From 20e80d8c740b6b27a4764a0020628ae9800dfdf0 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin
Date: Tue, 17 Dec 2024 10:25:49 +0000
Subject: [PATCH 1/5] use sequence scope instead of thread scope for "static: function" rules
---
README.md | 2 +- .../anti-av/overwrite-dll-text-section-to-remove-hooks.yml | 2 +- .../anti-av/patch-antimalware-scan-interface-function.yml | 2 +- .../anti-av/patch-event-tracing-for-windows-function.yml | 2 +- .../debugger-detection/check-for-protected-handle-exception.yml | 2 +- .../check-for-time-delay-via-queryperformancecounter.yml | 2 +- .../debugger-detection/check-process-job-object.yml | 2 +- .../debugger-evasion/hide-thread-from-debugger.yml | 2 +- .../wine/check-if-process-is-running-under-wine.yml | 2 +- .../anti-forensic/clear-logs/clear-windows-event-logs.yml | 2 +- .../anti-forensic/impersonate-file-version-information.yml | 2 +- .../self-deletion/self-delete-using-alternate-data-streams.yml | 2 +- anti-analysis/anti-forensic/self-deletion/self-delete.yml | 2 +- anti-analysis/anti-forensic/timestomp/timestomp-file.yml | 2 +- .../vm-detection/check-for-microsoft-office-emulation.yml | 2 +- .../vm-detection/check-for-sandbox-username-or-hostname.yml | 2 +- .../check-for-windows-sandbox-via-genuine-state.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-process-name.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-registry.yml | 2 +- .../vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml | 2 +- .../detect-vm-via-motherboard-hardware-wmi-queries.yml | 2 +- .../acquire-credentials-from-windows-credential-manager.yml | 2 +- collection/browser/gather-firefox-profile-information.yml | 2 +- collection/database/sql/reference-sql-statements.yml | 2 +- collection/database/wmi/reference-wmi-statements.yml | 2 +- collection/file-managers/gather-3d-ftp-information.yml | 2 +- collection/file-managers/gather-alftp-information.yml | 2 +- collection/file-managers/gather-bitkinex-information.yml | 2 +- collection/file-managers/gather-blazeftp-information.yml | 2 +-
collection/file-managers/gather-bulletproof-ftp-information.yml | 2 +- collection/file-managers/gather-classicftp-information.yml | 2 +- collection/file-managers/gather-coreftp-information.yml | 2 +- collection/file-managers/gather-cuteftp-information.yml | 2 +- collection/file-managers/gather-cyberduck-information.yml | 2 +- collection/file-managers/gather-direct-ftp-information.yml | 2 +- collection/file-managers/gather-directory-opus-information.yml | 2 +- collection/file-managers/gather-expandrive-information.yml | 2 +- .../file-managers/gather-faststone-browser-information.yml | 2 +- collection/file-managers/gather-fasttrack-ftp-information.yml | 2 +- collection/file-managers/gather-ffftp-information.yml | 2 +- collection/file-managers/gather-filezilla-information.yml | 2 +- collection/file-managers/gather-flashfxp-information.yml | 2 +- collection/file-managers/gather-fling-ftp-information.yml | 2 +- collection/file-managers/gather-freshftp-information.yml | 2 +- collection/file-managers/gather-frigate3-information.yml | 2 +- collection/file-managers/gather-ftp-commander-information.yml | 2 +- collection/file-managers/gather-ftp-explorer-information.yml | 2 +- collection/file-managers/gather-ftp-voyager-information.yml | 2 +- collection/file-managers/gather-ftpgetter-information.yml | 2 +- collection/file-managers/gather-ftpinfo-information.yml | 2 +- collection/file-managers/gather-ftpnow-information.yml | 2 +- collection/file-managers/gather-ftprush-information.yml | 2 +- collection/file-managers/gather-ftpshell-information.yml | 2 +- .../file-managers/gather-global-downloader-information.yml | 2 +- collection/file-managers/gather-goftp-information.yml | 2 +- collection/file-managers/gather-leapftp-information.yml | 2 +- collection/file-managers/gather-netdrive-information.yml | 2 +- collection/file-managers/gather-nexusfile-information.yml | 2 +- collection/file-managers/gather-nova-ftp-information.yml | 2 +- 
collection/file-managers/gather-robo-ftp-information.yml | 2 +- collection/file-managers/gather-securefx-information.yml | 2 +- collection/file-managers/gather-smart-ftp-information.yml | 2 +- collection/file-managers/gather-softx-ftp-information.yml | 2 +- .../file-managers/gather-southriver-webdrive-information.yml | 2 +- collection/file-managers/gather-staff-ftp-information.yml | 2 +- collection/file-managers/gather-total-commander-information.yml | 2 +- collection/file-managers/gather-turbo-ftp-information.yml | 2 +- collection/file-managers/gather-ultrafxp-information.yml | 2 +- collection/file-managers/gather-winscp-information.yml | 2 +- collection/file-managers/gather-winzip-information.yml | 2 +- collection/file-managers/gather-wise-ftp-information.yml | 2 +- collection/file-managers/gather-ws-ftp-information.yml | 2 +- collection/file-managers/gather-xftp-information.yml | 2 +- collection/get-geographical-location.yml | 2 +- collection/group-policy/discover-group-policy-via-gpresult.yml | 2 +- collection/keylog/log-keystrokes.yml | 2 +- collection/microphone/capture-microphone-audio.yml | 2 +- collection/network/capture-packets-using-sharppcap.yml | 2 +- collection/network/capture-public-ip.yml | 2 +- collection/network/get-domain-trust-relationships.yml | 2 +- collection/network/get-mac-address-on-windows.yml | 2 +- collection/screenshot/capture-screenshot-via-keybd-event.yml | 2 +- collection/screenshot/capture-screenshot.yml | 2 +- collection/webcam/capture-webcam-image.yml | 2 +- communication/c2/file-transfer/download-and-write-a-file.yml | 2 +- communication/c2/file-transfer/write-and-execute-a-file.yml | 2 +- communication/c2/shell/create-reverse-shell-on-linux.yml | 2 +- communication/c2/shell/create-reverse-shell.yml | 2 +- .../c2/shell/execute-shell-command-and-capture-output.yml | 2 +- .../execute-shell-command-received-from-socket-on-linux.yml | 2 +- communication/ftp/send/send-file-using-ftp.yml | 2 +- 
communication/http/client/connect-to-http-server.yml | 2 +- communication/http/client/connect-to-url.yml | 2 +- communication/http/client/create-http-request.yml | 2 +- .../decompress-http-response-via-iencodingfilterfactory.yml | 2 +- communication/http/client/read-data-from-internet.yml | 2 +- communication/http/client/receive-http-response.yml | 2 +- communication/http/client/send-http-request.yml | 2 +- communication/http/reference-http-user-agent-string.yml | 2 +- communication/http/server/receive-http-request.yml | 2 +- communication/http/server/start-http-server.yml | 2 +- communication/http/set-http-header.yml | 2 +- communication/icmp/send-icmp-echo-request.yml | 2 +- communication/mailslot/create-mailslot.yml | 2 +- communication/mailslot/read-from-mailslot.yml | 2 +- communication/named-pipe/create/create-two-anonymous-pipes.yml | 2 +- communication/named-pipe/read/read-pipe.yml | 2 +- communication/named-pipe/write/write-pipe.yml | 2 +- communication/receive-data.yml | 2 +- communication/send-data.yml | 2 +- communication/socket/tcp/connect-tcp-socket.yml | 2 +- communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml | 2 +- communication/tcp/client/act-as-tcp-client.yml | 2 +- communication/tcp/serve/start-tcp-server.yml | 2 +- compiler/perl2exe/compiled-with-perl2exe.yml | 2 +- data-manipulation/compression/compress-data-using-lzo.yml | 2 +- data-manipulation/compression/compress-data-via-winapi.yml | 2 +- data-manipulation/compression/create-cabinet-on-windows.yml | 2 +- data-manipulation/compression/extract-cabinet-on-windows.yml | 2 +- .../encryption/aes/encrypt-data-using-aes-via-winapi.yml | 2 +- .../encryption/des/encrypt-data-using-des-via-winapi.yml | 2 +- .../encryption/encrypt-data-using-memfrob-from-glibc.yml | 2 +- .../encryption/encrypt-or-decrypt-via-wincrypt.yml | 2 +- data-manipulation/encryption/import-public-key.yml | 2 +- .../rc4/encrypt-data-using-rc4-via-systemfunction032.yml | 2 +- 
.../rc4/encrypt-data-using-rc4-via-systemfunction033.yml | 2 +- .../encryption/rc4/encrypt-data-using-rc4-via-winapi.yml | 2 +- data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml | 2 +- data-manipulation/encryption/rsa/reference-public-rsa-key.yml | 2 +- data-manipulation/hashing/hash-data-via-wincrypt.yml | 2 +- data-manipulation/hashing/md5/hash-data-with-md5.yml | 2 +- data-manipulation/hashing/sha1/hash-data-using-sha1.yml | 2 +- data-manipulation/hashing/sha224/hash-data-using-sha224.yml | 2 +- data-manipulation/hashing/sha256/hash-data-using-sha256.yml | 2 +- data-manipulation/hashing/sha384/hash-data-using-sha384.yml | 2 +- data-manipulation/hashing/sha512/hash-data-using-sha512.yml | 2 +- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 2 +- data-manipulation/prng/generate-random-numbers-via-winapi.yml | 2 +- .../generate-random-numbers-using-a-mersenne-twister.yml | 2 +- executable/resource/access-dotnet-resource.yml | 2 +- executable/resource/extract-resource-via-kernel32-functions.yml | 2 +- host-interaction/bootloader/disable-code-signing.yml | 2 +- host-interaction/bootloader/manipulate-boot-configuration.yml | 2 +- host-interaction/bootloader/manipulate-safe-mode-programs.yml | 2 +- host-interaction/clipboard/open-clipboard.yml | 2 +- host-interaction/clipboard/read-clipboard-data.yml | 2 +- host-interaction/clipboard/write-clipboard-data.yml | 2 +- host-interaction/console/manipulate-console-buffer.yml | 2 +- host-interaction/driver/create-device-object.yml | 2 +- host-interaction/driver/disable-driver-code-integrity.yml | 2 +- .../environment-variable/get-comspec-environment-variable.yml | 2 +- host-interaction/file-system/bypass-mark-of-the-web.yml | 2 +- .../file-system/create-virtual-file-system-in-dotnet.yml | 2 +- host-interaction/file-system/delete/delete-file.yml | 2 +- .../file-system/files/list/enumerate-files-on-linux.yml | 2 +- .../file-system/files/list/enumerate-files-on-windows.yml | 2 +- 
host-interaction/file-system/meta/get-file-version-info.yml | 2 +- host-interaction/file-system/read/read-file-on-linux.yml | 2 +- host-interaction/file-system/read/read-file-on-windows.yml | 2 +- host-interaction/file-system/read/read-file-via-mapping.yml | 2 +- host-interaction/file-system/read/read-ini-file.yml | 2 +- host-interaction/file-system/read/read-virtual-disk.yml | 2 +- .../windows-file-protection/bypass-windows-file-protection.yml | 2 +- host-interaction/file-system/write/write-file-on-linux.yml | 2 +- host-interaction/filter/enumerate-minifilter-drivers.yml | 2 +- .../modify/access-firewall-policy-via-inetfwpolicy2.yml | 2 +- .../modify/access-firewall-rule-properties-via-inetfwrule.yml | 2 +- host-interaction/gui/session/lock/lock-the-desktop.yml | 2 +- host-interaction/gui/switch-active-desktop.yml | 2 +- host-interaction/gui/taskbar/find/find-taskbar.yml | 2 +- host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml | 2 +- .../gui/window/get-text/get-graphical-window-text.yml | 2 +- host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml | 2 +- host-interaction/hardware/cpu/get-cpu-information.yml | 2 +- host-interaction/hardware/cpu/get-number-of-processor-cores.yml | 2 +- host-interaction/hardware/keyboard/get-keyboard-layout.yml | 2 +- host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml | 2 +- host-interaction/hardware/memory/get-memory-information.yml | 2 +- host-interaction/hardware/storage/get-disk-size.yml | 2 +- host-interaction/log/clfs/read-data-from-clfs-log-container.yml | 2 +- host-interaction/mutex/check-mutex-and-exit.yml | 2 +- host-interaction/mutex/create-semaphore-on-linux.yml | 2 +- host-interaction/mutex/lock-semaphore-on-linux.yml | 2 +- host-interaction/mutex/unlock-semaphore-on-linux.yml | 2 +- host-interaction/network/address/get-local-ipv4-addresses.yml | 2 +- .../network/connectivity/set-tcp-connection-state.yml | 2 +- .../network/domain/enumerate-domain-computers-via-ldap.yml | 2 +- 
host-interaction/network/domain/get-domain-controller-name.yml | 2 +- .../network/interface/get-networking-interfaces.yml | 2 +- .../traffic/filter/enumerate-network-filters-via-wfp-api.yml | 2 +- host-interaction/os/info/get-system-information-on-windows.yml | 2 +- host-interaction/os/version/get-kernel-version.yml | 2 +- host-interaction/os/version/get-linux-distribution.yml | 2 +- .../process/inject/allocate-user-process-rwx-memory.yml | 2 +- host-interaction/process/inject/attach-user-process-memory.yml | 2 +- host-interaction/process/inject/free-user-process-memory.yml | 2 +- host-interaction/process/inject/hijack-thread-execution.yml | 2 +- host-interaction/process/inject/inject-apc.yml | 2 +- host-interaction/process/inject/inject-dll.yml | 2 +- .../inject/inject-shellcode-using-a-file-mapping-object.yml | 2 +- .../inject/inject-shellcode-using-extra-window-memory.yml | 2 +- .../inject/inject-shellcode-using-window-subclass-procedure.yml | 2 +- host-interaction/process/inject/inject-thread.yml | 2 +- host-interaction/process/inject/use-process-replacement.yml | 2 +- .../list/enumerate-processes-on-remote-desktop-session-host.yml | 2 +- host-interaction/process/list/enumerate-processes.yml | 2 +- host-interaction/process/list/find-process-by-pid.yml | 2 +- host-interaction/process/map-section-object.yml | 2 +- host-interaction/process/modify/modify-access-privileges.yml | 2 +- .../process/modules/list/enumerate-process-modules.yml | 2 +- host-interaction/process/terminate/terminate-process.yml | 2 +- host-interaction/registry/delete/delete-registry-key.yml | 2 +- host-interaction/registry/delete/delete-registry-value.yml | 2 +- host-interaction/registry/query-or-enumerate-registry-key.yml | 2 +- host-interaction/registry/query-or-enumerate-registry-value.yml | 2 +- .../registry/set-registry-key-via-offline-registry-library.yml | 2 +- host-interaction/service/continue-service.yml | 2 +- host-interaction/service/create/create-service.yml | 2 +- 
host-interaction/service/delete/delete-service.yml | 2 +- host-interaction/service/modify/modify-service.yml | 2 +- host-interaction/service/pause-service.yml | 2 +- host-interaction/service/start/start-service.yml | 2 +- host-interaction/service/stop/stop-service.yml | 2 +- host-interaction/session/get-current-user-on-linux.yml | 2 +- host-interaction/session/get-logon-sessions.yml | 2 +- host-interaction/session/get-session-integrity-level.yml | 2 +- host-interaction/session/get-session-user-name.yml | 2 +- host-interaction/session/get-token-membership.yml | 2 +- host-interaction/thread/list/enumerate-threads.yml | 2 +- host-interaction/thread/tls/set-thread-local-storage-value.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml | 2 +- host-interaction/uac/bypass/bypass-uac-via-rpc.yml | 2 +- .../uac/bypass/bypass-uac-via-token-manipulation.yml | 2 +- impact/inhibit-system-recovery/delete-volume-shadow-copies.yml | 2 +- impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml | 2 +- lib/create-or-open-section-object.yml | 2 +- linking/runtime-linking/link-many-functions-at-runtime.yml | 2 +- load-code/pe/access-pe-header.yml | 2 +- load-code/pe/inspect-section-memory-permissions.yml | 2 +- load-code/powershell/run-powershell-expression.yml | 2 +- load-code/shellcode/execute-shellcode-via-copyfile2.yml | 2 +- .../shellcode/execute-shellcode-via-createthreadpoolwait.yml | 2 +- .../execute-shellcode-via-windows-callback-function.yml | 2 +- load-code/shellcode/execute-shellcode-via-windows-fibers.yml | 2 +- load-code/shellcode/spawn-thread-to-rwx-shellcode.yml | 2 +- malware-family/plugx/match-known-plugx-module.yml | 2 +- nursery/access-wmi-data-in-dotnet.yml | 2 +- nursery/add-value-to-global-atom-table.yml | 2 +- nursery/append-data-to-clfs-log-container.yml | 2 +- nursery/build-docker-image.yml | 2 +- nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml | 2 +- 
nursery/bypass-uac-via-scheduled-task-environment-variable.yml | 2 +- nursery/capture-webcam-video.yml | 2 +- nursery/check-for-process-debug-object.yml | 2 +- nursery/check-for-windows-sandbox-via-mutex.yml | 2 +- nursery/check-license-value.yml | 2 +- nursery/collect-ssh-keys.yml | 2 +- nursery/compile-csharp-in-dotnet.yml | 2 +- nursery/compile-visual-basic-in-dotnet.yml | 2 +- nursery/connect-network-resource.yml | 2 +- nursery/create-container.yml | 2 +- nursery/create-process-via-wmi-in-dotnet.yml | 2 +- nursery/create-registry-key-via-stdregprov.yml | 2 +- nursery/delete-internet-cache.yml | 2 +- nursery/delete-registry-key-via-stdregprov.yml | 2 +- nursery/delete-registry-value-via-stdregprov.yml | 2 +- nursery/destroy-software-breakpoint-capability.yml | 2 +- nursery/display-service-notification-message-box.yml | 2 +- nursery/enable-safe-mode-boot.yml | 2 +- nursery/encrypt-data-using-salsa20-or-chacha.yml | 2 +- nursery/encrypt-or-decrypt-data-via-bcrypt.yml | 2 +- nursery/enumerate-device-drivers-on-linux.yml | 2 +- nursery/enumerate-device-drivers-on-windows.yml | 2 +- nursery/enumerate-disk-volumes.yml | 2 +- nursery/enumerate-files-in-dotnet.yml | 2 +- nursery/enumerate-internet-cache.yml | 2 +- nursery/enumerate-network-shares.yml | 2 +- nursery/enumerate-processes-that-use-resource.yml | 2 +- nursery/enumerate-processes-via-procfs.yml | 2 +- nursery/execute-sqlite-statement-in-dotnet.yml | 2 +- nursery/get-client-handle-via-schannel.yml | 2 +- nursery/get-current-process-command-line.yml | 2 +- nursery/get-mac-address-in-dotnet.yml | 2 +- nursery/get-mac-address-on-linux.yml | 2 +- nursery/get-os-information-via-kuser_shared_data.yml | 2 +- nursery/get-proxy.yml | 2 +- nursery/get-session-information.yml | 2 +- nursery/get-storage-device-properties.yml | 2 +- nursery/get-system-information-on-linux.yml | 2 +- nursery/get-token-privileges.yml | 2 +- nursery/hash-data-using-ripemd256.yml | 2 +- nursery/hash-data-using-ripemd320.yml | 2 +- 
nursery/hash-data-using-sha1-via-wincrypt.yml | 2 +- nursery/hash-data-using-sha512managed-in-dotnet.yml | 2 +- nursery/hash-data-via-bcrypt.yml | 2 +- nursery/hook-routines-via-microsoft-detours.yml | 2 +- nursery/impersonate-user.yml | 2 +- nursery/initialize-hashing-via-wincrypt.yml | 2 +- nursery/link-function-at-runtime-on-linux.yml | 2 +- nursery/list-containers.yml | 2 +- nursery/list-drag-and-drop-files.yml | 2 +- nursery/load-packed-dex-via-jiagu-on-android.yml | 2 +- nursery/log-keystrokes-via-input-method-manager.yml | 2 +- nursery/make-an-http-request-with-a-cookie.yml | 2 +- nursery/migrate-process-to-active-window-station.yml | 2 +- nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml | 2 +- nursery/persist-via-gnome-autostart-on-linux.yml | 2 +- nursery/prompt-user-for-credentials.yml | 2 +- nursery/query-or-enumerate-registry-key-via-stdregprov.yml | 2 +- nursery/query-or-enumerate-registry-value-via-stdregprov.yml | 2 +- nursery/read-and-send-data-from-client-to-server.yml | 2 +- nursery/read-process-memory.yml | 2 +- nursery/receive-and-write-data-from-server-to-client.yml | 2 +- nursery/reference-114dns-dns-server.yml | 2 +- nursery/reference-alidns-dns-server.yml | 2 +- nursery/reference-cloudflare-dns-server.yml | 2 +- nursery/reference-comodo-secure-dns-server.yml | 2 +- nursery/reference-google-public-dns-server.yml | 2 +- nursery/reference-hurricane-electric-dns-server.yml | 2 +- nursery/reference-kornet-dns-server.yml | 2 +- nursery/reference-l3-dns-server.yml | 2 +- nursery/reference-opendns-dns-server.yml | 2 +- nursery/reference-quad9-dns-server.yml | 2 +- nursery/reference-verisign-dns-server.yml | 2 +- nursery/resolve-function-by-djb2-hash.yml | 2 +- nursery/resolve-function-by-fnv-1a-hash.yml | 2 +- nursery/resolve-function-by-hash.yml | 2 +- nursery/run-in-container.yml | 2 +- nursery/send-data-to-internet.yml | 2 +- nursery/send-http-request-with-host-header.yml | 2 +- nursery/send-request-in-dotnet.yml | 2 +- 
nursery/set-registry-value-via-stdregprov.yml | 2 +- nursery/terminate-process-by-name-in-dotnet.yml | 2 +- nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml | 2 +- persistence/exchange/act-as-exchange-transport-agent.yml | 2 +- persistence/persist-via-desktop-autostart.yml | 2 +- persistence/persist-via-shell-profile-or-rc-file.yml | 2 +- .../disable-appinit_dlls-code-signature-enforcement.yml | 2 +- persistence/service/persist-via-rc-script.yml | 2 +- persistence/startup-folder/write-file-to-startup-folder.yml | 2 +- .../ncr/reference-ncr-atm-library-routines.yml | 2 +- targeting/language/identify-system-language-via-api.yml | 2 +-
343 files changed, 343 insertions(+), 343 deletions(-)
diff --git a/README.md b/README.md
index 73697ead..0362da32 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003] mbc:
diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
index d94e257a..8604e8d7 100644
--- a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
+++ b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 446a093d..20ae6e2d 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
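Review bot: Switching every `static: function` rule from `dynamic: thread` to `dynamic: sequence` narrows the dynamic matching window; if `sequence` denotes a bounded run of consecutive calls within a thread, as the name suggests, rules whose required API calls are separated by unrelated calls (for instance the timestomp-file and self-delete rules changed in later hunks of this patch) may stop matching traces that matched under `thread`. The identical one-line replacement is applied in every hunk here with no per-rule review visible, so this point applies to all of them. Before merging, it would be worth running the dynamic samples listed under each rule's `examples:` through capa with the new scope and keeping `dynamic: thread` for any rule that loses a match. Rules declaring `dynamic: sequence` also presumably require a capa release that recognizes that scope, so the minimum supported version should be stated alongside the README change.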
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index e6b51df1..fa07fd07 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] mbc:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index 0a64a2e8..9315f51c 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
index f1656e39..f4c901bf 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033] examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index ef93144b..fffe9d39 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Debugger Detection [B0001] references:
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index fe420821..bb64961f 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Debugger Evasion [T1622] mbc:
diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
index 61e60213..c7569989 100644
--- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
+++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index 797171c9..81be1b53 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] examples:
diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
index c21faefe..74006c27 100644
--- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml
+++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule: description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application. scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Indicator Removal [T1070] references:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 15cce5d9..30240f02 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule: - daniel.stepanic@elastic.co scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Indicator Removal::File Deletion [T1070.004] mbc:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index c467d957..8cedcd9a 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Indicator Removal::File Deletion [T1070.004] mbc:
diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
index 2041fc93..328cb320 100644
--- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
+++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Indicator Removal::Timestomp [T1070.006] examples:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
index 6471461d..d76b46bf 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
index 8b7e3e9a..0ac2b045 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule: - "echernofsky@google.com" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion [T1497] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
index 1e6f5f7d..06a58cdd 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
index cb727295..4e5d49de 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
index a6cbfbec..f234c003 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index 2425a19a..e916a28a 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule: - anders.vejlby@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
index cba1a9eb..1d46b8a9 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule: - anders.vejlby@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index 7097dced..e9c3d189 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004] examples:
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index e60fae03..3c69f977 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -7,7 +7,7 @@ rule: - still@teamt5.org scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] examples:
diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
index fb7daa57..8d1a2798 100644
--- a/collection/database/sql/reference-sql-statements.yml
+++ b/collection/database/sql/reference-sql-statements.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Collection::Data from Information Repositories [T1213] examples:
diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
index 18bbcf72..e345020a 100644
--- a/collection/database/wmi/reference-wmi-statements.yml
+++ b/collection/database/wmi/reference-wmi-statements.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Collection::Data from Information Repositories [T1213] examples:
diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
index 183e7e6c..5b26a494 100644
--- a/collection/file-managers/gather-3d-ftp-information.yml
+++ b/collection/file-managers/gather-3d-ftp-information.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Credential Access::Credentials from Password Stores [T1555] references:
diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
index c177630d..afa78f07 100644
--- a/collection/file-managers/gather-alftp-information.yml
+++ b/collection/file-managers/gather-alftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
index 610692a2..15a9d388 100644
--- a/collection/file-managers/gather-bitkinex-information.yml
+++ b/collection/file-managers/gather-bitkinex-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
index 50c464f3..03bcaa35 100644
--- a/collection/file-managers/gather-blazeftp-information.yml
+++ b/collection/file-managers/gather-blazeftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
index eff43d32..62fbb969 100644
--- a/collection/file-managers/gather-bulletproof-ftp-information.yml
+++ b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
index 9fa41274..73cc1863 100644
--- a/collection/file-managers/gather-classicftp-information.yml
+++ b/collection/file-managers/gather-classicftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
index 052fb224..3e13a2ed 100644
--- a/collection/file-managers/gather-coreftp-information.yml
+++ b/collection/file-managers/gather-coreftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
index 78c21fd9..fa45182c 100644
--- a/collection/file-managers/gather-cuteftp-information.yml
+++ b/collection/file-managers/gather-cuteftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
index dd094e44..6886d2d9 100644
--- a/collection/file-managers/gather-cyberduck-information.yml
+++ b/collection/file-managers/gather-cyberduck-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
index 30b4d1b8..d5a50939 100644
--- a/collection/file-managers/gather-direct-ftp-information.yml
+++ b/collection/file-managers/gather-direct-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
index 93e6ca5a..16190f56 100644
--- a/collection/file-managers/gather-directory-opus-information.yml
+++ b/collection/file-managers/gather-directory-opus-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
index 0fec6df2..1b07ee24 100644
--- a/collection/file-managers/gather-expandrive-information.yml
+++ b/collection/file-managers/gather-expandrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
index 94d48120..d118331d 100644
--- a/collection/file-managers/gather-faststone-browser-information.yml
+++ b/collection/file-managers/gather-faststone-browser-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
index 3c210f01..3f07be43 100644
--- a/collection/file-managers/gather-fasttrack-ftp-information.yml
+++ b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
index 7ab79002..08e73436 100644
--- a/collection/file-managers/gather-ffftp-information.yml
+++ b/collection/file-managers/gather-ffftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml
index 9f9b48e2..ea86b2c6 100644
--- a/collection/file-managers/gather-filezilla-information.yml
+++ b/collection/file-managers/gather-filezilla-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml
index cfd1e836..e74a6d97 100644
--- a/collection/file-managers/gather-flashfxp-information.yml
+++ b/collection/file-managers/gather-flashfxp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml
index e09ac5ab..2abf8047 100644
--- a/collection/file-managers/gather-fling-ftp-information.yml
+++ b/collection/file-managers/gather-fling-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml
index 74965be6..d250fd34 100644
--- a/collection/file-managers/gather-freshftp-information.yml
+++ b/collection/file-managers/gather-freshftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-frigate3-information.yml b/collection/file-managers/gather-frigate3-information.yml
index cd97ad7f..167cbfc7 100644
--- a/collection/file-managers/gather-frigate3-information.yml
+++ b/collection/file-managers/gather-frigate3-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-commander-information.yml b/collection/file-managers/gather-ftp-commander-information.yml
index 49f236ba..1f72c3f3 100644
--- a/collection/file-managers/gather-ftp-commander-information.yml
+++ b/collection/file-managers/gather-ftp-commander-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-explorer-information.yml b/collection/file-managers/gather-ftp-explorer-information.yml
index 7c4733db..11750640 100644
--- a/collection/file-managers/gather-ftp-explorer-information.yml
+++ b/collection/file-managers/gather-ftp-explorer-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-voyager-information.yml b/collection/file-managers/gather-ftp-voyager-information.yml
index ee724d4c..323fdfe6 100644
--- a/collection/file-managers/gather-ftp-voyager-information.yml
+++ b/collection/file-managers/gather-ftp-voyager-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpgetter-information.yml b/collection/file-managers/gather-ftpgetter-information.yml
index 3a2412b7..a00488c3 100644
--- a/collection/file-managers/gather-ftpgetter-information.yml
+++ b/collection/file-managers/gather-ftpgetter-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpinfo-information.yml b/collection/file-managers/gather-ftpinfo-information.yml
index e3fbfe1b..19389ea6 100644
--- a/collection/file-managers/gather-ftpinfo-information.yml
+++ b/collection/file-managers/gather-ftpinfo-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpnow-information.yml b/collection/file-managers/gather-ftpnow-information.yml
index 5e3fe704..077d9746 100644
--- a/collection/file-managers/gather-ftpnow-information.yml
+++ b/collection/file-managers/gather-ftpnow-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-ftprush-information.yml b/collection/file-managers/gather-ftprush-information.yml
index 9fbb5292..3494da0c 100644
--- a/collection/file-managers/gather-ftprush-information.yml
+++ b/collection/file-managers/gather-ftprush-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpshell-information.yml b/collection/file-managers/gather-ftpshell-information.yml
index 50ff8d90..db0418e9 100644
--- a/collection/file-managers/gather-ftpshell-information.yml
+++ b/collection/file-managers/gather-ftpshell-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-global-downloader-information.yml b/collection/file-managers/gather-global-downloader-information.yml
index bc3ee446..41b2c102 100644
--- a/collection/file-managers/gather-global-downloader-information.yml
+++ b/collection/file-managers/gather-global-downloader-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-goftp-information.yml b/collection/file-managers/gather-goftp-information.yml
index c9766053..ef0c3dcb 100644
--- a/collection/file-managers/gather-goftp-information.yml
+++ b/collection/file-managers/gather-goftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-leapftp-information.yml b/collection/file-managers/gather-leapftp-information.yml
index 425d7667..fdd48aeb 100644
--- a/collection/file-managers/gather-leapftp-information.yml
+++ b/collection/file-managers/gather-leapftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-netdrive-information.yml b/collection/file-managers/gather-netdrive-information.yml
index 652e2a1e..7b70fd04 100644
--- a/collection/file-managers/gather-netdrive-information.yml
+++ b/collection/file-managers/gather-netdrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nexusfile-information.yml b/collection/file-managers/gather-nexusfile-information.yml
index 97107817..7d5f0a85 100644
--- a/collection/file-managers/gather-nexusfile-information.yml
+++ b/collection/file-managers/gather-nexusfile-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nova-ftp-information.yml b/collection/file-managers/gather-nova-ftp-information.yml
index d6ef1623..3960ddac 100644
--- a/collection/file-managers/gather-nova-ftp-information.yml
+++ b/collection/file-managers/gather-nova-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-robo-ftp-information.yml b/collection/file-managers/gather-robo-ftp-information.yml
index c35cef85..8a3cb335 100644
--- a/collection/file-managers/gather-robo-ftp-information.yml
+++ b/collection/file-managers/gather-robo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-securefx-information.yml b/collection/file-managers/gather-securefx-information.yml
index 90f4a390..68013873 100644
--- a/collection/file-managers/gather-securefx-information.yml
+++ b/collection/file-managers/gather-securefx-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-smart-ftp-information.yml b/collection/file-managers/gather-smart-ftp-information.yml
index abefbdbf..61315d9a 100644
--- a/collection/file-managers/gather-smart-ftp-information.yml
+++ b/collection/file-managers/gather-smart-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-softx-ftp-information.yml b/collection/file-managers/gather-softx-ftp-information.yml
index e785cfd7..53f18b8a 100644
--- a/collection/file-managers/gather-softx-ftp-information.yml
+++ b/collection/file-managers/gather-softx-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-southriver-webdrive-information.yml b/collection/file-managers/gather-southriver-webdrive-information.yml
index 7bb733d8..70022532 100644
--- a/collection/file-managers/gather-southriver-webdrive-information.yml
+++ b/collection/file-managers/gather-southriver-webdrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-staff-ftp-information.yml b/collection/file-managers/gather-staff-ftp-information.yml
index a4ed16d6..22d5946e 100644
--- a/collection/file-managers/gather-staff-ftp-information.yml
+++ b/collection/file-managers/gather-staff-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-total-commander-information.yml b/collection/file-managers/gather-total-commander-information.yml
index a8375545..16fb0bb5 100644
--- a/collection/file-managers/gather-total-commander-information.yml
+++ b/collection/file-managers/gather-total-commander-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-turbo-ftp-information.yml b/collection/file-managers/gather-turbo-ftp-information.yml
index 5ee2ebe9..126f2c5d 100644
--- a/collection/file-managers/gather-turbo-ftp-information.yml
+++ b/collection/file-managers/gather-turbo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ultrafxp-information.yml b/collection/file-managers/gather-ultrafxp-information.yml
index 6476c708..000ce309 100644
--- a/collection/file-managers/gather-ultrafxp-information.yml
+++ b/collection/file-managers/gather-ultrafxp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-winscp-information.yml b/collection/file-managers/gather-winscp-information.yml
index d6266afb..e3608b70 100644
--- a/collection/file-managers/gather-winscp-information.yml
+++ b/collection/file-managers/gather-winscp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-winzip-information.yml b/collection/file-managers/gather-winzip-information.yml
index 775f081d..a490bc6c 100644
--- a/collection/file-managers/gather-winzip-information.yml
+++ b/collection/file-managers/gather-winzip-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-wise-ftp-information.yml b/collection/file-managers/gather-wise-ftp-information.yml
index 1cb33b96..668eb976 100644
--- a/collection/file-managers/gather-wise-ftp-information.yml
+++ b/collection/file-managers/gather-wise-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ws-ftp-information.yml b/collection/file-managers/gather-ws-ftp-information.yml
index c6f3fbfb..829c0c88 100644
--- a/collection/file-managers/gather-ws-ftp-information.yml
+++ b/collection/file-managers/gather-ws-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-xftp-information.yml b/collection/file-managers/gather-xftp-information.yml
index 838fa928..35b2a36a 100644
--- a/collection/file-managers/gather-xftp-information.yml
+++ b/collection/file-managers/gather-xftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/get-geographical-location.yml b/collection/get-geographical-location.yml
index 761ba38f..ac6f1871 100644
--- a/collection/get-geographical-location.yml
+++ b/collection/get-geographical-location.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Location Discovery [T1614]
 examples:
diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml
index f1421276..73835604 100644
--- a/collection/group-policy/discover-group-policy-via-gpresult.yml
+++ b/collection/group-policy/discover-group-policy-via-gpresult.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Group Policy Discovery [T1615]
 examples:
diff --git a/collection/keylog/log-keystrokes.yml b/collection/keylog/log-keystrokes.yml
index 9caf9e25..2f8e1ccc 100644
--- a/collection/keylog/log-keystrokes.yml
+++ b/collection/keylog/log-keystrokes.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Input Capture::Keylogging [T1056.001]
 examples:
diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml
index a8599690..1fa1a193 100644
--- a/collection/microphone/capture-microphone-audio.yml
+++ b/collection/microphone/capture-microphone-audio.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Audio Capture [T1123]
 examples:
diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml
index 4d8c60fc..0f88c67a 100644
--- a/collection/network/capture-packets-using-sharppcap.yml
+++ b/collection/network/capture-packets-using-sharppcap.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Network Sniffing [T1040]
 references:
diff --git a/collection/network/capture-public-ip.yml b/collection/network/capture-public-ip.yml
index b60ebb4a..ca66442e 100644
--- a/collection/network/capture-public-ip.yml
+++ b/collection/network/capture-public-ip.yml
@@ -7,7 +7,7 @@ rule:
 - "still@teamt5.org"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/collection/network/get-domain-trust-relationships.yml b/collection/network/get-domain-trust-relationships.yml
index 9af3d1df..7e4a1123 100644
--- a/collection/network/get-domain-trust-relationships.yml
+++ b/collection/network/get-domain-trust-relationships.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Domain Trust Discovery [T1482]
 examples:
diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
index 018e3585..86414bc8 100644
--- a/collection/network/get-mac-address-on-windows.yml
+++ b/collection/network/get-mac-address-on-windows.yml
@@ -8,7 +8,7 @@ rule:
 - echernofsky@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 references:
diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml
index 515be39a..6b2dacd5 100644
--- a/collection/screenshot/capture-screenshot-via-keybd-event.yml
+++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Screen Capture [T1113]
 mbc:
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index bbba9441..dc4847bb 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Screen Capture [T1113]
 mbc:
diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml
index 8783c61e..0383197f 100644
--- a/collection/webcam/capture-webcam-image.yml
+++ b/collection/webcam/capture-webcam-image.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Video Capture [T1125]
 examples:
diff --git a/communication/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml
index 42f305d8..32748a4b 100644
--- a/communication/c2/file-transfer/download-and-write-a-file.yml
+++ b/communication/c2/file-transfer/download-and-write-a-file.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Command and Control::Ingress Tool Transfer [T1105]
 mbc:
diff --git a/communication/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml
index dd974053..ec019ee1 100644
--- a/communication/c2/file-transfer/write-and-execute-a-file.yml
+++ b/communication/c2/file-transfer/write-and-execute-a-file.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Execution::Install Additional Program [B0023]
 examples:
diff --git a/communication/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml
index 3197bcf7..0f08b279 100644
--- a/communication/c2/shell/create-reverse-shell-on-linux.yml
+++ b/communication/c2/shell/create-reverse-shell-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
 mbc:
diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml
index a05615e5..e33e983d 100644
--- a/communication/c2/shell/create-reverse-shell.yml
+++ b/communication/c2/shell/create-reverse-shell.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
 mbc:
diff --git a/communication/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml
index a5c49df2..37b6c95b 100644
--- a/communication/c2/shell/execute-shell-command-and-capture-output.yml
+++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
 references:
diff --git a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
index b3869dca..7351f2b4 100644
--- a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
+++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
 examples:
diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml
index 43a92868..04257c1f 100644
--- a/communication/ftp/send/send-file-using-ftp.yml
+++ b/communication/ftp/send/send-file-using-ftp.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::FTP Communication::Send File [C0004.001]
 - Communication::FTP Communication::WinINet [C0004.002]
diff --git a/communication/http/client/connect-to-http-server.yml b/communication/http/client/connect-to-http-server.yml
index 8f958bfb..0980a702 100644
--- a/communication/http/client/connect-to-http-server.yml
+++ b/communication/http/client/connect-to-http-server.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Connect to Server [C0002.009]
 examples:
diff --git a/communication/http/client/connect-to-url.yml b/communication/http/client/connect-to-url.yml
index 918fbadb..e868569a 100644
--- a/communication/http/client/connect-to-url.yml
+++ b/communication/http/client/connect-to-url.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Open URL [C0002.004]
 examples:
diff --git a/communication/http/client/create-http-request.yml b/communication/http/client/create-http-request.yml
index f86d6699..fd41c7e7 100644
--- a/communication/http/client/create-http-request.yml
+++ b/communication/http/client/create-http-request.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Create Request [C0002.012]
 examples:
diff --git a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
index 52a7b68a..f5bf78cd 100644
--- a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
+++ b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/read-data-from-internet.yml b/communication/http/client/read-data-from-internet.yml
index 4c48f76b..4b6918fe 100644
--- a/communication/http/client/read-data-from-internet.yml
+++ b/communication/http/client/read-data-from-internet.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml
index ccabd60d..1aa62c46 100644
--- a/communication/http/client/receive-http-response.yml
+++ b/communication/http/client/receive-http-response.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
index 8bc1aaf3..248132f2 100644
--- a/communication/http/client/send-http-request.yml
+++ b/communication/http/client/send-http-request.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Send Request [C0002.003]
 examples:
diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml
index 4607be79..d7e77936 100644
--- a/communication/http/reference-http-user-agent-string.yml
+++ b/communication/http/reference-http-user-agent-string.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication [C0002]
 references:
diff --git a/communication/http/server/receive-http-request.yml b/communication/http/server/receive-http-request.yml
index 15fe2811..89383f4f 100644
--- a/communication/http/server/receive-http-request.yml
+++ b/communication/http/server/receive-http-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Receive Request [C0002.015]
 examples:
diff --git a/communication/http/server/start-http-server.yml b/communication/http/server/start-http-server.yml
index c6fe087c..9181323a 100644
--- a/communication/http/server/start-http-server.yml
+++ b/communication/http/server/start-http-server.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Start Server [C0002.018]
 examples:
diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml
index 9500b92a..b07bbed8 100644
--- a/communication/http/set-http-header.yml
+++ b/communication/http/set-http-header.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::HTTP Communication::Set Header [C0002.013]
 examples:
diff --git a/communication/icmp/send-icmp-echo-request.yml b/communication/icmp/send-icmp-echo-request.yml
index 31a777d7..df5fe1c2 100644
--- a/communication/icmp/send-icmp-echo-request.yml
+++ b/communication/icmp/send-icmp-echo-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::ICMP Communication::Echo Request [C0014.002]
 references:
diff --git a/communication/mailslot/create-mailslot.yml b/communication/mailslot/create-mailslot.yml
index 8cf723f3..ac3dcbea 100644
--- a/communication/mailslot/create-mailslot.yml
+++ b/communication/mailslot/create-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/mailslot/read-from-mailslot.yml b/communication/mailslot/read-from-mailslot.yml
index 25b72f13..3bcf13c9 100644
--- a/communication/mailslot/read-from-mailslot.yml
+++ b/communication/mailslot/read-from-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - nick.simonian@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/named-pipe/create/create-two-anonymous-pipes.yml b/communication/named-pipe/create/create-two-anonymous-pipes.yml
index 3a0ae45d..6ad454c2 100644
--- a/communication/named-pipe/create/create-two-anonymous-pipes.yml
+++ b/communication/named-pipe/create/create-two-anonymous-pipes.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Create Pipe [C0003.001]
 examples:
diff --git a/communication/named-pipe/read/read-pipe.yml b/communication/named-pipe/read/read-pipe.yml
index 6347df84..5ecf1d65 100644
--- a/communication/named-pipe/read/read-pipe.yml
+++ b/communication/named-pipe/read/read-pipe.yml
@@ -8,7 +8,7 @@ rule:
 description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Read Pipe [C0003.003]
 examples:
diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml
index 53735f63..34a51efb 100644
--- a/communication/named-pipe/write/write-pipe.yml
+++ b/communication/named-pipe/write/write-pipe.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Interprocess Communication::Write Pipe [C0003.004]
 examples:
diff --git a/communication/receive-data.yml b/communication/receive-data.yml
index 8e52081f..c57ad7a2 100644
--- a/communication/receive-data.yml
+++ b/communication/receive-data.yml
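Review bot: The read-pipe description kept as context in this hunk says the capture happens when `a new thread is created that calls PeekNamedPipe and ReadFile`, which is exactly the situation the scope change affects: under `dynamic: sequence` both calls presumably have to fall inside one bounded window of consecutive calls in that thread, whereas `dynamic: thread` matched them anywhere in it. A reader loop that polls PeekNamedPipe with a sleep or wait between attempts could push ReadFile out of the window, and the rule would stop firing in dynamic mode even though the behaviour is unchanged. Extend the description so the scope choice is documented and reviewable, e.g. append `Under the sequence dynamic scope both calls must occur close together in the same thread; verified against the dynamic examples.` once that verification has actually been done. The rule's `features:` and `examples:` blocks are outside the hunk, so this cannot be confirmed from the diff alone.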
@@ -7,7 +7,7 @@ rule:
 description: all known techniques for receiving data from a potential C2 server
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Command and Control::C2 Communication::Receive Data [B0030.002]
 examples:
diff --git a/communication/send-data.yml b/communication/send-data.yml
index 04982dea..a4597698 100644
--- a/communication/send-data.yml
+++ b/communication/send-data.yml
@@ -8,7 +8,7 @@ rule:
 description: all known techniques for sending data to a potential C2 server
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Command and Control::C2 Communication::Send Data [B0030.001]
 examples:
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml
index 11b82a30..783948aa 100644
--- a/communication/socket/tcp/connect-tcp-socket.yml
+++ b/communication/socket/tcp/connect-tcp-socket.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Connect Socket [C0001.004]
 examples:
diff --git a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
index a409c583..95426272 100644
--- a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
+++ b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Send TCP Data [C0001.014]
 examples:
diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
index f89560e9..dae32049 100644
--- a/communication/tcp/client/act-as-tcp-client.yml
+++ b/communication/tcp/client/act-as-tcp-client.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::TCP Client [C0001.008]
 examples:
diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
index f3996f22..d32d4a3d 100644
--- a/communication/tcp/serve/start-tcp-server.yml
+++ b/communication/tcp/serve/start-tcp-server.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Communication::Socket Communication::Start TCP Server [C0001.005]
 examples:
diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml
index b8724e47..da962ebd 100644
--- a/compiler/perl2exe/compiled-with-perl2exe.yml
+++ b/compiler/perl2exe/compiled-with-perl2exe.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9
 features:
diff --git a/data-manipulation/compression/compress-data-using-lzo.yml b/data-manipulation/compression/compress-data-using-lzo.yml
index f16c7517..01634de6 100644
--- a/data-manipulation/compression/compress-data-using-lzo.yml
+++ b/data-manipulation/compression/compress-data-using-lzo.yml
@@ -8,7 +8,7 @@ rule:
 description: detects the compression routine from LZO
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Data::Compress Data [C0024]
 references:
diff --git a/data-manipulation/compression/compress-data-via-winapi.yml b/data-manipulation/compression/compress-data-via-winapi.yml
index 3fad4753..32d3fed7 100644
--- a/data-manipulation/compression/compress-data-via-winapi.yml
+++ b/data-manipulation/compression/compress-data-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
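Review bot: compiled-with-perl2exe is a compiler-fingerprint rule whose only listed example is a static function address (`873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9`), yet the mechanical rewrite gives it `dynamic: sequence` as if it described a run-time call pattern; the same applies to compress-data-using-lzo, whose description says it `detects the compression routine from LZO`. A sequence scope on a rule recognised by code or string features is either dead (it never matches in a sandbox trace) or, worse, misleading to whoever later extends the rule for dynamic analysis. If these rules genuinely have no dynamic features, mark the dynamic scope as not applicable instead of carrying forward whatever value the old thread rule had; if they do, add a dynamic example next to the static one so the scope change is testable. The `features:` blocks are outside the hunk, so which case applies cannot be settled from the diff.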
diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
index bf192b0d..e938c1c3 100644
--- a/data-manipulation/compression/create-cabinet-on-windows.yml
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
index 8c674532..bd92d983 100644
--- a/data-manipulation/compression/extract-cabinet-on-windows.yml
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
index 86c78647..7a890bed 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
index f84760fc..4c4b33c1 100644
--- a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
+++ b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
index b96a7f5d..f3997163 100644
--- a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
+++ b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
@@ -6,7 +6,7 @@ rule:
 - zander.work@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
index d73c6d35..a395ce75 100644
--- a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
+++ b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/import-public-key.yml b/data-manipulation/encryption/import-public-key.yml
index 53764f55..8847f2ba 100644
--- a/data-manipulation/encryption/import-public-key.yml
+++ b/data-manipulation/encryption/import-public-key.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Encryption Key::Import Public Key [C0028.001]
 examples:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
index 094e83d2..473b0442 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -6,7 +6,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
index ba2d1a86..04bd8ccf 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
@@ -6,7 +6,7 @@ rule:
 - daniel.stepanic@elastic.co
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
index 582a627e..d9f768d6 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
index 8fd7578b..859a68e3 100644
--- a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
+++ b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
index f4d96a98..1dfa7548 100644
--- a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
+++ b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Encryption Key [C0028]
 references:
diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml
index d84ae236..309dcec5 100644
--- a/data-manipulation/hashing/hash-data-via-wincrypt.yml
+++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash [C0029]
 examples:
diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml
index eb6b296d..37dc932a 100644
--- a/data-manipulation/hashing/md5/hash-data-with-md5.yml
+++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::MD5 [C0029.001]
 references:
diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
index 35503c97..28dd842f 100644
--- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
+++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA1 [C0029.002]
 examples:
diff --git a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
index cfaa86e2..93828132 100644
--- a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
+++ b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA224 [C0029.004]
 references:
diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
index 4da48ab3..4e69b47f 100644
--- a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
+++ b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Cryptographic Hash::SHA256 [C0029.003]
 references:
diff --git a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
index d4ed183c..e4a5d89a 100644
--- a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
+++ b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
index 02bbe90c..241b24a8 100644
--- a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
+++ b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
index 8e125230..4079062d 100644
--- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 references:
diff --git a/data-manipulation/prng/generate-random-numbers-via-winapi.yml b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
index 1bca70b8..02699a2b 100644
--- a/data-manipulation/prng/generate-random-numbers-via-winapi.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 examples:
diff --git a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
index ab35eff5..d72a5e81 100644
--- a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
+++ b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Cryptography::Generate Pseudo-random Sequence [C0021]
 examples:
diff --git a/executable/resource/access-dotnet-resource.yml b/executable/resource/access-dotnet-resource.yml
index c8c7726f..3ee831a8 100644
--- a/executable/resource/access-dotnet-resource.yml
+++ b/executable/resource/access-dotnet-resource.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084
 features:
diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml
index 92513950..43971082 100644
--- a/executable/resource/extract-resource-via-kernel32-functions.yml
+++ b/executable/resource/extract-resource-via-kernel32-functions.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000
 - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
index d116b6e0..01a1a4ba 100644
--- a/host-interaction/bootloader/disable-code-signing.yml
+++ b/host-interaction/bootloader/disable-code-signing.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
 examples:
diff --git a/host-interaction/bootloader/manipulate-boot-configuration.yml b/host-interaction/bootloader/manipulate-boot-configuration.yml
index b91396ed..57105959 100644
--- a/host-interaction/bootloader/manipulate-boot-configuration.yml
+++ b/host-interaction/bootloader/manipulate-boot-configuration.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
 examples:
diff --git a/host-interaction/bootloader/manipulate-safe-mode-programs.yml b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
index 145f0fb4..1ab5b104 100644
--- a/host-interaction/bootloader/manipulate-safe-mode-programs.yml
+++ b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
 examples:
diff --git a/host-interaction/clipboard/open-clipboard.yml b/host-interaction/clipboard/open-clipboard.yml
index 5765585a..11fc2edd 100644
--- a/host-interaction/clipboard/open-clipboard.yml
+++ b/host-interaction/clipboard/open-clipboard.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Clipboard Data [T1115]
 examples:
diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index 37ae798a..20587b12 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Collection::Clipboard Data [T1115]
 references:
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
index dead8a80..d91a3210 100644
--- a/host-interaction/clipboard/write-clipboard-data.yml
+++ b/host-interaction/clipboard/write-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Impact::Clipboard Modification [E1510]
 references:
diff --git a/host-interaction/console/manipulate-console-buffer.yml b/host-interaction/console/manipulate-console-buffer.yml
index 21fa1f52..c940481f 100644
--- a/host-interaction/console/manipulate-console-buffer.yml
+++ b/host-interaction/console/manipulate-console-buffer.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Operating System::Console [C0033]
 references:
diff --git a/host-interaction/driver/create-device-object.yml b/host-interaction/driver/create-device-object.yml
index 894d95b4..28e9d53e 100644
--- a/host-interaction/driver/create-device-object.yml
+++ b/host-interaction/driver/create-device-object.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - Practical Malware Analysis Lab 10-03.sys_:0x00010706
 features:
diff --git a/host-interaction/driver/disable-driver-code-integrity.yml b/host-interaction/driver/disable-driver-code-integrity.yml
index bbc6e07c..60a67472 100644
--- a/host-interaction/driver/disable-driver-code-integrity.yml
+++ b/host-interaction/driver/disable-driver-code-integrity.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
index f5afed21..52715062 100644
--- a/host-interaction/environment-variable/get-comspec-environment-variable.yml
+++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/file-system/bypass-mark-of-the-web.yml b/host-interaction/file-system/bypass-mark-of-the-web.yml
index 11759fb7..5a9958aa 100644
--- a/host-interaction/file-system/bypass-mark-of-the-web.yml
+++ b/host-interaction/file-system/bypass-mark-of-the-web.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005]
 examples:
diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
index 3f47b1b8..0e362dc4 100644
--- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
+++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
 mbc:
diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml
index 2e945c9d..ba88ea9a 100644
--- a/host-interaction/file-system/delete/delete-file.yml
+++ b/host-interaction/file-system/delete/delete-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Delete File [C0047]
 examples:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
index d8c4340f..5880fdaf 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index fcb01482..3f809abc 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/meta/get-file-version-info.yml b/host-interaction/file-system/meta/get-file-version-info.yml
index c61ccc59..a8ab1e88 100644
--- a/host-interaction/file-system/meta/get-file-version-info.yml
+++ b/host-interaction/file-system/meta/get-file-version-info.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml
index 6d1b3073..a41e77c4 100644
--- a/host-interaction/file-system/read/read-file-on-linux.yml
+++ b/host-interaction/file-system/read/read-file-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
index e04212ad..0d09a30b 100644
--- a/host-interaction/file-system/read/read-file-on-windows.yml
+++ b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml
index 5337c472..b5858045 100644
--- a/host-interaction/file-system/read/read-file-via-mapping.yml
+++ b/host-interaction/file-system/read/read-file-via-mapping.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-ini-file.yml b/host-interaction/file-system/read/read-ini-file.yml
index cd5d8984..65fda069 100644
--- a/host-interaction/file-system/read/read-ini-file.yml
+++ b/host-interaction/file-system/read/read-ini-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml
index b81bdc4e..1a07fdc8 100644
--- a/host-interaction/file-system/read/read-virtual-disk.yml
+++ b/host-interaction/file-system/read/read-virtual-disk.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Read Virtual Disk [C0056]
 references:
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
index e6ccaa07..412803ba 100644
--- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
+++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007]
 examples:
diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index 7a2f12fa..eb056fe5 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -7,7 +7,7 @@ rule:
 - mehunhoff@google.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml
index bac74e8f..7ceb3428 100644
--- a/host-interaction/filter/enumerate-minifilter-drivers.yml
+++ b/host-interaction/filter/enumerate-minifilter-drivers.yml
@@ -6,7 +6,7 @@ rule:
 - aseel.kayal@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
diff --git a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
index a0893a36..9b034d87 100644
--- a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
+++ b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
index 42427cc9..5ef9b148 100644
--- a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
+++ b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/gui/session/lock/lock-the-desktop.yml b/host-interaction/gui/session/lock/lock-the-desktop.yml
index af0d1042..b27490f5 100644
--- a/host-interaction/gui/session/lock/lock-the-desktop.yml
+++ b/host-interaction/gui/session/lock/lock-the-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Impact::Endpoint Denial of Service [T1499]
 examples:
diff --git a/host-interaction/gui/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml
index 5160f6bb..2a379a06 100644
--- a/host-interaction/gui/switch-active-desktop.yml
+++ b/host-interaction/gui/switch-active-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml
index 8e6bb745..5bf96719 100644
--- a/host-interaction/gui/taskbar/find/find-taskbar.yml
+++ b/host-interaction/gui/taskbar/find/find-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::Taskbar Discovery [B0043]
 examples:
diff --git a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
index cc6b2e63..c0422753 100644
--- a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
+++ b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Hide Artifacts [T1564]
 examples:
diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
index 2dd99b57..d9c1756f 100644
--- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml
+++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::Application Window Discovery [E1010]
 examples:
diff --git a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
index 0673777c..980035d0 100644
--- a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
+++ b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Impact::Modify Hardware::CDROM [B0042.001]
 examples:
diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml
index fce00394..8f858f88 100644
--- a/host-interaction/hardware/cpu/get-cpu-information.yml
+++ b/host-interaction/hardware/cpu/get-cpu-information.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
index 73693717..de199af8 100644
--- a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
+++ b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 references:
diff --git a/host-interaction/hardware/keyboard/get-keyboard-layout.yml b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
index b31c6141..b78a65c7 100644
--- a/host-interaction/hardware/keyboard/get-keyboard-layout.yml
+++ b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples:
diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
index 794d2000..5fb4b0ea 100644
--- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
+++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001]
 examples:
diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml
index c8328003..72d7f444 100644
--- a/host-interaction/hardware/memory/get-memory-information.yml
+++ b/host-interaction/hardware/memory/get-memory-information.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
index 10a61b09..396f18b4 100644
--- a/host-interaction/hardware/storage/get-disk-size.yml
+++ b/host-interaction/hardware/storage/get-disk-size.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
index 6bc8f818..116ccd4f 100755
--- a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
+++ b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
@@ -7,7 +7,7 @@ rule:
 - blaine.stancill@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Discovery::File and Directory Discovery::Log File [E1083.m01]
 references:
diff --git a/host-interaction/mutex/check-mutex-and-exit.yml b/host-interaction/mutex/check-mutex-and-exit.yml
index 58a5f43d..3934a5ae 100644
--- a/host-interaction/mutex/check-mutex-and-exit.yml
+++ b/host-interaction/mutex/check-mutex-and-exit.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Process::Check Mutex [C0043]
 - Process::Terminate Process [C0018]
diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml
index 03146022..79d6b4fe 100644
--- a/host-interaction/mutex/create-semaphore-on-linux.yml
+++ b/host-interaction/mutex/create-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0
 features:
diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml
index e0802d96..47e4e78b 100644
--- a/host-interaction/mutex/lock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/lock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml
index 66c1a41e..f2e1b1a8 100644
--- a/host-interaction/mutex/unlock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/unlock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml
index 4b57f8cd..1e5d485e 100644
--- a/host-interaction/network/address/get-local-ipv4-addresses.yml
+++ b/host-interaction/network/address/get-local-ipv4-addresses.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
index 44fa848b..8af06b9a 100644
--- a/host-interaction/network/connectivity/set-tcp-connection-state.yml
+++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -7,7 +7,7 @@ rule:
 description: The SetTcpEntry function sets the state of a TCP connection.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Impair Defenses [T1562]
 references:
diff --git a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
index a176f31f..6686f400 100644
--- a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
+++ b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/domain/get-domain-controller-name.yml b/host-interaction/network/domain/get-domain-controller-name.yml
index 43768e97..2f926817 100644
--- a/host-interaction/network/domain/get-domain-controller-name.yml
+++ b/host-interaction/network/domain/get-domain-controller-name.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml
index b807c106..150fd5e6 100644
--- a/host-interaction/network/interface/get-networking-interfaces.yml
+++ b/host-interaction/network/interface/get-networking-interfaces.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
index 97af7ed5..b562204b 100644
--- a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
+++ b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 references:
 - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
 - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
diff --git a/host-interaction/os/info/get-system-information-on-windows.yml b/host-interaction/os/info/get-system-information-on-windows.yml
index 4520cf7c..9b6e916d 100644
--- a/host-interaction/os/info/get-system-information-on-windows.yml
+++ b/host-interaction/os/info/get-system-information-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml
index f68f290e..41126b10 100644
--- a/host-interaction/os/version/get-kernel-version.yml
+++ b/host-interaction/os/version/get-kernel-version.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml
index 12b0cfda..1d01bc02 100644
--- a/host-interaction/os/version/get-linux-distribution.yml
+++ b/host-interaction/os/version/get-linux-distribution.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
index 3dc6af4c..2d6a46ad 100644
--- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
+++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 examples:
diff --git a/host-interaction/process/inject/attach-user-process-memory.yml b/host-interaction/process/inject/attach-user-process-memory.yml
index 4f8fa5c0..c9447cd9 100644
--- a/host-interaction/process/inject/attach-user-process-memory.yml
+++ b/host-interaction/process/inject/attach-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml
index f42f7a3d..081c21bd 100644
--- a/host-interaction/process/inject/free-user-process-memory.yml
+++ b/host-interaction/process/inject/free-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml
index 9a43ccfc..6b3e0581 100644
--- a/host-interaction/process/inject/hijack-thread-execution.yml
+++ b/host-interaction/process/inject/hijack-thread-execution.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml
index da9102f8..c8179382 100644
--- a/host-interaction/process/inject/inject-apc.yml
+++ b/host-interaction/process/inject/inject-apc.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
 examples:
diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml
index adc9c90a..76120443 100644
--- a/host-interaction/process/inject/inject-dll.yml
+++ b/host-interaction/process/inject/inject-dll.yml
@@ -6,7 +6,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]
 references:
diff --git a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
index 9f7be243..12cb8d4b 100644
--- a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
index 3add357b..8070de26 100644
--- a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
index 2d10da4d..87a2fe2b 100644
--- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml
index b83848f2..8e1b7634 100644
--- a/host-interaction/process/inject/inject-thread.yml
+++ b/host-interaction/process/inject/inject-thread.yml
@@ -7,7 +7,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/use-process-replacement.yml b/host-interaction/process/inject/use-process-replacement.yml
index 18e5c0c6..1bada8da 100644
--- a/host-interaction/process/inject/use-process-replacement.yml
+++ b/host-interaction/process/inject/use-process-replacement.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Process Injection::Process Hollowing [T1055.012]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
index a2591024..78657180 100644
--- a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
+++ b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml
index d790b129..78b57883 100644
--- a/host-interaction/process/list/enumerate-processes.yml
+++ b/host-interaction/process/list/enumerate-processes.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/host-interaction/process/list/find-process-by-pid.yml b/host-interaction/process/list/find-process-by-pid.yml
index 881be3f3..ee983d72 100644
--- a/host-interaction/process/list/find-process-by-pid.yml
+++ b/host-interaction/process/list/find-process-by-pid.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/map-section-object.yml b/host-interaction/process/map-section-object.yml
index 52fbac7a..c4e1885a 100644
--- a/host-interaction/process/map-section-object.yml
+++ b/host-interaction/process/map-section-object.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 examples:
 - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0
 features:
diff --git a/host-interaction/process/modify/modify-access-privileges.yml b/host-interaction/process/modify/modify-access-privileges.yml
index 49f98971..691c0fd1 100644
--- a/host-interaction/process/modify/modify-access-privileges.yml
+++ b/host-interaction/process/modify/modify-access-privileges.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Privilege Escalation::Access Token Manipulation [T1134]
 examples:
diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml
index 10ee51ca..dfbc619e 100644
--- a/host-interaction/process/modules/list/enumerate-process-modules.yml
+++ b/host-interaction/process/modules/list/enumerate-process-modules.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml
index 5e5197c4..6af7f120 100644
--- a/host-interaction/process/terminate/terminate-process.yml
+++ b/host-interaction/process/terminate/terminate-process.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 mbc:
 - Process::Terminate Process [C0018]
 examples:
diff --git a/host-interaction/registry/delete/delete-registry-key.yml b/host-interaction/registry/delete/delete-registry-key.yml
index 0760a49e..6a45d8cc 100644
--- a/host-interaction/registry/delete/delete-registry-key.yml
+++ b/host-interaction/registry/delete/delete-registry-key.yml
@@ -8,7 +8,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/delete/delete-registry-value.yml b/host-interaction/registry/delete/delete-registry-value.yml
index 39a77d94..de44c944 100644
--- a/host-interaction/registry/delete/delete-registry-value.yml
+++ b/host-interaction/registry/delete/delete-registry-value.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-key.yml b/host-interaction/registry/query-or-enumerate-registry-key.yml
index 62d672d1..be0837b0 100644
--- a/host-interaction/registry/query-or-enumerate-registry-key.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-value.yml b/host-interaction/registry/query-or-enumerate-registry-value.yml
index 855da49e..43802500 100644
--- a/host-interaction/registry/query-or-enumerate-registry-value.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-value.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
index 66b1a58d..34088062 100644
--- a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
+++ b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml
index 5715989a..a7a5127d 100644
--- a/host-interaction/service/continue-service.yml
+++ b/host-interaction/service/continue-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
index 6358c083..cd9db656 100644
--- a/host-interaction/service/create/create-service.yml
+++ b/host-interaction/service/create/create-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/delete/delete-service.yml b/host-interaction/service/delete/delete-service.yml
index 6aa8fe16..d32b04fa 100644
--- a/host-interaction/service/delete/delete-service.yml
+++ b/host-interaction/service/delete/delete-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/modify/modify-service.yml b/host-interaction/service/modify/modify-service.yml
index 18297751..68baa23f 100644
--- a/host-interaction/service/modify/modify-service.yml
+++ b/host-interaction/service/modify/modify-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml
index c4667131..e9724a67 100644
--- a/host-interaction/service/pause-service.yml
+++ b/host-interaction/service/pause-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/start/start-service.yml b/host-interaction/service/start/start-service.yml
index 33d110b9..86f7ae69 100644
--- a/host-interaction/service/start/start-service.yml
+++ b/host-interaction/service/start/start-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml
index dcd6ebac..3192a552 100644
--- a/host-interaction/service/stop/stop-service.yml
+++ b/host-interaction/service/stop/stop-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Impact::Service Stop [T1489]
diff --git a/host-interaction/session/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml
index 89974972..d503bc2a 100644
--- a/host-interaction/session/get-current-user-on-linux.yml
+++ b/host-interaction/session/get-current-user-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-logon-sessions.yml b/host-interaction/session/get-logon-sessions.yml
index 70956342..eb0b3ffa 100644
--- a/host-interaction/session/get-logon-sessions.yml
+++ b/host-interaction/session/get-logon-sessions.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for imported Windows APIs being called to enumerate user sessions.
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Account Discovery [T1087]
 examples:
diff --git a/host-interaction/session/get-session-integrity-level.yml b/host-interaction/session/get-session-integrity-level.yml
index a07c7a25..9e7d17d5 100644
--- a/host-interaction/session/get-session-integrity-level.yml
+++ b/host-interaction/session/get-session-integrity-level.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml
index f9673dfb..d6e62bb4 100644
--- a/host-interaction/session/get-session-user-name.yml
+++ b/host-interaction/session/get-session-user-name.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 - Discovery::Account Discovery [T1087]
diff --git a/host-interaction/session/get-token-membership.yml b/host-interaction/session/get-token-membership.yml
index 54b399b1..58e1422c 100644
--- a/host-interaction/session/get-token-membership.yml
+++ b/host-interaction/session/get-token-membership.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml
index cdf6ddf5..db792978 100644
--- a/host-interaction/thread/list/enumerate-threads.yml
+++ b/host-interaction/thread/list/enumerate-threads.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: thread
+ dynamic: sequence
 att&ck:
 - Discovery::Process Discovery [T1057]
 mbc:
diff --git a/host-interaction/thread/tls/set-thread-local-storage-value.yml b/host-interaction/thread/tls/set-thread-local-storage-value.yml
index 1fd8bd8c..5a84bd56 100644
--- a/host-interaction/thread/tls/set-thread-local-storage-value.yml
+++ b/host-interaction/thread/tls/set-thread-local-storage-value.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Process::Set Thread Local Storage Value [C0041] examples:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
index 7ffef285..d4210209 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
@@ -6,7 +6,7 @@ rule: - richard.cole@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
index 7e90cb1b..a2f0ebdc 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
@@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
index 27fcaf27..3c33b8b2 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
@@ -7,7 +7,7 @@ rule: - david@edeca.net scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
index 7a9795b1..a99f8561 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
@@ -7,7 +7,7 @@ rule: - david.cannings@pwc.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references:
diff --git a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
index 3f09f537..bba4d42b 100644
--- a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
+++ b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Impact::Inhibit System Recovery [T1490] - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
index 3257c3f0..e2168d2a 100644
--- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
+++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Impact::Disk Wipe::Disk Structure Wipe [T1561.002] mbc:
diff --git a/lib/create-or-open-section-object.yml b/lib/create-or-open-section-object.yml
index 6def76ae..905eb9b1 100644
--- a/lib/create-or-open-section-object.yml
+++ b/lib/create-or-open-section-object.yml
@@ -6,7 +6,7 @@ rule: lib: true scopes: static: function - dynamic: thread + dynamic: sequence examples: - daa13ae302fe8b618ddbf590537443ef:0x401116 features:
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
index f2c6fbd3..0ad8e96b 100644
--- a/linking/runtime-linking/link-many-functions-at-runtime.yml
+++ b/linking/runtime-linking/link-many-functions-at-runtime.yml
@@ -7,7 +7,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Shared Modules [T1129] examples:
diff --git a/load-code/pe/access-pe-header.yml b/load-code/pe/access-pe-header.yml
index 926024df..ae687ddd 100644
--- a/load-code/pe/access-pe-header.yml
+++ b/load-code/pe/access-pe-header.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Shared Modules [T1129] examples:
diff --git a/load-code/pe/inspect-section-memory-permissions.yml b/load-code/pe/inspect-section-memory-permissions.yml
index 1c5383ad..e1a0e298 100644
--- a/load-code/pe/inspect-section-memory-permissions.yml
+++ b/load-code/pe/inspect-section-memory-permissions.yml
@@ -7,7 +7,7 @@ rule: description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants" scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Discovery::Code Discovery::Inspect Section Memory Permissions [B0046.002] examples:
diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml
index 1c35b86d..71ecb96a 100644
--- a/load-code/powershell/run-powershell-expression.yml
+++ b/load-code/powershell/run-powershell-expression.yml
@@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Command and Scripting Interpreter::PowerShell [T1059.001] mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
index 023c4958..1e4762e1 100644
--- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml
+++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CopyFile2/CopyFile2.cpp examples:
diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
index 70006b7d..c6cf7543 100644
--- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
+++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp examples:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
index 01fdd48c..450fec00 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
@@ -9,7 +9,7 @@ rule: description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Reflective Code Loading [T1620] mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
index 5dbb1f4c..49baeba4 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml
@@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Defense Evasion::Process Injection::Injection via Windows Fibers [E1055.m05] references:
diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
index d165499a..2ef4257f 100644
--- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
+++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Memory::Allocate Memory [C0007] - Process::Create Thread [C0038]
diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml
index a0acd251..684acc63 100644
--- a/malware-family/plugx/match-known-plugx-module.yml
+++ b/malware-family/plugx/match-known-plugx-module.yml
@@ -8,7 +8,7 @@ rule: description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode) scopes: static: function - dynamic: thread + dynamic: sequence references: - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
diff --git a/nursery/access-wmi-data-in-dotnet.yml b/nursery/access-wmi-data-in-dotnet.yml
index 1ea66ad5..c9ade539 100644
--- a/nursery/access-wmi-data-in-dotnet.yml
+++ b/nursery/access-wmi-data-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Windows Management Instrumentation [T1047] features:
diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml
index 9e338a0b..20a0950f 100644
--- a/nursery/add-value-to-global-atom-table.yml
+++ b/nursery/add-value-to-global-atom-table.yml
@@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows - https://github.com/BreakingMalwareResearch/atom-bombing
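Review bot: Switching `dynamic: thread` to `dynamic: sequence` narrows this rule's dynamic matching, and `spawn-thread-to-rwx-shellcode.yml` is the hunk in this series most exposed to that: the visible mbc tags (`Memory::Allocate Memory [C0007]`, `Process::Create Thread [C0038]`) show it correlates at least two distinct API calls, which under sequence scope must, if I read the scope semantics correctly, fall inside capa's bounded window of consecutive calls rather than anywhere in the same thread. Traces in which the allocation and the thread-creation call are separated by more calls than that window would stop matching dynamically while the static `function` result is unchanged. Suggest confirming with a dynamic trace that the rule still fires, and retaining `dynamic: thread` for rules whose constituent calls are expected to be far apart; the same question applies to the other multi-call rules converted in this patch, for example `execute-shellcode-via-windows-fibers.yml` and `hook-routines-via-microsoft-detours.yml`. The rule's `features:` block lies outside the hunk.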
diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml
index 07ecd9e5..8e14a3e8 100755
--- a/nursery/append-data-to-clfs-log-container.yml
+++ b/nursery/append-data-to-clfs-log-container.yml
@@ -7,7 +7,7 @@ rule: - blaine.stancill@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/windows/win32/api/clfsw32/ - https://github.com/libyal/libfsclfs/blob/main/documenation/Common%20Log%20File%20System%20(CLFS).asciidoc
diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml
index cdf1dc0e..43cfd46f 100644
--- a/nursery/build-docker-image.yml
+++ b/nursery/build-docker-image.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Build Image on Host [T1612] references:
diff --git a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
index baaad79a..80429670 100644
--- a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
+++ b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
@@ -7,7 +7,7 @@ rule: description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use scopes: static: function - dynamic: thread + dynamic: sequence references: - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions features:
diff --git a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
index ec31d517..b0f59e32 100644
--- a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
+++ b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml
@@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references:
diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml
index e1dd86c5..a48af60c 100644
--- a/nursery/capture-webcam-video.yml
+++ b/nursery/capture-webcam-video.yml
@@ -7,7 +7,7 @@ rule: description: Rule that detects a system's webcam being used to capture video scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Collection::Video Capture [T1125] features:
diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml
index ba44d8c1..e1178cf9 100644
--- a/nursery/check-for-process-debug-object.yml
+++ b/nursery/check-for-process-debug-object.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references:
diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml
index 9e16518a..67fc01fc 100644
--- a/nursery/check-for-windows-sandbox-via-mutex.yml
+++ b/nursery/check-for-windows-sandbox-via-mutex.yml
@@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc:
diff --git a/nursery/check-license-value.yml b/nursery/check-license-value.yml
index bcf84c1e..769aed48 100644
--- a/nursery/check-license-value.yml
+++ b/nursery/check-license-value.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] references:
diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml
index 644e61ae..77d38aa4 100644
--- a/nursery/collect-ssh-keys.yml
+++ b/nursery/collect-ssh-keys.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Credential Access::Unsecured Credentials::Private Keys [T1552.004] features:
diff --git a/nursery/compile-csharp-in-dotnet.yml b/nursery/compile-csharp-in-dotnet.yml
index e9b1ae93..59d2930b 100644
--- a/nursery/compile-csharp-in-dotnet.yml
+++ b/nursery/compile-csharp-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features:
diff --git a/nursery/compile-visual-basic-in-dotnet.yml b/nursery/compile-visual-basic-in-dotnet.yml
index d14c489a..53718bff 100644
--- a/nursery/compile-visual-basic-in-dotnet.yml
+++ b/nursery/compile-visual-basic-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features:
diff --git a/nursery/connect-network-resource.yml b/nursery/connect-network-resource.yml
index 2394a08a..c5018a95 100644
--- a/nursery/connect-network-resource.yml
+++ b/nursery/connect-network-resource.yml
@@ -7,7 +7,7 @@ rule: description: connect to disk or print resource scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - or:
diff --git a/nursery/create-container.yml b/nursery/create-container.yml
index e047c097..9ac9d3d9 100644
--- a/nursery/create-container.yml
+++ b/nursery/create-container.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Deploy Container [T1610] references:
diff --git a/nursery/create-process-via-wmi-in-dotnet.yml b/nursery/create-process-via-wmi-in-dotnet.yml
index 92d4d776..fe6e5448 100644
--- a/nursery/create-process-via-wmi-in-dotnet.yml
+++ b/nursery/create-process-via-wmi-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Windows Management Instrumentation [T1047] features:
diff --git a/nursery/create-registry-key-via-stdregprov.yml b/nursery/create-registry-key-via-stdregprov.yml
index 41d27b5b..7ab4d3d7 100644
--- a/nursery/create-registry-key-via-stdregprov.yml
+++ b/nursery/create-registry-key-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features:
diff --git a/nursery/delete-internet-cache.yml b/nursery/delete-internet-cache.yml
index 47ac9b54..4f7eb60b 100644
--- a/nursery/delete-internet-cache.yml
+++ b/nursery/delete-internet-cache.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - match: enumerate internet cache
diff --git a/nursery/delete-registry-key-via-stdregprov.yml b/nursery/delete-registry-key-via-stdregprov.yml
index 2db744a1..85dff7a9 100644
--- a/nursery/delete-registry-key-via-stdregprov.yml
+++ b/nursery/delete-registry-key-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features:
diff --git a/nursery/delete-registry-value-via-stdregprov.yml b/nursery/delete-registry-value-via-stdregprov.yml
index 3ac76ac5..f39d0fe5 100644
--- a/nursery/delete-registry-value-via-stdregprov.yml
+++ b/nursery/delete-registry-value-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features:
diff --git a/nursery/destroy-software-breakpoint-capability.yml b/nursery/destroy-software-breakpoint-capability.yml
index dca3106c..eb1666ea 100644
--- a/nursery/destroy-software-breakpoint-capability.yml
+++ b/nursery/destroy-software-breakpoint-capability.yml
@@ -6,7 +6,7 @@ rule: - echernofsky@google.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.microsoft.com/en-us/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ - https://anti-debug.checkpoint.com/techniques/assembly.html
diff --git a/nursery/display-service-notification-message-box.yml b/nursery/display-service-notification-message-box.yml
index 7bf65439..ed4bda77 100644
--- a/nursery/display-service-notification-message-box.yml
+++ b/nursery/display-service-notification-message-box.yml
@@ -6,7 +6,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - number: 0x200000 = service notification
diff --git a/nursery/enable-safe-mode-boot.yml b/nursery/enable-safe-mode-boot.yml
index 1807ee02..c9683b22 100644
--- a/nursery/enable-safe-mode-boot.yml
+++ b/nursery/enable-safe-mode-boot.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009] features:
diff --git a/nursery/encrypt-data-using-salsa20-or-chacha.yml b/nursery/encrypt-data-using-salsa20-or-chacha.yml
index 5fc26d21..de06d943 100644
--- a/nursery/encrypt-data-using-salsa20-or-chacha.yml
+++ b/nursery/encrypt-data-using-salsa20-or-chacha.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references:
diff --git a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
index 02fb47b4..2924df5c 100644
--- a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
+++ b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc:
diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml
index c73df788..6e9147af 100644
--- a/nursery/enumerate-device-drivers-on-linux.yml
+++ b/nursery/enumerate-device-drivers-on-linux.yml
@@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::Device Driver Discovery [T1652] features:
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
index 8288e507..2abd915c 100644
--- a/nursery/enumerate-device-drivers-on-windows.yml
+++ b/nursery/enumerate-device-drivers-on-windows.yml
@@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::Device Driver Discovery [T1652] references:
diff --git a/nursery/enumerate-disk-volumes.yml b/nursery/enumerate-disk-volumes.yml
index c8c8c085..a03a5206 100644
--- a/nursery/enumerate-disk-volumes.yml
+++ b/nursery/enumerate-disk-volumes.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Information Discovery [T1082] features:
diff --git a/nursery/enumerate-files-in-dotnet.yml b/nursery/enumerate-files-in-dotnet.yml
index db3e09a1..ccb21c79 100644
--- a/nursery/enumerate-files-in-dotnet.yml
+++ b/nursery/enumerate-files-in-dotnet.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::File and Directory Discovery [T1083] mbc:
diff --git a/nursery/enumerate-internet-cache.yml b/nursery/enumerate-internet-cache.yml
index 759366dd..b8296701 100644
--- a/nursery/enumerate-internet-cache.yml
+++ b/nursery/enumerate-internet-cache.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - api: wininet.FindFirstUrlCacheEntry
diff --git a/nursery/enumerate-network-shares.yml b/nursery/enumerate-network-shares.yml
index 25f5e92b..1baa2496 100644
--- a/nursery/enumerate-network-shares.yml
+++ b/nursery/enumerate-network-shares.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::Network Share Discovery [T1135] features:
diff --git a/nursery/enumerate-processes-that-use-resource.yml b/nursery/enumerate-processes-that-use-resource.yml
index 4b9f3033..a548487e 100644
--- a/nursery/enumerate-processes-that-use-resource.yml
+++ b/nursery/enumerate-processes-that-use-resource.yml
@@ -6,7 +6,7 @@ rule: - "@Ana06" scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners # examples:
diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml
index 3914c2a8..cc5ee888 100644
--- a/nursery/enumerate-processes-via-procfs.yml
+++ b/nursery/enumerate-processes-via-procfs.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518]
diff --git a/nursery/execute-sqlite-statement-in-dotnet.yml b/nursery/execute-sqlite-statement-in-dotnet.yml
index 72533ea8..d92da4a2 100644
--- a/nursery/execute-sqlite-statement-in-dotnet.yml
+++ b/nursery/execute-sqlite-statement-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - or:
diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml
index ae2eb5df..0e7a32a0 100644
--- a/nursery/get-client-handle-via-schannel.yml
+++ b/nursery/get-client-handle-via-schannel.yml
@@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references:
diff --git a/nursery/get-current-process-command-line.yml b/nursery/get-current-process-command-line.yml
index df4c844d..b639e1e7 100644
--- a/nursery/get-current-process-command-line.yml
+++ b/nursery/get-current-process-command-line.yml
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - os: linux
diff --git a/nursery/get-mac-address-in-dotnet.yml b/nursery/get-mac-address-in-dotnet.yml
index 43a3aeba..ea69efa3 100644
--- a/nursery/get-mac-address-in-dotnet.yml
+++ b/nursery/get-mac-address-in-dotnet.yml
@@ -8,7 +8,7 @@ rule: - echernofsky@google.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Information Discovery [T1082] features:
diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml
index ffcafe35..58485e9e 100644
--- a/nursery/get-mac-address-on-linux.yml
+++ b/nursery/get-mac-address-on-linux.yml
@@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Information Discovery [T1082] features:
diff --git a/nursery/get-os-information-via-kuser_shared_data.yml b/nursery/get-os-information-via-kuser_shared_data.yml
index ed0d6f8f..05e4f61a 100644
--- a/nursery/get-os-information-via-kuser_shared_data.yml
+++ b/nursery/get-os-information-via-kuser_shared_data.yml
@@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Information Discovery [T1082] references:
diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml
index 7f495675..1d667ad6 100644
--- a/nursery/get-proxy.yml
+++ b/nursery/get-proxy.yml
@@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Network Configuration Discovery [T1016] features:
diff --git a/nursery/get-session-information.yml b/nursery/get-session-information.yml
index 23d33682..e9fae8b9 100644
--- a/nursery/get-session-information.yml
+++ b/nursery/get-session-information.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Owner/User Discovery [T1033] features:
diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml
index dc1cb3ed..ed0cd9a4 100644
--- a/nursery/get-storage-device-properties.yml
+++ b/nursery/get-storage-device-properties.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property features:
diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml
index 3d829469..47a82615 100644
--- a/nursery/get-system-information-on-linux.yml
+++ b/nursery/get-system-information-on-linux.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Information Discovery [T1082] features:
diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml
index bc64f7de..aea1a7da 100644
--- a/nursery/get-token-privileges.yml
+++ b/nursery/get-token-privileges.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - or:
diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml
index 6cc08aaf..c8878ada 100755
--- a/nursery/hash-data-using-ripemd256.yml
+++ b/nursery/hash-data-using-ripemd256.yml
@@ -6,7 +6,7 @@ rule: - raymond.leong@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://en.wikipedia.org/wiki/RIPEMD-256 features:
diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml
index a8fc6f67..c0782858 100755
--- a/nursery/hash-data-using-ripemd320.yml
+++ b/nursery/hash-data-using-ripemd320.yml
@@ -6,7 +6,7 @@ rule: - raymond.leong@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://en.wikipedia.org/wiki/RIPEMD-320 features:
diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml
index 3be8c8f8..0eb3b34d 100644
--- a/nursery/hash-data-using-sha1-via-wincrypt.yml
+++ b/nursery/hash-data-using-sha1-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - or: - and:
diff --git a/nursery/hash-data-using-sha512managed-in-dotnet.yml b/nursery/hash-data-using-sha512managed-in-dotnet.yml
index 16886f25..9f8027fb 100644
--- a/nursery/hash-data-using-sha512managed-in-dotnet.yml
+++ b/nursery/hash-data-using-sha512managed-in-dotnet.yml
@@ -6,7 +6,7 @@ rule: - jonathanlepore@google.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed features: diff --git a/nursery/hash-data-via-bcrypt.yml b/nursery/hash-data-via-bcrypt.yml index 34e14c97..b7af6eb8 100644 --- a/nursery/hash-data-via-bcrypt.yml +++ b/nursery/hash-data-via-bcrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/hook-routines-via-microsoft-detours.yml b/nursery/hook-routines-via-microsoft-detours.yml index 9499d230..62c6a22c 100644 --- a/nursery/hook-routines-via-microsoft-detours.yml +++ b/nursery/hook-routines-via-microsoft-detours.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf features: diff --git a/nursery/impersonate-user.yml b/nursery/impersonate-user.yml index c6f6f451..c0f65154 100644 --- a/nursery/impersonate-user.yml +++ b/nursery/impersonate-user.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001] features: diff --git a/nursery/initialize-hashing-via-wincrypt.yml b/nursery/initialize-hashing-via-wincrypt.yml index b5797530..eaa99b51 100644 --- a/nursery/initialize-hashing-via-wincrypt.yml +++ b/nursery/initialize-hashing-via-wincrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - api: advapi32.CryptCreateHash 
diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml index 3132e37c..bb1e803d 100644 --- a/nursery/link-function-at-runtime-on-linux.yml +++ b/nursery/link-function-at-runtime-on-linux.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Shared Modules [T1129] features: diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml index 0c6c38c1..00350c23 100644 --- a/nursery/list-containers.yml +++ b/nursery/list-containers.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::Container and Resource Discovery [T1613] references: diff --git a/nursery/list-drag-and-drop-files.yml b/nursery/list-drag-and-drop-files.yml index f9b0dfe4..83a89bd7 100644 --- a/nursery/list-drag-and-drop-files.yml +++ b/nursery/list-drag-and-drop-files.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/load-packed-dex-via-jiagu-on-android.yml b/nursery/load-packed-dex-via-jiagu-on-android.yml index bd1b153d..4c56f129 100644 --- a/nursery/load-packed-dex-via-jiagu-on-android.yml +++ b/nursery/load-packed-dex-via-jiagu-on-android.yml @@ -6,7 +6,7 @@ rule: - mehunhoff@google.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://github.com/Frezrik/Jiagu features: diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml index ef23de6e..cc80ca75 100644 --- a/nursery/log-keystrokes-via-input-method-manager.yml +++ b/nursery/log-keystrokes-via-input-method-manager.yml @@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - or: 
diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml index c056237f..65b803a7 100644 --- a/nursery/make-an-http-request-with-a-cookie.yml +++ b/nursery/make-an-http-request-with-a-cookie.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - match: send HTTP request diff --git a/nursery/migrate-process-to-active-window-station.yml b/nursery/migrate-process-to-active-window-station.yml index 541b4a68..4d902172 100644 --- a/nursery/migrate-process-to-active-window-station.yml +++ b/nursery/migrate-process-to-active-window-station.yml @@ -7,7 +7,7 @@ rule: description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers. scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops diff --git a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml index 58f91138..a27c332a 100644 --- a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml +++ b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml @@ -6,7 +6,7 @@ rule: - mehunhoff@google.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - os: android diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml index 32048170..88b75d93 100644 --- a/nursery/persist-via-gnome-autostart-on-linux.yml +++ b/nursery/persist-via-gnome-autostart-on-linux.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - os: linux 
diff --git a/nursery/prompt-user-for-credentials.yml b/nursery/prompt-user-for-credentials.yml index 303c4ced..cfbbc6fa 100644 --- a/nursery/prompt-user-for-credentials.yml +++ b/nursery/prompt-user-for-credentials.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials features: diff --git a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml index 1dc167b9..0b9df019 100644 --- a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml index 063f4234..7c995002 100644 --- a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml index 6d181534..0a5f604f 100644 --- a/nursery/read-and-send-data-from-client-to-server.yml +++ b/nursery/read-and-send-data-from-client-to-server.yml 
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - match: host-interaction/file-system/read diff --git a/nursery/read-process-memory.yml b/nursery/read-process-memory.yml index db460b90..6d6c44fe 100644 --- a/nursery/read-process-memory.yml +++ b/nursery/read-process-memory.yml @@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - api: kernel32.ReadProcessMemory diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml index 369dbf19..c9f69986 100644 --- a/nursery/receive-and-write-data-from-server-to-client.yml +++ b/nursery/receive-and-write-data-from-server-to-client.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - match: receive data diff --git a/nursery/reference-114dns-dns-server.yml b/nursery/reference-114dns-dns-server.yml index c1ac922a..b52152e5 100644 --- a/nursery/reference-114dns-dns-server.yml +++ b/nursery/reference-114dns-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.114dns.com/ - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP diff --git a/nursery/reference-alidns-dns-server.yml b/nursery/reference-alidns-dns-server.yml index 1a35101a..696f2c4b 100644 --- a/nursery/reference-alidns-dns-server.yml +++ b/nursery/reference-alidns-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.alidns.com/ # examples: diff --git a/nursery/reference-cloudflare-dns-server.yml b/nursery/reference-cloudflare-dns-server.yml index dd7e512c..9fd7d5b2 100644 --- a/nursery/reference-cloudflare-dns-server.yml 
+++ b/nursery/reference-cloudflare-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-comodo-secure-dns-server.yml b/nursery/reference-comodo-secure-dns-server.yml index b7664ff2..5eaf10df 100644 --- a/nursery/reference-comodo-secure-dns-server.yml +++ b/nursery/reference-comodo-secure-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-google-public-dns-server.yml b/nursery/reference-google-public-dns-server.yml index fccdc8e7..5815adcb 100644 --- a/nursery/reference-google-public-dns-server.yml +++ b/nursery/reference-google-public-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server - https://developers.google.com/speed/public-dns/docs/using diff --git a/nursery/reference-hurricane-electric-dns-server.yml b/nursery/reference-hurricane-electric-dns-server.yml index c90176fe..bfd2c1ea 100644 --- a/nursery/reference-hurricane-electric-dns-server.yml +++ b/nursery/reference-hurricane-electric-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://dns.he.net/ - https://dnslytics.com/ip/216.66.1.2 diff --git a/nursery/reference-kornet-dns-server.yml b/nursery/reference-kornet-dns-server.yml index f08d6b3c..add6a03d 100644 --- a/nursery/reference-kornet-dns-server.yml +++ b/nursery/reference-kornet-dns-server.yml 
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://whatismyipaddress.com/ip/168.126.63.1 # examples: diff --git a/nursery/reference-l3-dns-server.yml b/nursery/reference-l3-dns-server.yml index 0a0f1f98..45ba4e6d 100644 --- a/nursery/reference-l3-dns-server.yml +++ b/nursery/reference-l3-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.quora.com/What-is-a-4-2-2-1-DNS-server features: diff --git a/nursery/reference-opendns-dns-server.yml b/nursery/reference-opendns-dns-server.yml index 128ed617..e0a68d41 100644 --- a/nursery/reference-opendns-dns-server.yml +++ b/nursery/reference-opendns-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-quad9-dns-server.yml b/nursery/reference-quad9-dns-server.yml index 74188a33..4c9732b1 100644 --- a/nursery/reference-quad9-dns-server.yml +++ b/nursery/reference-quad9-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-verisign-dns-server.yml b/nursery/reference-verisign-dns-server.yml index 626ae4b9..6b0528cc 100644 --- a/nursery/reference-verisign-dns-server.yml +++ b/nursery/reference-verisign-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/resolve-function-by-djb2-hash.yml b/nursery/resolve-function-by-djb2-hash.yml index 49d40508..3c5ec73a 100644 
--- a/nursery/resolve-function-by-djb2-hash.yml +++ b/nursery/resolve-function-by-djb2-hash.yml @@ -7,7 +7,7 @@ rule: description: known import name hashes calculated using the non-cryptographic djb2 hashing algorithm scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] mbc: diff --git a/nursery/resolve-function-by-fnv-1a-hash.yml b/nursery/resolve-function-by-fnv-1a-hash.yml index 7f323956..91f8d6fb 100644 --- a/nursery/resolve-function-by-fnv-1a-hash.yml +++ b/nursery/resolve-function-by-fnv-1a-hash.yml @@ -7,7 +7,7 @@ rule: description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] references: diff --git a/nursery/resolve-function-by-hash.yml b/nursery/resolve-function-by-hash.yml index 9e84d6a6..cb219c7e 100644 --- a/nursery/resolve-function-by-hash.yml +++ b/nursery/resolve-function-by-hash.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] references: diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml index dd96985a..4d7cb40d 100644 --- a/nursery/run-in-container.yml +++ b/nursery/run-in-container.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Execution::Container Administration Command [T1609] references: diff --git a/nursery/send-data-to-internet.yml b/nursery/send-data-to-internet.yml index 44e1a3a6..c2ffa3a7 100644 --- a/nursery/send-data-to-internet.yml +++ b/nursery/send-data-to-internet.yml 
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - optional: diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml index 4e54322f..959694ba 100644 --- a/nursery/send-http-request-with-host-header.yml +++ b/nursery/send-http-request-with-host-header.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - match: send HTTP request diff --git a/nursery/send-request-in-dotnet.yml b/nursery/send-request-in-dotnet.yml index 9c66ac39..4233995a 100644 --- a/nursery/send-request-in-dotnet.yml +++ b/nursery/send-request-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - anushka.virgaonakr@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Command and Control::Application Layer Protocol::Web Protocols [T1071.001] mbc: diff --git a/nursery/set-registry-value-via-stdregprov.yml b/nursery/set-registry-value-via-stdregprov.yml index ecc12bb5..61ea9b56 100644 --- a/nursery/set-registry-value-via-stdregprov.yml +++ b/nursery/set-registry-value-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/terminate-process-by-name-in-dotnet.yml b/nursery/terminate-process-by-name-in-dotnet.yml index d54e5029..4488795a 100644 --- a/nursery/terminate-process-by-name-in-dotnet.yml +++ b/nursery/terminate-process-by-name-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - api: System.Diagnostics.Process::GetProcessesByName 
diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml index 2f5426f2..bd2c68dc 100644 --- a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml +++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml @@ -7,7 +7,7 @@ rule: description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs scopes: static: function - dynamic: thread + dynamic: sequence features: - and: - or: diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml index e6148126..c3cc8f39 100644 --- a/persistence/exchange/act-as-exchange-transport-agent.yml +++ b/persistence/exchange/act-as-exchange-transport-agent.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Server Software Component::Transport Agent [T1505.002] references: diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml index 13809bb3..e2a4030e 100644 --- a/persistence/persist-via-desktop-autostart.yml +++ b/persistence/persist-via-desktop-autostart.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013] examples: diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml index b4d149f4..351c54da 100644 --- a/persistence/persist-via-shell-profile-or-rc-file.yml +++ b/persistence/persist-via-shell-profile-or-rc-file.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004] examples: 
diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml index 2f4b7292..b05e9079 100644 --- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml +++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@fireye.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010] - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml index 11c4c0fa..742e0729 100644 --- a/persistence/service/persist-via-rc-script.yml +++ b/persistence/service/persist-via-rc-script.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004] examples: diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml index 2b88013d..0f463ec6 100644 --- a/persistence/startup-folder/write-file-to-startup-folder.yml +++ b/persistence/startup-folder/write-file-to-startup-folder.yml @@ -7,7 +7,7 @@ rule: - j.j.vannielen@utwente.nl scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] examples: diff --git a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml index 7354fd6e..4a23a7d2 100644 --- a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml 
+++ b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence references: - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html examples: diff --git a/targeting/language/identify-system-language-via-api.yml b/targeting/language/identify-system-language-via-api.yml index 7ba9a0a2..5535d56f 100644 --- a/targeting/language/identify-system-language-via-api.yml +++ b/targeting/language/identify-system-language-via-api.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Location Discovery::System Language Discovery [T1614.001] examples: From 1f4c7a4e3d140e5427a560b6857c89b351a9dfc3 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin Date: Tue, 17 Dec 2024 10:27:49 +0000 Subject: [PATCH 2/5] use sequence scope instead of thread scope for "static: basic block" rules --- anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml | 2 +- .../debugger-detection/check-for-outputdebugstring-error.yml | 2 +- .../anti-forensic/crash-the-windows-event-logging-service.yml | 2 +- .../vm-detection/check-for-windows-sandbox-via-device.yml | 2 +- .../network/capture-network-configuration-via-ipconfig.yml | 2 +- communication/http/client/send-file-via-http.yml | 2 +- communication/socket/create-vmci-socket.yml | 2 +- .../driver/complete-processing-asynchronous-io-request.yml | 2 +- host-interaction/driver/interact-with-driver-via-ioctl.yml | 2 +- host-interaction/gui/logon/references-logon-banner.yml | 2 +- host-interaction/mutex/check-mutex.yml | 2 +- .../process/inject/allocate-or-change-rwx-memory.yml | 2 +- host-interaction/process/list/get-explorer-pid.yml | 2 +- host-interaction/process/modify/acquire-debug-privileges.yml | 2 +- host-interaction/thread/create/create-thread.yml | 2 +- nursery/check-for-windows-sandbox-via-subdirectory.yml | 2 +- nursery/get-process-image-filename.yml | 2 +- nursery/hook-routines-via-lsplant.yml | 2 +- nursery/set-thread-name-on-linux.yml | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml index b8d98804..6c1a6c91 100644 --- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml +++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Virtual Machine Detection [B0009] - Anti-Behavioral Analysis::Sandbox Detection [B0007] 
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml index 22a2cbc9..0a89a9e7 100644 --- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml +++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] examples: diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml index 5f0ad724..dde35dba 100644 --- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml +++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] references: diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml index 387e6143..832d8287 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml index f5733c48..42527534 100644 --- a/collection/network/capture-network-configuration-via-ipconfig.yml 
+++ b/collection/network/capture-network-configuration-via-ipconfig.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Discovery::System Network Configuration Discovery [T1016] examples: diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml index ef552a97..252b53ee 100644 --- a/communication/http/client/send-file-via-http.yml +++ b/communication/http/client/send-file-via-http.yml @@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Communication::HTTP Communication::Send Data [C0002.005] examples: diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml index 1083ac03..1407e694 100644 --- a/communication/socket/create-vmci-socket.yml +++ b/communication/socket/create-vmci-socket.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Communication::Socket Communication::Create Socket [C0001.003] references: diff --git a/host-interaction/driver/complete-processing-asynchronous-io-request.yml b/host-interaction/driver/complete-processing-asynchronous-io-request.yml index dd52f7ad..3dab003b 100644 --- a/host-interaction/driver/complete-processing-asynchronous-io-request.yml +++ b/host-interaction/driver/complete-processing-asynchronous-io-request.yml @@ -7,7 +7,7 @@ rule: description: signals that driver has finished all processing for a given IRP (part of major function) scopes: static: basic block - dynamic: thread + dynamic: sequence examples: - Practical Malware Analysis Lab 10-03.sys_:0x10666 features: diff --git a/host-interaction/driver/interact-with-driver-via-ioctl.yml b/host-interaction/driver/interact-with-driver-via-ioctl.yml index cb24ea09..5e13bb48 100644 --- a/host-interaction/driver/interact-with-driver-via-ioctl.yml 
+++ b/host-interaction/driver/interact-with-driver-via-ioctl.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence examples: - Practical Malware Analysis Lab 10-03.exe_:0x40108c features: diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml index b05623f1..f4ea8920 100644 --- a/host-interaction/gui/logon/references-logon-banner.yml +++ b/host-interaction/gui/logon/references-logon-banner.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: basic block - dynamic: thread + dynamic: sequence examples: - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC features: diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml index c9929ff9..900120e5 100644 --- a/host-interaction/mutex/check-mutex.yml +++ b/host-interaction/mutex/check-mutex.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Process::Check Mutex [C0043] examples: diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml index 1393a89d..bb2fbae5 100644 --- a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml +++ b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml @@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Memory::Allocate Memory [C0007] examples: diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml index 1ec555cb..155fcc3d 100644 --- a/host-interaction/process/list/get-explorer-pid.yml +++ b/host-interaction/process/list/get-explorer-pid.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Discovery::Process Discovery [T1057] references: 
diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml index 97bc43ea..24cc1e5e 100644 --- a/host-interaction/process/modify/acquire-debug-privileges.yml +++ b/host-interaction/process/modify/acquire-debug-privileges.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Privilege Escalation::Access Token Manipulation [T1134] examples: diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml index fc2f9e8c..aa03f2bb 100644 --- a/host-interaction/thread/create/create-thread.yml +++ b/host-interaction/thread/create/create-thread.yml @@ -9,7 +9,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence mbc: - Process::Create Thread [C0038] examples: diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml index d5dba245..ded4da43 100644 --- a/nursery/check-for-windows-sandbox-via-subdirectory.yml +++ b/nursery/check-for-windows-sandbox-via-subdirectory.yml @@ -6,7 +6,7 @@ rule: - "echernofsky@google.com" scopes: static: basic block - dynamic: thread + dynamic: sequence att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml index fc250690..1ca653cd 100644 --- a/nursery/get-process-image-filename.yml +++ b/nursery/get-process-image-filename.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: thread + dynamic: sequence features: - or: - and: diff --git a/nursery/hook-routines-via-lsplant.yml b/nursery/hook-routines-via-lsplant.yml index 8d20b485..72120540 100644 --- a/nursery/hook-routines-via-lsplant.yml +++ b/nursery/hook-routines-via-lsplant.yml 
@@ -7,7 +7,7 @@ rule:
description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization
scopes:
static: basic block
- dynamic: thread
+ dynamic: sequence
references:
- https://github.com/LSPosed/LSPlant
features:
diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml
index 5d1cc0ef..8177edb6 100644
--- a/nursery/set-thread-name-on-linux.yml
+++ b/nursery/set-thread-name-on-linux.yml
@@ -6,7 +6,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: basic block
- dynamic: thread
+ dynamic: sequence
features:
- and:
- or:
From 52b9f09caff4ab85c2e6238705fae55ce29ea00c Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Thu, 16 Jan 2025 16:06:10 -0700
Subject: [PATCH 3/5] make runtime linking rules more concise
---
.../link-many-functions-at-runtime.yml | 18 +++--------------
nursery/link-function-at-runtime-on-linux.yml | 5 +----
2 files changed, 4 insertions(+), 19 deletions(-)
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
index 0ad8e96b..d6cfc39b 100644
--- a/linking/runtime-linking/link-many-functions-at-runtime.yml
+++ b/linking/runtime-linking/link-many-functions-at-runtime.yml
@@ -7,24 +7,12 @@ rule:
- joakim@intezer.com
scopes:
static: function
- dynamic: sequence
+ dynamic: thread
att&ck:
- Execution::Shared Modules [T1129]
examples:
- b7b5e1253710d8927cbe07d52d2d2e10:0x401000
features:
- or:
- - and:
- - os: windows
- - match: link function at runtime on Windows
- - or:
- - count(api(kernel32.GetProcAddress)): 5 or more
- - count(api(ntdll.LdrGetProcedureAddress)): 5 or more
- - and:
- - or:
- - os: linux
- - os: android
- - match: link function at runtime on Linux
- - or:
- - count(api(dlsym)): 5 or more
- - count(api(dlvsym)): 5 or more
+ - count(match(link function at runtime on Windows)): 5 or more
+ - count(match(link function at runtime on Linux)): 5 or more
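Review bot: The `link-many-functions-at-runtime` hunk moves the rule back to `dynamic: thread` and replaces the per-API counts with `count(match(...)): 5 or more`, which changes what the threshold counts: five matches of the sub-rules at whatever scope they match, rather than five resolver calls, and the rule's own `os:` gating is gone with them. The doc text added later in this series warns that thread scope tends to pick up unrelated events, so the reason for choosing it here (presumably that five lookups rarely fall inside one 20-call window) deserves to live in the rule, e.g. `description: counts matches of the per-call runtime-linking rules across a whole thread, since five lookups rarely fall inside a single sequence window`. The top of the rule (name, namespace, authors) is outside the hunk, so I cannot tell whether a description already exists.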
diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml
index bb1e803d..958bb238 100644
--- a/nursery/link-function-at-runtime-on-linux.yml
+++ b/nursery/link-function-at-runtime-on-linux.yml
@@ -6,7 +6,7 @@ rule:
- joakim@intezer.com
scopes:
static: function
- dynamic: sequence
+ dynamic: call
att&ck:
- Execution::Shared Modules [T1129]
features:
@@ -14,9 +14,6 @@ rule:
- or:
- os: linux
- os: android
- - or:
- - api: dlopen
- - api: dlmopen
- or:
- api: dlsym
- api: dlvsym
From a528f9a3be9c18b1af423c3319e859287bd4efdf Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Fri, 17 Jan 2025 10:45:35 +0000
Subject: [PATCH 4/5] doc: describe sequence scope
---
doc/format.md | 83 ++++++++++++++++++++++++++++++++-------------------
1 file changed, 53 insertions(+), 30 deletions(-)
diff --git a/doc/format.md b/doc/format.md
index 8d1256a6..102ab53d 100644
--- a/doc/format.md
+++ b/doc/format.md
@@ -154,6 +154,7 @@ Here are the common fields:
- **`file`**: matches features across the whole file.
- `scopes.dynamic`:
- **`call`**: match features at each traced API call site, such as API name and argument values.
+ - **`sequence`**: match features against a across a sliding window of API calls within a thread.
- **`thread`**: match features within each thread, such as sequence of API names.
- **`process`**: match features within each process.
- **`file`**: matches features across the whole file, including from the executable file features *and* across the entire runtime trace.
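Review bot: In the second `link-function-at-runtime-on-linux` hunk, dropping the `dlopen`/`dlmopen` alternative means a single `dlsym` or `dlvsym` reference is now sufficient, so at static `function` scope every function that looks up a symbol matches, including ones that only probe an already-loaded library rather than load a new one. If that broadening is intended (it is consistent with the new `dynamic: call` scope, where one traced call is the whole unit of matching and the `os:` operand still holds because OS is a global feature per this series' scope table), record it in the rule with something like `description: matches any runtime symbol lookup via dlsym/dlvsym; loading the library itself (dlopen) is not required`. The `- and:` block these lines belong to begins before the hunk, so I cannot see whether other operands remain that narrow the match.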
@@ -372,39 +373,40 @@ capa matches features at multiple scopes, starting small (e.g., `instruction`) a
| file | high level conclusions, like encryptor, backdoor, or statically linked with some library |
| global | the features available at every scope, like architecture or OS |
-| dynamic scope | best for... |
-|---------------|------------------------------------------------------------------------------------------|
-| call | single API call and its arguments |
-| thread | sequence of related API calls |
-| process | combinations of other capabilities found within a (potentially multi-threaded) program |
-| file | high level conclusions, like encryptor, backdoor, or statically linked with some library |
-| global | the features available at every scope, like architecture or OS |
+| dynamic scope | best for... |
+|---------------|------------------------------------------------------------------------------------------------|
+| call | single API call and its arguments |
+| sequence | behaviors that span multiple API calls, but less than an entire thread, which may be very long |
+| thread | combinations of capabilities from multiple separate sequence scopes (uncommon) |
+| process | combinations of other capabilities found within a (potentially multi-threaded) program |
+| file | high level conclusions, like encryptor, backdoor, or statically linked with some library |
+| global | the features available at every scope, like architecture or OS |
In general, capa collects and merges the features from lower scopes into higher scopes; for example, features extracted from individual instructions are merged into the function scope that contains the instructions. This way, you can use the match results against instructions ("the constant X is for crypto algorithm Y") to recognize function-level capabilities ("crypto function Z").
-| feature | static scope | dynamic scope |
-|-----------------------------------|---------------------------------------------|--------------------------------|
-| [api](#api) | instruction ↦ basic block ↦ function ↦ file | call ↦ thread ↦ process ↦ file |
-| [string](#string-and-substring) | instruction ↦ ... | call ↦ ... |
-| [bytes](#bytes) | instruction ↦ ... | call ↦ ... |
-| [number](#number) | instruction ↦ ... | call ↦ ... |
-| [characteristic](#characteristic) | instruction ↦ ... | - |
-| [mnemonic](#mnemonic) | instruction ↦ ... | - |
-| [operand](#operand) | instruction ↦ ... | - |
-| [offset](#offset) | instruction ↦ ... | - |
-| [com](#com) | instruction ↦ ... | - |
-| [namespace](#namespace) | instruction ↦ ... | - |
-| [class](#class) | instruction ↦ ... | - |
-| [property](#property) | instruction ↦ ... | - |
-| [export](#export) | file | file |
-| [import](#import) | file | file |
-| [section](#section) | file | file |
-| [function-name](#function-name) | file | - |
-| [os](#os) | global | global |
-| [arch](#arch) | global | global |
-| [format](#format) | global | global |
+| feature | static scope | dynamic scope |
+|-----------------------------------|---------------------------------------------|--------------------------------------------|
+| [api](#api) | instruction ↦ basic block ↦ function ↦ file | call ↦ sequence ↦ thread ↦ process ↦ file |
+| [string](#string-and-substring) | instruction ↦ ... | call ↦ ... |
+| [bytes](#bytes) | instruction ↦ ... | call ↦ ... |
+| [number](#number) | instruction ↦ ... | call ↦ ... |
+| [characteristic](#characteristic) | instruction ↦ ... | - |
+| [mnemonic](#mnemonic) | instruction ↦ ... | - |
+| [operand](#operand) | instruction ↦ ... | - |
+| [offset](#offset) | instruction ↦ ... | - |
+| [com](#com) | instruction ↦ ... | - |
+| [namespace](#namespace) | instruction ↦ ... | - |
+| [class](#class) | instruction ↦ ... | - |
+| [property](#property) | instruction ↦ ...
| - |
+| [export](#export) | file | file |
+| [import](#import) | file | file |
+| [section](#section) | file | file |
+| [function-name](#function-name) | file | - |
+| [os](#os) | global | global |
+| [arch](#arch) | global | global |
+| [format](#format) | global | global |
## static analysis scopes
@@ -467,10 +469,31 @@ The following features are relevant at this scope and above:
- [string and substring](#string-and-substring)
- [bytes](#bytes)
+### sequence features
+
+Sequence scope matches features across a sliding window of API calls within a thread.
+This scope is useful for identifying behaviors that span multiple API calls, such as `OpenFile`/`ReadFile`/`CloseFile`,
+ without having to analyze an entire thread, which may be very long.
+
+Sequence scope does not enforce ordering of calls, but rather matches a set of calls within the window.
+The current window size is 20 API calls.
+This was chosen to balance the need to capture logic across multiple calls while balancing performance tradeoffs.
+
+When a "sequence" rule matches, it only reports the first match in a series of overlapping sequences to avoid flooding the user with repeated results, such as when a program executes a behavior in a tight loop. However, other rules can match against these "hammered" matches.
+
+There are no sequence-specific features.
+
### thread features
-Thread features stem from combinations of features from the call scopes that are found within the same thread.
-This is useful for matching a sequence of API calls, such as `OpenFile`/`ReadFile`/`CloseFile`.
+Thread scope matches behaviors from call and sequence scopes found within the same thread.
+
+While uncommon, this can be useful when a rule considers the entire collection of behaviors within a thread,
+ or at least a very long sequence of calls.
+You might do this to make conclusions about a thread's complete activity,
+ such as "background thread that periodically injects browser processes".
+
+However, this scope is susceptible to false positives, as a thread may contain a huge number of events that aren't guaranteed to be directly related.
+Therefore, prefer to use sequence scope, when possible.
There are no thread-specific features.
From 6cb2ec010b4d0679612295301d0b3e6336da4f33 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin Date: Fri, 17 Jan 2025 12:45:18 +0000 Subject: [PATCH 5/5] rename "sequence" scope to "span of calls" scope --- README.md | 2 +- .../check-for-sandbox-and-av-modules.yml | 2 +- ...write-dll-text-section-to-remove-hooks.yml | 2 +- ...ch-antimalware-scan-interface-function.yml | 2 +- ...tch-event-tracing-for-windows-function.yml | 2 +- .../check-for-outputdebugstring-error.yml | 2 +- .../check-for-protected-handle-exception.yml | 2 +- ...time-delay-via-queryperformancecounter.yml | 2 +- .../check-process-job-object.yml | 2 +- .../hide-thread-from-debugger.yml | 2 +- ...check-if-process-is-running-under-wine.yml | 2 +- .../clear-logs/clear-windows-event-logs.yml | 2 +- ...rash-the-windows-event-logging-service.yml | 2 +- .../impersonate-file-version-information.yml | 2 +- ...lf-delete-using-alternate-data-streams.yml | 2 +- .../self-deletion/self-delete.yml | 2 +- .../timestomp/timestomp-file.yml | 2 +- .../check-for-microsoft-office-emulation.yml | 2 +- ...check-for-sandbox-username-or-hostname.yml | 2 +- .../check-for-windows-sandbox-via-device.yml | 2 +- ...-for-windows-sandbox-via-genuine-state.yml | 2 +- ...k-for-windows-sandbox-via-process-name.yml | 2 +- ...check-for-windows-sandbox-via-registry.yml | 2 +- ...etect-vm-via-disk-hardware-wmi-queries.yml | 2 +- ...m-via-motherboard-hardware-wmi-queries.yml | 2 +- ...ntials-from-windows-credential-manager.yml | 2 +- .../gather-firefox-profile-information.yml | 2 +- .../database/sql/reference-sql-statements.yml | 2 +- .../database/wmi/reference-wmi-statements.yml | 2 +- .../gather-3d-ftp-information.yml | 2 +- .../gather-alftp-information.yml | 2 +- .../gather-bitkinex-information.yml | 2 +- .../gather-blazeftp-information.yml | 2 +- .../gather-bulletproof-ftp-information.yml | 2 +- .../gather-classicftp-information.yml | 2 +- .../gather-coreftp-information.yml | 2 +- .../gather-cuteftp-information.yml | 2 +- .../gather-cyberduck-information.yml | 2 +- .../gather-direct-ftp-information.yml | 2 
+- .../gather-directory-opus-information.yml | 2 +- .../gather-expandrive-information.yml | 2 +- .../gather-faststone-browser-information.yml | 2 +- .../gather-fasttrack-ftp-information.yml | 2 +- .../gather-ffftp-information.yml | 2 +- .../gather-filezilla-information.yml | 2 +- .../gather-flashfxp-information.yml | 2 +- .../gather-fling-ftp-information.yml | 2 +- .../gather-freshftp-information.yml | 2 +- .../gather-frigate3-information.yml | 2 +- .../gather-ftp-commander-information.yml | 2 +- .../gather-ftp-explorer-information.yml | 2 +- .../gather-ftp-voyager-information.yml | 2 +- .../gather-ftpgetter-information.yml | 2 +- .../gather-ftpinfo-information.yml | 2 +- .../gather-ftpnow-information.yml | 2 +- .../gather-ftprush-information.yml | 2 +- .../gather-ftpshell-information.yml | 2 +- .../gather-global-downloader-information.yml | 2 +- .../gather-goftp-information.yml | 2 +- .../gather-leapftp-information.yml | 2 +- .../gather-netdrive-information.yml | 2 +- .../gather-nexusfile-information.yml | 2 +- .../gather-nova-ftp-information.yml | 2 +- .../gather-robo-ftp-information.yml | 2 +- .../gather-securefx-information.yml | 2 +- .../gather-smart-ftp-information.yml | 2 +- .../gather-softx-ftp-information.yml | 2 +- ...gather-southriver-webdrive-information.yml | 2 +- .../gather-staff-ftp-information.yml | 2 +- .../gather-total-commander-information.yml | 2 +- .../gather-turbo-ftp-information.yml | 2 +- .../gather-ultrafxp-information.yml | 2 +- .../gather-winscp-information.yml | 2 +- .../gather-winzip-information.yml | 2 +- .../gather-wise-ftp-information.yml | 2 +- .../gather-ws-ftp-information.yml | 2 +- .../file-managers/gather-xftp-information.yml | 2 +- collection/get-geographical-location.yml | 2 +- .../discover-group-policy-via-gpresult.yml | 2 +- collection/keylog/log-keystrokes.yml | 2 +- .../microphone/capture-microphone-audio.yml | 2 +- ...ure-network-configuration-via-ipconfig.yml | 2 +- .../capture-packets-using-sharppcap.yml | 2 +- 
collection/network/capture-public-ip.yml | 2 +- .../get-domain-trust-relationships.yml | 2 +- .../network/get-mac-address-on-windows.yml | 2 +- .../capture-screenshot-via-keybd-event.yml | 2 +- collection/screenshot/capture-screenshot.yml | 2 +- collection/webcam/capture-webcam-image.yml | 2 +- .../download-and-write-a-file.yml | 2 +- .../write-and-execute-a-file.yml | 2 +- .../shell/create-reverse-shell-on-linux.yml | 2 +- .../c2/shell/create-reverse-shell.yml | 2 +- ...ecute-shell-command-and-capture-output.yml | 2 +- ...-command-received-from-socket-on-linux.yml | 2 +- .../ftp/send/send-file-using-ftp.yml | 2 +- .../http/client/connect-to-http-server.yml | 2 +- communication/http/client/connect-to-url.yml | 2 +- .../http/client/create-http-request.yml | 2 +- ...tp-response-via-iencodingfilterfactory.yml | 2 +- .../http/client/read-data-from-internet.yml | 2 +- .../http/client/receive-http-response.yml | 2 +- .../http/client/send-file-via-http.yml | 2 +- .../http/client/send-http-request.yml | 2 +- .../http/reference-http-user-agent-string.yml | 2 +- .../http/server/receive-http-request.yml | 2 +- .../http/server/start-http-server.yml | 2 +- communication/http/set-http-header.yml | 2 +- communication/icmp/send-icmp-echo-request.yml | 2 +- communication/mailslot/create-mailslot.yml | 2 +- communication/mailslot/read-from-mailslot.yml | 2 +- .../create/create-two-anonymous-pipes.yml | 2 +- communication/named-pipe/read/read-pipe.yml | 2 +- communication/named-pipe/write/write-pipe.yml | 2 +- communication/receive-data.yml | 2 +- communication/send-data.yml | 2 +- communication/socket/create-vmci-socket.yml | 2 +- .../socket/tcp/connect-tcp-socket.yml | 2 +- .../tcp/send/send-tcp-data-via-wfp-api.yml | 2 +- .../tcp/client/act-as-tcp-client.yml | 2 +- communication/tcp/serve/start-tcp-server.yml | 2 +- compiler/perl2exe/compiled-with-perl2exe.yml | 2 +- .../compression/compress-data-using-lzo.yml | 2 +- .../compression/compress-data-via-winapi.yml | 2 +- 
.../compression/create-cabinet-on-windows.yml | 2 +- .../extract-cabinet-on-windows.yml | 2 +- .../aes/encrypt-data-using-aes-via-winapi.yml | 2 +- .../des/encrypt-data-using-des-via-winapi.yml | 2 +- .../encrypt-data-using-memfrob-from-glibc.yml | 2 +- .../encrypt-or-decrypt-via-wincrypt.yml | 2 +- .../encryption/import-public-key.yml | 2 +- ...t-data-using-rc4-via-systemfunction032.yml | 2 +- ...t-data-using-rc4-via-systemfunction033.yml | 2 +- .../rc4/encrypt-data-using-rc4-via-winapi.yml | 2 +- .../encryption/rc6/encrypt-data-using-rc6.yml | 2 +- .../rsa/reference-public-rsa-key.yml | 2 +- .../hashing/hash-data-via-wincrypt.yml | 2 +- .../hashing/md5/hash-data-with-md5.yml | 2 +- .../hashing/sha1/hash-data-using-sha1.yml | 2 +- .../hashing/sha224/hash-data-using-sha224.yml | 2 +- .../hashing/sha256/hash-data-using-sha256.yml | 2 +- .../hashing/sha384/hash-data-using-sha384.yml | 2 +- .../hashing/sha512/hash-data-using-sha512.yml | 2 +- ...nerate-random-numbers-via-rtlgenrandom.yml | 2 +- .../generate-random-numbers-via-winapi.yml | 2 +- ...andom-numbers-using-a-mersenne-twister.yml | 2 +- doc/format.md | 66 +++++++++---------- .../resource/access-dotnet-resource.yml | 2 +- ...xtract-resource-via-kernel32-functions.yml | 2 +- .../bootloader/disable-code-signing.yml | 2 +- .../manipulate-boot-configuration.yml | 2 +- .../manipulate-safe-mode-programs.yml | 2 +- host-interaction/clipboard/open-clipboard.yml | 2 +- .../clipboard/read-clipboard-data.yml | 2 +- .../clipboard/write-clipboard-data.yml | 2 +- .../console/manipulate-console-buffer.yml | 2 +- ...ete-processing-asynchronous-io-request.yml | 2 +- .../driver/create-device-object.yml | 2 +- .../driver/disable-driver-code-integrity.yml | 2 +- .../driver/interact-with-driver-via-ioctl.yml | 2 +- .../get-comspec-environment-variable.yml | 2 +- .../file-system/bypass-mark-of-the-web.yml | 2 +- .../create-virtual-file-system-in-dotnet.yml | 2 +- .../file-system/delete/delete-file.yml | 2 +- 
.../files/list/enumerate-files-on-linux.yml | 2 +- .../files/list/enumerate-files-on-windows.yml | 2 +- .../meta/get-file-version-info.yml | 2 +- .../file-system/read/read-file-on-linux.yml | 2 +- .../file-system/read/read-file-on-windows.yml | 2 +- .../read/read-file-via-mapping.yml | 2 +- .../file-system/read/read-ini-file.yml | 2 +- .../file-system/read/read-virtual-disk.yml | 2 +- .../bypass-windows-file-protection.yml | 2 +- .../file-system/write/write-file-on-linux.yml | 2 +- .../filter/enumerate-minifilter-drivers.yml | 2 +- ...cess-firewall-policy-via-inetfwpolicy2.yml | 2 +- ...irewall-rule-properties-via-inetfwrule.yml | 2 +- .../gui/logon/references-logon-banner.yml | 2 +- .../gui/session/lock/lock-the-desktop.yml | 2 +- .../gui/switch-active-desktop.yml | 2 +- .../gui/taskbar/find/find-taskbar.yml | 2 +- .../taskbar/hide/hide-the-windows-taskbar.yml | 2 +- .../get-text/get-graphical-window-text.yml | 2 +- .../cdrom/manipulate-cd-rom-drive.yml | 2 +- .../hardware/cpu/get-cpu-information.yml | 2 +- .../cpu/get-number-of-processor-cores.yml | 2 +- .../hardware/keyboard/get-keyboard-layout.yml | 2 +- .../keyboard/simulate-ctrl-alt-del.yml | 2 +- .../memory/get-memory-information.yml | 2 +- .../hardware/storage/get-disk-size.yml | 2 +- .../read-data-from-clfs-log-container.yml | 2 +- .../mutex/check-mutex-and-exit.yml | 2 +- host-interaction/mutex/check-mutex.yml | 2 +- .../mutex/create-semaphore-on-linux.yml | 2 +- .../mutex/lock-semaphore-on-linux.yml | 2 +- .../mutex/unlock-semaphore-on-linux.yml | 2 +- .../address/get-local-ipv4-addresses.yml | 2 +- .../connectivity/set-tcp-connection-state.yml | 2 +- .../enumerate-domain-computers-via-ldap.yml | 2 +- .../domain/get-domain-controller-name.yml | 2 +- .../interface/get-networking-interfaces.yml | 2 +- .../enumerate-network-filters-via-wfp-api.yml | 2 +- .../get-system-information-on-windows.yml | 2 +- .../os/version/get-kernel-version.yml | 2 +- .../os/version/get-linux-distribution.yml | 2 +- 
.../inject/allocate-or-change-rwx-memory.yml | 2 +- .../allocate-user-process-rwx-memory.yml | 2 +- .../inject/attach-user-process-memory.yml | 2 +- .../inject/free-user-process-memory.yml | 2 +- .../inject/hijack-thread-execution.yml | 2 +- .../process/inject/inject-apc.yml | 2 +- .../process/inject/inject-dll.yml | 2 +- ...-shellcode-using-a-file-mapping-object.yml | 2 +- ...ct-shellcode-using-extra-window-memory.yml | 2 +- ...llcode-using-window-subclass-procedure.yml | 2 +- .../process/inject/inject-thread.yml | 2 +- .../inject/use-process-replacement.yml | 2 +- ...ocesses-on-remote-desktop-session-host.yml | 2 +- .../process/list/enumerate-processes.yml | 2 +- .../process/list/find-process-by-pid.yml | 2 +- .../process/list/get-explorer-pid.yml | 2 +- .../process/map-section-object.yml | 2 +- .../modify/acquire-debug-privileges.yml | 2 +- .../modify/modify-access-privileges.yml | 2 +- .../list/enumerate-process-modules.yml | 2 +- .../process/terminate/terminate-process.yml | 2 +- .../registry/delete/delete-registry-key.yml | 2 +- .../registry/delete/delete-registry-value.yml | 2 +- .../query-or-enumerate-registry-key.yml | 2 +- .../query-or-enumerate-registry-value.yml | 2 +- ...istry-key-via-offline-registry-library.yml | 2 +- host-interaction/service/continue-service.yml | 2 +- .../service/create/create-service.yml | 2 +- .../service/delete/delete-service.yml | 2 +- .../service/modify/modify-service.yml | 2 +- host-interaction/service/pause-service.yml | 2 +- .../service/start/start-service.yml | 2 +- .../service/stop/stop-service.yml | 2 +- .../session/get-current-user-on-linux.yml | 2 +- .../session/get-logon-sessions.yml | 2 +- .../session/get-session-integrity-level.yml | 2 +- .../session/get-session-user-name.yml | 2 +- .../session/get-token-membership.yml | 2 +- .../thread/create/create-thread.yml | 2 +- .../thread/list/enumerate-threads.yml | 2 +- .../tls/set-thread-local-storage-value.yml | 2 +- .../bypass/bypass-uac-via-appinfo-alpc.yml | 2 +- 
.../uac/bypass/bypass-uac-via-icmluautil.yml | 2 +- .../uac/bypass/bypass-uac-via-rpc.yml | 2 +- .../bypass-uac-via-token-manipulation.yml | 2 +- .../delete-volume-shadow-copies.yml | 2 +- .../overwrite-master-boot-record-mbr.yml | 2 +- lib/create-or-open-section-object.yml | 2 +- load-code/pe/access-pe-header.yml | 2 +- .../pe/inspect-section-memory-permissions.yml | 2 +- .../powershell/run-powershell-expression.yml | 2 +- .../execute-shellcode-via-copyfile2.yml | 2 +- ...ute-shellcode-via-createthreadpoolwait.yml | 2 +- ...hellcode-via-windows-callback-function.yml | 2 +- .../execute-shellcode-via-windows-fibers.yml | 2 +- .../spawn-thread-to-rwx-shellcode.yml | 2 +- .../plugx/match-known-plugx-module.yml | 2 +- nursery/access-wmi-data-in-dotnet.yml | 2 +- nursery/add-value-to-global-atom-table.yml | 2 +- nursery/append-data-to-clfs-log-container.yml | 2 +- nursery/build-docker-image.yml | 2 +- ...en-api-restrictions-via-jni-on-android.yml | 2 +- ...ia-scheduled-task-environment-variable.yml | 2 +- nursery/capture-webcam-video.yml | 2 +- nursery/check-for-process-debug-object.yml | 2 +- .../check-for-windows-sandbox-via-mutex.yml | 2 +- ...k-for-windows-sandbox-via-subdirectory.yml | 2 +- nursery/check-license-value.yml | 2 +- nursery/collect-ssh-keys.yml | 2 +- nursery/compile-csharp-in-dotnet.yml | 2 +- nursery/compile-visual-basic-in-dotnet.yml | 2 +- nursery/connect-network-resource.yml | 2 +- nursery/create-container.yml | 2 +- nursery/create-process-via-wmi-in-dotnet.yml | 2 +- .../create-registry-key-via-stdregprov.yml | 2 +- nursery/delete-internet-cache.yml | 2 +- .../delete-registry-key-via-stdregprov.yml | 2 +- .../delete-registry-value-via-stdregprov.yml | 2 +- ...destroy-software-breakpoint-capability.yml | 2 +- ...splay-service-notification-message-box.yml | 2 +- nursery/dynamic-add-veh.yml | 20 ++++++ nursery/enable-safe-mode-boot.yml | 2 +- .../encrypt-data-using-salsa20-or-chacha.yml | 2 +- .../encrypt-or-decrypt-data-via-bcrypt.yml | 2 +- 
nursery/enumerate-device-drivers-on-linux.yml | 2 +- .../enumerate-device-drivers-on-windows.yml | 2 +- nursery/enumerate-disk-volumes.yml | 2 +- nursery/enumerate-files-in-dotnet.yml | 2 +- nursery/enumerate-internet-cache.yml | 2 +- nursery/enumerate-network-shares.yml | 2 +- .../enumerate-processes-that-use-resource.yml | 2 +- nursery/enumerate-processes-via-procfs.yml | 2 +- .../execute-sqlite-statement-in-dotnet.yml | 2 +- nursery/get-client-handle-via-schannel.yml | 2 +- nursery/get-current-process-command-line.yml | 2 +- nursery/get-mac-address-in-dotnet.yml | 2 +- nursery/get-mac-address-on-linux.yml | 2 +- ...t-os-information-via-kuser_shared_data.yml | 2 +- nursery/get-process-image-filename.yml | 2 +- nursery/get-proxy.yml | 2 +- nursery/get-session-information.yml | 2 +- nursery/get-storage-device-properties.yml | 2 +- nursery/get-system-information-on-linux.yml | 2 +- nursery/get-token-privileges.yml | 2 +- nursery/hash-data-using-ripemd256.yml | 2 +- nursery/hash-data-using-ripemd320.yml | 2 +- nursery/hash-data-using-sha1-via-wincrypt.yml | 2 +- ...ash-data-using-sha512managed-in-dotnet.yml | 2 +- nursery/hash-data-via-bcrypt.yml | 2 +- nursery/hook-routines-via-lsplant.yml | 2 +- .../hook-routines-via-microsoft-detours.yml | 2 +- nursery/impersonate-user.yml | 2 +- nursery/initialize-hashing-via-wincrypt.yml | 2 +- nursery/list-containers.yml | 2 +- nursery/list-drag-and-drop-files.yml | 2 +- .../load-packed-dex-via-jiagu-on-android.yml | 2 +- ...og-keystrokes-via-input-method-manager.yml | 2 +- .../make-an-http-request-with-a-cookie.yml | 2 +- ...grate-process-to-active-window-station.yml | 2 +- ...acklist-or-denylist-via-jni-on-android.yml | 2 +- .../persist-via-gnome-autostart-on-linux.yml | 2 +- nursery/prompt-user-for-credentials.yml | 2 +- ...-enumerate-registry-key-via-stdregprov.yml | 2 +- ...numerate-registry-value-via-stdregprov.yml | 2 +- ...ad-and-send-data-from-client-to-server.yml | 2 +- nursery/read-process-memory.yml | 2 +- 
...e-and-write-data-from-server-to-client.yml | 2 +-
nursery/reference-114dns-dns-server.yml | 2 +-
nursery/reference-alidns-dns-server.yml | 2 +-
nursery/reference-cloudflare-dns-server.yml | 2 +-
.../reference-comodo-secure-dns-server.yml | 2 +-
.../reference-google-public-dns-server.yml | 2 +-
...eference-hurricane-electric-dns-server.yml | 2 +-
nursery/reference-kornet-dns-server.yml | 2 +-
nursery/reference-l3-dns-server.yml | 2 +-
nursery/reference-opendns-dns-server.yml | 2 +-
nursery/reference-quad9-dns-server.yml | 2 +-
nursery/reference-verisign-dns-server.yml | 2 +-
nursery/resolve-function-by-djb2-hash.yml | 2 +-
nursery/resolve-function-by-fnv-1a-hash.yml | 2 +-
nursery/resolve-function-by-hash.yml | 2 +-
nursery/run-in-container.yml | 2 +-
nursery/send-data-to-internet.yml | 2 +-
.../send-http-request-with-host-header.yml | 2 +-
nursery/send-request-in-dotnet.yml | 2 +-
nursery/set-registry-value-via-stdregprov.yml | 2 +-
nursery/set-thread-name-on-linux.yml | 2 +-
.../terminate-process-by-name-in-dotnet.yml | 2 +-
...ged-call-via-dynamic-pinvoke-in-dotnet.yml | 2 +-
.../act-as-exchange-transport-agent.yml | 2 +-
persistence/persist-via-desktop-autostart.yml | 2 +-
.../persist-via-shell-profile-or-rc-file.yml | 2 +-
...ppinit_dlls-code-signature-enforcement.yml | 2 +-
persistence/service/persist-via-rc-script.yml | 2 +-
.../write-file-to-startup-folder.yml | 2 +-
.../reference-ncr-atm-library-routines.yml | 2 +-
.../identify-system-language-via-api.yml | 2 +-
362 files changed, 413 insertions(+), 393 deletions(-)
create mode 100644 nursery/dynamic-add-veh.yml
diff --git a/README.md b/README.md
index 0362da32..dcd1cd0c 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ rule:
- moritz.raabe@mandiant.com
scopes:
static: function
- dynamic: sequence
+ dynamic: span of calls
att&ck:
- Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
mbc:
diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
index 6c1a6c91..0c5f26ab 100644
--- a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
+++ b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule:
- "@_re_fox"
scopes:
static: basic block
- dynamic: sequence
+ dynamic: span of calls
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
- Anti-Behavioral Analysis::Sandbox Detection [B0007]
diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
index 8604e8d7..363e2461 100644
--- a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
+++ b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule:
- jakub.jozwiak@mandiant.com
scopes:
static: function
- dynamic: sequence
+ dynamic: span of calls
att&ck:
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 20ae6e2d..83dcdcda 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -6,7 +6,7 @@ rule:
- jakub.jozwiak@mandiant.com
scopes:
static: function
- dynamic: sequence
+ dynamic: span of calls
att&ck:
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index fa07fd07..aded04e5 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
- jakub.jozwiak@mandiant.com
scopes:
static: function
- dynamic: sequence
+ dynamic: span of calls
att&ck:
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
index 0a89a9e7..ae856b67 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -6,7 +6,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: basic block
- dynamic: sequence
+ dynamic: span of calls
mbc:
- Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index 9315f51c..042fa189 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule:
- michael.hunhoff@mandiant.com
scopes:
static: function
- dynamic: sequence
+ dynamic: span of calls
mbc:
- Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
references:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
index f4c901bf..af6d0e10 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
 examples:
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index fffe9d39..06a523c2 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Anti-Behavioral Analysis::Debugger Detection [B0001]
 references:
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index bb64961f..3bdcd317 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
index c7569989..a2512ff0 100644
--- a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
+++ b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index 81be1b53..d490ea14 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
 examples:
diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
index dde35dba..5aad600a 100644
--- a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
+++ b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
 references:
diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
index 74006c27..f5a6dc02 100644
--- a/anti-analysis/anti-forensic/impersonate-file-version-information.yml
+++ b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Indicator Removal [T1070]
 references:
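Review bot: The `description:` kept as context in the impersonate-file-version-information hunk says the rule pairs a read of version information with a later write, and that read-then-write shape is exactly what a bounded `span of calls` window can break: a sample that reads the legitimate executable's version block early and rewrites its own much later may not have both call groups inside one window, so a match that thread scope produced becomes a miss. I cannot see the rule's features here, so whether the pairing is enforced by the features or only by the scope is an assumption to confirm against the rule's `examples:` dynamic traces before this lands. If the window is intentional, state the expectation where the scope is set, e.g. `# span of calls: the read and the write of version info are expected to be adjacent in the trace`, so a later false negative is traceable to a deliberate choice rather than an oversight.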
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
index 30240f02..32a8dec0 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule:
 - daniel.stepanic@elastic.co
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
 mbc:
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 8cedcd9a..c5cac688 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
 mbc:
diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
index 328cb320..3f3d9496 100644
--- a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
+++ b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
 examples:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
index d76b46bf..4a4a68b5 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
index 0ac2b045..0ed4a190 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule:
 - "echernofsky@google.com"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
index 832d8287..6054461f 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
index 06a58cdd..4f697f5d 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
index 4e5d49de..0477193d 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
index f234c003..ed97bb53 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index e916a28a..76b8e36c 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
 - anders.vejlby@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
index 1d46b8a9..4b063f8b 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
 - anders.vejlby@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
 mbc:
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
index e9c3d189..9c54a668 100644
--- a/collection/acquire-credentials-from-windows-credential-manager.yml
+++ b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
 examples:
diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
index 3c69f977..12220f78 100644
--- a/collection/browser/gather-firefox-profile-information.yml
+++ b/collection/browser/gather-firefox-profile-information.yml
@@ -7,7 +7,7 @@ rule:
 - still@teamt5.org
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
 examples:
diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
index 8d1a2798..39175d2c 100644
--- a/collection/database/sql/reference-sql-statements.yml
+++ b/collection/database/sql/reference-sql-statements.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
index e345020a..f2e68694 100644
--- a/collection/database/wmi/reference-wmi-statements.yml
+++ b/collection/database/wmi/reference-wmi-statements.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Data from Information Repositories [T1213]
 examples:
diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
index 5b26a494..8f2affc5 100644
--- a/collection/file-managers/gather-3d-ftp-information.yml
+++ b/collection/file-managers/gather-3d-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
index afa78f07..1bb3decd 100644
--- a/collection/file-managers/gather-alftp-information.yml
+++ b/collection/file-managers/gather-alftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
index 15a9d388..fc647cdb 100644
--- a/collection/file-managers/gather-bitkinex-information.yml
+++ b/collection/file-managers/gather-bitkinex-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
index 03bcaa35..33824139 100644
--- a/collection/file-managers/gather-blazeftp-information.yml
+++ b/collection/file-managers/gather-blazeftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
index 62fbb969..92fcf56d 100644
--- a/collection/file-managers/gather-bulletproof-ftp-information.yml
+++ b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
index 73cc1863..85752d04 100644
--- a/collection/file-managers/gather-classicftp-information.yml
+++ b/collection/file-managers/gather-classicftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
index 3e13a2ed..151b4be7 100644
--- a/collection/file-managers/gather-coreftp-information.yml
+++ b/collection/file-managers/gather-coreftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
index fa45182c..46eafab8 100644
--- a/collection/file-managers/gather-cuteftp-information.yml
+++ b/collection/file-managers/gather-cuteftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
index 6886d2d9..67ccdd4d 100644
--- a/collection/file-managers/gather-cyberduck-information.yml
+++ b/collection/file-managers/gather-cyberduck-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
index d5a50939..7b98513d 100644
--- a/collection/file-managers/gather-direct-ftp-information.yml
+++ b/collection/file-managers/gather-direct-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
index 16190f56..60213509 100644
--- a/collection/file-managers/gather-directory-opus-information.yml
+++ b/collection/file-managers/gather-directory-opus-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
index 1b07ee24..592ec28d 100644
--- a/collection/file-managers/gather-expandrive-information.yml
+++ b/collection/file-managers/gather-expandrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
index d118331d..def179f0 100644
--- a/collection/file-managers/gather-faststone-browser-information.yml
+++ b/collection/file-managers/gather-faststone-browser-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
index 3f07be43..8cb5ec88 100644
--- a/collection/file-managers/gather-fasttrack-ftp-information.yml
+++ b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
index 08e73436..f5348342 100644
--- a/collection/file-managers/gather-ffftp-information.yml
+++ b/collection/file-managers/gather-ffftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-filezilla-information.yml b/collection/file-managers/gather-filezilla-information.yml
index ea86b2c6..7bd955b9 100644
--- a/collection/file-managers/gather-filezilla-information.yml
+++ b/collection/file-managers/gather-filezilla-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-flashfxp-information.yml b/collection/file-managers/gather-flashfxp-information.yml
index e74a6d97..d3515e81 100644
--- a/collection/file-managers/gather-flashfxp-information.yml
+++ b/collection/file-managers/gather-flashfxp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-fling-ftp-information.yml b/collection/file-managers/gather-fling-ftp-information.yml
index 2abf8047..e70f44a5 100644
--- a/collection/file-managers/gather-fling-ftp-information.yml
+++ b/collection/file-managers/gather-fling-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-freshftp-information.yml b/collection/file-managers/gather-freshftp-information.yml
index d250fd34..768f21a3 100644
--- a/collection/file-managers/gather-freshftp-information.yml
+++ b/collection/file-managers/gather-freshftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-frigate3-information.yml b/collection/file-managers/gather-frigate3-information.yml
index 167cbfc7..4c2587f2 100644
--- a/collection/file-managers/gather-frigate3-information.yml
+++ b/collection/file-managers/gather-frigate3-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-commander-information.yml b/collection/file-managers/gather-ftp-commander-information.yml
index 1f72c3f3..b53067b8 100644
--- a/collection/file-managers/gather-ftp-commander-information.yml
+++ b/collection/file-managers/gather-ftp-commander-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-explorer-information.yml b/collection/file-managers/gather-ftp-explorer-information.yml
index 11750640..49786300 100644
--- a/collection/file-managers/gather-ftp-explorer-information.yml
+++ b/collection/file-managers/gather-ftp-explorer-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftp-voyager-information.yml b/collection/file-managers/gather-ftp-voyager-information.yml
index 323fdfe6..a9d3ea19 100644
--- a/collection/file-managers/gather-ftp-voyager-information.yml
+++ b/collection/file-managers/gather-ftp-voyager-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpgetter-information.yml b/collection/file-managers/gather-ftpgetter-information.yml
index a00488c3..fdb50ae2 100644
--- a/collection/file-managers/gather-ftpgetter-information.yml
+++ b/collection/file-managers/gather-ftpgetter-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpinfo-information.yml b/collection/file-managers/gather-ftpinfo-information.yml
index 19389ea6..25e59354 100644
--- a/collection/file-managers/gather-ftpinfo-information.yml
+++ b/collection/file-managers/gather-ftpinfo-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpnow-information.yml b/collection/file-managers/gather-ftpnow-information.yml
index 077d9746..ea465fca 100644
--- a/collection/file-managers/gather-ftpnow-information.yml
+++ b/collection/file-managers/gather-ftpnow-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-ftprush-information.yml b/collection/file-managers/gather-ftprush-information.yml
index 3494da0c..19d18ef3 100644
--- a/collection/file-managers/gather-ftprush-information.yml
+++ b/collection/file-managers/gather-ftprush-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ftpshell-information.yml b/collection/file-managers/gather-ftpshell-information.yml
index db0418e9..03bbd615 100644
--- a/collection/file-managers/gather-ftpshell-information.yml
+++ b/collection/file-managers/gather-ftpshell-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-global-downloader-information.yml b/collection/file-managers/gather-global-downloader-information.yml
index 41b2c102..17412fde 100644
--- a/collection/file-managers/gather-global-downloader-information.yml
+++ b/collection/file-managers/gather-global-downloader-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-goftp-information.yml b/collection/file-managers/gather-goftp-information.yml
index ef0c3dcb..bc8ee6ee 100644
--- a/collection/file-managers/gather-goftp-information.yml
+++ b/collection/file-managers/gather-goftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-leapftp-information.yml b/collection/file-managers/gather-leapftp-information.yml
index fdd48aeb..f255ef1e 100644
--- a/collection/file-managers/gather-leapftp-information.yml
+++ b/collection/file-managers/gather-leapftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-netdrive-information.yml b/collection/file-managers/gather-netdrive-information.yml
index 7b70fd04..87c1fbef 100644
--- a/collection/file-managers/gather-netdrive-information.yml
+++ b/collection/file-managers/gather-netdrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nexusfile-information.yml b/collection/file-managers/gather-nexusfile-information.yml
index 7d5f0a85..0c272f6f 100644
--- a/collection/file-managers/gather-nexusfile-information.yml
+++ b/collection/file-managers/gather-nexusfile-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-nova-ftp-information.yml b/collection/file-managers/gather-nova-ftp-information.yml
index 3960ddac..010f6ac2 100644
--- a/collection/file-managers/gather-nova-ftp-information.yml
+++ b/collection/file-managers/gather-nova-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-robo-ftp-information.yml b/collection/file-managers/gather-robo-ftp-information.yml
index 8a3cb335..d6bbe54e 100644
--- a/collection/file-managers/gather-robo-ftp-information.yml
+++ b/collection/file-managers/gather-robo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-securefx-information.yml b/collection/file-managers/gather-securefx-information.yml
index 68013873..cde6e9fd 100644
--- a/collection/file-managers/gather-securefx-information.yml
+++ b/collection/file-managers/gather-securefx-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-smart-ftp-information.yml b/collection/file-managers/gather-smart-ftp-information.yml
index 61315d9a..7fbf79b1 100644
--- a/collection/file-managers/gather-smart-ftp-information.yml
+++ b/collection/file-managers/gather-smart-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-softx-ftp-information.yml b/collection/file-managers/gather-softx-ftp-information.yml
index 53f18b8a..a454b733 100644
--- a/collection/file-managers/gather-softx-ftp-information.yml
+++ b/collection/file-managers/gather-softx-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-southriver-webdrive-information.yml b/collection/file-managers/gather-southriver-webdrive-information.yml
index 70022532..1418ec2f 100644
--- a/collection/file-managers/gather-southriver-webdrive-information.yml
+++ b/collection/file-managers/gather-southriver-webdrive-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-staff-ftp-information.yml b/collection/file-managers/gather-staff-ftp-information.yml
index 22d5946e..03ee9ef8 100644
--- a/collection/file-managers/gather-staff-ftp-information.yml
+++ b/collection/file-managers/gather-staff-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-total-commander-information.yml b/collection/file-managers/gather-total-commander-information.yml
index 16fb0bb5..58be4a63 100644
--- a/collection/file-managers/gather-total-commander-information.yml
+++ b/collection/file-managers/gather-total-commander-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-turbo-ftp-information.yml b/collection/file-managers/gather-turbo-ftp-information.yml
index 126f2c5d..2bb8f828 100644
--- a/collection/file-managers/gather-turbo-ftp-information.yml
+++ b/collection/file-managers/gather-turbo-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ultrafxp-information.yml b/collection/file-managers/gather-ultrafxp-information.yml
index 000ce309..323ac009 100644
--- a/collection/file-managers/gather-ultrafxp-information.yml
+++ b/collection/file-managers/gather-ultrafxp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 examples:
diff --git a/collection/file-managers/gather-winscp-information.yml b/collection/file-managers/gather-winscp-information.yml
index e3608b70..ba2b0457 100644
--- a/collection/file-managers/gather-winscp-information.yml
+++ b/collection/file-managers/gather-winscp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-winzip-information.yml b/collection/file-managers/gather-winzip-information.yml
index a490bc6c..1f5ba297 100644
--- a/collection/file-managers/gather-winzip-information.yml
+++ b/collection/file-managers/gather-winzip-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-wise-ftp-information.yml b/collection/file-managers/gather-wise-ftp-information.yml
index 668eb976..61223d9a 100644
--- a/collection/file-managers/gather-wise-ftp-information.yml
+++ b/collection/file-managers/gather-wise-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-ws-ftp-information.yml b/collection/file-managers/gather-ws-ftp-information.yml
index 829c0c88..8ecb2563 100644
--- a/collection/file-managers/gather-ws-ftp-information.yml
+++ b/collection/file-managers/gather-ws-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/file-managers/gather-xftp-information.yml b/collection/file-managers/gather-xftp-information.yml
index 35b2a36a..190c130a 100644
--- a/collection/file-managers/gather-xftp-information.yml
+++ b/collection/file-managers/gather-xftp-information.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Credential Access::Credentials from Password Stores [T1555]
 references:
diff --git a/collection/get-geographical-location.yml b/collection/get-geographical-location.yml
index ac6f1871..ba95dabd 100644
--- a/collection/get-geographical-location.yml
+++ b/collection/get-geographical-location.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Location Discovery [T1614]
 examples:
diff --git a/collection/group-policy/discover-group-policy-via-gpresult.yml b/collection/group-policy/discover-group-policy-via-gpresult.yml
index 73835604..9d00df3c 100644
--- a/collection/group-policy/discover-group-policy-via-gpresult.yml
+++ b/collection/group-policy/discover-group-policy-via-gpresult.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Group Policy Discovery [T1615]
 examples:
diff --git a/collection/keylog/log-keystrokes.yml b/collection/keylog/log-keystrokes.yml
index 2f8e1ccc..1a8ba2c7 100644
--- a/collection/keylog/log-keystrokes.yml
+++ b/collection/keylog/log-keystrokes.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Input Capture::Keylogging [T1056.001]
 examples:
diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml
index 1fa1a193..4ba54f76 100644
--- a/collection/microphone/capture-microphone-audio.yml
+++ b/collection/microphone/capture-microphone-audio.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Audio Capture [T1123]
 examples:
diff --git a/collection/network/capture-network-configuration-via-ipconfig.yml b/collection/network/capture-network-configuration-via-ipconfig.yml
index 42527534..379646d9 100644
--- a/collection/network/capture-network-configuration-via-ipconfig.yml
+++ b/collection/network/capture-network-configuration-via-ipconfig.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml
index 0f88c67a..f7340ecf 100644
--- a/collection/network/capture-packets-using-sharppcap.yml
+++ b/collection/network/capture-packets-using-sharppcap.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Network Sniffing [T1040]
 references:
diff --git a/collection/network/capture-public-ip.yml b/collection/network/capture-public-ip.yml
index ca66442e..ef40f0c3 100644
--- a/collection/network/capture-public-ip.yml
+++ b/collection/network/capture-public-ip.yml
@@ -7,7 +7,7 @@ rule:
 - "still@teamt5.org"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/collection/network/get-domain-trust-relationships.yml b/collection/network/get-domain-trust-relationships.yml
index 7e4a1123..0e784ff6 100644
--- a/collection/network/get-domain-trust-relationships.yml
+++ b/collection/network/get-domain-trust-relationships.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Domain Trust Discovery [T1482]
 examples:
diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
index 86414bc8..4cf2aa64 100644
--- a/collection/network/get-mac-address-on-windows.yml
+++ b/collection/network/get-mac-address-on-windows.yml
@@ -8,7 +8,7 @@ rule:
 - echernofsky@google.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 references:
diff --git a/collection/screenshot/capture-screenshot-via-keybd-event.yml b/collection/screenshot/capture-screenshot-via-keybd-event.yml
index 6b2dacd5..ee923f21 100644
--- a/collection/screenshot/capture-screenshot-via-keybd-event.yml
+++ b/collection/screenshot/capture-screenshot-via-keybd-event.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Screen Capture [T1113]
 mbc:
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index dc4847bb..75ceb553 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Screen Capture [T1113]
 mbc:
diff --git a/collection/webcam/capture-webcam-image.yml b/collection/webcam/capture-webcam-image.yml
index 0383197f..6274139f 100644
--- a/collection/webcam/capture-webcam-image.yml
+++ b/collection/webcam/capture-webcam-image.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Video Capture [T1125]
 examples:
diff --git a/communication/c2/file-transfer/download-and-write-a-file.yml b/communication/c2/file-transfer/download-and-write-a-file.yml
index 32748a4b..27fecc0b 100644
--- a/communication/c2/file-transfer/download-and-write-a-file.yml
+++ b/communication/c2/file-transfer/download-and-write-a-file.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Command and Control::Ingress Tool Transfer [T1105]
 mbc:
diff --git a/communication/c2/file-transfer/write-and-execute-a-file.yml b/communication/c2/file-transfer/write-and-execute-a-file.yml
index ec019ee1..dea267a6 100644
--- a/communication/c2/file-transfer/write-and-execute-a-file.yml
+++ b/communication/c2/file-transfer/write-and-execute-a-file.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Execution::Install Additional Program [B0023]
 examples:
diff --git a/communication/c2/shell/create-reverse-shell-on-linux.yml b/communication/c2/shell/create-reverse-shell-on-linux.yml
index 0f08b279..2905b7a2 100644
--- a/communication/c2/shell/create-reverse-shell-on-linux.yml
+++ b/communication/c2/shell/create-reverse-shell-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
 mbc:
diff --git a/communication/c2/shell/create-reverse-shell.yml b/communication/c2/shell/create-reverse-shell.yml
index e33e983d..c8dc7ee6 100644
--- a/communication/c2/shell/create-reverse-shell.yml
+++ b/communication/c2/shell/create-reverse-shell.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
 mbc:
diff --git a/communication/c2/shell/execute-shell-command-and-capture-output.yml b/communication/c2/shell/execute-shell-command-and-capture-output.yml
index 37b6c95b..9f0b6def 100644
--- a/communication/c2/shell/execute-shell-command-and-capture-output.yml
+++ b/communication/c2/shell/execute-shell-command-and-capture-output.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
 references:
diff --git a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
index 7351f2b4..7dfe58fc 100644
--- a/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
+++ b/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
 examples:
diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml
index 04257c1f..0ccba11c 100644
--- a/communication/ftp/send/send-file-using-ftp.yml
+++ b/communication/ftp/send/send-file-using-ftp.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::FTP Communication::Send File [C0004.001]
 - Communication::FTP Communication::WinINet [C0004.002]
diff --git a/communication/http/client/connect-to-http-server.yml b/communication/http/client/connect-to-http-server.yml
index 0980a702..e3dcb76b 100644
--- a/communication/http/client/connect-to-http-server.yml
+++ b/communication/http/client/connect-to-http-server.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Connect to Server [C0002.009]
 examples:
diff --git a/communication/http/client/connect-to-url.yml b/communication/http/client/connect-to-url.yml
index e868569a..d6b4f178 100644
--- a/communication/http/client/connect-to-url.yml
+++ b/communication/http/client/connect-to-url.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Open URL [C0002.004]
 examples:
diff --git a/communication/http/client/create-http-request.yml b/communication/http/client/create-http-request.yml
index fd41c7e7..0319ab99 100644
--- a/communication/http/client/create-http-request.yml
+++ b/communication/http/client/create-http-request.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Create Request [C0002.012]
 examples:
diff --git a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
index f5bf78cd..6ed1c61c 100644
--- a/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
+++ b/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/read-data-from-internet.yml b/communication/http/client/read-data-from-internet.yml
index 4b6918fe..abd510c7 100644
--- a/communication/http/client/read-data-from-internet.yml
+++ b/communication/http/client/read-data-from-internet.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml
index 1aa62c46..abe5fd11 100644
--- a/communication/http/client/receive-http-response.yml
+++ b/communication/http/client/receive-http-response.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Get Response [C0002.017]
 examples:
diff --git a/communication/http/client/send-file-via-http.yml b/communication/http/client/send-file-via-http.yml
index 252b53ee..61fdebd8 100644
--- a/communication/http/client/send-file-via-http.yml
+++ b/communication/http/client/send-file-via-http.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Send Data [C0002.005]
 examples:
diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
index 248132f2..176b38db 100644
--- a/communication/http/client/send-http-request.yml
+++ b/communication/http/client/send-http-request.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Send Request [C0002.003]
 examples:
diff --git a/communication/http/reference-http-user-agent-string.yml b/communication/http/reference-http-user-agent-string.yml
index d7e77936..715e09a1 100644
--- a/communication/http/reference-http-user-agent-string.yml
+++ b/communication/http/reference-http-user-agent-string.yml
@@ -7,7 +7,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication [C0002]
 references:
diff --git a/communication/http/server/receive-http-request.yml b/communication/http/server/receive-http-request.yml
index 89383f4f..fcf4087c 100644
--- a/communication/http/server/receive-http-request.yml
+++ b/communication/http/server/receive-http-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Receive Request [C0002.015]
 examples:
diff --git a/communication/http/server/start-http-server.yml b/communication/http/server/start-http-server.yml
index 9181323a..52252d12 100644
--- a/communication/http/server/start-http-server.yml
+++ b/communication/http/server/start-http-server.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Start Server [C0002.018]
 examples:
diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml
index b07bbed8..4908d8f5 100644
--- a/communication/http/set-http-header.yml
+++ b/communication/http/set-http-header.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::HTTP Communication::Set Header [C0002.013]
 examples:
diff --git a/communication/icmp/send-icmp-echo-request.yml b/communication/icmp/send-icmp-echo-request.yml
index df5fe1c2..7d081346 100644
--- a/communication/icmp/send-icmp-echo-request.yml
+++ b/communication/icmp/send-icmp-echo-request.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::ICMP Communication::Echo Request [C0014.002]
 references:
diff --git a/communication/mailslot/create-mailslot.yml b/communication/mailslot/create-mailslot.yml
index ac3dcbea..7f207a0a 100644
--- a/communication/mailslot/create-mailslot.yml
+++ b/communication/mailslot/create-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/mailslot/read-from-mailslot.yml b/communication/mailslot/read-from-mailslot.yml
index 3bcf13c9..84ffe73e 100644
--- a/communication/mailslot/read-from-mailslot.yml
+++ b/communication/mailslot/read-from-mailslot.yml
@@ -6,7 +6,7 @@ rule:
 - nick.simonian@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Interprocess Communication [C0003]
 references:
diff --git a/communication/named-pipe/create/create-two-anonymous-pipes.yml b/communication/named-pipe/create/create-two-anonymous-pipes.yml
index 6ad454c2..c8b8b6c7 100644
--- a/communication/named-pipe/create/create-two-anonymous-pipes.yml
+++ b/communication/named-pipe/create/create-two-anonymous-pipes.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Interprocess Communication::Create Pipe [C0003.001]
 examples:
diff --git a/communication/named-pipe/read/read-pipe.yml b/communication/named-pipe/read/read-pipe.yml
index 5ecf1d65..144050e9 100644
--- a/communication/named-pipe/read/read-pipe.yml
+++ b/communication/named-pipe/read/read-pipe.yml
@@ -8,7 +8,7 @@ rule:
 description: PeekNamedPipe isn't required to read from a pipe; however, pipes are often utilized to capture the output of a cmd.exe process. In a multi-thread instance, a new thread is created that calls PeekNamedPipe and ReadFile to obtain the command output.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Interprocess Communication::Read Pipe [C0003.003]
 examples:
diff --git a/communication/named-pipe/write/write-pipe.yml b/communication/named-pipe/write/write-pipe.yml
index 34a51efb..40657288 100644
--- a/communication/named-pipe/write/write-pipe.yml
+++ b/communication/named-pipe/write/write-pipe.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Interprocess Communication::Write Pipe [C0003.004]
 examples:
diff --git a/communication/receive-data.yml b/communication/receive-data.yml
index c57ad7a2..bf523e0c 100644
--- a/communication/receive-data.yml
+++ b/communication/receive-data.yml
@@ -7,7 +7,7 @@ rule:
 description: all known techniques for receiving data from a potential C2 server
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Command and Control::C2 Communication::Receive Data [B0030.002]
 examples:
diff --git a/communication/send-data.yml b/communication/send-data.yml
index a4597698..3bb00bfd 100644
--- a/communication/send-data.yml
+++ b/communication/send-data.yml
@@ -8,7 +8,7 @@ rule:
 description: all known techniques for sending data to a potential C2 server
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Command and Control::C2 Communication::Send Data [B0030.001]
 examples:
diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml
index 1407e694..301c2a1b 100644
--- a/communication/socket/create-vmci-socket.yml
+++ b/communication/socket/create-vmci-socket.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Socket Communication::Create Socket [C0001.003]
 references:
diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml
index 783948aa..e1121eac 100644
--- a/communication/socket/tcp/connect-tcp-socket.yml
+++ b/communication/socket/tcp/connect-tcp-socket.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Socket Communication::Connect Socket [C0001.004]
 examples:
diff --git a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
index 95426272..71aa7b76 100644
--- a/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
+++ b/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Socket Communication::Send TCP Data [C0001.014]
 examples:
diff --git a/communication/tcp/client/act-as-tcp-client.yml b/communication/tcp/client/act-as-tcp-client.yml
index dae32049..1760fc53 100644
--- a/communication/tcp/client/act-as-tcp-client.yml
+++ b/communication/tcp/client/act-as-tcp-client.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Socket Communication::TCP Client [C0001.008]
 examples:
diff --git a/communication/tcp/serve/start-tcp-server.yml b/communication/tcp/serve/start-tcp-server.yml
index d32d4a3d..0f19f78c 100644
--- a/communication/tcp/serve/start-tcp-server.yml
+++ b/communication/tcp/serve/start-tcp-server.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Communication::Socket Communication::Start TCP Server [C0001.005]
 examples:
diff --git a/compiler/perl2exe/compiled-with-perl2exe.yml b/compiler/perl2exe/compiled-with-perl2exe.yml
index da962ebd..c8b077f0 100644
--- a/compiler/perl2exe/compiled-with-perl2exe.yml
+++ b/compiler/perl2exe/compiled-with-perl2exe.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9
 features:
diff --git a/data-manipulation/compression/compress-data-using-lzo.yml b/data-manipulation/compression/compress-data-using-lzo.yml
index 01634de6..49abecaf 100644
--- a/data-manipulation/compression/compress-data-using-lzo.yml
+++ b/data-manipulation/compression/compress-data-using-lzo.yml
@@ -8,7 +8,7 @@ rule:
 description: detects the compression routine from LZO
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Data::Compress Data [C0024]
 references:
diff --git a/data-manipulation/compression/compress-data-via-winapi.yml b/data-manipulation/compression/compress-data-via-winapi.yml
index 32d3fed7..e22ea7d2 100644
--- a/data-manipulation/compression/compress-data-via-winapi.yml
+++ b/data-manipulation/compression/compress-data-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/create-cabinet-on-windows.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
index e938c1c3..44fae2a3 100644
--- a/data-manipulation/compression/create-cabinet-on-windows.yml
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Archive Collected Data::Archive via Library [T1560.002]
 mbc:
diff --git a/data-manipulation/compression/extract-cabinet-on-windows.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
index bd92d983..96278b08 100644
--- a/data-manipulation/compression/extract-cabinet-on-windows.yml
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
 mbc:
diff --git a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
index 7a890bed..d650a43e 100644
--- a/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
+++ b/data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
index 4c4b33c1..7eb16ed8 100644
--- a/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
+++ b/data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
index f3997163..1c6d03db 100644
--- a/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
+++ b/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
@@ -6,7 +6,7 @@ rule:
 - zander.work@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
index a395ce75..7ea31b7c 100644
--- a/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
+++ b/data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/import-public-key.yml b/data-manipulation/encryption/import-public-key.yml
index 8847f2ba..47c68321 100644
--- a/data-manipulation/encryption/import-public-key.yml
+++ b/data-manipulation/encryption/import-public-key.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Encryption Key::Import Public Key [C0028.001]
 examples:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
index 473b0442..256781cd 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -6,7 +6,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
index 04bd8ccf..0155275b 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
@@ -6,7 +6,7 @@ rule:
 - daniel.stepanic@elastic.co
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
index d9f768d6..3cfc4066 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
index 859a68e3..2dc6c8ee 100644
--- a/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
+++ b/data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
index 1dfa7548..da9716dc 100644
--- a/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
+++ b/data-manipulation/encryption/rsa/reference-public-rsa-key.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Encryption Key [C0028]
 references:
diff --git a/data-manipulation/hashing/hash-data-via-wincrypt.yml b/data-manipulation/hashing/hash-data-via-wincrypt.yml
index 309dcec5..9c87ec59 100644
--- a/data-manipulation/hashing/hash-data-via-wincrypt.yml
+++ b/data-manipulation/hashing/hash-data-via-wincrypt.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Cryptographic Hash [C0029]
 examples:
diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml
index 37dc932a..374d08a7 100644
--- a/data-manipulation/hashing/md5/hash-data-with-md5.yml
+++ b/data-manipulation/hashing/md5/hash-data-with-md5.yml
@@ -8,7 +8,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Cryptographic Hash::MD5 [C0029.001]
 references:
diff --git a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
index 28dd842f..3cf54e47 100644
--- a/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
+++ b/data-manipulation/hashing/sha1/hash-data-using-sha1.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Cryptographic Hash::SHA1 [C0029.002]
 examples:
diff --git a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
index 93828132..91edc969 100644
--- a/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
+++ b/data-manipulation/hashing/sha224/hash-data-using-sha224.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Cryptographic Hash::SHA224 [C0029.004]
 references:
diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
index 4e69b47f..1582f277 100644
--- a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
+++ b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
@@ -8,7 +8,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Cryptographic Hash::SHA256 [C0029.003]
 references:
diff --git a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
index e4a5d89a..0a520dad 100644
--- a/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
+++ b/data-manipulation/hashing/sha384/hash-data-using-sha384.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
index 241b24a8..6482bd6e 100644
--- a/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
+++ b/data-manipulation/hashing/sha512/hash-data-using-sha512.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.rfc-editor.org/rfc/rfc6234
 examples:
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
index 4079062d..fc2221ee 100644
--- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule:
 - richard.weiss@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 references:
diff --git a/data-manipulation/prng/generate-random-numbers-via-winapi.yml b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
index 02699a2b..3894c05c 100644
--- a/data-manipulation/prng/generate-random-numbers-via-winapi.yml
+++ b/data-manipulation/prng/generate-random-numbers-via-winapi.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
 examples:
diff --git a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
index d72a5e81..2edea44b 100644
--- a/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
+++ b/data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Cryptography::Generate Pseudo-random Sequence [C0021]
 examples:
diff --git a/doc/format.md b/doc/format.md
index 102ab53d..5bc6c228 100644
--- a/doc/format.md
+++ b/doc/format.md
@@ -154,8 +154,8 @@ Here are the common fields:
 - **`file`**: matches features across the whole file.
 - `scopes.dynamic`:
 - **`call`**: match features at each traced API call site, such as API name and argument values.
- - **`sequence`**: match features against a across a sliding window of API calls within a thread.
- - **`thread`**: match features within each thread, such as sequence of API names.
+ - **`span of calls`**: match features against a across a sliding window of API calls within a thread.
+ - **`thread`**: match features within each thread.
 - **`process`**: match features within each process.
 - **`file`**: matches features across the whole file, including from the executable file features *and* across the entire runtime trace.
@@ -324,7 +324,7 @@ rule:
 As you'll see in the [extracted features](#extracted-features) section, capa matches features at various scopes, starting small (e.g., `instruction`) and growing large (e.g., `file`).
 In static analysis, scopes grow from `instruction`, to `basic block`, `function`, and then `file`.
 In dynamic analysis, scopes grow from `call`, to `thread`, `process`, and then to `file`.
-When matching a sequence of API calls, the static scope is often `function` and the dynamic scope is `thread`. When matching a single API call with arguments, the static scope is usually `basic block` and the dynamic scope is `call`. One day we hope to support `call` scope directly in the static analysis flavor.
+When matching a sequence of API calls, the static scope is often `function` and the dynamic scope is `span of calls`. When matching a single API call with arguments, the static scope is usually `basic block` and the dynamic scope is `call`. One day we hope to support `call` scope directly in the static analysis flavor.
 ## features block
@@ -376,8 +376,8 @@ capa matches features at multiple scopes, starting small (e.g., `instruction`) a
 | dynamic scope | best for... |
 |---------------|------------------------------------------------------------------------------------------------|
 | call | single API call and its arguments |
-| sequence | behaviors that span multiple API calls, but less than an entire thread, which may be very long |
-| thread | combinations of capabilities from multiple separate sequence scopes (uncommon) |
+| span of calls | behaviors that span multiple API calls, but less than an entire thread, which may be very long |
+| thread | combinations of capabilities from multiple separate span-of-calls scopes (uncommon) |
 | process | combinations of other capabilities found within a (potentially multi-threaded) program |
 | file | high level conclusions, like encryptor, backdoor, or statically linked with some library |
 | global | the features available at every scope, like architecture or OS |
@@ -386,27 +386,27 @@ In general, capa collects and merges the features from lower scopes into higher
 for example, features extracted from individual instructions are merged into the function scope that contains the instructions.
 This way, you can use the match results against instructions ("the constant X is for crypto algorithm Y") to recognize function-level capabilities ("crypto function Z").
-| feature | static scope | dynamic scope |
-|-----------------------------------|---------------------------------------------|--------------------------------------------|
-| [api](#api) | instruction ↦ basic block ↦ function ↦ file | call ↦ sequence ↦ thread ↦ process ↦ file |
-| [string](#string-and-substring) | instruction ↦ ... | call ↦ ... |
-| [bytes](#bytes) | instruction ↦ ... | call ↦ ... |
-| [number](#number) | instruction ↦ ... | call ↦ ... |
-| [characteristic](#characteristic) | instruction ↦ ... | - |
-| [mnemonic](#mnemonic) | instruction ↦ ... | - |
-| [operand](#operand) | instruction ↦ ... | - |
-| [offset](#offset) | instruction ↦ ... | - |
-| [com](#com) | instruction ↦ ... | - |
-| [namespace](#namespace) | instruction ↦ ... | - |
-| [class](#class) | instruction ↦ ... | - |
-| [property](#property) | instruction ↦ ... | - |
-| [export](#export) | file | file |
-| [import](#import) | file | file |
-| [section](#section) | file | file |
-| [function-name](#function-name) | file | - |
-| [os](#os) | global | global |
-| [arch](#arch) | global | global |
-| [format](#format) | global | global |
+| feature | static scope | dynamic scope |
+|-----------------------------------|---------------------------------------------|-------------------------------------------------|
+| [api](#api) | instruction ↦ basic block ↦ function ↦ file | call ↦ span of calls ↦ thread ↦ process ↦ file |
+| [string](#string-and-substring) | instruction ↦ ... | call ↦ ... |
+| [bytes](#bytes) | instruction ↦ ... | call ↦ ... |
+| [number](#number) | instruction ↦ ... | call ↦ ... |
+| [characteristic](#characteristic) | instruction ↦ ... | - |
+| [mnemonic](#mnemonic) | instruction ↦ ... | - |
+| [operand](#operand) | instruction ↦ ... | - |
+| [offset](#offset) | instruction ↦ ... | - |
+| [com](#com) | instruction ↦ ... | - |
+| [namespace](#namespace) | instruction ↦ ... | - |
+| [class](#class) | instruction ↦ ... | - |
+| [property](#property) | instruction ↦ ... | - |
+| [export](#export) | file | file |
+| [import](#import) | file | file |
+| [section](#section) | file | file |
+| [function-name](#function-name) | file | - |
+| [os](#os) | global | global |
+| [arch](#arch) | global | global |
+| [format](#format) | global | global |
 ## static analysis scopes
@@ -469,23 +469,23 @@ The following features are relevant at this scope and above:
 - [string and substring](#string-and-substring)
 - [bytes](#bytes)
-### sequence features
+### span-of-calls features
-Sequence scope matches features across a sliding window of API calls within a thread.
+"Span of calls" scope matches features across a sliding window of API calls within a thread.
 This scope is useful for identifying behaviors that span multiple API calls, such as `OpenFile`/`ReadFile`/`CloseFile`, without having to analyze an entire thread, which may be very long.
-Sequence scope does not enforce ordering of calls, but rather matches a set of calls within the window.
+The span-of-calls scope does not enforce ordering of calls, but rather matches a set of calls within the window.
 The current window size is 20 API calls. This was chosen to balance the need to capture logic across multiple calls while balancing performance tradeoffs.
-When a "sequence" rule matches, it only reports the first match in a series of overlapping sequences to avoid flooding the user with repeated results, such as when a program executes a behavior in a tight loop. However, other rules can match against these "hammered" matches.
+When a span of calls rule matches, it only reports the first match in a series of overlapping spans to avoid flooding the user with repeated results, such as when a program executes a behavior in a tight loop. However, other rules can match against these "hammered" matches.
-There are no sequence-specific features.
+There are no span-specific features.
 ### thread features
-Thread scope matches behaviors from call and sequence scopes found within the same thread.
+Thread scope matches behaviors from call and span-of-calls scopes found within the same thread.
 While uncommon, this can be useful when a rule considers the entire collection of behaviors within a thread, or at least a very long sequence of calls.
@@ -493,7 +493,7 @@ You might do this to make conclusions about a thread's complete activity,
 such as "background thread that periodically injects browser processes".
 However, this scope is susceptible to false positives, as a thread may contain a huge number of events that aren't guaranteed to be directly related.
-Therefore, prefer to use sequence scope, when possible.
+Therefore, prefer to use span-of-calls scope, when possible.
 There are no thread-specific features.
diff --git a/executable/resource/access-dotnet-resource.yml b/executable/resource/access-dotnet-resource.yml
index 3ee831a8..d6f724fc 100644
--- a/executable/resource/access-dotnet-resource.yml
+++ b/executable/resource/access-dotnet-resource.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084
 features:
diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml
index 43971082..3a4ebfe1 100644
--- a/executable/resource/extract-resource-via-kernel32-functions.yml
+++ b/executable/resource/extract-resource-via-kernel32-functions.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - BF88E1BD4A3BDE10B419A622278F1FF7:0x401000
 - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
index 01a1a4ba..4875da88 100644
--- a/host-interaction/bootloader/disable-code-signing.yml
+++ b/host-interaction/bootloader/disable-code-signing.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
 examples:
diff --git a/host-interaction/bootloader/manipulate-boot-configuration.yml b/host-interaction/bootloader/manipulate-boot-configuration.yml
index 57105959..83de38bc 100644
--- a/host-interaction/bootloader/manipulate-boot-configuration.yml
+++ b/host-interaction/bootloader/manipulate-boot-configuration.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
 examples:
diff --git a/host-interaction/bootloader/manipulate-safe-mode-programs.yml b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
index 1ab5b104..960bbfa6 100644
--- a/host-interaction/bootloader/manipulate-safe-mode-programs.yml
+++ b/host-interaction/bootloader/manipulate-safe-mode-programs.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009]
 examples:
diff --git a/host-interaction/clipboard/open-clipboard.yml b/host-interaction/clipboard/open-clipboard.yml
index 11fc2edd..2fe548d9 100644
--- a/host-interaction/clipboard/open-clipboard.yml
+++ b/host-interaction/clipboard/open-clipboard.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Clipboard Data [T1115]
 examples:
diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index 20587b12..f2f7672f 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Collection::Clipboard Data [T1115]
 references:
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
index d91a3210..ff509daf 100644
--- a/host-interaction/clipboard/write-clipboard-data.yml
+++ b/host-interaction/clipboard/write-clipboard-data.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Impact::Clipboard Modification [E1510]
 references:
diff --git a/host-interaction/console/manipulate-console-buffer.yml b/host-interaction/console/manipulate-console-buffer.yml
index c940481f..e968ede4 100644
--- a/host-interaction/console/manipulate-console-buffer.yml
+++ b/host-interaction/console/manipulate-console-buffer.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Operating System::Console [C0033]
 references:
diff --git a/host-interaction/driver/complete-processing-asynchronous-io-request.yml b/host-interaction/driver/complete-processing-asynchronous-io-request.yml
index 3dab003b..1081c523 100644
--- a/host-interaction/driver/complete-processing-asynchronous-io-request.yml
+++ b/host-interaction/driver/complete-processing-asynchronous-io-request.yml
@@ -7,7 +7,7 @@ rule:
 description: signals that driver has finished all processing for a given IRP (part of major function)
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - Practical Malware Analysis Lab 10-03.sys_:0x10666
 features:
diff --git a/host-interaction/driver/create-device-object.yml b/host-interaction/driver/create-device-object.yml
index 28e9d53e..12113455 100644
--- a/host-interaction/driver/create-device-object.yml
+++ b/host-interaction/driver/create-device-object.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - Practical Malware Analysis Lab 10-03.sys_:0x00010706
 features:
diff --git a/host-interaction/driver/disable-driver-code-integrity.yml b/host-interaction/driver/disable-driver-code-integrity.yml
index 60a67472..7bb66231 100644
--- a/host-interaction/driver/disable-driver-code-integrity.yml
+++ b/host-interaction/driver/disable-driver-code-integrity.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/host-interaction/driver/interact-with-driver-via-ioctl.yml b/host-interaction/driver/interact-with-driver-via-ioctl.yml
index 5e13bb48..0553d353 100644
--- a/host-interaction/driver/interact-with-driver-via-ioctl.yml
+++ b/host-interaction/driver/interact-with-driver-via-ioctl.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - Practical Malware Analysis Lab 10-03.exe_:0x40108c
 features:
diff --git a/host-interaction/environment-variable/get-comspec-environment-variable.yml b/host-interaction/environment-variable/get-comspec-environment-variable.yml
index 52715062..ee0ea27e 100644
--- a/host-interaction/environment-variable/get-comspec-environment-variable.yml
+++ b/host-interaction/environment-variable/get-comspec-environment-variable.yml
@@ -6,7 +6,7 @@ rule:
 - matthew.williams@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/file-system/bypass-mark-of-the-web.yml b/host-interaction/file-system/bypass-mark-of-the-web.yml
index 5a9958aa..91426d1f 100644
--- a/host-interaction/file-system/bypass-mark-of-the-web.yml
+++ b/host-interaction/file-system/bypass-mark-of-the-web.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Subvert Trust Controls::Mark-of-the-Web Bypass [T1553.005]
 examples:
diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
index 0e362dc4..66d5113c 100644
--- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
+++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
 mbc:
diff --git a/host-interaction/file-system/delete/delete-file.yml b/host-interaction/file-system/delete/delete-file.yml
index ba88ea9a..896861e1 100644
--- a/host-interaction/file-system/delete/delete-file.yml
+++ b/host-interaction/file-system/delete/delete-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Delete File [C0047]
 examples:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
index 5880fdaf..98d885f9 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index 3f809abc..65a2afc1 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/meta/get-file-version-info.yml b/host-interaction/file-system/meta/get-file-version-info.yml
index a8ab1e88..9b360703 100644
--- a/host-interaction/file-system/meta/get-file-version-info.yml
+++ b/host-interaction/file-system/meta/get-file-version-info.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::File and Directory Discovery [T1083]
 mbc:
diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml
index a41e77c4..da94145a 100644
--- a/host-interaction/file-system/read/read-file-on-linux.yml
+++ b/host-interaction/file-system/read/read-file-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
index 0d09a30b..9e9e22a8 100644
--- a/host-interaction/file-system/read/read-file-on-windows.yml
+++ b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-file-via-mapping.yml b/host-interaction/file-system/read/read-file-via-mapping.yml
index b5858045..ed970f1f 100644
--- a/host-interaction/file-system/read/read-file-via-mapping.yml
+++ b/host-interaction/file-system/read/read-file-via-mapping.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-ini-file.yml b/host-interaction/file-system/read/read-ini-file.yml
index 65fda069..87a9c450 100644
--- a/host-interaction/file-system/read/read-ini-file.yml
+++ b/host-interaction/file-system/read/read-ini-file.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Read File [C0051]
 examples:
diff --git a/host-interaction/file-system/read/read-virtual-disk.yml b/host-interaction/file-system/read/read-virtual-disk.yml
index 1a07fdc8..7e5508c8 100644
--- a/host-interaction/file-system/read/read-virtual-disk.yml
+++ b/host-interaction/file-system/read/read-virtual-disk.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Read Virtual Disk [C0056]
 references:
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
index 412803ba..65614828 100644
--- a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
+++ b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Defense Evasion::Disable or Evade Security Tools::Bypass Windows File Protection [F0004.007]
 examples:
diff --git a/host-interaction/file-system/write/write-file-on-linux.yml b/host-interaction/file-system/write/write-file-on-linux.yml
index eb056fe5..f6fedbbd 100644
--- a/host-interaction/file-system/write/write-file-on-linux.yml
+++ b/host-interaction/file-system/write/write-file-on-linux.yml
@@ -7,7 +7,7 @@ rule:
 - mehunhoff@google.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - File System::Writes File [C0052]
 examples:
diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml
index 7ceb3428..4ae71965 100644
--- a/host-interaction/filter/enumerate-minifilter-drivers.yml
+++ b/host-interaction/filter/enumerate-minifilter-drivers.yml
@@ -6,7 +6,7 @@ rule:
 - aseel.kayal@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
 - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
diff --git a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
index 9b034d87..12a7e69e 100644
--- a/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
+++ b/host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
index 5ef9b148..2475cb89 100644
--- a/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
+++ b/host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Software Discovery::Security Software Discovery [T1518.001]
 references:
diff --git a/host-interaction/gui/logon/references-logon-banner.yml b/host-interaction/gui/logon/references-logon-banner.yml
index f4ea8920..36d6cc67 100644
--- a/host-interaction/gui/logon/references-logon-banner.yml
+++ b/host-interaction/gui/logon/references-logon-banner.yml
@@ -6,7 +6,7 @@ rule:
 - "@_re_fox"
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC
 features:
diff --git a/host-interaction/gui/session/lock/lock-the-desktop.yml b/host-interaction/gui/session/lock/lock-the-desktop.yml
index b27490f5..8cbe4fa4 100644
--- a/host-interaction/gui/session/lock/lock-the-desktop.yml
+++ b/host-interaction/gui/session/lock/lock-the-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Impact::Endpoint Denial of Service [T1499]
 examples:
diff --git a/host-interaction/gui/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml
index 2a379a06..2eba9e78 100644
--- a/host-interaction/gui/switch-active-desktop.yml
+++ b/host-interaction/gui/switch-active-desktop.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Debugger Evasion [T1622]
 mbc:
diff --git a/host-interaction/gui/taskbar/find/find-taskbar.yml b/host-interaction/gui/taskbar/find/find-taskbar.yml
index 5bf96719..2030f8f9 100644
--- a/host-interaction/gui/taskbar/find/find-taskbar.yml
+++ b/host-interaction/gui/taskbar/find/find-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Discovery::Taskbar Discovery [B0043]
 examples:
diff --git a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
index c0422753..83b01a02 100644
--- a/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
+++ b/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Hide Artifacts [T1564]
 examples:
diff --git a/host-interaction/gui/window/get-text/get-graphical-window-text.yml b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
index d9c1756f..5ff4ac48 100644
--- a/host-interaction/gui/window/get-text/get-graphical-window-text.yml
+++ b/host-interaction/gui/window/get-text/get-graphical-window-text.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Discovery::Application Window Discovery [E1010]
 examples:
diff --git a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
index 980035d0..379f17f5 100644
--- a/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
+++ b/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Impact::Modify Hardware::CDROM [B0042.001]
 examples:
diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml
index 8f858f88..26714caa 100644
--- a/host-interaction/hardware/cpu/get-cpu-information.yml
+++ b/host-interaction/hardware/cpu/get-cpu-information.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
index de199af8..f8ce4a27 100644
--- a/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
+++ b/host-interaction/hardware/cpu/get-number-of-processor-cores.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 references:
diff --git a/host-interaction/hardware/keyboard/get-keyboard-layout.yml b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
index b78a65c7..90d5c8f2 100644
--- a/host-interaction/hardware/keyboard/get-keyboard-layout.yml
+++ b/host-interaction/hardware/keyboard/get-keyboard-layout.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples:
diff --git a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
index 5fb4b0ea..dc255df6 100644
--- a/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
+++ b/host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
@@ -7,7 +7,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Hardware::Simulate Hardware::Ctrl-Alt-Del [C0057.001]
 examples:
diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml
index 72d7f444..da3b7324 100644
--- a/host-interaction/hardware/memory/get-memory-information.yml
+++ b/host-interaction/hardware/memory/get-memory-information.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
index 396f18b4..d5376722 100644
--- a/host-interaction/hardware/storage/get-disk-size.yml
+++ b/host-interaction/hardware/storage/get-disk-size.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 mbc:
diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
index 116ccd4f..830a41a2 100755
--- a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
+++ b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
@@ -7,7 +7,7 @@ rule:
 - blaine.stancill@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Discovery::File and Directory Discovery::Log File [E1083.m01]
 references:
diff --git a/host-interaction/mutex/check-mutex-and-exit.yml b/host-interaction/mutex/check-mutex-and-exit.yml
index 3934a5ae..8d175af4 100644
--- a/host-interaction/mutex/check-mutex-and-exit.yml
+++ b/host-interaction/mutex/check-mutex-and-exit.yml
@@ -7,7 +7,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Process::Check Mutex [C0043]
 - Process::Terminate Process [C0018]
diff --git a/host-interaction/mutex/check-mutex.yml b/host-interaction/mutex/check-mutex.yml
index 900120e5..ee9cd0d4 100644
--- a/host-interaction/mutex/check-mutex.yml
+++ b/host-interaction/mutex/check-mutex.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Process::Check Mutex [C0043]
 examples:
diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml
index 79d6b4fe..6e3f795f 100644
--- a/host-interaction/mutex/create-semaphore-on-linux.yml
+++ b/host-interaction/mutex/create-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0
 features:
diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml
index 47e4e78b..7225a759 100644
--- a/host-interaction/mutex/lock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/lock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml
index f2e1b1a8..18dac588 100644
--- a/host-interaction/mutex/unlock-semaphore-on-linux.yml
+++ b/host-interaction/mutex/unlock-semaphore-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - "@ramen0x3f"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
 features:
diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml
index 1e5d485e..ef0a39b1 100644
--- a/host-interaction/network/address/get-local-ipv4-addresses.yml
+++ b/host-interaction/network/address/get-local-ipv4-addresses.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
index 8af06b9a..b0a33a58 100644
--- a/host-interaction/network/connectivity/set-tcp-connection-state.yml
+++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -7,7 +7,7 @@ rule:
 description: The SetTcpEntry function sets the state of a TCP connection.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Impair Defenses [T1562]
 references:
diff --git a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
index 6686f400..e49ab6f2 100644
--- a/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
+++ b/host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for an LDAP query and related Windows API calls used to enumerate other computers on the Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/domain/get-domain-controller-name.yml b/host-interaction/network/domain/get-domain-controller-name.yml
index 2f926817..2036a7ca 100644
--- a/host-interaction/network/domain/get-domain-controller-name.yml
+++ b/host-interaction/network/domain/get-domain-controller-name.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for calls to Windows APIs that can be used to determine the name of the domain controller for a Windows domain that a computer is connected to.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 references:
diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml
index 150fd5e6..81690430 100644
--- a/host-interaction/network/interface/get-networking-interfaces.yml
+++ b/host-interaction/network/interface/get-networking-interfaces.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Network Configuration Discovery [T1016]
 examples:
diff --git a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
index b562204b..8d248972 100644
--- a/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
+++ b/host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmfilterenum0
 - https://github.com/netero1010/EDRSilencer/blob/main/EDRSilencer.c
diff --git a/host-interaction/os/info/get-system-information-on-windows.yml b/host-interaction/os/info/get-system-information-on-windows.yml
index 9b6e916d..7bfa4590 100644
--- a/host-interaction/os/info/get-system-information-on-windows.yml
+++ b/host-interaction/os/info/get-system-information-on-windows.yml
@@ -7,7 +7,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml
index 41126b10..6f158f5b 100644
--- a/host-interaction/os/version/get-kernel-version.yml
+++ b/host-interaction/os/version/get-kernel-version.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml
index 1d01bc02..b8e95f82 100644
--- a/host-interaction/os/version/get-linux-distribution.yml
+++ b/host-interaction/os/version/get-linux-distribution.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Information Discovery [T1082]
 examples:
diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml
index bb2fbae5..5e5769d9 100644
--- a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml
+++ b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Memory::Allocate Memory [C0007]
 examples:
diff --git a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
index 2d6a46ad..efbb41f3 100644
--- a/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
+++ b/host-interaction/process/inject/allocate-user-process-rwx-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 examples:
diff --git a/host-interaction/process/inject/attach-user-process-memory.yml b/host-interaction/process/inject/attach-user-process-memory.yml
index c9447cd9..877ff5e2 100644
--- a/host-interaction/process/inject/attach-user-process-memory.yml
+++ b/host-interaction/process/inject/attach-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml
index 081c21bd..6a5fce47 100644
--- a/host-interaction/process/inject/free-user-process-memory.yml
+++ b/host-interaction/process/inject/free-user-process-memory.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/hijack-thread-execution.yml b/host-interaction/process/inject/hijack-thread-execution.yml
index 6b3e0581..cb4e8a5c 100644
--- a/host-interaction/process/inject/hijack-thread-execution.yml
+++ b/host-interaction/process/inject/hijack-thread-execution.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml
index c8179382..de507b38 100644
--- a/host-interaction/process/inject/inject-apc.yml
+++ b/host-interaction/process/inject/inject-apc.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004]
 examples:
diff --git a/host-interaction/process/inject/inject-dll.yml b/host-interaction/process/inject/inject-dll.yml
index 76120443..09c59c94 100644
--- a/host-interaction/process/inject/inject-dll.yml
+++ b/host-interaction/process/inject/inject-dll.yml
@@ -6,7 +6,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Dynamic-link Library Injection [T1055.001]
 references:
diff --git a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
index 12cb8d4b..ce9ec325 100644
--- a/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
index 8070de26..baf864d4 100644
--- a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011]
 mbc:
diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
index 87a2fe2b..7ec0c7da 100644
--- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
+++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection [T1055]
 mbc:
diff --git a/host-interaction/process/inject/inject-thread.yml b/host-interaction/process/inject/inject-thread.yml
index 8e1b7634..241c96bc 100644
--- a/host-interaction/process/inject/inject-thread.yml
+++ b/host-interaction/process/inject/inject-thread.yml
@@ -7,7 +7,7 @@ rule:
 - 0x534a@mailbox.org
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Thread Execution Hijacking [T1055.003]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/inject/use-process-replacement.yml b/host-interaction/process/inject/use-process-replacement.yml
index 1bada8da..ea72a661 100644
--- a/host-interaction/process/inject/use-process-replacement.yml
+++ b/host-interaction/process/inject/use-process-replacement.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Process Injection::Process Hollowing [T1055.012]
 - Defense Evasion::Reflective Code Loading [T1620]
diff --git a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
index 78657180..0164a758 100644
--- a/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
+++ b/host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/list/enumerate-processes.yml b/host-interaction/process/list/enumerate-processes.yml
index 78b57883..21e6ad8e 100644
--- a/host-interaction/process/list/enumerate-processes.yml
+++ b/host-interaction/process/list/enumerate-processes.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 - Discovery::Software Discovery [T1518]
diff --git a/host-interaction/process/list/find-process-by-pid.yml b/host-interaction/process/list/find-process-by-pid.yml
index ee983d72..0de6c07a 100644
--- a/host-interaction/process/list/find-process-by-pid.yml
+++ b/host-interaction/process/list/find-process-by-pid.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/list/get-explorer-pid.yml b/host-interaction/process/list/get-explorer-pid.yml
index 155fcc3d..fcd5169c 100644
--- a/host-interaction/process/list/get-explorer-pid.yml
+++ b/host-interaction/process/list/get-explorer-pid.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 references:
diff --git a/host-interaction/process/map-section-object.yml b/host-interaction/process/map-section-object.yml
index c4e1885a..0358bd88 100644
--- a/host-interaction/process/map-section-object.yml
+++ b/host-interaction/process/map-section-object.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - 61908f4d70ce6f16173e76aa42a8c25a:0x4018F0
 features:
diff --git a/host-interaction/process/modify/acquire-debug-privileges.yml b/host-interaction/process/modify/acquire-debug-privileges.yml
index 24cc1e5e..bc388226 100644
--- a/host-interaction/process/modify/acquire-debug-privileges.yml
+++ b/host-interaction/process/modify/acquire-debug-privileges.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Privilege Escalation::Access Token Manipulation [T1134]
 examples:
diff --git a/host-interaction/process/modify/modify-access-privileges.yml b/host-interaction/process/modify/modify-access-privileges.yml
index 691c0fd1..e96fffba 100644
--- a/host-interaction/process/modify/modify-access-privileges.yml
+++ b/host-interaction/process/modify/modify-access-privileges.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Privilege Escalation::Access Token Manipulation [T1134]
 examples:
diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml
index dfbc619e..2d912af8 100644
--- a/host-interaction/process/modules/list/enumerate-process-modules.yml
+++ b/host-interaction/process/modules/list/enumerate-process-modules.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 examples:
diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml
index 6af7f120..10be1348 100644
--- a/host-interaction/process/terminate/terminate-process.yml
+++ b/host-interaction/process/terminate/terminate-process.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Process::Terminate Process [C0018]
 examples:
diff --git a/host-interaction/registry/delete/delete-registry-key.yml b/host-interaction/registry/delete/delete-registry-key.yml
index 6a45d8cc..fa491ee5 100644
--- a/host-interaction/registry/delete/delete-registry-key.yml
+++ b/host-interaction/registry/delete/delete-registry-key.yml
@@ -8,7 +8,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/delete/delete-registry-value.yml b/host-interaction/registry/delete/delete-registry-value.yml
index de44c944..74387bc7 100644
--- a/host-interaction/registry/delete/delete-registry-value.yml
+++ b/host-interaction/registry/delete/delete-registry-value.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-key.yml b/host-interaction/registry/query-or-enumerate-registry-key.yml
index be0837b0..64f22c61 100644
--- a/host-interaction/registry/query-or-enumerate-registry-key.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-key.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/query-or-enumerate-registry-value.yml b/host-interaction/registry/query-or-enumerate-registry-value.yml
index 43802500..6cef5f71 100644
--- a/host-interaction/registry/query-or-enumerate-registry-value.yml
+++ b/host-interaction/registry/query-or-enumerate-registry-value.yml
@@ -8,7 +8,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Query Registry [T1012]
 mbc:
diff --git a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
index 34088062..dc5e60eb 100644
--- a/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
+++ b/host-interaction/registry/set-registry-key-via-offline-registry-library.yml
@@ -6,7 +6,7 @@ rule:
 - johnk3r
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Modify Registry [T1112]
 mbc:
diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml
index a7a5127d..2fb1e910 100644
--- a/host-interaction/service/continue-service.yml
+++ b/host-interaction/service/continue-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
index cd9db656..1b01b784 100644
--- a/host-interaction/service/create/create-service.yml
+++ b/host-interaction/service/create/create-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/delete/delete-service.yml b/host-interaction/service/delete/delete-service.yml
index d32b04fa..d1cc9c01 100644
--- a/host-interaction/service/delete/delete-service.yml
+++ b/host-interaction/service/delete/delete-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/modify/modify-service.yml b/host-interaction/service/modify/modify-service.yml
index 68baa23f..b0364340 100644
--- a/host-interaction/service/modify/modify-service.yml
+++ b/host-interaction/service/modify/modify-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Execution::System Services::Service Execution [T1569.002]
diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml
index e9724a67..be186384 100644
--- a/host-interaction/service/pause-service.yml
+++ b/host-interaction/service/pause-service.yml
@@ -6,7 +6,7 @@ rule:
 - "@mr-tz"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/start/start-service.yml b/host-interaction/service/start/start-service.yml
index 86f7ae69..02456074 100644
--- a/host-interaction/service/start/start-service.yml
+++ b/host-interaction/service/start/start-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 examples:
diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml
index 3192a552..74b6d887 100644
--- a/host-interaction/service/stop/stop-service.yml
+++ b/host-interaction/service/stop/stop-service.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 - Impact::Service Stop [T1489]
diff --git a/host-interaction/session/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml
index d503bc2a..fbe1e373 100644
--- a/host-interaction/session/get-current-user-on-linux.yml
+++ b/host-interaction/session/get-current-user-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-logon-sessions.yml b/host-interaction/session/get-logon-sessions.yml
index eb0b3ffa..0d23b16c 100644
--- a/host-interaction/session/get-logon-sessions.yml
+++ b/host-interaction/session/get-logon-sessions.yml
@@ -7,7 +7,7 @@ rule:
 description: Looks for imported Windows APIs being called to enumerate user sessions.
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Account Discovery [T1087]
 examples:
diff --git a/host-interaction/session/get-session-integrity-level.yml b/host-interaction/session/get-session-integrity-level.yml
index 9e7d17d5..8fc7854e 100644
--- a/host-interaction/session/get-session-integrity-level.yml
+++ b/host-interaction/session/get-session-integrity-level.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml
index d6e62bb4..6bc95ad9 100644
--- a/host-interaction/session/get-session-user-name.yml
+++ b/host-interaction/session/get-session-user-name.yml
@@ -7,7 +7,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 - Discovery::Account Discovery [T1087]
diff --git a/host-interaction/session/get-token-membership.yml b/host-interaction/session/get-token-membership.yml
index 58e1422c..8b9cd8eb 100644
--- a/host-interaction/session/get-token-membership.yml
+++ b/host-interaction/session/get-token-membership.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Owner/User Discovery [T1033]
 examples:
diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml
index aa03f2bb..d072956f 100644
--- a/host-interaction/thread/create/create-thread.yml
+++ b/host-interaction/thread/create/create-thread.yml
@@ -9,7 +9,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Process::Create Thread [C0038]
 examples:
diff --git a/host-interaction/thread/list/enumerate-threads.yml b/host-interaction/thread/list/enumerate-threads.yml
index db792978..c52af630 100644
--- a/host-interaction/thread/list/enumerate-threads.yml
+++ b/host-interaction/thread/list/enumerate-threads.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::Process Discovery [T1057]
 mbc:
diff --git a/host-interaction/thread/tls/set-thread-local-storage-value.yml b/host-interaction/thread/tls/set-thread-local-storage-value.yml
index 5a84bd56..408068b3 100644
--- a/host-interaction/thread/tls/set-thread-local-storage-value.yml
+++ b/host-interaction/thread/tls/set-thread-local-storage-value.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Process::Set Thread Local Storage Value [C0041]
 examples:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
index d4210209..3df8faad 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
@@ -6,7 +6,7 @@ rule:
 - richard.cole@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
 references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
index a2f0ebdc..5414b652 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
 references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
index 3c33b8b2..1e3d1ebe 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-rpc.yml
@@ -7,7 +7,7 @@ rule:
 - david@edeca.net
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
 references:
diff --git a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
index a99f8561..ca7dfbee 100644
--- a/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
+++ b/host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
@@ -7,7 +7,7 @@ rule:
 - david.cannings@pwc.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
 references:
diff --git a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
index bba4d42b..302711c6 100644
--- a/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
+++ b/impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Impact::Inhibit System Recovery [T1490]
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
diff --git a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
index e2168d2a..f9d436e6 100644
--- a/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
+++ b/impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
 mbc:
diff --git a/lib/create-or-open-section-object.yml b/lib/create-or-open-section-object.yml
index 905eb9b1..62fd733c 100644
--- a/lib/create-or-open-section-object.yml
+++ b/lib/create-or-open-section-object.yml
@@ -6,7 +6,7 @@ rule:
 lib: true
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 examples:
 - daa13ae302fe8b618ddbf590537443ef:0x401116
 features:
diff --git a/load-code/pe/access-pe-header.yml b/load-code/pe/access-pe-header.yml
index ae687ddd..387bee34 100644
--- a/load-code/pe/access-pe-header.yml
+++ b/load-code/pe/access-pe-header.yml
@@ -6,7 +6,7 @@ rule:
 - moritz.raabe@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Shared Modules [T1129]
 examples:
diff --git a/load-code/pe/inspect-section-memory-permissions.yml b/load-code/pe/inspect-section-memory-permissions.yml
index e1a0e298..0833459c 100644
--- a/load-code/pe/inspect-section-memory-permissions.yml
+++ b/load-code/pe/inspect-section-memory-permissions.yml
@@ -7,7 +7,7 @@ rule:
 description: "translate section memory permissions (specified in the 'Characteristics' field of the image section header) into page protection constants"
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 mbc:
 - Discovery::Code Discovery::Inspect Section Memory Permissions [B0046.002]
 examples:
diff --git a/load-code/powershell/run-powershell-expression.yml b/load-code/powershell/run-powershell-expression.yml
index 71ecb96a..255bd8f7 100644
--- a/load-code/powershell/run-powershell-expression.yml
+++ b/load-code/powershell/run-powershell-expression.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Command and Scripting Interpreter::PowerShell [T1059.001]
 mbc:
diff --git a/load-code/shellcode/execute-shellcode-via-copyfile2.yml b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
index 1e4762e1..feaa382d 100644
--- a/load-code/shellcode/execute-shellcode-via-copyfile2.yml
+++ b/load-code/shellcode/execute-shellcode-via-copyfile2.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CopyFile2/CopyFile2.cpp
 examples:
diff --git a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
index c6cf7543..e389af36 100644
--- a/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
+++ b/load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://github.com/S4R1N/AlternativeShellcodeExec/blob/master/CreateThreadPoolWait/CreateThreadPoolWait.cpp
 examples:
diff --git a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
index 450fec00..e69e48f9 100644
--- a/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
+++ b/load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
@@ -9,7 +9,7 @@ rule: description: Detect usage of various WinAPI functions that accept callback functions as parameters in order to execute arbitrary shellcode scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Reflective Code Loading [T1620] mbc: diff --git a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml index 49baeba4..36c4e508 100644 --- a/load-code/shellcode/execute-shellcode-via-windows-fibers.yml +++ b/load-code/shellcode/execute-shellcode-via-windows-fibers.yml @@ -6,7 +6,7 @@ rule: - jakub.jozwiak@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls mbc: - Defense Evasion::Process Injection::Injection via Windows Fibers [E1055.m05] references: diff --git a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml index 2ef4257f..d54a3409 100644 --- a/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml +++ b/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls mbc: - Memory::Allocate Memory [C0007] - Process::Create Thread [C0038] diff --git a/malware-family/plugx/match-known-plugx-module.yml b/malware-family/plugx/match-known-plugx-module.yml index 684acc63..1dccd073 100644 --- a/malware-family/plugx/match-known-plugx-module.yml +++ b/malware-family/plugx/match-known-plugx-module.yml @@ -8,7 +8,7 @@ rule: description: the sample references known PlugX watermarks (hexified YYYYMMDD + command opcode) scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf - https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html 
diff --git a/nursery/access-wmi-data-in-dotnet.yml b/nursery/access-wmi-data-in-dotnet.yml index c9ade539..339cf263 100644 --- a/nursery/access-wmi-data-in-dotnet.yml +++ b/nursery/access-wmi-data-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Execution::Windows Management Instrumentation [T1047] features: diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml index 20a0950f..8c1b036f 100644 --- a/nursery/add-value-to-global-atom-table.yml +++ b/nursery/add-value-to-global-atom-table.yml @@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows - https://github.com/BreakingMalwareResearch/atom-bombing diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml index 8e14a3e8..729c4440 100755 --- a/nursery/append-data-to-clfs-log-container.yml +++ b/nursery/append-data-to-clfs-log-container.yml @@ -7,7 +7,7 @@ rule: - blaine.stancill@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/windows/win32/api/clfsw32/ - https://github.com/libyal/libfsclfs/blob/main/documenation/Common%20Log%20File%20System%20(CLFS).asciidoc diff --git a/nursery/build-docker-image.yml b/nursery/build-docker-image.yml index 43cfd46f..23dd13b3 100644 --- a/nursery/build-docker-image.yml +++ b/nursery/build-docker-image.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Build Image on Host [T1612] references: 
diff --git a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml index 80429670..27baa42b 100644 --- a/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml +++ b/nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml @@ -7,7 +7,7 @@ rule: description: Starting in Android 9 (API level 28), the platform restricts which non-SDK interfaces your app can use scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://stackoverflow.com/questions/55970137/bypass-androids-hidden-api-restrictions features: diff --git a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml index b0f59e32..cbb53b42 100644 --- a/nursery/bypass-uac-via-scheduled-task-environment-variable.yml +++ b/nursery/bypass-uac-via-scheduled-task-environment-variable.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002] references: diff --git a/nursery/capture-webcam-video.yml b/nursery/capture-webcam-video.yml index a48af60c..416125a5 100644 --- a/nursery/capture-webcam-video.yml +++ b/nursery/capture-webcam-video.yml @@ -7,7 +7,7 @@ rule: description: Rule that detects a system's webcam being used to capture video scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Collection::Video Capture [T1125] features: diff --git a/nursery/check-for-process-debug-object.yml b/nursery/check-for-process-debug-object.yml index e1178cf9..61f6ffb5 100644 --- a/nursery/check-for-process-debug-object.yml +++ b/nursery/check-for-process-debug-object.yml 
@@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls mbc: - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] references: diff --git a/nursery/check-for-windows-sandbox-via-mutex.yml b/nursery/check-for-windows-sandbox-via-mutex.yml index 67fc01fc..5be727aa 100644 --- a/nursery/check-for-windows-sandbox-via-mutex.yml +++ b/nursery/check-for-windows-sandbox-via-mutex.yml @@ -6,7 +6,7 @@ rule: - "@_re_fox" scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/check-for-windows-sandbox-via-subdirectory.yml b/nursery/check-for-windows-sandbox-via-subdirectory.yml index ded4da43..3ddf2ef8 100644 --- a/nursery/check-for-windows-sandbox-via-subdirectory.yml +++ b/nursery/check-for-windows-sandbox-via-subdirectory.yml @@ -6,7 +6,7 @@ rule: - "echernofsky@google.com" scopes: static: basic block - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] mbc: diff --git a/nursery/check-license-value.yml b/nursery/check-license-value.yml index 769aed48..aefee5cc 100644 --- a/nursery/check-license-value.yml +++ b/nursery/check-license-value.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] references: diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml index 77d38aa4..255110a7 100644 --- a/nursery/collect-ssh-keys.yml +++ b/nursery/collect-ssh-keys.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Credential Access::Unsecured Credentials::Private Keys [T1552.004] features: 
diff --git a/nursery/compile-csharp-in-dotnet.yml b/nursery/compile-csharp-in-dotnet.yml index 59d2930b..d28c7e39 100644 --- a/nursery/compile-csharp-in-dotnet.yml +++ b/nursery/compile-csharp-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features: diff --git a/nursery/compile-visual-basic-in-dotnet.yml b/nursery/compile-visual-basic-in-dotnet.yml index 53718bff..fc3482d1 100644 --- a/nursery/compile-visual-basic-in-dotnet.yml +++ b/nursery/compile-visual-basic-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004] features: diff --git a/nursery/connect-network-resource.yml b/nursery/connect-network-resource.yml index c5018a95..6595fac8 100644 --- a/nursery/connect-network-resource.yml +++ b/nursery/connect-network-resource.yml @@ -7,7 +7,7 @@ rule: description: connect to disk or print resource scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - or: diff --git a/nursery/create-container.yml b/nursery/create-container.yml index 9ac9d3d9..8a2494d7 100644 --- a/nursery/create-container.yml +++ b/nursery/create-container.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Execution::Deploy Container [T1610] references: diff --git a/nursery/create-process-via-wmi-in-dotnet.yml b/nursery/create-process-via-wmi-in-dotnet.yml index fe6e5448..b619c6d3 100644 --- a/nursery/create-process-via-wmi-in-dotnet.yml +++ b/nursery/create-process-via-wmi-in-dotnet.yml 
@@ -6,7 +6,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Execution::Windows Management Instrumentation [T1047] features: diff --git a/nursery/create-registry-key-via-stdregprov.yml b/nursery/create-registry-key-via-stdregprov.yml index 7ab4d3d7..9d1b1739 100644 --- a/nursery/create-registry-key-via-stdregprov.yml +++ b/nursery/create-registry-key-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/delete-internet-cache.yml b/nursery/delete-internet-cache.yml index 4f7eb60b..bc84a944 100644 --- a/nursery/delete-internet-cache.yml +++ b/nursery/delete-internet-cache.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - match: enumerate internet cache diff --git a/nursery/delete-registry-key-via-stdregprov.yml b/nursery/delete-registry-key-via-stdregprov.yml index 85dff7a9..cee51198 100644 --- a/nursery/delete-registry-key-via-stdregprov.yml +++ b/nursery/delete-registry-key-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/delete-registry-value-via-stdregprov.yml b/nursery/delete-registry-value-via-stdregprov.yml index f39d0fe5..9a3853d0 100644 --- a/nursery/delete-registry-value-via-stdregprov.yml +++ b/nursery/delete-registry-value-via-stdregprov.yml 
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/destroy-software-breakpoint-capability.yml b/nursery/destroy-software-breakpoint-capability.yml index eb1666ea..be51968b 100644 --- a/nursery/destroy-software-breakpoint-capability.yml +++ b/nursery/destroy-software-breakpoint-capability.yml @@ -6,7 +6,7 @@ rule: - echernofsky@google.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.microsoft.com/en-us/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/ - https://anti-debug.checkpoint.com/techniques/assembly.html diff --git a/nursery/display-service-notification-message-box.yml b/nursery/display-service-notification-message-box.yml index ed4bda77..2f9205c1 100644 --- a/nursery/display-service-notification-message-box.yml +++ b/nursery/display-service-notification-message-box.yml @@ -6,7 +6,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - number: 0x200000 = service notification diff --git a/nursery/dynamic-add-veh.yml b/nursery/dynamic-add-veh.yml new file mode 100644 index 00000000..b67d192b --- /dev/null +++ b/nursery/dynamic-add-veh.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: dynamic add VEH + namespace: linking/runtime-linking + authors: + - wballenthin@google.com + scopes: + static: unsupported + dynamic: span of calls + features: + - and: + - call: + - and: + - api: LdrGetDllHandle + - string: "kernel32.dll" + - call: + - and: + - api: LdrGetProcedureAddress + - string: "AddVectoredExceptionHandler" + - api: RtlAddVectoredExceptionHandler diff --git a/nursery/enable-safe-mode-boot.yml b/nursery/enable-safe-mode-boot.yml index c9683b22..7ece3105 100644 
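Review bot: The new `nursery/dynamic-add-veh.yml` matches the module name with an exact `string: "kernel32.dll"`, which is case-sensitive, so traces that render the argument as `KERNEL32.DLL` or `kernel32` would not fire; a case-insensitive regex such as `- string: /kernel32(\.dll)?/i` is more robust here. Coverage also appears to depend on the sandbox recording the ntdll-level `LdrGetDllHandle`/`LdrGetProcedureAddress` calls; if a trace only logs the kernel32 wrappers (`GetModuleHandle`/`GetProcAddress`) the rule will miss the same behavior, which is worth stating in a `description:` or covering with an `or:` on those APIs. The name `dynamic add VEH` does not follow the lowercase verb-phrase style used by the other rules in this patch (e.g. `hook routines via microsoft detours`); something like `name: add vectored exception handler via runtime linking` reads better, and the rule has no `examples:` or `references:` entries, which it will need before leaving the nursery.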
--- a/nursery/enable-safe-mode-boot.yml +++ b/nursery/enable-safe-mode-boot.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Impair Defenses::Safe Mode Boot [T1562.009] features: diff --git a/nursery/encrypt-data-using-salsa20-or-chacha.yml b/nursery/encrypt-data-using-salsa20-or-chacha.yml index de06d943..70934917 100644 --- a/nursery/encrypt-data-using-salsa20-or-chacha.yml +++ b/nursery/encrypt-data-using-salsa20-or-chacha.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml index 2924df5c..2754664b 100644 --- a/nursery/encrypt-or-decrypt-data-via-bcrypt.yml +++ b/nursery/encrypt-or-decrypt-data-via-bcrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml index 6e9147af..9a5300cc 100644 --- a/nursery/enumerate-device-drivers-on-linux.yml +++ b/nursery/enumerate-device-drivers-on-linux.yml @@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::Device Driver Discovery [T1652] features: diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml index 2abd915c..068dc3f1 100644 --- a/nursery/enumerate-device-drivers-on-windows.yml +++ b/nursery/enumerate-device-drivers-on-windows.yml 
@@ -6,7 +6,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::Device Driver Discovery [T1652] references: diff --git a/nursery/enumerate-disk-volumes.yml b/nursery/enumerate-disk-volumes.yml index a03a5206..c157a39c 100644 --- a/nursery/enumerate-disk-volumes.yml +++ b/nursery/enumerate-disk-volumes.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/enumerate-files-in-dotnet.yml b/nursery/enumerate-files-in-dotnet.yml index ccb21c79..7ebf83b7 100644 --- a/nursery/enumerate-files-in-dotnet.yml +++ b/nursery/enumerate-files-in-dotnet.yml @@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::File and Directory Discovery [T1083] mbc: diff --git a/nursery/enumerate-internet-cache.yml b/nursery/enumerate-internet-cache.yml index b8296701..d80af35d 100644 --- a/nursery/enumerate-internet-cache.yml +++ b/nursery/enumerate-internet-cache.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - api: wininet.FindFirstUrlCacheEntry diff --git a/nursery/enumerate-network-shares.yml b/nursery/enumerate-network-shares.yml index 1baa2496..463ee2be 100644 --- a/nursery/enumerate-network-shares.yml +++ b/nursery/enumerate-network-shares.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::Network Share Discovery [T1135] features: diff --git a/nursery/enumerate-processes-that-use-resource.yml b/nursery/enumerate-processes-that-use-resource.yml index a548487e..be0c4dbf 100644 --- a/nursery/enumerate-processes-that-use-resource.yml +++ b/nursery/enumerate-processes-that-use-resource.yml 
@@ -6,7 +6,7 @@ rule: - "@Ana06" scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.malwarebytes.com/blog/threat-intelligence/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners # examples: diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml index cc5ee888..88902f57 100644 --- a/nursery/enumerate-processes-via-procfs.yml +++ b/nursery/enumerate-processes-via-procfs.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::Process Discovery [T1057] - Discovery::Software Discovery [T1518] diff --git a/nursery/execute-sqlite-statement-in-dotnet.yml b/nursery/execute-sqlite-statement-in-dotnet.yml index d92da4a2..643b5fab 100644 --- a/nursery/execute-sqlite-statement-in-dotnet.yml +++ b/nursery/execute-sqlite-statement-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - or: diff --git a/nursery/get-client-handle-via-schannel.yml b/nursery/get-client-handle-via-schannel.yml index 0e7a32a0..d6ac052f 100644 --- a/nursery/get-client-handle-via-schannel.yml +++ b/nursery/get-client-handle-via-schannel.yml @@ -6,7 +6,7 @@ rule: - matthew.williams@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] references: diff --git a/nursery/get-current-process-command-line.yml b/nursery/get-current-process-command-line.yml index b639e1e7..b0526ee0 100644 --- a/nursery/get-current-process-command-line.yml +++ b/nursery/get-current-process-command-line.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - os: linux 
diff --git a/nursery/get-mac-address-in-dotnet.yml b/nursery/get-mac-address-in-dotnet.yml index ea69efa3..de389c12 100644 --- a/nursery/get-mac-address-in-dotnet.yml +++ b/nursery/get-mac-address-in-dotnet.yml @@ -8,7 +8,7 @@ rule: - echernofsky@google.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-mac-address-on-linux.yml b/nursery/get-mac-address-on-linux.yml index 58485e9e..541f3ec2 100644 --- a/nursery/get-mac-address-on-linux.yml +++ b/nursery/get-mac-address-on-linux.yml @@ -6,7 +6,7 @@ rule: - joakim@intezer.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-os-information-via-kuser_shared_data.yml b/nursery/get-os-information-via-kuser_shared_data.yml index 05e4f61a..157c4e8f 100644 --- a/nursery/get-os-information-via-kuser_shared_data.yml +++ b/nursery/get-os-information-via-kuser_shared_data.yml @@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Information Discovery [T1082] references: diff --git a/nursery/get-process-image-filename.yml b/nursery/get-process-image-filename.yml index 1ca653cd..aa73039a 100644 --- a/nursery/get-process-image-filename.yml +++ b/nursery/get-process-image-filename.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: basic block - dynamic: sequence + dynamic: span of calls features: - or: - and: diff --git a/nursery/get-proxy.yml b/nursery/get-proxy.yml index 1d667ad6..7ea64ac5 100644 --- a/nursery/get-proxy.yml +++ b/nursery/get-proxy.yml @@ -6,7 +6,7 @@ rule: - moritz.raabe@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Network Configuration Discovery [T1016] features: 
diff --git a/nursery/get-session-information.yml b/nursery/get-session-information.yml index e9fae8b9..a87a1ad1 100644 --- a/nursery/get-session-information.yml +++ b/nursery/get-session-information.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Owner/User Discovery [T1033] features: diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml index ed0cd9a4..ef26bc40 100644 --- a/nursery/get-storage-device-properties.yml +++ b/nursery/get-storage-device-properties.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property features: diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml index 47a82615..cec68636 100644 --- a/nursery/get-system-information-on-linux.yml +++ b/nursery/get-system-information-on-linux.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::System Information Discovery [T1082] features: diff --git a/nursery/get-token-privileges.yml b/nursery/get-token-privileges.yml index aea1a7da..5d6ab56d 100644 --- a/nursery/get-token-privileges.yml +++ b/nursery/get-token-privileges.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - or: diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml index c8878ada..dee348f5 100755 --- a/nursery/hash-data-using-ripemd256.yml +++ b/nursery/hash-data-using-ripemd256.yml 
@@ -6,7 +6,7 @@ rule: - raymond.leong@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://en.wikipedia.org/wiki/RIPEMD-256 features: diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml index c0782858..a402536c 100755 --- a/nursery/hash-data-using-ripemd320.yml +++ b/nursery/hash-data-using-ripemd320.yml @@ -6,7 +6,7 @@ rule: - raymond.leong@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://en.wikipedia.org/wiki/RIPEMD-320 features: diff --git a/nursery/hash-data-using-sha1-via-wincrypt.yml b/nursery/hash-data-using-sha1-via-wincrypt.yml index 0eb3b34d..0729b3fc 100644 --- a/nursery/hash-data-using-sha1-via-wincrypt.yml +++ b/nursery/hash-data-using-sha1-via-wincrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - or: - and: diff --git a/nursery/hash-data-using-sha512managed-in-dotnet.yml b/nursery/hash-data-using-sha512managed-in-dotnet.yml index 9f8027fb..9ec66f57 100644 --- a/nursery/hash-data-using-sha512managed-in-dotnet.yml +++ b/nursery/hash-data-using-sha512managed-in-dotnet.yml @@ -6,7 +6,7 @@ rule: - jonathanlepore@google.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed features: diff --git a/nursery/hash-data-via-bcrypt.yml b/nursery/hash-data-via-bcrypt.yml index b7af6eb8..801d12da 100644 --- a/nursery/hash-data-via-bcrypt.yml +++ b/nursery/hash-data-via-bcrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] mbc: diff --git a/nursery/hook-routines-via-lsplant.yml b/nursery/hook-routines-via-lsplant.yml index 72120540..646f305b 100644 
--- a/nursery/hook-routines-via-lsplant.yml +++ b/nursery/hook-routines-via-lsplant.yml @@ -7,7 +7,7 @@ rule: description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization scopes: static: basic block - dynamic: sequence + dynamic: span of calls references: - https://github.com/LSPosed/LSPlant features: diff --git a/nursery/hook-routines-via-microsoft-detours.yml b/nursery/hook-routines-via-microsoft-detours.yml index 62c6a22c..9ad20d3b 100644 --- a/nursery/hook-routines-via-microsoft-detours.yml +++ b/nursery/hook-routines-via-microsoft-detours.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf features: diff --git a/nursery/impersonate-user.yml b/nursery/impersonate-user.yml index c0f65154..746888d9 100644 --- a/nursery/impersonate-user.yml +++ b/nursery/impersonate-user.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001] features: diff --git a/nursery/initialize-hashing-via-wincrypt.yml b/nursery/initialize-hashing-via-wincrypt.yml index eaa99b51..e3ec366f 100644 --- a/nursery/initialize-hashing-via-wincrypt.yml +++ b/nursery/initialize-hashing-via-wincrypt.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - api: advapi32.CryptCreateHash diff --git a/nursery/list-containers.yml b/nursery/list-containers.yml index 00350c23..107dbe41 100644 --- a/nursery/list-containers.yml +++ b/nursery/list-containers.yml 
@@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Discovery::Container and Resource Discovery [T1613] references: diff --git a/nursery/list-drag-and-drop-files.yml b/nursery/list-drag-and-drop-files.yml index 83a89bd7..924c64d3 100644 --- a/nursery/list-drag-and-drop-files.yml +++ b/nursery/list-drag-and-drop-files.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls att&ck: - Collection::Clipboard Data [T1115] features: diff --git a/nursery/load-packed-dex-via-jiagu-on-android.yml b/nursery/load-packed-dex-via-jiagu-on-android.yml index 4c56f129..81f48280 100644 --- a/nursery/load-packed-dex-via-jiagu-on-android.yml +++ b/nursery/load-packed-dex-via-jiagu-on-android.yml @@ -6,7 +6,7 @@ rule: - mehunhoff@google.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://github.com/Frezrik/Jiagu features: diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml index cc80ca75..019f6c6d 100644 --- a/nursery/log-keystrokes-via-input-method-manager.yml +++ b/nursery/log-keystrokes-via-input-method-manager.yml @@ -7,7 +7,7 @@ rule: - "@mr-tz" scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - or: diff --git a/nursery/make-an-http-request-with-a-cookie.yml b/nursery/make-an-http-request-with-a-cookie.yml index 65b803a7..87a5ab12 100644 --- a/nursery/make-an-http-request-with-a-cookie.yml +++ b/nursery/make-an-http-request-with-a-cookie.yml @@ -6,7 +6,7 @@ rule: - anamaria.martinezgom@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - match: send HTTP request diff --git a/nursery/migrate-process-to-active-window-station.yml b/nursery/migrate-process-to-active-window-station.yml index 4d902172..3706ff40 100644 
--- a/nursery/migrate-process-to-active-window-station.yml +++ b/nursery/migrate-process-to-active-window-station.yml @@ -7,7 +7,7 @@ rule: description: set process to the active window station so it can receive GUI events. commonly seen in keyloggers. scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.installsetupconfig.com/win32programming/windowstationsdesktops13_1.html - https://brianbondy.com/blog/100/understanding-windows-at-a-deeper-level-sessions-window-stations-and-desktops diff --git a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml index a27c332a..09948ee0 100644 --- a/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml +++ b/nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml @@ -6,7 +6,7 @@ rule: - mehunhoff@google.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - os: android diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml index 88b75d93..44ce8400 100644 --- a/nursery/persist-via-gnome-autostart-on-linux.yml +++ b/nursery/persist-via-gnome-autostart-on-linux.yml @@ -6,7 +6,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - os: linux diff --git a/nursery/prompt-user-for-credentials.yml b/nursery/prompt-user-for-credentials.yml index cfbbc6fa..ee85ed02 100644 --- a/nursery/prompt-user-for-credentials.yml +++ b/nursery/prompt-user-for-credentials.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/credentials-collection-via-creduipromptforcredentials features: 
diff --git a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml index 0b9df019..0bfa3582 100644 --- a/nursery/query-or-enumerate-registry-key-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-key-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml index 7c995002..10907b64 100644 --- a/nursery/query-or-enumerate-registry-value-via-stdregprov.yml +++ b/nursery/query-or-enumerate-registry-value-via-stdregprov.yml @@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods features: diff --git a/nursery/read-and-send-data-from-client-to-server.yml b/nursery/read-and-send-data-from-client-to-server.yml index 0a5f604f..d137c693 100644 --- a/nursery/read-and-send-data-from-client-to-server.yml +++ b/nursery/read-and-send-data-from-client-to-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - match: host-interaction/file-system/read diff --git a/nursery/read-process-memory.yml b/nursery/read-process-memory.yml index 6d6c44fe..9a06242b 100644 --- a/nursery/read-process-memory.yml +++ b/nursery/read-process-memory.yml @@ -8,7 +8,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - api: kernel32.ReadProcessMemory 
diff --git a/nursery/receive-and-write-data-from-server-to-client.yml b/nursery/receive-and-write-data-from-server-to-client.yml index c9f69986..4decf96d 100644 --- a/nursery/receive-and-write-data-from-server-to-client.yml +++ b/nursery/receive-and-write-data-from-server-to-client.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls features: - and: - match: receive data diff --git a/nursery/reference-114dns-dns-server.yml b/nursery/reference-114dns-dns-server.yml index b52152e5..c7a9d264 100644 --- a/nursery/reference-114dns-dns-server.yml +++ b/nursery/reference-114dns-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.114dns.com/ - https://www.amazon.com/ask/questions/Tx27CUHKMM403NP diff --git a/nursery/reference-alidns-dns-server.yml b/nursery/reference-alidns-dns-server.yml index 696f2c4b..7aa4f9aa 100644 --- a/nursery/reference-alidns-dns-server.yml +++ b/nursery/reference-alidns-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.alidns.com/ # examples: diff --git a/nursery/reference-cloudflare-dns-server.yml b/nursery/reference-cloudflare-dns-server.yml index 9fd7d5b2..0d0463d9 100644 --- a/nursery/reference-cloudflare-dns-server.yml +++ b/nursery/reference-cloudflare-dns-server.yml @@ -6,7 +6,7 @@ rule: - william.ballenthin@mandiant.com scopes: static: function - dynamic: sequence + dynamic: span of calls references: - https://www.techradar.com/news/best-dns-server features: diff --git a/nursery/reference-comodo-secure-dns-server.yml b/nursery/reference-comodo-secure-dns-server.yml index 5eaf10df..ef53cbf4 100644 --- a/nursery/reference-comodo-secure-dns-server.yml +++ b/nursery/reference-comodo-secure-dns-server.yml 
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-google-public-dns-server.yml b/nursery/reference-google-public-dns-server.yml
index 5815adcb..118be3d8 100644
--- a/nursery/reference-google-public-dns-server.yml
+++ b/nursery/reference-google-public-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.techradar.com/news/best-dns-server
 - https://developers.google.com/speed/public-dns/docs/using
diff --git a/nursery/reference-hurricane-electric-dns-server.yml b/nursery/reference-hurricane-electric-dns-server.yml
index bfd2c1ea..0fbae522 100644
--- a/nursery/reference-hurricane-electric-dns-server.yml
+++ b/nursery/reference-hurricane-electric-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://dns.he.net/
 - https://dnslytics.com/ip/216.66.1.2
diff --git a/nursery/reference-kornet-dns-server.yml b/nursery/reference-kornet-dns-server.yml
index add6a03d..71b27f2d 100644
--- a/nursery/reference-kornet-dns-server.yml
+++ b/nursery/reference-kornet-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://whatismyipaddress.com/ip/168.126.63.1
 # examples:
diff --git a/nursery/reference-l3-dns-server.yml b/nursery/reference-l3-dns-server.yml
index 45ba4e6d..165c038b 100644
--- a/nursery/reference-l3-dns-server.yml
+++ b/nursery/reference-l3-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.quora.com/What-is-a-4-2-2-1-DNS-server
 features:
diff --git a/nursery/reference-opendns-dns-server.yml b/nursery/reference-opendns-dns-server.yml
index e0a68d41..8cde79e1 100644
--- a/nursery/reference-opendns-dns-server.yml
+++ b/nursery/reference-opendns-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-quad9-dns-server.yml b/nursery/reference-quad9-dns-server.yml
index 4c9732b1..13c1893b 100644
--- a/nursery/reference-quad9-dns-server.yml
+++ b/nursery/reference-quad9-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/reference-verisign-dns-server.yml b/nursery/reference-verisign-dns-server.yml
index 6b0528cc..937c7713 100644
--- a/nursery/reference-verisign-dns-server.yml
+++ b/nursery/reference-verisign-dns-server.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.techradar.com/news/best-dns-server
 features:
diff --git a/nursery/resolve-function-by-djb2-hash.yml b/nursery/resolve-function-by-djb2-hash.yml
index 3c5ec73a..4af27f75 100644
--- a/nursery/resolve-function-by-djb2-hash.yml
+++ b/nursery/resolve-function-by-djb2-hash.yml
@@ -7,7 +7,7 @@ rule:
 description: known import name hashes calculated using the non-cryptographic djb2 hashing algorithm
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 mbc:
diff --git a/nursery/resolve-function-by-fnv-1a-hash.yml b/nursery/resolve-function-by-fnv-1a-hash.yml
index 91f8d6fb..91823895 100644
--- a/nursery/resolve-function-by-fnv-1a-hash.yml
+++ b/nursery/resolve-function-by-fnv-1a-hash.yml
@@ -7,7 +7,7 @@ rule:
 description: known import name hashes calculated using the non-cryptographic FNV-1a hashing algorithm
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/resolve-function-by-hash.yml b/nursery/resolve-function-by-hash.yml
index cb219c7e..860b7c3e 100644
--- a/nursery/resolve-function-by-hash.yml
+++ b/nursery/resolve-function-by-hash.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
 references:
diff --git a/nursery/run-in-container.yml b/nursery/run-in-container.yml
index 4d7cb40d..6b037e80 100644
--- a/nursery/run-in-container.yml
+++ b/nursery/run-in-container.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Execution::Container Administration Command [T1609]
 references:
diff --git a/nursery/send-data-to-internet.yml b/nursery/send-data-to-internet.yml
index c2ffa3a7..96666a48 100644
--- a/nursery/send-data-to-internet.yml
+++ b/nursery/send-data-to-internet.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 features:
 - and:
 - optional:
diff --git a/nursery/send-http-request-with-host-header.yml b/nursery/send-http-request-with-host-header.yml
index 959694ba..070d9f5e 100644
--- a/nursery/send-http-request-with-host-header.yml
+++ b/nursery/send-http-request-with-host-header.yml
@@ -6,7 +6,7 @@ rule:
 - anamaria.martinezgom@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 features:
 - and:
 - match: send HTTP request
diff --git a/nursery/send-request-in-dotnet.yml b/nursery/send-request-in-dotnet.yml
index 4233995a..9ade35f5 100644
--- a/nursery/send-request-in-dotnet.yml
+++ b/nursery/send-request-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - anushka.virgaonakr@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
 mbc:
diff --git a/nursery/set-registry-value-via-stdregprov.yml b/nursery/set-registry-value-via-stdregprov.yml
index 61ea9b56..7915720f 100644
--- a/nursery/set-registry-value-via-stdregprov.yml
+++ b/nursery/set-registry-value-via-stdregprov.yml
@@ -7,7 +7,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
 features:
diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml
index 8177edb6..5df8bff1 100644
--- a/nursery/set-thread-name-on-linux.yml
+++ b/nursery/set-thread-name-on-linux.yml
@@ -6,7 +6,7 @@ rule:
 - michael.hunhoff@mandiant.com
 scopes:
 static: basic block
- dynamic: sequence
+ dynamic: span of calls
 features:
 - and:
 - or:
diff --git a/nursery/terminate-process-by-name-in-dotnet.yml b/nursery/terminate-process-by-name-in-dotnet.yml
index 4488795a..2776c8f5 100644
--- a/nursery/terminate-process-by-name-in-dotnet.yml
+++ b/nursery/terminate-process-by-name-in-dotnet.yml
@@ -6,7 +6,7 @@ rule:
 - anushka.virgaonkar@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 features:
 - and:
 - api: System.Diagnostics.Process::GetProcessesByName
diff --git a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
index bd2c68dc..115d7462 100644
--- a/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
+++ b/nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
@@ -7,7 +7,7 @@ rule:
 description: https://github.com/bohops/DynamicDotNet/blob/main/dynamic_pinvoke/dynamic_pinvoke_definepinvokemethod_shellcode_runner.cs
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 features:
 - and:
 - or:
diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml
index c3cc8f39..6bfdfb1f 100644
--- a/persistence/exchange/act-as-exchange-transport-agent.yml
+++ b/persistence/exchange/act-as-exchange-transport-agent.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Server Software Component::Transport Agent [T1505.002]
 references:
diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml
index e2a4030e..41bfa78c 100644
--- a/persistence/persist-via-desktop-autostart.yml
+++ b/persistence/persist-via-desktop-autostart.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]
 examples:
diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml
index 351c54da..191ba874 100644
--- a/persistence/persist-via-shell-profile-or-rc-file.yml
+++ b/persistence/persist-via-shell-profile-or-rc-file.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004]
 examples:
diff --git a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
index b05e9079..1c01255d 100644
--- a/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
+++ b/persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@fireye.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Event Triggered Execution::AppInit DLLs [T1546.010]
 - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml
index 742e0729..851bc2d4 100644
--- a/persistence/service/persist-via-rc-script.yml
+++ b/persistence/service/persist-via-rc-script.yml
@@ -6,7 +6,7 @@ rule:
 - joakim@intezer.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004]
 examples:
diff --git a/persistence/startup-folder/write-file-to-startup-folder.yml b/persistence/startup-folder/write-file-to-startup-folder.yml
index 0f463ec6..d9cd963f 100644
--- a/persistence/startup-folder/write-file-to-startup-folder.yml
+++ b/persistence/startup-folder/write-file-to-startup-folder.yml
@@ -7,7 +7,7 @@ rule:
 - j.j.vannielen@utwente.nl
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
 examples:
diff --git a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
index 4a23a7d2..a030a44b 100644
--- a/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
+++ b/targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 references:
 - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html
 examples:
diff --git a/targeting/language/identify-system-language-via-api.yml b/targeting/language/identify-system-language-via-api.yml
index 5535d56f..abdf8c04 100644
--- a/targeting/language/identify-system-language-via-api.yml
+++ b/targeting/language/identify-system-language-via-api.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: function
- dynamic: sequence
+ dynamic: span of calls
 att&ck:
 - Discovery::System Location Discovery::System Language Discovery [T1614.001]
 examples: