
use "span of calls" scope #973

Open. Wants to merge 5 commits into base: master

Conversation

@williballenthin williballenthin (Collaborator) commented Dec 17, 2024

like #972
supporting mandiant/capa#2532

```fish
# fish shell syntax: the nested (rg -l ...) command substitutions list the rule
# files that declare `dynamic: thread` together with the given static scope,
# and sed then rewrites that dynamic scope in place.
sed -i 's/dynamic: thread/dynamic: sequence/g' (rg -l 'static: function' (rg -l 'dynamic: thread'))
sed -i 's/dynamic: thread/dynamic: sequence/g' (rg -l 'static: basic block' (rg -l 'dynamic: thread'))
```

@williballenthin williballenthin changed the title use sequence scope use "span of calls" scope Jan 17, 2025
@williballenthin williballenthin marked this pull request as ready for review January 17, 2025 12:56
@williballenthin williballenthin requested a review from a team January 17, 2025 12:56
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: basic block
dynamic: thread
dynamic: span of calls
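Review bot: the file path for this hunk has not survived rendering, so the rule being narrowed from `dynamic: thread` to `dynamic: span of calls` cannot be identified from the diff alone; whether the even narrower `dynamic: call` suggested for it is safe depends on the rule's feature block, which the hunk does not show, so check that every feature the rule needs can occur within one call before accepting that suggestion, since otherwise the rule silently stops matching under dynamic analysis.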

Suggested change
dynamic: span of calls
dynamic: call

@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: basic block
dynamic: thread
dynamic: span of calls

Suggested change
dynamic: span of calls
dynamic: call

@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: basic block
dynamic: thread
dynamic: span of calls

Suggested change
dynamic: span of calls
dynamic: call

@@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: span of calls
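Review bot: the first of the two suggestions under this hunk replaces `dynamic: span of calls` with itself and is a no-op, so it should be dismissed, leaving only the `dynamic: call` suggestion to resolve; since this hunk pairs the narrowed dynamic scope with `static: function`, the wider of the two static scopes touched in this PR, confirm against the rule's features (not shown in the hunk) that a function-wide rule still fits within a single call before narrowing it further.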

Suggested change
dynamic: span of calls
dynamic: span of calls
Suggested change
dynamic: span of calls
dynamic: call

@@ -6,7 +6,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: span of calls

Suggested change
dynamic: span of calls
dynamic: call

@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: function
dynamic: thread
dynamic: span of calls

Suggested change
dynamic: span of calls
dynamic: call

@@ -8,7 +8,7 @@ rule:
- [email protected]
scopes:
static: function
dynamic: thread
dynamic: span of calls

Suggested change
dynamic: span of calls
dynamic: call

@mike-hunhoff mike-hunhoff (Collaborator) left a comment

I spot checked ~30 of these rules and the changes look reasonable to me.

Generally, we need to assess the existing capa rules (I don't recommend doing it in this PR) for opportunities to tighten up the scopes (I've left comments on a few of these that I noticed here) to reduce FP (and improve performance??). I imagine this would be implemented as a lint that verifies the scopes specified for a new rule are the smallest possible, accounting for match features and whatnot. We should also add a lint that verifies scopes align correctly for match features, iirc we've encountered this in the past, and I'm sure it'll only be more of an issue as we've added new scopes.
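A minimal version of the second lint proposed in the comment above, added here as an example rather than capa's own linter: it assumes the scope orderings listed in the code and that a rule may only `match:` rules at the same or a narrower scope, and the two sample rules are constructed, not taken from capa-rules.

```python
import re
from typing import Dict, List, Tuple

# Scope orderings, widest first. Assumption of this example: a rule may only
# `match:` rules at the same or a narrower scope, so a wider target is a finding.
STATIC_RANK = {"file": 0, "function": 1, "basic block": 2, "instruction": 3}
DYNAMIC_RANK = {"file": 0, "process": 1, "thread": 2, "span of calls": 3, "call": 4}

_FIELD = re.compile(r"^\s*(name|static|dynamic):\s*(.+?)\s*$", re.M)
_MATCH = re.compile(r"^\s*-\s*match:\s*(.+?)\s*$", re.M)


def parse_rule(text: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Extract (name, scopes, match references) from capa rule YAML text."""
    fields = dict(_FIELD.findall(text))
    scopes = {k: fields[k] for k in ("static", "dynamic") if k in fields}
    return fields.get("name", "<unnamed>"), scopes, _MATCH.findall(text)


def lint_match_scopes(rule_texts: List[str]) -> List[str]:
    """One finding per `match:` whose target is scoped wider than the referencing rule."""
    parsed = {name: (scopes, refs) for name, scopes, refs in map(parse_rule, rule_texts)}
    findings = []
    for name, (scopes, refs) in parsed.items():
        for ref in refs:
            if ref not in parsed:
                findings.append(f"{name}: match references unknown rule '{ref}'")
                continue
            target = parsed[ref][0]
            for flavor, rank in (("static", STATIC_RANK), ("dynamic", DYNAMIC_RANK)):
                mine, theirs = scopes.get(flavor), target.get(flavor)
                # unknown or unsupported scope names are skipped rather than guessed at
                if mine in rank and theirs in rank and rank[theirs] < rank[mine]:
                    findings.append(f"{name}: {flavor} scope '{mine}' cannot match "
                                    f"'{ref}' scoped '{theirs}'")
    return findings


# Constructed sample rules, cut down to the fields the lint reads.
SAMPLE_RULES = [
    "rule:\n  meta:\n    name: create file\n    scopes:\n      static: function\n"
    "      dynamic: thread\n  features:\n    - api: kernel32.CreateFile\n",
    "rule:\n  meta:\n    name: write file\n    scopes:\n      static: basic block\n"
    "      dynamic: span of calls\n  features:\n    - and:\n      - match: create file\n"
    "      - api: kernel32.WriteFile\n",
]

if __name__ == "__main__":
    for finding in lint_match_scopes(SAMPLE_RULES):
        print(finding)
```

The second sample rule is narrower on both the static and the dynamic side than the rule it references, so the lint reports one finding per scope flavor.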
