From 20e80d8c740b6b27a4764a0020628ae9800dfdf0 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin Date: Tue, 17 Dec 2024 10:25:49 +0000 Subject: [PATCH] use sequence scope instead of thread scope for "static: function" rules --- README.md | 2 +- .../anti-av/overwrite-dll-text-section-to-remove-hooks.yml | 2 +- .../anti-av/patch-antimalware-scan-interface-function.yml | 2 +- .../anti-av/patch-event-tracing-for-windows-function.yml | 2 +- .../debugger-detection/check-for-protected-handle-exception.yml | 2 +- .../check-for-time-delay-via-queryperformancecounter.yml | 2 +- .../debugger-detection/check-process-job-object.yml | 2 +- .../debugger-evasion/hide-thread-from-debugger.yml | 2 +- .../wine/check-if-process-is-running-under-wine.yml | 2 +- .../anti-forensic/clear-logs/clear-windows-event-logs.yml | 2 +- .../anti-forensic/impersonate-file-version-information.yml | 2 +- .../self-deletion/self-delete-using-alternate-data-streams.yml | 2 +- anti-analysis/anti-forensic/self-deletion/self-delete.yml | 2 +- anti-analysis/anti-forensic/timestomp/timestomp-file.yml | 2 +- .../vm-detection/check-for-microsoft-office-emulation.yml | 2 +- .../vm-detection/check-for-sandbox-username-or-hostname.yml | 2 +- .../check-for-windows-sandbox-via-genuine-state.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-process-name.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-registry.yml | 2 +- .../vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml | 2 +- .../detect-vm-via-motherboard-hardware-wmi-queries.yml | 2 +- .../acquire-credentials-from-windows-credential-manager.yml | 2 +- collection/browser/gather-firefox-profile-information.yml | 2 +- collection/database/sql/reference-sql-statements.yml | 2 +- collection/database/wmi/reference-wmi-statements.yml | 2 +- collection/file-managers/gather-3d-ftp-information.yml | 2 +- collection/file-managers/gather-alftp-information.yml | 2 +- collection/file-managers/gather-bitkinex-information.yml | 2 +- collection/file-managers/gather-blazeftp-information.yml | 2 +- 
collection/file-managers/gather-bulletproof-ftp-information.yml | 2 +- collection/file-managers/gather-classicftp-information.yml | 2 +- collection/file-managers/gather-coreftp-information.yml | 2 +- collection/file-managers/gather-cuteftp-information.yml | 2 +- collection/file-managers/gather-cyberduck-information.yml | 2 +- collection/file-managers/gather-direct-ftp-information.yml | 2 +- collection/file-managers/gather-directory-opus-information.yml | 2 +- collection/file-managers/gather-expandrive-information.yml | 2 +- .../file-managers/gather-faststone-browser-information.yml | 2 +- collection/file-managers/gather-fasttrack-ftp-information.yml | 2 +- collection/file-managers/gather-ffftp-information.yml | 2 +- collection/file-managers/gather-filezilla-information.yml | 2 +- collection/file-managers/gather-flashfxp-information.yml | 2 +- collection/file-managers/gather-fling-ftp-information.yml | 2 +- collection/file-managers/gather-freshftp-information.yml | 2 +- collection/file-managers/gather-frigate3-information.yml | 2 +- collection/file-managers/gather-ftp-commander-information.yml | 2 +- collection/file-managers/gather-ftp-explorer-information.yml | 2 +- collection/file-managers/gather-ftp-voyager-information.yml | 2 +- collection/file-managers/gather-ftpgetter-information.yml | 2 +- collection/file-managers/gather-ftpinfo-information.yml | 2 +- collection/file-managers/gather-ftpnow-information.yml | 2 +- collection/file-managers/gather-ftprush-information.yml | 2 +- collection/file-managers/gather-ftpshell-information.yml | 2 +- .../file-managers/gather-global-downloader-information.yml | 2 +- collection/file-managers/gather-goftp-information.yml | 2 +- collection/file-managers/gather-leapftp-information.yml | 2 +- collection/file-managers/gather-netdrive-information.yml | 2 +- collection/file-managers/gather-nexusfile-information.yml | 2 +- collection/file-managers/gather-nova-ftp-information.yml | 2 +- 
collection/file-managers/gather-robo-ftp-information.yml | 2 +- collection/file-managers/gather-securefx-information.yml | 2 +- collection/file-managers/gather-smart-ftp-information.yml | 2 +- collection/file-managers/gather-softx-ftp-information.yml | 2 +- .../file-managers/gather-southriver-webdrive-information.yml | 2 +- collection/file-managers/gather-staff-ftp-information.yml | 2 +- collection/file-managers/gather-total-commander-information.yml | 2 +- collection/file-managers/gather-turbo-ftp-information.yml | 2 +- collection/file-managers/gather-ultrafxp-information.yml | 2 +- collection/file-managers/gather-winscp-information.yml | 2 +- collection/file-managers/gather-winzip-information.yml | 2 +- collection/file-managers/gather-wise-ftp-information.yml | 2 +- collection/file-managers/gather-ws-ftp-information.yml | 2 +- collection/file-managers/gather-xftp-information.yml | 2 +- collection/get-geographical-location.yml | 2 +- collection/group-policy/discover-group-policy-via-gpresult.yml | 2 +- collection/keylog/log-keystrokes.yml | 2 +- collection/microphone/capture-microphone-audio.yml | 2 +- collection/network/capture-packets-using-sharppcap.yml | 2 +- collection/network/capture-public-ip.yml | 2 +- collection/network/get-domain-trust-relationships.yml | 2 +- collection/network/get-mac-address-on-windows.yml | 2 +- collection/screenshot/capture-screenshot-via-keybd-event.yml | 2 +- collection/screenshot/capture-screenshot.yml | 2 +- collection/webcam/capture-webcam-image.yml | 2 +- communication/c2/file-transfer/download-and-write-a-file.yml | 2 +- communication/c2/file-transfer/write-and-execute-a-file.yml | 2 +- communication/c2/shell/create-reverse-shell-on-linux.yml | 2 +- communication/c2/shell/create-reverse-shell.yml | 2 +- .../c2/shell/execute-shell-command-and-capture-output.yml | 2 +- .../execute-shell-command-received-from-socket-on-linux.yml | 2 +- communication/ftp/send/send-file-using-ftp.yml | 2 +- 
communication/http/client/connect-to-http-server.yml | 2 +- communication/http/client/connect-to-url.yml | 2 +- communication/http/client/create-http-request.yml | 2 +- .../decompress-http-response-via-iencodingfilterfactory.yml | 2 +- communication/http/client/read-data-from-internet.yml | 2 +- communication/http/client/receive-http-response.yml | 2 +- communication/http/client/send-http-request.yml | 2 +- communication/http/reference-http-user-agent-string.yml | 2 +- communication/http/server/receive-http-request.yml | 2 +- communication/http/server/start-http-server.yml | 2 +- communication/http/set-http-header.yml | 2 +- communication/icmp/send-icmp-echo-request.yml | 2 +- communication/mailslot/create-mailslot.yml | 2 +- communication/mailslot/read-from-mailslot.yml | 2 +- communication/named-pipe/create/create-two-anonymous-pipes.yml | 2 +- communication/named-pipe/read/read-pipe.yml | 2 +- communication/named-pipe/write/write-pipe.yml | 2 +- communication/receive-data.yml | 2 +- communication/send-data.yml | 2 +- communication/socket/tcp/connect-tcp-socket.yml | 2 +- communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml | 2 +- communication/tcp/client/act-as-tcp-client.yml | 2 +- communication/tcp/serve/start-tcp-server.yml | 2 +- compiler/perl2exe/compiled-with-perl2exe.yml | 2 +- data-manipulation/compression/compress-data-using-lzo.yml | 2 +- data-manipulation/compression/compress-data-via-winapi.yml | 2 +- data-manipulation/compression/create-cabinet-on-windows.yml | 2 +- data-manipulation/compression/extract-cabinet-on-windows.yml | 2 +- .../encryption/aes/encrypt-data-using-aes-via-winapi.yml | 2 +- .../encryption/des/encrypt-data-using-des-via-winapi.yml | 2 +- .../encryption/encrypt-data-using-memfrob-from-glibc.yml | 2 +- .../encryption/encrypt-or-decrypt-via-wincrypt.yml | 2 +- data-manipulation/encryption/import-public-key.yml | 2 +- .../rc4/encrypt-data-using-rc4-via-systemfunction032.yml | 2 +- 
.../rc4/encrypt-data-using-rc4-via-systemfunction033.yml | 2 +- .../encryption/rc4/encrypt-data-using-rc4-via-winapi.yml | 2 +- data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml | 2 +- data-manipulation/encryption/rsa/reference-public-rsa-key.yml | 2 +- data-manipulation/hashing/hash-data-via-wincrypt.yml | 2 +- data-manipulation/hashing/md5/hash-data-with-md5.yml | 2 +- data-manipulation/hashing/sha1/hash-data-using-sha1.yml | 2 +- data-manipulation/hashing/sha224/hash-data-using-sha224.yml | 2 +- data-manipulation/hashing/sha256/hash-data-using-sha256.yml | 2 +- data-manipulation/hashing/sha384/hash-data-using-sha384.yml | 2 +- data-manipulation/hashing/sha512/hash-data-using-sha512.yml | 2 +- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 2 +- data-manipulation/prng/generate-random-numbers-via-winapi.yml | 2 +- .../generate-random-numbers-using-a-mersenne-twister.yml | 2 +- executable/resource/access-dotnet-resource.yml | 2 +- executable/resource/extract-resource-via-kernel32-functions.yml | 2 +- host-interaction/bootloader/disable-code-signing.yml | 2 +- host-interaction/bootloader/manipulate-boot-configuration.yml | 2 +- host-interaction/bootloader/manipulate-safe-mode-programs.yml | 2 +- host-interaction/clipboard/open-clipboard.yml | 2 +- host-interaction/clipboard/read-clipboard-data.yml | 2 +- host-interaction/clipboard/write-clipboard-data.yml | 2 +- host-interaction/console/manipulate-console-buffer.yml | 2 +- host-interaction/driver/create-device-object.yml | 2 +- host-interaction/driver/disable-driver-code-integrity.yml | 2 +- .../environment-variable/get-comspec-environment-variable.yml | 2 +- host-interaction/file-system/bypass-mark-of-the-web.yml | 2 +- .../file-system/create-virtual-file-system-in-dotnet.yml | 2 +- host-interaction/file-system/delete/delete-file.yml | 2 +- .../file-system/files/list/enumerate-files-on-linux.yml | 2 +- .../file-system/files/list/enumerate-files-on-windows.yml | 2 +- 
host-interaction/file-system/meta/get-file-version-info.yml | 2 +- host-interaction/file-system/read/read-file-on-linux.yml | 2 +- host-interaction/file-system/read/read-file-on-windows.yml | 2 +- host-interaction/file-system/read/read-file-via-mapping.yml | 2 +- host-interaction/file-system/read/read-ini-file.yml | 2 +- host-interaction/file-system/read/read-virtual-disk.yml | 2 +- .../windows-file-protection/bypass-windows-file-protection.yml | 2 +- host-interaction/file-system/write/write-file-on-linux.yml | 2 +- host-interaction/filter/enumerate-minifilter-drivers.yml | 2 +- .../modify/access-firewall-policy-via-inetfwpolicy2.yml | 2 +- .../modify/access-firewall-rule-properties-via-inetfwrule.yml | 2 +- host-interaction/gui/session/lock/lock-the-desktop.yml | 2 +- host-interaction/gui/switch-active-desktop.yml | 2 +- host-interaction/gui/taskbar/find/find-taskbar.yml | 2 +- host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml | 2 +- .../gui/window/get-text/get-graphical-window-text.yml | 2 +- host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml | 2 +- host-interaction/hardware/cpu/get-cpu-information.yml | 2 +- host-interaction/hardware/cpu/get-number-of-processor-cores.yml | 2 +- host-interaction/hardware/keyboard/get-keyboard-layout.yml | 2 +- host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml | 2 +- host-interaction/hardware/memory/get-memory-information.yml | 2 +- host-interaction/hardware/storage/get-disk-size.yml | 2 +- host-interaction/log/clfs/read-data-from-clfs-log-container.yml | 2 +- host-interaction/mutex/check-mutex-and-exit.yml | 2 +- host-interaction/mutex/create-semaphore-on-linux.yml | 2 +- host-interaction/mutex/lock-semaphore-on-linux.yml | 2 +- host-interaction/mutex/unlock-semaphore-on-linux.yml | 2 +- host-interaction/network/address/get-local-ipv4-addresses.yml | 2 +- .../network/connectivity/set-tcp-connection-state.yml | 2 +- .../network/domain/enumerate-domain-computers-via-ldap.yml | 2 +- 
host-interaction/network/domain/get-domain-controller-name.yml | 2 +- .../network/interface/get-networking-interfaces.yml | 2 +- .../traffic/filter/enumerate-network-filters-via-wfp-api.yml | 2 +- host-interaction/os/info/get-system-information-on-windows.yml | 2 +- host-interaction/os/version/get-kernel-version.yml | 2 +- host-interaction/os/version/get-linux-distribution.yml | 2 +- .../process/inject/allocate-user-process-rwx-memory.yml | 2 +- host-interaction/process/inject/attach-user-process-memory.yml | 2 +- host-interaction/process/inject/free-user-process-memory.yml | 2 +- host-interaction/process/inject/hijack-thread-execution.yml | 2 +- host-interaction/process/inject/inject-apc.yml | 2 +- host-interaction/process/inject/inject-dll.yml | 2 +- .../inject/inject-shellcode-using-a-file-mapping-object.yml | 2 +- .../inject/inject-shellcode-using-extra-window-memory.yml | 2 +- .../inject/inject-shellcode-using-window-subclass-procedure.yml | 2 +- host-interaction/process/inject/inject-thread.yml | 2 +- host-interaction/process/inject/use-process-replacement.yml | 2 +- .../list/enumerate-processes-on-remote-desktop-session-host.yml | 2 +- host-interaction/process/list/enumerate-processes.yml | 2 +- host-interaction/process/list/find-process-by-pid.yml | 2 +- host-interaction/process/map-section-object.yml | 2 +- host-interaction/process/modify/modify-access-privileges.yml | 2 +- .../process/modules/list/enumerate-process-modules.yml | 2 +- host-interaction/process/terminate/terminate-process.yml | 2 +- host-interaction/registry/delete/delete-registry-key.yml | 2 +- host-interaction/registry/delete/delete-registry-value.yml | 2 +- host-interaction/registry/query-or-enumerate-registry-key.yml | 2 +- host-interaction/registry/query-or-enumerate-registry-value.yml | 2 +- .../registry/set-registry-key-via-offline-registry-library.yml | 2 +- host-interaction/service/continue-service.yml | 2 +- host-interaction/service/create/create-service.yml | 2 +- 
host-interaction/service/delete/delete-service.yml | 2 +- host-interaction/service/modify/modify-service.yml | 2 +- host-interaction/service/pause-service.yml | 2 +- host-interaction/service/start/start-service.yml | 2 +- host-interaction/service/stop/stop-service.yml | 2 +- host-interaction/session/get-current-user-on-linux.yml | 2 +- host-interaction/session/get-logon-sessions.yml | 2 +- host-interaction/session/get-session-integrity-level.yml | 2 +- host-interaction/session/get-session-user-name.yml | 2 +- host-interaction/session/get-token-membership.yml | 2 +- host-interaction/thread/list/enumerate-threads.yml | 2 +- host-interaction/thread/tls/set-thread-local-storage-value.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-rpc.yml | 2 +- .../uac/bypass/bypass-uac-via-token-manipulation.yml | 2 +- impact/inhibit-system-recovery/delete-volume-shadow-copies.yml | 2 +- impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml | 2 +- lib/create-or-open-section-object.yml | 2 +- linking/runtime-linking/link-many-functions-at-runtime.yml | 2 +- load-code/pe/access-pe-header.yml | 2 +- load-code/pe/inspect-section-memory-permissions.yml | 2 +- load-code/powershell/run-powershell-expression.yml | 2 +- load-code/shellcode/execute-shellcode-via-copyfile2.yml | 2 +- .../shellcode/execute-shellcode-via-createthreadpoolwait.yml | 2 +- .../execute-shellcode-via-windows-callback-function.yml | 2 +- load-code/shellcode/execute-shellcode-via-windows-fibers.yml | 2 +- load-code/shellcode/spawn-thread-to-rwx-shellcode.yml | 2 +- malware-family/plugx/match-known-plugx-module.yml | 2 +- nursery/access-wmi-data-in-dotnet.yml | 2 +- nursery/add-value-to-global-atom-table.yml | 2 +- nursery/append-data-to-clfs-log-container.yml | 2 +- nursery/build-docker-image.yml | 2 +- nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml | 2 +- 
nursery/bypass-uac-via-scheduled-task-environment-variable.yml | 2 +- nursery/capture-webcam-video.yml | 2 +- nursery/check-for-process-debug-object.yml | 2 +- nursery/check-for-windows-sandbox-via-mutex.yml | 2 +- nursery/check-license-value.yml | 2 +- nursery/collect-ssh-keys.yml | 2 +- nursery/compile-csharp-in-dotnet.yml | 2 +- nursery/compile-visual-basic-in-dotnet.yml | 2 +- nursery/connect-network-resource.yml | 2 +- nursery/create-container.yml | 2 +- nursery/create-process-via-wmi-in-dotnet.yml | 2 +- nursery/create-registry-key-via-stdregprov.yml | 2 +- nursery/delete-internet-cache.yml | 2 +- nursery/delete-registry-key-via-stdregprov.yml | 2 +- nursery/delete-registry-value-via-stdregprov.yml | 2 +- nursery/destroy-software-breakpoint-capability.yml | 2 +- nursery/display-service-notification-message-box.yml | 2 +- nursery/enable-safe-mode-boot.yml | 2 +- nursery/encrypt-data-using-salsa20-or-chacha.yml | 2 +- nursery/encrypt-or-decrypt-data-via-bcrypt.yml | 2 +- nursery/enumerate-device-drivers-on-linux.yml | 2 +- nursery/enumerate-device-drivers-on-windows.yml | 2 +- nursery/enumerate-disk-volumes.yml | 2 +- nursery/enumerate-files-in-dotnet.yml | 2 +- nursery/enumerate-internet-cache.yml | 2 +- nursery/enumerate-network-shares.yml | 2 +- nursery/enumerate-processes-that-use-resource.yml | 2 +- nursery/enumerate-processes-via-procfs.yml | 2 +- nursery/execute-sqlite-statement-in-dotnet.yml | 2 +- nursery/get-client-handle-via-schannel.yml | 2 +- nursery/get-current-process-command-line.yml | 2 +- nursery/get-mac-address-in-dotnet.yml | 2 +- nursery/get-mac-address-on-linux.yml | 2 +- nursery/get-os-information-via-kuser_shared_data.yml | 2 +- nursery/get-proxy.yml | 2 +- nursery/get-session-information.yml | 2 +- nursery/get-storage-device-properties.yml | 2 +- nursery/get-system-information-on-linux.yml | 2 +- nursery/get-token-privileges.yml | 2 +- nursery/hash-data-using-ripemd256.yml | 2 +- nursery/hash-data-using-ripemd320.yml | 2 +- 
nursery/hash-data-using-sha1-via-wincrypt.yml | 2 +- nursery/hash-data-using-sha512managed-in-dotnet.yml | 2 +- nursery/hash-data-via-bcrypt.yml | 2 +- nursery/hook-routines-via-microsoft-detours.yml | 2 +- nursery/impersonate-user.yml | 2 +- nursery/initialize-hashing-via-wincrypt.yml | 2 +- nursery/link-function-at-runtime-on-linux.yml | 2 +- nursery/list-containers.yml | 2 +- nursery/list-drag-and-drop-files.yml | 2 +- nursery/load-packed-dex-via-jiagu-on-android.yml | 2 +- nursery/log-keystrokes-via-input-method-manager.yml | 2 +- nursery/make-an-http-request-with-a-cookie.yml | 2 +- nursery/migrate-process-to-active-window-station.yml | 2 +- nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml | 2 +- nursery/persist-via-gnome-autostart-on-linux.yml | 2 +- nursery/prompt-user-for-credentials.yml | 2 +- nursery/query-or-enumerate-registry-key-via-stdregprov.yml | 2 +- nursery/query-or-enumerate-registry-value-via-stdregprov.yml | 2 +- nursery/read-and-send-data-from-client-to-server.yml | 2 +- nursery/read-process-memory.yml | 2 +- nursery/receive-and-write-data-from-server-to-client.yml | 2 +- nursery/reference-114dns-dns-server.yml | 2 +- nursery/reference-alidns-dns-server.yml | 2 +- nursery/reference-cloudflare-dns-server.yml | 2 +- nursery/reference-comodo-secure-dns-server.yml | 2 +- nursery/reference-google-public-dns-server.yml | 2 +- nursery/reference-hurricane-electric-dns-server.yml | 2 +- nursery/reference-kornet-dns-server.yml | 2 +- nursery/reference-l3-dns-server.yml | 2 +- nursery/reference-opendns-dns-server.yml | 2 +- nursery/reference-quad9-dns-server.yml | 2 +- nursery/reference-verisign-dns-server.yml | 2 +- nursery/resolve-function-by-djb2-hash.yml | 2 +- nursery/resolve-function-by-fnv-1a-hash.yml | 2 +- nursery/resolve-function-by-hash.yml | 2 +- nursery/run-in-container.yml | 2 +- nursery/send-data-to-internet.yml | 2 +- nursery/send-http-request-with-host-header.yml | 2 +- nursery/send-request-in-dotnet.yml | 2 +- 
nursery/set-registry-value-via-stdregprov.yml | 2 +-
 nursery/terminate-process-by-name-in-dotnet.yml | 2 +-
 nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml | 2 +-
 persistence/exchange/act-as-exchange-transport-agent.yml | 2 +-
 persistence/persist-via-desktop-autostart.yml | 2 +-
 persistence/persist-via-shell-profile-or-rc-file.yml | 2 +-
 .../disable-appinit_dlls-code-signature-enforcement.yml | 2 +-
 persistence/service/persist-via-rc-script.yml | 2 +-
 persistence/startup-folder/write-file-to-startup-folder.yml | 2 +-
 .../ncr/reference-ncr-atm-library-routines.yml | 2 +-
 targeting/language/identify-system-language-via-api.yml | 2 +-
 343 files changed, 343 insertions(+), 343 deletions(-)
diff --git a/README.md b/README.md
index 73697ead..0362da32 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
 mbc:
diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
index d94e257a..8604e8d7 100644
--- a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
+++ b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 446a093d..20ae6e2d 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
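Review bot: The rationale for moving every `static: function` rule from `dynamic: thread` to `dynamic: sequence` is recorded nowhere in this patch, and the `- dynamic: thread` / `+ dynamic: sequence` hunk in overwrite-dll-text-section-to-remove-hooks.yml is the first of 342 identical rule edits (patch-antimalware-scan-interface-function.yml, check-for-time-delay-via-queryperformancecounter.yml, impersonate-file-version-information.yml and the rest below share it). If `sequence` is a bounded window of calls inside a thread rather than the whole thread, rules whose features are separated by many intervening calls — the timing checks and the read-then-write rules are the likely cases — may stop matching on traces where `thread` matched, so the sweep deserves a sentence in the commit description stating what `sequence` covers and that the rules' dynamic `examples:` were re-run after the change. A one-line explanation of the `sequence` scope next to the example in README.md would also help, since that hunk only swaps the value without defining it.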
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index e6b51df1..fa07fd07 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index 0a64a2e8..9315f51c 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
index f1656e39..f4c901bf 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
 examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index ef93144b..fffe9d39 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index fe420821..bb64961f 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
index 61e60213..c7569989 100644
--- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
+++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index 797171c9..81be1b53 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
 examples:
diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
index c21faefe..74006c27 100644
--- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml
+++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Indicator Removal [T1070]
 references:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 15cce5d9..30240f02 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule:
 - daniel.stepanic@elastic.co
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
 mbc:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index c467d957..8cedcd9a 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
 mbc:
diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
index 2041fc93..328cb320 100644
--- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
+++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
 examples:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
index 6471461d..d76b46bf 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
index 8b7e3e9a..0ac2b045 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule:
 - "echernofsky@google.com"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
index 1e6f5f7d..06a58cdd 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
index cb727295..4e5d49de 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
index a6cbfbec..f234c003 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index 2425a19a..e916a28a 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
 - anders.vejlby@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
index cba1a9eb..1d46b8a9 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
 - anders.vejlby@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 7097dced..e9c3d189 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
 examples:
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index e60fae03..3c69f977 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -7,7 +7,7 @@ rule:
 - still@teamt5.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
index fb7daa57..8d1a2798 100644
--- a/collection/database/sql/reference-sql-statements.yml
+++ b/collection/database/sql/reference-sql-statements.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
index 18bbcf72..e345020a 100644
--- a/collection/database/wmi/reference-wmi-statements.yml
+++ b/collection/database/wmi/reference-wmi-statements.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
index 183e7e6c..5b26a494 100644
--- a/collection/file-managers/gather-3d-ftp-information.yml
+++ b/collection/file-managers/gather-3d-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
index c177630d..afa78f07 100644
--- a/collection/file-managers/gather-alftp-information.yml
+++ b/collection/file-managers/gather-alftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
index 610692a2..15a9d388 100644
--- a/collection/file-managers/gather-bitkinex-information.yml
+++ b/collection/file-managers/gather-bitkinex-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
index 50c464f3..03bcaa35 100644
--- a/collection/file-managers/gather-blazeftp-information.yml
+++ b/collection/file-managers/gather-blazeftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
index eff43d32..62fbb969 100644
--- a/collection/file-managers/gather-bulletproof-ftp-information.yml
+++ b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
index 9fa41274..73cc1863 100644
--- a/collection/file-managers/gather-classicftp-information.yml
+++ b/collection/file-managers/gather-classicftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
index 052fb224..3e13a2ed 100644
--- a/collection/file-managers/gather-coreftp-information.yml
+++ b/collection/file-managers/gather-coreftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
index 78c21fd9..fa45182c 100644
--- a/collection/file-managers/gather-cuteftp-information.yml
+++ b/collection/file-managers/gather-cuteftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
index dd094e44..6886d2d9 100644
--- a/collection/file-managers/gather-cyberduck-information.yml
+++ b/collection/file-managers/gather-cyberduck-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
index 30b4d1b8..d5a50939 100644
--- a/collection/file-managers/gather-direct-ftp-information.yml
+++ b/collection/file-managers/gather-direct-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
index 93e6ca5a..16190f56 100644
--- a/collection/file-managers/gather-directory-opus-information.yml
+++ b/collection/file-managers/gather-directory-opus-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
index 0fec6df2..1b07ee24 100644
--- a/collection/file-managers/gather-expandrive-information.yml
+++ b/collection/file-managers/gather-expandrive-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
index 94d48120..d118331d 100644
--- a/collection/file-managers/gather-faststone-browser-information.yml
+++ b/collection/file-managers/gather-faststone-browser-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
index 3c210f01..3f07be43 100644
--- a/collection/file-managers/gather-fasttrack-ftp-information.yml
+++ b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
index 7ab79002..08e73436 100644
--- a/collection/file-managers/gather-ffftp-information.yml
+++ b/collection/file-managers/gather-ffftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml
index 9f9b48e2..ea86b2c6 100644
--- a/collection/file-managers/gather-filezilla-information.yml
+++ b/collection/file-managers/gather-filezilla-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml
index cfd1e836..e74a6d97 100644
--- a/collection/file-managers/gather-flashfxp-information.yml
+++ b/collection/file-managers/gather-flashfxp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml
index e09ac5ab..2abf8047 100644
--- a/collection/file-managers/gather-fling-ftp-information.yml
+++ b/collection/file-managers/gather-fling-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml
index 74965be6..d250fd34 100644
--- a/collection/file-managers/gather-freshftp-information.yml
+++ b/collection/file-managers/gather-freshftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
examples:
diff --git a/collection/file-managers/gather-frigate3-information.yml b/collection/file-managers/gather-frigate3-information.yml
index cd97ad7f..167cbfc7 100644
--- a/collection/file-managers/gather-frigate3-information.yml
+++ b/collection/file-managers/gather-frigate3-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftp-commander-information.yml b/collection/file-managers/gather-ftp-commander-information.yml
index 49f236ba..1f72c3f3 100644
--- a/collection/file-managers/gather-ftp-commander-information.yml
+++ b/collection/file-managers/gather-ftp-commander-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftp-explorer-information.yml b/collection/file-managers/gather-ftp-explorer-information.yml
index 7c4733db..11750640 100644
--- a/collection/file-managers/gather-ftp-explorer-information.yml
+++ b/collection/file-managers/gather-ftp-explorer-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftp-voyager-information.yml b/collection/file-managers/gather-ftp-voyager-information.yml
index ee724d4c..323fdfe6 100644
--- a/collection/file-managers/gather-ftp-voyager-information.yml
+++ b/collection/file-managers/gather-ftp-voyager-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftpgetter-information.yml b/collection/file-managers/gather-ftpgetter-information.yml
index 3a2412b7..a00488c3 100644
--- a/collection/file-managers/gather-ftpgetter-information.yml
+++ b/collection/file-managers/gather-ftpgetter-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftpinfo-information.yml b/collection/file-managers/gather-ftpinfo-information.yml
index e3fbfe1b..19389ea6 100644
--- a/collection/file-managers/gather-ftpinfo-information.yml
+++ b/collection/file-managers/gather-ftpinfo-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftpnow-information.yml b/collection/file-managers/gather-ftpnow-information.yml
index 5e3fe704..077d9746 100644
--- a/collection/file-managers/gather-ftpnow-information.yml
+++ b/collection/file-managers/gather-ftpnow-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
examples:
diff --git a/collection/file-managers/gather-ftprush-information.yml b/collection/file-managers/gather-ftprush-information.yml
index 9fbb5292..3494da0c 100644
--- a/collection/file-managers/gather-ftprush-information.yml
+++ b/collection/file-managers/gather-ftprush-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ftpshell-information.yml b/collection/file-managers/gather-ftpshell-information.yml
index 50ff8d90..db0418e9 100644
--- a/collection/file-managers/gather-ftpshell-information.yml
+++ b/collection/file-managers/gather-ftpshell-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-global-downloader-information.yml b/collection/file-managers/gather-global-downloader-information.yml
index bc3ee446..41b2c102 100644
--- a/collection/file-managers/gather-global-downloader-information.yml
+++ b/collection/file-managers/gather-global-downloader-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-goftp-information.yml b/collection/file-managers/gather-goftp-information.yml
index c9766053..ef0c3dcb 100644
--- a/collection/file-managers/gather-goftp-information.yml
+++ b/collection/file-managers/gather-goftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-leapftp-information.yml b/collection/file-managers/gather-leapftp-information.yml
index 425d7667..fdd48aeb 100644
--- a/collection/file-managers/gather-leapftp-information.yml
+++ b/collection/file-managers/gather-leapftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
examples:
diff --git a/collection/file-managers/gather-netdrive-information.yml b/collection/file-managers/gather-netdrive-information.yml
index 652e2a1e..7b70fd04 100644
--- a/collection/file-managers/gather-netdrive-information.yml
+++ b/collection/file-managers/gather-netdrive-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-nexusfile-information.yml b/collection/file-managers/gather-nexusfile-information.yml
index 97107817..7d5f0a85 100644
--- a/collection/file-managers/gather-nexusfile-information.yml
+++ b/collection/file-managers/gather-nexusfile-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-nova-ftp-information.yml b/collection/file-managers/gather-nova-ftp-information.yml
index d6ef1623..3960ddac 100644
--- a/collection/file-managers/gather-nova-ftp-information.yml
+++ b/collection/file-managers/gather-nova-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
examples:
diff --git a/collection/file-managers/gather-robo-ftp-information.yml b/collection/file-managers/gather-robo-ftp-information.yml
index c35cef85..8a3cb335 100644
--- a/collection/file-managers/gather-robo-ftp-information.yml
+++ b/collection/file-managers/gather-robo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-securefx-information.yml b/collection/file-managers/gather-securefx-information.yml
index 90f4a390..68013873 100644
--- a/collection/file-managers/gather-securefx-information.yml
+++ b/collection/file-managers/gather-securefx-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-smart-ftp-information.yml b/collection/file-managers/gather-smart-ftp-information.yml
index abefbdbf..61315d9a 100644
--- a/collection/file-managers/gather-smart-ftp-information.yml
+++ b/collection/file-managers/gather-smart-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-softx-ftp-information.yml b/collection/file-managers/gather-softx-ftp-information.yml
index e785cfd7..53f18b8a 100644
--- a/collection/file-managers/gather-softx-ftp-information.yml
+++ b/collection/file-managers/gather-softx-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-southriver-webdrive-information.yml b/collection/file-managers/gather-southriver-webdrive-information.yml
index 7bb733d8..70022532 100644
--- a/collection/file-managers/gather-southriver-webdrive-information.yml
+++ b/collection/file-managers/gather-southriver-webdrive-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-staff-ftp-information.yml b/collection/file-managers/gather-staff-ftp-information.yml
index a4ed16d6..22d5946e 100644
--- a/collection/file-managers/gather-staff-ftp-information.yml
+++ b/collection/file-managers/gather-staff-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-total-commander-information.yml b/collection/file-managers/gather-total-commander-information.yml
index a8375545..16fb0bb5 100644
--- a/collection/file-managers/gather-total-commander-information.yml
+++ b/collection/file-managers/gather-total-commander-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-turbo-ftp-information.yml b/collection/file-managers/gather-turbo-ftp-information.yml
index 5ee2ebe9..126f2c5d 100644
--- a/collection/file-managers/gather-turbo-ftp-information.yml
+++ b/collection/file-managers/gather-turbo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ultrafxp-information.yml b/collection/file-managers/gather-ultrafxp-information.yml
index 6476c708..000ce309 100644
--- a/collection/file-managers/gather-ultrafxp-information.yml
+++ b/collection/file-managers/gather-ultrafxp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
examples:
diff --git a/collection/file-managers/gather-winscp-information.yml b/collection/file-managers/gather-winscp-information.yml
index d6266afb..e3608b70 100644
--- a/collection/file-managers/gather-winscp-information.yml
+++ b/collection/file-managers/gather-winscp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-winzip-information.yml b/collection/file-managers/gather-winzip-information.yml
index 775f081d..a490bc6c 100644
--- a/collection/file-managers/gather-winzip-information.yml
+++ b/collection/file-managers/gather-winzip-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-wise-ftp-information.yml b/collection/file-managers/gather-wise-ftp-information.yml
index 1cb33b96..668eb976 100644
--- a/collection/file-managers/gather-wise-ftp-information.yml
+++ b/collection/file-managers/gather-wise-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-ws-ftp-information.yml b/collection/file-managers/gather-ws-ftp-information.yml
index c6f3fbfb..829c0c88 100644
--- a/collection/file-managers/gather-ws-ftp-information.yml
+++ b/collection/file-managers/gather-ws-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/file-managers/gather-xftp-information.yml b/collection/file-managers/gather-xftp-information.yml
index 838fa928..35b2a36a 100644
--- a/collection/file-managers/gather-xftp-information.yml
+++ b/collection/file-managers/gather-xftp-information.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Credential Access::Credentials from Password Stores [T1555]
references:
diff --git a/collection/get-geographical-location.yml b/collection/get-geographical-location.yml
index 761ba38f..ac6f1871 100644
--- a/collection/get-geographical-location.yml
+++ b/collection/get-geographical-location.yml
@@ -8,7 +8,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::System Location Discovery [T1614]
examples:
diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml
index f1421276..73835604 100644
--- a/collection/group-policy/discover-group-policy-via-gpresult.yml
+++ b/collection/group-policy/discover-group-policy-via-gpresult.yml
@@ -6,7 +6,7 @@ rule:
- william.ballenthin@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::Group Policy Discovery [T1615]
examples:
diff --git a/collection/keylog/log-keystrokes.yml b/collection/keylog/log-keystrokes.yml
index 9caf9e25..2f8e1ccc 100644
--- a/collection/keylog/log-keystrokes.yml
+++ b/collection/keylog/log-keystrokes.yml
@@ -6,7 +6,7 @@ rule:
- moritz.raabe@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Collection::Input Capture::Keylogging [T1056.001]
examples:
diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml
index a8599690..1fa1a193 100644
--- a/collection/microphone/capture-microphone-audio.yml
+++ b/collection/microphone/capture-microphone-audio.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Collection::Audio Capture [T1123]
examples:
diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml
index 4d8c60fc..0f88c67a 100644
--- a/collection/network/capture-packets-using-sharppcap.yml
+++ b/collection/network/capture-packets-using-sharppcap.yml
@@ -6,7 +6,7 @@ rule:
- jakub.jozwiak@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::Network Sniffing [T1040]
references:
diff --git a/collection/network/capture-public-ip.yml b/collection/network/capture-public-ip.yml
index b60ebb4a..ca66442e 100644
--- a/collection/network/capture-public-ip.yml
+++ b/collection/network/capture-public-ip.yml
@@ -7,7 +7,7 @@ rule:
- "still@teamt5.org"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::System Network Configuration Discovery [T1016]
examples:
diff --git a/collection/network/get-domain-trust-relationships.yml b/collection/network/get-domain-trust-relationships.yml
index 9af3d1df..7e4a1123 100644
--- a/collection/network/get-domain-trust-relationships.yml
+++ b/collection/network/get-domain-trust-relationships.yml
@@ -6,7 +6,7 @@ rule:
- johnk3r
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::Domain Trust Discovery [T1482]
examples:
diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
index 018e3585..86414bc8 100644
--- a/collection/network/get-mac-address-on-windows.yml
+++ b/collection/network/get-mac-address-on-windows.yml
@@ -8,7 +8,7 @@ rule:
- echernofsky@google.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Discovery::System Information Discovery [T1082]
references:
diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml
index 515be39a..6b2dacd5 100644
--- a/collection/screenshot/capture-screenshot-via-keybd-event.yml
+++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Collection::Screen Capture [T1113]
mbc:
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index bbba9441..dc4847bb 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -8,7 +8,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Collection::Screen Capture [T1113]
mbc:
diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml
index 8783c61e..0383197f 100644
--- a/collection/webcam/capture-webcam-image.yml
+++ b/collection/webcam/capture-webcam-image.yml
@@ -6,7 +6,7 @@ rule:
- johnk3r
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Collection::Video Capture [T1125]
examples:
diff --git a/communication/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml
index 42f305d8..32748a4b 100644
--- a/communication/c2/file-transfer/download-and-write-a-file.yml
+++ b/communication/c2/file-transfer/download-and-write-a-file.yml
@@ -7,7 +7,7 @@ rule:
- moritz.raabe@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Command and Control::Ingress Tool Transfer [T1105]
mbc:
diff --git a/communication/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml
index dd974053..ec019ee1 100644
--- a/communication/c2/file-transfer/write-and-execute-a-file.yml
+++ b/communication/c2/file-transfer/write-and-execute-a-file.yml
@@ -7,7 +7,7 @@ rule:
- moritz.raabe@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Execution::Install Additional Program [B0023]
examples:
diff --git a/communication/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml
index 3197bcf7..0f08b279 100644
--- a/communication/c2/shell/create-reverse-shell-on-linux.yml
+++ b/communication/c2/shell/create-reverse-shell-on-linux.yml
@@ -6,7 +6,7 @@ rule:
- joakim@intezer.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
mbc:
diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml
index a05615e5..e33e983d 100644
--- a/communication/c2/shell/create-reverse-shell.yml
+++ b/communication/c2/shell/create-reverse-shell.yml
@@ -6,7 +6,7 @@ rule:
- moritz.raabe@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
mbc:
diff --git a/communication/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml
index a5c49df2..37b6c95b 100644
--- a/communication/c2/shell/execute-shell-command-and-capture-output.yml
+++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml
@@ -6,7 +6,7 @@ rule:
- matthew.williams@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
references:
diff --git a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
index b3869dca..7351f2b4 100644
--- a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
+++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
@@ -6,7 +6,7 @@ rule:
- joakim@intezer.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
att&ck:
- Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
examples:
diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml
index 43a92868..04257c1f 100644
--- a/communication/ftp/send/send-file-using-ftp.yml
+++ b/communication/ftp/send/send-file-using-ftp.yml
@@ -7,7 +7,7 @@ rule:
- anushka.virgaonkar@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Communication::FTP Communication::Send File [C0004.001]
- Communication::FTP Communication::WinINet [C0004.002]
diff --git a/communication/http/client/connect-to-http-server.yml b/communication/http/client/connect-to-http-server.yml
index 8f958bfb..0980a702 100644
--- a/communication/http/client/connect-to-http-server.yml
+++ b/communication/http/client/connect-to-http-server.yml
@@ -6,7 +6,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Communication::HTTP Communication::Connect to Server [C0002.009]
examples:
diff --git a/communication/http/client/connect-to-url.yml b/communication/http/client/connect-to-url.yml
index 918fbadb..e868569a 100644
--- a/communication/http/client/connect-to-url.yml
+++ b/communication/http/client/connect-to-url.yml
@@ -6,7 +6,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Communication::HTTP Communication::Open URL [C0002.004]
examples:
diff --git a/communication/http/client/create-http-request.yml b/communication/http/client/create-http-request.yml
index f86d6699..fd41c7e7 100644
--- a/communication/http/client/create-http-request.yml
+++ b/communication/http/client/create-http-request.yml
@@ -7,7 +7,7 @@ rule:
- anushka.virgaonkar@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Communication::HTTP Communication::Create Request [C0002.012]
examples:
diff --git a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
index 52a7b68a..f5bf78cd 100644
--- a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
+++ b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
@@ -6,7 +6,7 @@ rule:
- matthew.williams@mandiant.com
scopes:
static: function
- dynamic: thread
+ dynamic: sequence
mbc:
- Communication::HTTP Communication::Get Response [C0002.017]
examples:
diff --git a/communication/http/client/read-data-from-internet.yml b/communication/http/client/read-data-from-internet.yml
index 4c48f76b..4b6918fe 100644
--- a/communication/http/client/read-data-from-internet.yml
+++ b/communication/http/client/read-data-from-internet.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml
index ccabd60d..1aa62c46 100644
--- a/communication/http/client/receive-http-response.yml
+++ b/communication/http/client/receive-http-response.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
index 8bc1aaf3..248132f2 100644
--- a/communication/http/client/send-http-request.yml
+++ b/communication/http/client/send-http-request.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Send Request [C0002.003]
 examples:
diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml
index 4607be79..d7e77936 100644
--- a/communication/http/reference-http-user-agent-string.yml
+++ b/communication/http/reference-http-user-agent-string.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication [C0002]
 references:
diff --git a/communication/http/server/receive-http-request.yml b/communication/http/server/receive-http-request.yml
index 15fe2811..89383f4f 100644
--- a/communication/http/server/receive-http-request.yml
+++ b/communication/http/server/receive-http-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Receive Request [C0002.015]
 examples:
diff --git a/communication/http/server/start-http-server.yml b/communication/http/server/start-http-server.yml
index c6fe087c..9181323a 100644
--- a/communication/http/server/start-http-server.yml
+++ b/communication/http/server/start-http-server.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Start Server [C0002.018]
 examples:
diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml
index 9500b92a..b07bbed8 100644
--- a/communication/http/set-http-header.yml
+++ b/communication/http/set-http-header.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Set Header [C0002.013]
 examples:
diff --git a/communication/icmp/send-icmp-echo-request.yml b/communication/icmp/send-icmp-echo-request.yml
index 31a777d7..df5fe1c2 100644
--- a/communication/icmp/send-icmp-echo-request.yml
+++ b/communication/icmp/send-icmp-echo-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::ICMP Communication::Echo Request [C0014.002]
 references:
diff --git a/communication/mailslot/create-mailslot.yml b/communication/mailslot/create-mailslot.yml
index 8cf723f3..ac3dcbea 100644
--- a/communication/mailslot/create-mailslot.yml
+++ b/communication/mailslot/create-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/mailslot/read-from-mailslot.yml b/communication/mailslot/read-from-mailslot.yml
index 25b72f13..3bcf13c9 100644
--- a/communication/mailslot/read-from-mailslot.yml
+++ b/communication/mailslot/read-from-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - nick.simonian@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/named-pipe/create/create-two-anonymous-pipes.yml b/communication/named-pipe/create/create-two-anonymous-pipes.yml
index 3a0ae45d..6ad454c2 100644
--- a/communication/named-pipe/create/create-two-anonymous-pipes.yml
+++ b/communication/named-pipe/create/create-two-anonymous-pipes.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Create Pipe [C0003.001]
 examples:
diff --git a/communication/named-pipe/read/read-pipe.yml b/communication/named-pipe/read/read-pipe.yml
index 6347df84..5ecf1d65 100644
--- a/communication/named-pipe/read/read-pipe.yml
+++ b/communication/named-pipe/read/read-pipe.yml
@@ -8,7 +8,7 @@ rule:
 description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Read Pipe [C0003.003]
 examples:
diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml
index 53735f63..34a51efb 100644
--- a/communication/named-pipe/write/write-pipe.yml
+++ b/communication/named-pipe/write/write-pipe.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Write Pipe [C0003.004]
 examples:
diff --git a/communication/receive-data.yml b/communication/receive-data.yml
index 8e52081f..c57ad7a2 100644
--- a/communication/receive-data.yml
+++ b/communication/receive-data.yml
@@ -7,7 +7,7 @@ rule:
 description: all known techniques for receiving data from a potential C2 server
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Command and Control::C2 Communication::Receive Data [B0030.002]
 examples:
diff --git a/communication/send-data.yml b/communication/send-data.yml
index 04982dea..a4597698 100644
--- a/communication/send-data.yml
+++ b/communication/send-data.yml
@@ -8,7 +8,7 @@ rule:
 description: all known techniques for sending data to a potential C2 server
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Command and Control::C2 Communication::Send Data [B0030.001]
 examples:
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml
index 11b82a30..783948aa 100644
--- a/communication/socket/tcp/connect-tcp-socket.yml
+++ b/communication/socket/tcp/connect-tcp-socket.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Connect Socket [C0001.004]
 examples:
diff --git a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
index a409c583..95426272 100644
--- a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
+++ b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Send TCP Data [C0001.014]
 examples:
diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
index f89560e9..dae32049 100644
--- a/communication/tcp/client/act-as-tcp-client.yml
+++ b/communication/tcp/client/act-as-tcp-client.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::TCP Client [C0001.008]
 examples:
diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
index f3996f22..d32d4a3d 100644
--- a/communication/tcp/serve/start-tcp-server.yml
+++ b/communication/tcp/serve/start-tcp-server.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Start TCP Server [C0001.005]
 examples:
diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml
index b8724e47..da962ebd 100644
--- a/compiler/perl2exe/compiled-with-perl2exe.yml
+++ b/compiler/perl2exe/compiled-with-perl2exe.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9
 features:
diff --git a/data-manipulation/compression/compress-data-using-lzo.yml b/data-manipulation/compression/compress-data-using-lzo.yml
index f16c7517..01634de6 100644
--- a/data-manipulation/compression/compress-data-using-lzo.yml
+++ b/data-manipulation/compression/compress-data-using-lzo.yml
@@ -8,7 +8,7 @@ rule:
 description: detects the compression routine from LZO
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Data::Compress Data [C0024]
 references:
diff --git a/data-manipulation/compression/compress-data-via-winapi.yml b/data-manipulation/compression/compress-data-via-winapi.yml
index 3fad4753..32d3fed7 100644
--- a/data-manipulation/compression/compress-data-via-winapi.yml
+++ b/data-manipulation/compression/compress-data-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
index bf192b0d..e938c1c3 100644
--- a/data-manipulation/compression/create-cabinet-on-windows.yml
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
index 8c674532..bd92d983 100644
--- a/data-manipulation/compression/extract-cabinet-on-windows.yml
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
index 86c78647..7a890bed 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
index f84760fc..4c4b33c1 100644
--- a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
+++ b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
index b96a7f5d..f3997163 100644
--- a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
+++ b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
@@ -6,7 +6,7 @@ rule:
 - zander.work@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
index d73c6d35..a395ce75 100644
--- a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
+++ b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/import-public-key.yml b/data-manipulation/encryption/import-public-key.yml
index 53764f55..8847f2ba 100644
--- a/data-manipulation/encryption/import-public-key.yml
+++ b/data-manipulation/encryption/import-public-key.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Encryption Key::Import Public Key [C0028.001]
 examples:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
index 094e83d2..473b0442 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -6,7 +6,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
index ba2d1a86..04bd8ccf 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
@@ -6,7 +6,7 @@ rule:
 - daniel.stepanic@elastic.co
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
index 582a627e..d9f768d6 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
index 8fd7578b..859a68e3 100644
--- a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
+++ b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
index f4d96a98..1dfa7548 100644
--- a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
+++ b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Encryption Key [C0028]
 references:
diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml
index d84ae236..309dcec5 100644
--- a/data-manipulation/hashing/hash-data-via-wincrypt.yml
+++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash [C0029]
 examples:
diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml
index eb6b296d..37dc932a 100644
--- a/data-manipulation/hashing/md5/hash-data-with-md5.yml
+++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::MD5 [C0029.001]
 references:
diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
index 35503c97..28dd842f 100644
--- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
+++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA1 [C0029.002]
 examples:
diff --git a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
index cfaa86e2..93828132 100644
--- a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
+++ b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA224 [C0029.004]
 references:
diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
index 4da48ab3..4e69b47f 100644
--- a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
+++ b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA256 [C0029.003]
 references:
diff --git a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
index d4ed183c..e4a5d89a 100644
--- a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
+++ b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
index 02bbe90c..241b24a8 100644
--- a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
+++ b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
index 8e125230..4079062d 100644
--- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 references:
diff --git a/data-manipulation/prng/generate-random-numbers-via-winapi.yml b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
index 1bca70b8..02699a2b 100644
--- a/data-manipulation/prng/generate-random-numbers-via-winapi.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 examples:
diff --git a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
index ab35eff5..d72a5e81 100644
--- a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
+++ b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence [C0021]
 examples:
diff --git a/executable/resource/access-dotnet-resource.yml b/executable/resource/access-dotnet-resource.yml
index c8c7726f..3ee831a8 100644
--- a/executable/resource/access-dotnet-resource.yml
+++ b/executable/resource/access-dotnet-resource.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084
 features:
diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml
index 92513950..43971082 100644
--- a/executable/resource/extract-resource-via-kernel32-functions.yml
+++ b/executable/resource/extract-resource-via-kernel32-functions.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000
 - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
index d116b6e0..01a1a4ba 100644
--- a/host-interaction/bootloader/disable-code-signing.yml
+++ b/host-interaction/bootloader/disable-code-signing.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
 examples:
diff --git a/host-interaction/bootloader/manipulate-boot-configuration.yml b/host-interaction/bootloader/manipulate-boot-configuration.yml
index b91396ed..57105959 100644
--- a/host-interaction/bootloader/manipulate-boot-configuration.yml
+++ b/host-interaction/bootloader/manipulate-boot-configuration.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
 examples:
diff --git a/host-interaction/bootloader/manipulate-safe-mode-programs.yml b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
index 145f0fb4..1ab5b104 100644
--- a/host-interaction/bootloader/manipulate-safe-mode-programs.yml
+++ b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
 examples:
diff --git a/host-interaction/clipboard/open-clipboard.yml b/host-interaction/clipboard/open-clipboard.yml
index 5765585a..11fc2edd 100644
--- a/host-interaction/clipboard/open-clipboard.yml
+++ b/host-interaction/clipboard/open-clipboard.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Clipboard Data [T1115]
 examples:
diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index 37ae798a..20587b12 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Clipboard Data [T1115]
 references:
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
index dead8a80..d91a3210 100644
--- a/host-interaction/clipboard/write-clipboard-data.yml
+++ b/host-interaction/clipboard/write-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Impact::Clipboard Modification [E1510]
 references:
diff --git a/host-interaction/console/manipulate-console-buffer.yml b/host-interaction/console/manipulate-console-buffer.yml
index 21fa1f52..c940481f 100644
--- a/host-interaction/console/manipulate-console-buffer.yml
+++ b/host-interaction/console/manipulate-console-buffer.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Operating System::Console [C0033]
 references:
diff --git a/host-interaction/driver/create-device-object.yml b/host-interaction/driver/create-device-object.yml
index 894d95b4..28e9d53e 100644
--- a/host-interaction/driver/create-device-object.yml
+++ b/host-interaction/driver/create-device-object.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - Practical Malware Analysis Lab 10-03.sys_:0x00010706
 features:
diff --git a/host-interaction/driver/disable-driver-code-integrity.yml b/host-interaction/driver/disable-driver-code-integrity.yml
index bbc6e07c..60a67472 100644
--- a/host-interaction/driver/disable-driver-code-integrity.yml
+++ b/host-interaction/driver/disable-driver-code-integrity.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
index f5afed21..52715062 100644
--- a/host-interaction/environment-variable/get-comspec-environment-variable.yml
+++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/file-system/bypass-mark-of-the-web.yml b/host-interaction/file-system/bypass-mark-of-the-web.yml
index 11759fb7..5a9958aa 100644
--- a/host-interaction/file-system/bypass-mark-of-the-web.yml
+++ b/host-interaction/file-system/bypass-mark-of-the-web.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005]
 examples:
diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
index 3f47b1b8..0e362dc4 100644
--- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
+++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
 mbc:
diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml
index 2e945c9d..ba88ea9a 100644
--- a/host-interaction/file-system/delete/delete-file.yml
+++ b/host-interaction/file-system/delete/delete-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Delete File [C0047]
 examples:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
index d8c4340f..5880fdaf 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index fcb01482..3f809abc 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/meta/get-file-version-info.yml b/host-interaction/file-system/meta/get-file-version-info.yml
index c61ccc59..a8ab1e88 100644
--- a/host-interaction/file-system/meta/get-file-version-info.yml
+++ b/host-interaction/file-system/meta/get-file-version-info.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml
index 6d1b3073..a41e77c4 100644
--- a/host-interaction/file-system/read/read-file-on-linux.yml
+++ b/host-interaction/file-system/read/read-file-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
index e04212ad..0d09a30b 100644
--- a/host-interaction/file-system/read/read-file-on-windows.yml
+++ b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml
index 5337c472..b5858045 100644
--- a/host-interaction/file-system/read/read-file-via-mapping.yml
+++ b/host-interaction/file-system/read/read-file-via-mapping.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-ini-file.yml b/host-interaction/file-system/read/read-ini-file.yml
index cd5d8984..65fda069 100644
--- a/host-interaction/file-system/read/read-ini-file.yml
+++ b/host-interaction/file-system/read/read-ini-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml
index b81bdc4e..1a07fdc8 100644
--- a/host-interaction/file-system/read/read-virtual-disk.yml
+++ b/host-interaction/file-system/read/read-virtual-disk.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read Virtual Disk [C0056]
 references:
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
index e6ccaa07..412803ba 100644
--- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
+++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007]
 examples:
diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index 7a2f12fa..eb056fe5 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -7,7 +7,7 @@ rule:
 - mehunhoff@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml
index bac74e8f..7ceb3428 100644
--- a/host-interaction/filter/enumerate-minifilter-drivers.yml
+++ b/host-interaction/filter/enumerate-minifilter-drivers.yml
@@ -6,7 +6,7 @@ rule:
 - aseel.kayal@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
diff --git a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
index a0893a36..9b034d87 100644
--- a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
+++ b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
index 42427cc9..5ef9b148 100644
--- a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
+++ b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/gui/session/lock/lock-the-desktop.yml b/host-interaction/gui/session/lock/lock-the-desktop.yml
index af0d1042..b27490f5 100644
--- a/host-interaction/gui/session/lock/lock-the-desktop.yml
+++ b/host-interaction/gui/session/lock/lock-the-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Impact::Endpoint Denial of Service [T1499]
 examples:
diff --git a/host-interaction/gui/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml
index 5160f6bb..2a379a06 100644
--- a/host-interaction/gui/switch-active-desktop.yml
+++ b/host-interaction/gui/switch-active-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml
index 8e6bb745..5bf96719 100644
--- a/host-interaction/gui/taskbar/find/find-taskbar.yml
+++ b/host-interaction/gui/taskbar/find/find-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::Taskbar Discovery [B0043]
 examples:
diff --git a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
index cc6b2e63..c0422753 100644
--- a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
+++ b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Hide Artifacts [T1564]
 examples:
diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
index 2dd99b57..d9c1756f 100644
--- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml
+++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::Application Window Discovery [E1010]
 examples:
diff --git a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
index 0673777c..980035d0 100644
--- a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
+++ b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Impact::Modify Hardware::CDROM [B0042.001]
 examples:
diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml
index fce00394..8f858f88 100644
--- a/host-interaction/hardware/cpu/get-cpu-information.yml
+++ b/host-interaction/hardware/cpu/get-cpu-information.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
index 73693717..de199af8 100644
--- a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
+++ b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 references:
diff --git a/host-interaction/hardware/keyboard/get-keyboard-layout.yml b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
index b31c6141..b78a65c7 100644
--- a/host-interaction/hardware/keyboard/get-keyboard-layout.yml
+++ b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples:
diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
index 794d2000..5fb4b0ea 100644
--- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
+++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001]
 examples:
diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml
index c8328003..72d7f444 100644
--- a/host-interaction/hardware/memory/get-memory-information.yml
+++ b/host-interaction/hardware/memory/get-memory-information.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
index 10a61b09..396f18b4 100644
--- a/host-interaction/hardware/storage/get-disk-size.yml
+++ b/host-interaction/hardware/storage/get-disk-size.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
index 6bc8f818..116ccd4f 100755
--- a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
+++ b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
@@ -7,7 +7,7 @@ rule:
 - blaine.stancill@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::File and Directory Discovery::Log File [E1083.m01]
 references:
diff --git a/host-interaction/mutex/check-mutex-and-exit.yml b/host-interaction/mutex/check-mutex-and-exit.yml
index 58a5f43d..3934a5ae 100644
--- a/host-interaction/mutex/check-mutex-and-exit.yml
+++ b/host-interaction/mutex/check-mutex-and-exit.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Process::Check Mutex [C0043]
 - Process::Terminate Process [C0018]
diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml
index 03146022..79d6b4fe 100644
--- a/host-interaction/mutex/create-semaphore-on-linux.yml
+++ b/host-interaction/mutex/create-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0
 features:
diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml
index e0802d96..47e4e78b 100644
--- a/host-interaction/mutex/lock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/lock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml
index 66c1a41e..f2e1b1a8 100644
--- a/host-interaction/mutex/unlock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/unlock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml
index 4b57f8cd..1e5d485e 100644
--- a/host-interaction/network/address/get-local-ipv4-addresses.yml
+++ b/host-interaction/network/address/get-local-ipv4-addresses.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
index 44fa848b..8af06b9a 100644
--- a/host-interaction/network/connectivity/set-tcp-connection-state.yml
+++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -7,7 +7,7 @@ rule:
 description: The SetTcpEntry function sets the state of a TCP connection.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses [T1562]
 references:
diff --git a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
index a176f31f..6686f400 100644
--- a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
+++ b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/domain/get-domain-controller-name.yml b/host-interaction/network/domain/get-domain-controller-name.yml
index 43768e97..2f926817 100644
--- a/host-interaction/network/domain/get-domain-controller-name.yml
+++ b/host-interaction/network/domain/get-domain-controller-name.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml
index b807c106..150fd5e6 100644
--- a/host-interaction/network/interface/get-networking-interfaces.yml
+++ b/host-interaction/network/interface/get-networking-interfaces.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
index 97af7ed5..b562204b 100644
--- a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
+++ b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
 - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
diff --git a/host-interaction/os/info/get-system-information-on-windows.yml b/host-interaction/os/info/get-system-information-on-windows.yml
index 4520cf7c..9b6e916d 100644
--- a/host-interaction/os/info/get-system-information-on-windows.yml
+++ b/host-interaction/os/info/get-system-information-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml
index f68f290e..41126b10 100644
--- a/host-interaction/os/version/get-kernel-version.yml
+++ b/host-interaction/os/version/get-kernel-version.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml
index 12b0cfda..1d01bc02 100644
--- a/host-interaction/os/version/get-linux-distribution.yml
+++ b/host-interaction/os/version/get-linux-distribution.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
index 3dc6af4c..2d6a46ad 100644
--- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
+++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 examples:
diff --git a/host-interaction/process/inject/attach-user-process-memory.yml b/host-interaction/process/inject/attach-user-process-memory.yml
index 4f8fa5c0..c9447cd9 100644
--- a/host-interaction/process/inject/attach-user-process-memory.yml
+++ b/host-interaction/process/inject/attach-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml
index f42f7a3d..081c21bd 100644
--- a/host-interaction/process/inject/free-user-process-memory.yml
+++ b/host-interaction/process/inject/free-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml
index 9a43ccfc..6b3e0581 100644
--- a/host-interaction/process/inject/hijack-thread-execution.yml
+++ b/host-interaction/process/inject/hijack-thread-execution.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml
index da9102f8..c8179382 100644
--- a/host-interaction/process/inject/inject-apc.yml
+++ b/host-interaction/process/inject/inject-apc.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
 examples:
diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml
index adc9c90a..76120443 100644
--- a/host-interaction/process/inject/inject-dll.yml
+++ b/host-interaction/process/inject/inject-dll.yml
@@ -6,7 +6,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]
 references:
diff --git a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
index 9f7be243..12cb8d4b 100644
--- a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
index 3add357b..8070de26 100644
--- a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
index 2d10da4d..87a2fe2b 100644
--- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml
index b83848f2..8e1b7634 100644
--- a/host-interaction/process/inject/inject-thread.yml
+++ b/host-interaction/process/inject/inject-thread.yml
@@ -7,7 +7,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/use-process-replacement.yml b/host-interaction/process/inject/use-process-replacement.yml
index 18e5c0c6..1bada8da 100644
--- a/host-interaction/process/inject/use-process-replacement.yml
+++ b/host-interaction/process/inject/use-process-replacement.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Process Hollowing [T1055.012]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
index a2591024..78657180 100644
--- a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
+++ b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml
index d790b129..78b57883 100644
--- a/host-interaction/process/list/enumerate-processes.yml
+++ b/host-interaction/process/list/enumerate-processes.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/host-interaction/process/list/find-process-by-pid.yml b/host-interaction/process/list/find-process-by-pid.yml
index 881be3f3..ee983d72 100644
--- a/host-interaction/process/list/find-process-by-pid.yml
+++ b/host-interaction/process/list/find-process-by-pid.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/map-section-object.yml b/host-interaction/process/map-section-object.yml
index 52fbac7a..c4e1885a 100644
--- a/host-interaction/process/map-section-object.yml
+++ b/host-interaction/process/map-section-object.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0
 features:
diff --git a/host-interaction/process/modify/modify-access-privileges.yml b/host-interaction/process/modify/modify-access-privileges.yml
index 49f98971..691c0fd1 100644
--- a/host-interaction/process/modify/modify-access-privileges.yml
+++ b/host-interaction/process/modify/modify-access-privileges.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Privilege Escalation::Access Token Manipulation [T1134]
 examples:
diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml
index 10ee51ca..dfbc619e 100644
--- a/host-interaction/process/modules/list/enumerate-process-modules.yml
+++ b/host-interaction/process/modules/list/enumerate-process-modules.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml
index 5e5197c4..6af7f120 100644
--- a/host-interaction/process/terminate/terminate-process.yml
+++ b/host-interaction/process/terminate/terminate-process.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Process::Terminate Process [C0018]
 examples:
diff --git a/host-interaction/registry/delete/delete-registry-key.yml b/host-interaction/registry/delete/delete-registry-key.yml
index 0760a49e..6a45d8cc 100644
--- a/host-interaction/registry/delete/delete-registry-key.yml
+++ b/host-interaction/registry/delete/delete-registry-key.yml
@@ -8,7 +8,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/delete/delete-registry-value.yml b/host-interaction/registry/delete/delete-registry-value.yml
index 39a77d94..de44c944 100644
--- a/host-interaction/registry/delete/delete-registry-value.yml
+++ b/host-interaction/registry/delete/delete-registry-value.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-key.yml b/host-interaction/registry/query-or-enumerate-registry-key.yml
index 62d672d1..be0837b0 100644
--- a/host-interaction/registry/query-or-enumerate-registry-key.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-value.yml b/host-interaction/registry/query-or-enumerate-registry-value.yml
index 855da49e..43802500 100644
--- a/host-interaction/registry/query-or-enumerate-registry-value.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-value.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
index 66b1a58d..34088062 100644
--- a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
+++ b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml
index 5715989a..a7a5127d 100644
--- a/host-interaction/service/continue-service.yml
+++ b/host-interaction/service/continue-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
index 6358c083..cd9db656 100644
--- a/host-interaction/service/create/create-service.yml
+++ b/host-interaction/service/create/create-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/delete/delete-service.yml b/host-interaction/service/delete/delete-service.yml
index 6aa8fe16..d32b04fa 100644
--- a/host-interaction/service/delete/delete-service.yml
+++ b/host-interaction/service/delete/delete-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/modify/modify-service.yml b/host-interaction/service/modify/modify-service.yml
index 18297751..68baa23f 100644
--- a/host-interaction/service/modify/modify-service.yml
+++ b/host-interaction/service/modify/modify-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml
index c4667131..e9724a67 100644
--- a/host-interaction/service/pause-service.yml
+++ b/host-interaction/service/pause-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/start/start-service.yml b/host-interaction/service/start/start-service.yml
index 33d110b9..86f7ae69 100644
--- a/host-interaction/service/start/start-service.yml
+++ b/host-interaction/service/start/start-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml
index dcd6ebac..3192a552 100644
--- a/host-interaction/service/stop/stop-service.yml
+++ b/host-interaction/service/stop/stop-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Impact::Service Stop [T1489]
diff --git a/host-interaction/session/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml
index 89974972..d503bc2a 100644
--- a/host-interaction/session/get-current-user-on-linux.yml
+++ b/host-interaction/session/get-current-user-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-logon-sessions.yml b/host-interaction/session/get-logon-sessions.yml
index 70956342..eb0b3ffa 100644
--- a/host-interaction/session/get-logon-sessions.yml
+++ b/host-interaction/session/get-logon-sessions.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for imported Windows APIs being called to enumerate user sessions.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Account Discovery [T1087]
 examples:
diff --git a/host-interaction/session/get-session-integrity-level.yml b/host-interaction/session/get-session-integrity-level.yml
index a07c7a25..9e7d17d5 100644
--- a/host-interaction/session/get-session-integrity-level.yml
+++ b/host-interaction/session/get-session-integrity-level.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml
index f9673dfb..d6e62bb4 100644
--- a/host-interaction/session/get-session-user-name.yml
+++ b/host-interaction/session/get-session-user-name.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 - Discovery::Account Discovery [T1087]
diff --git a/host-interaction/session/get-token-membership.yml b/host-interaction/session/get-token-membership.yml
index 54b399b1..58e1422c 100644
--- a/host-interaction/session/get-token-membership.yml
+++ b/host-interaction/session/get-token-membership.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml
index cdf6ddf5..db792978 100644
--- a/host-interaction/thread/list/enumerate-threads.yml
+++ b/host-interaction/thread/list/enumerate-threads.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 mbc:
diff --git a/host-interaction/thread/tls/set-thread-local-storage-value.yml b/host-interaction/thread/tls/set-thread-local-storage-value.yml
index 1fd8bd8c..5a84bd56 100644
--- a/host-interaction/thread/tls/set-thread-local-storage-value.yml
+++ b/host-interaction/thread/tls/set-thread-local-storage-value.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Process::Set Thread Local Storage Value [C0041]
     examples:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
index 7ffef285..d4210209 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
@@ -6,7 +6,7 @@ rule:
       - richard.cole@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
     references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
index 7e90cb1b..a2f0ebdc 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
@@ -6,7 +6,7 @@ rule:
       - anamaria.martinezgom@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
     references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
index 27fcaf27..3c33b8b2 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
@@ -7,7 +7,7 @@ rule:
       - david@edeca.net
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
     references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
index 7a9795b1..a99f8561 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
@@ -7,7 +7,7 @@ rule:
       - david.cannings@pwc.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
     references:
diff --git a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
index 3f09f537..bba4d42b 100644
--- a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
+++ b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
@@ -6,7 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Impact::Inhibit System Recovery [T1490]
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
index 3257c3f0..e2168d2a 100644
--- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
+++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
     mbc:
diff --git a/lib/create-or-open-section-object.yml b/lib/create-or-open-section-object.yml
index 6def76ae..905eb9b1 100644
--- a/lib/create-or-open-section-object.yml
+++ b/lib/create-or-open-section-object.yml
@@ -6,7 +6,7 @@ rule:
     lib: true
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     examples:
       - daa13ae302fe8b618ddbf590537443ef:0x401116
   features:
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
index f2c6fbd3..0ad8e96b 100644
--- a/linking/runtime-linking/link-many-functions-at-runtime.yml
+++ b/linking/runtime-linking/link-many-functions-at-runtime.yml
@@ -7,7 +7,7 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Shared Modules [T1129]
     examples:
diff --git a/load-code/pe/access-pe-header.yml b/load-code/pe/access-pe-header.yml
index 926024df..ae687ddd 100644
--- a/load-code/pe/access-pe-header.yml
+++ b/load-code/pe/access-pe-header.yml
@@ -6,7 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Shared Modules [T1129]
     examples:
diff --git a/load-code/pe/inspect-section-memory-permissions.yml b/load-code/pe/inspect-section-memory-permissions.yml
index 1c5383ad..e1a0e298 100644
--- a/load-code/pe/inspect-section-memory-permissions.yml
+++ b/load-code/pe/inspect-section-memory-permissions.yml
@@ -7,7 +7,7 @@ rule:
     description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Discovery::Code Discovery::Inspect Section Memory Permissions [B0046.002]
     examples:
diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml
index 1c35b86d..71ecb96a 100644
--- a/load-code/powershell/run-powershell-expression.yml
+++ b/load-code/powershell/run-powershell-expression.yml
@@ -6,7 +6,7 @@ rule:
       - anamaria.martinezgom@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Command and Scripting Interpreter::PowerShell [T1059.001]
     mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
index 023c4958..1e4762e1 100644
--- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml
+++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CopyFile2/CopyFile2.cpp
     examples:
diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
index 70006b7d..c6cf7543 100644
--- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
+++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp
     examples:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
index 01fdd48c..450fec00 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
@@ -9,7 +9,7 @@ rule:
     description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Reflective Code Loading [T1620]
     mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
index 5dbb1f4c..49baeba4 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Defense Evasion::Process Injection::Injection via Windows Fibers [E1055.m05]
     references:
diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
index d165499a..2ef4257f 100644
--- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
+++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
@@ -6,7 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Memory::Allocate Memory [C0007]
       - Process::Create Thread [C0038]
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index a0acd251..684acc63 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
@@ -8,7 +8,7 @@ rule:
     description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode)
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
       - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
diff --git a/nursery/access-wmi-data-in-dotnet.yml b/nursery/access-wmi-data-in-dotnet.yml
index 1ea66ad5..c9ade539 100644
--- a/nursery/access-wmi-data-in-dotnet.yml
+++ b/nursery/access-wmi-data-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Windows Management Instrumentation [T1047]
   features:
diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml
index 9e338a0b..20a0950f 100644
--- a/nursery/add-value-to-global-atom-table.yml
+++ b/nursery/add-value-to-global-atom-table.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows
       - https://github.com/BreakingMalwareResearch/atom-bombing
diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml
index 07ecd9e5..8e14a3e8 100755
--- a/nursery/append-data-to-clfs-log-container.yml
+++ b/nursery/append-data-to-clfs-log-container.yml
@@ -7,7 +7,7 @@ rule:
       - blaine.stancill@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://docs.microsoft.com/en-us/windows/win32/api/clfsw32/
       - https://github.com/libyal/libfsclfs/blob/main/documenation/Common%20Log%20File%20System%20(CLFS).asciidoc
diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml
index cdf1dc0e..43cfd46f 100644
--- a/nursery/build-docker-image.yml
+++ b/nursery/build-docker-image.yml
@@ -6,7 +6,7 @@ rule:
       - william.ballenthin@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Build Image on Host [T1612]
     references:
diff --git a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
index baaad79a..80429670 100644
--- a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
+++ b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
@@ -7,7 +7,7 @@ rule:
     description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions
   features:
diff --git a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
index ec31d517..b0f59e32 100644
--- a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
+++ b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
@@ -6,7 +6,7 @@ rule:
       - anamaria.martinezgom@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
     references:
diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml
index e1dd86c5..a48af60c 100644
--- a/nursery/capture-webcam-video.yml
+++ b/nursery/capture-webcam-video.yml
@@ -7,7 +7,7 @@ rule:
     description: Rule that detects a system's webcam being used to capture video
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Collection::Video Capture [T1125]
   features:
diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml
index ba44d8c1..e1178cf9 100644
--- a/nursery/check-for-process-debug-object.yml
+++ b/nursery/check-for-process-debug-object.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
     references:
diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml
index 9e16518a..67fc01fc 100644
--- a/nursery/check-for-windows-sandbox-via-mutex.yml
+++ b/nursery/check-for-windows-sandbox-via-mutex.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:
diff --git a/nursery/check-license-value.yml b/nursery/check-license-value.yml
index bcf84c1e..769aed48 100644
--- a/nursery/check-license-value.yml
+++ b/nursery/check-license-value.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     references:
diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml
index 644e61ae..77d38aa4 100644
--- a/nursery/collect-ssh-keys.yml
+++ b/nursery/collect-ssh-keys.yml
@@ -6,7 +6,7 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Credential Access::Unsecured Credentials::Private Keys [T1552.004]
   features:
diff --git a/nursery/compile-csharp-in-dotnet.yml b/nursery/compile-csharp-in-dotnet.yml
index e9b1ae93..59d2930b 100644
--- a/nursery/compile-csharp-in-dotnet.yml
+++ b/nursery/compile-csharp-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
   features:
diff --git a/nursery/compile-visual-basic-in-dotnet.yml b/nursery/compile-visual-basic-in-dotnet.yml
index d14c489a..53718bff 100644
--- a/nursery/compile-visual-basic-in-dotnet.yml
+++ b/nursery/compile-visual-basic-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
   features:
diff --git a/nursery/connect-network-resource.yml b/nursery/connect-network-resource.yml
index 2394a08a..c5018a95 100644
--- a/nursery/connect-network-resource.yml
+++ b/nursery/connect-network-resource.yml
@@ -7,7 +7,7 @@ rule:
     description: connect to disk or print resource
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - or:
diff --git a/nursery/create-container.yml b/nursery/create-container.yml
index e047c097..9ac9d3d9 100644
--- a/nursery/create-container.yml
+++ b/nursery/create-container.yml
@@ -6,7 +6,7 @@ rule:
       - william.ballenthin@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Deploy Container [T1610]
     references:
diff --git a/nursery/create-process-via-wmi-in-dotnet.yml b/nursery/create-process-via-wmi-in-dotnet.yml
index 92d4d776..fe6e5448 100644
--- a/nursery/create-process-via-wmi-in-dotnet.yml
+++ b/nursery/create-process-via-wmi-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
       - anushka.virgaonkar@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Execution::Windows Management Instrumentation [T1047]
   features:
diff --git a/nursery/create-registry-key-via-stdregprov.yml b/nursery/create-registry-key-via-stdregprov.yml
index 41d27b5b..7ab4d3d7 100644
--- a/nursery/create-registry-key-via-stdregprov.yml
+++ b/nursery/create-registry-key-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
   features:
diff --git a/nursery/delete-internet-cache.yml b/nursery/delete-internet-cache.yml
index 47ac9b54..4f7eb60b 100644
--- a/nursery/delete-internet-cache.yml
+++ b/nursery/delete-internet-cache.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - match: enumerate internet cache
diff --git a/nursery/delete-registry-key-via-stdregprov.yml b/nursery/delete-registry-key-via-stdregprov.yml
index 2db744a1..85dff7a9 100644
--- a/nursery/delete-registry-key-via-stdregprov.yml
+++ b/nursery/delete-registry-key-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
   features:
diff --git a/nursery/delete-registry-value-via-stdregprov.yml b/nursery/delete-registry-value-via-stdregprov.yml
index 3ac76ac5..f39d0fe5 100644
--- a/nursery/delete-registry-value-via-stdregprov.yml
+++ b/nursery/delete-registry-value-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
   features:
diff --git a/nursery/destroy-software-breakpoint-capability.yml b/nursery/destroy-software-breakpoint-capability.yml
index dca3106c..eb1666ea 100644
--- a/nursery/destroy-software-breakpoint-capability.yml
+++ b/nursery/destroy-software-breakpoint-capability.yml
@@ -6,7 +6,7 @@ rule:
       - echernofsky@google.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://www.microsoft.com/en-us/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
       - https://anti-debug.checkpoint.com/techniques/assembly.html
diff --git a/nursery/display-service-notification-message-box.yml b/nursery/display-service-notification-message-box.yml
index 7bf65439..ed4bda77 100644
--- a/nursery/display-service-notification-message-box.yml
+++ b/nursery/display-service-notification-message-box.yml
@@ -6,7 +6,7 @@ rule:
       - anushka.virgaonkar@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - number: 0x200000 = service notification
diff --git a/nursery/enable-safe-mode-boot.yml b/nursery/enable-safe-mode-boot.yml
index 1807ee02..c9683b22 100644
--- a/nursery/enable-safe-mode-boot.yml
+++ b/nursery/enable-safe-mode-boot.yml
@@ -6,7 +6,7 @@ rule:
       - william.ballenthin@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
   features:
diff --git a/nursery/encrypt-data-using-salsa20-or-chacha.yml b/nursery/encrypt-data-using-salsa20-or-chacha.yml
index 5fc26d21..de06d943 100644
--- a/nursery/encrypt-data-using-salsa20-or-chacha.yml
+++ b/nursery/encrypt-data-using-salsa20-or-chacha.yml
@@ -6,7 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     references:
diff --git a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
index 02fb47b4..2924df5c 100644
--- a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
+++ b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:
diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml
index c73df788..6e9147af 100644
--- a/nursery/enumerate-device-drivers-on-linux.yml
+++ b/nursery/enumerate-device-drivers-on-linux.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::Device Driver Discovery [T1652]
   features:
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
index 8288e507..2abd915c 100644
--- a/nursery/enumerate-device-drivers-on-windows.yml
+++ b/nursery/enumerate-device-drivers-on-windows.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::Device Driver Discovery [T1652]
     references:
diff --git a/nursery/enumerate-disk-volumes.yml b/nursery/enumerate-disk-volumes.yml
index c8c8c085..a03a5206 100644
--- a/nursery/enumerate-disk-volumes.yml
+++ b/nursery/enumerate-disk-volumes.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Information Discovery [T1082]
   features:
diff --git a/nursery/enumerate-files-in-dotnet.yml b/nursery/enumerate-files-in-dotnet.yml
index db3e09a1..ccb21c79 100644
--- a/nursery/enumerate-files-in-dotnet.yml
+++ b/nursery/enumerate-files-in-dotnet.yml
@@ -7,7 +7,7 @@ rule:
       - anushka.virgaonkar@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
     mbc:
diff --git a/nursery/enumerate-internet-cache.yml b/nursery/enumerate-internet-cache.yml
index 759366dd..b8296701 100644
--- a/nursery/enumerate-internet-cache.yml
+++ b/nursery/enumerate-internet-cache.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - api: wininet.FindFirstUrlCacheEntry
diff --git a/nursery/enumerate-network-shares.yml b/nursery/enumerate-network-shares.yml
index 25f5e92b..1baa2496 100644
--- a/nursery/enumerate-network-shares.yml
+++ b/nursery/enumerate-network-shares.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::Network Share Discovery [T1135]
   features:
diff --git a/nursery/enumerate-processes-that-use-resource.yml b/nursery/enumerate-processes-that-use-resource.yml
index 4b9f3033..a548487e 100644
--- a/nursery/enumerate-processes-that-use-resource.yml
+++ b/nursery/enumerate-processes-that-use-resource.yml
@@ -6,7 +6,7 @@ rule:
       - "@Ana06"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners
     # examples:
diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml
index 3914c2a8..cc5ee888 100644
--- a/nursery/enumerate-processes-via-procfs.yml
+++ b/nursery/enumerate-processes-via-procfs.yml
@@ -6,7 +6,7 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::Process Discovery [T1057]
       - Discovery::Software Discovery [T1518]
diff --git a/nursery/execute-sqlite-statement-in-dotnet.yml b/nursery/execute-sqlite-statement-in-dotnet.yml
index 72533ea8..d92da4a2 100644
--- a/nursery/execute-sqlite-statement-in-dotnet.yml
+++ b/nursery/execute-sqlite-statement-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - or:
diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml
index ae2eb5df..0e7a32a0 100644
--- a/nursery/get-client-handle-via-schannel.yml
+++ b/nursery/get-client-handle-via-schannel.yml
@@ -6,7 +6,7 @@ rule:
       - matthew.williams@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     references:
diff --git a/nursery/get-current-process-command-line.yml b/nursery/get-current-process-command-line.yml
index df4c844d..b639e1e7 100644
--- a/nursery/get-current-process-command-line.yml
+++ b/nursery/get-current-process-command-line.yml
@@ -6,7 +6,7 @@ rule:
       - william.ballenthin@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - os: linux
diff --git a/nursery/get-mac-address-in-dotnet.yml b/nursery/get-mac-address-in-dotnet.yml
index 43a3aeba..ea69efa3 100644
--- a/nursery/get-mac-address-in-dotnet.yml
+++ b/nursery/get-mac-address-in-dotnet.yml
@@ -8,7 +8,7 @@ rule:
       - echernofsky@google.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Information Discovery [T1082]
   features:
diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml
index ffcafe35..58485e9e 100644
--- a/nursery/get-mac-address-on-linux.yml
+++ b/nursery/get-mac-address-on-linux.yml
@@ -6,7 +6,7 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Information Discovery [T1082]
   features:
diff --git a/nursery/get-os-information-via-kuser_shared_data.yml b/nursery/get-os-information-via-kuser_shared_data.yml
index ed0d6f8f..05e4f61a 100644
--- a/nursery/get-os-information-via-kuser_shared_data.yml
+++ b/nursery/get-os-information-via-kuser_shared_data.yml
@@ -7,7 +7,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Information Discovery [T1082]
     references:
diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml
index 7f495675..1d667ad6 100644
--- a/nursery/get-proxy.yml
+++ b/nursery/get-proxy.yml
@@ -6,7 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Network Configuration Discovery [T1016]
   features:
diff --git a/nursery/get-session-information.yml b/nursery/get-session-information.yml
index 23d33682..e9fae8b9 100644
--- a/nursery/get-session-information.yml
+++ b/nursery/get-session-information.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Owner/User Discovery [T1033]
   features:
diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml
index dc1cb3ed..ed0cd9a4 100644
--- a/nursery/get-storage-device-properties.yml
+++ b/nursery/get-storage-device-properties.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
   features:
diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml
index 3d829469..47a82615 100644
--- a/nursery/get-system-information-on-linux.yml
+++ b/nursery/get-system-information-on-linux.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     att&ck:
       - Discovery::System Information Discovery [T1082]
   features:
diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml
index bc64f7de..aea1a7da 100644
--- a/nursery/get-token-privileges.yml
+++ b/nursery/get-token-privileges.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - and:
       - or:
diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml
index 6cc08aaf..c8878ada 100755
--- a/nursery/hash-data-using-ripemd256.yml
+++ b/nursery/hash-data-using-ripemd256.yml
@@ -6,7 +6,7 @@ rule:
       - raymond.leong@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://en.wikipedia.org/wiki/RIPEMD-256
   features:
diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml
index a8fc6f67..c0782858 100755
--- a/nursery/hash-data-using-ripemd320.yml
+++ b/nursery/hash-data-using-ripemd320.yml
@@ -6,7 +6,7 @@ rule:
       - raymond.leong@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
     references:
       - https://en.wikipedia.org/wiki/RIPEMD-320
   features:
diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml
index 3be8c8f8..0eb3b34d 100644
--- a/nursery/hash-data-using-sha1-via-wincrypt.yml
+++ b/nursery/hash-data-using-sha1-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: sequence
   features:
     - or:
       - and:
diff --git a/nursery/hash-data-using-sha512managed-in-dotnet.yml b/nursery/hash-data-using-sha512managed-in-dotnet.yml
index 16886f25..9f8027fb 100644
--- a/nursery/hash-data-using-sha512managed-in-dotnet.yml
+++ b/nursery/hash-data-using-sha512managed-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - jonathanlepore@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed
 features:
diff --git a/nursery/hash-data-via-bcrypt.yml b/nursery/hash-data-via-bcrypt.yml
index 34e14c97..b7af6eb8 100644
--- a/nursery/hash-data-via-bcrypt.yml
+++ b/nursery/hash-data-via-bcrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/nursery/hook-routines-via-microsoft-detours.yml b/nursery/hook-routines-via-microsoft-detours.yml
index 9499d230..62c6a22c 100644
--- a/nursery/hook-routines-via-microsoft-detours.yml
+++ b/nursery/hook-routines-via-microsoft-detours.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf
 features:
diff --git a/nursery/impersonate-user.yml b/nursery/impersonate-user.yml
index c6f6f451..c0f65154 100644
--- a/nursery/impersonate-user.yml
+++ b/nursery/impersonate-user.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]
 features:
diff --git a/nursery/initialize-hashing-via-wincrypt.yml b/nursery/initialize-hashing-via-wincrypt.yml
index b5797530..eaa99b51 100644
--- a/nursery/initialize-hashing-via-wincrypt.yml
+++ b/nursery/initialize-hashing-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - api: advapi32.CryptCreateHash
diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml
index 3132e37c..bb1e803d 100644
--- a/nursery/link-function-at-runtime-on-linux.yml
+++ b/nursery/link-function-at-runtime-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Shared Modules [T1129]
 features:
diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml
index 0c6c38c1..00350c23 100644
--- a/nursery/list-containers.yml
+++ b/nursery/list-containers.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Container and Resource Discovery [T1613]
 references:
diff --git a/nursery/list-drag-and-drop-files.yml b/nursery/list-drag-and-drop-files.yml
index f9b0dfe4..83a89bd7 100644
--- a/nursery/list-drag-and-drop-files.yml
+++ b/nursery/list-drag-and-drop-files.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Clipboard Data [T1115]
 features:
diff --git a/nursery/load-packed-dex-via-jiagu-on-android.yml b/nursery/load-packed-dex-via-jiagu-on-android.yml
index bd1b153d..4c56f129 100644
--- a/nursery/load-packed-dex-via-jiagu-on-android.yml
+++ b/nursery/load-packed-dex-via-jiagu-on-android.yml
@@ -6,7 +6,7 @@ rule:
 - mehunhoff@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://github.com/Frezrik/Jiagu
 features:
diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml
index ef23de6e..cc80ca75 100644
--- a/nursery/log-keystrokes-via-input-method-manager.yml
+++ b/nursery/log-keystrokes-via-input-method-manager.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - or:
diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml
index c056237f..65b803a7 100644
--- a/nursery/make-an-http-request-with-a-cookie.yml
+++ b/nursery/make-an-http-request-with-a-cookie.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - match: send HTTP request
diff --git a/nursery/migrate-process-to-active-window-station.yml b/nursery/migrate-process-to-active-window-station.yml
index 541b4a68..4d902172 100644
--- a/nursery/migrate-process-to-active-window-station.yml
+++ b/nursery/migrate-process-to-active-window-station.yml
@@ -7,7 +7,7 @@ rule:
 description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html
 - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops
diff --git a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
index 58f91138..a27c332a 100644
--- a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
+++ b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
@@ -6,7 +6,7 @@ rule:
 - mehunhoff@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - os: android
diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml
index 32048170..88b75d93 100644
--- a/nursery/persist-via-gnome-autostart-on-linux.yml
+++ b/nursery/persist-via-gnome-autostart-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - os: linux
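Review bot: Narrowing `dynamic` from `thread` to `sequence` in `make-an-http-request-with-a-cookie.yml` changes what the composed rule can match, because its `- and:` combines `match: send HTTP request` with the other features of the rule, and under the new scope those presumably all have to occur within one sequence window rather than anywhere in the thread, so dynamic matches that previously spanned a whole thread may no longer fire. The same concern applies to `read-and-send-data-from-client-to-server.yml` and `receive-and-write-data-from-server-to-client.yml` (`match: host-interaction/file-system/read`, `match: receive data`) and to `send-http-request-with-host-header.yml` later in this patch. Before merging it would help to confirm that each referenced sub-rule declares a dynamic scope no wider than `sequence` and to re-run the dynamic test fixtures for these composed rules, since a silent drop in matches is a detection regression rather than a load error. Recording the intent under `scopes:` with a comment such as `# dynamic: sequence — the composed matches must occur within one call sequence, not just the same thread` would make the narrowing visible to the next editor. The `features:` bodies these `match:` lines belong to lie outside the hunks.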
diff --git a/nursery/prompt-user-for-credentials.yml b/nursery/prompt-user-for-credentials.yml
index 303c4ced..cfbbc6fa 100644
--- a/nursery/prompt-user-for-credentials.yml
+++ b/nursery/prompt-user-for-credentials.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials
 features:
diff --git a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
index 1dc167b9..0b9df019 100644
--- a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
+++ b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
index 063f4234..7c995002 100644
--- a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
+++ b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml
index 6d181534..0a5f604f 100644
--- a/nursery/read-and-send-data-from-client-to-server.yml
+++ b/nursery/read-and-send-data-from-client-to-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - match: host-interaction/file-system/read
diff --git a/nursery/read-process-memory.yml b/nursery/read-process-memory.yml
index db460b90..6d6c44fe 100644
--- a/nursery/read-process-memory.yml
+++ b/nursery/read-process-memory.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - api: kernel32.ReadProcessMemory
diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml
index 369dbf19..c9f69986 100644
--- a/nursery/receive-and-write-data-from-server-to-client.yml
+++ b/nursery/receive-and-write-data-from-server-to-client.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - match: receive data
diff --git a/nursery/reference-114dns-dns-server.yml b/nursery/reference-114dns-dns-server.yml
index c1ac922a..b52152e5 100644
--- a/nursery/reference-114dns-dns-server.yml
+++ b/nursery/reference-114dns-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.114dns.com/
 - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP
diff --git a/nursery/reference-alidns-dns-server.yml b/nursery/reference-alidns-dns-server.yml
index 1a35101a..696f2c4b 100644
--- a/nursery/reference-alidns-dns-server.yml
+++ b/nursery/reference-alidns-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.alidns.com/
 # examples:
diff --git a/nursery/reference-cloudflare-dns-server.yml b/nursery/reference-cloudflare-dns-server.yml
index dd7e512c..9fd7d5b2 100644
--- a/nursery/reference-cloudflare-dns-server.yml
+++ b/nursery/reference-cloudflare-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-comodo-secure-dns-server.yml b/nursery/reference-comodo-secure-dns-server.yml
index b7664ff2..5eaf10df 100644
--- a/nursery/reference-comodo-secure-dns-server.yml
+++ b/nursery/reference-comodo-secure-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-google-public-dns-server.yml b/nursery/reference-google-public-dns-server.yml
index fccdc8e7..5815adcb 100644
--- a/nursery/reference-google-public-dns-server.yml
+++ b/nursery/reference-google-public-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 - https://developers.google.com/speed/public-dns/docs/using
diff --git a/nursery/reference-hurricane-electric-dns-server.yml b/nursery/reference-hurricane-electric-dns-server.yml
index c90176fe..bfd2c1ea 100644
--- a/nursery/reference-hurricane-electric-dns-server.yml
+++ b/nursery/reference-hurricane-electric-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://dns.he.net/
 - https://dnslytics.com/ip/216.66.1.2
diff --git a/nursery/reference-kornet-dns-server.yml b/nursery/reference-kornet-dns-server.yml
index f08d6b3c..add6a03d 100644
--- a/nursery/reference-kornet-dns-server.yml
+++ b/nursery/reference-kornet-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://whatismyipaddress.com/ip/168.126.63.1
 # examples:
diff --git a/nursery/reference-l3-dns-server.yml b/nursery/reference-l3-dns-server.yml
index 0a0f1f98..45ba4e6d 100644
--- a/nursery/reference-l3-dns-server.yml
+++ b/nursery/reference-l3-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.quora.com/What-is-a-4-2-2-1-DNS-server
 features:
diff --git a/nursery/reference-opendns-dns-server.yml b/nursery/reference-opendns-dns-server.yml
index 128ed617..e0a68d41 100644
--- a/nursery/reference-opendns-dns-server.yml
+++ b/nursery/reference-opendns-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-quad9-dns-server.yml b/nursery/reference-quad9-dns-server.yml
index 74188a33..4c9732b1 100644
--- a/nursery/reference-quad9-dns-server.yml
+++ b/nursery/reference-quad9-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-verisign-dns-server.yml b/nursery/reference-verisign-dns-server.yml
index 626ae4b9..6b0528cc 100644
--- a/nursery/reference-verisign-dns-server.yml
+++ b/nursery/reference-verisign-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/resolve-function-by-djb2-hash.yml b/nursery/resolve-function-by-djb2-hash.yml
index 49d40508..3c5ec73a 100644
--- a/nursery/resolve-function-by-djb2-hash.yml
+++ b/nursery/resolve-function-by-djb2-hash.yml
@@ -7,7 +7,7 @@ rule:
 description: known import name hashes calculated using the non-cryptographic djb2 hashing algorithm
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 mbc:
diff --git a/nursery/resolve-function-by-fnv-1a-hash.yml b/nursery/resolve-function-by-fnv-1a-hash.yml
index 7f323956..91f8d6fb 100644
--- a/nursery/resolve-function-by-fnv-1a-hash.yml
+++ b/nursery/resolve-function-by-fnv-1a-hash.yml
@@ -7,7 +7,7 @@ rule:
 description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/resolve-function-by-hash.yml b/nursery/resolve-function-by-hash.yml
index 9e84d6a6..cb219c7e 100644
--- a/nursery/resolve-function-by-hash.yml
+++ b/nursery/resolve-function-by-hash.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml
index dd96985a..4d7cb40d 100644
--- a/nursery/run-in-container.yml
+++ b/nursery/run-in-container.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Container Administration Command [T1609]
 references:
diff --git a/nursery/send-data-to-internet.yml b/nursery/send-data-to-internet.yml
index 44e1a3a6..c2ffa3a7 100644
--- a/nursery/send-data-to-internet.yml
+++ b/nursery/send-data-to-internet.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - optional:
diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml
index 4e54322f..959694ba 100644
--- a/nursery/send-http-request-with-host-header.yml
+++ b/nursery/send-http-request-with-host-header.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - match: send HTTP request
diff --git a/nursery/send-request-in-dotnet.yml b/nursery/send-request-in-dotnet.yml
index 9c66ac39..4233995a 100644
--- a/nursery/send-request-in-dotnet.yml
+++ b/nursery/send-request-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - anushka.virgaonakr@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
 mbc:
diff --git a/nursery/set-registry-value-via-stdregprov.yml b/nursery/set-registry-value-via-stdregprov.yml
index ecc12bb5..61ea9b56 100644
--- a/nursery/set-registry-value-via-stdregprov.yml
+++ b/nursery/set-registry-value-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/terminate-process-by-name-in-dotnet.yml b/nursery/terminate-process-by-name-in-dotnet.yml
index d54e5029..4488795a 100644
--- a/nursery/terminate-process-by-name-in-dotnet.yml
+++ b/nursery/terminate-process-by-name-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - api: System.Diagnostics.Process::GetProcessesByName
diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
index 2f5426f2..bd2c68dc 100644
--- a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
+++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
@@ -7,7 +7,7 @@ rule:
 description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 features:
 - and:
 - or:
diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml
index e6148126..c3cc8f39 100644
--- a/persistence/exchange/act-as-exchange-transport-agent.yml
+++ b/persistence/exchange/act-as-exchange-transport-agent.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Server Software Component::Transport Agent [T1505.002]
 references:
diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml
index 13809bb3..e2a4030e 100644
--- a/persistence/persist-via-desktop-autostart.yml
+++ b/persistence/persist-via-desktop-autostart.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]
 examples:
diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml
index b4d149f4..351c54da 100644
--- a/persistence/persist-via-shell-profile-or-rc-file.yml
+++ b/persistence/persist-via-shell-profile-or-rc-file.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004]
 examples:
diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
index 2f4b7292..b05e9079 100644
--- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
+++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@fireye.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml
index 11c4c0fa..742e0729 100644
--- a/persistence/service/persist-via-rc-script.yml
+++ b/persistence/service/persist-via-rc-script.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004]
 examples:
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 2b88013d..0f463ec6 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -7,7 +7,7 @@ rule:
 - j.j.vannielen@utwente.nl
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 examples:
diff --git a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
index 7354fd6e..4a23a7d2 100644
--- a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
+++ b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
 examples:
diff --git a/targeting/language/identify-system-language-via-api.yml b/targeting/language/identify-system-language-via-api.yml
index 7ba9a0a2..5535d56f 100644
--- a/targeting/language/identify-system-language-via-api.yml
+++ b/targeting/language/identify-system-language-via-api.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples: