initial commit

anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
     mbc:

anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]
       - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]

anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]
     references:

anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
     references:

anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]
     examples:

anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate)
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008]
     references:

anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-disasm
     authors:
       - [email protected]
-    scope: file
+    scopes:
+      static: file
+      dynamic: unspecified   # rule hasn't been migrated yet
     mbc:
       - Anti-Static Analysis::Disassembler Evasion [B0012]
     examples:

anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-emulation/wine
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/clear-logs
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:

anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

anti-analysis/anti-forensic/impersonate-file-version-information.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Indicator Removal [T1070]
     references:

anti-analysis/anti-forensic/patch-process-command-line.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Process Injection [T1055]
     mbc:

anti-analysis/anti-forensic/self-deletion/self-delete.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@mr-tz"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

anti-analysis/anti-forensic/spoof-parent-pid.yml

@@ -5,7 +5,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
     references:

anti-analysis/anti-forensic/timestomp/timestomp-file.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/timestomp
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
     examples:

anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     references:

anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - "@_re_fox"
       - "[email protected]"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - BitsOfBinary
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified   # rule hasn't been migrated yet
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc: