fix some dynamic unsupported rules

mandiant · Oct 26, 2023 · 1df337f · 1df337f
1 parent d2bdc2e
commit 1df337f
Show file tree

Hide file tree

Showing 19 changed files with 23 additions and 19 deletions.
diff --git a/collection/credit-card/parse-credit-card-information.yml b/collection/credit-card/parse-credit-card-information.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: unsupported  # requires mnemonic, Not features
+      dynamic: unsupported  # requires mnemonic features
     mbc:
       - Data::Check String [C0019]
     examples:

diff --git a/compiler/vb/compiled-from-visual-basic.yml b/compiler/vb/compiled-from-visual-basic.yml
@@ -6,7 +6,7 @@ rule:
       - "@williballenthin"
     scopes:
       static: file
-      dynamic: unsupported  # requires import features
+      dynamic: file
     examples:
       - 9bca6b99e7981208af4c7925b96fb9cf
   features:

diff --git a/data-manipulation/hashing/md5/hash-data-with-md5.yml b/data-manipulation/hashing/md5/hash-data-with-md5.yml
@@ -8,7 +8,7 @@ rule:
       - [email protected]
     scopes:
       static: function
-      dynamic: unsupported  # requires offset, Not features
+      dynamic: thread
     mbc:
       - Cryptography::Cryptographic Hash::MD5 [C0029.001]
     references:
@@ -34,6 +34,10 @@ rule:
         - and:
           - number: 0x8003 = CALG_MD5
           - api: advapi32.CryptCreateHash
+      - call:
+        - and:
+          - number: 0x8003 = CALG_MD5
+          - api: advapi32.CryptCreateHash
       - and:
         - format: dotnet
         - or:

diff --git a/host-interaction/service/run-as-service.yml b/host-interaction/service/run-as-service.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unspecified  # TODO upgrade manually, contains subscope
+      dynamic: file
     mbc:
       - Anti-Behavioral Analysis::Conditional Execution::Runs as Service [B0025.007]
     examples:

diff --git a/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml b/lib/validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
@@ -6,7 +6,7 @@ rule:
     lib: true
     scopes:
       static: function
-      dynamic: unsupported  # requires characteristic, offset, mnemonic, Not features
+      dynamic: unsupported  # requires characteristic, offset, mnemonic features
     mbc:
       - Data::Checksum::Luhn [C0032.002]
     examples:

diff --git a/load-code/pe/enumerate-pe-sections.yml b/load-code/pe/enumerate-pe-sections.yml
@@ -7,7 +7,7 @@ rule:
       - "@mr-tz"
     scopes:
       static: function
-      dynamic: unsupported  # requires offset, Not, operand[1].offset, characteristic, mnemonic, basicblock features
+      dynamic: unsupported  # requires offset, operand[1].offset, characteristic, mnemonic, basicblock features
     mbc:
       - Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
     references:

diff --git a/nursery/implement-com-dll.yml b/nursery/implement-com-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     references:
       - https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject
   features:

diff --git a/nursery/inspect-load-icon-resource.yml b/nursery/inspect-load-icon-resource.yml
@@ -7,7 +7,7 @@ rule:
       - [email protected]
     scopes:
       static: basic block
-      dynamic: unsupported  # requires Not, mnemonic features
+      dynamic: unsupported  # requires mnemonic features
   features:
     # check if call to LoadIcon fails when first argument is NULL
     # and second argument is not a valid predefined icon - LoadIcon

diff --git a/nursery/reference-base58-string.yml b/nursery/reference-base58-string.yml
@@ -7,7 +7,7 @@ rule:
     description: Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0, I, O, and l). Base58 is used to represent bitcoin addresses.
     scopes:
       static: file
-      dynamic: unsupported  # requires  features
+      dynamic: file
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:

diff --git a/persistence/act-as-dhcp-server-callout-dll.yml b/persistence/act-as-dhcp-server-callout-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Server Software Component [T1505]
     references:

diff --git a/persistence/act-as-dns-server-plugin-dll.yml b/persistence/act-as-dns-server-plugin-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Server Software Component [T1505]
     references:

diff --git a/persistence/authentication-process/act-as-credential-manager-dll.yml b/persistence/authentication-process/act-as-credential-manager-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008]
     examples:

diff --git a/persistence/authentication-process/act-as-password-filter-dll.yml b/persistence/authentication-process/act-as-password-filter-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Modify Authentication Process::Password Filter DLL [T1556.002]
     examples:

diff --git a/persistence/authentication-process/act-as-security-support-provider-dll.yml b/persistence/authentication-process/act-as-security-support-provider-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005]
     references:

diff --git a/persistence/authentication-process/act-as-subauthentication-package-dll.yml b/persistence/authentication-process/act-as-subauthentication-package-dll.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002]
     references:

diff --git a/persistence/iis/persist-via-iis-module.yml b/persistence/iis/persist-via-iis-module.yml
@@ -7,7 +7,7 @@ rule:
     description: IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters.
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Server Software Component::IIS Components [T1505.004]
     examples:

diff --git a/persistence/iis/persist-via-isapi-extension.yml b/persistence/iis/persist-via-isapi-extension.yml
@@ -7,7 +7,7 @@ rule:
     description: Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests.
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Server Software Component::IIS Components [T1505.004]
     examples:

diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Office Application Startup::Add-ins [T1137.006]
     references:

diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml
@@ -6,7 +6,7 @@ rule:
       - [email protected]
     scopes:
       static: file
-      dynamic: unsupported  # requires export features
+      dynamic: file
     att&ck:
       - Persistence::Office Application Startup::Add-ins [T1137.006]
     references: