make runtime linking rules more concise

mandiant · Jan 16, 2025 · 52b9f09 · 52b9f09
1 parent 1f4c7a4
commit 52b9f09
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 19 deletions.
diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml
@@ -7,24 +7,12 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: sequence
+      dynamic: thread
     att&ck:
       - Execution::Shared Modules [T1129]
     examples:
       - b7b5e1253710d8927cbe07d52d2d2e10:0x401000
   features:
     - or:
-      - and:
-        - os: windows
-        - match: link function at runtime on Windows
-        - or:
-          - count(api(kernel32.GetProcAddress)): 5 or more
-          - count(api(ntdll.LdrGetProcedureAddress)): 5 or more
-      - and:
-        - or:
-          - os: linux
-          - os: android
-        - match: link function at runtime on Linux
-        - or:
-          - count(api(dlsym)): 5 or more
-          - count(api(dlvsym)): 5 or more
+      - count(match(link function at runtime on Windows)): 5 or more
+      - count(match(link function at runtime on Linux)): 5 or more
diff --git a/nursery/link-function-at-runtime-on-linux.yml b/nursery/link-function-at-runtime-on-linux.yml
@@ -6,17 +6,14 @@ rule:
       - joakim@intezer.com
     scopes:
       static: function
-      dynamic: sequence
+      dynamic: call
     att&ck:
       - Execution::Shared Modules [T1129]
   features:
     - and:
       - or:
         - os: linux
         - os: android
-      - or:
-        - api: dlopen
-        - api: dlmopen
       - or:
         - api: dlsym
         - api: dlvsym