From ea4cba7cca5d2c5ba53e63215ca2dbd892db2896 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Mon, 16 Dec 2024 09:44:51 +0000
Subject: [PATCH] tmp: update to newscope (placeholder)
---
 README.md | 2 +-
 anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml | 2 +-
 .../anti-av/overwrite-dll-text-section-to-remove-hooks.yml | 2 +-
 .../anti-av/patch-antimalware-scan-interface-function.yml | 2 +-
 .../anti-av/patch-event-tracing-for-windows-function.yml | 2 +-
 .../debugger-detection/check-for-outputdebugstring-error.yml | 2 +-
 .../debugger-detection/check-for-protected-handle-exception.yml | 2 +-
 .../check-for-time-delay-via-queryperformancecounter.yml | 2 +-
 .../debugger-detection/check-process-job-object.yml | 2 +-
 .../debugger-evasion/hide-thread-from-debugger.yml | 2 +-
 .../wine/check-if-process-is-running-under-wine.yml | 2 +-
 .../anti-forensic/clear-logs/clear-windows-event-logs.yml | 2 +-
 .../anti-forensic/crash-the-windows-event-logging-service.yml | 2 +-
 .../anti-forensic/impersonate-file-version-information.yml | 2 +-
 .../self-deletion/self-delete-using-alternate-data-streams.yml | 2 +-
 anti-analysis/anti-forensic/self-deletion/self-delete.yml | 2 +-
 anti-analysis/anti-forensic/timestomp/timestomp-file.yml | 2 +-
 .../vm-detection/check-for-microsoft-office-emulation.yml | 2 +-
 .../vm-detection/check-for-sandbox-username-or-hostname.yml | 2 +-
 19 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 73697eada..fc1e9cdb7 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] mbc:
diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
index b8d988045..a95e74a55 100644
--- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
+++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread + dynamic: newscope mbc: - Anti-Behavioral Analysis::Virtual Machine Detection [B0009] - Anti-Behavioral Analysis::Sandbox Detection [B0007]
diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
index d94e257af..807662fbd 100644
--- a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
+++ b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 446a093d8..f2d2419f7 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index e6b51df19..b6382ddf9 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
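Review bot: `dynamic: newscope` on the added line of this hunk is a literal placeholder, not a value the `scopes` block defines, so this rule will presumably be rejected by whatever validates rule metadata until the real scope name is substituted; the same replacement lands in the other 18 hunks of this patch, including the README example that users copy from. The commit subject flags the change as `tmp`, but nothing in the rule files themselves records that, so a stray merge would ship rules whose only change is an invalid field. If the change has to land before the name is settled, keep `dynamic: thread` in the rules and introduce the new scope in the same commit that teaches the validator about it, so the rule corpus never has a state in which every file fails to load. Because all 19 hunks are the same one-line substitution, a scripted pass over the same file list once the name is known would avoid a second round of hand edits.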
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
index 22a2cbc99..9d15ccc35 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: newscope mbc: - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index 0a64a2e82..2c775834b 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope mbc: - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
index f1656e395..11e171005 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope mbc: - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033] examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index ef93144b0..df7df93f0 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references:
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index fe4208219..ffc2cedd2 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc:
diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
index 61e60213c..a2fc0d5f7 100644
--- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
+++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index 797171c94..6082cd910 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] examples:
diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
index 5f0ad7240..8e25a1c88 100644
--- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
+++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] references:
diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
index c21faefe4..629b81d5b 100644
--- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml
+++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule: description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application. scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Indicator Removal [T1070] references:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 15cce5d91..fda47f953 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule: - daniel.stepanic@elastic.co scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Indicator Removal::File Deletion [T1070.004] mbc:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index c467d957d..22bd75d8a 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Indicator Removal::File Deletion [T1070.004] mbc:
diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
index 2041fc937..f2ea4e589 100644
--- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
+++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Indicator Removal::Timestomp [T1070.006] examples:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
index 6471461d7..e73635326 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
index 8b7e3e9ad..d5fe942a2 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule: - "echernofsky@google.com" scopes: static: function - dynamic: thread + dynamic: newscope att&ck: - Defense Evasion::Virtualization/Sandbox Evasion [T1497] mbc: