upgrade rules using updated script

mandiant · Nov 24, 2023 · 784c9dc · 784c9dc
1 parent e0d5e95
commit 784c9dc
Show file tree

Hide file tree

Showing 847 changed files with 2,541 additions and 847 deletions.
diff --git a/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: thread  # TODO check if scope call instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: thread  # TODO check if scope call instead
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml b/anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: thread  # TODO check if scope call instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: call
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]
       - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires offset, mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]
     references:

diff --git a/...debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml b/...debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unsupported  # requires offset features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires offset, mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]
     examples:

diff --git a/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml b/anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains subscope
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

diff --git a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate)
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires characteristic, mnemonic features
     mbc:
       - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008]
     references:

diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-disasm
     authors:
       - [email protected]
-    scope: file
+    scopes:
+      static: file
+      dynamic: file
     mbc:
       - Anti-Static Analysis::Disassembler Evasion [B0012]
     examples:

diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-emulation/wine
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/clear-logs
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains subscope
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:

diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: thread  # TODO check if scope call instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Indicator Removal [T1070]
     references:

diff --git a/anti-analysis/anti-forensic/patch-process-command-line.yml b/anti-analysis/anti-forensic/patch-process-command-line.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires characteristic, offset features
     att&ck:
       - Defense Evasion::Process Injection [T1055]
     mbc:

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@mr-tz"
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

diff --git a/anti-analysis/anti-forensic/spoof-parent-pid.yml b/anti-analysis/anti-forensic/spoof-parent-pid.yml
@@ -5,7 +5,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     att&ck:
       - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
     references:

diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/timestomp
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
     examples:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires characteristic, mnemonic features
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -5,7 +5,9 @@ rule:
     authors:
       - "@_re_fox"
       - "[email protected]"
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml b/anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - BitsOfBinary
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: thread  # TODO check if scope call instead
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml
@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unsupported  # requires offset features
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc: