fix the scope of some rules with dependencies

ref: mandiant/capa#2124
mandiant · Jun 6, 2024 · e6befc9 · e6befc9
1 parent c454ffb
commit e6befc9
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 9 deletions.
diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml
@@ -5,7 +5,7 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     att&ck:
       - Collection::Input Capture::Keylogging [T1056.001]

diff --git a/host-interaction/gui/set-application-hook.yml b/host-interaction/gui/set-application-hook.yml
@@ -5,12 +5,11 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: thread
+      static: instruction
+      dynamic: call
     examples:
       - Practical Malware Analysis Lab 12-03.exe_:0x401000
   features:
-    - and:
-      - or:
-        - api: user32.SetWindowsHookEx
-        - api: user32.UnhookWindowsHookEx
+    - or:
+      - api: user32.SetWindowsHookEx
+      - api: user32.UnhookWindowsHookEx
diff --git a/linking/runtime-linking/link-function-at-runtime-on-windows.yml b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
@@ -6,8 +6,8 @@ rule:
       - moritz.raabe@mandiant.com
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: unsupported  # requires characteristic features
+      static: instruction
+      dynamic: call
     att&ck:
       - Execution::Shared Modules [T1129]
     examples: