Merge pull request #795 from mandiant/fix-20230713-lints

fix lints
mandiant · Jul 13, 2023 · 7e100e1 · 7e100e1
2 parents e51b74e + 800186a
commit 7e100e1
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 7 deletions.
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -19,8 +19,8 @@ rule:
       - match: link function at runtime on Windows
       - or:
         - api: kernel32.VirtualProtect
-        - api: ntdll.NtProtectVirtualMemory
-        - api: ntdll.ZwProtectVirtualMemory
+        - api: ntdll.NtProtectVirtualMemory  # exported by only ntdll, not ntoskrnl
+        - api: ZwProtectVirtualMemory  # exported by both ntdll and ntoskrnl
         - string: "VirtualProtect"
         - string: "NtProtectVirtualMemory"
         - string: "ZwProtectVirtualMemory"

diff --git a/...tect-VM-via-disk-hardware-WMI-queries.yml → ...tect-vm-via-disk-hardware-wmi-queries.yml b/...tect-VM-via-disk-hardware-WMI-queries.yml → ...tect-vm-via-disk-hardware-wmi-queries.yml
@@ -1,7 +1,7 @@
 # generated using capa explorer for IDA Pro
 rule:
   meta:
-    name: detect VM via disk hardware WMI queries 
+    name: detect VM via disk hardware WMI queries
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - [email protected]

diff --git a/...-via-motherboard-hardware-WMI-queries.yml → ...-via-motherboard-hardware-wmi-queries.yml b/...-via-motherboard-hardware-WMI-queries.yml → ...-via-motherboard-hardware-wmi-queries.yml
diff --git a/...dows-directory-from-kuser_shared_data.yml → ...dows-directory-from-kuser_shared_data.yml b/...dows-directory-from-kuser_shared_data.yml → ...dows-directory-from-kuser_shared_data.yml
diff --git a/...indows-directory-using-indirect-calls.yml → ...indows-directory-using-indirect-calls.yml b/...indows-directory-using-indirect-calls.yml → ...indows-directory-using-indirect-calls.yml
@@ -10,8 +10,6 @@ rule:
     mbc:
       - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
       - Data::Encode Data::XOR [C0026.002]
-    examples:
-      - 9176F177BD88686C6BEB29D8BB05F20C:0x180001000
   features:
     - and:
       - match: write file on Windows

diff --git a/nursery/encrypt-data-using-aes.yml b/nursery/encrypt-data-using-aes.yml
@@ -15,8 +15,6 @@ rule:
     references:
       - https://github.com/JusticeRage/Manalyze/blob/8e77642c911d5d82b5f43b198667ab8c77a88763/bin/yara_rules/findcrypt.yara#L351
       - https://github.com/creaktive/tsh/blob/53b822b9a07d8cc65f1f31c915cf834a2944e833/aes.c
-    examples:
-      - D6EFF9EFA6F93CDE95E7A4194C1BC6EE:0x180002F50
   features:
     - or:
       - bytes: 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 = AES_SBOX_ENC