mandiant · williballenthin · Dec 17, 2024 · Dec 17, 2024 · Jan 16, 2025 · Jan 17, 2025
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Execution::Command and Scripting Interpreter::Windows Command Shell [T1059.003]
     mbc:

diff --git a/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml b/anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

diff --git a/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml b/anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: span of calls
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:

diff --git a/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml b/...is/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
     examples:

diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

diff --git a/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml b/anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:

diff --git a/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml b/anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

diff --git a/anti-analysis/anti-forensic/impersonate-file-version-information.yml b/anti-analysis/anti-forensic/impersonate-file-version-information.yml
@@ -7,7 +7,7 @@ rule:
     description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Indicator Removal [T1070]
     references:

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml b/anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -7,7 +7,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

diff --git a/anti-analysis/anti-forensic/timestomp/timestomp-file.yml b/anti-analysis/anti-forensic/timestomp/timestomp-file.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
     examples:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml b/anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -7,7 +7,7 @@ rule:
       - "[email protected]"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: basic block
-      dynamic: thread
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
     examples:

diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:

diff --git a/collection/database/sql/reference-sql-statements.yml b/collection/database/sql/reference-sql-statements.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Collection::Data from Information Repositories [T1213]
     examples:

diff --git a/collection/database/wmi/reference-wmi-statements.yml b/collection/database/wmi/reference-wmi-statements.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Collection::Data from Information Repositories [T1213]
     examples:

diff --git a/collection/file-managers/gather-3d-ftp-information.yml b/collection/file-managers/gather-3d-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-alftp-information.yml b/collection/file-managers/gather-alftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-bitkinex-information.yml b/collection/file-managers/gather-bitkinex-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-blazeftp-information.yml b/collection/file-managers/gather-blazeftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-bulletproof-ftp-information.yml b/collection/file-managers/gather-bulletproof-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-classicftp-information.yml b/collection/file-managers/gather-classicftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
-      dynamic: span of calls
+      dynamic: call
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-coreftp-information.yml b/collection/file-managers/gather-coreftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-cuteftp-information.yml b/collection/file-managers/gather-cuteftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-cyberduck-information.yml b/collection/file-managers/gather-cyberduck-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-direct-ftp-information.yml b/collection/file-managers/gather-direct-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-directory-opus-information.yml b/collection/file-managers/gather-directory-opus-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-expandrive-information.yml b/collection/file-managers/gather-expandrive-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-faststone-browser-information.yml b/collection/file-managers/gather-faststone-browser-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-fasttrack-ftp-information.yml b/collection/file-managers/gather-fasttrack-ftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references:

diff --git a/collection/file-managers/gather-ffftp-information.yml b/collection/file-managers/gather-ffftp-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: thread
+      dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores [T1555]
     references: