From 4b5fa3b0d0d2ed84d16f2229035d0d0f1c2155d0 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 13 Oct 2023 14:50:54 +0200 Subject: [PATCH] upgraded rules using script --- ...-on-executable-memory-pages-using-arbitrary-code-guard.yml | 4 +++- anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml | 4 +++- .../anti-av/patch-event-tracing-for-windows-function.yml | 4 +++- .../protect-spawned-processes-with-mitigation-policies.yml | 4 +++- .../debugger-detection/check-for-debugger-via-api.yml | 4 +++- .../debugger-detection/check-for-hardware-breakpoints.yml | 4 +++- ...eck-for-kernel-debugger-via-shared-user-data-structure.yml | 4 +++- .../debugger-detection/check-for-outputdebugstring-error.yml | 4 +++- .../debugger-detection/check-for-peb-beingdebugged-flag.yml | 4 +++- .../debugger-detection/check-for-peb-ntglobalflag-flag.yml | 4 +++- .../check-for-protected-handle-exception.yml | 4 +++- .../debugger-detection/check-for-software-breakpoints.yml | 4 +++- .../check-for-time-delay-via-gettickcount.yml | 4 +++- .../check-for-time-delay-via-queryperformancecounter.yml | 4 +++- .../debugger-detection/check-for-trap-flag-exception.yml | 4 +++- .../debugger-detection/check-for-unexpected-memory-writes.yml | 4 +++- .../debugger-detection/check-process-job-object.yml | 4 +++- .../debugger-detection/check-processdebugport.yml | 4 +++- .../execute-anti-debugging-instructions.yml | 4 +++- .../debugger-evasion/hide-thread-from-debugger.yml | 4 +++- .../anti-disasm/64-bit-execution-via-heavens-gate.yml | 4 +++- anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml | 4 +++- .../wine/check-if-process-is-running-under-wine.yml | 4 +++- .../anti-forensic/clear-logs/clear-windows-event-logs.yml | 4 +++- .../anti-forensic/crash-the-windows-event-logging-service.yml | 4 +++- .../anti-forensic/impersonate-file-version-information.yml | 4 +++- anti-analysis/anti-forensic/patch-process-command-line.yml | 4 +++- anti-analysis/anti-forensic/self-deletion/self-delete.yml | 4 +++- anti-analysis/anti-forensic/spoof-parent-pid.yml | 4 +++- anti-analysis/anti-forensic/timestomp/timestomp-file.yml | 4 +++- .../vm-detection/check-for-foreground-window-switch.yml | 4 +++- .../vm-detection/check-for-microsoft-office-emulation.yml | 4 +++- .../vm-detection/check-for-sandbox-username-or-hostname.yml | 4 +++- .../anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-device.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-dns-suffix.yml | 4 +++- .../check-for-windows-sandbox-via-genuine-state.yml | 4 +++- .../check-for-windows-sandbox-via-process-name.yml | 4 +++- .../vm-detection/check-for-windows-sandbox-via-registry.yml | 4 +++- .../vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml | 4 +++- .../detect-vm-via-motherboard-hardware-wmi-queries.yml | 4 +++- .../reference-anti-vm-strings-targeting-parallels.yml | 4 +++- .../vm-detection/reference-anti-vm-strings-targeting-qemu.yml | 4 +++- .../reference-anti-vm-strings-targeting-virtualbox.yml | 4 +++- .../reference-anti-vm-strings-targeting-virtualpc.yml | 4 +++- .../reference-anti-vm-strings-targeting-vmware.yml | 4 +++- .../vm-detection/reference-anti-vm-strings-targeting-xen.yml | 4 +++- .../anti-vm/vm-detection/reference-anti-vm-strings.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml | 4 +++- .../obfuscation/obfuscated-with-babel-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml | 4 +++- .../obfuscation/obfuscated-with-deepsea-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-smartassembly.yml | 4 +++- .../obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml | 4 +++- anti-analysis/obfuscation/obfuscated-with-yano.yml | 4 +++- .../string/stackstring/contain-obfuscated-stackstrings.yml | 4 +++- anti-analysis/packer/amber/packed-with-amber.yml | 4 +++- anti-analysis/packer/aspack/packed-with-aspack.yml | 4 +++- anti-analysis/packer/confuser/packed-with-confuser.yml | 4 +++- anti-analysis/packer/generic/packed-with-generic-packer.yml | 4 +++- anti-analysis/packer/gopacker/packed-with-gopacker.yml | 4 +++- anti-analysis/packer/huan/packed-with-huan.yml | 4 +++- anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml | 4 +++- anti-analysis/packer/nspack/packed-with-nspack.yml | 4 +++- anti-analysis/packer/pebundle/packed-with-pebundle.yml | 4 +++- anti-analysis/packer/pecompact/packed-with-pecompact.yml | 4 +++- anti-analysis/packer/pelocknt/packed-with-pelocknt.yml | 4 +++- anti-analysis/packer/peshield/packed-with-peshield.yml | 4 +++- anti-analysis/packer/pespin/packed-with-pespin.yml | 4 +++- anti-analysis/packer/petite/packed-with-petite.yml | 4 +++- anti-analysis/packer/rlpack/packed-with-rlpack.yml | 4 +++- anti-analysis/packer/themida/packed-with-themida.yml | 4 +++- anti-analysis/packer/upack/packed-with-upack.yml | 4 +++- anti-analysis/packer/upx/packed-with-upx.yml | 4 +++- anti-analysis/packer/vmprotect/packed-with-vmprotect.yml | 4 +++- anti-analysis/packer/y0da/packed-with-y0da-crypter.yml | 4 +++- anti-analysis/reference-analysis-tools-strings.yml | 4 +++- .../acquire-credentials-from-windows-credential-manager.yml | 4 +++- .../browser/gather-chrome-based-browser-login-information.yml | 4 +++- collection/browser/gather-firefox-profile-information.yml | 4 +++- collection/credit-card/parse-credit-card-information.yml | 4 +++- collection/database/sql/reference-sql-statements.yml | 4 +++- collection/database/wmi/reference-wmi-statements.yml | 4 +++- collection/file-managers/gather-3d-ftp-information.yml | 4 +++- collection/file-managers/gather-alftp-information.yml | 4 +++- collection/file-managers/gather-bitkinex-information.yml | 4 +++- collection/file-managers/gather-blazeftp-information.yml | 4 +++- .../file-managers/gather-bulletproof-ftp-information.yml | 4 +++- collection/file-managers/gather-classicftp-information.yml | 4 +++- collection/file-managers/gather-coreftp-information.yml | 4 +++- collection/file-managers/gather-cuteftp-information.yml | 4 +++- collection/file-managers/gather-cyberduck-information.yml | 4 +++- collection/file-managers/gather-direct-ftp-information.yml | 4 +++- .../file-managers/gather-directory-opus-information.yml | 4 +++- collection/file-managers/gather-expandrive-information.yml | 4 +++- .../file-managers/gather-faststone-browser-information.yml | 4 +++- collection/file-managers/gather-fasttrack-ftp-information.yml | 4 +++- collection/file-managers/gather-ffftp-information.yml | 4 +++- collection/file-managers/gather-filezilla-information.yml | 4 +++- collection/file-managers/gather-flashfxp-information.yml | 4 +++- collection/file-managers/gather-fling-ftp-information.yml | 4 +++- collection/file-managers/gather-freshftp-information.yml | 4 +++- collection/file-managers/gather-frigate3-information.yml | 4 +++- collection/file-managers/gather-ftp-commander-information.yml | 4 +++- collection/file-managers/gather-ftp-explorer-information.yml | 4 +++- collection/file-managers/gather-ftp-voyager-information.yml | 4 +++- collection/file-managers/gather-ftpgetter-information.yml | 4 +++- collection/file-managers/gather-ftpinfo-information.yml | 4 +++- collection/file-managers/gather-ftpnow-information.yml | 4 +++- collection/file-managers/gather-ftprush-information.yml | 4 +++- collection/file-managers/gather-ftpshell-information.yml | 4 +++- .../file-managers/gather-global-downloader-information.yml | 4 +++- collection/file-managers/gather-goftp-information.yml | 4 +++- collection/file-managers/gather-leapftp-information.yml | 4 +++- collection/file-managers/gather-netdrive-information.yml | 4 +++- collection/file-managers/gather-nexusfile-information.yml | 4 +++- collection/file-managers/gather-nova-ftp-information.yml | 4 +++- collection/file-managers/gather-robo-ftp-information.yml | 4 +++- collection/file-managers/gather-securefx-information.yml | 4 +++- collection/file-managers/gather-smart-ftp-information.yml | 4 +++- collection/file-managers/gather-softx-ftp-information.yml | 4 +++- .../file-managers/gather-southriver-webdrive-information.yml | 4 +++- collection/file-managers/gather-staff-ftp-information.yml | 4 +++- .../file-managers/gather-total-commander-information.yml | 4 +++- collection/file-managers/gather-turbo-ftp-information.yml | 4 +++- collection/file-managers/gather-ultrafxp-information.yml | 4 +++- collection/file-managers/gather-winscp-information.yml | 4 +++- collection/file-managers/gather-winzip-information.yml | 4 +++- collection/file-managers/gather-wise-ftp-information.yml | 4 +++- collection/file-managers/gather-ws-ftp-information.yml | 4 +++- collection/file-managers/gather-xftp-information.yml | 4 +++- collection/get-geographical-location.yml | 4 +++- .../group-policy/discover-group-policy-via-gpresult.yml | 4 +++- collection/keylog/log-keystrokes-via-application-hook.yml | 4 +++- collection/keylog/log-keystrokes-via-polling.yml | 4 +++- collection/keylog/log-keystrokes.yml | 4 +++- collection/microphone/capture-microphone-audio.yml | 4 +++- .../network/capture-network-configuration-via-ipconfig.yml | 4 +++- collection/network/capture-packets-using-sharppcap.yml | 4 +++- collection/network/capture-public-ip.yml | 4 +++- collection/network/get-domain-trust-relationships.yml | 4 +++- collection/network/get-mac-address-on-windows.yml | 4 +++- .../steal-keepass-passwords-using-keefarce.yml | 4 +++- collection/screenshot/capture-screenshot-via-keybd-event.yml | 4 +++- collection/screenshot/capture-screenshot.yml | 4 +++- collection/use-dotnet-library-sharpclipboard.yml | 4 +++- collection/webcam/capture-webcam-image.yml | 4 +++- communication/c2/file-transfer/download-and-write-a-file.yml | 4 +++- communication/c2/file-transfer/write-and-execute-a-file.yml | 4 +++- communication/c2/shell/create-reverse-shell-on-linux.yml | 4 +++- communication/c2/shell/create-reverse-shell.yml | 4 +++- .../c2/shell/execute-shell-command-and-capture-output.yml | 4 +++- .../execute-shell-command-received-from-socket-on-linux.yml | 4 +++- communication/dns/reference-dns-over-https-endpoints.yml | 4 +++- communication/dns/resolve-dns.yml | 4 +++- communication/ftp/send/send-file-using-ftp.yml | 4 +++- communication/http/client/check-http-status-code.yml | 4 +++- communication/http/client/connect-to-http-server.yml | 4 +++- communication/http/client/connect-to-url.yml | 4 +++- communication/http/client/create-bits-job.yml | 4 +++- communication/http/client/create-http-request.yml | 4 +++- .../decompress-http-response-via-iencodingfilterfactory.yml | 4 +++- communication/http/client/download-url.yml | 4 +++- communication/http/client/extract-http-body.yml | 4 +++- .../http/client/get-http-document-via-iwebbrowser2.yml | 4 +++- .../http/client/get-http-response-content-encoding.yml | 4 +++- communication/http/client/prepare-http-request.yml | 4 +++- communication/http/client/read-data-from-internet.yml | 4 +++- communication/http/client/receive-http-response.yml | 4 +++- communication/http/client/send-file-via-http.yml | 4 +++- communication/http/client/send-http-request.yml | 4 +++- communication/http/get-http-content-length.yml | 4 +++- communication/http/initialize-iwebbrowser2.yml | 4 +++- communication/http/initialize-winhttp-library.yml | 4 +++- communication/http/read-http-header.yml | 4 +++- communication/http/reference-http-user-agent-string.yml | 4 +++- communication/http/server/receive-http-request.yml | 4 +++- communication/http/server/send-http-response.yml | 4 +++- communication/http/server/start-http-server.yml | 4 +++- communication/http/set-http-header.yml | 4 +++- communication/icmp/send-icmp-echo-request.yml | 4 +++- communication/ip/convert-ip-address-from-string.yml | 4 +++- communication/mailslot/create-mailslot.yml | 4 +++- communication/mailslot/read-from-mailslot.yml | 4 +++- communication/named-pipe/connect/connect-pipe.yml | 4 +++- communication/named-pipe/create/create-pipe.yml | 4 +++- .../named-pipe/create/create-two-anonymous-pipes.yml | 4 +++- communication/named-pipe/read/read-pipe.yml | 4 +++- communication/named-pipe/write/write-pipe.yml | 4 +++- communication/receive-data.yml | 4 +++- communication/send-data.yml | 4 +++- communication/socket/create-raw-socket.yml | 4 +++- communication/socket/create-vmci-socket.yml | 4 +++- communication/socket/get-socket-status.yml | 4 +++- communication/socket/initialize-winsock-library.yml | 4 +++- communication/socket/receive/receive-data-on-socket.yml | 4 +++- communication/socket/send/send-data-on-socket.yml | 4 +++- communication/socket/set-socket-configuration.yml | 4 +++- communication/socket/tcp/connect-tcp-socket.yml | 4 +++- .../socket/tcp/create-tcp-socket-via-raw-afd-driver.yml | 4 +++- communication/socket/tcp/create-tcp-socket.yml | 4 +++- .../obtain-transmitpackets-callback-function-via-wsaioctl.yml | 4 +++- communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml | 4 +++- communication/socket/udp/send/create-udp-socket.yml | 4 +++- communication/tcp/client/act-as-tcp-client.yml | 4 +++- communication/tcp/serve/start-tcp-server.yml | 4 +++- compiler/autohotkey/compiled-with-autohotkey.yml | 4 +++- compiler/autoit/compiled-with-autoit.yml | 4 +++- compiler/cx_freeze/compiled-with-cx_freeze.yml | 4 +++- compiler/d/compiled-with-dmd.yml | 4 +++- compiler/delphi/compiled-with-borland-delphi.yml | 4 +++- compiler/exe4j/compiled-with-exe4j.yml | 4 +++- compiler/go/compiled-with-go.yml | 4 +++- compiler/mingw/compiled-with-mingw-for-windows.yml | 4 +++- compiler/nim/compiled-with-nim.yml | 4 +++- compiler/nuitka/compiled-with-nuitka.yml | 4 +++- compiler/perl2exe/compiled-with-perl2exe.yml | 4 +++- compiler/ps2exe/compiled-with-ps2exe.yml | 4 +++- compiler/py2exe/compiled-with-py2exe.yml | 4 +++- compiler/pyarmor/compiled-with-pyarmor.yml | 4 +++- compiler/rust/compiled-with-rust.yml | 4 +++- compiler/v/compiled-with-v.yml | 4 +++- compiler/vb/compiled-from-visual-basic.yml | 4 +++- compiler/zig/compiled-with-zig.yml | 4 +++- .../checksum/adler32/compute-adler32-checksum.yml | 4 +++- data-manipulation/checksum/crc32/hash-data-with-crc32.yml | 4 +++- .../validate-payment-card-number-using-luhn-algorithm.yml | 4 +++- data-manipulation/compression/compress-data-using-lzo.yml | 4 +++- data-manipulation/compression/compress-data-via-winapi.yml | 4 +++- .../compression/compress-data-via-zlib-inflate-or-deflate.yml | 4 +++- data-manipulation/compression/decompress-data-using-aplib.yml | 4 +++- data-manipulation/compression/decompress-data-using-lzo.yml | 4 +++- .../compression/decompress-data-using-quicklz.yml | 4 +++- data-manipulation/compression/decompress-data-using-ucl.yml | 4 +++- .../decompress-data-via-iencodingfilterfactory.yml | 4 +++- .../decode-data-using-base64-via-dword-translation-table.yml | 4 +++- .../encoding/base64/decode-data-using-base64-via-winapi.yml | 4 +++- .../encoding/base64/encode-data-using-base64-via-winapi.yml | 4 +++- .../encoding/base64/encode-data-using-base64.yml | 4 +++- data-manipulation/encoding/base64/reference-base64-string.yml | 4 +++- data-manipulation/encoding/xor/encode-data-using-xor.yml | 4 +++- .../aes/decrypt-data-using-aes-via-x86-extensions.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-via-dotnet.yml | 4 +++- .../encryption/aes/encrypt-data-using-aes-via-winapi.yml | 4 +++- .../encryption/aes/manually-build-aes-constants.yml | 4 +++- .../encryption/aes/use-dotnet-library-encryptdecryptutils.yml | 4 +++- .../encryption/blowfish/encrypt-data-using-blowfish.yml | 4 +++- .../encryption/camellia/encrypt-data-using-camellia.yml | 4 +++- .../encryption/create-new-key-via-cryptacquirecontext.yml | 4 +++- .../encryption/des/encrypt-data-using-des-via-winapi.yml | 4 +++- data-manipulation/encryption/des/encrypt-data-using-des.yml | 4 +++- .../encryption/dpapi/encrypt-data-using-dpapi.yml | 4 +++- .../elliptic-curve/encrypt-data-using-curve25519.yml | 4 +++- .../encryption/encrypt-data-using-memfrob-from-glibc.yml | 4 +++- .../encryption/encrypt-or-decrypt-via-wincrypt.yml | 4 +++- .../get-outbound-credentials-handle-via-credssp.yml | 4 +++- .../hc-128/encrypt-data-using-hc-128-via-wolfssl.yml | 4 +++- .../encryption/hc-128/encrypt-data-using-hc-128.yml | 4 +++- data-manipulation/encryption/import-public-key.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-ksa.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-prga.yml | 4 +++- .../encryption/rc4/encrypt-data-using-rc4-via-winapi.yml | 4 +++- .../rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml | 4 +++- data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml | 4 +++- data-manipulation/encryption/rsa/reference-public-rsa-key.yml | 4 +++- .../encryption/skipjack/encrypt-data-using-skipjack.yml | 4 +++- .../encryption/sosemanuk/encrypt-data-using-sosemanuk.yml | 4 +++- data-manipulation/encryption/tea/decrypt-data-using-tea.yml | 4 +++- data-manipulation/encryption/tea/encrypt-data-using-tea.yml | 4 +++- .../encryption/twofish/encrypt-data-using-twofish.yml | 4 +++- data-manipulation/encryption/vest/encrypt-data-using-vest.yml | 4 +++- data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml | 4 +++- .../encryption/xxtea/encrypt-data-using-xxtea.yml | 4 +++- data-manipulation/hashing/djb2/hash-data-using-djb2.yml | 4 +++- data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 4 +++- data-manipulation/hashing/hash-data-via-wincrypt.yml | 4 +++- data-manipulation/hashing/md5/hash-data-with-md5.yml | 4 +++- data-manipulation/hashing/murmur/hash-data-using-murmur3.yml | 4 +++- data-manipulation/hashing/sha1/hash-data-using-sha1.yml | 4 +++- data-manipulation/hashing/sha224/hash-data-using-sha224.yml | 4 +++- data-manipulation/hashing/sha256/hash-data-using-sha256.yml | 4 +++- data-manipulation/hashing/sha384/hash-data-using-sha384.yml | 4 +++- data-manipulation/hashing/sha512/hash-data-using-sha512.yml | 4 +++- data-manipulation/hashing/tiger/hash-data-using-tiger.yml | 4 +++- data-manipulation/hmac/authenticate-hmac.yml | 4 +++- data-manipulation/json/use-dotnet-library-newtonsoftjson.yml | 4 +++- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 4 +++- data-manipulation/prng/generate-random-numbers-via-winapi.yml | 4 +++- .../generate-random-numbers-using-a-mersenne-twister.yml | 4 +++- data-manipulation/svg/use-dotnet-library-sharpvectors.yml | 4 +++- .../dotnet/packaged-as-single-file-dotnet-application.yml | 4 +++- .../packaged-as-an-iexpress-self-extracting-archive.yml | 4 +++- .../inno-setup/packaged-as-an-inno-setup-installer.yml | 4 +++- executable/pe/export/forwarded-export.yml | 4 +++- executable/pe/pdb/contains-pdb-path.yml | 4 +++- .../tls/contain-a-thread-local-storage-tls-section.yml | 4 +++- executable/resource/access-dotnet-resource.yml | 4 +++- .../embed-dependencies-as-resources-using-fodycostura.yml | 4 +++- .../resource/extract-resource-via-kernel32-functions.yml | 4 +++- executable/subfile/pe/contain-an-embedded-pe-file.yml | 4 +++- host-interaction/bootloader/disable-code-signing.yml | 4 +++- host-interaction/bootloader/get-uefi-variable.yml | 4 +++- host-interaction/bootloader/manipulate-boot-configuration.yml | 4 +++- host-interaction/bootloader/manipulate-safe-mode-programs.yml | 4 +++- host-interaction/bootloader/set-uefi-variable.yml | 4 +++- host-interaction/cli/accept-command-line-arguments.yml | 4 +++- host-interaction/cli/resolve-path-using-msvcrt.yml | 4 +++- host-interaction/clipboard/open-clipboard.yml | 4 +++- host-interaction/clipboard/read-clipboard-data.yml | 4 +++- host-interaction/clipboard/write-clipboard-data.yml | 4 +++- host-interaction/console/manipulate-console-buffer.yml | 4 +++- host-interaction/driver/create-device-object.yml | 4 +++- host-interaction/driver/disable-driver-code-integrity.yml | 4 +++- host-interaction/driver/install-driver.yml | 4 +++- .../driver/interact-with-driver-via-control-codes.yml | 4 +++- .../environment-variable/get-comspec-environment-variable.yml | 4 +++- .../environment-variable/query-environment-variable.yml | 4 +++- .../environment-variable/set-environment-variable.yml | 4 +++- host-interaction/file-system/bypass-mark-of-the-web.yml | 4 +++- .../file-system/change-file-permission-on-linux.yml | 4 +++- host-interaction/file-system/copy/copy-file.yml | 4 +++- .../file-system/create-virtual-file-system-in-dotnet.yml | 4 +++- host-interaction/file-system/create/create-directory.yml | 4 +++- host-interaction/file-system/delete/delete-directory.yml | 4 +++- host-interaction/file-system/delete/delete-file.yml | 4 +++- host-interaction/file-system/exists/check-if-file-exists.yml | 4 +++- .../file-system/files/list/enumerate-files-on-linux.yml | 4 +++- .../file-system/files/list/enumerate-files-on-windows.yml | 4 +++- .../file-system/files/list/enumerate-files-recursively.yml | 4 +++- host-interaction/file-system/get-common-file-path.yml | 4 +++- .../file-system/get-file-system-object-information.yml | 4 +++- host-interaction/file-system/get-program-files-directory.yml | 4 +++- .../get-windows-directory-from-kuser_shared_data.yml | 4 +++- host-interaction/file-system/meta/get-file-attributes.yml | 4 +++- host-interaction/file-system/meta/get-file-size.yml | 4 +++- host-interaction/file-system/meta/get-file-version-info.yml | 4 +++- host-interaction/file-system/meta/set-file-attributes.yml | 4 +++- host-interaction/file-system/move/move-file.yml | 4 +++- host-interaction/file-system/read/read-file-on-linux.yml | 4 +++- host-interaction/file-system/read/read-file-on-windows.yml | 4 +++- host-interaction/file-system/read/read-file-via-mapping.yml | 4 +++- host-interaction/file-system/read/read-ini-file.yml | 4 +++- host-interaction/file-system/read/read-virtual-disk.yml | 4 +++- .../file-system/reference-absolute-stream-path-on-windows.yml | 4 +++- .../bypass-windows-file-protection.yml | 4 +++- host-interaction/file-system/write/write-file-on-linux.yml | 4 +++- host-interaction/file-system/write/write-file-on-windows.yml | 4 +++- host-interaction/filter/enumerate-minifilter-drivers.yml | 4 +++- host-interaction/filter/register-minifilter-driver.yml | 4 +++- host-interaction/filter/start-minifilter-driver.yml | 4 +++- .../modify/access-firewall-settings-via-inetfwmgr.yml | 4 +++- host-interaction/gui/console/set-console-window-title.yml | 4 +++- host-interaction/gui/enumerate-gui-resources.yml | 4 +++- host-interaction/gui/logon/references-logon-banner.yml | 4 +++- host-interaction/gui/session/lock/lock-the-desktop.yml | 4 +++- .../gui/session/wallpaper/change-the-wallpaper.yml | 4 +++- host-interaction/gui/set-application-hook.yml | 4 +++- host-interaction/gui/switch-active-desktop.yml | 4 +++- host-interaction/gui/taskbar/find/find-taskbar.yml | 4 +++- .../gui/taskbar/hide/hide-the-windows-taskbar.yml | 4 +++- host-interaction/gui/window/find/find-graphical-window.yml | 4 +++- .../gui/window/get-text/get-graphical-window-text.yml | 4 +++- host-interaction/gui/window/hide/hide-graphical-window.yml | 4 +++- host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml | 4 +++- host-interaction/hardware/cpu/get-cpu-information.yml | 4 +++- .../hardware/cpu/get-number-of-processor-cores.yml | 4 +++- host-interaction/hardware/cpu/get-number-of-processors.yml | 4 +++- host-interaction/hardware/enumerate-devices-by-category.yml | 4 +++- host-interaction/hardware/keyboard/get-keyboard-layout.yml | 4 +++- host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml | 4 +++- host-interaction/hardware/memory/get-memory-capacity.yml | 4 +++- host-interaction/hardware/memory/get-memory-information.yml | 4 +++- host-interaction/hardware/mouse/swap-mouse-buttons.yml | 4 +++- .../hardware/storage/enumerate-disk-properties.yml | 4 +++- host-interaction/hardware/storage/get-disk-information.yml | 4 +++- host-interaction/hardware/storage/get-disk-size.yml | 4 +++- .../log/clfs/read-data-from-clfs-log-container.yml | 4 +++- .../log/debug/write-event/print-debug-messages.yml | 4 +++- .../log/winevt/access/access-the-windows-event-log.yml | 4 +++- .../memory/create-new-application-domain-in-dotnet.yml | 4 +++- host-interaction/mutex/check-mutex-and-exit.yml | 4 +++- host-interaction/mutex/check-mutex.yml | 4 +++- host-interaction/mutex/create-mutex.yml | 4 +++- host-interaction/mutex/create-semaphore-on-linux.yml | 4 +++- host-interaction/mutex/lock-file.yml | 4 +++- host-interaction/mutex/lock-semaphore-on-linux.yml | 4 +++- host-interaction/mutex/unlock-semaphore-on-linux.yml | 4 +++- host-interaction/network/address/get-local-ipv4-addresses.yml | 4 +++- .../connectivity/check-internet-connectivity-via-wininet.yml | 4 +++- .../network/connectivity/set-tcp-connection-state.yml | 4 +++- .../network/domain/enumerate-domain-computers-via-ldap.yml | 4 +++- .../network/domain/get-domain-controller-name.yml | 4 +++- host-interaction/network/domain/get-domain-information.yml | 4 +++- .../network/interface/get-networking-interfaces.yml | 4 +++- .../network/traffic/copy/copy-network-traffic.yml | 4 +++- .../traffic/filter/register-network-filter-via-wfp-api.yml | 4 +++- host-interaction/os/hostname/get-hostname.yml | 4 +++- .../os/info/get-system-information-on-windows.yml | 4 +++- host-interaction/os/shutdown-system.yml | 4 +++- host-interaction/os/version/check-os-version.yml | 4 +++- host-interaction/os/version/get-kernel-version.yml | 4 +++- host-interaction/os/version/get-linux-distribution.yml | 4 +++- host-interaction/process/allocate-thread-local-storage.yml | 4 +++- .../create-a-process-with-modified-io-handles-and-window.yml | 4 +++- host-interaction/process/create/create-process-on-linux.yml | 4 +++- host-interaction/process/create/create-process-on-windows.yml | 4 +++- host-interaction/process/create/create-process-suspended.yml | 4 +++- host-interaction/process/create/execute-command.yml | 4 +++- .../process/dump/create-process-memory-minidump.yml | 4 +++- host-interaction/process/get-process-heap-flags.yml | 4 +++- host-interaction/process/get-process-heap-force-flags.yml | 4 +++- host-interaction/process/inject/allocate-rwx-memory.yml | 4 +++- .../process/inject/allocate-user-process-rwx-memory.yml | 4 +++- .../process/inject/attach-user-process-memory.yml | 4 +++- host-interaction/process/inject/free-user-process-memory.yml | 4 +++- host-interaction/process/inject/hijack-thread-execution.yml | 4 +++- host-interaction/process/inject/inject-apc.yml | 4 +++- host-interaction/process/inject/inject-dll.yml | 4 +++- host-interaction/process/inject/inject-pe.yml | 4 +++- .../inject/inject-shellcode-using-a-file-mapping-object.yml | 4 +++- .../inject/inject-shellcode-using-extra-window-memory.yml | 4 +++- .../inject-shellcode-using-window-subclass-procedure.yml | 4 +++- host-interaction/process/inject/inject-thread.yml | 4 +++- .../process/inject/use-process-doppelg\303\244nging.yml" | 4 +++- host-interaction/process/inject/use-process-replacement.yml | 4 +++- .../enumerate-processes-on-remote-desktop-session-host.yml | 4 +++- .../list/enumerate-processes-via-ntquerysysteminformation.yml | 4 +++- host-interaction/process/list/enumerate-processes.yml | 4 +++- host-interaction/process/list/find-process-by-pid.yml | 4 +++- host-interaction/process/list/get-explorer-pid.yml | 4 +++- host-interaction/process/map-section-object.yml | 4 +++- host-interaction/process/modify/acquire-debug-privileges.yml | 4 +++- host-interaction/process/modify/modify-access-privileges.yml | 4 +++- .../process/modules/list/enumerate-process-modules.yml | 4 +++- host-interaction/process/set-thread-local-storage-value.yml | 4 +++- .../process/terminate/terminate-process-via-kill.yml | 4 +++- host-interaction/process/terminate/terminate-process.yml | 4 +++- host-interaction/recycle-bin/empty-recycle-bin-quietly.yml | 4 +++- .../create-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/registry/create/set-registry-value.yml | 4 +++- host-interaction/registry/delete/delete-registry-key.yml | 4 +++- host-interaction/registry/delete/delete-registry-value.yml | 4 +++- .../open-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/registry/query-or-enumerate-registry-key.yml | 4 +++- .../registry/query-or-enumerate-registry-value.yml | 4 +++- .../query-registry-key-via-offline-registry-library.yml | 4 +++- .../set-registry-key-via-offline-registry-library.yml | 4 +++- host-interaction/service/continue-service.yml | 4 +++- host-interaction/service/create/create-service.yml | 4 +++- host-interaction/service/delete/delete-service.yml | 4 +++- host-interaction/service/list/enumerate-services.yml | 4 +++- host-interaction/service/modify/modify-service.yml | 4 +++- host-interaction/service/pause-service.yml | 4 +++- host-interaction/service/query-service-configuration.yml | 4 +++- host-interaction/service/query-service-status.yml | 4 +++- host-interaction/service/run-as-service.yml | 4 +++- host-interaction/service/start/start-service.yml | 4 +++- host-interaction/service/stop/stop-service.yml | 4 +++- host-interaction/session/get-current-user-on-linux.yml | 4 +++- host-interaction/session/get-logon-sessions.yml | 4 +++- host-interaction/session/get-session-integrity-level.yml | 4 +++- host-interaction/session/get-session-user-name.yml | 4 +++- host-interaction/session/get-token-membership.yml | 4 +++- host-interaction/session/get-user-security-identifier.yml | 4 +++- host-interaction/software/get-installed-programs.yml | 4 +++- host-interaction/thread/create/create-thread.yml | 4 +++- host-interaction/thread/list/enumerate-threads.yml | 4 +++- host-interaction/thread/resume/resume-thread.yml | 4 +++- host-interaction/thread/suspend/suspend-thread.yml | 4 +++- host-interaction/thread/terminate/terminate-thread.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml | 4 +++- host-interaction/uac/bypass/bypass-uac-via-rpc.yml | 4 +++- .../uac/bypass/bypass-uac-via-token-manipulation.yml | 4 +++- .../wmi/connect-to-wmi-namespace-via-wbemlocator.yml | 4 +++- .../inhibit-system-recovery/delete-volume-shadow-copies.yml | 4 +++- .../wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml | 4 +++- .../limitation/file/internal-autohotkey-file-limitation.yml | 4 +++- internal/limitation/file/internal-autoit-file-limitation.yml | 4 +++- .../limitation/file/internal-installer-file-limitation.yml | 4 +++- internal/limitation/file/internal-packer-file-limitation.yml | 4 +++- .../limitation/file/internal-visual-basic-file-limitation.yml | 4 +++- lib/allocate-memory.yml | 4 +++- lib/allocate-rw-memory.yml | 4 +++- lib/calculate-modulo-256-via-x86-assembly.yml | 4 +++- lib/contain-loop.yml | 4 +++- lib/contain-pusha-popa-sequence.yml | 4 +++- lib/create-or-open-file.yml | 4 +++- lib/create-or-open-registry-key.yml | 4 +++- lib/create-or-open-section-object.yml | 4 +++- lib/delay-execution.yml | 4 +++- lib/duplicate-stdin-and-stdout.yml | 4 +++- lib/get-os-version.yml | 4 +++- lib/get-service-handle.yml | 4 +++- lib/open-process.yml | 4 +++- lib/open-thread.yml | 4 +++- lib/peb-access.yml | 4 +++- ...ent-card-number-using-luhn-algorithm-with-lookup-table.yml | 4 +++- ...-card-number-using-luhn-algorithm-with-no-lookup-table.yml | 4 +++- lib/write-process-memory.yml | 4 +++- linking/runtime-linking/access-peb-ldr_data.yml | 4 +++- linking/runtime-linking/get-kernel32-base-address.yml | 4 +++- linking/runtime-linking/get-ntdll-base-address.yml | 4 +++- .../runtime-linking/link-function-at-runtime-on-windows.yml | 4 +++- linking/runtime-linking/link-many-functions-at-runtime.yml | 4 +++- .../resolve-function-by-brute-ratel-badger-hash.yml | 4 +++- linking/runtime-linking/resolve-function-by-fin8-fasthash.yml | 4 +++- linking/static/aplib/linked-against-aplib.yml | 4 +++- linking/static/cryptopp/linked-against-crypto.yml | 4 +++- linking/static/libcurl/linked-against-libcurl.yml | 4 +++- linking/static/linked-against-cpp-standard-library.yml | 4 +++- linking/static/msdetours/linked-against-microsoft-detours.yml | 4 +++- linking/static/openssl/linked-against-openssl.yml | 4 +++- linking/static/polarssl/linked-against-polarsslmbed-tls.yml | 4 +++- linking/static/sqlite3/linked-against-cppsqlite3.yml | 4 +++- linking/static/sqlite3/linked-against-sqlite3.yml | 4 +++- linking/static/wolfcrypt/linked-against-wolfcrypt.yml | 4 +++- linking/static/wolfssl/linked-against-wolfssl.yml | 4 +++- linking/static/zlib/linked-against-zlib.yml | 4 +++- load-code/dotnet/load-windows-common-language-runtime.yml | 4 +++- .../execute-vbscript-javascript-or-jscript-in-memory.yml | 4 +++- load-code/pe/access-pe-header.yml | 4 +++- load-code/pe/enumerate-pe-sections.yml | 4 +++- load-code/pe/inject-dll-reflectively.yml | 4 +++- load-code/pe/inspect-section-memory-permissions.yml | 4 +++- load-code/pe/parse-pe-header.yml | 4 +++- load-code/pe/rebuild-import-table.yml | 4 +++- load-code/pe/resolve-function-by-parsing-pe-exports.yml | 4 +++- load-code/powershell/run-powershell-expression.yml | 4 +++- load-code/shellcode/execute-shellcode-via-copyfile2.yml | 4 +++- .../shellcode/execute-shellcode-via-createthreadpoolwait.yml | 4 +++- .../execute-shellcode-via-windows-callback-function.yml | 4 +++- load-code/shellcode/execute-shellcode-via-windows-fibers.yml | 4 +++- load-code/shellcode/spawn-thread-to-rwx-shellcode.yml | 4 +++- malware-family/plugx/match-known-plugx-module.yml | 4 +++- nursery/access-wmi-data-in-dotnet.yml | 4 +++- nursery/add-file-to-cabinet-file.yml | 4 +++- nursery/add-user-account-group.yml | 4 +++- nursery/add-user-account-to-group.yml | 4 +++- nursery/add-user-account.yml | 4 +++- nursery/add-value-to-global-atom-table.yml | 4 +++- nursery/allocate-unmanaged-memory-in-dotnet.yml | 4 +++- nursery/append-data-to-clfs-log-container.yml | 4 +++- nursery/authenticate-data-with-md5-mac.yml | 4 +++- nursery/build-docker-image.yml | 4 +++- .../bypass-uac-via-scheduled-task-environment-variable.yml | 4 +++- nursery/capture-network-configuration-via-ifconfig.yml | 4 +++- nursery/capture-process-snapshot-data.yml | 4 +++- nursery/capture-screenshot-in-go.yml | 4 +++- nursery/capture-webcam-video.yml | 4 +++- nursery/change-user-account-password.yml | 4 +++- nursery/check-clipboard-data.yml | 4 +++- nursery/check-file-extension-in-dotnet.yml | 4 +++- nursery/check-for-minimum-number-of-windows-on-screen.yml | 4 +++- nursery/check-for-process-debug-object.yml | 4 +++- nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml | 4 +++- nursery/check-for-vm-using-instruction-vpcext.yml | 4 +++- nursery/check-for-windows-sandbox-via-mutex.yml | 4 +++- nursery/check-for-windows-sandbox-via-subdirectory.yml | 4 +++- nursery/check-if-directory-exists.yml | 4 +++- nursery/check-license-value.yml | 4 +++- nursery/check-processdebugflags.yml | 4 +++- nursery/check-systemkerneldebuggerinformation.yml | 4 +++- nursery/check-thread-yield-allowed.yml | 4 +++- nursery/clear-clipboard-data.yml | 4 +++- nursery/collect-ssh-keys.yml | 4 +++- ...unicate-with-kernel-module-via-netlink-socket-on-linux.yml | 4 +++- nursery/compare-security-identifiers.yml | 4 +++- nursery/compile-csharp-in-dotnet.yml | 4 +++- nursery/compile-dotnet-assembly.yml | 4 +++- nursery/compile-visual-basic-in-dotnet.yml | 4 +++- nursery/compiled-from-epl.yml | 4 +++- nursery/compiled-with-exescript.yml | 4 +++- nursery/compress-data-using-gzip-in-dotnet.yml | 4 +++- nursery/connect-network-resource.yml | 4 +++- .../contain-a-thread-local-storage-tls-section-in-dotnet.yml | 4 +++- ...d-write-data-to-windows-directory-using-indirect-calls.yml | 4 +++- nursery/create-container.yml | 4 +++- nursery/create-process-via-wmi-in-dotnet.yml | 4 +++- nursery/create-registry-key-via-stdregprov.yml | 4 +++- nursery/create-restart-manager-session.yml | 4 +++- nursery/create-zip-archive-in-dotnet.yml | 4 +++- nursery/debug-build.yml | 4 +++- nursery/decode-data-using-base64-in-dotnet.yml | 4 +++- nursery/decode-data-using-url-encoding.yml | 4 +++- nursery/decrypt-data-using-rsa.yml | 4 +++- nursery/decrypt-data-via-sspi.yml | 4 +++- nursery/delete-internet-cache.yml | 4 +++- nursery/delete-registry-key-via-offline-registry-library.yml | 4 +++- nursery/delete-registry-key-via-stdregprov.yml | 4 +++- nursery/delete-registry-value-via-stdregprov.yml | 4 +++- nursery/delete-user-account-from-group.yml | 4 +++- nursery/delete-user-account-group.yml | 4 +++- nursery/delete-user-account.yml | 4 +++- nursery/delete-windows-backup-catalog.yml | 4 +++- nursery/deserialize-json-in-dotnet.yml | 4 +++- nursery/destroy-software-breakpoint-capability.yml | 4 +++- nursery/disable-automatic-windows-recovery-features.yml | 4 +++- nursery/display-service-notification-message-box.yml | 4 +++- nursery/empty-the-recycle-bin.yml | 4 +++- nursery/enable-safe-mode-boot.yml | 4 +++- nursery/encrypt-data-using-aes-via-x86-extensions.yml | 4 +++- nursery/encrypt-data-using-aes.yml | 4 +++- nursery/encrypt-data-using-fakem-cipher.yml | 4 +++- nursery/encrypt-data-using-openssl-dsa.yml | 4 +++- nursery/encrypt-data-using-openssl-ecdsa.yml | 4 +++- nursery/encrypt-data-using-openssl-rsa.yml | 4 +++- nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 4 +++- nursery/encrypt-data-using-rsa.yml | 4 +++- nursery/encrypt-data-using-salsa20-or-chacha.yml | 4 +++- nursery/encrypt-data-via-sspi.yml | 4 +++- nursery/encrypt-or-decrypt-data-via-bcrypt.yml | 4 +++- nursery/enumerate-browser-history.yml | 4 +++- nursery/enumerate-device-drivers-on-linux.yml | 4 +++- nursery/enumerate-device-drivers-on-windows.yml | 4 +++- nursery/enumerate-disk-volumes.yml | 4 +++- nursery/enumerate-drives.yml | 4 +++- nursery/enumerate-internet-cache.yml | 4 +++- nursery/enumerate-network-shares.yml | 4 +++- nursery/enumerate-pe-sections-in-dotnet.yml | 4 +++- nursery/enumerate-processes-that-use-resource.yml | 4 +++- nursery/enumerate-processes-via-procfs.yml | 4 +++- nursery/enumerate-system-firmware-tables.yml | 4 +++- nursery/execute-dotnet-assembly.yml | 4 +++- .../execute-shell-command-via-windows-remote-management.yml | 4 +++- nursery/execute-shellcode-via-indirect-call.yml | 4 +++- nursery/execute-sqlite-statement-in-dotnet.yml | 4 +++- nursery/execute-syscall-instruction.yml | 4 +++- nursery/execute-via-asynchronous-task-in-dotnet.yml | 4 +++- nursery/execute-via-timer-in-dotnet.yml | 4 +++- nursery/extract-zip-archive-in-dotnet.yml | 4 +++- nursery/find-data-using-regex-in-dotnet.yml | 4 +++- nursery/find-process-by-name.yml | 4 +++- nursery/flush-cabinet-file.yml | 4 +++- nursery/generate-method-via-reflection-in-dotnet.yml | 4 +++- nursery/generate-random-bytes-in-dotnet.yml | 4 +++- nursery/generate-random-filename-in-dotnet.yml | 4 +++- nursery/generate-random-numbers-in-dotnet.yml | 4 +++- nursery/generate-random-numbers-using-the-delphi-lcg.yml | 4 +++- nursery/get-client-handle-via-schannel.yml | 4 +++- nursery/get-current-pid-on-linux.yml | 4 +++- nursery/get-file-system-information-on-linux.yml | 4 +++- nursery/get-http-request-uri.yml | 4 +++- nursery/get-inbound-credentials-handle-via-credssp.yml | 4 +++- nursery/get-mac-address-on-linux.yml | 4 +++- nursery/get-networking-parameters.yml | 4 +++- nursery/get-ntoskrnl-base-address.yml | 4 +++- nursery/get-os-information-via-kuser_shared_data.yml | 4 +++- nursery/get-os-version-in-dotnet.yml | 4 +++- nursery/get-password-database-entry-on-linux.yml | 4 +++- nursery/get-process-image-filename.yml | 4 +++- nursery/get-proxy.yml | 4 +++- nursery/get-remote-cert-context-via-schannel.yml | 4 +++- nursery/get-routing-table.yml | 4 +++- nursery/get-session-information.yml | 4 +++- nursery/get-socket-information.yml | 4 +++- nursery/get-storage-device-properties.yml | 4 +++- nursery/get-system-firmware-table.yml | 4 +++- nursery/get-system-information-on-linux.yml | 4 +++- nursery/get-system-web-proxy.yml | 4 +++- nursery/get-thread-local-storage-value.yml | 4 +++- nursery/get-token-privileges.yml | 4 +++- nursery/hash-data-using-aphash.yml | 4 +++- nursery/hash-data-using-crc32b.yml | 4 +++- nursery/hash-data-using-jshash.yml | 4 +++- nursery/hash-data-using-md4.yml | 4 +++- nursery/hash-data-using-murmur2.yml | 4 +++- nursery/hash-data-using-ripemd128.yml | 4 +++- nursery/hash-data-using-ripemd256.yml | 4 +++- nursery/hash-data-using-ripemd320.yml | 4 +++- nursery/hash-data-using-rshash.yml | 4 +++- nursery/hash-data-using-sha1-via-wincrypt.yml | 4 +++- nursery/hash-data-using-sha1-via-x86-extensions.yml | 4 +++- nursery/hash-data-using-sha256-via-x86-extensions.yml | 4 +++- nursery/hash-data-using-sha512managed-in-dotnet.yml | 4 +++- nursery/hash-data-using-whirlpool.yml | 4 +++- nursery/hash-data-via-bcrypt.yml | 4 +++- nursery/hook-routines-via-microsoft-detours.yml | 4 +++- nursery/hooked-by-api-override.yml | 4 +++- nursery/impersonate-user.yml | 4 +++- nursery/implement-com-dll.yml | 4 +++- nursery/initialize-hashing-via-wincrypt.yml | 4 +++- nursery/inspect-load-icon-resource.yml | 4 +++- nursery/interact-with-iptables.yml | 4 +++- nursery/invoke-dotnet-assembly-method.yml | 4 +++- nursery/link-function-at-runtime-on-linux.yml | 4 +++- nursery/linked-against-cpp-http-library.yml | 4 +++- nursery/linked-against-cpp-json-library.yml | 4 +++- nursery/linked-against-cpp-regex-library.yml | 4 +++- nursery/linked-against-go-process-enumeration-library.yml | 4 +++- nursery/linked-against-go-registry-library.yml | 4 +++- nursery/linked-against-go-static-asset-library.yml | 4 +++- nursery/linked-against-go-wmi-library.yml | 4 +++- nursery/linked-against-libsodium.yml | 4 +++- nursery/linked-against-xzip.yml | 4 +++- nursery/list-containers.yml | 4 +++- nursery/list-domain-servers.yml | 4 +++- nursery/list-drag-and-drop-files.yml | 4 +++- nursery/list-groups-for-user-account.yml | 4 +++- nursery/list-tcp-connections-and-listeners.yml | 4 +++- nursery/list-udp-connections-and-listeners.yml | 4 +++- nursery/list-user-account-groups.yml | 4 +++- nursery/list-user-accounts-for-group.yml | 4 +++- nursery/list-user-accounts.yml | 4 +++- nursery/listen-for-remote-procedure-calls.yml | 4 +++- nursery/load-dotnet-assembly.yml | 4 +++- nursery/load-xml-in-dotnet.yml | 4 +++- nursery/log-keystrokes-via-input-method-manager.yml | 4 +++- nursery/log-keystrokes-via-raw-input-data.yml | 4 +++- nursery/make-an-http-request-with-a-cookie.yml | 4 +++- nursery/manipulate-console-window.yml | 4 +++- nursery/manipulate-network-credentials-in-dotnet.yml | 4 +++- nursery/manipulate-unmanaged-memory-in-dotnet.yml | 4 +++- nursery/manipulate-user-privileges.yml | 4 +++- nursery/mark-thread-detached-on-linux.yml | 4 +++- nursery/migrate-process-to-active-window-station.yml | 4 +++- nursery/mixed-mode.yml | 4 +++- nursery/monitor-clipboard-content.yml | 4 +++- nursery/monitor-local-ipv4-address-changes.yml | 4 +++- nursery/move-directory.yml | 4 +++- nursery/obfuscated-with-koivm.yml | 4 +++- nursery/open-cabinet-file.yml | 4 +++- nursery/packaged-as-a-createinstall-installer.yml | 4 +++- nursery/packaged-as-a-nsis-installer.yml | 4 +++- nursery/packaged-as-a-pintool.yml | 4 +++- nursery/packaged-as-a-winzip-self-extracting-archive.yml | 4 +++- nursery/packaged-as-a-wise-installer.yml | 4 +++- nursery/packaged-as-an-installshield-installer.yml | 4 +++- nursery/packed-with-ccg.yml | 4 +++- nursery/packed-with-crunch.yml | 4 +++- nursery/packed-with-dragon-armor.yml | 4 +++- nursery/packed-with-enigma.yml | 4 +++- nursery/packed-with-epack.yml | 4 +++- nursery/packed-with-maskpe.yml | 4 +++- nursery/packed-with-mew.yml | 4 +++- nursery/packed-with-mpress.yml | 4 +++- nursery/packed-with-neolite.yml | 4 +++- nursery/packed-with-pepack.yml | 4 +++- nursery/packed-with-perplex.yml | 4 +++- nursery/packed-with-procrypt.yml | 4 +++- nursery/packed-with-rpcrypt.yml | 4 +++- nursery/packed-with-seausfx.yml | 4 +++- nursery/packed-with-shrinker.yml | 4 +++- nursery/packed-with-simple-pack.yml | 4 +++- nursery/packed-with-starforce.yml | 4 +++- nursery/packed-with-svkp.yml | 4 +++- nursery/packed-with-tsuloader.yml | 4 +++- nursery/packed-with-vprotect.yml | 4 +++- nursery/packed-with-wwpack.yml | 4 +++- nursery/parse-url.yml | 4 +++- nursery/persist-via-gnome-autostart-on-linux.yml | 4 +++- nursery/power-down-monitor.yml | 4 +++- nursery/prompt-user-for-credentials.yml | 4 +++- nursery/query-or-enumerate-registry-key-via-stdregprov.yml | 4 +++- nursery/query-or-enumerate-registry-value-via-stdregprov.yml | 4 +++- nursery/query-remote-server-for-available-data.yml | 4 +++- nursery/read-and-send-data-from-client-to-server.yml | 4 +++- nursery/read-process-memory.yml | 4 +++- nursery/read-raw-disk-data.yml | 4 +++- nursery/rebuilt-by-imprec.yml | 4 +++- nursery/receive-and-write-data-from-server-to-client.yml | 4 +++- nursery/reference-114dns-dns-server.yml | 4 +++- nursery/reference-aes-constants.yml | 4 +++- nursery/reference-alidns-dns-server.yml | 4 +++- nursery/reference-base58-string.yml | 4 +++- nursery/reference-cloudflare-dns-server.yml | 4 +++- nursery/reference-comodo-secure-dns-server.yml | 4 +++- nursery/reference-cryptocurrency-strings.yml | 4 +++- nursery/reference-google-public-dns-server.yml | 4 +++- nursery/reference-hurricane-electric-dns-server.yml | 4 +++- nursery/reference-kornet-dns-server.yml | 4 +++- nursery/reference-l3-dns-server.yml | 4 +++- nursery/reference-opendns-dns-server.yml | 4 +++- nursery/reference-processor-manufacturer-constants.yml | 4 +++- nursery/reference-quad9-dns-server.yml | 4 +++- nursery/reference-screen-saver-executable.yml | 4 +++- nursery/reference-startup-folder.yml | 4 +++- nursery/reference-the-vmware-io-port.yml | 4 +++- nursery/reference-verisign-dns-server.yml | 4 +++- nursery/register-http-server-url.yml | 4 +++- nursery/register-raw-input-devices.yml | 4 +++- nursery/resize-volume-shadow-copy-storage.yml | 4 +++- nursery/resolve-function-by-djb2-hash.yml | 4 +++- nursery/resolve-function-by-fnv-1a-hash.yml | 4 +++- nursery/resolve-function-by-hash.yml | 4 +++- nursery/run-in-container.yml | 4 +++- nursery/save-image-in-dotnet.yml | 4 +++- nursery/schedule-task-via-itaskservice.yml | 4 +++- nursery/search-for-credit-card-data.yml | 4 +++- nursery/send-data-to-internet.yml | 4 +++- nursery/send-email-in-dotnet.yml | 4 +++- nursery/send-http-request-with-host-header.yml | 4 +++- nursery/send-keystrokes.yml | 4 +++- nursery/send-request-in-dotnet.yml | 4 +++- nursery/send-sms-on-android.yml | 4 +++- nursery/serialize-json-in-dotnet.yml | 4 +++- nursery/set-current-directory.yml | 4 +++- nursery/set-global-application-hook.yml | 4 +++- nursery/set-http-cookie.yml | 4 +++- nursery/set-http-user-agent-in-dotnet.yml | 4 +++- nursery/set-registry-value-via-stdregprov.yml | 4 +++- nursery/set-thread-name-on-linux.yml | 4 +++- nursery/set-web-proxy-in-dotnet.yml | 4 +++- nursery/terminate-process-by-name-in-dotnet.yml | 4 +++- nursery/terminate-process-by-name.yml | 4 +++- nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml | 4 +++- nursery/unmanaged-call.yml | 4 +++- persistence/act-as-dhcp-server-callout-dll.yml | 4 +++- persistence/act-as-dns-server-plugin-dll.yml | 4 +++- .../authentication-process/act-as-credential-manager-dll.yml | 4 +++- .../authentication-process/act-as-password-filter-dll.yml | 4 +++- .../act-as-security-support-provider-dll.yml | 4 +++- .../act-as-subauthentication-package-dll.yml | 4 +++- persistence/create-shortcut-via-ishelllink.yml | 4 +++- persistence/exchange/act-as-exchange-transport-agent.yml | 4 +++- persistence/iis/persist-via-iis-module.yml | 4 +++- persistence/iis/persist-via-isapi-extension.yml | 4 +++- persistence/office/act-as-excel-xll-add-in.yml | 4 +++- persistence/office/act-as-office-com-add-in.yml | 4 +++- persistence/office/act-as-word-wll-add-in.yml | 4 +++- persistence/persist-via-desktop-autostart.yml | 4 +++- persistence/persist-via-shell-profile-or-rc-file.yml | 4 +++- .../disable-appinit_dlls-code-signature-enforcement.yml | 4 +++- .../appinitdlls/persist-via-appinit_dlls-registry-key.yml | 4 +++- .../registry/ginadll/persist-via-ginadll-registry-key.yml | 4 +++- .../registry/persist-via-active-setup-registry-key.yml | 4 +++- persistence/registry/run/persist-via-run-registry-key.yml | 4 +++- .../persist-via-winlogon-helper-dll-registry-key.yml | 4 +++- persistence/scheduled-tasks/schedule-task-via-at.yml | 4 +++- .../scheduled-tasks/schedule-task-via-itaskscheduler.yml | 4 +++- persistence/scheduled-tasks/schedule-task-via-schtasks.yml | 4 +++- persistence/service/persist-via-rc-script.yml | 4 +++- persistence/service/persist-via-windows-service.yml | 4 +++- persistence/startup-folder/get-startup-folder.yml | 4 +++- persistence/startup-folder/write-file-to-startup-folder.yml | 4 +++- runtime/dotnet/compiled-to-the-dotnet-platform.yml | 4 +++- runtime/dotnet/execute-via-dotnet-startup-hook.yml | 4 +++- .../diebold-nixdorf/load-diebold-nixdorf-atm-library.yml | 4 +++- .../diebold-nixdorf/reference-diebold-atm-routines.yml | 4 +++- .../identify-atm-dispenser-service-provider.yml | 4 +++- .../automated-teller-machine/ncr/load-ncr-atm-library.yml | 4 +++- .../ncr/reference-ncr-atm-library-routines.yml | 4 +++- targeting/language/identify-system-language-via-api.yml | 4 +++- 846 files changed, 2538 insertions(+), 846 deletions(-) diff --git a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml index 0ff303f81..ec75c1d2d 100644 --- a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml +++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-av authors: - jakub.jozwiak@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc: diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml index 9c7ffc69e..046ea442f 100644 --- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml +++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-av authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Virtual Machine Detection [B0009] - Anti-Behavioral Analysis::Sandbox Detection [B0007] diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml index 8edfa3fc0..f11e81d8c 100644 --- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml +++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-av authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006] mbc: diff --git a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml index e96604b2f..81ed21b8c 100644 --- a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml +++ b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-av authors: - jakub.jozwiak@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml index 86b4d7bdb..b6eef64cf 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002] - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031] diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml index a053a1731..af8632766 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope mbc: - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml index 8ff372a7a..d2bc2ee76 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml index 1fd5dc6bb..03726d770 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] examples: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml index ce30cc8c3..ebd309cf0 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml index c0fc48717..2779022ab 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml index 18bc29b2e..7748f0355 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml index 9e14035a9..bd9cdbfba 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml index ea7651c5a..49d9c71f0 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032] examples: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml index fe9520476..f1656e395 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033] examples: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml index c504d5bb3..b9dc24462 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml index e2bb60d8d..66dafe3b7 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml index 7f1439599..06f980d4b 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml index fc1cbc382..0e49e4792 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references: diff --git a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml index 857fedb5d..d9dfce8ef 100644 --- a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml +++ b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope mbc: - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034] examples: diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml index 7f50b0e22..8be6c5db9 100644 --- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml +++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc: diff --git a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml index 6cdac8faa..06370ec6c 100644 --- a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml +++ b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate) - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008] references: diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml index e22ec11a6..8b6770f88 100644 --- a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml +++ b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-disasm authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Anti-Static Analysis::Disassembler Evasion [B0012] examples: diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml index 7e3933f02..61e60213c 100644 --- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml +++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-emulation/wine authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml index 0b72f2ce2..0cb1a2fc6 100644 --- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml +++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-forensic/clear-logs authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] examples: diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml index 41f4e9fbf..1d7a9503a 100644 --- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml +++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-forensic authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] references: diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml index ccf77d086..02cc9e961 100644 --- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml +++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application. - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Indicator Removal [T1070] references: diff --git a/anti-analysis/anti-forensic/patch-process-command-line.yml b/anti-analysis/anti-forensic/patch-process-command-line.yml index 12a9f51d8..33c8e628b 100644 --- a/anti-analysis/anti-forensic/patch-process-command-line.yml +++ b/anti-analysis/anti-forensic/patch-process-command-line.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml index 0b0b75f14..0303b6c18 100644 --- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml +++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Indicator Removal::File Deletion [T1070.004] mbc: diff --git a/anti-analysis/anti-forensic/spoof-parent-pid.yml b/anti-analysis/anti-forensic/spoof-parent-pid.yml index 81e4cac36..6b1344d76 100644 --- a/anti-analysis/anti-forensic/spoof-parent-pid.yml +++ b/anti-analysis/anti-forensic/spoof-parent-pid.yml @@ -5,7 +5,9 @@ rule: namespace: anti-analysis/anti-forensic authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004] references: diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml index f5dfdf481..2041fc937 100644 --- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml +++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-forensic/timestomp authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Indicator Removal::Timestomp [T1070.006] examples: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml index 412bc98e2..1ff37e837 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml @@ -5,7 +5,9 @@ rule: authors: - ervin.ocampo@mandiant.com description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment. - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml index 0aaeadff1..e6d033e6d 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml index 50a2d18ae..5e57550ee 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - "echernofsky@google.com" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion [T1497] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml b/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml index 1fe948375..e9f398a81 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - BitsOfBinary - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml index 7a23ab587..bd4e132e4 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml index f3426eb51..563ccd180 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml index 9d1d548ae..aba4fb832 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml index f3fcb7116..1b42e3fcd 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml index a529a98d0..a6cbfbec2 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml index e19528ffe..2425a19a8 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml @@ -5,7 +5,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - anders.vejlby@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml index 56c830688..cba1a9eb5 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml @@ -5,7 +5,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - anders.vejlby@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml index 33cd55c2c..b25cc26bc 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml index c9ebbf58c..fe62a87d3 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml index 208f7fe5c..2c54cdddb 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml index d5dfab881..69fe0a33e 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml index 71b42490f..04cb942a9 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - "@johnk3r" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml index 04c9e58cf..3beb59be9 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml index b68d3f4b1..100d33574 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml index 547b7354c..9e803df0b 100644 --- a/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml index e664fe3ff..4c2588f6e 100644 --- a/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-babel-obfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml index 2426a94c2..35c4e0189 100644 --- a/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - johnk3r - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml index d93d12406..258eea3b0 100644 --- a/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-deepsea-obfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml index 1758eeff4..24db6603e 100644 --- a/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-dotfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml b/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml index a3412a291..d27b33fb5 100644 --- a/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml +++ b/anti-analysis/obfuscation/obfuscated-with-smartassembly.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml b/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml index 21ea9be4e..436e1780c 100644 --- a/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml +++ b/anti-analysis/obfuscation/obfuscated-with-spicesdotnet-obfuscator.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml b/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml index bd4329977..5e3fa94c0 100644 --- a/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml +++ b/anti-analysis/obfuscation/obfuscated-with-vs-obfuscation.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/obfuscated-with-yano.yml b/anti-analysis/obfuscation/obfuscated-with-yano.yml index ca1dbc27c..192729d20 100644 --- a/anti-analysis/obfuscation/obfuscated-with-yano.yml +++ b/anti-analysis/obfuscation/obfuscated-with-yano.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml index 9df3b4527..2c038c892 100644 --- a/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml +++ b/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation/string/stackstring authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] mbc: diff --git a/anti-analysis/packer/amber/packed-with-amber.yml b/anti-analysis/packer/amber/packed-with-amber.yml index 946dc2d73..806b6946b 100644 --- a/anti-analysis/packer/amber/packed-with-amber.yml +++ b/anti-analysis/packer/amber/packed-with-amber.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/amber authors: - "john.gorman@mandiant.com" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/aspack/packed-with-aspack.yml b/anti-analysis/packer/aspack/packed-with-aspack.yml index 8b2bb84a4..cf7382f99 100644 --- a/anti-analysis/packer/aspack/packed-with-aspack.yml +++ b/anti-analysis/packer/aspack/packed-with-aspack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/aspack authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/confuser/packed-with-confuser.yml b/anti-analysis/packer/confuser/packed-with-confuser.yml index 1139026fb..17cb62580 100644 --- a/anti-analysis/packer/confuser/packed-with-confuser.yml +++ b/anti-analysis/packer/confuser/packed-with-confuser.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/confuser authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml index 1a9258d74..ee6bbaa76 100644 --- a/anti-analysis/packer/generic/packed-with-generic-packer.yml +++ b/anti-analysis/packer/generic/packed-with-generic-packer.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/generic authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/gopacker/packed-with-gopacker.yml b/anti-analysis/packer/gopacker/packed-with-gopacker.yml index 47bc95c6d..2ece8830f 100644 --- a/anti-analysis/packer/gopacker/packed-with-gopacker.yml +++ b/anti-analysis/packer/gopacker/packed-with-gopacker.yml @@ -5,7 +5,9 @@ rule: authors: - jared.wilson@mandiant.com description: The sample appears to be packed with GoPacker. - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/huan/packed-with-huan.yml b/anti-analysis/packer/huan/packed-with-huan.yml index d3dbd44d3..f65622051 100644 --- a/anti-analysis/packer/huan/packed-with-huan.yml +++ b/anti-analysis/packer/huan/packed-with-huan.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/huan authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml b/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml index eabe63b76..4eabfa4a8 100644 --- a/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml +++ b/anti-analysis/packer/kkrunchy/packed-with-kkrunchy.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/kkrunchy authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/nspack/packed-with-nspack.yml b/anti-analysis/packer/nspack/packed-with-nspack.yml index c6070a7aa..9eab472a3 100644 --- a/anti-analysis/packer/nspack/packed-with-nspack.yml +++ b/anti-analysis/packer/nspack/packed-with-nspack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/nspack authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/pebundle/packed-with-pebundle.yml b/anti-analysis/packer/pebundle/packed-with-pebundle.yml index 9da8d71ac..68eefea0a 100644 --- a/anti-analysis/packer/pebundle/packed-with-pebundle.yml +++ b/anti-analysis/packer/pebundle/packed-with-pebundle.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/pebundle authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/pecompact/packed-with-pecompact.yml b/anti-analysis/packer/pecompact/packed-with-pecompact.yml index 0aff39449..a203b3d6b 100644 --- a/anti-analysis/packer/pecompact/packed-with-pecompact.yml +++ b/anti-analysis/packer/pecompact/packed-with-pecompact.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/pecompact authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml b/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml index 9a0377482..9a76a5fe7 100644 --- a/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml +++ b/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/pelocknt authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/peshield/packed-with-peshield.yml b/anti-analysis/packer/peshield/packed-with-peshield.yml index 2a8ee5deb..e76a283ea 100644 --- a/anti-analysis/packer/peshield/packed-with-peshield.yml +++ b/anti-analysis/packer/peshield/packed-with-peshield.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/peshield authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/pespin/packed-with-pespin.yml b/anti-analysis/packer/pespin/packed-with-pespin.yml index 9377a1510..7e3a5dc9e 100644 --- a/anti-analysis/packer/pespin/packed-with-pespin.yml +++ b/anti-analysis/packer/pespin/packed-with-pespin.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/pespin authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/petite/packed-with-petite.yml b/anti-analysis/packer/petite/packed-with-petite.yml index 82df3cc23..12dd911b6 100644 --- a/anti-analysis/packer/petite/packed-with-petite.yml +++ b/anti-analysis/packer/petite/packed-with-petite.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/petite authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/rlpack/packed-with-rlpack.yml b/anti-analysis/packer/rlpack/packed-with-rlpack.yml index b6cae30cb..3551dcd31 100644 --- a/anti-analysis/packer/rlpack/packed-with-rlpack.yml +++ b/anti-analysis/packer/rlpack/packed-with-rlpack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/rlpack authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/themida/packed-with-themida.yml b/anti-analysis/packer/themida/packed-with-themida.yml index 758a41f54..9320e4cba 100644 --- a/anti-analysis/packer/themida/packed-with-themida.yml +++ b/anti-analysis/packer/themida/packed-with-themida.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/themida authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/upack/packed-with-upack.yml b/anti-analysis/packer/upack/packed-with-upack.yml index e31c984b7..ea4420ebe 100644 --- a/anti-analysis/packer/upack/packed-with-upack.yml +++ b/anti-analysis/packer/upack/packed-with-upack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/upack authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/upx/packed-with-upx.yml b/anti-analysis/packer/upx/packed-with-upx.yml index ee87c947c..27396d097 100644 --- a/anti-analysis/packer/upx/packed-with-upx.yml +++ b/anti-analysis/packer/upx/packed-with-upx.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/upx authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml b/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml index 68ffb0932..edf1872a3 100644 --- a/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml +++ b/anti-analysis/packer/vmprotect/packed-with-vmprotect.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/vmprotect authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml b/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml index af95dd95c..bcc70ca68 100644 --- a/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml +++ b/anti-analysis/packer/y0da/packed-with-y0da-crypter.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/y0da authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/anti-analysis/reference-analysis-tools-strings.yml b/anti-analysis/reference-analysis-tools-strings.yml index b0e80c5c7..22624d9bc 100644 --- a/anti-analysis/reference-analysis-tools-strings.yml +++ b/anti-analysis/reference-analysis-tools-strings.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Discovery::Analysis Tool Discovery::Process detection [B0013.001] references: diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml index 73777b3b1..037697c00 100644 --- a/collection/acquire-credentials-from-windows-credential-manager.yml +++ b/collection/acquire-credentials-from-windows-credential-manager.yml @@ -5,7 +5,9 @@ rule: namespace: collection authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004] examples: diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml index a2020985b..7fa879acc 100644 --- a/collection/browser/gather-chrome-based-browser-login-information.yml +++ b/collection/browser/gather-chrome-based-browser-login-information.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - still@teamt5.org - scope: file + scopes: + static: file + dynamic: file att&ck: - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] examples: diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml index 6e268da2b..e60fae03a 100644 --- a/collection/browser/gather-firefox-profile-information.yml +++ b/collection/browser/gather-firefox-profile-information.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - still@teamt5.org - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] examples: diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml index cd551c621..3225d7b40 100644 --- a/collection/credit-card/parse-credit-card-information.yml +++ b/collection/credit-card/parse-credit-card-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/credit-card authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Check String [C0019] examples: diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml index 303f7e955..fb7daa570 100644 --- a/collection/database/sql/reference-sql-statements.yml +++ b/collection/database/sql/reference-sql-statements.yml @@ -4,7 +4,9 @@ rule: namespace: collection/database/sql authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Data from Information Repositories [T1213] examples: diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml index 6db0b12a1..18bbcf721 100644 --- a/collection/database/wmi/reference-wmi-statements.yml +++ b/collection/database/wmi/reference-wmi-statements.yml @@ -4,7 +4,9 @@ rule: namespace: collection/database/wmi authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Data from Information Repositories [T1213] examples: diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml index 1b2637510..183e7e6c6 100644 --- a/collection/file-managers/gather-3d-ftp-information.yml +++ b/collection/file-managers/gather-3d-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml index 0464e22bd..c177630d9 100644 --- a/collection/file-managers/gather-alftp-information.yml +++ b/collection/file-managers/gather-alftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml index f714b513b..610692a2a 100644 --- a/collection/file-managers/gather-bitkinex-information.yml +++ b/collection/file-managers/gather-bitkinex-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml index 900a14e0f..50c464f3c 100644 --- a/collection/file-managers/gather-blazeftp-information.yml +++ b/collection/file-managers/gather-blazeftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml index ddc4d2acb..eff43d32e 100644 --- a/collection/file-managers/gather-bulletproof-ftp-information.yml +++ b/collection/file-managers/gather-bulletproof-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml index bea23c3d6..9fa41274a 100644 --- a/collection/file-managers/gather-classicftp-information.yml +++ b/collection/file-managers/gather-classicftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml index 118827240..052fb224c 100644 --- a/collection/file-managers/gather-coreftp-information.yml +++ b/collection/file-managers/gather-coreftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml index 6bdb13fc6..78c21fd9b 100644 --- a/collection/file-managers/gather-cuteftp-information.yml +++ b/collection/file-managers/gather-cuteftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml index 9e2473e24..dd094e440 100644 --- a/collection/file-managers/gather-cyberduck-information.yml +++ b/collection/file-managers/gather-cyberduck-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml index bee5d1f79..30b4d1b87 100644 --- a/collection/file-managers/gather-direct-ftp-information.yml +++ b/collection/file-managers/gather-direct-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml index 6310f16d8..93e6ca5aa 100644 --- a/collection/file-managers/gather-directory-opus-information.yml +++ b/collection/file-managers/gather-directory-opus-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml index cadd077fc..0fec6df2d 100644 --- a/collection/file-managers/gather-expandrive-information.yml +++ b/collection/file-managers/gather-expandrive-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml index de98c2bf3..94d481207 100644 --- a/collection/file-managers/gather-faststone-browser-information.yml +++ b/collection/file-managers/gather-faststone-browser-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml index 3f699652b..3c210f019 100644 --- a/collection/file-managers/gather-fasttrack-ftp-information.yml +++ b/collection/file-managers/gather-fasttrack-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml index d6082f493..7ab79002c 100644 --- a/collection/file-managers/gather-ffftp-information.yml +++ b/collection/file-managers/gather-ffftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml index 6409b3aa4..9f9b48e2d 100644 --- a/collection/file-managers/gather-filezilla-information.yml +++ b/collection/file-managers/gather-filezilla-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml index 3f82c5a94..cfd1e836a 100644 --- a/collection/file-managers/gather-flashfxp-information.yml +++ b/collection/file-managers/gather-flashfxp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml index 266ea83a4..e09ac5ab4 100644 --- a/collection/file-managers/gather-fling-ftp-information.yml +++ b/collection/file-managers/gather-fling-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml index b77c089c4..74965be6b 100644 --- a/collection/file-managers/gather-freshftp-information.yml +++ b/collection/file-managers/gather-freshftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] examples: diff --git a/collection/file-managers/gather-frigate3-information.yml b/collection/file-managers/gather-frigate3-information.yml index 742233bfb..cd97ad7f0 100644 --- a/collection/file-managers/gather-frigate3-information.yml +++ b/collection/file-managers/gather-frigate3-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftp-commander-information.yml b/collection/file-managers/gather-ftp-commander-information.yml index 7bd8bc5eb..49f236baf 100644 --- a/collection/file-managers/gather-ftp-commander-information.yml +++ b/collection/file-managers/gather-ftp-commander-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftp-explorer-information.yml b/collection/file-managers/gather-ftp-explorer-information.yml index 96d06dbdb..7c4733dbd 100644 --- a/collection/file-managers/gather-ftp-explorer-information.yml +++ b/collection/file-managers/gather-ftp-explorer-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftp-voyager-information.yml b/collection/file-managers/gather-ftp-voyager-information.yml index e8c1405da..ee724d4c5 100644 --- a/collection/file-managers/gather-ftp-voyager-information.yml +++ b/collection/file-managers/gather-ftp-voyager-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftpgetter-information.yml b/collection/file-managers/gather-ftpgetter-information.yml index 3c4393346..3a2412b7d 100644 --- a/collection/file-managers/gather-ftpgetter-information.yml +++ b/collection/file-managers/gather-ftpgetter-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftpinfo-information.yml b/collection/file-managers/gather-ftpinfo-information.yml index 0008e9e39..e3fbfe1bc 100644 --- a/collection/file-managers/gather-ftpinfo-information.yml +++ b/collection/file-managers/gather-ftpinfo-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftpnow-information.yml b/collection/file-managers/gather-ftpnow-information.yml index d2b21bcb0..5e3fe7045 100644 --- a/collection/file-managers/gather-ftpnow-information.yml +++ b/collection/file-managers/gather-ftpnow-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] examples: diff --git a/collection/file-managers/gather-ftprush-information.yml b/collection/file-managers/gather-ftprush-information.yml index 117a9e802..9fbb52929 100644 --- a/collection/file-managers/gather-ftprush-information.yml +++ b/collection/file-managers/gather-ftprush-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ftpshell-information.yml b/collection/file-managers/gather-ftpshell-information.yml index 136a8e5fd..50ff8d90b 100644 --- a/collection/file-managers/gather-ftpshell-information.yml +++ b/collection/file-managers/gather-ftpshell-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-global-downloader-information.yml b/collection/file-managers/gather-global-downloader-information.yml index 9ed4df526..bc3ee4469 100644 --- a/collection/file-managers/gather-global-downloader-information.yml +++ b/collection/file-managers/gather-global-downloader-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-goftp-information.yml b/collection/file-managers/gather-goftp-information.yml index 3462abb3c..c9766053e 100644 --- a/collection/file-managers/gather-goftp-information.yml +++ b/collection/file-managers/gather-goftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-leapftp-information.yml b/collection/file-managers/gather-leapftp-information.yml index 92d696286..425d76676 100644 --- a/collection/file-managers/gather-leapftp-information.yml +++ b/collection/file-managers/gather-leapftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] examples: diff --git a/collection/file-managers/gather-netdrive-information.yml b/collection/file-managers/gather-netdrive-information.yml index 1b875e136..652e2a1e7 100644 --- a/collection/file-managers/gather-netdrive-information.yml +++ b/collection/file-managers/gather-netdrive-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-nexusfile-information.yml b/collection/file-managers/gather-nexusfile-information.yml index 06254cc58..971078177 100644 --- a/collection/file-managers/gather-nexusfile-information.yml +++ b/collection/file-managers/gather-nexusfile-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-nova-ftp-information.yml b/collection/file-managers/gather-nova-ftp-information.yml index 09d81b662..d6ef16233 100644 --- a/collection/file-managers/gather-nova-ftp-information.yml +++ b/collection/file-managers/gather-nova-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] examples: diff --git a/collection/file-managers/gather-robo-ftp-information.yml b/collection/file-managers/gather-robo-ftp-information.yml index 74fb146e1..c35cef851 100644 --- a/collection/file-managers/gather-robo-ftp-information.yml +++ b/collection/file-managers/gather-robo-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-securefx-information.yml b/collection/file-managers/gather-securefx-information.yml index 594631043..90f4a390d 100644 --- a/collection/file-managers/gather-securefx-information.yml +++ b/collection/file-managers/gather-securefx-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-smart-ftp-information.yml b/collection/file-managers/gather-smart-ftp-information.yml index dff32f4a6..abefbdbfb 100644 --- a/collection/file-managers/gather-smart-ftp-information.yml +++ b/collection/file-managers/gather-smart-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-softx-ftp-information.yml b/collection/file-managers/gather-softx-ftp-information.yml index 22c507a9e..e785cfd7b 100644 --- a/collection/file-managers/gather-softx-ftp-information.yml +++ b/collection/file-managers/gather-softx-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-southriver-webdrive-information.yml b/collection/file-managers/gather-southriver-webdrive-information.yml index 5197b0903..7bb733d87 100644 --- a/collection/file-managers/gather-southriver-webdrive-information.yml +++ b/collection/file-managers/gather-southriver-webdrive-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-staff-ftp-information.yml b/collection/file-managers/gather-staff-ftp-information.yml index 6ee5de75c..a4ed16d6b 100644 --- a/collection/file-managers/gather-staff-ftp-information.yml +++ b/collection/file-managers/gather-staff-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-total-commander-information.yml b/collection/file-managers/gather-total-commander-information.yml index e2256187a..a8375545e 100644 --- a/collection/file-managers/gather-total-commander-information.yml +++ b/collection/file-managers/gather-total-commander-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-turbo-ftp-information.yml b/collection/file-managers/gather-turbo-ftp-information.yml index 1c9b8473f..5ee2ebe9d 100644 --- a/collection/file-managers/gather-turbo-ftp-information.yml +++ b/collection/file-managers/gather-turbo-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ultrafxp-information.yml b/collection/file-managers/gather-ultrafxp-information.yml index dc0e57cdd..6476c708f 100644 --- a/collection/file-managers/gather-ultrafxp-information.yml +++ b/collection/file-managers/gather-ultrafxp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] examples: diff --git a/collection/file-managers/gather-winscp-information.yml b/collection/file-managers/gather-winscp-information.yml index 81152c90d..d6266afbb 100644 --- a/collection/file-managers/gather-winscp-information.yml +++ b/collection/file-managers/gather-winscp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-winzip-information.yml b/collection/file-managers/gather-winzip-information.yml index 59f79aad5..775f081d3 100644 --- a/collection/file-managers/gather-winzip-information.yml +++ b/collection/file-managers/gather-winzip-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-wise-ftp-information.yml b/collection/file-managers/gather-wise-ftp-information.yml index 2d80d3330..1cb33b96e 100644 --- a/collection/file-managers/gather-wise-ftp-information.yml +++ b/collection/file-managers/gather-wise-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-ws-ftp-information.yml b/collection/file-managers/gather-ws-ftp-information.yml index ce2c27b36..c6f3fbfb4 100644 --- a/collection/file-managers/gather-ws-ftp-information.yml +++ b/collection/file-managers/gather-ws-ftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/file-managers/gather-xftp-information.yml b/collection/file-managers/gather-xftp-information.yml index 484a27944..838fa9282 100644 --- a/collection/file-managers/gather-xftp-information.yml +++ b/collection/file-managers/gather-xftp-information.yml @@ -4,7 +4,9 @@ rule: namespace: collection/file-managers authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Credential Access::Credentials from Password Stores [T1555] references: diff --git a/collection/get-geographical-location.yml b/collection/get-geographical-location.yml index 35d9e78d1..761ba38f0 100644 --- a/collection/get-geographical-location.yml +++ b/collection/get-geographical-location.yml @@ -6,7 +6,9 @@ rule: authors: - moritz.raabe - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Location Discovery [T1614] examples: diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml index 867cfe5b3..f14212761 100644 --- a/collection/group-policy/discover-group-policy-via-gpresult.yml +++ b/collection/group-policy/discover-group-policy-via-gpresult.yml @@ -4,7 +4,9 @@ rule: namespace: collection/group-policy authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Group Policy Discovery [T1615] examples: diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml index 9f47b93ab..003425302 100644 --- a/collection/keylog/log-keystrokes-via-application-hook.yml +++ b/collection/keylog/log-keystrokes-via-application-hook.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Collection::Input Capture::Keylogging [T1056.001] mbc: diff --git a/collection/keylog/log-keystrokes-via-polling.yml b/collection/keylog/log-keystrokes-via-polling.yml index 3c1b6b955..301c91eae 100644 --- a/collection/keylog/log-keystrokes-via-polling.yml +++ b/collection/keylog/log-keystrokes-via-polling.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Input Capture::Keylogging [T1056.001] mbc: diff --git a/collection/keylog/log-keystrokes.yml b/collection/keylog/log-keystrokes.yml index 0853e2dd8..9caf9e255 100644 --- a/collection/keylog/log-keystrokes.yml +++ b/collection/keylog/log-keystrokes.yml @@ -4,7 +4,9 @@ rule: namespace: collection/keylog authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Input Capture::Keylogging [T1056.001] examples: diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml index f3cb212dc..a85996905 100644 --- a/collection/microphone/capture-microphone-audio.yml +++ b/collection/microphone/capture-microphone-audio.yml @@ -4,7 +4,9 @@ rule: namespace: collection/microphone authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Audio Capture [T1123] examples: diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml index ee6c87ac9..c7d0b18eb 100644 --- a/collection/network/capture-network-configuration-via-ipconfig.yml +++ b/collection/network/capture-network-configuration-via-ipconfig.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml index 853016008..4d8c60fcb 100644 --- a/collection/network/capture-packets-using-sharppcap.yml +++ b/collection/network/capture-packets-using-sharppcap.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Network Sniffing [T1040] references: diff --git a/collection/network/capture-public-ip.yml b/collection/network/capture-public-ip.yml index 5c00ad6bf..fa3fdea76 100644 --- a/collection/network/capture-public-ip.yml +++ b/collection/network/capture-public-ip.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/collection/network/get-domain-trust-relationships.yml b/collection/network/get-domain-trust-relationships.yml index d57f98027..9af3d1df5 100644 --- a/collection/network/get-domain-trust-relationships.yml +++ b/collection/network/get-domain-trust-relationships.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Domain Trust Discovery [T1482] examples: diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml index 3dc73645d..6ded3c61e 100644 --- a/collection/network/get-mac-address-on-windows.yml +++ b/collection/network/get-mac-address-on-windows.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - echernofsky@google.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/collection/password-manager/steal-keepass-passwords-using-keefarce.yml b/collection/password-manager/steal-keepass-passwords-using-keefarce.yml index e3f0bb491..b591e8a90 100644 --- a/collection/password-manager/steal-keepass-passwords-using-keefarce.yml +++ b/collection/password-manager/steal-keepass-passwords-using-keefarce.yml @@ -4,7 +4,9 @@ rule: namespace: collection/password-manager authors: - "@Ana06" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Credential Access::Credentials from Password Stores::Password Managers [T1555.005] references: diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml index 1f783513b..331f08f0d 100644 --- a/collection/screenshot/capture-screenshot-via-keybd-event.yml +++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml @@ -4,7 +4,9 @@ rule: namespace: collection/screenshot authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Collection::Screen Capture [T1113] mbc: diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml index fe9ef9e37..f3be19e37 100644 --- a/collection/screenshot/capture-screenshot.yml +++ b/collection/screenshot/capture-screenshot.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - "@_re_fox" - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Collection::Screen Capture [T1113] mbc: diff --git a/collection/use-dotnet-library-sharpclipboard.yml b/collection/use-dotnet-library-sharpclipboard.yml index 8e881a36a..d70687972 100644 --- a/collection/use-dotnet-library-sharpclipboard.yml +++ b/collection/use-dotnet-library-sharpclipboard.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Collection::Clipboard Data [T1115] mbc: diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml index 173baa0bf..6a6e7bd89 100644 --- a/collection/webcam/capture-webcam-image.yml +++ b/collection/webcam/capture-webcam-image.yml @@ -4,7 +4,9 @@ rule: namespace: collection/webcam authors: - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Collection::Video Capture [T1125] examples: diff --git a/communication/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml index f78cc532a..0f361abe4 100644 --- a/communication/c2/file-transfer/download-and-write-a-file.yml +++ b/communication/c2/file-transfer/download-and-write-a-file.yml @@ -5,7 +5,9 @@ rule: maec/malware-category: downloader authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Command and Control::Ingress Tool Transfer [T1105] mbc: diff --git a/communication/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml index aed75a191..ba5a12e5b 100644 --- a/communication/c2/file-transfer/write-and-execute-a-file.yml +++ b/communication/c2/file-transfer/write-and-execute-a-file.yml @@ -5,7 +5,9 @@ rule: maec/malware-category: launcher authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Execution::Install Additional Program [B0023] examples: diff --git a/communication/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml index 0ed07655f..d1e99a580 100644 --- a/communication/c2/shell/create-reverse-shell-on-linux.yml +++ b/communication/c2/shell/create-reverse-shell-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] mbc: diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml index a6748b36e..9414f56ad 100644 --- a/communication/c2/shell/create-reverse-shell.yml +++ b/communication/c2/shell/create-reverse-shell.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] mbc: diff --git a/communication/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml index 1653efcaf..3cf6338c6 100644 --- a/communication/c2/shell/execute-shell-command-and-capture-output.yml +++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] references: diff --git a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml index f8b7688ed..45ef9dccb 100644 --- a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml +++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/shell authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] examples: diff --git a/communication/dns/reference-dns-over-https-endpoints.yml b/communication/dns/reference-dns-over-https-endpoints.yml index 1a82e4f46..c25544145 100644 --- a/communication/dns/reference-dns-over-https-endpoints.yml +++ b/communication/dns/reference-dns-over-https-endpoints.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - markus.neis@swisscom.com / @markus_neis - scope: file + scopes: + static: file + dynamic: file mbc: - Communication::DNS Communication::Server Connect [C0011.002] references: diff --git a/communication/dns/resolve-dns.yml b/communication/dns/resolve-dns.yml index ff86f9d1a..09b1a8e89 100644 --- a/communication/dns/resolve-dns.yml +++ b/communication/dns/resolve-dns.yml @@ -7,7 +7,9 @@ rule: - johnk3r - joakim@intezer.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::DNS Communication::Resolve [C0011.001] examples: diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml index a0903f86f..bf1b6d0ae 100644 --- a/communication/ftp/send/send-file-using-ftp.yml +++ b/communication/ftp/send/send-file-using-ftp.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Communication::FTP Communication::Send File [C0004.001] - Communication::FTP Communication::WinINet [C0004.002] diff --git a/communication/http/client/check-http-status-code.yml b/communication/http/client/check-http-status-code.yml index c1d74ab2f..c3bb62a15 100644 --- a/communication/http/client/check-http-status-code.yml +++ b/communication/http/client/check-http-status-code.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Communication::HTTP Communication::Read Header [C0002.014] examples: diff --git a/communication/http/client/connect-to-http-server.yml b/communication/http/client/connect-to-http-server.yml index a679d89ef..3177a88b3 100644 --- a/communication/http/client/connect-to-http-server.yml +++ b/communication/http/client/connect-to-http-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Connect to Server [C0002.009] examples: diff --git a/communication/http/client/connect-to-url.yml b/communication/http/client/connect-to-url.yml index 076d063bc..9b6b34a63 100644 --- a/communication/http/client/connect-to-url.yml +++ b/communication/http/client/connect-to-url.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Open URL [C0002.004] examples: diff --git a/communication/http/client/create-bits-job.yml b/communication/http/client/create-bits-job.yml index a63f85de2..966f40c44 100644 --- a/communication/http/client/create-bits-job.yml +++ b/communication/http/client/create-bits-job.yml @@ -6,7 +6,9 @@ rule: authors: - "@mr-tz" description: BITS jobs can be used to download data or achieve persistence (via SetNotifyCmdLine) - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::BITS Jobs [T1197] - Persistence::BITS Jobs [T1197] diff --git a/communication/http/client/create-http-request.yml b/communication/http/client/create-http-request.yml index 3ce2e5633..f86d66993 100644 --- a/communication/http/client/create-http-request.yml +++ b/communication/http/client/create-http-request.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Create Request [C0002.012] examples: diff --git a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml index 4d50aba6c..752556560 100644 --- a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml +++ b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/download-url.yml b/communication/http/client/download-url.yml index 27e3147df..b15c46c25 100644 --- a/communication/http/client/download-url.yml +++ b/communication/http/client/download-url.yml @@ -6,7 +6,9 @@ rule: - matthew.williams@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Download URL [C0002.006] examples: diff --git a/communication/http/client/extract-http-body.yml b/communication/http/client/extract-http-body.yml index 25b03b4aa..bf7a7f10f 100644 --- a/communication/http/client/extract-http-body.yml +++ b/communication/http/client/extract-http-body.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Communication::HTTP Communication::Extract Body [C0002.011] references: diff --git a/communication/http/client/get-http-document-via-iwebbrowser2.yml b/communication/http/client/get-http-document-via-iwebbrowser2.yml index 14a26ac74..f39722142 100644 --- a/communication/http/client/get-http-document-via-iwebbrowser2.yml +++ b/communication/http/client/get-http-document-via-iwebbrowser2.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Get Response [C0002.017] - Communication::HTTP Communication::IWebBrowser [C0002.010] diff --git a/communication/http/client/get-http-response-content-encoding.yml b/communication/http/client/get-http-response-content-encoding.yml index 0dd996d58..af83f7e07 100644 --- a/communication/http/client/get-http-response-content-encoding.yml +++ b/communication/http/client/get-http-response-content-encoding.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/prepare-http-request.yml b/communication/http/client/prepare-http-request.yml index 904ab80eb..d4c5c2731 100644 --- a/communication/http/client/prepare-http-request.yml +++ b/communication/http/client/prepare-http-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Create Request [C0002.012] examples: diff --git a/communication/http/client/read-data-from-internet.yml b/communication/http/client/read-data-from-internet.yml index da502cafe..e4b0e415d 100644 --- a/communication/http/client/read-data-from-internet.yml +++ b/communication/http/client/read-data-from-internet.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml index fb8d080b3..ccabd60dc 100644 --- a/communication/http/client/receive-http-response.yml +++ b/communication/http/client/receive-http-response.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Get Response [C0002.017] examples: diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml index c6038f8ae..2598901b2 100644 --- a/communication/http/client/send-file-via-http.yml +++ b/communication/http/client/send-file-via-http.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Send Data [C0002.005] examples: diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml index 164bcfe20..988afec74 100644 --- a/communication/http/client/send-http-request.yml +++ b/communication/http/client/send-http-request.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::HTTP Communication::Send Request [C0002.003] examples: diff --git a/communication/http/get-http-content-length.yml b/communication/http/get-http-content-length.yml index 666121769..2f55ea338 100644 --- a/communication/http/get-http-content-length.yml +++ b/communication/http/get-http-content-length.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication [C0002] examples: diff --git a/communication/http/initialize-iwebbrowser2.yml b/communication/http/initialize-iwebbrowser2.yml index 03c5ecfe7..f976ca60f 100644 --- a/communication/http/initialize-iwebbrowser2.yml +++ b/communication/http/initialize-iwebbrowser2.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Communication::HTTP Communication::IWebBrowser [C0002.010] references: diff --git a/communication/http/initialize-winhttp-library.yml b/communication/http/initialize-winhttp-library.yml index a58b6d9f8..1bdd70939 100644 --- a/communication/http/initialize-winhttp-library.yml +++ b/communication/http/initialize-winhttp-library.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::WinHTTP [C0002.008] examples: diff --git a/communication/http/read-http-header.yml b/communication/http/read-http-header.yml index f9ecd0b98..478410f5c 100644 --- a/communication/http/read-http-header.yml +++ b/communication/http/read-http-header.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Communication::HTTP Communication::Read Header [C0002.014] examples: diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml index 672dd614b..c35d20856 100644 --- a/communication/http/reference-http-user-agent-string.yml +++ b/communication/http/reference-http-user-agent-string.yml @@ -5,7 +5,9 @@ rule: namespace: communication/http authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Communication::HTTP Communication [C0002] references: diff --git a/communication/http/server/receive-http-request.yml b/communication/http/server/receive-http-request.yml index 404957723..15fe28119 100644 --- a/communication/http/server/receive-http-request.yml +++ b/communication/http/server/receive-http-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/server authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Receive Request [C0002.015] examples: diff --git a/communication/http/server/send-http-response.yml b/communication/http/server/send-http-response.yml index 14495c4b6..ea42ae433 100644 --- a/communication/http/server/send-http-response.yml +++ b/communication/http/server/send-http-response.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/server authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Send Response [C0002.016] examples: diff --git a/communication/http/server/start-http-server.yml b/communication/http/server/start-http-server.yml index 7bfe1e0a8..c6fe087cb 100644 --- a/communication/http/server/start-http-server.yml +++ b/communication/http/server/start-http-server.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::HTTP Communication::Start Server [C0002.018] examples: diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml index 8a669336e..dbb295b36 100644 --- a/communication/http/set-http-header.yml +++ b/communication/http/set-http-header.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Communication::HTTP Communication::Set Header [C0002.013] examples: diff --git a/communication/icmp/send-icmp-echo-request.yml b/communication/icmp/send-icmp-echo-request.yml index b8dbf7613..31a777d7c 100644 --- a/communication/icmp/send-icmp-echo-request.yml +++ b/communication/icmp/send-icmp-echo-request.yml @@ -4,7 +4,9 @@ rule: namespace: communication/icmp authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::ICMP Communication::Echo Request [C0014.002] references: diff --git a/communication/ip/convert-ip-address-from-string.yml b/communication/ip/convert-ip-address-from-string.yml index 0a00e2fe1..ab5fce36f 100644 --- a/communication/ip/convert-ip-address-from-string.yml +++ b/communication/ip/convert-ip-address-from-string.yml @@ -5,7 +5,9 @@ rule: namespace: communication/ip authors: - "@mr-tz" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead examples: - 0796F1C1EA0A142FC1EB7109A44C86CB:0x405D20 features: diff --git a/communication/mailslot/create-mailslot.yml b/communication/mailslot/create-mailslot.yml index 9f9f69017..8cf723f3f 100644 --- a/communication/mailslot/create-mailslot.yml +++ b/communication/mailslot/create-mailslot.yml @@ -4,7 +4,9 @@ rule: namespace: communication/mailslot authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication [C0003] references: diff --git a/communication/mailslot/read-from-mailslot.yml b/communication/mailslot/read-from-mailslot.yml index 2e3090104..25b72f130 100644 --- a/communication/mailslot/read-from-mailslot.yml +++ b/communication/mailslot/read-from-mailslot.yml @@ -4,7 +4,9 @@ rule: namespace: communication/mailslot authors: - nick.simonian@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication [C0003] references: diff --git a/communication/named-pipe/connect/connect-pipe.yml b/communication/named-pipe/connect/connect-pipe.yml index 117b4dd37..6164eae81 100644 --- a/communication/named-pipe/connect/connect-pipe.yml +++ b/communication/named-pipe/connect/connect-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Connect Pipe [C0003.002] examples: diff --git a/communication/named-pipe/create/create-pipe.yml b/communication/named-pipe/create/create-pipe.yml index c0b687989..de26e7c93 100644 --- a/communication/named-pipe/create/create-pipe.yml +++ b/communication/named-pipe/create/create-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Create Pipe [C0003.001] examples: diff --git a/communication/named-pipe/create/create-two-anonymous-pipes.yml b/communication/named-pipe/create/create-two-anonymous-pipes.yml index 42ec62a29..3a0ae45d0 100644 --- a/communication/named-pipe/create/create-two-anonymous-pipes.yml +++ b/communication/named-pipe/create/create-two-anonymous-pipes.yml @@ -4,7 +4,9 @@ rule: namespace: communication/named-pipe/create authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Create Pipe [C0003.001] examples: diff --git a/communication/named-pipe/read/read-pipe.yml b/communication/named-pipe/read/read-pipe.yml index 21e7e0cc4..6347df841 100644 --- a/communication/named-pipe/read/read-pipe.yml +++ b/communication/named-pipe/read/read-pipe.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output. - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Interprocess Communication::Read Pipe [C0003.003] examples: diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml index 60a179e67..d2f437f93 100644 --- a/communication/named-pipe/write/write-pipe.yml +++ b/communication/named-pipe/write/write-pipe.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::Interprocess Communication::Write Pipe [C0003.004] examples: diff --git a/communication/receive-data.yml b/communication/receive-data.yml index c914b56b3..aee7acecf 100644 --- a/communication/receive-data.yml +++ b/communication/receive-data.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: all known techniques for receiving data from a potential C2 server - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Command and Control::C2 Communication::Receive Data [B0030.002] examples: diff --git a/communication/send-data.yml b/communication/send-data.yml index d0bcb9ec3..e180750fb 100644 --- a/communication/send-data.yml +++ b/communication/send-data.yml @@ -6,7 +6,9 @@ rule: - william.ballenthin@mandiant.com - joakim@intezer.com description: all known techniques for sending data to a potential C2 server - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Command and Control::C2 Communication::Send Data [B0030.001] examples: diff --git a/communication/socket/create-raw-socket.yml b/communication/socket/create-raw-socket.yml index 4e5185b94..c86bc40b3 100644 --- a/communication/socket/create-raw-socket.yml +++ b/communication/socket/create-raw-socket.yml @@ -5,7 +5,9 @@ rule: namespace: communication/socket authors: - blas.kojusner@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::Socket Communication::Create Socket [C0001.003] references: diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml index 784fe3a5d..ae86d995b 100644 --- a/communication/socket/create-vmci-socket.yml +++ b/communication/socket/create-vmci-socket.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - jakub.jozwiak@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::Socket Communication::Create Socket [C0001.003] references: diff --git a/communication/socket/get-socket-status.yml b/communication/socket/get-socket-status.yml index 01f849fdc..42456e028 100644 --- a/communication/socket/get-socket-status.yml +++ b/communication/socket/get-socket-status.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] mbc: diff --git a/communication/socket/initialize-winsock-library.yml b/communication/socket/initialize-winsock-library.yml index 31e3b46cc..2f53f1edc 100644 --- a/communication/socket/initialize-winsock-library.yml +++ b/communication/socket/initialize-winsock-library.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Socket Communication::Initialize Winsock Library [C0001.009] examples: diff --git a/communication/socket/receive/receive-data-on-socket.yml b/communication/socket/receive/receive-data-on-socket.yml index 556df036a..1225efea3 100644 --- a/communication/socket/receive/receive-data-on-socket.yml +++ b/communication/socket/receive/receive-data-on-socket.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Socket Communication::Receive Data [C0001.006] examples: diff --git a/communication/socket/send/send-data-on-socket.yml b/communication/socket/send/send-data-on-socket.yml index dd876cfd0..05ecb3c55 100644 --- a/communication/socket/send/send-data-on-socket.yml +++ b/communication/socket/send/send-data-on-socket.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Socket Communication::Send Data [C0001.007] examples: diff --git a/communication/socket/set-socket-configuration.yml b/communication/socket/set-socket-configuration.yml index 624f5a7f0..45e3fef42 100644 --- a/communication/socket/set-socket-configuration.yml +++ b/communication/socket/set-socket-configuration.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Socket Communication::Set Socket Config [C0001.001] examples: diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml index 17e597e60..e64337f60 100644 --- a/communication/socket/tcp/connect-tcp-socket.yml +++ b/communication/socket/tcp/connect-tcp-socket.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::Socket Communication::Connect Socket [C0001.004] examples: diff --git a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml index 4c1b1c30f..8da6e92ac 100644 --- a/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml +++ b/communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket/tcp authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Communication::Socket Communication::Create TCP Socket [C0001.011] references: diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml index 070e22f4f..58f277032 100644 --- a/communication/socket/tcp/create-tcp-socket.yml +++ b/communication/socket/tcp/create-tcp-socket.yml @@ -6,7 +6,9 @@ rule: - william.ballenthin@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Communication::Socket Communication::Create TCP Socket [C0001.011] examples: diff --git a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml index c49460ad8..7790dd89e 100644 --- a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml +++ b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml @@ -5,7 +5,9 @@ rule: authors: - jonathan.lepore@mandiant.com description: The TransmitPackets function transmits in-memory data or file data over a connected socket. The TransmitPackets function uses the operating system cache manager to retrieve file data, locking memory for the minimum time required to transmit and resulting in efficient, high-performance transmission. - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope mbc: - Communication::Socket Communication::Send TCP Data [C0001.014] references: diff --git a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml index 9ee59420f..a409c5834 100644 --- a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml +++ b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket/tcp/send authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Communication::Socket Communication::Send TCP Data [C0001.014] examples: diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml index f51b639bf..ab0ae7e3c 100644 --- a/communication/socket/udp/send/create-udp-socket.yml +++ b/communication/socket/udp/send/create-udp-socket.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::Socket Communication::Create UDP Socket [C0001.010] examples: diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml index 1757a3c90..ddf82a40c 100644 --- a/communication/tcp/client/act-as-tcp-client.yml +++ b/communication/tcp/client/act-as-tcp-client.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::Socket Communication::TCP Client [C0001.008] examples: diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml index f1a07a75b..23a4fc0bb 100644 --- a/communication/tcp/serve/start-tcp-server.yml +++ b/communication/tcp/serve/start-tcp-server.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Communication::Socket Communication::Start TCP Server [C0001.005] examples: diff --git a/compiler/autohotkey/compiled-with-autohotkey.yml b/compiler/autohotkey/compiled-with-autohotkey.yml index a4f1a683c..14c719b54 100644 --- a/compiler/autohotkey/compiled-with-autohotkey.yml +++ b/compiler/autohotkey/compiled-with-autohotkey.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/autohotkey authors: - awillia2@cisco.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Command and Scripting Interpreter [T1059] references: diff --git a/compiler/autoit/compiled-with-autoit.yml b/compiler/autoit/compiled-with-autoit.yml index 24b0c1a28..a9b5be674 100644 --- a/compiler/autoit/compiled-with-autoit.yml +++ b/compiler/autoit/compiled-with-autoit.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/autoit authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Command and Scripting Interpreter [T1059] references: diff --git a/compiler/cx_freeze/compiled-with-cx_freeze.yml b/compiler/cx_freeze/compiled-with-cx_freeze.yml index bb5689e1e..c14e78153 100644 --- a/compiler/cx_freeze/compiled-with-cx_freeze.yml +++ b/compiler/cx_freeze/compiled-with-cx_freeze.yml @@ -5,7 +5,9 @@ rule: authors: - "@mr-tz" - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Command and Scripting Interpreter::Python [T1059.006] - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] diff --git a/compiler/d/compiled-with-dmd.yml b/compiler/d/compiled-with-dmd.yml index af7a01ffd..88a57328f 100644 --- a/compiler/d/compiled-with-dmd.yml +++ b/compiler/d/compiled-with-dmd.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/d authors: - "@_re_fox" - scope: file + scopes: + static: file + dynamic: file references: - https://github.com/dlang/dmd examples: diff --git a/compiler/delphi/compiled-with-borland-delphi.yml b/compiler/delphi/compiled-with-borland-delphi.yml index 7b0a5decc..0ecf28a0d 100644 --- a/compiler/delphi/compiled-with-borland-delphi.yml +++ b/compiler/delphi/compiled-with-borland-delphi.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file examples: - 4BDD67FF852C221112337FECD0681EAC features: diff --git a/compiler/exe4j/compiled-with-exe4j.yml b/compiler/exe4j/compiled-with-exe4j.yml index a193fd0ee..d6290b7f9 100644 --- a/compiler/exe4j/compiled-with-exe4j.yml +++ b/compiler/exe4j/compiled-with-exe4j.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/exe4j authors: - johnk3r - scope: file + scopes: + static: file + dynamic: file examples: - 6b25f1e754ef486bbb28a66d46bababe:0x404EDE features: diff --git a/compiler/go/compiled-with-go.yml b/compiler/go/compiled-with-go.yml index 5e35e9f76..12d70d35e 100644 --- a/compiler/go/compiled-with-go.yml +++ b/compiler/go/compiled-with-go.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/go authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - 49a34cfbeed733c24392c9217ef46bb6 features: diff --git a/compiler/mingw/compiled-with-mingw-for-windows.yml b/compiler/mingw/compiled-with-mingw-for-windows.yml index 34f677621..560a14913 100644 --- a/compiler/mingw/compiled-with-mingw-for-windows.yml +++ b/compiler/mingw/compiled-with-mingw-for-windows.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/mingw authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - 5b3968b47eb16a1cb88525e3b565eab1 features: diff --git a/compiler/nim/compiled-with-nim.yml b/compiler/nim/compiled-with-nim.yml index bd82dbe66..928f6e8f4 100644 --- a/compiler/nim/compiled-with-nim.yml +++ b/compiler/nim/compiled-with-nim.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/nim authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - 580c37831fe98a254eb6c61c692c70d8.exe_ features: diff --git a/compiler/nuitka/compiled-with-nuitka.yml b/compiler/nuitka/compiled-with-nuitka.yml index 5953a6bbe..933a7043b 100644 --- a/compiler/nuitka/compiled-with-nuitka.yml +++ b/compiler/nuitka/compiled-with-nuitka.yml @@ -5,7 +5,9 @@ rule: authors: - "@williballenthin" - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file examples: - 39ce034911a6ebd482af5893f9bdbd95 features: diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml index 3900292cd..60791b563 100644 --- a/compiler/perl2exe/compiled-with-perl2exe.yml +++ b/compiler/perl2exe/compiled-with-perl2exe.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/perl2exe authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope examples: - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9 features: diff --git a/compiler/ps2exe/compiled-with-ps2exe.yml b/compiler/ps2exe/compiled-with-ps2exe.yml index fdf8812cf..2e04e31ff 100644 --- a/compiler/ps2exe/compiled-with-ps2exe.yml +++ b/compiler/ps2exe/compiled-with-ps2exe.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://github.com/ikarstein/ps2exe - https://github.com/MScholtes/PS2EXE diff --git a/compiler/py2exe/compiled-with-py2exe.yml b/compiler/py2exe/compiled-with-py2exe.yml index 88debc2fa..7d096c846 100644 --- a/compiler/py2exe/compiled-with-py2exe.yml +++ b/compiler/py2exe/compiled-with-py2exe.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/py2exe authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead examples: - ed888dc2f04f5eac83d6d14088d002de:0x40194A features: diff --git a/compiler/pyarmor/compiled-with-pyarmor.yml b/compiler/pyarmor/compiled-with-pyarmor.yml index 5f174c807..76aff3fe1 100644 --- a/compiler/pyarmor/compiled-with-pyarmor.yml +++ b/compiler/pyarmor/compiled-with-pyarmor.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/pyarmor authors: - "@stvemillertime, @itreallynick" - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Command and Scripting Interpreter::Python [T1059.006] - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] diff --git a/compiler/rust/compiled-with-rust.yml b/compiler/rust/compiled-with-rust.yml index 0d61cf450..8a6cebcd2 100644 --- a/compiler/rust/compiled-with-rust.yml +++ b/compiler/rust/compiled-with-rust.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - c3341b7dfbb9d43bca8c812e07b4299f:0x45F490 features: diff --git a/compiler/v/compiled-with-v.yml b/compiler/v/compiled-with-v.yml index b7df07d46..6a6c645b0 100644 --- a/compiler/v/compiled-with-v.yml +++ b/compiler/v/compiled-with-v.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/v authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://vlang.io - https://github.com/vlang/v diff --git a/compiler/vb/compiled-from-visual-basic.yml b/compiler/vb/compiled-from-visual-basic.yml index 75077783d..ee3242b64 100644 --- a/compiler/vb/compiled-from-visual-basic.yml +++ b/compiler/vb/compiled-from-visual-basic.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/vb authors: - "@williballenthin" - scope: file + scopes: + static: file + dynamic: file examples: - 9bca6b99e7981208af4c7925b96fb9cf features: diff --git a/compiler/zig/compiled-with-zig.yml b/compiler/zig/compiled-with-zig.yml index 3ff240efd..d36e03dc0 100644 --- a/compiler/zig/compiled-with-zig.yml +++ b/compiler/zig/compiled-with-zig.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/zig authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://ziglang.org - https://github.com/ziglang/zig diff --git a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml b/data-manipulation/checksum/adler32/compute-adler32-checksum.yml index 111338dae..0fc4632a2 100644 --- a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml +++ b/data-manipulation/checksum/adler32/compute-adler32-checksum.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/checksum/adler32 authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Checksum::Adler [C0032.005] references: diff --git a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml index d8a9a623c..d2a94204d 100644 --- a/data-manipulation/checksum/crc32/hash-data-with-crc32.yml +++ b/data-manipulation/checksum/crc32/hash-data-with-crc32.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/checksum/crc32 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Checksum::CRC32 [C0032.001] examples: diff --git a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml index 494d9bf1d..392015c2d 100644 --- a/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml +++ b/data-manipulation/checksum/luhn/validate-payment-card-number-using-luhn-algorithm.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/checksum/luhn authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Data::Checksum::Luhn [C0032.002] examples: diff --git a/data-manipulation/compression/compress-data-using-lzo.yml b/data-manipulation/compression/compress-data-using-lzo.yml index 8f82579e7..f16c75171 100644 --- a/data-manipulation/compression/compress-data-using-lzo.yml +++ b/data-manipulation/compression/compress-data-using-lzo.yml @@ -6,7 +6,9 @@ rule: - david@edeca.net - david.cannings@pwc.com description: detects the compression routine from LZO - scope: function + scopes: + static: function + dynamic: thread mbc: - Data::Compress Data [C0024] references: diff --git a/data-manipulation/compression/compress-data-via-winapi.yml b/data-manipulation/compression/compress-data-via-winapi.yml index be953f263..3fad47530 100644 --- a/data-manipulation/compression/compress-data-via-winapi.yml +++ b/data-manipulation/compression/compress-data-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/compression authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Archive Collected Data::Archive via Library [T1560.002] mbc: diff --git a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml index f6d36ea11..0cec4d7f8 100644 --- a/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml +++ b/data-manipulation/compression/compress-data-via-zlib-inflate-or-deflate.yml @@ -5,7 +5,9 @@ rule: namespace: data-manipulation/compression authors: - blas.kojusner@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Data::Compress Data [C0024] references: diff --git a/data-manipulation/compression/decompress-data-using-aplib.yml b/data-manipulation/compression/decompress-data-using-aplib.yml index 59949e6e8..6a102f855 100644 --- a/data-manipulation/compression/decompress-data-using-aplib.yml +++ b/data-manipulation/compression/decompress-data-using-aplib.yml @@ -7,7 +7,9 @@ rule: - moritz.raabe@mandiant.com - cdong49@gatech.edu description: detects decompression function of library aPLib - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Data::Decompress Data::aPLib [C0025.003] references: diff --git a/data-manipulation/compression/decompress-data-using-lzo.yml b/data-manipulation/compression/decompress-data-using-lzo.yml index 1383cf59b..bf02eba25 100644 --- a/data-manipulation/compression/decompress-data-using-lzo.yml +++ b/data-manipulation/compression/decompress-data-using-lzo.yml @@ -6,7 +6,9 @@ rule: - david@edeca.net - david.cannings@pwc.com description: detects the decompression routine from LZO - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Decompress Data [C0025] references: diff --git a/data-manipulation/compression/decompress-data-using-quicklz.yml b/data-manipulation/compression/decompress-data-using-quicklz.yml index a9cb92cd1..2f13c2428 100644 --- a/data-manipulation/compression/decompress-data-using-quicklz.yml +++ b/data-manipulation/compression/decompress-data-using-quicklz.yml @@ -5,7 +5,9 @@ rule: authors: - david@edeca.net description: detects the inner decompression loop from QuickLZ - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Decompress Data::QuickLZ [C0025.001] references: diff --git a/data-manipulation/compression/decompress-data-using-ucl.yml b/data-manipulation/compression/decompress-data-using-ucl.yml index 024616235..16c546a68 100644 --- a/data-manipulation/compression/decompress-data-using-ucl.yml +++ b/data-manipulation/compression/decompress-data-using-ucl.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/compression authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Data::Decompress Data [C0025] references: diff --git a/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml b/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml index e12a2d6e6..9ffafe646 100644 --- a/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml +++ b/data-manipulation/compression/decompress-data-via-iencodingfilterfactory.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/compression authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Data::Decompress Data::IEncodingFilterFactory [C0025.002] references: diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml index 877f551c0..1ef79d893 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml @@ -5,7 +5,9 @@ rule: authors: - gilbert.elliot@mandiant.com - sara.rincon@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml index da46668e6..fc8bda56e 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/base64 authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] examples: diff --git a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml index e35c3832c..a17a081bd 100644 --- a/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml +++ b/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/base64 authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] examples: diff --git a/data-manipulation/encoding/base64/encode-data-using-base64.yml b/data-manipulation/encoding/base64/encode-data-using-base64.yml index 582fd51b6..2978cfede 100644 --- a/data-manipulation/encoding/base64/encode-data-using-base64.yml +++ b/data-manipulation/encoding/base64/encode-data-using-base64.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encoding/base64/reference-base64-string.yml b/data-manipulation/encoding/base64/reference-base64-string.yml index 7713d1df0..b1eb67f22 100644 --- a/data-manipulation/encoding/base64/reference-base64-string.yml +++ b/data-manipulation/encoding/base64/reference-base64-string.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/base64 authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encoding/xor/encode-data-using-xor.yml b/data-manipulation/encoding/xor/encode-data-using-xor.yml index b96be1417..4f0ada50d 100644 --- a/data-manipulation/encoding/xor/encode-data-using-xor.yml +++ b/data-manipulation/encoding/xor/encode-data-using-xor.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/xor authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml b/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml index f2c0164fd..5cd14c641 100644 --- a/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml +++ b/data-manipulation/encryption/aes/decrypt-data-using-aes-via-x86-extensions.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] mbc: diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml index 768aa7c3d..568535f3d 100644 --- a/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml +++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-mixcolumns-step.yml @@ -5,7 +5,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml index af0163420..07f4c4d66 100644 --- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml +++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml index e62b8e602..86c78647c 100644 --- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml +++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/aes/manually-build-aes-constants.yml b/data-manipulation/encryption/aes/manually-build-aes-constants.yml index a0acbc184..e4ade9f8f 100644 --- a/data-manipulation/encryption/aes/manually-build-aes-constants.yml +++ b/data-manipulation/encryption/aes/manually-build-aes-constants.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - huynh.t.nhan@gmail.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml b/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml index 4076aa167..3f2453995 100644 --- a/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml +++ b/data-manipulation/encryption/aes/use-dotnet-library-encryptdecryptutils.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml b/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml index 1ae18757b..316532590 100644 --- a/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml +++ b/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/blowfish authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml b/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml index 8456f1b0c..5e2c704fb 100644 --- a/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml +++ b/data-manipulation/encryption/camellia/encrypt-data-using-camellia.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/camellia authors: - '@_re_fox' - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml b/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml index 665a815ef..15aeabe45 100644 --- a/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml +++ b/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - chuong.dong@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml index 4e5207b9b..f84760fcb 100644 --- a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml +++ b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/des authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/des/encrypt-data-using-des.yml b/data-manipulation/encryption/des/encrypt-data-using-des.yml index eb0ae8cb7..65a4fabf6 100644 --- a/data-manipulation/encryption/des/encrypt-data-using-des.yml +++ b/data-manipulation/encryption/des/encrypt-data-using-des.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml index aed6fbbec..d5f40b48d 100644 --- a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml +++ b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml b/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml index 6efdfa87b..509a32992 100644 --- a/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml +++ b/data-manipulation/encryption/elliptic-curve/encrypt-data-using-curve25519.yml @@ -5,7 +5,9 @@ rule: authors: - dimiter.andonov@mandiant.com description: Targets code that enforces Curve25519's secret key restrictions. The specification states "The legitimate users are assumed to generate independent uniform random secret keys. A user can, for example, generate 32 uniform random bytes, clear bits 0, 1, 2 of the first byte, clear bit 7 of the last byte, and set bit 6 of the last byte." - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] examples: diff --git a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml index 97c8afb8d..b96a7f5df 100644 --- a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml +++ b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - zander.work@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml index 744a16ab1..d73c6d35b 100644 --- a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml +++ b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml index 1eb5145b8..e882c0bb5 100644 --- a/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml +++ b/data-manipulation/encryption/get-outbound-credentials-handle-via-credssp.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml index d079f522c..5d4769a01 100755 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml @@ -5,7 +5,9 @@ rule: namespace: data-manipulation/encryption/hc-128 authors: - blaine.stancill@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml index 7db6103e1..dd49c1a9a 100644 --- a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml +++ b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for instruction mnemonics associated with initialization of the HC-128 stream cipher - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/import-public-key.yml b/data-manipulation/encryption/import-public-key.yml index 6bf44a538..53764f55e 100644 --- a/data-manipulation/encryption/import-public-key.yml +++ b/data-manipulation/encryption/import-public-key.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Encryption Key::Import Public Key [C0028.001] examples: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml index 516444e29..76b7709c3 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml index 93c17aa47..6b4059201 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml index c1354f466..582a627e3 100644 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml index 7dfc24222..c16e210bf 100755 --- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml +++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - blaine.stancill@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml index d571b8033..8fd7578b0 100644 --- a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml +++ b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc6 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml index 05cdcba17..70c57f8e3 100644 --- a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml +++ b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Encryption Key [C0028] references: diff --git a/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml b/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml index eb1763e7d..cfcf32713 100644 --- a/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml +++ b/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/skipjack authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml index dbda8d117..68df60a71 100644 --- a/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml +++ b/data-manipulation/encryption/sosemanuk/encrypt-data-using-sosemanuk.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for cryptographic constants associated with the Sosemanuk stream cipher - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml index 887ba2c95..8529f0f6a 100755 --- a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml index ffe8c60f7..105245799 100755 --- a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml +++ b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml b/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml index 4ee2c821b..d925613b5 100644 --- a/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml +++ b/data-manipulation/encryption/twofish/encrypt-data-using-twofish.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/twofish authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/vest/encrypt-data-using-vest.yml b/data-manipulation/encryption/vest/encrypt-data-using-vest.yml index ceda4cfb8..621043bc2 100644 --- a/data-manipulation/encryption/vest/encrypt-data-using-vest.yml +++ b/data-manipulation/encryption/vest/encrypt-data-using-vest.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/vest authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml index 4f51a9f09..0180b53c9 100755 --- a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml +++ b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/xtea authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml index bd99f80a6..8aa8f1cff 100755 --- a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml +++ b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/xxtea authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml index acdfe958b..6d8ff388b 100644 --- a/data-manipulation/hashing/djb2/hash-data-using-djb2.yml +++ b/data-manipulation/hashing/djb2/hash-data-using-djb2.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com - still@teamt5.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Non-Cryptographic Hash::djb2 [C0030.006] references: diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml index 825be537a..a467fb191 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml +++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml @@ -7,7 +7,9 @@ rule: - "@_re_fox" - michael.hunhoff@mandiant.com description: can be any Fowler-Noll-Vo (FNV) hash variant, including FNV-1, FNV-1a, FNV-0 - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Non-Cryptographic Hash::FNV [C0030.005] references: diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml index ae8572c5c..b0142e145 100644 --- a/data-manipulation/hashing/hash-data-via-wincrypt.yml +++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Cryptography::Cryptographic Hash [C0029] examples: diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml index 9bf05b933..c30113734 100644 --- a/data-manipulation/hashing/md5/hash-data-with-md5.yml +++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Cryptography::Cryptographic Hash::MD5 [C0029.001] references: diff --git a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml index da88c86fa..90fccf858 100644 --- a/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml +++ b/data-manipulation/hashing/murmur/hash-data-using-murmur3.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/murmur authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Non-Cryptographic Hash::MurmurHash [C0030.001] references: diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml index d5d0644df..1696cbbcd 100644 --- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml +++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Cryptography::Cryptographic Hash::SHA1 [C0029.002] examples: diff --git a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml index 205b69cb3..cfaa86e26 100644 --- a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml +++ b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha224 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Cryptographic Hash::SHA224 [C0029.004] references: diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml index 9f3400f97..2b232df26 100644 --- a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml +++ b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Cryptographic Hash::SHA256 [C0029.003] references: diff --git a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml index 1a723cef2..ac47370b4 100644 --- a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml +++ b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha384 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://www.rfc-editor.org/rfc/rfc6234 examples: diff --git a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml index 1b09d83f5..85e747567 100644 --- a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml +++ b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha512 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://www.rfc-editor.org/rfc/rfc6234 examples: diff --git a/data-manipulation/hashing/tiger/hash-data-using-tiger.yml b/data-manipulation/hashing/tiger/hash-data-using-tiger.yml index 8be819bb8..e3962e561 100644 --- a/data-manipulation/hashing/tiger/hash-data-using-tiger.yml +++ b/data-manipulation/hashing/tiger/hash-data-using-tiger.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/tiger authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Cryptographic Hash::Tiger [C0029.005] examples: diff --git a/data-manipulation/hmac/authenticate-hmac.yml b/data-manipulation/hmac/authenticate-hmac.yml index 8956e1049..18ee0aba7 100644 --- a/data-manipulation/hmac/authenticate-hmac.yml +++ b/data-manipulation/hmac/authenticate-hmac.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hmac authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Cryptography::Hashed Message Authentication Code [C0061] references: diff --git a/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml b/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml index 08d8b1146..9aaf65679 100644 --- a/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml +++ b/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/json authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml index cd6b6e57a..0bc027d44 100644 --- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml +++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - richard.weiss@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] references: diff --git a/data-manipulation/prng/generate-random-numbers-via-winapi.yml b/data-manipulation/prng/generate-random-numbers-via-winapi.yml index 13670595d..1bca70b83 100644 --- a/data-manipulation/prng/generate-random-numbers-via-winapi.yml +++ b/data-manipulation/prng/generate-random-numbers-via-winapi.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] examples: diff --git a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml index 5f8a68b6c..ab35eff57 100644 --- a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml +++ b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng/mersenne authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence [C0021] examples: diff --git a/data-manipulation/svg/use-dotnet-library-sharpvectors.yml b/data-manipulation/svg/use-dotnet-library-sharpvectors.yml index b6cd87e52..36b73632e 100644 --- a/data-manipulation/svg/use-dotnet-library-sharpvectors.yml +++ b/data-manipulation/svg/use-dotnet-library-sharpvectors.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/svg authors: - "@johnk3r" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: diff --git a/executable/installer/dotnet/packaged-as-single-file-dotnet-application.yml b/executable/installer/dotnet/packaged-as-single-file-dotnet-application.yml index 999ef224a..5af0632d1 100644 --- a/executable/installer/dotnet/packaged-as-single-file-dotnet-application.yml +++ b/executable/installer/dotnet/packaged-as-single-file-dotnet-application.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Single binary containing target .NET application and all application-dependent files - scope: file + scopes: + static: file + dynamic: file references: - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli examples: diff --git a/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml b/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml index 5d47d5838..80c50f418 100644 --- a/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml +++ b/executable/installer/iexpress/packaged-as-an-iexpress-self-extracting-archive.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/iexpress authors: - awillia2@cisco.com - scope: file + scopes: + static: file + dynamic: file references: - https://en.wikipedia.org/wiki/IExpress examples: diff --git a/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml b/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml index dd7a3e228..547a96858 100644 --- a/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml +++ b/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/inno-setup authors: - awillia2@cisco.com - scope: file + scopes: + static: file + dynamic: file references: - https://jrsoftware.org/isinfo.php examples: diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml index 9e7495c94..bdd929c41 100644 --- a/executable/pe/export/forwarded-export.yml +++ b/executable/pe/export/forwarded-export.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/export authors: - ronnie.salomonsen@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/executable/pe/pdb/contains-pdb-path.yml b/executable/pe/pdb/contains-pdb-path.yml index 38d7d72f4..efb1b946f 100644 --- a/executable/pe/pdb/contains-pdb-path.yml +++ b/executable/pe/pdb/contains-pdb-path.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/pdb authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - 464EF2CA59782CE697BC329713698CCC # level32.exe features: diff --git a/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml b/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml index b66885524..d1d81b18e 100644 --- a/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml +++ b/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/section/tls authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - Practical Malware Analysis Lab 16-02.exe_ features: diff --git a/executable/resource/access-dotnet-resource.yml b/executable/resource/access-dotnet-resource.yml index 93aaf14ec..c8c7726fc 100644 --- a/executable/resource/access-dotnet-resource.yml +++ b/executable/resource/access-dotnet-resource.yml @@ -4,7 +4,9 @@ rule: namespace: executable/resource authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread examples: - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084 features: diff --git a/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml b/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml index 3289c035f..4983b63bb 100644 --- a/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml +++ b/executable/resource/embed-dependencies-as-resources-using-fodycostura.yml @@ -5,7 +5,9 @@ rule: authors: - "@johnk3r" - "@mr-tz" - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/ examples: diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml index beddea449..92513950a 100644 --- a/executable/resource/extract-resource-via-kernel32-functions.yml +++ b/executable/resource/extract-resource-via-kernel32-functions.yml @@ -4,7 +4,9 @@ rule: namespace: executable/resource authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000 - Practical Malware Analysis Lab 01-04.exe_:0x4011FC diff --git a/executable/subfile/pe/contain-an-embedded-pe-file.yml b/executable/subfile/pe/contain-an-embedded-pe-file.yml index 72760f0e8..42a75b6ee 100644 --- a/executable/subfile/pe/contain-an-embedded-pe-file.yml +++ b/executable/subfile/pe/contain-an-embedded-pe-file.yml @@ -4,7 +4,9 @@ rule: namespace: executable/subfile/pe authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Execution::Install Additional Program [B0023] examples: diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml index 28d8ff528..4694f5260 100644 --- a/host-interaction/bootloader/disable-code-signing.yml +++ b/host-interaction/bootloader/disable-code-signing.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] examples: diff --git a/host-interaction/bootloader/get-uefi-variable.yml b/host-interaction/bootloader/get-uefi-variable.yml index 24eed7cdd..20da77119 100644 --- a/host-interaction/bootloader/get-uefi-variable.yml +++ b/host-interaction/bootloader/get-uefi-variable.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Pre-OS Boot::System Firmware [T1542.001] references: diff --git a/host-interaction/bootloader/manipulate-boot-configuration.yml b/host-interaction/bootloader/manipulate-boot-configuration.yml index 60b1409bb..b91396ed9 100644 --- a/host-interaction/bootloader/manipulate-boot-configuration.yml +++ b/host-interaction/bootloader/manipulate-boot-configuration.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options examples: diff --git a/host-interaction/bootloader/manipulate-safe-mode-programs.yml b/host-interaction/bootloader/manipulate-safe-mode-programs.yml index 150ff9b16..145f0fb4e 100644 --- a/host-interaction/bootloader/manipulate-safe-mode-programs.yml +++ b/host-interaction/bootloader/manipulate-safe-mode-programs.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009] examples: diff --git a/host-interaction/bootloader/set-uefi-variable.yml b/host-interaction/bootloader/set-uefi-variable.yml index d4c669423..940742b5f 100644 --- a/host-interaction/bootloader/set-uefi-variable.yml +++ b/host-interaction/bootloader/set-uefi-variable.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Pre-OS Boot::System Firmware [T1542.001] references: diff --git a/host-interaction/cli/accept-command-line-arguments.yml b/host-interaction/cli/accept-command-line-arguments.yml index e4fcebd5e..96ff5d011 100644 --- a/host-interaction/cli/accept-command-line-arguments.yml +++ b/host-interaction/cli/accept-command-line-arguments.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter [T1059] mbc: diff --git a/host-interaction/cli/resolve-path-using-msvcrt.yml b/host-interaction/cli/resolve-path-using-msvcrt.yml index 90e700fe1..943b6ec45 100644 --- a/host-interaction/cli/resolve-path-using-msvcrt.yml +++ b/host-interaction/cli/resolve-path-using-msvcrt.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/cli authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::File and Directory Discovery [T1083] examples: diff --git a/host-interaction/clipboard/open-clipboard.yml b/host-interaction/clipboard/open-clipboard.yml index b973bf6e3..5765585a7 100644 --- a/host-interaction/clipboard/open-clipboard.yml +++ b/host-interaction/clipboard/open-clipboard.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/clipboard authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Clipboard Data [T1115] examples: diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml index f920f8f65..2a24b1b36 100644 --- a/host-interaction/clipboard/read-clipboard-data.yml +++ b/host-interaction/clipboard/read-clipboard-data.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Collection::Clipboard Data [T1115] references: diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml index cbc655c0e..1e05855a3 100644 --- a/host-interaction/clipboard/write-clipboard-data.yml +++ b/host-interaction/clipboard/write-clipboard-data.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Impact::Clipboard Modification [E1510] references: diff --git a/host-interaction/console/manipulate-console-buffer.yml b/host-interaction/console/manipulate-console-buffer.yml index d5a09408d..21fa1f524 100644 --- a/host-interaction/console/manipulate-console-buffer.yml +++ b/host-interaction/console/manipulate-console-buffer.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Operating System::Console [C0033] references: diff --git a/host-interaction/driver/create-device-object.yml b/host-interaction/driver/create-device-object.yml index 5f5c82a0c..894d95b45 100644 --- a/host-interaction/driver/create-device-object.yml +++ b/host-interaction/driver/create-device-object.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/driver authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread examples: - Practical Malware Analysis Lab 10-03.sys_:0x00010706 features: diff --git a/host-interaction/driver/disable-driver-code-integrity.yml b/host-interaction/driver/disable-driver-code-integrity.yml index 05948e6eb..bbc6e07c5 100644 --- a/host-interaction/driver/disable-driver-code-integrity.yml +++ b/host-interaction/driver/disable-driver-code-integrity.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/driver authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc: diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml index a7a7f5e0f..dd719578b 100644 --- a/host-interaction/driver/install-driver.yml +++ b/host-interaction/driver/install-driver.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/driver authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] mbc: diff --git a/host-interaction/driver/interact-with-driver-via-control-codes.yml b/host-interaction/driver/interact-with-driver-via-control-codes.yml index d54015a58..45dd6d377 100644 --- a/host-interaction/driver/interact-with-driver-via-control-codes.yml +++ b/host-interaction/driver/interact-with-driver-via-control-codes.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/driver authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::System Services::Service Execution [T1569.002] examples: diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml index 360570d71..82f5a8491 100644 --- a/host-interaction/environment-variable/get-comspec-environment-variable.yml +++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/environment-variable authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/environment-variable/query-environment-variable.yml b/host-interaction/environment-variable/query-environment-variable.yml index 4ef54c8c0..4559ba91e 100644 --- a/host-interaction/environment-variable/query-environment-variable.yml +++ b/host-interaction/environment-variable/query-environment-variable.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/environment-variable/set-environment-variable.yml b/host-interaction/environment-variable/set-environment-variable.yml index 897aed271..012fce6ab 100644 --- a/host-interaction/environment-variable/set-environment-variable.yml +++ b/host-interaction/environment-variable/set-environment-variable.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/environment-variable authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Operating System::Environment Variable::Set Variable [C0034.001] examples: diff --git a/host-interaction/file-system/bypass-mark-of-the-web.yml b/host-interaction/file-system/bypass-mark-of-the-web.yml index 0f5c40f94..11759fb77 100644 --- a/host-interaction/file-system/bypass-mark-of-the-web.yml +++ b/host-interaction/file-system/bypass-mark-of-the-web.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005] examples: diff --git a/host-interaction/file-system/change-file-permission-on-linux.yml b/host-interaction/file-system/change-file-permission-on-linux.yml index 872badff6..fea34e52f 100644 --- a/host-interaction/file-system/change-file-permission-on-linux.yml +++ b/host-interaction/file-system/change-file-permission-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - File System::Set File Attributes [C0050] examples: diff --git a/host-interaction/file-system/copy/copy-file.yml b/host-interaction/file-system/copy/copy-file.yml index 2b3913a4b..577a6ba27 100644 --- a/host-interaction/file-system/copy/copy-file.yml +++ b/host-interaction/file-system/copy/copy-file.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - File System::Copy File [C0045] examples: diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml index 79474ebb8..3f47b1b8e 100644 --- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml +++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005] mbc: diff --git a/host-interaction/file-system/create/create-directory.yml b/host-interaction/file-system/create/create-directory.yml index d43de4d33..9ccf8aaa5 100644 --- a/host-interaction/file-system/create/create-directory.yml +++ b/host-interaction/file-system/create/create-directory.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - File System::Create Directory [C0046] examples: diff --git a/host-interaction/file-system/delete/delete-directory.yml b/host-interaction/file-system/delete/delete-directory.yml index 41edc033e..c6018c78d 100644 --- a/host-interaction/file-system/delete/delete-directory.yml +++ b/host-interaction/file-system/delete/delete-directory.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - File System::Delete Directory [C0048] examples: diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml index 95f4d1df9..3ad78fd42 100644 --- a/host-interaction/file-system/delete/delete-file.yml +++ b/host-interaction/file-system/delete/delete-file.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - File System::Delete File [C0047] examples: diff --git a/host-interaction/file-system/exists/check-if-file-exists.yml b/host-interaction/file-system/exists/check-if-file-exists.yml index 9891433be..9644fa056 100644 --- a/host-interaction/file-system/exists/check-if-file-exists.yml +++ b/host-interaction/file-system/exists/check-if-file-exists.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml index ff6c579b3..9afd51bfb 100644 --- a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml +++ b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/files/list authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml index 3b9a4179d..34fa2e30c 100644 --- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml +++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/files/list/enumerate-files-recursively.yml b/host-interaction/file-system/files/list/enumerate-files-recursively.yml index f80a082cc..aac8d0278 100644 --- a/host-interaction/file-system/files/list/enumerate-files-recursively.yml +++ b/host-interaction/file-system/files/list/enumerate-files-recursively.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/get-common-file-path.yml b/host-interaction/file-system/get-common-file-path.yml index 13ca9804f..d67e1725e 100644 --- a/host-interaction/file-system/get-common-file-path.yml +++ b/host-interaction/file-system/get-common-file-path.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/get-file-system-object-information.yml b/host-interaction/file-system/get-file-system-object-information.yml index a5a9d5a54..302b337df 100644 --- a/host-interaction/file-system/get-file-system-object-information.yml +++ b/host-interaction/file-system/get-file-system-object-information.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::File and Directory Discovery [T1083] examples: diff --git a/host-interaction/file-system/get-program-files-directory.yml b/host-interaction/file-system/get-program-files-directory.yml index 88dfead36..e72aaf9f9 100644 --- a/host-interaction/file-system/get-program-files-directory.yml +++ b/host-interaction/file-system/get-program-files-directory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::File and Directory Discovery [T1083] examples: diff --git a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml index acd2d387f..8620abefb 100644 --- a/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml +++ b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - david.cannings@pwc.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead references: - http://www.rohitab.com/discuss/topic/42325-the-kuser-shared-data-structure/ - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntexapi_x/kuser_shared_data/index.htm diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml index a1b929a1e..a1055c76d 100644 --- a/host-interaction/file-system/meta/get-file-attributes.yml +++ b/host-interaction/file-system/meta/get-file-attributes.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - File System::Get File Attributes [C0049] examples: diff --git a/host-interaction/file-system/meta/get-file-size.yml b/host-interaction/file-system/meta/get-file-size.yml index 2d212bfab..a420a8324 100644 --- a/host-interaction/file-system/meta/get-file-size.yml +++ b/host-interaction/file-system/meta/get-file-size.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/meta/get-file-version-info.yml b/host-interaction/file-system/meta/get-file-version-info.yml index 5bd99c1cc..c61ccc59f 100644 --- a/host-interaction/file-system/meta/get-file-version-info.yml +++ b/host-interaction/file-system/meta/get-file-version-info.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml index 53ea96eed..716a3469f 100644 --- a/host-interaction/file-system/meta/set-file-attributes.yml +++ b/host-interaction/file-system/meta/set-file-attributes.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Defense Evasion::File and Directory Permissions Modification [T1222] mbc: diff --git a/host-interaction/file-system/move/move-file.yml b/host-interaction/file-system/move/move-file.yml index 9e8b23f45..d991430da 100644 --- a/host-interaction/file-system/move/move-file.yml +++ b/host-interaction/file-system/move/move-file.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - File System::Move File [C0063] examples: diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml index 6b1db96b6..840228134 100644 --- a/host-interaction/file-system/read/read-file-on-linux.yml +++ b/host-interaction/file-system/read/read-file-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/read authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - File System::Read File [C0051] examples: diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml index f971aca77..306a0a6ab 100644 --- a/host-interaction/file-system/read/read-file-on-windows.yml +++ b/host-interaction/file-system/read/read-file-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - File System::Read File [C0051] examples: diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml index d7aea180e..f3de3e5d0 100644 --- a/host-interaction/file-system/read/read-file-via-mapping.yml +++ b/host-interaction/file-system/read/read-file-via-mapping.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/read authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - File System::Read File [C0051] examples: diff --git a/host-interaction/file-system/read/read-ini-file.yml b/host-interaction/file-system/read/read-ini-file.yml index 3de512a26..cd5d89845 100644 --- a/host-interaction/file-system/read/read-ini-file.yml +++ b/host-interaction/file-system/read/read-ini-file.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - File System::Read File [C0051] examples: diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml index b1e72d214..b81bdc4ed 100644 --- a/host-interaction/file-system/read/read-virtual-disk.yml +++ b/host-interaction/file-system/read/read-virtual-disk.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/read authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread mbc: - File System::Read Virtual Disk [C0056] references: diff --git a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml index 3b571d84c..3a1f2939d 100644 --- a/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml +++ b/host-interaction/file-system/reference-absolute-stream-path-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - blas.kojusner@mandiant.com - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead references: - https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams examples: diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml index 67c13e022..4a1148afe 100644 --- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml +++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/windows-file-protection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007] examples: diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml index ea501c4a0..5a8650ae1 100644 --- a/host-interaction/file-system/write/write-file-on-linux.yml +++ b/host-interaction/file-system/write/write-file-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/write authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - File System::Writes File [C0052] examples: diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml index d380d53f1..d7cbbce9d 100644 --- a/host-interaction/file-system/write/write-file-on-windows.yml +++ b/host-interaction/file-system/write/write-file-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - File System::Writes File [C0052] examples: diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml index 46c3dcd37..bac74e8f2 100644 --- a/host-interaction/filter/enumerate-minifilter-drivers.yml +++ b/host-interaction/filter/enumerate-minifilter-drivers.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/filter authors: - aseel.kayal@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148 - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts diff --git a/host-interaction/filter/register-minifilter-driver.yml b/host-interaction/filter/register-minifilter-driver.yml index 71e80fc7e..1da57ba45 100644 --- a/host-interaction/filter/register-minifilter-driver.yml +++ b/host-interaction/filter/register-minifilter-driver.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/filter authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Hardware::Install Driver::Minifilter [C0037.001] references: diff --git a/host-interaction/filter/start-minifilter-driver.yml b/host-interaction/filter/start-minifilter-driver.yml index b62e44c00..ab1318f8d 100644 --- a/host-interaction/filter/start-minifilter-driver.yml +++ b/host-interaction/filter/start-minifilter-driver.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/filter authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Hardware::Load Driver::Minifilter [C0023.001] references: diff --git a/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml b/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml index 56976b9dc..990f094c6 100644 --- a/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml +++ b/host-interaction/firewall/modify/access-firewall-settings-via-inetfwmgr.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/firewall/modify authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Discovery::Software Discovery::Security Software Discovery [T1518.001] - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004] diff --git a/host-interaction/gui/console/set-console-window-title.yml b/host-interaction/gui/console/set-console-window-title.yml index c89d7fe3a..9a1548550 100644 --- a/host-interaction/gui/console/set-console-window-title.yml +++ b/host-interaction/gui/console/set-console-window-title.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/console authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Operating System::Console [C0033] examples: diff --git a/host-interaction/gui/enumerate-gui-resources.yml b/host-interaction/gui/enumerate-gui-resources.yml index 3926f4eeb..cdb0eea9f 100644 --- a/host-interaction/gui/enumerate-gui-resources.yml +++ b/host-interaction/gui/enumerate-gui-resources.yml @@ -5,7 +5,9 @@ rule: authors: - johnk3r - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::Application Window Discovery [T1010] examples: diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml index 3f6114e72..14acbb36c 100644 --- a/host-interaction/gui/logon/references-logon-banner.yml +++ b/host-interaction/gui/logon/references-logon-banner.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/logon authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead examples: - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC features: diff --git a/host-interaction/gui/session/lock/lock-the-desktop.yml b/host-interaction/gui/session/lock/lock-the-desktop.yml index a9343b930..af0d10427 100644 --- a/host-interaction/gui/session/lock/lock-the-desktop.yml +++ b/host-interaction/gui/session/lock/lock-the-desktop.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/session/lock authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::Endpoint Denial of Service [T1499] examples: diff --git a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml index ebe0dc9a6..68486ff38 100644 --- a/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml +++ b/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/session authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Operating System::Wallpaper [C0035] examples: diff --git a/host-interaction/gui/set-application-hook.yml b/host-interaction/gui/set-application-hook.yml index 530a8ab9f..52299cbb0 100644 --- a/host-interaction/gui/set-application-hook.yml +++ b/host-interaction/gui/set-application-hook.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - Practical Malware Analysis Lab 12-03.exe_:0x401000 features: diff --git a/host-interaction/gui/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml index 54d3ac48e..5160f6bb1 100644 --- a/host-interaction/gui/switch-active-desktop.yml +++ b/host-interaction/gui/switch-active-desktop.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc: diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml index 324f02f83..272c7578b 100644 --- a/host-interaction/gui/taskbar/find/find-taskbar.yml +++ b/host-interaction/gui/taskbar/find/find-taskbar.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/taskbar/find authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Discovery::Taskbar Discovery [B0043] examples: diff --git a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml index 5e670e5b6..787e6c512 100644 --- a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml +++ b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/taskbar/hide authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Hide Artifacts [T1564] examples: diff --git a/host-interaction/gui/window/find/find-graphical-window.yml b/host-interaction/gui/window/find/find-graphical-window.yml index 7113a1bc7..0900fe569 100644 --- a/host-interaction/gui/window/find/find-graphical-window.yml +++ b/host-interaction/gui/window/find/find-graphical-window.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/find authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Application Window Discovery [T1010] examples: diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml index 97dd4565b..bb8f5c136 100644 --- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml +++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/get-text authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Discovery::Application Window Discovery [E1010] examples: diff --git a/host-interaction/gui/window/hide/hide-graphical-window.yml b/host-interaction/gui/window/hide/hide-graphical-window.yml index da4ae933b..d08248103 100644 --- a/host-interaction/gui/window/hide/hide-graphical-window.yml +++ b/host-interaction/gui/window/hide/hide-graphical-window.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui/window/hide authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003] examples: diff --git a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml index e1239ce63..0673777cb 100644 --- a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml +++ b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/cdrom authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Impact::Modify Hardware::CDROM [B0042.001] examples: diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml index 5704b98f4..769fc09bf 100644 --- a/host-interaction/hardware/cpu/get-cpu-information.yml +++ b/host-interaction/hardware/cpu/get-cpu-information.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml index b87620209..73693717e 100644 --- a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml +++ b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/cpu authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/host-interaction/hardware/cpu/get-number-of-processors.yml b/host-interaction/hardware/cpu/get-number-of-processors.yml index 4001c4c04..bdd78d406 100644 --- a/host-interaction/hardware/cpu/get-number-of-processors.yml +++ b/host-interaction/hardware/cpu/get-number-of-processors.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/host-interaction/hardware/enumerate-devices-by-category.yml b/host-interaction/hardware/enumerate-devices-by-category.yml index 50e1b7368..faf84944c 100644 --- a/host-interaction/hardware/enumerate-devices-by-category.yml +++ b/host-interaction/hardware/enumerate-devices-by-category.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/hardware authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://learn.microsoft.com/en-us/windows/win32/api/strmif/nf-strmif-icreatedevenum-createclassenumerator examples: diff --git a/host-interaction/hardware/keyboard/get-keyboard-layout.yml b/host-interaction/hardware/keyboard/get-keyboard-layout.yml index 5bbc21025..b31c61415 100644 --- a/host-interaction/hardware/keyboard/get-keyboard-layout.yml +++ b/host-interaction/hardware/keyboard/get-keyboard-layout.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/keyboard authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Location Discovery::System Language Discovery [T1614.001] examples: diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml index 2d9bf4626..5039763ba 100644 --- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml +++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001] examples: diff --git a/host-interaction/hardware/memory/get-memory-capacity.yml b/host-interaction/hardware/memory/get-memory-capacity.yml index 017640ecb..842f6385c 100644 --- a/host-interaction/hardware/memory/get-memory-capacity.yml +++ b/host-interaction/hardware/memory/get-memory-capacity.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/memory authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml index 8827b4075..45ca6100d 100644 --- a/host-interaction/hardware/memory/get-memory-information.yml +++ b/host-interaction/hardware/memory/get-memory-information.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/memory authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/hardware/mouse/swap-mouse-buttons.yml b/host-interaction/hardware/mouse/swap-mouse-buttons.yml index f53901622..776fe2942 100644 --- a/host-interaction/hardware/mouse/swap-mouse-buttons.yml +++ b/host-interaction/hardware/mouse/swap-mouse-buttons.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/mouse authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Impact::Modify Hardware::Mouse [B0042.002] examples: diff --git a/host-interaction/hardware/storage/enumerate-disk-properties.yml b/host-interaction/hardware/storage/enumerate-disk-properties.yml index 90ad23d51..146bede8f 100644 --- a/host-interaction/hardware/storage/enumerate-disk-properties.yml +++ b/host-interaction/hardware/storage/enumerate-disk-properties.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/host-interaction/hardware/storage/get-disk-information.yml b/host-interaction/hardware/storage/get-disk-information.yml index 187f98995..22982c4b1 100644 --- a/host-interaction/hardware/storage/get-disk-information.yml +++ b/host-interaction/hardware/storage/get-disk-information.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml index a5a865d17..67c91f466 100644 --- a/host-interaction/hardware/storage/get-disk-size.yml +++ b/host-interaction/hardware/storage/get-disk-size.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml index 1b308263b..6bc8f8185 100755 --- a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml +++ b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/log/clfs/read authors: - blaine.stancill@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Discovery::File and Directory Discovery::Log File [E1083.m01] references: diff --git a/host-interaction/log/debug/write-event/print-debug-messages.yml b/host-interaction/log/debug/write-event/print-debug-messages.yml index 67fe5b278..3e14f95c6 100644 --- a/host-interaction/log/debug/write-event/print-debug-messages.yml +++ b/host-interaction/log/debug/write-event/print-debug-messages.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/log/debug/write-event authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread examples: - 493167E85E45363D09495D0841C30648:0x401000 features: diff --git a/host-interaction/log/winevt/access/access-the-windows-event-log.yml b/host-interaction/log/winevt/access/access-the-windows-event-log.yml index 8d86a2198..98b71938f 100644 --- a/host-interaction/log/winevt/access/access-the-windows-event-log.yml +++ b/host-interaction/log/winevt/access/access-the-windows-event-log.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/log/winevt/access authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Discovery::File and Directory Discovery::Log File [E1083.m01] examples: diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml index 8626dfdab..e8b24fafe 100644 --- a/host-interaction/memory/create-new-application-domain-in-dotnet.yml +++ b/host-interaction/memory/create-new-application-domain-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/memory authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope att&ck: - Persistence::Hijack Execution Flow [T1574] mbc: diff --git a/host-interaction/mutex/check-mutex-and-exit.yml b/host-interaction/mutex/check-mutex-and-exit.yml index 37a3ba08a..d545ad2a0 100644 --- a/host-interaction/mutex/check-mutex-and-exit.yml +++ b/host-interaction/mutex/check-mutex-and-exit.yml @@ -5,7 +5,9 @@ rule: authors: - "@_re_fox" - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Process::Check Mutex [C0043] - Process::Terminate Process [C0018] diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml index 21c5ac08b..18f0fbfef 100644 --- a/host-interaction/mutex/check-mutex.yml +++ b/host-interaction/mutex/check-mutex.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Process::Check Mutex [C0043] examples: diff --git a/host-interaction/mutex/create-mutex.yml b/host-interaction/mutex/create-mutex.yml index 7cb7472f3..b36020efe 100644 --- a/host-interaction/mutex/create-mutex.yml +++ b/host-interaction/mutex/create-mutex.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Process::Create Mutex [C0042] examples: diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml index 1a8469d52..5adb80524 100644 --- a/host-interaction/mutex/create-semaphore-on-linux.yml +++ b/host-interaction/mutex/create-semaphore-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0 features: diff --git a/host-interaction/mutex/lock-file.yml b/host-interaction/mutex/lock-file.yml index cac4863fc..795e862ce 100644 --- a/host-interaction/mutex/lock-file.yml +++ b/host-interaction/mutex/lock-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Mutex [C0042] examples: diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml index 04e10c726..301927621 100644 --- a/host-interaction/mutex/lock-semaphore-on-linux.yml +++ b/host-interaction/mutex/lock-semaphore-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40 features: diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml index 62ae268cc..b33ff115c 100644 --- a/host-interaction/mutex/unlock-semaphore-on-linux.yml +++ b/host-interaction/mutex/unlock-semaphore-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/mutex authors: - "@ramen0x3f" - scope: function + scopes: + static: function + dynamic: thread examples: - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40 features: diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml index 92afbadfc..4b57f8cda 100644 --- a/host-interaction/network/address/get-local-ipv4-addresses.yml +++ b/host-interaction/network/address/get-local-ipv4-addresses.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml b/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml index 685a7e719..94d34f1ec 100644 --- a/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml +++ b/host-interaction/network/connectivity/check-internet-connectivity-via-wininet.yml @@ -5,7 +5,9 @@ rule: authors: - matthew.williams@mandiant.com - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] examples: diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml index 4c8d87a49..44fa848b4 100644 --- a/host-interaction/network/connectivity/set-tcp-connection-state.yml +++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml @@ -5,7 +5,9 @@ rule: authors: - "@johnk3r" description: The SetTcpEntry function sets the state of a TCP connection. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses [T1562] references: diff --git a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml index 2cb447de3..a176f31f5 100644 --- a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml +++ b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] references: diff --git a/host-interaction/network/domain/get-domain-controller-name.yml b/host-interaction/network/domain/get-domain-controller-name.yml index 028a98728..43768e97f 100644 --- a/host-interaction/network/domain/get-domain-controller-name.yml +++ b/host-interaction/network/domain/get-domain-controller-name.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] references: diff --git a/host-interaction/network/domain/get-domain-information.yml b/host-interaction/network/domain/get-domain-information.yml index 7e9999e78..e883671aa 100644 --- a/host-interaction/network/domain/get-domain-information.yml +++ b/host-interaction/network/domain/get-domain-information.yml @@ -7,7 +7,9 @@ rule: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com description: Detect collection of Windows domain information - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml index dfcee3545..b807c106c 100644 --- a/host-interaction/network/interface/get-networking-interfaces.yml +++ b/host-interaction/network/interface/get-networking-interfaces.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/host-interaction/network/traffic/copy/copy-network-traffic.yml b/host-interaction/network/traffic/copy/copy-network-traffic.yml index 0747b5c1e..1e4281c4e 100644 --- a/host-interaction/network/traffic/copy/copy-network-traffic.yml +++ b/host-interaction/network/traffic/copy/copy-network-traffic.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/traffic/copy authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Network Sniffing [T1040] examples: diff --git a/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml b/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml index 9a3a89be6..8c4f5ac28 100644 --- a/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml +++ b/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/traffic/filter authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002] examples: diff --git a/host-interaction/os/hostname/get-hostname.yml b/host-interaction/os/hostname/get-hostname.yml index fe3681451..f44d1319f 100644 --- a/host-interaction/os/hostname/get-hostname.yml +++ b/host-interaction/os/hostname/get-hostname.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/os/info/get-system-information-on-windows.yml b/host-interaction/os/info/get-system-information-on-windows.yml index ee8bdb495..4520cf7ca 100644 --- a/host-interaction/os/info/get-system-information-on-windows.yml +++ b/host-interaction/os/info/get-system-information-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/os/shutdown-system.yml b/host-interaction/os/shutdown-system.yml index c1fa5e9a2..e336110f6 100644 --- a/host-interaction/os/shutdown-system.yml +++ b/host-interaction/os/shutdown-system.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::System Shutdown/Reboot [T1529] examples: diff --git a/host-interaction/os/version/check-os-version.yml b/host-interaction/os/version/check-os-version.yml index 66402d52a..20765355f 100644 --- a/host-interaction/os/version/check-os-version.yml +++ b/host-interaction/os/version/check-os-version.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] mbc: diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml index cc39769b3..f68f290e0 100644 --- a/host-interaction/os/version/get-kernel-version.yml +++ b/host-interaction/os/version/get-kernel-version.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml index a5ab0ce4f..9acefab8d 100644 --- a/host-interaction/os/version/get-linux-distribution.yml +++ b/host-interaction/os/version/get-linux-distribution.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] examples: diff --git a/host-interaction/process/allocate-thread-local-storage.yml b/host-interaction/process/allocate-thread-local-storage.yml index 0313f726a..bad29513b 100644 --- a/host-interaction/process/allocate-thread-local-storage.yml +++ b/host-interaction/process/allocate-thread-local-storage.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Process::Allocate Thread Local Storage [C0040] examples: diff --git a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml index c8a7adeef..0ec650478 100644 --- a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml +++ b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml @@ -5,7 +5,9 @@ rule: authors: - matthew.williams@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Process::Create Process [C0017] references: diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml index 44987b88d..2555bfd90 100644 --- a/host-interaction/process/create/create-process-on-linux.yml +++ b/host-interaction/process/create/create-process-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/create/create-process-on-windows.yml b/host-interaction/process/create/create-process-on-windows.yml index 1f3dcd75f..c72689fca 100644 --- a/host-interaction/process/create/create-process-on-windows.yml +++ b/host-interaction/process/create/create-process-on-windows.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/create/create-process-suspended.yml b/host-interaction/process/create/create-process-suspended.yml index 63e50e719..b0a4f8152 100644 --- a/host-interaction/process/create/create-process-suspended.yml +++ b/host-interaction/process/create/create-process-suspended.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Process::Create Suspended Process [C0017.003] examples: diff --git a/host-interaction/process/create/execute-command.yml b/host-interaction/process/create/execute-command.yml index 1ca1d9fdb..f2fcc313f 100644 --- a/host-interaction/process/create/execute-command.yml +++ b/host-interaction/process/create/execute-command.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/create authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread mbc: - Process::Create Process [C0017] examples: diff --git a/host-interaction/process/dump/create-process-memory-minidump.yml b/host-interaction/process/dump/create-process-memory-minidump.yml index 14e5d39ca..caf81379e 100644 --- a/host-interaction/process/dump/create-process-memory-minidump.yml +++ b/host-interaction/process/dump/create-process-memory-minidump.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/process/dump authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - File System::Writes File [C0052] examples: diff --git a/host-interaction/process/get-process-heap-flags.yml b/host-interaction/process/get-process-heap-flags.yml index 8dee6840e..019965390 100644 --- a/host-interaction/process/get-process-heap-flags.yml +++ b/host-interaction/process/get-process-heap-flags.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/get-process-heap-force-flags.yml b/host-interaction/process/get-process-heap-force-flags.yml index b2240ba64..8fb91cacb 100644 --- a/host-interaction/process/get-process-heap-force-flags.yml +++ b/host-interaction/process/get-process-heap-force-flags.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/inject/allocate-rwx-memory.yml b/host-interaction/process/inject/allocate-rwx-memory.yml index d8587e00a..168c0c74c 100644 --- a/host-interaction/process/inject/allocate-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-rwx-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml index d2f4b40ab..50df7caba 100644 --- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection [T1055] examples: diff --git a/host-interaction/process/inject/attach-user-process-memory.yml b/host-interaction/process/inject/attach-user-process-memory.yml index 4cb52d706..4f8fa5c00 100644 --- a/host-interaction/process/inject/attach-user-process-memory.yml +++ b/host-interaction/process/inject/attach-user-process-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml index eb5ec915f..5f2efed32 100644 --- a/host-interaction/process/inject/free-user-process-memory.yml +++ b/host-interaction/process/inject/free-user-process-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml index 6ecbae26a..fc058f7a2 100644 --- a/host-interaction/process/inject/hijack-thread-execution.yml +++ b/host-interaction/process/inject/hijack-thread-execution.yml @@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml index 6f803b9da..87b101715 100644 --- a/host-interaction/process/inject/inject-apc.yml +++ b/host-interaction/process/inject/inject-apc.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004] examples: diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml index a9276aa1f..9aaaf4548 100644 --- a/host-interaction/process/inject/inject-dll.yml +++ b/host-interaction/process/inject/inject-dll.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001] references: diff --git a/host-interaction/process/inject/inject-pe.yml b/host-interaction/process/inject/inject-pe.yml index 3ce5e81b2..df89a06ed 100644 --- a/host-interaction/process/inject/inject-pe.yml +++ b/host-interaction/process/inject/inject-pe.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Portable Executable Injection [T1055.002] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml index 7bf617d35..7735e65d1 100644 --- a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml +++ b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml index f500f3e7d..00ba1ec5a 100644 --- a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml +++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011] mbc: diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml index ba0ebdacc..982b257e7 100644 --- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml +++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection [T1055] mbc: diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml index 97a66feb5..0e45fd14f 100644 --- a/host-interaction/process/inject/inject-thread.yml +++ b/host-interaction/process/inject/inject-thread.yml @@ -5,7 +5,9 @@ rule: authors: - anamaria.martinezgom@mandiant.com - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003] - Defense Evasion::Reflective Code Loading [T1620] diff --git "a/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" "b/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" index 866ced9b4..01bd3a732 100644 --- "a/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" +++ "b/host-interaction/process/inject/use-process-doppelg\303\244nging.yml" @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Process Injection::Process Doppelgänging [T1055.013] examples: diff --git a/host-interaction/process/inject/use-process-replacement.yml b/host-interaction/process/inject/use-process-replacement.yml index 1f11157ab..d249a1565 100644 --- a/host-interaction/process/inject/use-process-replacement.yml +++ b/host-interaction/process/inject/use-process-replacement.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Process Hollowing [T1055.012] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml index 7f32dd57b..a25910247 100644 --- a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml +++ b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] examples: diff --git a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml index ef325cc6f..792fbfc97 100644 --- a/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml +++ b/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml index 59e618880..e2829d56d 100644 --- a/host-interaction/process/list/enumerate-processes.yml +++ b/host-interaction/process/list/enumerate-processes.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/host-interaction/process/list/find-process-by-pid.yml b/host-interaction/process/list/find-process-by-pid.yml index dc33f7f59..881be3f33 100644 --- a/host-interaction/process/list/find-process-by-pid.yml +++ b/host-interaction/process/list/find-process-by-pid.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] examples: diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml index 0d3e888eb..06877e821 100644 --- a/host-interaction/process/list/get-explorer-pid.yml +++ b/host-interaction/process/list/get-explorer-pid.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Process Discovery [T1057] references: diff --git a/host-interaction/process/map-section-object.yml b/host-interaction/process/map-section-object.yml index e76816331..2aa6750ab 100644 --- a/host-interaction/process/map-section-object.yml +++ b/host-interaction/process/map-section-object.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match examples: - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0 features: diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml index 35893a611..885cabbef 100644 --- a/host-interaction/process/modify/acquire-debug-privileges.yml +++ b/host-interaction/process/modify/acquire-debug-privileges.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/modify authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Privilege Escalation::Access Token Manipulation [T1134] examples: diff --git a/host-interaction/process/modify/modify-access-privileges.yml b/host-interaction/process/modify/modify-access-privileges.yml index e127f503a..49f989714 100644 --- a/host-interaction/process/modify/modify-access-privileges.yml +++ b/host-interaction/process/modify/modify-access-privileges.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/modify authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Privilege Escalation::Access Token Manipulation [T1134] examples: diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml index d588a51e8..2b0020199 100644 --- a/host-interaction/process/modules/list/enumerate-process-modules.yml +++ b/host-interaction/process/modules/list/enumerate-process-modules.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::Process Discovery [T1057] examples: diff --git a/host-interaction/process/set-thread-local-storage-value.yml b/host-interaction/process/set-thread-local-storage-value.yml index edb7329ac..4237c75c5 100644 --- a/host-interaction/process/set-thread-local-storage-value.yml +++ b/host-interaction/process/set-thread-local-storage-value.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Process::Set Thread Local Storage Value [C0041] examples: diff --git a/host-interaction/process/terminate/terminate-process-via-kill.yml b/host-interaction/process/terminate/terminate-process-via-kill.yml index b9140122a..eac67dc0d 100644 --- a/host-interaction/process/terminate/terminate-process-via-kill.yml +++ b/host-interaction/process/terminate/terminate-process-via-kill.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/terminate authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Terminate Process [C0018] examples: diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml index 6d80122fe..fba90716c 100644 --- a/host-interaction/process/terminate/terminate-process.yml +++ b/host-interaction/process/terminate/terminate-process.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Process::Terminate Process [C0018] examples: diff --git a/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml b/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml index 4c3c5cd8d..f89b5939e 100644 --- a/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml +++ b/host-interaction/recycle-bin/empty-recycle-bin-quietly.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/recycle-bin authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Indicator Removal [T1070] references: diff --git a/host-interaction/registry/create-registry-key-via-offline-registry-library.yml b/host-interaction/registry/create-registry-key-via-offline-registry-library.yml index 654693767..9bdc2a61c 100644 --- a/host-interaction/registry/create-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/create-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/create/set-registry-value.yml b/host-interaction/registry/create/set-registry-value.yml index 63236890d..cea81e82b 100644 --- a/host-interaction/registry/create/set-registry-value.yml +++ b/host-interaction/registry/create/set-registry-value.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Operating System::Registry::Set Registry Key [C0036.001] examples: diff --git a/host-interaction/registry/delete/delete-registry-key.yml b/host-interaction/registry/delete/delete-registry-key.yml index f702e7a14..e24225d1c 100644 --- a/host-interaction/registry/delete/delete-registry-key.yml +++ b/host-interaction/registry/delete/delete-registry-key.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - johnk3r - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/delete/delete-registry-value.yml b/host-interaction/registry/delete/delete-registry-value.yml index f61c0461a..3cda90c89 100644 --- a/host-interaction/registry/delete/delete-registry-value.yml +++ b/host-interaction/registry/delete/delete-registry-value.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/registry/open-registry-key-via-offline-registry-library.yml b/host-interaction/registry/open-registry-key-via-offline-registry-library.yml index 7baadd03b..31f079f03 100644 --- a/host-interaction/registry/open-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/open-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread mbc: - Operating System::Registry::Open Registry Key [C0036.003] examples: diff --git a/host-interaction/registry/query-or-enumerate-registry-key.yml b/host-interaction/registry/query-or-enumerate-registry-key.yml index 5644e6431..cd270c9b7 100644 --- a/host-interaction/registry/query-or-enumerate-registry-key.yml +++ b/host-interaction/registry/query-or-enumerate-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/query-or-enumerate-registry-value.yml b/host-interaction/registry/query-or-enumerate-registry-value.yml index 5eaa5b664..69756d2cd 100644 --- a/host-interaction/registry/query-or-enumerate-registry-value.yml +++ b/host-interaction/registry/query-or-enumerate-registry-value.yml @@ -6,7 +6,9 @@ rule: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/query-registry-key-via-offline-registry-library.yml b/host-interaction/registry/query-registry-key-via-offline-registry-library.yml index 6092ed4cf..bdd075516 100644 --- a/host-interaction/registry/query-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/query-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Query Registry [T1012] mbc: diff --git a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml index dc1e84388..66b1a58dc 100644 --- a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml +++ b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml index dd481e8b0..584154277 100644 --- a/host-interaction/service/continue-service.yml +++ b/host-interaction/service/continue-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml index 5987994d7..6358c083d 100644 --- a/host-interaction/service/create/create-service.yml +++ b/host-interaction/service/create/create-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/create authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] diff --git a/host-interaction/service/delete/delete-service.yml b/host-interaction/service/delete/delete-service.yml index b704dd523..c29293288 100644 --- a/host-interaction/service/delete/delete-service.yml +++ b/host-interaction/service/delete/delete-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/delete authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/list/enumerate-services.yml b/host-interaction/service/list/enumerate-services.yml index 6c4bd7c6d..f44a101be 100644 --- a/host-interaction/service/list/enumerate-services.yml +++ b/host-interaction/service/list/enumerate-services.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/modify/modify-service.yml b/host-interaction/service/modify/modify-service.yml index 2ada512ed..333d9d677 100644 --- a/host-interaction/service/modify/modify-service.yml +++ b/host-interaction/service/modify/modify-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/modify authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml index 91bbafe99..069637958 100644 --- a/host-interaction/service/pause-service.yml +++ b/host-interaction/service/pause-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/query-service-configuration.yml b/host-interaction/service/query-service-configuration.yml index 539aab630..be7cfc339 100644 --- a/host-interaction/service/query-service-configuration.yml +++ b/host-interaction/service/query-service-configuration.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/query-service-status.yml b/host-interaction/service/query-service-status.yml index 0d7293103..7a670c831 100644 --- a/host-interaction/service/query-service-status.yml +++ b/host-interaction/service/query-service-status.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Service Discovery [T1007] examples: diff --git a/host-interaction/service/run-as-service.yml b/host-interaction/service/run-as-service.yml index d2fa5d425..503292a2d 100644 --- a/host-interaction/service/run-as-service.yml +++ b/host-interaction/service/run-as-service.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Conditional Execution::Runs as Service [B0025.007] examples: diff --git a/host-interaction/service/start/start-service.yml b/host-interaction/service/start/start-service.yml index a8ff5f63d..dfd23c7c9 100644 --- a/host-interaction/service/start/start-service.yml +++ b/host-interaction/service/start/start-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/start authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] examples: diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml index d1426f20b..f2d1641e6 100644 --- a/host-interaction/service/stop/stop-service.yml +++ b/host-interaction/service/stop/stop-service.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/service/stop authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Impact::Service Stop [T1489] diff --git a/host-interaction/session/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml index 06a668dbd..29f7a424a 100644 --- a/host-interaction/session/get-current-user-on-linux.yml +++ b/host-interaction/session/get-current-user-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-logon-sessions.yml b/host-interaction/session/get-logon-sessions.yml index 227959188..709563420 100644 --- a/host-interaction/session/get-logon-sessions.yml +++ b/host-interaction/session/get-logon-sessions.yml @@ -5,7 +5,9 @@ rule: authors: - awillia2@cisco.com description: Looks for imported Windows APIs being called to enumerate user sessions. - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Account Discovery [T1087] examples: diff --git a/host-interaction/session/get-session-integrity-level.yml b/host-interaction/session/get-session-integrity-level.yml index 7a5cd2a57..a07c7a25f 100644 --- a/host-interaction/session/get-session-integrity-level.yml +++ b/host-interaction/session/get-session-integrity-level.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml index 4938f799c..13164106c 100644 --- a/host-interaction/session/get-session-user-name.yml +++ b/host-interaction/session/get-session-user-name.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::System Owner/User Discovery [T1033] - Discovery::Account Discovery [T1087] diff --git a/host-interaction/session/get-token-membership.yml b/host-interaction/session/get-token-membership.yml index 731a695d2..54b399b12 100644 --- a/host-interaction/session/get-token-membership.yml +++ b/host-interaction/session/get-token-membership.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] examples: diff --git a/host-interaction/session/get-user-security-identifier.yml b/host-interaction/session/get-user-security-identifier.yml index 587c114ff..bf2c6ea4b 100644 --- a/host-interaction/session/get-user-security-identifier.yml +++ b/host-interaction/session/get-user-security-identifier.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Account Discovery [T1087] examples: diff --git a/host-interaction/software/get-installed-programs.yml b/host-interaction/software/get-installed-programs.yml index a91827675..b74d3164c 100644 --- a/host-interaction/software/get-installed-programs.yml +++ b/host-interaction/software/get-installed-programs.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Software Discovery [T1518] examples: diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml index bba2ea2eb..b91fa6865 100644 --- a/host-interaction/thread/create/create-thread.yml +++ b/host-interaction/thread/create/create-thread.yml @@ -7,7 +7,9 @@ rule: - michael.hunhoff@mandiant.com - joakim@intezer.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Create Thread [C0038] examples: diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml index 5b3757640..e431ae8fe 100644 --- a/host-interaction/thread/list/enumerate-threads.yml +++ b/host-interaction/thread/list/enumerate-threads.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/list authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Discovery::Process Discovery [T1057] mbc: diff --git a/host-interaction/thread/resume/resume-thread.yml b/host-interaction/thread/resume/resume-thread.yml index 2fa1c118f..26a4ee934 100644 --- a/host-interaction/thread/resume/resume-thread.yml +++ b/host-interaction/thread/resume/resume-thread.yml @@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Resume Thread [C0054] examples: diff --git a/host-interaction/thread/suspend/suspend-thread.yml b/host-interaction/thread/suspend/suspend-thread.yml index 563591c51..f3edf003c 100644 --- a/host-interaction/thread/suspend/suspend-thread.yml +++ b/host-interaction/thread/suspend/suspend-thread.yml @@ -5,7 +5,9 @@ rule: authors: - 0x534a@mailbox.org - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Suspend Thread [C0055] examples: diff --git a/host-interaction/thread/terminate/terminate-thread.yml b/host-interaction/thread/terminate/terminate-thread.yml index cfc7e63ce..3bf7356c8 100644 --- a/host-interaction/thread/terminate/terminate-thread.yml +++ b/host-interaction/thread/terminate/terminate-thread.yml @@ -6,7 +6,9 @@ rule: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Terminate Thread [C0039] examples: diff --git a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml index 83748e71d..7ffef285f 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/uac/bypass authors: - richard.cole@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml index 2b1b3a3f6..1e95c57b3 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/uac/bypass authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml index e8d34bf7d..b194594ba 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml @@ -5,7 +5,9 @@ rule: authors: - david.cannings@pwc.com - david@edeca.net - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml index 241175562..7a9795b1d 100644 --- a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml +++ b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml @@ -5,7 +5,9 @@ rule: authors: - richard.cole@mandiant.com - david.cannings@pwc.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml index 2aac42794..37b75b5c0 100644 --- a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml +++ b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/wmi authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Execution::Windows Management Instrumentation [T1047] examples: diff --git a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml index 47db03ce7..3f09f5379 100644 --- a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml +++ b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml @@ -4,7 +4,9 @@ rule: namespace: impact/inhibit-system-recovery authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Impact::Inhibit System Recovery [T1490] - Defense Evasion::Indicator Removal::File Deletion [T1070.004] diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml index 7fd1819f7..8d0a00f83 100644 --- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml +++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml @@ -4,7 +4,9 @@ rule: namespace: impact/wipe-disk/wipe-mbr authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Impact::Disk Wipe::Disk Structure Wipe [T1561.002] mbc: diff --git a/internal/limitation/file/internal-autohotkey-file-limitation.yml b/internal/limitation/file/internal-autohotkey-file-limitation.yml index 3a82e33d6..e7933ce13 100644 --- a/internal/limitation/file/internal-autohotkey-file-limitation.yml +++ b/internal/limitation/file/internal-autohotkey-file-limitation.yml @@ -11,7 +11,9 @@ rule: AutoHotkey was developed from AutoIT and the scripts may be similar. capa cannot handle AutoHotkey scripts. This means that the results will be misleading or incomplete. You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match examples: - 92D8EA10EA30E8B534334A1C9857A455 features: diff --git a/internal/limitation/file/internal-autoit-file-limitation.yml b/internal/limitation/file/internal-autoit-file-limitation.yml index 1d11979c7..885fa71fe 100644 --- a/internal/limitation/file/internal-autoit-file-limitation.yml +++ b/internal/limitation/file/internal-autoit-file-limitation.yml @@ -13,7 +13,9 @@ rule: AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI. capa cannot handle AutoIt scripts. This means that the results will be misleading or incomplete. You may have to analyze the file manually, using a tool like the AutoIt decompiler MyAut2Exe. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match examples: - 55D77AB16377A8A314982F723FCC6FAE features: diff --git a/internal/limitation/file/internal-installer-file-limitation.yml b/internal/limitation/file/internal-installer-file-limitation.yml index c12eaed29..8bc8e3ee9 100644 --- a/internal/limitation/file/internal-installer-file-limitation.yml +++ b/internal/limitation/file/internal-installer-file-limitation.yml @@ -11,7 +11,9 @@ rule: capa cannot handle installers well. This means the results may be misleading or incomplete. You should try to understand the install mechanism and analyze created files with capa. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match examples: - 70FD3347786ED7A4A43910E6778EF296 features: diff --git a/internal/limitation/file/internal-packer-file-limitation.yml b/internal/limitation/file/internal-packer-file-limitation.yml index 9789d54e3..3e505ede7 100644 --- a/internal/limitation/file/internal-packer-file-limitation.yml +++ b/internal/limitation/file/internal-packer-file-limitation.yml @@ -10,7 +10,9 @@ rule: Packed samples have often been obfuscated to hide their logic. capa cannot handle obfuscation well. This means the results may be misleading or incomplete. If possible, you should try to unpack this input file before analyzing it with capa. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match examples: - CD2CBA9E6313E8DF2C1273593E649682 features: diff --git a/internal/limitation/file/internal-visual-basic-file-limitation.yml b/internal/limitation/file/internal-visual-basic-file-limitation.yml index 20cc6dc4c..fe5a48fa1 100644 --- a/internal/limitation/file/internal-visual-basic-file-limitation.yml +++ b/internal/limitation/file/internal-visual-basic-file-limitation.yml @@ -11,7 +11,9 @@ rule: representation called P-Code. capa cannot handle Visual Basic executables well. This means that the results will be misleading or incomplete. You may have to analyze the file manually, for example using a tool like VB Decompiler. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match examples: - 9bca6b99e7981208af4c7925b96fb9cf features: diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index 60ab97f50..98bd2db58 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml @@ -4,7 +4,9 @@ rule: authors: - 0x534a@mailbox.org lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/lib/allocate-rw-memory.yml b/lib/allocate-rw-memory.yml index 25c085299..6b68e5cc3 100644 --- a/lib/allocate-rw-memory.yml +++ b/lib/allocate-rw-memory.yml @@ -4,7 +4,9 @@ rule: authors: - 0x534a@mailbox.org lib: true - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/lib/calculate-modulo-256-via-x86-assembly.yml b/lib/calculate-modulo-256-via-x86-assembly.yml index 694a307d6..c0743b52c 100644 --- a/lib/calculate-modulo-256-via-x86-assembly.yml +++ b/lib/calculate-modulo-256-via-x86-assembly.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: instruction + scopes: + static: instruction + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope mbc: - Data::Modulo [C0058] examples: diff --git a/lib/contain-loop.yml b/lib/contain-loop.yml index 6dcf5fdac..de32de048 100644 --- a/lib/contain-loop.yml +++ b/lib/contain-loop.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: function + scopes: + static: function + dynamic: thread examples: - 08AC667C65D36D6542917655571E61C8:0x406EAA features: diff --git a/lib/contain-pusha-popa-sequence.yml b/lib/contain-pusha-popa-sequence.yml index 1fbe9b256..c64513b88 100644 --- a/lib/contain-pusha-popa-sequence.yml +++ b/lib/contain-pusha-popa-sequence.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope examples: - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200 features: diff --git a/lib/create-or-open-file.yml b/lib/create-or-open-file.yml index 8cbc7f309..def162e81 100644 --- a/lib/create-or-open-file.yml +++ b/lib/create-or-open-file.yml @@ -5,7 +5,9 @@ rule: - michael.hunhoff@mandiant.com - joakim@intezer.com lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - File System::Create File [C0016] examples: diff --git a/lib/create-or-open-registry-key.yml b/lib/create-or-open-registry-key.yml index 3c2f6d566..58c2a1436 100644 --- a/lib/create-or-open-registry-key.yml +++ b/lib/create-or-open-registry-key.yml @@ -5,7 +5,9 @@ rule: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Operating System::Registry::Create Registry Key [C0036.004] - Operating System::Registry::Open Registry Key [C0036.003] diff --git a/lib/create-or-open-section-object.yml b/lib/create-or-open-section-object.yml index 75968e983..6def76aeb 100644 --- a/lib/create-or-open-section-object.yml +++ b/lib/create-or-open-section-object.yml @@ -4,7 +4,9 @@ rule: authors: - william.ballenthin@mandiant.com lib: true - scope: function + scopes: + static: function + dynamic: thread examples: - daa13ae302fe8b618ddbf590537443ef:0x401116 features: diff --git a/lib/delay-execution.yml b/lib/delay-execution.yml index 14448a5b6..71c1a0182 100644 --- a/lib/delay-execution.yml +++ b/lib/delay-execution.yml @@ -5,7 +5,9 @@ rule: - michael.hunhoff@mandiant.com - "@ramen0x3f" lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003] references: diff --git a/lib/duplicate-stdin-and-stdout.yml b/lib/duplicate-stdin-and-stdout.yml index ed94dbf69..84091724a 100644 --- a/lib/duplicate-stdin-and-stdout.yml +++ b/lib/duplicate-stdin-and-stdout.yml @@ -4,7 +4,9 @@ rule: authors: - joakim@intezer.com lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead examples: - 7351f8a40c5450557b24622417fc478d:0x40236D features: diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml index 4ef45d0c1..c18ad1b3c 100644 --- a/lib/get-os-version.yml +++ b/lib/get-os-version.yml @@ -4,7 +4,9 @@ rule: authors: - "@mr-tz" lib: true - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match examples: - 493167E85E45363D09495D0841C30648:0x401000 - 5f66b82558ca92e54e77f216ef4c066c:0x44580A diff --git a/lib/get-service-handle.yml b/lib/get-service-handle.yml index 703555c7b..d33c6e2ff 100644 --- a/lib/get-service-handle.yml +++ b/lib/get-service-handle.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: function + scopes: + static: function + dynamic: thread examples: - Practical Malware Analysis Lab 03-02.dll_:0x10004706 features: diff --git a/lib/open-process.yml b/lib/open-process.yml index 684fc4fa6..7981b6891 100644 --- a/lib/open-process.yml +++ b/lib/open-process.yml @@ -4,7 +4,9 @@ rule: authors: - 0x534a@mailbox.org lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Open Process [C0065] examples: diff --git a/lib/open-thread.yml b/lib/open-thread.yml index 60b0aca59..a08e99cad 100644 --- a/lib/open-thread.yml +++ b/lib/open-thread.yml @@ -4,7 +4,9 @@ rule: authors: - 0x534a@mailbox.org lib: true - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Process::Open Thread [C0066] examples: diff --git a/lib/peb-access.yml b/lib/peb-access.yml index 00a76905b..c08186054 100644 --- a/lib/peb-access.yml +++ b/lib/peb-access.yml @@ -4,7 +4,9 @@ rule: authors: - michael.hunhoff@mandiant.com lib: true - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block [B0001.019] references: diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml index df9a211a7..991dba93c 100644 --- a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml +++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml @@ -4,7 +4,9 @@ rule: authors: - "@_re_fox" lib: true - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Checksum::Luhn [C0032.002] examples: diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml index 576ba2e52..59167f70c 100644 --- a/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml +++ b/lib/validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml @@ -4,7 +4,9 @@ rule: authors: - "@_re_fox" lib: true - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Checksum::Luhn [C0032.002] examples: diff --git a/lib/write-process-memory.yml b/lib/write-process-memory.yml index e5e2dd368..428312f36 100644 --- a/lib/write-process-memory.yml +++ b/lib/write-process-memory.yml @@ -4,7 +4,9 @@ rule: authors: - moritz.raabe@mandiant.com lib: true - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Process Injection [T1055] examples: diff --git a/linking/runtime-linking/access-peb-ldr_data.yml b/linking/runtime-linking/access-peb-ldr_data.yml index 1dbce3e2b..778bddfa0 100644 --- a/linking/runtime-linking/access-peb-ldr_data.yml +++ b/linking/runtime-linking/access-peb-ldr_data.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Shared Modules [T1129] references: diff --git a/linking/runtime-linking/get-kernel32-base-address.yml b/linking/runtime-linking/get-kernel32-base-address.yml index c8d89557e..0624a6096 100644 --- a/linking/runtime-linking/get-kernel32-base-address.yml +++ b/linking/runtime-linking/get-kernel32-base-address.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Shared Modules [T1129] references: diff --git a/linking/runtime-linking/get-ntdll-base-address.yml b/linking/runtime-linking/get-ntdll-base-address.yml index bddd293cf..63382ceb2 100644 --- a/linking/runtime-linking/get-ntdll-base-address.yml +++ b/linking/runtime-linking/get-ntdll-base-address.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - moritz.raabe@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Shared Modules [T1129] references: diff --git a/linking/runtime-linking/link-function-at-runtime-on-windows.yml b/linking/runtime-linking/link-function-at-runtime-on-windows.yml index fabedd42b..42d0892b5 100644 --- a/linking/runtime-linking/link-function-at-runtime-on-windows.yml +++ b/linking/runtime-linking/link-function-at-runtime-on-windows.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml index b5b765918..f4f6e1893 100644 --- a/linking/runtime-linking/link-many-functions-at-runtime.yml +++ b/linking/runtime-linking/link-many-functions-at-runtime.yml @@ -5,7 +5,9 @@ rule: authors: - moritz.raabe@mandiant.com - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml index f7a79c99c..8919a88a1 100644 --- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml +++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml @@ -5,7 +5,9 @@ rule: authors: - jakub.jozwiak@mandiant.com description: Custom API hashing algorithm used in Brute Ratel Badger (version 1.3 or higher) - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007] mbc: diff --git a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml index 6b9a3a710..e1181cc78 100644 --- a/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml +++ b/linking/runtime-linking/resolve-function-by-fin8-fasthash.yml @@ -5,7 +5,9 @@ rule: authors: - "@r3c0nst (Frank Boldewin)" description: APIHashing algorithm derived from a fasthash implementation in OpenCPN using seeds - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Cryptography::Cryptographic Hash [C0029] references: diff --git a/linking/static/aplib/linked-against-aplib.yml b/linking/static/aplib/linked-against-aplib.yml index 481c8c2a7..c0198168a 100644 --- a/linking/static/aplib/linked-against-aplib.yml +++ b/linking/static/aplib/linked-against-aplib.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/aplib authors: - still@teamt5.org - scope: file + scopes: + static: file + dynamic: file mbc: - Data::Compression Library [C0060] examples: diff --git a/linking/static/cryptopp/linked-against-crypto.yml b/linking/static/cryptopp/linked-against-crypto.yml index 3e021972b..9de6aada8 100644 --- a/linking/static/cryptopp/linked-against-crypto.yml +++ b/linking/static/cryptopp/linked-against-crypto.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/cryptopp authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] examples: diff --git a/linking/static/libcurl/linked-against-libcurl.yml b/linking/static/libcurl/linked-against-libcurl.yml index d6dcbaca3..6f1bfc0a8 100644 --- a/linking/static/libcurl/linked-against-libcurl.yml +++ b/linking/static/libcurl/linked-against-libcurl.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/libcurl authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - A90E5B3454AA71D9700B2EA54615F44B features: diff --git a/linking/static/linked-against-cpp-standard-library.yml b/linking/static/linked-against-cpp-standard-library.yml index e76823970..cb889b5af 100644 --- a/linking/static/linked-against-cpp-standard-library.yml +++ b/linking/static/linked-against-cpp-standard-library.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static authors: - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file references: - https://en.wikipedia.org/wiki/P._J._Plauger - https://www.dinkumware.com/ diff --git a/linking/static/msdetours/linked-against-microsoft-detours.yml b/linking/static/msdetours/linked-against-microsoft-detours.yml index 7b3fee0dd..41b7ae5fa 100644 --- a/linking/static/msdetours/linked-against-microsoft-detours.yml +++ b/linking/static/msdetours/linked-against-microsoft-detours.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/msdetours authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Hijack Execution Flow [T1574] references: diff --git a/linking/static/openssl/linked-against-openssl.yml b/linking/static/openssl/linked-against-openssl.yml index 495191269..4f49aea81 100644 --- a/linking/static/openssl/linked-against-openssl.yml +++ b/linking/static/openssl/linked-against-openssl.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] examples: diff --git a/linking/static/polarssl/linked-against-polarsslmbed-tls.yml b/linking/static/polarssl/linked-against-polarsslmbed-tls.yml index 6d2fa7e1a..59e0fb72d 100644 --- a/linking/static/polarssl/linked-against-polarsslmbed-tls.yml +++ b/linking/static/polarssl/linked-against-polarsslmbed-tls.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/polarssl authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] examples: diff --git a/linking/static/sqlite3/linked-against-cppsqlite3.yml b/linking/static/sqlite3/linked-against-cppsqlite3.yml index 43d3c5f6d..4ecd58605 100644 --- a/linking/static/sqlite3/linked-against-cppsqlite3.yml +++ b/linking/static/sqlite3/linked-against-cppsqlite3.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/sqlite3 authors: - still@teamt5.org - scope: file + scopes: + static: file + dynamic: file examples: - 253309d8b3675d3cc61d4bf23aa15d4b features: diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml index ee20789b4..71512cf73 100644 --- a/linking/static/sqlite3/linked-against-sqlite3.yml +++ b/linking/static/sqlite3/linked-against-sqlite3.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/sqlite3 authors: - still@teamt5.org - scope: file + scopes: + static: file + dynamic: file examples: - 253309d8b3675d3cc61d4bf23aa15d4b features: diff --git a/linking/static/wolfcrypt/linked-against-wolfcrypt.yml b/linking/static/wolfcrypt/linked-against-wolfcrypt.yml index fb8690291..c5b84f04b 100644 --- a/linking/static/wolfcrypt/linked-against-wolfcrypt.yml +++ b/linking/static/wolfcrypt/linked-against-wolfcrypt.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/wolfcrypt authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] references: diff --git a/linking/static/wolfssl/linked-against-wolfssl.yml b/linking/static/wolfssl/linked-against-wolfssl.yml index f520af08f..b27f04957 100644 --- a/linking/static/wolfssl/linked-against-wolfssl.yml +++ b/linking/static/wolfssl/linked-against-wolfssl.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/wolfssl authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] references: diff --git a/linking/static/zlib/linked-against-zlib.yml b/linking/static/zlib/linked-against-zlib.yml index 072a489b0..e4a0ce80d 100644 --- a/linking/static/zlib/linked-against-zlib.yml +++ b/linking/static/zlib/linked-against-zlib.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/zlib authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Data::Compression Library [C0060] examples: diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml index de821ea11..d7c491d65 100644 --- a/load-code/dotnet/load-windows-common-language-runtime.yml +++ b/load-code/dotnet/load-windows-common-language-runtime.yml @@ -7,7 +7,9 @@ rule: - michael.hunhoff@mandiant.com - blas.kojusner@mandiant.com - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match references: - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c diff --git a/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml b/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml index 0c157efb9..ca2056f20 100644 --- a/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml +++ b/load-code/execute-vbscript-javascript-or-jscript-in-memory.yml @@ -6,7 +6,9 @@ rule: authors: - blas.kojusner@mandiant.com description: the sample may execute 32-bit VBScript, JavaScript, or JScript (32-bit) - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063 examples: diff --git a/load-code/pe/access-pe-header.yml b/load-code/pe/access-pe-header.yml index 25976dad8..926024dfb 100644 --- a/load-code/pe/access-pe-header.yml +++ b/load-code/pe/access-pe-header.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml index f9cc1eb08..d2d6783ea 100644 --- a/load-code/pe/enumerate-pe-sections.yml +++ b/load-code/pe/enumerate-pe-sections.yml @@ -5,7 +5,9 @@ rule: authors: - "@Ana06" - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Discovery::Code Discovery::Enumerate PE Sections [B0046.001] references: diff --git a/load-code/pe/inject-dll-reflectively.yml b/load-code/pe/inject-dll-reflectively.yml index 210a16d68..1967e2f24 100644 --- a/load-code/pe/inject-dll-reflectively.yml +++ b/load-code/pe/inject-dll-reflectively.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - "@Ana06" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001] - Defense Evasion::Reflective Code Loading [T1620] diff --git a/load-code/pe/inspect-section-memory-permissions.yml b/load-code/pe/inspect-section-memory-permissions.yml index 499d334da..1c5383ad5 100644 --- a/load-code/pe/inspect-section-memory-permissions.yml +++ b/load-code/pe/inspect-section-memory-permissions.yml @@ -5,7 +5,9 @@ rule: authors: - "@Ana06" description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants" - scope: function + scopes: + static: function + dynamic: thread mbc: - Discovery::Code Discovery::Inspect Section Memory Permissions [B0046.002] examples: diff --git a/load-code/pe/parse-pe-header.yml b/load-code/pe/parse-pe-header.yml index 5820c0a3c..dec51f084 100644 --- a/load-code/pe/parse-pe-header.yml +++ b/load-code/pe/parse-pe-header.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Execution::Shared Modules [T1129] examples: diff --git a/load-code/pe/rebuild-import-table.yml b/load-code/pe/rebuild-import-table.yml index 93782a13d..e09a03f6e 100644 --- a/load-code/pe/rebuild-import-table.yml +++ b/load-code/pe/rebuild-import-table.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - "@Ana06" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Defense Evasion::Hijack Execution Flow::Import Address Table Hooking [F0015.003] references: diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports.yml b/load-code/pe/resolve-function-by-parsing-pe-exports.yml index f5b15bf76..592bec96f 100755 --- a/load-code/pe/resolve-function-by-parsing-pe-exports.yml +++ b/load-code/pe/resolve-function-by-parsing-pe-exports.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - sara-rn - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope examples: - 73CE04892E5F39EC82B00C02FC04C70F:0x406BA1 features: diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml index 00d86d983..1c35b86d3 100644 --- a/load-code/powershell/run-powershell-expression.yml +++ b/load-code/powershell/run-powershell-expression.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/powershell/ authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Command and Scripting Interpreter::PowerShell [T1059.001] mbc: diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml index 98b81bee6..29d8df99e 100644 --- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml +++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match references: - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CopyFile2/CopyFile2.cpp examples: diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml index 6f8379bfe..1216b18a7 100644 --- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml +++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match references: - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp examples: diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml index a95f9d2dc..58a5c31a2 100644 --- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml +++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml @@ -6,7 +6,9 @@ rule: - ervin.ocampo@mandiant.com - jakub.jozwiak@mandiant.com description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Reflective Code Loading [T1620] mbc: diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml index 7524d1867..9039b9c1d 100644 --- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml +++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Defense Evasion::Process Injection::Injection via Windows Fibers [E1055.m05] references: diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml index 7920143b6..71fe9e4b7 100644 --- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml +++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Memory::Allocate Memory [C0007] - Process::Create Thread [C0038] diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml index ca2e552d5..beebe7dd9 100644 --- a/malware-family/plugx/match-known-plugx-module.yml +++ b/malware-family/plugx/match-known-plugx-module.yml @@ -6,7 +6,9 @@ rule: authors: - still@teamt5.org description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode) - scope: function + scopes: + static: function + dynamic: thread references: - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html diff --git a/nursery/access-wmi-data-in-dotnet.yml b/nursery/access-wmi-data-in-dotnet.yml index 589a18b0f..1ea66ad56 100644 --- a/nursery/access-wmi-data-in-dotnet.yml +++ b/nursery/access-wmi-data-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/wmi authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Windows Management Instrumentation [T1047] features: diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml index 5988a5180..b3502781c 100644 --- a/nursery/add-file-to-cabinet-file.yml +++ b/nursery/add-file-to-cabinet-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files features: diff --git a/nursery/add-user-account-group.yml b/nursery/add-user-account-group.yml index 3e2da64ba..cd994eeb0 100644 --- a/nursery/add-user-account-group.yml +++ b/nursery/add-user-account-group.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Account Manipulation [T1098] features: diff --git a/nursery/add-user-account-to-group.yml b/nursery/add-user-account-to-group.yml index 220820755..e3f1bf243 100644 --- a/nursery/add-user-account-to-group.yml +++ b/nursery/add-user-account-to-group.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Account Manipulation [T1098] features: diff --git a/nursery/add-user-account.yml b/nursery/add-user-account.yml index a1941a4ec..75ddd15f1 100644 --- a/nursery/add-user-account.yml +++ b/nursery/add-user-account.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Create Account [T1136] features: diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml index 2cc527b55..9e338a0b9 100644 --- a/nursery/add-value-to-global-atom-table.yml +++ b/nursery/add-value-to-global-atom-table.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/inject authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread references: - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows - https://github.com/BreakingMalwareResearch/atom-bombing diff --git a/nursery/allocate-unmanaged-memory-in-dotnet.yml b/nursery/allocate-unmanaged-memory-in-dotnet.yml index fc9042faf..159993c2c 100644 --- a/nursery/allocate-unmanaged-memory-in-dotnet.yml +++ b/nursery/allocate-unmanaged-memory-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/memory authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Runtime.InteropServices.Marshal::AllocHGlobal diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml index 10d585e0f..07ecd9e58 100755 --- a/nursery/append-data-to-clfs-log-container.yml +++ b/nursery/append-data-to-clfs-log-container.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/log/clfs/append authors: - blaine.stancill@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/windows/win32/api/clfsw32/ - https://github.com/libyal/libfsclfs/blob/main/documenation/Common%20Log%20File%20System%20(CLFS).asciidoc diff --git a/nursery/authenticate-data-with-md5-mac.yml b/nursery/authenticate-data-with-md5-mac.yml index 78766a9fa..de036f491 100644 --- a/nursery/authenticate-data-with-md5-mac.yml +++ b/nursery/authenticate-data-with-md5-mac.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/md5 authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Cryptographic Hash::MD5 [C0029.001] references: diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml index 2a20b4cd0..b7d08f5ac 100644 --- a/nursery/build-docker-image.yml +++ b/nursery/build-docker-image.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/container/docker authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Build Image on Host [T1612] references: diff --git a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml index ffe9bdf62..69e503ba4 100644 --- a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml +++ b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/uac/bypass authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/nursery/capture-network-configuration-via-ifconfig.yml b/nursery/capture-network-configuration-via-ifconfig.yml index e6a073cfa..42db889cd 100644 --- a/nursery/capture-network-configuration-via-ifconfig.yml +++ b/nursery/capture-network-configuration-via-ifconfig.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - joakim@intezeer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/capture-process-snapshot-data.yml b/nursery/capture-process-snapshot-data.yml index 526aa1096..be2c11831 100644 --- a/nursery/capture-process-snapshot-data.yml +++ b/nursery/capture-process-snapshot-data.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/dump authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: PssCaptureSnapshot diff --git a/nursery/capture-screenshot-in-go.yml b/nursery/capture-screenshot-in-go.yml index 7dca50c9b..93d31b3e6 100644 --- a/nursery/capture-screenshot-in-go.yml +++ b/nursery/capture-screenshot-in-go.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com description: Detects screenshot capability via WinAPI for Go files. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Collection::Screen Capture [T1113] mbc: diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml index e41a3ad3b..733ae72c3 100644 --- a/nursery/capture-webcam-video.yml +++ b/nursery/capture-webcam-video.yml @@ -5,7 +5,9 @@ rule: authors: - "@johnk3r" description: Rule that detects a system's webcam being used to capture video - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Collection::Video Capture [T1125] features: diff --git a/nursery/change-user-account-password.yml b/nursery/change-user-account-password.yml index 1de2ea6bc..613c92d74 100644 --- a/nursery/change-user-account-password.yml +++ b/nursery/change-user-account-password.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Account Manipulation [T1098] features: diff --git a/nursery/check-clipboard-data.yml b/nursery/check-clipboard-data.yml index b3c00610c..23d66aa33 100644 --- a/nursery/check-clipboard-data.yml +++ b/nursery/check-clipboard-data.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/clipboard authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/check-file-extension-in-dotnet.yml b/nursery/check-file-extension-in-dotnet.yml index 0b9b48113..9ab065681 100644 --- a/nursery/check-file-extension-in-dotnet.yml +++ b/nursery/check-file-extension-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.IO.Path::GetExtension diff --git a/nursery/check-for-minimum-number-of-windows-on-screen.yml b/nursery/check-for-minimum-number-of-windows-on-screen.yml index cc986f1b8..72b9cd07f 100644 --- a/nursery/check-for-minimum-number-of-windows-on-screen.yml +++ b/nursery/check-for-minimum-number-of-windows-on-screen.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - echernofsky@google.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] references: diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml index 17d51481d..d1e05d8e3 100644 --- a/nursery/check-for-process-debug-object.yml +++ b/nursery/check-for-process-debug-object.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references: diff --git a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml index 20a593822..49ff4604f 100644 --- a/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml +++ b/nursery/check-for-sandbox-via-mac-address-ouis-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - jonathanlepore@google.com description: detects sandbox detection via mac address organizationally unique identifiers (OUIs). Based off publicly available CSharpShooter/CheckPlease.cs - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/check-for-vm-using-instruction-vpcext.yml b/nursery/check-for-vm-using-instruction-vpcext.yml index 619dd4540..7b6aefedc 100644 --- a/nursery/check-for-vm-using-instruction-vpcext.yml +++ b/nursery/check-for-vm-using-instruction-vpcext.yml @@ -6,7 +6,9 @@ rule: authors: - richard.weiss@mandiant.com description: Detects virtualization using VPCEXT (visual property container extender) instruction. Execution of this instruction will cause an illegal instruction exception outside of a virtual environment otherwise return 0 - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion [T1497] mbc: diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml index 0e6fe3ac5..595520440 100644 --- a/nursery/check-for-windows-sandbox-via-mutex.yml +++ b/nursery/check-for-windows-sandbox-via-mutex.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml index d073f4454..a2026b33c 100644 --- a/nursery/check-for-windows-sandbox-via-subdirectory.yml +++ b/nursery/check-for-windows-sandbox-via-subdirectory.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - "echernofsky@google.com" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/check-if-directory-exists.yml b/nursery/check-if-directory-exists.yml index 8cc5b3ac3..569073d3f 100644 --- a/nursery/check-if-directory-exists.yml +++ b/nursery/check-if-directory-exists.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/exists authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::File and Directory Discovery [T1083] features: diff --git a/nursery/check-license-value.yml b/nursery/check-license-value.yml index e6d979eef..bcf84c1e1 100644 --- a/nursery/check-license-value.yml +++ b/nursery/check-license-value.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] references: diff --git a/nursery/check-processdebugflags.yml b/nursery/check-processdebugflags.yml index e9989d6d0..da33fa7d2 100644 --- a/nursery/check-processdebugflags.yml +++ b/nursery/check-processdebugflags.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references: diff --git a/nursery/check-systemkerneldebuggerinformation.yml b/nursery/check-systemkerneldebuggerinformation.yml index 5d5c7282e..212a4caae 100644 --- a/nursery/check-systemkerneldebuggerinformation.yml +++ b/nursery/check-systemkerneldebuggerinformation.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references: diff --git a/nursery/check-thread-yield-allowed.yml b/nursery/check-thread-yield-allowed.yml index c13f61a8a..9f7e415b9 100644 --- a/nursery/check-thread-yield-allowed.yml +++ b/nursery/check-thread-yield-allowed.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging/debugger-detection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Anti-Behavioral Analysis::Debugger Detection::NtYieldExecution/SwitchToThread [B0001.015] references: diff --git a/nursery/clear-clipboard-data.yml b/nursery/clear-clipboard-data.yml index dba3bbbc9..8f9ad3ca0 100644 --- a/nursery/clear-clipboard-data.yml +++ b/nursery/clear-clipboard-data.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/clipboard authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml index 0001f9295..bdfcb0cec 100644 --- a/nursery/collect-ssh-keys.yml +++ b/nursery/collect-ssh-keys.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Credential Access::Unsecured Credentials::Private Keys [T1552.004] features: diff --git a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml index 1c0b9f1a2..76f9cbd9a 100644 --- a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml +++ b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html) - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/compare-security-identifiers.yml b/nursery/compare-security-identifiers.yml index 4da0abd3d..31e8aec81 100644 --- a/nursery/compare-security-identifiers.yml +++ b/nursery/compare-security-identifiers.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/sid authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: advapi32.EqualSid diff --git a/nursery/compile-csharp-in-dotnet.yml b/nursery/compile-csharp-in-dotnet.yml index e910bc3a4..d15aec767 100644 --- a/nursery/compile-csharp-in-dotnet.yml +++ b/nursery/compile-csharp-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet/csharp authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features: diff --git a/nursery/compile-dotnet-assembly.yml b/nursery/compile-dotnet-assembly.yml index c26b5cd94..cad312ca7 100644 --- a/nursery/compile-dotnet-assembly.yml +++ b/nursery/compile-dotnet-assembly.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features: diff --git a/nursery/compile-visual-basic-in-dotnet.yml b/nursery/compile-visual-basic-in-dotnet.yml index 4958676d7..7ff7873f2 100644 --- a/nursery/compile-visual-basic-in-dotnet.yml +++ b/nursery/compile-visual-basic-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet/vb authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features: diff --git a/nursery/compiled-from-epl.yml b/nursery/compiled-from-epl.yml index e9a8f3b9f..b3db95f3a 100644 --- a/nursery/compiled-from-epl.yml +++ b/nursery/compiled-from-epl.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/epl authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.hexacorn.com/blog/2019/02/13/pe-files-and-the-easy-programming-language-epl/ features: diff --git a/nursery/compiled-with-exescript.yml b/nursery/compiled-with-exescript.yml index 4a50df497..c5c602f9a 100644 --- a/nursery/compiled-with-exescript.yml +++ b/nursery/compiled-with-exescript.yml @@ -4,7 +4,9 @@ rule: namespace: compiler/exescript authors: - jonathanlepore@google.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://www.hide-folder.com/overview/hf_7.html features: diff --git a/nursery/compress-data-using-gzip-in-dotnet.yml b/nursery/compress-data-using-gzip-in-dotnet.yml index ad9b473a6..51d4a9bc2 100644 --- a/nursery/compress-data-using-gzip-in-dotnet.yml +++ b/nursery/compress-data-using-gzip-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/compression authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Archive Collected Data::Archive via Library [T1560.002] mbc: diff --git a/nursery/connect-network-resource.yml b/nursery/connect-network-resource.yml index d8bf343c9..2394a08a0 100644 --- a/nursery/connect-network-resource.yml +++ b/nursery/connect-network-resource.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: connect to disk or print resource - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml b/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml index 76bec757f..37476ca40 100644 --- a/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml +++ b/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: .NET file contains uncommon TLS section - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://washi.dev/blog/posts/entry-points/ features: diff --git a/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml index 03ff61292..8209047fd 100644 --- a/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml +++ b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/xor authors: - dan.kelly@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/create-container.yml b/nursery/create-container.yml index 52a025f18..bcc4788be 100644 --- a/nursery/create-container.yml +++ b/nursery/create-container.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/container/docker authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Deploy Container [T1610] references: diff --git a/nursery/create-process-via-wmi-in-dotnet.yml b/nursery/create-process-via-wmi-in-dotnet.yml index d03178ec1..92d4d7764 100644 --- a/nursery/create-process-via-wmi-in-dotnet.yml +++ b/nursery/create-process-via-wmi-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/wmi authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Windows Management Instrumentation [T1047] features: diff --git a/nursery/create-registry-key-via-stdregprov.yml b/nursery/create-registry-key-via-stdregprov.yml index c5b7558dd..41d27b5b5 100644 --- a/nursery/create-registry-key-via-stdregprov.yml +++ b/nursery/create-registry-key-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/create-restart-manager-session.yml b/nursery/create-restart-manager-session.yml index 434c2e278..edb7cd3d9 100644 --- a/nursery/create-restart-manager-session.yml +++ b/nursery/create-restart-manager-session.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware - scope: function + scopes: + static: function + dynamic: thread references: - https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/ features: diff --git a/nursery/create-zip-archive-in-dotnet.yml b/nursery/create-zip-archive-in-dotnet.yml index 3025a14b7..53b2e0040 100644 --- a/nursery/create-zip-archive-in-dotnet.yml +++ b/nursery/create-zip-archive-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/compression authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - optional: diff --git a/nursery/debug-build.yml b/nursery/debug-build.yml index 020d6f822..e3cd54cf1 100644 --- a/nursery/debug-build.yml +++ b/nursery/debug-build.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe/debug authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file features: - or: - string: "Assertion failed!" diff --git a/nursery/decode-data-using-base64-in-dotnet.yml b/nursery/decode-data-using-base64-in-dotnet.yml index 4037304fd..c89272205 100644 --- a/nursery/decode-data-using-base64-in-dotnet.yml +++ b/nursery/decode-data-using-base64-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/base64 authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] mbc: diff --git a/nursery/decode-data-using-url-encoding.yml b/nursery/decode-data-using-url-encoding.yml index 87d9e45e8..1d71307d9 100644 --- a/nursery/decode-data-using-url-encoding.yml +++ b/nursery/decode-data-using-url-encoding.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encoding/url authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/decrypt-data-using-rsa.yml b/nursery/decrypt-data-using-rsa.yml index 63e3fde98..dbdf5b165 100644 --- a/nursery/decrypt-data-using-rsa.yml +++ b/nursery/decrypt-data-using-rsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] mbc: diff --git a/nursery/decrypt-data-via-sspi.yml b/nursery/decrypt-data-via-sspi.yml index 4d3435050..acf79c52a 100644 --- a/nursery/decrypt-data-via-sspi.yml +++ b/nursery/decrypt-data-via-sspi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] references: diff --git a/nursery/delete-internet-cache.yml b/nursery/delete-internet-cache.yml index e7e96112d..7a5bab3c9 100644 --- a/nursery/delete-internet-cache.yml +++ b/nursery/delete-internet-cache.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/internet/cache authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - match: enumerate internet cache diff --git a/nursery/delete-registry-key-via-offline-registry-library.yml b/nursery/delete-registry-key-via-offline-registry-library.yml index ce67f0ff7..848ab9dc1 100644 --- a/nursery/delete-registry-key-via-offline-registry-library.yml +++ b/nursery/delete-registry-key-via-offline-registry-library.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/registry authors: - johnk3r - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Modify Registry [T1112] mbc: diff --git a/nursery/delete-registry-key-via-stdregprov.yml b/nursery/delete-registry-key-via-stdregprov.yml index 93f218fe3..2db744a1d 100644 --- a/nursery/delete-registry-key-via-stdregprov.yml +++ b/nursery/delete-registry-key-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/delete-registry-value-via-stdregprov.yml b/nursery/delete-registry-value-via-stdregprov.yml index 946da742c..3ac76ac57 100644 --- a/nursery/delete-registry-value-via-stdregprov.yml +++ b/nursery/delete-registry-value-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/delete-user-account-from-group.yml b/nursery/delete-user-account-from-group.yml index 6b5038712..fbe55d0b3 100644 --- a/nursery/delete-user-account-from-group.yml +++ b/nursery/delete-user-account-from-group.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Account Manipulation [T1098] features: diff --git a/nursery/delete-user-account-group.yml b/nursery/delete-user-account-group.yml index 4cec4502f..29a88fe3f 100644 --- a/nursery/delete-user-account-group.yml +++ b/nursery/delete-user-account-group.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Account Manipulation [T1098] features: diff --git a/nursery/delete-user-account.yml b/nursery/delete-user-account.yml index 0c9242819..7c7756a86 100644 --- a/nursery/delete-user-account.yml +++ b/nursery/delete-user-account.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Impact::Account Access Removal [T1531] features: diff --git a/nursery/delete-windows-backup-catalog.yml b/nursery/delete-windows-backup-catalog.yml index 964984739..a2b5955ed 100644 --- a/nursery/delete-windows-backup-catalog.yml +++ b/nursery/delete-windows-backup-catalog.yml @@ -4,7 +4,9 @@ rule: namespace: impact/inhibit-system-recovery authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Impact::Inhibit System Recovery [T1490] features: diff --git a/nursery/deserialize-json-in-dotnet.yml b/nursery/deserialize-json-in-dotnet.yml index e9f458988..fbf8381d4 100644 --- a/nursery/deserialize-json-in-dotnet.yml +++ b/nursery/deserialize-json-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/json authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Web.Script.Serialization.JavaScriptSerializer::Deserialize diff --git a/nursery/destroy-software-breakpoint-capability.yml b/nursery/destroy-software-breakpoint-capability.yml index 3a6499bc5..dca3106c9 100644 --- a/nursery/destroy-software-breakpoint-capability.yml +++ b/nursery/destroy-software-breakpoint-capability.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-debugging authors: - echernofsky@google.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.microsoft.com/en-us/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ - https://anti-debug.checkpoint.com/techniques/assembly.html diff --git a/nursery/disable-automatic-windows-recovery-features.yml b/nursery/disable-automatic-windows-recovery-features.yml index d58513ddd..518065403 100644 --- a/nursery/disable-automatic-windows-recovery-features.yml +++ b/nursery/disable-automatic-windows-recovery-features.yml @@ -4,7 +4,9 @@ rule: namespace: impact/inhibit-system-recovery authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Impact::Inhibit System Recovery [T1490] features: diff --git a/nursery/display-service-notification-message-box.yml b/nursery/display-service-notification-message-box.yml index ae3ca40a4..7bf65439a 100644 --- a/nursery/display-service-notification-message-box.yml +++ b/nursery/display-service-notification-message-box.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - number: 0x200000 = service notification diff --git a/nursery/empty-the-recycle-bin.yml b/nursery/empty-the-recycle-bin.yml index 051486aa4..bac27732d 100644 --- a/nursery/empty-the-recycle-bin.yml +++ b/nursery/empty-the-recycle-bin.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/recycle-bin authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: SHEmptyRecycleBin diff --git a/nursery/enable-safe-mode-boot.yml b/nursery/enable-safe-mode-boot.yml index 7fea17952..1807ee023 100644 --- a/nursery/enable-safe-mode-boot.yml +++ b/nursery/enable-safe-mode-boot.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/bootloader authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009] features: diff --git a/nursery/encrypt-data-using-aes-via-x86-extensions.yml b/nursery/encrypt-data-using-aes-via-x86-extensions.yml index 778dfabb6..8632109e5 100644 --- a/nursery/encrypt-data-using-aes-via-x86-extensions.yml +++ b/nursery/encrypt-data-using-aes-via-x86-extensions.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-aes.yml b/nursery/encrypt-data-using-aes.yml index db463beea..9283d1c55 100644 --- a/nursery/encrypt-data-using-aes.yml +++ b/nursery/encrypt-data-using-aes.yml @@ -6,7 +6,9 @@ rule: authors: - william.ballenthin@mandiant.com - Ivan Kwiatkowski (@JusticeRage) - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-fakem-cipher.yml b/nursery/encrypt-data-using-fakem-cipher.yml index af5189ef6..e3d19338c 100644 --- a/nursery/encrypt-data-using-fakem-cipher.yml +++ b/nursery/encrypt-data-using-fakem-cipher.yml @@ -6,7 +6,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: Detect custom encryption cipher used by FAKEM malware family - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-openssl-dsa.yml b/nursery/encrypt-data-using-openssl-dsa.yml index cbb259b83..e75d79dc3 100644 --- a/nursery/encrypt-data-using-openssl-dsa.yml +++ b/nursery/encrypt-data-using-openssl-dsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/dsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://github.com/openssl/openssl/blob/fdc5043d58900663b493147298e64f11353b35fe/crypto/objects/obj_dat.h features: diff --git a/nursery/encrypt-data-using-openssl-ecdsa.yml b/nursery/encrypt-data-using-openssl-ecdsa.yml index 141c9a5f6..a7254ecdd 100644 --- a/nursery/encrypt-data-using-openssl-ecdsa.yml +++ b/nursery/encrypt-data-using-openssl-ecdsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/ecdsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://github.com/openssl/openssl/blob/fdc5043d58900663b493147298e64f11353b35fe/crypto/objects/obj_dat.h features: diff --git a/nursery/encrypt-data-using-openssl-rsa.yml b/nursery/encrypt-data-using-openssl-rsa.yml index 9821861a8..6af851b74 100644 --- a/nursery/encrypt-data-using-openssl-rsa.yml +++ b/nursery/encrypt-data-using-openssl-rsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - "Ana06" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Encrypt Data::RSA [C0027.011] references: diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml index ffa79dd05..26012396d 100644 --- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml +++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rc4 authors: - richard.weiss@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-rsa.yml b/nursery/encrypt-data-using-rsa.yml index 39d06b378..639f5ac2a 100644 --- a/nursery/encrypt-data-using-rsa.yml +++ b/nursery/encrypt-data-using-rsa.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/rsa authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/encrypt-data-using-salsa20-or-chacha.yml b/nursery/encrypt-data-using-salsa20-or-chacha.yml index 44df19d40..09322591f 100644 --- a/nursery/encrypt-data-using-salsa20-or-chacha.yml +++ b/nursery/encrypt-data-using-salsa20-or-chacha.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/salsa20 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/encrypt-data-via-sspi.yml b/nursery/encrypt-data-via-sspi.yml index c9dd53d99..74f979956 100644 --- a/nursery/encrypt-data-via-sspi.yml +++ b/nursery/encrypt-data-via-sspi.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml index 635cb53f5..02fb47b41 100644 --- a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml +++ b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/enumerate-browser-history.yml b/nursery/enumerate-browser-history.yml index f9044e901..06cf40453 100644 --- a/nursery/enumerate-browser-history.yml +++ b/nursery/enumerate-browser-history.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/browser/history/list authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope features: - and: - api: ole32.CoCreateInstance diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml index 481f5dd43..c73df788d 100644 --- a/nursery/enumerate-device-drivers-on-linux.yml +++ b/nursery/enumerate-device-drivers-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Device Driver Discovery [T1652] features: diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml index ad159db18..866feabce 100644 --- a/nursery/enumerate-device-drivers-on-windows.yml +++ b/nursery/enumerate-device-drivers-on-windows.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Device Driver Discovery [T1652] references: diff --git a/nursery/enumerate-disk-volumes.yml b/nursery/enumerate-disk-volumes.yml index cca3030a9..399b2ba87 100644 --- a/nursery/enumerate-disk-volumes.yml +++ b/nursery/enumerate-disk-volumes.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/enumerate-drives.yml b/nursery/enumerate-drives.yml index 451f443f9..540efbb12 100644 --- a/nursery/enumerate-drives.yml +++ b/nursery/enumerate-drives.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.IO.DriveInfo::GetDrives diff --git a/nursery/enumerate-internet-cache.yml b/nursery/enumerate-internet-cache.yml index c9d22bb2a..5283a9b98 100644 --- a/nursery/enumerate-internet-cache.yml +++ b/nursery/enumerate-internet-cache.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/internet/cache authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - api: wininet.FindFirstUrlCacheEntry diff --git a/nursery/enumerate-network-shares.yml b/nursery/enumerate-network-shares.yml index bb06b367f..64efb484c 100644 --- a/nursery/enumerate-network-shares.yml +++ b/nursery/enumerate-network-shares.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Network Share Discovery [T1135] features: diff --git a/nursery/enumerate-pe-sections-in-dotnet.yml b/nursery/enumerate-pe-sections-in-dotnet.yml index bd5becadf..d85592934 100644 --- a/nursery/enumerate-pe-sections-in-dotnet.yml +++ b/nursery/enumerate-pe-sections-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/pe authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope mbc: - Discovery::Code Discovery::Enumerate PE Sections [B0046.001] features: diff --git a/nursery/enumerate-processes-that-use-resource.yml b/nursery/enumerate-processes-that-use-resource.yml index 41a3d5cf7..4b9f30335 100644 --- a/nursery/enumerate-processes-that-use-resource.yml +++ b/nursery/enumerate-processes-that-use-resource.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - "@Ana06" - scope: function + scopes: + static: function + dynamic: thread references: - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners # examples: diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml index fe7380459..0e28b86c3 100644 --- a/nursery/enumerate-processes-via-procfs.yml +++ b/nursery/enumerate-processes-via-procfs.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/nursery/enumerate-system-firmware-tables.yml b/nursery/enumerate-system-firmware-tables.yml index 414592e94..0ec3c8a98 100644 --- a/nursery/enumerate-system-firmware-tables.yml +++ b/nursery/enumerate-system-firmware-tables.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/firmware authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L843 features: diff --git a/nursery/execute-dotnet-assembly.yml b/nursery/execute-dotnet-assembly.yml index 9c10ded24..ccbf2b006 100644 --- a/nursery/execute-dotnet-assembly.yml +++ b/nursery/execute-dotnet-assembly.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Reflective Code Loading [T1620] features: diff --git a/nursery/execute-shell-command-via-windows-remote-management.yml b/nursery/execute-shell-command-via-windows-remote-management.yml index 8f69608a1..b5281be3f 100644 --- a/nursery/execute-shell-command-via-windows-remote-management.yml +++ b/nursery/execute-shell-command-via-windows-remote-management.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/process/create authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/execute-shellcode-via-indirect-call.yml b/nursery/execute-shellcode-via-indirect-call.yml index 9d48eb518..3e1449313 100644 --- a/nursery/execute-shellcode-via-indirect-call.yml +++ b/nursery/execute-shellcode-via-indirect-call.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/shellcode authors: - ronnie.salomonsen@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match mbc: - Memory::Allocate Memory [C0007] features: diff --git a/nursery/execute-sqlite-statement-in-dotnet.yml b/nursery/execute-sqlite-statement-in-dotnet.yml index 02263b3c3..72533ea8c 100644 --- a/nursery/execute-sqlite-statement-in-dotnet.yml +++ b/nursery/execute-sqlite-statement-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/database/sql authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/execute-syscall-instruction.yml b/nursery/execute-syscall-instruction.yml index cba27d2c1..d1308714c 100644 --- a/nursery/execute-syscall-instruction.yml +++ b/nursery/execute-syscall-instruction.yml @@ -6,7 +6,9 @@ rule: - "@kulinacs" - "@mr-tz" description: may be used to evade hooks or hinder analysis - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope references: - https://github.com/j00ru/windows-syscalls features: diff --git a/nursery/execute-via-asynchronous-task-in-dotnet.yml b/nursery/execute-via-asynchronous-task-in-dotnet.yml index 729b451d7..273a2fd98 100644 --- a/nursery/execute-via-asynchronous-task-in-dotnet.yml +++ b/nursery/execute-via-asynchronous-task-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/task authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Threading.Tasks.Task::ctor diff --git a/nursery/execute-via-timer-in-dotnet.yml b/nursery/execute-via-timer-in-dotnet.yml index 494d98ccc..857261c77 100644 --- a/nursery/execute-via-timer-in-dotnet.yml +++ b/nursery/execute-via-timer-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread/timer authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Threading.Timer::ctor diff --git a/nursery/extract-zip-archive-in-dotnet.yml b/nursery/extract-zip-archive-in-dotnet.yml index ccdefd420..dd0949b33 100644 --- a/nursery/extract-zip-archive-in-dotnet.yml +++ b/nursery/extract-zip-archive-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Deobfuscate/Decode Files or Information [T1140] features: diff --git a/nursery/find-data-using-regex-in-dotnet.yml b/nursery/find-data-using-regex-in-dotnet.yml index 7345f1665..5af1419b2 100644 --- a/nursery/find-data-using-regex-in-dotnet.yml +++ b/nursery/find-data-using-regex-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/regex authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Text.RegularExpressions.Regex::Matches diff --git a/nursery/find-process-by-name.yml b/nursery/find-process-by-name.yml index a6f6ddee2..6ae86821b 100644 --- a/nursery/find-process-by-name.yml +++ b/nursery/find-process-by-name.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/list authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::Process Discovery [T1057] features: diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml index b75ec4f63..3e5786500 100644 --- a/nursery/flush-cabinet-file.yml +++ b/nursery/flush-cabinet-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files features: diff --git a/nursery/generate-method-via-reflection-in-dotnet.yml b/nursery/generate-method-via-reflection-in-dotnet.yml index 7eb4e8932..9176caa43 100644 --- a/nursery/generate-method-via-reflection-in-dotnet.yml +++ b/nursery/generate-method-via-reflection-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: https://github.com/bohops/DynamicDotNet/blob/main/assembly_loader/DynamicAssemblyLoader.cs - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Reflection.Emit.DynamicMethod::ctor diff --git a/nursery/generate-random-bytes-in-dotnet.yml b/nursery/generate-random-bytes-in-dotnet.yml index 02788ba16..1d022c943 100644 --- a/nursery/generate-random-bytes-in-dotnet.yml +++ b/nursery/generate-random-bytes-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] features: diff --git a/nursery/generate-random-filename-in-dotnet.yml b/nursery/generate-random-filename-in-dotnet.yml index 6d81c8379..bcddca080 100644 --- a/nursery/generate-random-filename-in-dotnet.yml +++ b/nursery/generate-random-filename-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.IO.Path::GetRandomFileName diff --git a/nursery/generate-random-numbers-in-dotnet.yml b/nursery/generate-random-numbers-in-dotnet.yml index 732ccf707..6df0d12dc 100644 --- a/nursery/generate-random-numbers-in-dotnet.yml +++ b/nursery/generate-random-numbers-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - anushka.virgaonkar@mandiant.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] features: diff --git a/nursery/generate-random-numbers-using-the-delphi-lcg.yml b/nursery/generate-random-numbers-using-the-delphi-lcg.yml index 75ae1fd6e..52d635fc2 100644 --- a/nursery/generate-random-numbers-using-the-delphi-lcg.yml +++ b/nursery/generate-random-numbers-using-the-delphi-lcg.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/prng/lcg authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Cryptography::Generate Pseudo-random Sequence [C0021] references: diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml index b90b27c7e..d14e7f8fa 100644 --- a/nursery/get-client-handle-via-schannel.yml +++ b/nursery/get-client-handle-via-schannel.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-current-pid-on-linux.yml b/nursery/get-current-pid-on-linux.yml index 7694d69cf..e15944543 100644 --- a/nursery/get-current-pid-on-linux.yml +++ b/nursery/get-current-pid-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/get-file-system-information-on-linux.yml b/nursery/get-file-system-information-on-linux.yml index 1893ef422..1916a888d 100644 --- a/nursery/get-file-system-information-on-linux.yml +++ b/nursery/get-file-system-information-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/get-http-request-uri.yml b/nursery/get-http-request-uri.yml index 1be9fc1f9..2cc5d889d 100644 --- a/nursery/get-http-request-uri.yml +++ b/nursery/get-http-request-uri.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - william.ballenthin@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead mbc: - Communication::HTTP Communication [C0002] features: diff --git a/nursery/get-inbound-credentials-handle-via-credssp.yml b/nursery/get-inbound-credentials-handle-via-credssp.yml index c948dc8d6..7f32cc04a 100644 --- a/nursery/get-inbound-credentials-handle-via-credssp.yml +++ b/nursery/get-inbound-credentials-handle-via-credssp.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml index 93d9b023d..d07a8974a 100644 --- a/nursery/get-mac-address-on-linux.yml +++ b/nursery/get-mac-address-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: collection/network authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-networking-parameters.yml b/nursery/get-networking-parameters.yml index ff45d1720..a84fa1bac 100644 --- a/nursery/get-networking-parameters.yml +++ b/nursery/get-networking-parameters.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-ntoskrnl-base-address.yml b/nursery/get-ntoskrnl-base-address.yml index 0f2686ab3..2c499ab4c 100644 --- a/nursery/get-ntoskrnl-base-address.yml +++ b/nursery/get-ntoskrnl-base-address.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Execution::Shared Modules [T1129] references: diff --git a/nursery/get-os-information-via-kuser_shared_data.yml b/nursery/get-os-information-via-kuser_shared_data.yml index c2a690e29..ed0d6f8f3 100644 --- a/nursery/get-os-information-via-kuser_shared_data.yml +++ b/nursery/get-os-information-via-kuser_shared_data.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/os/version authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/nursery/get-os-version-in-dotnet.yml b/nursery/get-os-version-in-dotnet.yml index fc9f4cf8f..c43b23fa5 100644 --- a/nursery/get-os-version-in-dotnet.yml +++ b/nursery/get-os-version-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/os/version authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml index e776243fd..198c72d80 100644 --- a/nursery/get-password-database-entry-on-linux.yml +++ b/nursery/get-password-database-entry-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml index 97a33a93c..da8593d18 100644 --- a/nursery/get-process-image-filename.yml +++ b/nursery/get-process-image-filename.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope features: - or: - and: diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml index a4bb4dfcf..bf5675660 100644 --- a/nursery/get-proxy.yml +++ b/nursery/get-proxy.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/proxy authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-remote-cert-context-via-schannel.yml b/nursery/get-remote-cert-context-via-schannel.yml index a45e4fdfa..28cd7243c 100644 --- a/nursery/get-remote-cert-context-via-schannel.yml +++ b/nursery/get-remote-cert-context-via-schannel.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-routing-table.yml b/nursery/get-routing-table.yml index d6302cb79..b39d1c25f 100644 --- a/nursery/get-routing-table.yml +++ b/nursery/get-routing-table.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/network/routing-table authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-session-information.yml b/nursery/get-session-information.yml index 714bebe70..23d33682c 100644 --- a/nursery/get-session-information.yml +++ b/nursery/get-session-information.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Owner/User Discovery [T1033] features: diff --git a/nursery/get-socket-information.yml b/nursery/get-socket-information.yml index 7e9ad1e13..22c14fe0f 100644 --- a/nursery/get-socket-information.yml +++ b/nursery/get-socket-information.yml @@ -4,7 +4,9 @@ rule: namespace: communication/socket authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml index e95eb85e4..4f5c341cc 100644 --- a/nursery/get-storage-device-properties.yml +++ b/nursery/get-storage-device-properties.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/hardware/storage authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match references: - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property features: diff --git a/nursery/get-system-firmware-table.yml b/nursery/get-system-firmware-table.yml index 315843909..e6b96226c 100644 --- a/nursery/get-system-firmware-table.yml +++ b/nursery/get-system-firmware-table.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/firmware authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854 features: diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml index dcdf9369e..3d8294694 100644 --- a/nursery/get-system-information-on-linux.yml +++ b/nursery/get-system-information-on-linux.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-system-web-proxy.yml b/nursery/get-system-web-proxy.yml index dae322577..45288ca64 100644 --- a/nursery/get-system-web-proxy.yml +++ b/nursery/get-system-web-proxy.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Network Configuration Discovery [T1016] references: diff --git a/nursery/get-thread-local-storage-value.yml b/nursery/get-thread-local-storage-value.yml index 20ea67fd7..ba35301b9 100644 --- a/nursery/get-thread-local-storage-value.yml +++ b/nursery/get-thread-local-storage-value.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: kernel32.TlsGetValue diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml index d1c6c7ead..c177c007b 100644 --- a/nursery/get-token-privileges.yml +++ b/nursery/get-token-privileges.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/session authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope features: - and: - basic block: diff --git a/nursery/hash-data-using-aphash.yml b/nursery/hash-data-using-aphash.yml index 513577ed2..c5188e04b 100644 --- a/nursery/hash-data-using-aphash.yml +++ b/nursery/hash-data-using-aphash.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/aphash authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Non-Cryptographic Hash [C0030] references: diff --git a/nursery/hash-data-using-crc32b.yml b/nursery/hash-data-using-crc32b.yml index b39e8c446..9407dc76d 100644 --- a/nursery/hash-data-using-crc32b.yml +++ b/nursery/hash-data-using-crc32b.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/checksum/crc32 authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - number: 0x4C11DB7 diff --git a/nursery/hash-data-using-jshash.yml b/nursery/hash-data-using-jshash.yml index ccdd0fb98..2cf2a6807 100644 --- a/nursery/hash-data-using-jshash.yml +++ b/nursery/hash-data-using-jshash.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/jshash authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope mbc: - Data::Non-Cryptographic Hash [C0030] references: diff --git a/nursery/hash-data-using-md4.yml b/nursery/hash-data-using-md4.yml index ef482ce4d..54bc21519 100644 --- a/nursery/hash-data-using-md4.yml +++ b/nursery/hash-data-using-md4.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/md4 authors: - anamaria.martinezgom@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - number: 0x8002 = CALG_MD4 diff --git a/nursery/hash-data-using-murmur2.yml b/nursery/hash-data-using-murmur2.yml index 0cec679a9..e7794a3a0 100644 --- a/nursery/hash-data-using-murmur2.yml +++ b/nursery/hash-data-using-murmur2.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/murmur authors: - william.ballenthin@mandiant.com - scope: instruction + scopes: + static: instruction + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope references: - https://github.com/abrandoned/murmur2/blob/master/MurmurHash2.c features: diff --git a/nursery/hash-data-using-ripemd128.yml b/nursery/hash-data-using-ripemd128.yml index cd3035fbd..209a41ea0 100755 --- a/nursery/hash-data-using-ripemd128.yml +++ b/nursery/hash-data-using-ripemd128.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/ripemd128 authors: - raymond.leong@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains Subscope references: - https://en.wikipedia.org/wiki/RIPEMD-128 features: diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml index 5353fb9e7..ce700a47d 100755 --- a/nursery/hash-data-using-ripemd256.yml +++ b/nursery/hash-data-using-ripemd256.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/ripemd256 authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://en.wikipedia.org/wiki/RIPEMD-256 features: diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml index 0b537a127..24cd25842 100755 --- a/nursery/hash-data-using-ripemd320.yml +++ b/nursery/hash-data-using-ripemd320.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/ripemd320 authors: - raymond.leong@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope references: - https://en.wikipedia.org/wiki/RIPEMD-320 features: diff --git a/nursery/hash-data-using-rshash.yml b/nursery/hash-data-using-rshash.yml index a8da14a3f..902bc6242 100644 --- a/nursery/hash-data-using-rshash.yml +++ b/nursery/hash-data-using-rshash.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/rshash authors: - "@_re_fox" - scope: function + scopes: + static: function + dynamic: thread mbc: - Data::Non-Cryptographic Hash [C0030] references: diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml index 7df3f5b03..fe07b5bce 100644 --- a/nursery/hash-data-using-sha1-via-wincrypt.yml +++ b/nursery/hash-data-using-sha1-via-wincrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha1 authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - or: - and: diff --git a/nursery/hash-data-using-sha1-via-x86-extensions.yml b/nursery/hash-data-using-sha1-via-x86-extensions.yml index 34e22fbeb..037d73324 100644 --- a/nursery/hash-data-using-sha1-via-x86-extensions.yml +++ b/nursery/hash-data-using-sha1-via-x86-extensions.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha1 authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope features: - or: - mnemonic: sha1rnds4 = Perform Four Rounds of SHA1 Operation diff --git a/nursery/hash-data-using-sha256-via-x86-extensions.yml b/nursery/hash-data-using-sha256-via-x86-extensions.yml index 8c6b5045d..6de958e4c 100644 --- a/nursery/hash-data-using-sha256-via-x86-extensions.yml +++ b/nursery/hash-data-using-sha256-via-x86-extensions.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha256 authors: - "@_re_fox" - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope features: - or: - mnemonic: sha256rnds2 = Perform Two Rounds of SHA256 Operation diff --git a/nursery/hash-data-using-sha512managed-in-dotnet.yml b/nursery/hash-data-using-sha512managed-in-dotnet.yml index b2fb012bd..16886f25e 100644 --- a/nursery/hash-data-using-sha512managed-in-dotnet.yml +++ b/nursery/hash-data-using-sha512managed-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/sha512 authors: - jonathanlepore@google.com - scope: function + scopes: + static: function + dynamic: thread references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed features: diff --git a/nursery/hash-data-using-whirlpool.yml b/nursery/hash-data-using-whirlpool.yml index 22a11905f..a2f4e1be4 100644 --- a/nursery/hash-data-using-whirlpool.yml +++ b/nursery/hash-data-using-whirlpool.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing/whirlpool authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope mbc: - Cryptography::Cryptographic Hash [C0029] references: diff --git a/nursery/hash-data-via-bcrypt.yml b/nursery/hash-data-via-bcrypt.yml index bb87c81e4..34e14c978 100644 --- a/nursery/hash-data-via-bcrypt.yml +++ b/nursery/hash-data-via-bcrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/hook-routines-via-microsoft-detours.yml b/nursery/hook-routines-via-microsoft-detours.yml index b00acc304..b93980461 100644 --- a/nursery/hook-routines-via-microsoft-detours.yml +++ b/nursery/hook-routines-via-microsoft-detours.yml @@ -4,7 +4,9 @@ rule: # namespace: linking/hooking authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf features: diff --git a/nursery/hooked-by-api-override.yml b/nursery/hooked-by-api-override.yml index a7832c0fd..24d63b6cd 100644 --- a/nursery/hooked-by-api-override.yml +++ b/nursery/hooked-by-api-override.yml @@ -4,7 +4,9 @@ rule: namespace: executable/hooked/api-override authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ - http://jacquelin.potier.free.fr/winapioverride32/ diff --git a/nursery/impersonate-user.yml b/nursery/impersonate-user.yml index dd9286c31..c6f6f4510 100644 --- a/nursery/impersonate-user.yml +++ b/nursery/impersonate-user.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/user authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001] features: diff --git a/nursery/implement-com-dll.yml b/nursery/implement-com-dll.yml index 9cf2167b5..f9f951412 100644 --- a/nursery/implement-com-dll.yml +++ b/nursery/implement-com-dll.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pe authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject features: diff --git a/nursery/initialize-hashing-via-wincrypt.yml b/nursery/initialize-hashing-via-wincrypt.yml index cbd1b389a..b57975301 100644 --- a/nursery/initialize-hashing-via-wincrypt.yml +++ b/nursery/initialize-hashing-via-wincrypt.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/hashing authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: advapi32.CryptCreateHash diff --git a/nursery/inspect-load-icon-resource.yml b/nursery/inspect-load-icon-resource.yml index afa1ad45e..293b53f11 100644 --- a/nursery/inspect-load-icon-resource.yml +++ b/nursery/inspect-load-icon-resource.yml @@ -5,7 +5,9 @@ rule: namespace: anti-analysis authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope features: # check if call to LoadIcon fails when first argument is NULL # and second argument is not a valid predefined icon - LoadIcon diff --git a/nursery/interact-with-iptables.yml b/nursery/interact-with-iptables.yml index fefe34750..f60567e89 100644 --- a/nursery/interact-with-iptables.yml +++ b/nursery/interact-with-iptables.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/firewall authors: - joakim@intezer.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Software Discovery::Security Software Discovery [T1518.001] - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004] diff --git a/nursery/invoke-dotnet-assembly-method.yml b/nursery/invoke-dotnet-assembly-method.yml index ccee9d26e..c33dc3989 100644 --- a/nursery/invoke-dotnet-assembly-method.yml +++ b/nursery/invoke-dotnet-assembly-method.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Reflective Code Loading [T1620] features: diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml index db6acb21a..62c383a9a 100644 --- a/nursery/link-function-at-runtime-on-linux.yml +++ b/nursery/link-function-at-runtime-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Execution::Shared Modules [T1129] features: diff --git a/nursery/linked-against-cpp-http-library.yml b/nursery/linked-against-cpp-http-library.yml index 0f248f141..8a3ca603c 100644 --- a/nursery/linked-against-cpp-http-library.yml +++ b/nursery/linked-against-cpp-http-library.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/httplib authors: - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file references: - https://github.com/yhirose/cpp-httplib features: diff --git a/nursery/linked-against-cpp-json-library.yml b/nursery/linked-against-cpp-json-library.yml index 44ed90e7e..580373db9 100644 --- a/nursery/linked-against-cpp-json-library.yml +++ b/nursery/linked-against-cpp-json-library.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/jsoncpp authors: - "@mr-tz" - scope: file + scopes: + static: file + dynamic: file references: - https://github.com/open-source-parsers/jsoncpp features: diff --git a/nursery/linked-against-cpp-regex-library.yml b/nursery/linked-against-cpp-regex-library.yml index 907481982..9fbea2e21 100644 --- a/nursery/linked-against-cpp-regex-library.yml +++ b/nursery/linked-against-cpp-regex-library.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/cppregex authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - http://www.cplusplus.com/reference/regex/regex_error/ features: diff --git a/nursery/linked-against-go-process-enumeration-library.yml b/nursery/linked-against-go-process-enumeration-library.yml index c50655cb0..418651287 100644 --- a/nursery/linked-against-go-process-enumeration-library.yml +++ b/nursery/linked-against-go-process-enumeration-library.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com description: Enumerating processes using a Go library - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/nursery/linked-against-go-registry-library.yml b/nursery/linked-against-go-registry-library.yml index eb7ed878f..6ac8b1f87 100644 --- a/nursery/linked-against-go-registry-library.yml +++ b/nursery/linked-against-go-registry-library.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com description: Uses a Go library for interacting with the Windows registry. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://github.com/golang/sys features: diff --git a/nursery/linked-against-go-static-asset-library.yml b/nursery/linked-against-go-static-asset-library.yml index 060d2ce81..adba97b26 100644 --- a/nursery/linked-against-go-static-asset-library.yml +++ b/nursery/linked-against-go-static-asset-library.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com description: Detects if the Go file includes an static assets. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match references: - https://github.com/rakyll/statik - https://github.com/gobuffalo/packr diff --git a/nursery/linked-against-go-wmi-library.yml b/nursery/linked-against-go-wmi-library.yml index 1e635c0ff..e35ab3a07 100644 --- a/nursery/linked-against-go-wmi-library.yml +++ b/nursery/linked-against-go-wmi-library.yml @@ -5,7 +5,9 @@ rule: authors: - joakim@intezer.com description: StackExchange's WMI library is used to interact with WMI. - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Collection::Data from Information Repositories [T1213] references: diff --git a/nursery/linked-against-libsodium.yml b/nursery/linked-against-libsodium.yml index 81b0539bd..9782dc646 100644 --- a/nursery/linked-against-libsodium.yml +++ b/nursery/linked-against-libsodium.yml @@ -5,7 +5,9 @@ rule: authors: - "@mr-tz" description: Sodium is a software library for encryption, decryption, signatures, password hashing and more. - scope: file + scopes: + static: file + dynamic: file mbc: - Cryptography::Crypto Library [C0059] features: diff --git a/nursery/linked-against-xzip.yml b/nursery/linked-against-xzip.yml index 1b9b5c668..5d17ae09c 100644 --- a/nursery/linked-against-xzip.yml +++ b/nursery/linked-against-xzip.yml @@ -4,7 +4,9 @@ rule: namespace: linking/static/xzip authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file mbc: - Data::Compression Library [C0060] references: diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml index 198beb437..b1c50f6df 100644 --- a/nursery/list-containers.yml +++ b/nursery/list-containers.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/container/docker authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Discovery::Container and Resource Discovery [T1613] references: diff --git a/nursery/list-domain-servers.yml b/nursery/list-domain-servers.yml index 73f893664..11030930f 100644 --- a/nursery/list-domain-servers.yml +++ b/nursery/list-domain-servers.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/domain authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] features: diff --git a/nursery/list-drag-and-drop-files.yml b/nursery/list-drag-and-drop-files.yml index b726f9617..f9b0dfe42 100644 --- a/nursery/list-drag-and-drop-files.yml +++ b/nursery/list-drag-and-drop-files.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/clipboard authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/list-groups-for-user-account.yml b/nursery/list-groups-for-user-account.yml index 3e0c06e90..c9c0c0da0 100644 --- a/nursery/list-groups-for-user-account.yml +++ b/nursery/list-groups-for-user-account.yml @@ -6,7 +6,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: enumerates all the groups to which a user account belongs - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Account Discovery [T1087] features: diff --git a/nursery/list-tcp-connections-and-listeners.yml b/nursery/list-tcp-connections-and-listeners.yml index 356c20790..04cef09d4 100644 --- a/nursery/list-tcp-connections-and-listeners.yml +++ b/nursery/list-tcp-connections-and-listeners.yml @@ -5,7 +5,9 @@ rule: namespace: collection/network authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: iphlpapi.GetExtendedTcpTable diff --git a/nursery/list-udp-connections-and-listeners.yml b/nursery/list-udp-connections-and-listeners.yml index b975e8180..20d50cc29 100644 --- a/nursery/list-udp-connections-and-listeners.yml +++ b/nursery/list-udp-connections-and-listeners.yml @@ -5,7 +5,9 @@ rule: namespace: collection/network authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: iphlpapi.GetExtendedUdpTable diff --git a/nursery/list-user-account-groups.yml b/nursery/list-user-account-groups.yml index 3e4040e80..918fedaf9 100644 --- a/nursery/list-user-account-groups.yml +++ b/nursery/list-user-account-groups.yml @@ -6,7 +6,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: enumerates all the groups present on the system/domain - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Permission Groups Discovery [T1069] features: diff --git a/nursery/list-user-accounts-for-group.yml b/nursery/list-user-accounts-for-group.yml index 172b6a939..4c76247b4 100644 --- a/nursery/list-user-accounts-for-group.yml +++ b/nursery/list-user-accounts-for-group.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Permission Groups Discovery [T1069] features: diff --git a/nursery/list-user-accounts.yml b/nursery/list-user-accounts.yml index 066f2328e..ea41e4cda 100644 --- a/nursery/list-user-accounts.yml +++ b/nursery/list-user-accounts.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/accounts authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::Account Discovery [T1087] features: diff --git a/nursery/listen-for-remote-procedure-calls.yml b/nursery/listen-for-remote-procedure-calls.yml index e32f0e889..c5449d2e8 100644 --- a/nursery/listen-for-remote-procedure-calls.yml +++ b/nursery/listen-for-remote-procedure-calls.yml @@ -5,7 +5,9 @@ rule: namespace: communication/rpc/server authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: rpcrt4.RpcServerListen diff --git a/nursery/load-dotnet-assembly.yml b/nursery/load-dotnet-assembly.yml index efc65e138..fde478b4f 100644 --- a/nursery/load-dotnet-assembly.yml +++ b/nursery/load-dotnet-assembly.yml @@ -4,7 +4,9 @@ rule: namespace: load-code/dotnet authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Reflective Code Loading [T1620] features: diff --git a/nursery/load-xml-in-dotnet.yml b/nursery/load-xml-in-dotnet.yml index 5c3e8528a..04db030f9 100644 --- a/nursery/load-xml-in-dotnet.yml +++ b/nursery/load-xml-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/xml authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Xml.XmlDocument::Load diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml index 0a266d237..ef23de6e0 100644 --- a/nursery/log-keystrokes-via-input-method-manager.yml +++ b/nursery/log-keystrokes-via-input-method-manager.yml @@ -5,7 +5,9 @@ rule: namespace: collection/keylog authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/log-keystrokes-via-raw-input-data.yml b/nursery/log-keystrokes-via-raw-input-data.yml index 8a98532d3..f738038d0 100644 --- a/nursery/log-keystrokes-via-raw-input-data.yml +++ b/nursery/log-keystrokes-via-raw-input-data.yml @@ -5,7 +5,9 @@ rule: namespace: collection/keylog authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Collection::Input Capture::Keylogging [T1056.001] features: diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml index f5f4c83a6..5d9ee8d28 100644 --- a/nursery/make-an-http-request-with-a-cookie.yml +++ b/nursery/make-an-http-request-with-a-cookie.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - match: send HTTP request diff --git a/nursery/manipulate-console-window.yml b/nursery/manipulate-console-window.yml index 0a272ee66..304d3b5df 100644 --- a/nursery/manipulate-console-window.yml +++ b/nursery/manipulate-console-window.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/console authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread mbc: - Operating System::Console [C0033] features: diff --git a/nursery/manipulate-network-credentials-in-dotnet.yml b/nursery/manipulate-network-credentials-in-dotnet.yml index 38a2df967..80be39a92 100644 --- a/nursery/manipulate-network-credentials-in-dotnet.yml +++ b/nursery/manipulate-network-credentials-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/authentication authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: System.Net.NetworkCredential::ctor diff --git a/nursery/manipulate-unmanaged-memory-in-dotnet.yml b/nursery/manipulate-unmanaged-memory-in-dotnet.yml index a754e3695..ed188437f 100644 --- a/nursery/manipulate-unmanaged-memory-in-dotnet.yml +++ b/nursery/manipulate-unmanaged-memory-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/memory authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope features: - or: - class: System.Runtime.InteropServices.Marshal diff --git a/nursery/manipulate-user-privileges.yml b/nursery/manipulate-user-privileges.yml index d1745f9a9..1f8e07acf 100644 --- a/nursery/manipulate-user-privileges.yml +++ b/nursery/manipulate-user-privileges.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/user authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: advapi32.LsaAddAccountRights diff --git a/nursery/mark-thread-detached-on-linux.yml b/nursery/mark-thread-detached-on-linux.yml index 3eb0e5f5b..2ab087a1e 100644 --- a/nursery/mark-thread-detached-on-linux.yml +++ b/nursery/mark-thread-detached-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/migrate-process-to-active-window-station.yml b/nursery/migrate-process-to-active-window-station.yml index 3c22d61e5..541b4a68b 100644 --- a/nursery/migrate-process-to-active-window-station.yml +++ b/nursery/migrate-process-to-active-window-station.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers. - scope: function + scopes: + static: function + dynamic: thread references: - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops diff --git a/nursery/mixed-mode.yml b/nursery/mixed-mode.yml index fb328ae8c..1b83eab81 100644 --- a/nursery/mixed-mode.yml +++ b/nursery/mixed-mode.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: file contains managed and unmanaged (native) code, often seen in .NET - scope: file + scopes: + static: file + dynamic: file features: - or: - characteristic: mixed mode diff --git a/nursery/monitor-clipboard-content.yml b/nursery/monitor-clipboard-content.yml index 7dafdb82a..8ff22f39f 100644 --- a/nursery/monitor-clipboard-content.yml +++ b/nursery/monitor-clipboard-content.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/clipboard authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/monitor-local-ipv4-address-changes.yml b/nursery/monitor-local-ipv4-address-changes.yml index fdcab2c28..f95169c97 100644 --- a/nursery/monitor-local-ipv4-address-changes.yml +++ b/nursery/monitor-local-ipv4-address-changes.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/network/address authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Discovery::System Network Configuration Discovery [T1016] features: diff --git a/nursery/move-directory.yml b/nursery/move-directory.yml index 469200c40..3648ec0ba 100644 --- a/nursery/move-directory.yml +++ b/nursery/move-directory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system/move authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.IO.DirectoryInfo::MoveTo diff --git a/nursery/obfuscated-with-koivm.yml b/nursery/obfuscated-with-koivm.yml index bbbe82ed4..733f1eb19 100644 --- a/nursery/obfuscated-with-koivm.yml +++ b/nursery/obfuscated-with-koivm.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/obfuscation authors: - michael.hunhoff@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature namespace for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/open-cabinet-file.yml b/nursery/open-cabinet-file.yml index 2ee425ee4..4b47bd342 100644 --- a/nursery/open-cabinet-file.yml +++ b/nursery/open-cabinet-file.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files features: diff --git a/nursery/packaged-as-a-createinstall-installer.yml b/nursery/packaged-as-a-createinstall-installer.yml index 6a4e4af55..e9d130189 100644 --- a/nursery/packaged-as-a-createinstall-installer.yml +++ b/nursery/packaged-as-a-createinstall-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/createinstall authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.createinstall.com/ - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ diff --git a/nursery/packaged-as-a-nsis-installer.yml b/nursery/packaged-as-a-nsis-installer.yml index ed7518dc1..825d120be 100644 --- a/nursery/packaged-as-a-nsis-installer.yml +++ b/nursery/packaged-as-a-nsis-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/nsis authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://nsis.sourceforge.io/Main_Page features: diff --git a/nursery/packaged-as-a-pintool.yml b/nursery/packaged-as-a-pintool.yml index 5c8903417..8f75ad933 100644 --- a/nursery/packaged-as-a-pintool.yml +++ b/nursery/packaged-as-a-pintool.yml @@ -4,7 +4,9 @@ rule: namespace: executable/pintool authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://software.intel.com/content/www/us/en/develop/articles/pin-a-dynamic-binary-instrumentation-tool.html - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ diff --git a/nursery/packaged-as-a-winzip-self-extracting-archive.yml b/nursery/packaged-as-a-winzip-self-extracting-archive.yml index 1282614da..b3b7313ae 100644 --- a/nursery/packaged-as-a-winzip-self-extracting-archive.yml +++ b/nursery/packaged-as-a-winzip-self-extracting-archive.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/winzip authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ features: diff --git a/nursery/packaged-as-a-wise-installer.yml b/nursery/packaged-as-a-wise-installer.yml index 1faf43be4..ff81ba786 100644 --- a/nursery/packaged-as-a-wise-installer.yml +++ b/nursery/packaged-as-a-wise-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/wiseinstall authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file features: - or: - string: "WiseMain" diff --git a/nursery/packaged-as-an-installshield-installer.yml b/nursery/packaged-as-an-installshield-installer.yml index e2cd630fc..a3e07e127 100644 --- a/nursery/packaged-as-an-installshield-installer.yml +++ b/nursery/packaged-as-an-installshield-installer.yml @@ -4,7 +4,9 @@ rule: namespace: executable/installer/installshield authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file features: - or: # AppHelp has an export ApphelpCheckInstallShieldPackage, diff --git a/nursery/packed-with-ccg.yml b/nursery/packed-with-ccg.yml index e2e9ef89a..553dcb36f 100644 --- a/nursery/packed-with-ccg.yml +++ b/nursery/packed-with-ccg.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/ccg authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-crunch.yml b/nursery/packed-with-crunch.yml index 1e53d7540..db8391f83 100644 --- a/nursery/packed-with-crunch.yml +++ b/nursery/packed-with-crunch.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/crunch authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-dragon-armor.yml b/nursery/packed-with-dragon-armor.yml index 8999d02f7..8794419a8 100644 --- a/nursery/packed-with-dragon-armor.yml +++ b/nursery/packed-with-dragon-armor.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/dragon-armor authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-enigma.yml b/nursery/packed-with-enigma.yml index 2428c6dc5..026aa523d 100644 --- a/nursery/packed-with-enigma.yml +++ b/nursery/packed-with-enigma.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/enigma authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-epack.yml b/nursery/packed-with-epack.yml index b67409549..4ac81187e 100644 --- a/nursery/packed-with-epack.yml +++ b/nursery/packed-with-epack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/epack authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-maskpe.yml b/nursery/packed-with-maskpe.yml index 220319159..cbacd7829 100644 --- a/nursery/packed-with-maskpe.yml +++ b/nursery/packed-with-maskpe.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/maskpe authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-mew.yml b/nursery/packed-with-mew.yml index c5a180e73..a4fd10a82 100644 --- a/nursery/packed-with-mew.yml +++ b/nursery/packed-with-mew.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/mew authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-mpress.yml b/nursery/packed-with-mpress.yml index f2427db92..0ee836c3e 100644 --- a/nursery/packed-with-mpress.yml +++ b/nursery/packed-with-mpress.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/mpress authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-neolite.yml b/nursery/packed-with-neolite.yml index aa707a904..5c4685686 100644 --- a/nursery/packed-with-neolite.yml +++ b/nursery/packed-with-neolite.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/neolite authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-pepack.yml b/nursery/packed-with-pepack.yml index 5f7d607dd..29a817317 100644 --- a/nursery/packed-with-pepack.yml +++ b/nursery/packed-with-pepack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/pepack authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-perplex.yml b/nursery/packed-with-perplex.yml index bffad089a..ed883ddf8 100644 --- a/nursery/packed-with-perplex.yml +++ b/nursery/packed-with-perplex.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/perplex authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-procrypt.yml b/nursery/packed-with-procrypt.yml index f843bbbe7..2d6e1cf99 100644 --- a/nursery/packed-with-procrypt.yml +++ b/nursery/packed-with-procrypt.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/procrypt authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-rpcrypt.yml b/nursery/packed-with-rpcrypt.yml index fbe023f6f..2571e3fe8 100644 --- a/nursery/packed-with-rpcrypt.yml +++ b/nursery/packed-with-rpcrypt.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/rpcrypt authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-seausfx.yml b/nursery/packed-with-seausfx.yml index a2fb371bd..e11fb96fa 100644 --- a/nursery/packed-with-seausfx.yml +++ b/nursery/packed-with-seausfx.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/seausfx authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-shrinker.yml b/nursery/packed-with-shrinker.yml index 00d0c48ec..ecd1fca54 100644 --- a/nursery/packed-with-shrinker.yml +++ b/nursery/packed-with-shrinker.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/shrinker authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-simple-pack.yml b/nursery/packed-with-simple-pack.yml index 2c55466f2..6fa09cc60 100644 --- a/nursery/packed-with-simple-pack.yml +++ b/nursery/packed-with-simple-pack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/simple-pack authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-starforce.yml b/nursery/packed-with-starforce.yml index 4eccdc8dc..3f57a90f6 100644 --- a/nursery/packed-with-starforce.yml +++ b/nursery/packed-with-starforce.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/starforce authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-svkp.yml b/nursery/packed-with-svkp.yml index 5630dec5d..7af4feda6 100644 --- a/nursery/packed-with-svkp.yml +++ b/nursery/packed-with-svkp.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/svkp authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-tsuloader.yml b/nursery/packed-with-tsuloader.yml index 16f175499..289bb3a2f 100644 --- a/nursery/packed-with-tsuloader.yml +++ b/nursery/packed-with-tsuloader.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/tsuloader authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-vprotect.yml b/nursery/packed-with-vprotect.yml index 284ba0545..5fedd9817 100644 --- a/nursery/packed-with-vprotect.yml +++ b/nursery/packed-with-vprotect.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/vprotect authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/packed-with-wwpack.yml b/nursery/packed-with-wwpack.yml index 2228228ef..88dd88a4e 100644 --- a/nursery/packed-with-wwpack.yml +++ b/nursery/packed-with-wwpack.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/packer/wwpack authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] mbc: diff --git a/nursery/parse-url.yml b/nursery/parse-url.yml index 4e1577d1c..82c81fcf4 100644 --- a/nursery/parse-url.yml +++ b/nursery/parse-url.yml @@ -5,7 +5,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: wininet.InternetCrackUrl diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml index 74f3cc92f..c8f6e3097 100644 --- a/nursery/persist-via-gnome-autostart-on-linux.yml +++ b/nursery/persist-via-gnome-autostart-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - os: linux diff --git a/nursery/power-down-monitor.yml b/nursery/power-down-monitor.yml index 4522e9beb..fdcf13ee5 100644 --- a/nursery/power-down-monitor.yml +++ b/nursery/power-down-monitor.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/monitor authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - api: user32.SendMessage diff --git a/nursery/prompt-user-for-credentials.yml b/nursery/prompt-user-for-credentials.yml index 7fc786ec8..303c4ced4 100644 --- a/nursery/prompt-user-for-credentials.yml +++ b/nursery/prompt-user-for-credentials.yml @@ -5,7 +5,9 @@ rule: namespace: collection/credentials authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials features: diff --git a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml index 25c1472fc..1dc167b9a 100644 --- a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml index 363084680..063f4234e 100644 --- a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/query-remote-server-for-available-data.yml b/nursery/query-remote-server-for-available-data.yml index af757da5c..cf98c8bc2 100644 --- a/nursery/query-remote-server-for-available-data.yml +++ b/nursery/query-remote-server-for-available-data.yml @@ -5,7 +5,9 @@ rule: namespace: communication authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: wininet.InternetQueryDataAvailable diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml index 7b2d870b7..9dbfb0fc2 100644 --- a/nursery/read-and-send-data-from-client-to-server.yml +++ b/nursery/read-and-send-data-from-client-to-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/file-transfer authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - match: host-interaction/file-system/read diff --git a/nursery/read-process-memory.yml b/nursery/read-process-memory.yml index 4796d5f5b..db460b902 100644 --- a/nursery/read-process-memory.yml +++ b/nursery/read-process-memory.yml @@ -6,7 +6,9 @@ rule: - matthew.williams@mandiant.com - "@_re_fox" - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: kernel32.ReadProcessMemory diff --git a/nursery/read-raw-disk-data.yml b/nursery/read-raw-disk-data.yml index 8a4d1a4b5..91b928742 100644 --- a/nursery/read-raw-disk-data.yml +++ b/nursery/read-raw-disk-data.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file features: - or: - string: "\\\\.\\PhysicalDrive0" diff --git a/nursery/rebuilt-by-imprec.yml b/nursery/rebuilt-by-imprec.yml index 6afe346ab..5fd0b9a0a 100644 --- a/nursery/rebuilt-by-imprec.yml +++ b/nursery/rebuilt-by-imprec.yml @@ -4,7 +4,9 @@ rule: namespace: executable/imprec authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ features: diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml index 09e72dbbc..2816779d8 100644 --- a/nursery/receive-and-write-data-from-server-to-client.yml +++ b/nursery/receive-and-write-data-from-server-to-client.yml @@ -4,7 +4,9 @@ rule: namespace: communication/c2/file-transfer authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - match: receive data diff --git a/nursery/reference-114dns-dns-server.yml b/nursery/reference-114dns-dns-server.yml index 276169dd6..c1ac922a2 100644 --- a/nursery/reference-114dns-dns-server.yml +++ b/nursery/reference-114dns-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.114dns.com/ - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP diff --git a/nursery/reference-aes-constants.yml b/nursery/reference-aes-constants.yml index f523e98d9..171f5b0cd 100644 --- a/nursery/reference-aes-constants.yml +++ b/nursery/reference-aes-constants.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/encryption/aes authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] features: diff --git a/nursery/reference-alidns-dns-server.yml b/nursery/reference-alidns-dns-server.yml index 45f30f1b9..1a35101ae 100644 --- a/nursery/reference-alidns-dns-server.yml +++ b/nursery/reference-alidns-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.alidns.com/ # examples: diff --git a/nursery/reference-base58-string.yml b/nursery/reference-base58-string.yml index f1d2e324d..e0e2d1566 100644 --- a/nursery/reference-base58-string.yml +++ b/nursery/reference-base58-string.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0, I, O, and l). Base58 is used to represent bitcoin addresses. - scope: file + scopes: + static: file + dynamic: file att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/reference-cloudflare-dns-server.yml b/nursery/reference-cloudflare-dns-server.yml index e3db38007..dd7e512cc 100644 --- a/nursery/reference-cloudflare-dns-server.yml +++ b/nursery/reference-cloudflare-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-comodo-secure-dns-server.yml b/nursery/reference-comodo-secure-dns-server.yml index af5beb86a..b7664ff2c 100644 --- a/nursery/reference-comodo-secure-dns-server.yml +++ b/nursery/reference-comodo-secure-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-cryptocurrency-strings.yml b/nursery/reference-cryptocurrency-strings.yml index 3d0f2c630..f727819fd 100644 --- a/nursery/reference-cryptocurrency-strings.yml +++ b/nursery/reference-cryptocurrency-strings.yml @@ -4,7 +4,9 @@ rule: namespace: impact/cryptocurrency authors: - moritz.raabe@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Impact::Resource Hijacking [T1496] references: diff --git a/nursery/reference-google-public-dns-server.yml b/nursery/reference-google-public-dns-server.yml index ea5d54eab..fccdc8e79 100644 --- a/nursery/reference-google-public-dns-server.yml +++ b/nursery/reference-google-public-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server - https://developers.google.com/speed/public-dns/docs/using diff --git a/nursery/reference-hurricane-electric-dns-server.yml b/nursery/reference-hurricane-electric-dns-server.yml index bb772d8a2..c90176fe0 100644 --- a/nursery/reference-hurricane-electric-dns-server.yml +++ b/nursery/reference-hurricane-electric-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://dns.he.net/ - https://dnslytics.com/ip/216.66.1.2 diff --git a/nursery/reference-kornet-dns-server.yml b/nursery/reference-kornet-dns-server.yml index e02deda01..f08d6b3c5 100644 --- a/nursery/reference-kornet-dns-server.yml +++ b/nursery/reference-kornet-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://whatismyipaddress.com/ip/168.126.63.1 # examples: diff --git a/nursery/reference-l3-dns-server.yml b/nursery/reference-l3-dns-server.yml index b570ed360..0a0f1f98e 100644 --- a/nursery/reference-l3-dns-server.yml +++ b/nursery/reference-l3-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.quora.com/What-is-a-4-2-2-1-DNS-server features: diff --git a/nursery/reference-opendns-dns-server.yml b/nursery/reference-opendns-dns-server.yml index 02f1449c6..128ed6171 100644 --- a/nursery/reference-opendns-dns-server.yml +++ b/nursery/reference-opendns-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-processor-manufacturer-constants.yml b/nursery/reference-processor-manufacturer-constants.yml index 34aef0c97..3c34f08c9 100644 --- a/nursery/reference-processor-manufacturer-constants.yml +++ b/nursery/reference-processor-manufacturer-constants.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/reference-quad9-dns-server.yml b/nursery/reference-quad9-dns-server.yml index c1b715bcb..74188a337 100644 --- a/nursery/reference-quad9-dns-server.yml +++ b/nursery/reference-quad9-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-screen-saver-executable.yml b/nursery/reference-screen-saver-executable.yml index 5c3ffe4c0..f6507eb93 100644 --- a/nursery/reference-screen-saver-executable.yml +++ b/nursery/reference-screen-saver-executable.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Event Triggered Execution::Screensaver [T1546.002] features: diff --git a/nursery/reference-startup-folder.yml b/nursery/reference-startup-folder.yml index bdc762f6d..1ea425441 100644 --- a/nursery/reference-startup-folder.yml +++ b/nursery/reference-startup-folder.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/startup-folder authors: - matthew.williams@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] features: diff --git a/nursery/reference-the-vmware-io-port.yml b/nursery/reference-the-vmware-io-port.yml index 668ee70fb..e663d4739 100644 --- a/nursery/reference-the-vmware-io-port.yml +++ b/nursery/reference-the-vmware-io-port.yml @@ -4,7 +4,9 @@ rule: namespace: anti-analysis/anti-vm/vm-detection authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/reference-verisign-dns-server.yml b/nursery/reference-verisign-dns-server.yml index 721abdc24..626ae4b99 100644 --- a/nursery/reference-verisign-dns-server.yml +++ b/nursery/reference-verisign-dns-server.yml @@ -4,7 +4,9 @@ rule: namespace: communication/dns authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/register-http-server-url.yml b/nursery/register-http-server-url.yml index 241cff21a..7eec08e4c 100644 --- a/nursery/register-http-server-url.yml +++ b/nursery/register-http-server-url.yml @@ -5,7 +5,9 @@ rule: namespace: communication/http/server authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: httpapi.HttpAddUrl diff --git a/nursery/register-raw-input-devices.yml b/nursery/register-raw-input-devices.yml index 90dc25fea..ddfed489c 100644 --- a/nursery/register-raw-input-devices.yml +++ b/nursery/register-raw-input-devices.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/hardware authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - or: - api: user32.RegisterRawInputDevices diff --git a/nursery/resize-volume-shadow-copy-storage.yml b/nursery/resize-volume-shadow-copy-storage.yml index e22bf7dba..13c390757 100644 --- a/nursery/resize-volume-shadow-copy-storage.yml +++ b/nursery/resize-volume-shadow-copy-storage.yml @@ -5,7 +5,9 @@ rule: namespace: impact/inhibit-system-recovery authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - api: kernel32.DeviceIoControl diff --git a/nursery/resolve-function-by-djb2-hash.yml b/nursery/resolve-function-by-djb2-hash.yml index 744e3edf1..49d405084 100644 --- a/nursery/resolve-function-by-djb2-hash.yml +++ b/nursery/resolve-function-by-djb2-hash.yml @@ -5,7 +5,9 @@ rule: authors: - still@teamt5.org description: known import name hashes calculated using the non-cryptographic djb2 hashing algorithm - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] mbc: diff --git a/nursery/resolve-function-by-fnv-1a-hash.yml b/nursery/resolve-function-by-fnv-1a-hash.yml index 4973735ea..7f323956a 100644 --- a/nursery/resolve-function-by-fnv-1a-hash.yml +++ b/nursery/resolve-function-by-fnv-1a-hash.yml @@ -5,7 +5,9 @@ rule: authors: - still@teamt5.org description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] references: diff --git a/nursery/resolve-function-by-hash.yml b/nursery/resolve-function-by-hash.yml index 61bcc2f99..9e84d6a67 100644 --- a/nursery/resolve-function-by-hash.yml +++ b/nursery/resolve-function-by-hash.yml @@ -4,7 +4,9 @@ rule: namespace: linking/runtime-linking authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] references: diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml index 374d4b2cc..59c454d59 100644 --- a/nursery/run-in-container.yml +++ b/nursery/run-in-container.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/container/docker authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Execution::Container Administration Command [T1609] references: diff --git a/nursery/save-image-in-dotnet.yml b/nursery/save-image-in-dotnet.yml index 7cedd61a1..1277a17e3 100644 --- a/nursery/save-image-in-dotnet.yml +++ b/nursery/save-image-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: collection authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope features: - and: - api: System.Drawing.Image::Save diff --git a/nursery/schedule-task-via-itaskservice.yml b/nursery/schedule-task-via-itaskservice.yml index 09c84745b..ddc46cebe 100644 --- a/nursery/schedule-task-via-itaskservice.yml +++ b/nursery/schedule-task-via-itaskservice.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/scheduled-tasks authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] features: diff --git a/nursery/search-for-credit-card-data.yml b/nursery/search-for-credit-card-data.yml index 1c90a1942..8e881db76 100644 --- a/nursery/search-for-credit-card-data.yml +++ b/nursery/search-for-credit-card-data.yml @@ -4,7 +4,9 @@ rule: namespace: collection/credit-card authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope features: - and: - instruction: diff --git a/nursery/send-data-to-internet.yml b/nursery/send-data-to-internet.yml index 899ade401..2804c7ce2 100644 --- a/nursery/send-data-to-internet.yml +++ b/nursery/send-data-to-internet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - optional: diff --git a/nursery/send-email-in-dotnet.yml b/nursery/send-email-in-dotnet.yml index 4576c7253..ad6fa4c9d 100644 --- a/nursery/send-email-in-dotnet.yml +++ b/nursery/send-email-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/smtp/send authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Web.Mail.SmtpMail::Send diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml index 4646f8932..31c469722 100644 --- a/nursery/send-http-request-with-host-header.yml +++ b/nursery/send-http-request-with-host-header.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - anamaria.martinezgom@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - and: - match: send HTTP request diff --git a/nursery/send-keystrokes.yml b/nursery/send-keystrokes.yml index 0fc5eea3b..d01877d5a 100644 --- a/nursery/send-keystrokes.yml +++ b/nursery/send-keystrokes.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/hardware/keyboard authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Windows.Forms.SendKeys::Send diff --git a/nursery/send-request-in-dotnet.yml b/nursery/send-request-in-dotnet.yml index b186b92a2..9c66ac39a 100644 --- a/nursery/send-request-in-dotnet.yml +++ b/nursery/send-request-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http/client authors: - anushka.virgaonakr@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Command and Control::Application Layer Protocol::Web Protocols [T1071.001] mbc: diff --git a/nursery/send-sms-on-android.yml b/nursery/send-sms-on-android.yml index 825432752..93038748a 100644 --- a/nursery/send-sms-on-android.yml +++ b/nursery/send-sms-on-android.yml @@ -4,7 +4,9 @@ rule: namespace: communication/sms authors: - "@mr-tz" - scope: function + scopes: + static: function + dynamic: thread # att&ck: # - Mobile::SMS Control [T1582] features: diff --git a/nursery/serialize-json-in-dotnet.yml b/nursery/serialize-json-in-dotnet.yml index b23f85ed1..724778648 100644 --- a/nursery/serialize-json-in-dotnet.yml +++ b/nursery/serialize-json-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: data-manipulation/json authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.Web.Script.Serialization.JavaScriptSerializer::Serialize diff --git a/nursery/set-current-directory.yml b/nursery/set-current-directory.yml index 6102bd4e7..f95e6e0b4 100644 --- a/nursery/set-current-directory.yml +++ b/nursery/set-current-directory.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/file-system authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - or: - api: System.IO.Directory::SetCurrentDirectory diff --git a/nursery/set-global-application-hook.yml b/nursery/set-global-application-hook.yml index d634231cd..c4fe59616 100644 --- a/nursery/set-global-application-hook.yml +++ b/nursery/set-global-application-hook.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/gui authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - api: user32.SetWindowsHookEx diff --git a/nursery/set-http-cookie.yml b/nursery/set-http-cookie.yml index 91cc5844f..98e5e6044 100644 --- a/nursery/set-http-cookie.yml +++ b/nursery/set-http-cookie.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope att&ck: - Command and Control::Application Layer Protocol::Web Protocols [T1071.001] references: diff --git a/nursery/set-http-user-agent-in-dotnet.yml b/nursery/set-http-user-agent-in-dotnet.yml index 8634da64d..1c0c5c2b7 100644 --- a/nursery/set-http-user-agent-in-dotnet.yml +++ b/nursery/set-http-user-agent-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope features: - or: - property/write: System.Net.HttpWebRequest::UserAgent diff --git a/nursery/set-registry-value-via-stdregprov.yml b/nursery/set-registry-value-via-stdregprov.yml index 1f194339a..ecc12bb55 100644 --- a/nursery/set-registry-value-via-stdregprov.yml +++ b/nursery/set-registry-value-via-stdregprov.yml @@ -5,7 +5,9 @@ rule: namespace: host-interaction/registry authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml index 9c9694da0..bd763cf41 100644 --- a/nursery/set-thread-name-on-linux.yml +++ b/nursery/set-thread-name-on-linux.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/thread authors: - michael.hunhoff@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead features: - and: - os: linux diff --git a/nursery/set-web-proxy-in-dotnet.yml b/nursery/set-web-proxy-in-dotnet.yml index 415c5b60a..745cc579b 100644 --- a/nursery/set-web-proxy-in-dotnet.yml +++ b/nursery/set-web-proxy-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: communication/http authors: - michael.hunhoff@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature property for dynamic scope features: - and: - property/write: System.Net.WebRequest::Proxy diff --git a/nursery/terminate-process-by-name-in-dotnet.yml b/nursery/terminate-process-by-name-in-dotnet.yml index 4dbeeb16f..d54e5029b 100644 --- a/nursery/terminate-process-by-name-in-dotnet.yml +++ b/nursery/terminate-process-by-name-in-dotnet.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/terminate authors: - anushka.virgaonkar@mandiant.com - scope: function + scopes: + static: function + dynamic: thread features: - and: - api: System.Diagnostics.Process::GetProcessesByName diff --git a/nursery/terminate-process-by-name.yml b/nursery/terminate-process-by-name.yml index 7b0df849d..51dda73d3 100644 --- a/nursery/terminate-process-by-name.yml +++ b/nursery/terminate-process-by-name.yml @@ -4,7 +4,9 @@ rule: namespace: host-interaction/process/terminate authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match # examples: # - unpacked Cl0p ransomware features: diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml index bb317854f..2f5426f23 100644 --- a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml +++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs - scope: function + scopes: + static: function + dynamic: thread features: - and: - or: diff --git a/nursery/unmanaged-call.yml b/nursery/unmanaged-call.yml index bb07ed993..2a9396804 100644 --- a/nursery/unmanaged-call.yml +++ b/nursery/unmanaged-call.yml @@ -5,7 +5,9 @@ rule: authors: - michael.hunhoff@mandiant.com description: managed code calls unmanaged (native) code, often seen in .NET - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match features: - or: - characteristic: unmanaged call diff --git a/persistence/act-as-dhcp-server-callout-dll.yml b/persistence/act-as-dhcp-server-callout-dll.yml index 4a3096325..b07342510 100644 --- a/persistence/act-as-dhcp-server-callout-dll.yml +++ b/persistence/act-as-dhcp-server-callout-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Server Software Component [T1505] references: diff --git a/persistence/act-as-dns-server-plugin-dll.yml b/persistence/act-as-dns-server-plugin-dll.yml index b458b41e3..11ac906a9 100644 --- a/persistence/act-as-dns-server-plugin-dll.yml +++ b/persistence/act-as-dns-server-plugin-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Server Software Component [T1505] references: diff --git a/persistence/authentication-process/act-as-credential-manager-dll.yml b/persistence/authentication-process/act-as-credential-manager-dll.yml index 476b650ca..29b726496 100644 --- a/persistence/authentication-process/act-as-credential-manager-dll.yml +++ b/persistence/authentication-process/act-as-credential-manager-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/authentication-process authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008] examples: diff --git a/persistence/authentication-process/act-as-password-filter-dll.yml b/persistence/authentication-process/act-as-password-filter-dll.yml index a8cbeeb1a..fc90ac552 100644 --- a/persistence/authentication-process/act-as-password-filter-dll.yml +++ b/persistence/authentication-process/act-as-password-filter-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/authentication-process authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Modify Authentication Process::Password Filter DLL [T1556.002] examples: diff --git a/persistence/authentication-process/act-as-security-support-provider-dll.yml b/persistence/authentication-process/act-as-security-support-provider-dll.yml index 9776f1f03..2f9f60451 100644 --- a/persistence/authentication-process/act-as-security-support-provider-dll.yml +++ b/persistence/authentication-process/act-as-security-support-provider-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/authentication-process authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005] references: diff --git a/persistence/authentication-process/act-as-subauthentication-package-dll.yml b/persistence/authentication-process/act-as-subauthentication-package-dll.yml index c0def1dd4..936dde16c 100644 --- a/persistence/authentication-process/act-as-subauthentication-package-dll.yml +++ b/persistence/authentication-process/act-as-subauthentication-package-dll.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/authentication-process authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002] references: diff --git a/persistence/create-shortcut-via-ishelllink.yml b/persistence/create-shortcut-via-ishelllink.yml index 94c2cbdad..5c6930051 100644 --- a/persistence/create-shortcut-via-ishelllink.yml +++ b/persistence/create-shortcut-via-ishelllink.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009] references: diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml index ae24c8096..e61481268 100644 --- a/persistence/exchange/act-as-exchange-transport-agent.yml +++ b/persistence/exchange/act-as-exchange-transport-agent.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/exchange authors: - jakub.jozwiak@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Persistence::Server Software Component::Transport Agent [T1505.002] references: diff --git a/persistence/iis/persist-via-iis-module.yml b/persistence/iis/persist-via-iis-module.yml index cee74ded4..f499c2228 100644 --- a/persistence/iis/persist-via-iis-module.yml +++ b/persistence/iis/persist-via-iis-module.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Server Software Component::IIS Components [T1505.004] examples: diff --git a/persistence/iis/persist-via-isapi-extension.yml b/persistence/iis/persist-via-isapi-extension.yml index 89230c9b8..f568da947 100644 --- a/persistence/iis/persist-via-isapi-extension.yml +++ b/persistence/iis/persist-via-isapi-extension.yml @@ -5,7 +5,9 @@ rule: authors: - william.ballenthin@mandiant.com description: Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Server Software Component::IIS Components [T1505.004] examples: diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml index 446bdcb92..913d5d196 100644 --- a/persistence/office/act-as-excel-xll-add-in.yml +++ b/persistence/office/act-as-excel-xll-add-in.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/office authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Office Application Startup::Add-ins [T1137.006] references: diff --git a/persistence/office/act-as-office-com-add-in.yml b/persistence/office/act-as-office-com-add-in.yml index bfb1dd094..40058739a 100644 --- a/persistence/office/act-as-office-com-add-in.yml +++ b/persistence/office/act-as-office-com-add-in.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/office authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature class for dynamic scope att&ck: - Persistence::Office Application Startup::Add-ins [T1137.006] references: diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml index 74bebc560..34e939810 100644 --- a/persistence/office/act-as-word-wll-add-in.yml +++ b/persistence/office/act-as-word-wll-add-in.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/office authors: - jakub.jozwiak@mandiant.com - scope: file + scopes: + static: file + dynamic: file att&ck: - Persistence::Office Application Startup::Add-ins [T1137.006] references: diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml index 3a1ed3423..393af5a3d 100644 --- a/persistence/persist-via-desktop-autostart.yml +++ b/persistence/persist-via-desktop-autostart.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013] examples: diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml index 73ecb0f2c..d57c45dde 100644 --- a/persistence/persist-via-shell-profile-or-rc-file.yml +++ b/persistence/persist-via-shell-profile-or-rc-file.yml @@ -4,7 +4,9 @@ rule: namespace: persistence authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004] examples: diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml index 42872d58f..016a640c0 100644 --- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml +++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry/appinitdlls authors: - william.ballenthin@fireye.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] diff --git a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml index 69863387c..2a2691718 100644 --- a/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml +++ b/persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry/appinitdlls authors: - michael.hunhoff@fireye.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] references: diff --git a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml index 0ae9335ed..86504f958 100644 --- a/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml +++ b/persistence/registry/ginadll/persist-via-ginadll-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry/ginadll authors: - michael.hunhoff@fireye.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Event Triggered Execution [T1546] examples: diff --git a/persistence/registry/persist-via-active-setup-registry-key.yml b/persistence/registry/persist-via-active-setup-registry-key.yml index 64628d2a9..bcdf38c68 100644 --- a/persistence/registry/persist-via-active-setup-registry-key.yml +++ b/persistence/registry/persist-via-active-setup-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Autostart Execution::Active Setup [T1547.014] references: diff --git a/persistence/registry/run/persist-via-run-registry-key.yml b/persistence/registry/run/persist-via-run-registry-key.yml index 0f11f5228..ed682563f 100644 --- a/persistence/registry/run/persist-via-run-registry-key.yml +++ b/persistence/registry/run/persist-via-run-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry/run authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] mbc: diff --git a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml index b11e8819e..480d1ef11 100644 --- a/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml +++ b/persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/registry/winlogon-helper authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Autostart Execution::Winlogon Helper DLL [T1547.004] examples: diff --git a/persistence/scheduled-tasks/schedule-task-via-at.yml b/persistence/scheduled-tasks/schedule-task-via-at.yml index ad25216ed..8e75a4868 100644 --- a/persistence/scheduled-tasks/schedule-task-via-at.yml +++ b/persistence/scheduled-tasks/schedule-task-via-at.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/scheduled-tasks authors: - joren485 - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Scheduled Task/Job::At [T1053.002] examples: diff --git a/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml b/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml index 5c20d31d3..20d2574cd 100644 --- a/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml +++ b/persistence/scheduled-tasks/schedule-task-via-itaskscheduler.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/scheduled-tasks authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains unsupported feature bytes for dynamic scope att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] examples: diff --git a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml index da75b2be9..6fbeaf577 100644 --- a/persistence/scheduled-tasks/schedule-task-via-schtasks.yml +++ b/persistence/scheduled-tasks/schedule-task-via-schtasks.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/scheduled-tasks authors: - 0x534a@mailbox.org - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] examples: diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml index 1d4c6b0a0..3be10c166 100644 --- a/persistence/service/persist-via-rc-script.yml +++ b/persistence/service/persist-via-rc-script.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/service authors: - joakim@intezer.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004] examples: diff --git a/persistence/service/persist-via-windows-service.yml b/persistence/service/persist-via-windows-service.yml index a7b307866..fc86e0934 100644 --- a/persistence/service/persist-via-windows-service.yml +++ b/persistence/service/persist-via-windows-service.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/service authors: - moritz.raabe@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains Subscope att&ck: - Persistence::Create or Modify System Process::Windows Service [T1543.003] - Execution::System Services::Service Execution [T1569.002] diff --git a/persistence/startup-folder/get-startup-folder.yml b/persistence/startup-folder/get-startup-folder.yml index bc6717947..3fcc847f3 100644 --- a/persistence/startup-folder/get-startup-folder.yml +++ b/persistence/startup-folder/get-startup-folder.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/startup-folder authors: - matthew.williams@mandiant.com - scope: basic block + scopes: + static: basic block + dynamic: call # TODO check if scope thread instead att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] examples: diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml index 7ac1c0597..e6ab90b24 100644 --- a/persistence/startup-folder/write-file-to-startup-folder.yml +++ b/persistence/startup-folder/write-file-to-startup-folder.yml @@ -4,7 +4,9 @@ rule: namespace: persistence/startup-folder authors: - matthew.williams@mandiant.com - scope: function + scopes: + static: function + dynamic: unspecified # TODO upgrade manually, contains match att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] examples: diff --git a/runtime/dotnet/compiled-to-the-dotnet-platform.yml b/runtime/dotnet/compiled-to-the-dotnet-platform.yml index 661c7fa6f..869a0918a 100644 --- a/runtime/dotnet/compiled-to-the-dotnet-platform.yml +++ b/runtime/dotnet/compiled-to-the-dotnet-platform.yml @@ -4,7 +4,9 @@ rule: namespace: runtime/dotnet authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file examples: - b9f5bd514485fb06da39beff051b9fdc features: diff --git a/runtime/dotnet/execute-via-dotnet-startup-hook.yml b/runtime/dotnet/execute-via-dotnet-startup-hook.yml index f3e1b6bbe..75a8c4813 100644 --- a/runtime/dotnet/execute-via-dotnet-startup-hook.yml +++ b/runtime/dotnet/execute-via-dotnet-startup-hook.yml @@ -4,7 +4,9 @@ rule: namespace: runtime/dotnet authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: unspecified # TODO upgrade manually, contains unsupported feature function-name for dynamic scope references: - https://rastamouse.me/net-startup-hooks/ - https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md diff --git a/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml b/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml index 2d150e12a..d82caa4a6 100644 --- a/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml +++ b/targeting/automated-teller-machine/diebold-nixdorf/load-diebold-nixdorf-atm-library.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/automated-teller-machine/diebold-nixdorf authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html examples: diff --git a/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml b/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml index 4d455449e..5988d1b16 100644 --- a/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml +++ b/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/automated-teller-machine/diebold-nixdorf authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.mandiant.com/resources/new-ploutus-variant examples: diff --git a/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml b/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml index 4c8b495a6..52cea4958 100644 --- a/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml +++ b/targeting/automated-teller-machine/identify-atm-dispenser-service-provider.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/automated-teller-machine authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://doc.axxonsoft.com/confluence/display/atm70en/Configuring+the+connection+to+the+dispenser+service+provider examples: diff --git a/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml b/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml index bd47629a7..5d733dd4b 100644 --- a/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml +++ b/targeting/automated-teller-machine/ncr/load-ncr-atm-library.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/automated-teller-machine/ncr authors: - william.ballenthin@mandiant.com - scope: file + scopes: + static: file + dynamic: file references: - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html examples: diff --git a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml index a0973a996..7354fd6e4 100644 --- a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml +++ b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/automated-teller-machine/ncr authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread references: - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html examples: diff --git a/targeting/language/identify-system-language-via-api.yml b/targeting/language/identify-system-language-via-api.yml index 6645fc322..7ba9a0a21 100644 --- a/targeting/language/identify-system-language-via-api.yml +++ b/targeting/language/identify-system-language-via-api.yml @@ -4,7 +4,9 @@ rule: namespace: targeting/language authors: - william.ballenthin@mandiant.com - scope: function + scopes: + static: function + dynamic: thread att&ck: - Discovery::System Location Discovery::System Language Discovery [T1614.001] examples: