use sequence scope instead of thread scope for "static: basic block" …

…rules
mandiant · Dec 17, 2024 · 1f4c7a4 · 1f4c7a4
1 parent 20e80d8
commit 1f4c7a4
Show file tree

Hide file tree

Showing 19 changed files with 19 additions and 19 deletions.
diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Network Configuration Discovery [T1016]
     examples:

diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Communication::HTTP Communication::Send Data [C0002.005]
     examples:

diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Communication::Socket Communication::Create Socket [C0001.003]
     references:

diff --git a/host-interaction/driver/complete-processing-asynchronous-io-request.yml b/host-interaction/driver/complete-processing-asynchronous-io-request.yml
@@ -7,7 +7,7 @@ rule:
     description: signals that driver has finished all processing for a given IRP (part of major function)
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     examples:
       - Practical Malware Analysis Lab 10-03.sys_:0x10666
   features:

diff --git a/host-interaction/driver/interact-with-driver-via-ioctl.yml b/host-interaction/driver/interact-with-driver-via-ioctl.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     examples:
       - Practical Malware Analysis Lab 10-03.exe_:0x40108c
   features:

diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     examples:
       - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC
   features:

diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Process::Check Mutex [C0043]
     examples:

diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Memory::Allocate Memory [C0007]
     examples:

diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::Process Discovery [T1057]
     references:

diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Privilege Escalation::Access Token Manipulation [T1134]
     examples:

diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml
@@ -9,7 +9,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Process::Create Thread [C0038]
     examples:

diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml
@@ -6,7 +6,7 @@ rule:
       - "[email protected]"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
   features:
     - or:
       - and:

diff --git a/nursery/hook-routines-via-lsplant.yml b/nursery/hook-routines-via-lsplant.yml
@@ -7,7 +7,7 @@ rule:
     description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://github.com/LSPosed/LSPlant
   features:

diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - or: