage/get-disk-size.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] mbc: @@ -28,6 +28,10 @@ rule: - and: - api: DeviceIoControl - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO + - call: + - and: + - api: DeviceIoControl + - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO - and: - or: - string: /SELECT\s+\*\s+FROM\s+Win32_LogicalDisk/i diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml index 1b5fdcb99..1393a89d3 100644 --- a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml 
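Review bot: In simulate-ctrl-alt-del the new `call:` for OpenDesktop/OpenInputDesktop plus `"Winlogon"` is inserted as a sibling of the existing `basic block:` holding the same features, but unlike the PostMessage pair further down no `or:` is added around the two. If their parent is the rule's top-level `and:`, the rule requires one static-only and one dynamic-only subscope and never matches; that parent is above the hunk, so confirm and wrap them: `- or:` / `  - basic block: …` / `  - call: …`.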
@@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: basic block - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml index 3325a93fe..d790b129a 100644 --- a/host-interaction/process/list/enumerate-processes.yml +++ b/host-interaction/process/list/enumerate-processes.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] @@ -27,3 +27,9 @@ rule: - number: 0xF = TH32CS_SNAPALL - number: 0x2 = TH32CS_SNAPPROCESS - api: kernel32.CreateToolhelp32Snapshot + - call: + - and: + - or: + - number: 0xF = TH32CS_SNAPALL + - number: 0x2 = TH32CS_SNAPPROCESS + - api: kernel32.CreateToolhelp32Snapshot diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml index 4a4db4e15..10ee51ca0 100644 --- a/host-interaction/process/modules/list/enumerate-process-modules.yml +++ b/host-interaction/process/modules/list/enumerate-process-modules.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] examples: 
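Review bot: `dynamic: thread` is a loose counterpart to the static `basic block` scope of allocate-or-change-rwx-memory: at thread scope the API feature and the protection-constant `number` feature need only appear somewhere in the same thread, not as arguments of one call, so presumably a thread that makes the allocation call once and passes the RWX constant to an unrelated API elsewhere would also match. If the rule body (outside the hunk) pairs an API with its protection argument, `dynamic: call` is the faithful translation; if `thread` is intentional, a comment such as `dynamic: thread # call would be stricter; thread chosen to tolerate arg rendering differences` would record the trade-off.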
@@ -39,6 +39,13 @@ rule: - number: 0x10 = TH32CS_SNAPMODULE32 - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32 - api: kernel32.CreateToolhelp32Snapshot + - call: + - and: + - or: + - number: 0x8 = TH32CS_SNAPMODULE + - number: 0x10 = TH32CS_SNAPMODULE32 + - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32 + - api: kernel32.CreateToolhelp32Snapshot - and: - property/read: System.Diagnostics.Process::Modules - property/read: System.Diagnostics.ProcessModuleCollection::Item diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml index 2d1e5f62b..5715989a3 100644 --- a/host-interaction/service/continue-service.yml +++ b/host-interaction/service/continue-service.yml @@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: @@ -15,9 +15,16 @@ rule: - and: - optional: - match: get service handle - - basic block: - - and: - - number: 0x3 = SERVICE_CONTROL_CONTINUE - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - or: + - basic block: + - and: + - number: 0x3 = SERVICE_CONTROL_CONTINUE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx + - call: + - and: + - number: 0x3 = SERVICE_CONTROL_CONTINUE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml index 9a0350dd2..c4667131b 100644 --- a/host-interaction/service/pause-service.yml +++ b/host-interaction/service/pause-service.yml @@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: 
@@ -15,9 +15,16 @@ rule: - and: - optional: - match: get service handle - - basic block: - - and: - - number: 0x2 = SERVICE_CONTROL_PAUSE - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - or: + - basic block: + - and: + - number: 0x2 = SERVICE_CONTROL_PAUSE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx + - call: + - and: + - number: 0x2 = SERVICE_CONTROL_PAUSE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml index 9caa6d575..dcd6ebacb 100644 --- a/host-interaction/service/stop/stop-service.yml +++ b/host-interaction/service/stop/stop-service.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Impact::Service Stop [T1489] @@ -16,9 +16,16 @@ rule: - and: - optional: - match: get service handle - - basic block: - - and: - - number: 0x1 = SERVICE_CONTROL_STOP - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - or: + - basic block: + - and: + - number: 0x1 = SERVICE_CONTROL_STOP + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx + - call: + - and: + - number: 0x1 = SERVICE_CONTROL_STOP + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml index 685652d16..f9673dfb8 100644 --- a/host-interaction/session/get-session-user-name.yml +++ b/host-interaction/session/get-session-user-name.yml 
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] - Discovery::Account Discovery [T1087] @@ -22,5 +22,9 @@ rule: # - match: get session information (see #463) - api: wtsapi32.WTSQuerySessionInformation - number: 5 = WTSUserName + - call: + - and: + - api: wtsapi32.WTSQuerySessionInformation + - number: 5 = WTSUserName - api: System.Security.Principal.WindowsIdentity::GetCurrent - property/read: System.Environment::UserName diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml index c445f568d..cdf6ddf54 100644 --- a/host-interaction/thread/list/enumerate-threads.yml +++ b/host-interaction/thread/list/enumerate-threads.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] mbc: @@ -24,3 +24,8 @@ rule: - number: 0x4 = TH32CS_SNAPTHREAD # TH32CS_SNAPTHREAD includes all threads in the system in the snapshot - api: kernel32.CreateToolhelp32Snapshot + - call: + - and: + - or: + - number: 0x4 = TH32CS_SNAPTHREAD + - api: kernel32.CreateToolhelp32Snapshot diff --git a/lib/allocate-or-change-rw-memory.yml b/lib/allocate-or-change-rw-memory.yml index bd304b725..4d2b2d066 100644 --- a/lib/allocate-or-change-rw-memory.yml +++ b/lib/allocate-or-change-rw-memory.yml @@ -7,7 +7,7 @@ rule: lib: true scopes: static: basic block - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml index e55293a6a..807f4b8d2 100644 
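Review bot: Same concern as for allocate-or-change-rwx-memory: lib/allocate-or-change-rw-memory is a static `basic block` rule, and `dynamic: thread` lets the API and the protection `number` come from different calls in the thread, which for a lib rule feeds every rule that `match:`es it. Consider `dynamic: call`, or document why the wider scope was chosen; the features are outside the hunk.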
--- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml +++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml @@ -7,7 +7,7 @@ rule: description: Custom API hashing algorithm used in Brute Ratel Badger (version 1.3 or higher) scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported att&ck: - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007] mbc: diff --git a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml index a181ce876..a4c9f239d 100644 --- a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml +++ b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml @@ -7,7 +7,7 @@ rule: description: APIHashing algorithm derived from a fasthash implementation in OpenCPN using seeds scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported mbc: - Cryptography::Cryptographic Hash [C0029] references: diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml index 5f25248bc..e1dd86c55 100644 --- a/nursery/capture-webcam-video.yml +++ b/nursery/capture-webcam-video.yml 
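Review bot: `dynamic: unsupported` in the two runtime-linking hash rules replaces the TODO but gives no reason, whereas the later patch in this series settles on `dynamic: unsupported # requires … features` for the same situation. Suggest recording the blocking feature kinds here too, e.g. `dynamic: unsupported # requires mnemonic/number-sequence features`, with the actual list taken from the rule body, which is outside the hunk.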
@@ -7,23 +7,42 @@ rule: description: Rule that detects a system's webcam being used to capture video scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Collection::Video Capture [T1125] features: - - and: - - os: windows - - api: capCreateCaptureWindow - - basic block: - - and: - - api: SendMessage - - number: 0x43E = WM_CAP_SEQUENCE - - or: + - or: + # static + - and: + - os: windows + - api: capCreateCaptureWindow - basic block: - and: - api: SendMessage - - number: 0x417 = WM_CAP_FILE_SAVEAS - - basic block: + - number: 0x43E = WM_CAP_SEQUENCE + - or: + - basic block: + - and: + - api: SendMessage + - number: 0x417 = WM_CAP_FILE_SAVEAS + - basic block: + - and: + - api: SendMessage + - number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE + # dynamic + - and: + - os: windows + - api: capCreateCaptureWindow + - call: - and: - api: SendMessage - - number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE + - number: 0x43E = WM_CAP_SEQUENCE + - or: + - call: + - and: + - api: SendMessage + - number: 0x417 = WM_CAP_FILE_SAVEAS + - call: + - and: + - api: SendMessage + - number: 0x414 = WM_CAP_FILE_SET_CAPTURE_FILE diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml index 2b1c941a7..ba44d8c16 100644 --- a/nursery/check-for-process-debug-object.yml +++ b/nursery/check-for-process-debug-object.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references: 
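Review bot: The capture-webcam-video restructure is the right shape (top-level `or:` with one branch per flavor), but `os: windows` and `api: capCreateCaptureWindow` are now duplicated in both branches. Keeping the original top-level `and:` with those two features and placing the `or:` of the `# static` / `# dynamic` SendMessage trees beneath it would express the same condition once and keep future edits to the shared part in one place. The rest of the hunk can stay as is.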
@@ -16,9 +16,16 @@ rule: - or: - api: kernel32.GetCurrentProcess - api: System.Diagnostics.Process::GetCurrentProcess - - basic block: - - and: - - or: - - api: NtQueryInformationProcess - - api: ZwQueryInformationProcess - - number: 0x1E = ProcessDebugObjectHandle + - or: + - basic block: + - and: + - or: + - api: NtQueryInformationProcess + - api: ZwQueryInformationProcess + - number: 0x1E = ProcessDebugObjectHandle + - call: + - and: + - or: + - api: NtQueryInformationProcess + - api: ZwQueryInformationProcess + - number: 0x1E = ProcessDebugObjectHandle diff --git a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml index e18528f9d..ed99d4498 100644 --- a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml +++ b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml @@ -7,7 +7,7 @@ rule: description: detects sandbox detection via mac address organizationally unique identifiers (OUIs). Based off publicly available CSharpShooter/CheckPlease.cs scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml index 6029ebd44..bc64f7deb 100644 --- a/nursery/get-token-privileges.yml +++ b/nursery/get-token-privileges.yml @@ -7,12 +7,17 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread features: - and: - - basic block: - - and: - - api: advapi32.GetTokenInformation - - number: 0x3 = TokenPrivileges + - or: + - basic block: + - and: + - api: advapi32.GetTokenInformation + - number: 0x3 = TokenPrivileges + - call: + - and: + - api: advapi32.GetTokenInformation + - number: 0x3 = TokenPrivileges - optional: - api: advapi32.LookupPrivilegeName 
diff --git a/nursery/hash-data-using-ripemd128.yml b/nursery/hash-data-using-ripemd128.yml index 747736351..05c5d029b 100755 --- a/nursery/hash-data-using-ripemd128.yml +++ b/nursery/hash-data-using-ripemd128.yml @@ -6,7 +6,7 @@ rule: - raymond.leong@mandiant.com scopes: static: file - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: unsupported references: - https://en.wikipedia.org/wiki/RIPEMD-128 features: diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml index f9fb74848..041e2425c 100644 --- a/persistence/service/persist-via-windows-service.yml +++ b/persistence/service/persist-via-windows-service.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] @@ -16,10 +16,15 @@ rule: features: - or: - and: - - basic block: - - and: - - number: 2 = SERVICE_AUTO_START - - api: advapi32.CreateService + - or: + - basic block: + - and: + - number: 2 = SERVICE_AUTO_START + - api: advapi32.CreateService + - call: + - and: + - number: 2 = SERVICE_AUTO_START + - api: advapi32.CreateService - optional: - or: - api: advapi32.OpenService From 2d3be8ec38931fc52f8fe085203f6a671d9113b1 Mon Sep 17 00:00:00 2001 
From: mr-tz Date: Thu, 26 Oct 2023 15:02:19 +0200 Subject: [PATCH 05/15] fix some dynamic unsupported rules --- collection/credit-card/parse-credit-card-information.yml | 2 +- compiler/vb/compiled-from-visual-basic.yml | 2 +- data-manipulation/hashing/md5/hash-data-with-md5.yml | 6 +++++- host-interaction/service/run-as-service.yml | 2 +- ...t-card-number-using-luhn-algorithm-with-lookup-table.yml | 2 +- load-code/pe/enumerate-pe-sections.yml | 2 +- nursery/implement-com-dll.yml | 2 +- nursery/inspect-load-icon-resource.yml | 2 +- nursery/reference-base58-string.yml | 2 +- persistence/act-as-dhcp-server-callout-dll.yml | 2 +- persistence/act-as-dns-server-plugin-dll.yml | 2 +- .../act-as-credential-manager-dll.yml | 2 +- .../authentication-process/act-as-password-filter-dll.yml | 2 +- .../act-as-security-support-provider-dll.yml | 2 +- .../act-as-subauthentication-package-dll.yml | 2 +- persistence/iis/persist-via-iis-module.yml | 2 +- persistence/iis/persist-via-isapi-extension.yml | 2 +- persistence/office/act-as-excel-xll-add-in.yml | 2 +- persistence/office/act-as-word-wll-add-in.yml | 2 +- 19 files changed, 23 insertions(+), 19 deletions(-) diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml index 855d0686e..1357f9874 100644 --- a/collection/credit-card/parse-credit-card-information.yml +++ b/collection/credit-card/parse-credit-card-information.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: unsupported # requires mnemonic, Not features + dynamic: unsupported # requires mnemonic features mbc: - Data::Check String [C0019] examples: diff --git a/compiler/vb/compiled-from-visual-basic.yml b/compiler/vb/compiled-from-visual-basic.yml index 65a557e20..ee3242b64 100644 --- a/compiler/vb/compiled-from-visual-basic.yml +++ b/compiler/vb/compiled-from-visual-basic.yml 
@@ -6,7 +6,7 @@ rule: - "@williballenthin" scopes: static: file - dynamic: unsupported # requires import features + dynamic: file examples: - 9bca6b99e7981208af4c7925b96fb9cf features: diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml index e270bc0df..eb6b296d2 100644 --- a/data-manipulation/hashing/md5/hash-data-with-md5.yml +++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml @@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unsupported # requires offset, Not features + dynamic: thread mbc: - Cryptography::Cryptographic Hash::MD5 [C0029.001] references: @@ -34,6 +34,10 @@ rule: - and: - number: 0x8003 = CALG_MD5 - api: advapi32.CryptCreateHash + - call: + - and: + - number: 0x8003 = CALG_MD5 + - api: advapi32.CryptCreateHash - and: - format: dotnet - or: diff --git a/host-interaction/service/run-as-service.yml b/host-interaction/service/run-as-service.yml index a20c9c335..f307f6449 100644 --- a/host-interaction/service/run-as-service.yml +++ b/host-interaction/service/run-as-service.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: file - dynamic: unspecified # TODO upgrade manually, contains subscope + dynamic: file mbc: - Anti-Behavioral Analysis::Conditional Execution::Runs as Service [B0025.007] examples: diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml index a498fafcc..bbac2e8ad 100644 --- a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml +++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml @@ -6,7 +6,7 @@ rule: lib: true scopes: static: function - dynamic: unsupported # requires characteristic, offset, mnemonic, Not features + dynamic: unsupported # requires characteristic, offset, mnemonic features mbc: - Data::Checksum::Luhn [C0032.002] examples: 
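Review bot: Changing compiled-from-visual-basic from `dynamic: unsupported # requires import features` to `dynamic: file` discards the recorded reason without showing that the dynamic file-scope extractor actually emits `import` features; if it does not, the rule goes from explicitly unsupported to silently never matching. Confirm that the dynamic file extractor yields imports from the report's static PE data, and keep the dependency visible, e.g. `dynamic: file # import features are taken from the report's static PE section`. The same check applies to the export-based act-as-*-dll rules flipped to `dynamic: file` later in this commit.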
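Review bot: The removed comment on hash-data-with-md5 said the rule needs `offset` features, and this hunk does not touch those branches (they are outside the hunk), so under `dynamic: thread` the rule can only ever match through the added `CryptCreateHash` + `CALG_MD5` call subscope or the .NET branch. That is acceptable if the branches sit under an `or:`, but it is worth stating so the next reader does not expect the constant-based detection to work dynamically, e.g. `dynamic: thread # only the CryptCreateHash/CALG_MD5 and .NET paths are matchable dynamically`.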
diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml index d2d4c2f41..a992b380c 100644 --- a/load-code/pe/enumerate-pe-sections.yml +++ b/load-code/pe/enumerate-pe-sections.yml @@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: unsupported # requires offset, Not, operand[1].offset, characteristic, mnemonic, basicblock features + dynamic: unsupported # requires offset, operand[1].offset, characteristic, mnemonic, basicblock features mbc: - Discovery::Code Discovery::Enumerate PE Sections [B0046.001] references: diff --git a/nursery/implement-com-dll.yml b/nursery/implement-com-dll.yml index 15bb34522..f9f951412 100644 --- a/nursery/implement-com-dll.yml +++ b/nursery/implement-com-dll.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file references: - https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject features: diff --git a/nursery/inspect-load-icon-resource.yml b/nursery/inspect-load-icon-resource.yml index eecd9f1fc..6da2839d9 100644 --- a/nursery/inspect-load-icon-resource.yml +++ b/nursery/inspect-load-icon-resource.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: unsupported # requires Not, mnemonic features + dynamic: unsupported # requires mnemonic features features: # check if call to LoadIcon fails when first argument is NULL # and second argument is not a valid predefined icon - LoadIcon diff --git a/nursery/reference-base58-string.yml b/nursery/reference-base58-string.yml index 608376784..e0e2d1566 100644 --- a/nursery/reference-base58-string.yml +++ b/nursery/reference-base58-string.yml 
@@ -7,7 +7,7 @@ rule: description: Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0, I, O, and l). Base58 is used to represent bitcoin addresses. scopes: static: file - dynamic: unsupported # requires features + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/persistence/act-as-dhcp-server-callout-dll.yml b/persistence/act-as-dhcp-server-callout-dll.yml index 854058a4b..b07342510 100644 --- a/persistence/act-as-dhcp-server-callout-dll.yml +++ b/persistence/act-as-dhcp-server-callout-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Server Software Component [T1505] references: diff --git a/persistence/act-as-dns-server-plugin-dll.yml b/persistence/act-as-dns-server-plugin-dll.yml index b827b2226..11ac906a9 100644 --- a/persistence/act-as-dns-server-plugin-dll.yml +++ b/persistence/act-as-dns-server-plugin-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Server Software Component [T1505] references: diff --git a/persistence/authentication-process/act-as-credential-manager-dll.yml b/persistence/authentication-process/act-as-credential-manager-dll.yml index 720198bf0..29b726496 100644 --- a/persistence/authentication-process/act-as-credential-manager-dll.yml +++ b/persistence/authentication-process/act-as-credential-manager-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008] examples: 
diff --git a/persistence/authentication-process/act-as-password-filter-dll.yml b/persistence/authentication-process/act-as-password-filter-dll.yml index 9524402b8..fc90ac552 100644 --- a/persistence/authentication-process/act-as-password-filter-dll.yml +++ b/persistence/authentication-process/act-as-password-filter-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Modify Authentication Process::Password Filter DLL [T1556.002] examples: diff --git a/persistence/authentication-process/act-as-security-support-provider-dll.yml b/persistence/authentication-process/act-as-security-support-provider-dll.yml index 81200674b..2f9f60451 100644 --- a/persistence/authentication-process/act-as-security-support-provider-dll.yml +++ b/persistence/authentication-process/act-as-security-support-provider-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005] references: diff --git a/persistence/authentication-process/act-as-subauthentication-package-dll.yml b/persistence/authentication-process/act-as-subauthentication-package-dll.yml index e27f1753f..936dde16c 100644 --- a/persistence/authentication-process/act-as-subauthentication-package-dll.yml +++ b/persistence/authentication-process/act-as-subauthentication-package-dll.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002] references: diff --git a/persistence/iis/persist-via-iis-module.yml b/persistence/iis/persist-via-iis-module.yml index 6e5f0f917..f499c2228 100644 --- a/persistence/iis/persist-via-iis-module.yml 
+++ b/persistence/iis/persist-via-iis-module.yml @@ -7,7 +7,7 @@ rule: description: IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Server Software Component::IIS Components [T1505.004] examples: diff --git a/persistence/iis/persist-via-isapi-extension.yml b/persistence/iis/persist-via-isapi-extension.yml index 36ab99e5c..f568da947 100644 --- a/persistence/iis/persist-via-isapi-extension.yml +++ b/persistence/iis/persist-via-isapi-extension.yml @@ -7,7 +7,7 @@ rule: description: Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Server Software Component::IIS Components [T1505.004] examples: diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml index e08ca0ba2..913d5d196 100644 --- a/persistence/office/act-as-excel-xll-add-in.yml +++ b/persistence/office/act-as-excel-xll-add-in.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Office Application Startup::Add-ins [T1137.006] references: diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml index 17e31d3b7..34e939810 100644 --- a/persistence/office/act-as-word-wll-add-in.yml +++ b/persistence/office/act-as-word-wll-add-in.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: file - dynamic: unsupported # requires export features + dynamic: file att&ck: - Persistence::Office Application Startup::Add-ins [T1137.006] references: 
From b4dfc1ab4abddf2a37890ed2736a202ff4481bc9 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Wed, 8 Nov 2023 15:26:33 +0100 Subject: [PATCH 06/15] use number to support 32 and 64 bit, add support for dynamic analysis --- .../capture-screenshot-via-keybd-event.yml | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml index 604f182d6..515be39a6 100644 --- a/collection/screenshot/capture-screenshot-via-keybd-event.yml +++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: unsupported # requires operand[0].number features + dynamic: thread att&ck: - Collection::Screen Capture [T1113] mbc: @@ -15,12 +15,22 @@ rule: - 3f3bbcf8fd90bdcdcdc5494314ed4225:0x402D10 features: - and: - - basic block: - - and: - - operand[0].number: 0x2C = VK_SNAPSHOT - - count(api(user32.keybd_event)): 2 - - or: - - operand[0].number: 0x3 = KEYEVENTF_KEYUP|KEYEVENTF_EXTENDEDKEY - - operand[0].number: 0x2 = KEYEVENTF_KEYUP + - or: + # static + - basic block: + - and: + - number: 0x2C = VK_SNAPSHOT + - count(api(user32.keybd_event)): 2 + - or: + - number: 0x3 = KEYEVENTF_KEYUP|KEYEVENTF_EXTENDEDKEY + - number: 0x2 = KEYEVENTF_KEYUP + # dynamic + - call: + - and: + - number: 0x2C = VK_SNAPSHOT + - count(api(user32.keybd_event)): 2 + - or: + - number: 0x3 = KEYEVENTF_KEYUP|KEYEVENTF_EXTENDEDKEY + - number: 0x2 = KEYEVENTF_KEYUP - match: read clipboard data - match: open clipboard From a6f3e4110a3e033baf4272b43bead021f71018c5 Mon Sep 17 00:00:00 2001 
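Review bot: Under the `# dynamic` branch, `count(api(user32.keybd_event)): 2` is nested inside a `call:` subscope, and the `scopes.dynamic` documentation added later in this series describes `call` as a single traced API call site, so a count of two keybd_event calls can presumably never be satisfied there and the dynamic branch would be unreachable. If that reading is right, drop the `- call:` wrapper and let the `- and:` sit directly under `# dynamic`, dedenting its children, so it is evaluated at the rule's `thread` scope (the static branch keeps its `basic block:` locality). The only entry in `examples:` is a static address, so nothing in the test set appears to exercise the new dynamic branch; a trace-based example would catch this.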
From: Willi Ballenthin Date: Tue, 14 Nov 2023 14:22:31 +0000 Subject: [PATCH 07/15] further dynamic scope tweaks --- .../debugger-detection/check-for-protected-handle-exception.yml | 1 + communication/socket/create-vmci-socket.yml | 2 +- host-interaction/file-system/exists/check-if-file-exists.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml index 1d2324893..0a64a2e82 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml @@ -16,6 +16,7 @@ rule: features: - and: - or: + - description: SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); - basic block: - and: - count(number(2)): 2 or more diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml index ae3892249..f2d536cc9 100644 --- a/communication/socket/create-vmci-socket.yml +++ b/communication/socket/create-vmci-socket.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: call mbc: - Communication::Socket Communication::Create Socket [C0001.003] references: diff --git a/host-interaction/file-system/exists/check-if-file-exists.yml b/host-interaction/file-system/exists/check-if-file-exists.yml index 8a98ca569..d11153078 100644 --- a/host-interaction/file-system/exists/check-if-file-exists.yml +++ b/host-interaction/file-system/exists/check-if-file-exists.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: unsupported # TODO dynamic scope could be adjusted + dynamic: call att&ck: - Discovery::File and Directory Discovery [T1083] mbc: 
From 3ce798ba598f07d97de6a8a55d08a19c726b2907 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Tue, 14 Nov 2023 14:33:26 +0000 Subject: [PATCH 08/15] fmt --- .../debugger-detection/check-process-job-object.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml index a7ab788d2..ef93144b0 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml @@ -35,4 +35,4 @@ rule: - call: - and: - api: kernel32.OpenProcess - - number: 0x400 = PROCESS_QUERY_INFORMATION \ No newline at end of file + - number: 0x400 = PROCESS_QUERY_INFORMATION From 696287da05b1890ff03bf8ed2ec62906afe2e1ce Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 15 Nov 2023 11:00:26 +0000 Subject: [PATCH 09/15] vmci: tweak required vs optional APIs --- communication/socket/create-vmci-socket.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml index f2d536cc9..1b55ad627 100644 --- a/communication/socket/create-vmci-socket.yml +++ b/communication/socket/create-vmci-socket.yml @@ -17,13 +17,13 @@ rule: - or: - and: - os: windows - - or: - - api: socket - - api: DeviceIoControl + - api: DeviceIoControl - number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE + - optional: + - api: socket - and: - os: linux - - or: - - api: socket - - api: ioctl + - api: ioctl - number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE + - optional: + - api: socket From 5e2dae155ff67edc7489dc779c6f8159285aecb9 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 24 Nov 2023 11:26:26 +0100 Subject: [PATCH 10/15] update scopes --- communication/socket/create-vmci-socket.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml index 1b55ad627..0a248e298 100644 --- a/communication/socket/create-vmci-socket.yml +++ b/communication/socket/create-vmci-socket.yml @@ -5,8 +5,8 @@ rule: authors: - jakub.jozwiak@mandiant.com scopes: - static: basic block - dynamic: call + static: function + dynamic: thread mbc: - Communication::Socket Communication::Create Socket [C0001.003] references: From 54308899027bf3c43e41067b0f986f1be55449ee Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 24 Nov 2023 11:51:37 +0100 Subject: [PATCH 11/15] update scopes --- .../anti-av/patch-antimalware-scan-interface-function.yml | 4 +++- .../encoding/encode-data-using-add-xor-sub-operations.yml | 4 +++- .../bundled-with-dotnet-single-file-deployment.yml | 4 +++- .../internal-dotnet-single-file-deployment-limitation.yml | 4 +++- nursery/access-camera-in-dotnet-on-android.yml | 4 +++- nursery/capture-microphone-audio-in-dotnet-on-android.yml | 4 +++- nursery/capture-screenshot-in-dotnet-on-android.yml | 4 +++- nursery/check-for-incoming-call-in-dotnet-on-android.yml | 4 +++- nursery/check-for-outgoing-call-in-dotnet-on-android.yml | 4 +++- nursery/compiled-with-xamarin.yml | 4 +++- nursery/get-os-version-in-dotnet-on-android.yml | 4 +++- 11 files changed, 33 insertions(+), 11 deletions(-) diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml index 14130f2db..446a093d8 100644 --- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml +++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-av authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc: 
diff --git a/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml b/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml index 6c4455c21..214e4fdd7 100644 --- a/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml +++ b/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml @@ -5,7 +5,9 @@ rule: authors: - jakub.jozwiak@mandiant.com description: Data encoding using a sequence of ADD/XOR/SUB (or SUB/XOR/ADD) operations common for PlugX but also used by other malware families. - scope: function + scopes: + static: function + dynamic: unsupported # requires basic block, characteristic, mnemonic features att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml b/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml index 799a0a57f..99054c850 100644 --- a/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml +++ b/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml @@ -4,7 +4,9 @@ rule: namespace: executable/dotnet-singlefile authors: - sara.rincon@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli - https://github.com/dotnet/runtime/blob/84de9b678613675e0444b265905c82d33dae33a8/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs diff --git a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml index f29348d02..a327840e7 100644 --- a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml +++ b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml 
@@ -11,7 +11,9 @@ rule: The size of the single file in a self-contained application is large since it includes the runtime and the framework libraries. The main application and the libraries are contained in the overlay section. You may need to extract the runtime configuration files such as *.deps.json and *.runtimeconfig.json files to determine the main .NET library and extract it with the tool SingleFileExtractor. - scope: file + scopes: + static: file + dynamic: file examples: - 0da87fccbf7687a6c7ab38087dea8b8f32c2b1fb6546101485b7167d18d9c406 features: diff --git a/nursery/access-camera-in-dotnet-on-android.yml b/nursery/access-camera-in-dotnet-on-android.yml index c2051be09..d4f24fff2 100644 --- a/nursery/access-camera-in-dotnet-on-android.yml +++ b/nursery/access-camera-in-dotnet-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/camera authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires .NET API feature features: - or: - api: Android.Hardware.Camera::Open diff --git a/nursery/capture-microphone-audio-in-dotnet-on-android.yml b/nursery/capture-microphone-audio-in-dotnet-on-android.yml index 802811f36..091ecdf60 100644 --- a/nursery/capture-microphone-audio-in-dotnet-on-android.yml +++ b/nursery/capture-microphone-audio-in-dotnet-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: collection/microphone authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires .NET API features features: - and: - api: Android.Media.AudioRecord::StartRecording diff --git a/nursery/capture-screenshot-in-dotnet-on-android.yml b/nursery/capture-screenshot-in-dotnet-on-android.yml index 7e5bbb149..e82529264 100644 --- a/nursery/capture-screenshot-in-dotnet-on-android.yml +++ b/nursery/capture-screenshot-in-dotnet-on-android.yml 
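Review bot: The `dynamic: unsupported` comments added for the .NET-on-Android rules are inconsistent: access-camera says `# requires .NET API feature`, capture-microphone says `# requires .NET API features`, and the incoming/outgoing-call rules say `# requires property` while get-os-version says `# requires class features`; the screenshot and call rules in the next hunk group have the same drift. Every other rule in this series uses the form `# requires <feature list> features`, so `# requires property features` and `# requires .NET API features` would keep them greppable. Also, `api:` is a supported dynamic feature elsewhere in the series, so if the real limitation is that no dynamic trace carries .NET/Android API calls, stating that directly (e.g. `# requires .NET/Android API trace features`) would be clearer than naming the feature type.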
@@ -4,7 +4,9 @@ rule: namespace: collection/screenshot authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires .NET API feature features: - or: - api: Android.Media.Projection.MediaProjectionManager::CreateScreenCaptureIntent diff --git a/nursery/check-for-incoming-call-in-dotnet-on-android.yml b/nursery/check-for-incoming-call-in-dotnet-on-android.yml index 3c45983ec..5158cf036 100644 --- a/nursery/check-for-incoming-call-in-dotnet-on-android.yml +++ b/nursery/check-for-incoming-call-in-dotnet-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires property features: - and: - property/read: Android.Content.Intent::Action diff --git a/nursery/check-for-outgoing-call-in-dotnet-on-android.yml b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml index 936e49ed1..722470071 100644 --- a/nursery/check-for-outgoing-call-in-dotnet-on-android.yml +++ b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires property features: - and: - property/read: Android.Content.Intent::Action diff --git a/nursery/compiled-with-xamarin.yml b/nursery/compiled-with-xamarin.yml index a7494eb28..7e71d3262 100644 --- a/nursery/compiled-with-xamarin.yml +++ b/nursery/compiled-with-xamarin.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/xamarin authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file features: - or: - namespace: Xamarin.Essentials diff --git a/nursery/get-os-version-in-dotnet-on-android.yml b/nursery/get-os-version-in-dotnet-on-android.yml index a946512b5..38c39fb0b 100644 --- a/nursery/get-os-version-in-dotnet-on-android.yml 
+++ b/nursery/get-os-version-in-dotnet-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/info authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unsupported # requires class features features: - and: - class: Android.OS.Build From 305adfd16bab08b2526596e56b50b638d8f4bf43 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 24 Nov 2023 11:53:19 +0100 Subject: [PATCH 12/15] graduate rule from nursery --- .../rc4}/encrypt-data-using-rc4-via-systemfunction032.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {nursery => data-manipulation/encryption/rc4}/encrypt-data-using-rc4-via-systemfunction032.yml (100%) diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml similarity index 100% rename from nursery/encrypt-data-using-rc4-via-systemfunction032.yml rename to data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml From 5a0d4df62c8a9d40aaf78565aee9c7b24bc08c7b Mon Sep 17 00:00:00 2001 From: Moritz Date: Tue, 28 Nov 2023 16:21:43 +0100 Subject: [PATCH 13/15] suggest to run on dynamic trace for packed samples (#852) * suggest to run on dynamic trace for packed samples --------- Co-authored-by: Willi Ballenthin --- internal/limitation/file/internal-packer-file-limitation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/limitation/file/internal-packer-file-limitation.yml b/internal/limitation/file/internal-packer-file-limitation.yml index 5e87b7e56..bd983a65a 100644 --- a/internal/limitation/file/internal-packer-file-limitation.yml +++ b/internal/limitation/file/internal-packer-file-limitation.yml 
@@ -8,8 +8,9 @@ rule: This sample appears to be packed. Packed samples have often been obfuscated to hide their logic. - capa cannot handle obfuscation well. This means the results may be misleading or incomplete. + capa cannot handle obfuscation well using static analysis. This means the results may be misleading or incomplete. If possible, you should try to unpack this input file before analyzing it with capa. + Alternatively, run the sample in a supported sandbox and invoke capa against the report to obtain dynamic analysis results. scopes: static: file dynamic: file From bdf01d6243b36c3f74d5290b6ffe7d07256a3916 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 29 Nov 2023 13:24:41 +0000 Subject: [PATCH 14/15] update rule format documentation with dynamic details (#851) * wip: update rule format documentation with dynamic details * format: add example links * format: reorganize features vs scopes * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz * format: table formatting * format: try to express scoping for features * Update doc/format.md Co-authored-by: Moritz * Update doc/format.md Co-authored-by: Moritz --------- Co-authored-by: Moritz --- doc/format.md | 360 +++++++++++++++++++++++++++++++++++++------------- 1 file changed, 265 insertions(+), 95 deletions(-) diff --git a/doc/format.md b/doc/format.md index 09a4db371..8d1256a64 100644 --- a/doc/format.md +++ b/doc/format.md 
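Review bot: The rewritten description line `capa cannot handle obfuscation well using static analysis.` reads as if capa were using static analysis to handle obfuscation; `capa's static analysis cannot handle obfuscation well.` states the limitation more directly. The new last sentence could also name the sandbox format capa accepts, since "a supported sandbox" gives an analyst nothing to act on; the documentation added later in this series mentions CAPE, so `run the sample in a supported sandbox (e.g., CAPE)` would be consistent with it.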
@@ -43,10 +43,24 @@ We'll start at the high level structure and then dig into the logic structures a - [rule format](#rule-format) - [yaml](#yaml) - [meta block](#meta-block) + - [rule name](#rule-name) + - [rule namespace](#rule-namespace) + - [analysis flavors](#analysis-flavors) - [features block](#features-block) - [extracted features](#extracted-features) - - [characteristic](#characteristic) - - [instruction features](#instruction-features) + - [static analysis scopes](#static-analysis-scopes) + - [instruction features](#instruction-features) + - [basic block features](#basic-block-features) + - [function features](#function-features) + - [dynamic analysis scopes](#dynamic-analysis-scopes) + - [call features](#call-features) + - [thread features](#thread-features) + - [process features](#process-features) + - [common scopes](#common-scopes) + - [file features](#file-features) + - [global features](#global-features) + - [complete feature listing](#complete-feature-listing) + - [characteristic](#characteristic) - [namespace](#namespace) - [class](#class) - [api](#api) @@ -57,9 +71,6 @@ We'll start at the high level structure and then dig into the logic structures a - [offset](#offset) - [mnemonic](#mnemonic) - [operand](#operand) - - [basic block features](#basic-block-features) - - [function features](#function-features) - - [file features](#file-features) - [string and substring](#file-string-and-substring) - [export](#export) - [import](#import) @@ -67,7 +78,6 @@ We'll start at the high level structure and then dig into the logic structures a - [function-name](#function-name) - [namespace](#namespace) - [class](#class) - - [global features](#global-features) - [os](#os) - [arch](#arch) - [format](#format) 
@@ -110,19 +120,20 @@ meta: name: packed with UPX namespace: anti-analysis/packer/upx authors: - - william.ballenthin@mandiant.com + - william.ballenthin@mandiant.com description: the sample appears to be packed with UPX - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027.002] mbc: - - Anti-Static Analysis::Software Packing + - Anti-Static Analysis::Software Packing examples: - CD2CBA9E6313E8DF2C1273593E649682 - Practical Malware Analysis Lab 01-02.exe_:0x0401000 ``` - Here are the common fields: - `name` is required. This string should uniquely identify the rule. More details below. 
@@ -133,14 +144,19 @@ Here are the common fields: - `description` is optional text that describes the intent or interpretation of the rule. - - `scope` indicates to which feature set this rule applies. - Here are the legal values: - - **`file`**: matches features across the whole file. - - **`function`** (default): match features within each function. - - **`basic block`**: matches features within each basic block. - This is used to achieve locality in rules (for example for parameters of a function). - - **`instruction`**: matches features found at a single instruction. - This is great to identify structure access or comparisons against magic constants. + - `scopes` indicates which feature set the rule applies to, when analyzing static or dynamic analysis artifacts. There are two required sub fields: `static` and `dynamic`. Here are the legal values: + - `scopes.static`: + - **`instruction`**: matches features found at a single instruction. + This is great to identify structure access or comparisons against magic constants. + - **`basic block`**: matches features within each basic block. + This is used to achieve close locality in rules (for example for parameters of a function). + - **`function`**: match features within each function. + - **`file`**: matches features across the whole file. + - `scopes.dynamic`: + - **`call`**: match features at each traced API call site, such as API name and argument values. + - **`thread`**: match features within each thread, such as sequence of API names. + - **`process`**: match features within each process. + - **`file`**: matches features across the whole file, including from the executable file features *and* across the entire runtime trace. - `att&ck` is an optional list of [ATT&CK framework](https://attack.mitre.org/) techniques that the rule implies, like `Discovery::Query Registry [T1012]` or `Persistence::Create or Modify System Process::Windows Service [T1543.003]`. 
@@ -252,6 +268,64 @@ rules/host-interaction/file-system/list The depth of the namespace tree is not limited, but we've found that 3-4 components is typically sufficient. +### analysis flavors + +capa analyzes capabilities found in both executable files and in API traces captured by sandboxes, such as CAPE. +We call these categories of analysis "flavors" and use "static analysis flavor" and "dynamic analysis flavor" to refer to them, respectively. Static analysis is great for reviewing the entire logic of a program and finding the interesting regions. Dynamic analysis via sandboxes helps bypass packing, which is very widespread in malware, and can better describe the actual runtime behavior of a program. We use the `meta.scopes.$flavor` key to specify how a rule interacts with a particular flavor. + +When possible, we try to write capa rules that work in both static and dynamic analysis flavors. +For example, here's a rule that matches in both flavors: + +```yml +rule: + meta: + name: create mutex + namespace: host-interaction/mutex + authors: + - moritz.raabe@mandiant.com + - michael.hunhoff@mandiant.com + scopes: + static: function + dynamic: call + features: + - or: + - api: kernel32.CreateMutex + - api: kernel32.CreateMutexEx + - api: System.Threading.Mutex::ctor +``` + +See how `create mutex` can be reasoned about both by inspecting the disassembly features (static analysis) as well as the runtime API trace (dynamic analysis)? + +On the other hand, some behaviors are best described by rules that work in only one scope. +Remember, its paramount that rules be human-readable, so avoid complicating logic for the sake of merging rules. 
+In this case, mark the excluded scope with `unsupported`, like in the following rule: + +```yml +rule: + meta: + name: check for software breakpoints + namespace: anti-analysis/anti-debugging/debugger-detection + authors: + - michael.hunhoff@mandiant.com + scopes: + static: function + dynamic: unsupported # requires mnemonic features + features: + - and: + - or: + - instruction: + - mnemonic: cmp + - number: 0xCC = INT3 + - match: contain loop +``` + +`check for software breakpoints` works great during disassembly analysis, where low-level instruction features can be matched, but doesn't work in dynamic scopes because these features aren't available. Hence, we mark the rule `scopes.dynamic: unsupported` so the rule won't be considered when processing sandbox traces. + +As you'll see in the [extracted features](#extracted-features) section, capa matches features at various scopes, starting small (e.g., `instruction`) and growing large (e.g., `file`). In static analysis, scopes grow from `instruction`, to `basic block`, `function`, and then `file`. In dynamic analysis, scopes grow from `call`, to `thread`, `process`, and then to `file`. + +When matching a sequence of API calls, the static scope is often `function` and the dynamic scope is `thread`. When matching a single API call with arguments, the static scope is usually `basic block` and the dynamic scope is `call`. One day we hope to support `call` scope directly in the static analysis flavor. + + ## features block This section declares logical statements about the features that must exist for the rule to match. 
@@ -288,49 +362,53 @@ If only one of these features is found in a function, the rule will not match. # extracted features -capa extracts features from multiple scopes, starting with the most specific (instruction) and working towards the most general: +capa matches features at multiple scopes, starting small (e.g., `instruction`) and growing large (e.g., `file`). In static analysis, scopes grow from `instruction`, to `basic block`, `function`, and then `file`. In dynamic analysis, scopes grow from `call`, to `thread`, `process`, and then to `file`: + +| static scope | best for... | +|--------------|------------------------------------------------------------------------------------------| +| instruction | specific combinations of mnemonics, operands, constants, etc. to find magic values | +| basic block | closely related instructions, such as structure access or function call arguments | +| function | collections of API calls, constants, etc. that suggest complete capabilities | +| file | high level conclusions, like encryptor, backdoor, or statically linked with some library | +| global | the features available at every scope, like architecture or OS | -| scope | best for... | -|-------------|------------------------------------------------------------------------------------------| -| instruction | specific combinations of mnemonics, operands, constants, etc. to find magic values | -| basic block | closely related instructions, such as structure access or function call arguments | -| function | collections of API calls, constants, etc. that suggest complete capabilities | -| file | high level conclusions, like encryptor, backdoor, or statically linked with some library | -| (global) | the features available at every scope, like arch or OS | +| dynamic scope | best for... 
| +|---------------|------------------------------------------------------------------------------------------| +| call | single API call and its arguments | +| thread | sequence of related API calls | +| process | combinations of other capabilities found within a (potentially multi-threaded) program | +| file | high level conclusions, like encryptor, backdoor, or statically linked with some library | +| global | the features available at every scope, like architecture or OS | In general, capa collects and merges the features from lower scopes into higher scopes; for example, features extracted from individual instructions are merged into the function scope that contains the instructions. This way, you can use the match results against instructions ("the constant X is for crypto algorithm Y") to recognize function-level capabilities ("crypto function Z"). - -### characteristic - -Characteristics are features that are extracted by the analysis engine. -They are one-off features that seem interesting to the authors. - -For example, the `characteristic: nzxor` feature describes non-zeroing XOR instructions. - -| characteristic | scope | description | -|--------------------------------------|------------------------------------|-------------| -| `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | -| `characteristic: forwarded export` | file | PE file has a forwarded export. | -| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | -| `characteristic: loop` | function | Function contains a loop. | -| `characteristic: recursive call` | function | Function is recursive. | -| `characteristic: calls from` | function | There are unique calls from this function. Best used like: `count(characteristic(calls from)): 3 or more` | -| `characteristic: calls to` | function | There are unique calls to this function. 
Best used like: `count(characteristic(calls to)): 3 or more` | -| `characteristic: tight loop` | basic block, function | A tight loop where a basic block branches to itself. | -| `characteristic: stack string` | basic block, function | There is a sequence of instructions that looks like stack string construction. | -| `characteristic: nzxor` | instruction, basic block, function | Non-zeroing XOR instruction | -| `characteristic: peb access` | instruction, basic block, function | Access to the process environment block (PEB), e.g. via fs:[30h], gs:[60h] | -| `characteristic: fs access` | instruction, basic block, function | Access to memory via the `fs` segment. | -| `characteristic: gs access` | instruction, basic block, function | Access to memory via the `gs` segment. | -| `characteristic: cross section flow` | instruction, basic block, function | Function contains a call/jump to a different section. This is commonly seen in unpacking stubs. | -| `characteristic: indirect call` | instruction, basic block, function | Indirect call instruction; for example, `call edx` or `call qword ptr [rsp+78h]`. | -| `characteristic: call $+5` | instruction, basic block, function | Call just past the current instruction. | -| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | - -## instruction features +| feature | static scope | dynamic scope | +|-----------------------------------|---------------------------------------------|--------------------------------| +| [api](#api) | instruction ↦ basic block ↦ function ↦ file | call ↦ thread ↦ process ↦ file | +| [string](#string-and-substring) | instruction ↦ ... | call ↦ ... | +| [bytes](#bytes) | instruction ↦ ... | call ↦ ... | +| [number](#number) | instruction ↦ ... | call ↦ ... | +| [characteristic](#characteristic) | instruction ↦ ... | - | +| [mnemonic](#mnemonic) | instruction ↦ ... 
| - | +| [operand](#operand) | instruction ↦ ... | - | +| [offset](#offset) | instruction ↦ ... | - | +| [com](#com) | instruction ↦ ... | - | +| [namespace](#namespace) | instruction ↦ ... | - | +| [class](#class) | instruction ↦ ... | - | +| [property](#property) | instruction ↦ ... | - | +| [export](#export) | file | file | +| [import](#import) | file | file | +| [section](#section) | file | file | +| [function-name](#function-name) | file | - | +| [os](#os) | global | global | +| [arch](#arch) | global | global | +| [format](#format) | global | global | + +## static analysis scopes + +### instruction features Instruction features stem from individual instructions, such as mnemonics, string references, or function calls. The following features are relevant at this scope and above: 
@@ -357,6 +435,109 @@ Also, the following [characteristics](#characteristic) are relevant at this scop - `call $+5` - `unmanaged call` +### basic block features + +Basic block features stem from combinations of features from the instruction scope that are found within the same basic block. + +Also, the following [characteristics](#characteristic) are relevant at this scope and above: + - `tight loop` + - `stack string` + +### function features + +Function features stem from combinations of features from the instruction and basic block scopes that are found within the same function. + +Also, the following [characteristics](#characteristic) are relevant at this scope and above: + - `loop` + - `recursive call` + - `calls from` + - `calls to` + +## dynamic analysis scopes + +### call features + +Call features are collected from individual sandbox trace events, such as API calls. +They're typically useful for matching against the API name and arguments (strings or integer constants). + +The following features are relevant at this scope and above: + + - [api](#api) + - [number](#number) + - [string and substring](#string-and-substring) + - [bytes](#bytes) + +### thread features + +Thread features stem from combinations of features from the call scopes that are found within the same thread. +This is useful for matching a sequence of API calls, such as `OpenFile`/`ReadFile`/`CloseFile`. + +There are no thread-specific features. + +### process features + +Process features are combinations of features from the thread scopes found within the same process. +This is useful for matching behaviors found across an entire program, even if its multi-threaded. + +There are no process-specific features. + +## common scopes + +### file features + +File features stem from the file structure, i.e. PE structure or the raw file data. + +Also, all features found in all functions (static) or all processes (dynamic) are collected into the file scope. 
+ +The following features are supported at this scope: + + - [string and substring](#file-string-and-substring) + - [export](#export) + - [import](#import) + - [section](#section) + - [function-name](#function-name) + - [namespace](#namespace) + - [class](#class) + +### global features + +Global features are extracted at all scopes. +These are features that may be useful to both disassembly and file structure interpretation, such as the targeted OS or architecture. +The following features are supported at this scope: + + - [os](#os) + - [arch](#arch) + - [format](#format) + +## complete feature listing + +### characteristic + +Characteristics are features that are extracted by the analysis engine. +They are one-off features that seem interesting to the authors. + +For example, the `characteristic: nzxor` feature describes non-zeroing XOR instructions. + +| characteristic | scope | description | +|--------------------------------------|------------------------------------|-----------------------------------------------------------------------------------------------------------| +| `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | +| `characteristic: forwarded export` | file | PE file has a forwarded export. | +| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | +| `characteristic: loop` | function | Function contains a loop. | +| `characteristic: recursive call` | function | Function is recursive. | +| `characteristic: calls from` | function | There are unique calls from this function. Best used like: `count(characteristic(calls from)): 3 or more` | +| `characteristic: calls to` | function | There are unique calls to this function. Best used like: `count(characteristic(calls to)): 3 or more` | +| `characteristic: tight loop` | basic block, function | A tight loop where a basic block branches to itself. 
| +| `characteristic: stack string` | basic block, function | There is a sequence of instructions that looks like stack string construction. | +| `characteristic: nzxor` | instruction, basic block, function | Non-zeroing XOR instruction | +| `characteristic: peb access` | instruction, basic block, function | Access to the process environment block (PEB), e.g. via fs:[30h], gs:[60h] | +| `characteristic: fs access` | instruction, basic block, function | Access to memory via the `fs` segment. | +| `characteristic: gs access` | instruction, basic block, function | Access to memory via the `gs` segment. | +| `characteristic: cross section flow` | instruction, basic block, function | Function contains a call/jump to a different section. This is commonly seen in unpacking stubs. | +| `characteristic: indirect call` | instruction, basic block, function | Indirect call instruction; for example, `call edx` or `call qword ptr [rsp+78h]`. | +| `characteristic: call $+5` | instruction, basic block, function | Call just past the current instruction. | +| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | + ### namespace A named namespace used by the logic of the program. @@ -377,6 +558,9 @@ Example: class: System.IO.File class: System.Net.WebResponse +Example rule: [create new application domain in .NET](../host-interaction/memory/create-new-application-domain-in-dotnet.yml) + + ### api A call to a named function, probably an import, though possibly a local function (like `malloc`) extracted via function signature matching like FLIRT. 
@@ -398,6 +582,8 @@ Example: api: System.Net.WebResponse::GetResponseStream api: System.Threading.Mutex::ctor # match creation System.Threading.Mutex object +Example rule: [switch active desktop](../host-interaction/gui/switch-active-desktop.yml) + ### property A member of a class or structure used by the logic of a program. This must include the member's class and namespace if recoverable. @@ -408,6 +594,8 @@ Example: property/read: System.Environment::OSVersion property/write: System.Net.WebRequest::Proxy +Example rule: [enumere GUI resources](../host-interaction/gui/enumerate-gui-resources.yml) + ### number A number used by the logic of the program. This should not be a stack or structure offset. @@ -436,6 +624,8 @@ If the number is only relevant on a particular architecture, don't hesitate to u - number: 4 = size of pointer ``` +Example rule: [get disk size](../host-interaction/hardware/storage/get-disk-size.yml) + ### string and substring A string referenced by the logic of the program. This is probably a pointer to an ASCII or Unicode string. @@ -480,6 +670,8 @@ Examples: Note that regex and substring matching is expensive (`O(features)` rather than `O(1)`) so they should be used sparingly. +Example rule: [identify ATM dispenser service provider](../targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml) + ### bytes A sequence of bytes referenced by the logic of the program. The provided sequence must match from the beginning of the referenced bytes and be no more than `0x100` bytes. 
@@ -503,6 +695,8 @@ Example rule elements: bytes: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink bytes: EE 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = IID_IShellLink +Example rule: [hash data using Whirlpool](../nursery/hash-data-using-whirlpool.yml) + ### com COM features represent Component Object Model (COM) interfaces and classes used in the program's logic. They help identify interactions with COM objects, methods, properties, and interfaces. The parameter is the name of the COM class or interface. This feature allows you to list human-readable names instead of the byte representations found in the program. @@ -565,7 +759,8 @@ Examples: mnemonic: xor mnemonic: shl - + +Example rule: [check for trap flag exception](../anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml) ### operand 
@@ -577,36 +772,7 @@ Examples: operand[0].number: 0x10 operand[1].offset: 0x2C -## basic block features -Basic block features stem from combinations of features from the instruction scope that are found within the same basic block. - -Also, the following [characteristics](#characteristic) are relevant at this scope and above: - - `tight loop` - - `stack string` - - -## function features -Function features stem from combinations of features from the instruction and basic block scopes that are found within the same function. - -Also, the following [characteristics](#characteristic) are relevant at this scope and above: - - `loop` - - `recursive call` - - `calls from` - - `calls to` - - -## file features - -File features stem from the file structure, i.e. PE structure or the raw file data. -The following features are supported at this scope: - - - [string and substring](#file-string-and-substring) - - [export](#export) - - [import](#import) - - [section](#section) - - [function-name](#function-name) - - [namespace](#namespace) - - [class](#class) +Example rule: [encrypt data using XTEA](../data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml) ### file string and substring @@ -639,6 +805,8 @@ To specify a [forwarded export](https://devblogs.microsoft.com/oldnewthing/20060 export: "c:/windows/system32/version.GetFileVersionInfoA" export: "vresion.GetFileVersionInfoA" +Example rule: [act as password filter DLL](../persistence/authentication-process/act-as-password-filter-dll.yml) + ### import The name of a routine imported from a shared library. These can include DLL names that are checked during matching. 
@@ -650,6 +818,8 @@ Examples: import: kernel32.#22 # by ordinal import: System.IO.File::Exists +Example rule: [load NCR ATM library](../targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml) + ### function-name The name of a recognized statically-linked library, such as recovered via FLIRT, or a name extracted from information contained in the file, such as .NET metadata. @@ -660,6 +830,8 @@ Examples: function-name: "?FillEncTable@Base@Rijndael@CryptoPP@@KAXXZ" function-name: Malware.Backdoor::Beacon +Example rule: [execute via .NET startup hook](../runtime/dotnet/execute-via-dotnet-startup-hook.yml) + ### section The name of a section in a structured file. @@ -669,15 +841,7 @@ Examples: section: .rsrc -## global features - -Global features are extracted at all scopes. -These are features that may be useful to both disassembly and file structure interpretation, such as the targeted OS or architecture. -The following features are supported at this scope: - - - [os](#os) - - [arch](#arch) - - [format](#format) +Example rule: [compiled with DMD](../compiler/d/compiled-with-dmd.yml) ### os @@ -727,6 +891,8 @@ Valid OSes: Note: you can match any valid OS by not specifying an `os` feature or by using `any`, e.g. `- os: any`. +Example rule: [discover group policy via gpresult](../collection/group-policy/discover-group-policy-via-gpresult.yml) + ### arch The name of the CPU architecture on which the sample runs. @@ -769,6 +935,8 @@ However, this can be useful if you have groups of many architecture-specific off This can be easier to understand than using many `offset/x32` or `offset/x64` features. +Example rule: [get process heap flags](../host-interaction/process/get-process-heap-flags.yml) + ### format The name of the file format. @@ -778,6 +946,8 @@ Valid formats: - `elf` - `dotnet` +Example rule: [access .NET resource](../executable/resource/access-dotnet-resource.yml) + ## counting Many rules will inspect the feature set for a select combination of features; 
From bebddeae1e4cf33e77ef916a226d5a8c7b1f1909 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Wed, 29 Nov 2023 14:38:14 +0100
Subject: [PATCH 15/15] update scopes
---
 data-manipulation/compression/create-cabinet-on-windows.yml | 4 +++-
 data-manipulation/compression/extract-cabinet-on-windows.yml | 4 +++-
 ...create-file-decompression-interface-context-on-windows.yml | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
index 7b259c6f1..bf192b0d9 100644
--- a/data-manipulation/compression/create-cabinet-on-windows.yml
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -5,7 +5,9 @@ rule:
 authors:
 - michael.hunhoff@mandiant.com
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
index b371b1a65..8c674532f 100644
--- a/data-manipulation/compression/extract-cabinet-on-windows.yml
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -4,7 +4,9 @@ rule:
 namespace: data-manipulation/compression
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 mbc:
diff --git a/lib/create-file-decompression-interface-context-on-windows.yml b/lib/create-file-decompression-interface-context-on-windows.yml
index b9a2bd5f3..9be8805b8 100644
--- a/lib/create-file-decompression-interface-context-on-windows.yml
+++ b/lib/create-file-decompression-interface-context-on-windows.yml
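Review bot: The new `dynamic: thread` lines in both cabinet rules (and the `dynamic: call` line in the lib rule in the following hunk) carry no rationale, and the `features:` block that would justify choosing `thread` over `call` lies outside these hunks, so the scope choice cannot be checked from the diff alone. The format documentation earlier in this series annotates the scope in-line (`dynamic: unsupported # requires mnemonic features`); following that convention here, e.g. `dynamic: thread # sequence of related API calls`, would make the choice reviewable without opening the rule. Presumably `thread` was picked because these two rules match several related API calls while the lib rule matches a single call; if either cabinet rule actually matches one API with its arguments, the documentation's own guidance would point to `call` instead. Replacing `scope:` with `scopes:` also changes the rule schema, so these files will presumably no longer load on a capa release that only understands the old key — worth confirming the minimum supported version is stated somewhere in the rule set.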
@@ -4,7 +4,9 @@ rule:
 authors:
 - jakub.jozwiak@mandiant.com
 lib: true
- scope: function
+ scopes:
+ static: function
+ dynamic: call
 references:
 - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
 examples: