tighten scopes

mandiant · Feb 3, 2025 · 4455439 · 4455439
1 parent 501ba74
commit 4455439
Show file tree

Hide file tree

Showing 9 changed files with 13 additions and 13 deletions.
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -6,8 +6,8 @@ rule:
       - michael.hunhoff@mandiant.com
       - jakub.jozwiak@mandiant.com
     scopes:
-      static: function
-      dynamic: span of calls
+      static: basic block
+      dynamic: call
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -6,7 +6,7 @@ rule:
       - william.ballenthin@mandiant.com
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]

diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -5,8 +5,8 @@ rule:
     authors:
       - richard.weiss@mandiant.com
     scopes:
-      static: function
-      dynamic: span of calls
+      static: basic block
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:

diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
@@ -5,8 +5,8 @@ rule:
     authors:
       - daniel.stepanic@elastic.co
     scopes:
-      static: function
-      dynamic: span of calls
+      static: basic block
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:

diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -6,8 +6,8 @@ rule:
       - william.ballenthin@mandiant.com
       - richard.weiss@mandiant.com
     scopes:
-      static: function
-      dynamic: span of calls
+      static: basic block
+      dynamic: call
     mbc:
       - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
     references:

diff --git a/host-interaction/process/inject/allocate-or-change-rwx-memory.yml b/host-interaction/process/inject/allocate-or-change-rwx-memory.yml
@@ -5,7 +5,7 @@ rule:
     authors:
       - "@mr-tz"
     scopes:
-      static: function
+      static: basic block
       dynamic: span of calls
     mbc:
       - Memory::Allocate Memory [C0007]

diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     lib: true
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     mbc:
       - Memory::Allocate Memory [C0007]

diff --git a/lib/allocate-or-change-rw-memory.yml b/lib/allocate-or-change-rw-memory.yml
@@ -6,7 +6,7 @@ rule:
       - "@mr-tz"
     lib: true
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     mbc:
       - Memory::Allocate Memory [C0007]

diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml
@@ -5,7 +5,7 @@ rule:
       - "@mr-tz"
     lib: true
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     mbc:
       - Memory::Change Memory Protection [C0008]