diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml
index 12b6e475..558553e0 100644
--- a/collection/keylog/log-keystrokes-via-application-hook.yml
+++ b/collection/keylog/log-keystrokes-via-application-hook.yml
@@ -5,7 +5,7 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     att&ck:
       - Collection::Input Capture::Keylogging [T1056.001]
diff --git a/host-interaction/gui/set-application-hook.yml b/host-interaction/gui/set-application-hook.yml
index 52299cbb..34175330 100644
--- a/host-interaction/gui/set-application-hook.yml
+++ b/host-interaction/gui/set-application-hook.yml
@@ -5,12 +5,11 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: thread
+      static: instruction
+      dynamic: call
     examples:
       - Practical Malware Analysis Lab 12-03.exe_:0x401000
   features:
-    - and:
-      - or:
-        - api: user32.SetWindowsHookEx
-        - api: user32.UnhookWindowsHookEx
+    - or:
+      - api: user32.SetWindowsHookEx
+      - api: user32.UnhookWindowsHookEx
diff --git a/linking/runtime-linking/link-function-at-runtime-on-windows.yml b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
index 58846573..57fb6f40 100644
--- a/linking/runtime-linking/link-function-at-runtime-on-windows.yml
+++ b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
@@ -6,8 +6,8 @@ rule:
       - moritz.raabe@mandiant.com
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: unsupported # requires characteristic features
+      static: instruction
+      dynamic: call
     att&ck:
       - Execution::Shared Modules [T1129]
     examples:
@@ -19,9 +19,3 @@ rule:
       - or:
         - api: kernel32.GetProcAddress
         - api: ntdll.LdrGetProcedureAddress
-      - optional:
-        - characteristic: indirect call
-        - api: kernel32.LoadLibrary
-        - api: kernel32.GetModuleHandle
-        - api: kernel32.GetModuleHandleEx
-        - api: ntdll.LdrLoadDll
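Review bot: In the set-application-hook.yml hunk the rule still fires on `api: user32.UnhookWindowsHookEx` alone, which tears a hook down rather than setting one, so a sample that only removes a hook is reported as "set application hook"; this predates the commit but the flattening of the single-child `and:` is a good moment to decide whether `- api: user32.SetWindowsHookEx` should be the only match here, with the unhook call moved to a rule named for what it does. The example `Practical Malware Analysis Lab 12-03.exe_:0x401000` looks like a function address; with the static scope narrowed to `instruction` it presumably should point at the instruction that makes the call, which the rule linter may now reject — confirm. The `dynamic: thread` to `dynamic: call` change is consistent with matching a single API feature, so no concern there.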
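Review bot: In the second link-function-at-runtime-on-windows.yml hunk, dropping the `optional:` block appears to leave the `- or:` at the top of the hunk as the only child of an `- and:` wrapper on the line just above the hunk (outside view); that is the same single-child `and:` that this commit flattens in set-application-hook.yml, so for consistency the wrapper should go here too, leaving `- or:` directly under `features:`. Removing the `LoadLibrary`/`GetModuleHandle*`/`LdrLoadDll` context also means the rule now matches any single `GetProcAddress`/`LdrGetProcedureAddress` call, which is common in benign binaries — acceptable for a building-block rule, but worth stating in the meta with a line such as `description: matches any runtime symbol resolution call; intentionally broad, combine with other rules for context`. The enclosing `features:` block starts outside the hunk.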