use sequence scope instead of thread scope for "static: function" rules

mandiant · Dec 17, 2024 · 20e80d8 · 20e80d8
1 parent e033410
commit 20e80d8
Show file tree

Hide file tree

Showing 343 changed files with 343 additions and 343 deletions.
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
     mbc:

diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:

diff --git a/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:

diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule:
     description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Indicator Removal [T1070]
     references:

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
     examples:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule:
       - "[email protected]"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
     examples:

diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:

diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Collection::Data from Information Repositories [T1213]
     examples:

diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Collection::Data from Information Repositories [T1213]
     examples:

diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     examples: