remove redundant matches for dynamic scope (#987)

* remove redundant matches for dynamic scope * fix lints * fix lints * tighten scopes
mandiant · Feb 4, 2025 · 75c16e4 · 75c16e4
1 parent 13b6bc0
commit 75c16e4
Show file tree

Hide file tree

Showing 9 changed files with 80 additions and 81 deletions.
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scopes:
       static: function
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:
@@ -19,23 +19,14 @@ rule:
     examples:
       - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
   features:
-    - or:
-      - basic block:
-        - and:
-          - or:
-            - api: NtSetInformationThread
-            - api: ZwSetInformationThread
-          - number: 0x11 = ThreadHideFromDebugger
-      - call:
-        - and:
-          - or:
-            - api: NtSetInformationThread
-            - api: ZwSetInformationThread
-          - number: 0x11 = ThreadHideFromDebugger
-      - and:
-        - or:
-          - string: "NtSetInformationThread"
-          - string: "ZwSetInformationThread"
-        - match: link function at runtime on Windows
-        - api: GetCurrentThread
-        - number: 0x11 = ThreadHideFromDebugger
+    - and:
+      - or:
+        - api: NtSetInformationThread
+        - api: ZwSetInformationThread
+        - basic block:
+          - and:
+            - or:
+              - string: "NtSetInformationThread"
+              - string: "ZwSetInformationThread"
+            - match: link function at runtime on Windows
+      - number: 0x11 = ThreadHideFromDebugger
diff --git a/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml b/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
@@ -24,12 +24,13 @@ rule:
       - api: System.Security.Cryptography.ProtectedData::Protect
       - api: SystemFunction040
       - api: SystemFunction041
-      - and:
-        - match: link function at runtime on Windows
-        - or:
-          # RtlEncryptMemory is available as SystemFunction040 export in Advapi32.dll
-          # CryptProtectMemory is a wrapper function for SystemFunction040
-          - string: "SystemFunction040"
-          # RtlDecryptMemory is available as SystemFunction041 export in Advapi32.dll
-          # CryptUnprotectMemory is a wrapper function for SystemFunction041
-          - string: "SystemFunction041"
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - or:
+            # RtlEncryptMemory is available as SystemFunction040 export in Advapi32.dll
+            # CryptProtectMemory is a wrapper function for SystemFunction040
+            - string: "SystemFunction040"
+            # RtlDecryptMemory is available as SystemFunction041 export in Advapi32.dll
+            # CryptUnprotectMemory is a wrapper function for SystemFunction041
+            - string: "SystemFunction041"
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -6,7 +6,7 @@ rule:
       - richard.weiss@mandiant.com
     scopes:
       static: function
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:
@@ -20,9 +20,10 @@ rule:
   features:
     - or:
       - api: SystemFunction032
-      - and:
-        - match: link function at runtime on Windows
-        - string: "SystemFunction032"
-        - optional:
-          - string: /advapi32/i
-          - string: /cryptsp/i
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - string: "SystemFunction032"
+          - optional:
+            - string: /advapi32/i
+            - string: /cryptsp/i
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
@@ -6,7 +6,7 @@ rule:
       - daniel.stepanic@elastic.co
     scopes:
       static: function
-      dynamic: span of calls
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:
@@ -19,9 +19,10 @@ rule:
   features:
     - or:
       - api: SystemFunction033
-      - and:
-        - match: link function at runtime on Windows
-        - string: "SystemFunction033"
-        - optional:
-          - string: /advapi32/i
-          - string: /cryptsp/i
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - string: "SystemFunction033"
+          - optional:
+            - string: /advapi32/i
+            - string: /cryptsp/i
diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
@@ -7,7 +7,7 @@ rule:
       - richard.weiss@mandiant.com
     scopes:
       static: function
-      dynamic: span of calls
+      dynamic: call
     mbc:
       - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003]
     references:
@@ -19,9 +19,10 @@ rule:
   features:
     - or:
       - api: SystemFunction036
-      - and:
-        - match: link function at runtime on Windows
-        - string: "SystemFunction036"
-        - optional:
-          - string: /advapi32/i
-          - string: /cryptsp/i
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - string: "SystemFunction036"
+          - optional:
+            - string: /advapi32/i
+            - string: /cryptsp/i
diff --git a/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml b/host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
@@ -16,4 +16,4 @@ rule:
       - string: "sfc_os.dll"
         description: System File Checker
       - number: 0x2 = SfcTerminateWatcherThread
-      - match: linking/runtime-linking
+      - match: link function at runtime on Windows
diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml
@@ -22,13 +22,14 @@ rule:
       - api: ZwAllocateVirtualMemory
       - api: NtMapViewOfSection
       - api: ZwMapViewOfSection
-      - and:
-        - match: link function at runtime on Windows
-        - or:
-          - string: "VirtualAlloc"
-          - string: "VirtualAllocEx"
-          - string: "VirtualAllocExNuma"
-          - string: "NtAllocateVirtualMemory"
-          - string: "ZwAllocateVirtualMemory"
-          - string: "NtMapViewOfSection"
-          - string: "ZwMapViewOfSection"
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - or:
+            - string: "VirtualAlloc"
+            - string: "VirtualAllocEx"
+            - string: "VirtualAllocExNuma"
+            - string: "NtAllocateVirtualMemory"
+            - string: "ZwAllocateVirtualMemory"
+            - string: "NtMapViewOfSection"
+            - string: "ZwMapViewOfSection"
diff --git a/lib/change-memory-protection.yml b/lib/change-memory-protection.yml
@@ -17,10 +17,11 @@ rule:
       - api: kernel32.VirtualProtectEx
       - api: NtProtectVirtualMemory
       - api: ZwProtectVirtualMemory
-      - and:
-        - match: link function at runtime on Windows
-        - or:
-          - string: "VirtualProtect"
-          - string: "VirtualProtectEx"
-          - string: "NtProtectVirtualMemory"
-          - string: "ZwProtectVirtualMemory"
+      - basic block:
+        - and:
+          - match: link function at runtime on Windows
+          - or:
+            - string: "VirtualProtect"
+            - string: "VirtualProtectEx"
+            - string: "NtProtectVirtualMemory"
+            - string: "ZwProtectVirtualMemory"
diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml
@@ -26,23 +26,25 @@ rule:
           - api: mscoree.CorBindToRuntimeByCfg
           - api: mscoree.CorBindToCurrentRuntime
           - api: ole32.CoCreateInstance
-          - and:
-            - or:
-              - string: "CorBindToRuntime"
-              - string: "CorBindToRuntimeEx"
-              - string: "CorBindToRuntimeHost"
-              - string: "CorBindToRuntimeByCfg"
-              - string: "CorBindToCurrentRuntime"
-              - string: "CoCreateInstance"
-            - match: link function at runtime on Windows
+          - basic block:
+            - and:
+              - or:
+                - string: "CorBindToRuntime"
+                - string: "CorBindToRuntimeEx"
+                - string: "CorBindToRuntimeHost"
+                - string: "CorBindToRuntimeByCfg"
+                - string: "CorBindToCurrentRuntime"
+                - string: "CoCreateInstance"
+              - match: link function at runtime on Windows
         - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost
         - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost
       - and:
         - description: .NET Framework version 4.x
         - or:
           - api: mscoree.CLRCreateInstance
-          - and:
-            - string: "CLRCreateInstance"
-            - match: link function at runtime on Windows
+          - basic block:
+            - and:
+              - string: "CLRCreateInstance"
+              - match: link function at runtime on Windows
         - bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost
         - bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost