Merge pull request #908 from mandiant/fix/dependency-scopes

fix the scope of some rules with dependencies
mandiant · Jun 14, 2024 · e63c454 · e63c454
2 parents ea14b38 + 0c7d1bd
commit e63c454
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 15 deletions.
diff --git a/collection/keylog/log-keystrokes-via-application-hook.yml b/collection/keylog/log-keystrokes-via-application-hook.yml
@@ -5,7 +5,7 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
+      static: basic block
       dynamic: call
     att&ck:
       - Collection::Input Capture::Keylogging [T1056.001]

diff --git a/host-interaction/gui/set-application-hook.yml b/host-interaction/gui/set-application-hook.yml
@@ -5,12 +5,11 @@ rule:
     authors:
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: thread
+      static: instruction
+      dynamic: call
     examples:
       - Practical Malware Analysis Lab 12-03.exe_:0x401000
   features:
-    - and:
-      - or:
-        - api: user32.SetWindowsHookEx
-        - api: user32.UnhookWindowsHookEx
+    - or:
+      - api: user32.SetWindowsHookEx
+      - api: user32.UnhookWindowsHookEx
diff --git a/linking/runtime-linking/link-function-at-runtime-on-windows.yml b/linking/runtime-linking/link-function-at-runtime-on-windows.yml
@@ -6,8 +6,8 @@ rule:
       - moritz.raabe@mandiant.com
       - michael.hunhoff@mandiant.com
     scopes:
-      static: function
-      dynamic: unsupported  # requires characteristic features
+      static: instruction
+      dynamic: call
     att&ck:
       - Execution::Shared Modules [T1129]
     examples:
@@ -19,9 +19,3 @@ rule:
       - or:
         - api: kernel32.GetProcAddress
         - api: ntdll.LdrGetProcedureAddress
-      - optional:
-        - characteristic: indirect call
-        - api: kernel32.LoadLibrary
-        - api: kernel32.GetModuleHandle
-        - api: kernel32.GetModuleHandleEx
-        - api: ntdll.LdrLoadDll