upgraded rules using script

anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
       - Anti-Behavioral Analysis::Sandbox Detection [B0007]

anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
     mbc:

anti-analysis/anti-av/protect-spawned-processes-with-mitigation-policies.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-av
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:

anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains unsupported feature property for dynamic scope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]
       - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]

anti-analysis/anti-debugging/debugger-detection/check-for-hardware-breakpoints.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-kernel-debugger-via-shared-user-data-structure.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified  # TODO upgrade manually, contains match
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-software-breakpoints.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-gettickcount.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
     examples:

anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified  # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-for-unexpected-memory-writes.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010]
     references:

anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:

anti-analysis/anti-debugging/debugger-detection/check-processdebugport.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
     references:

anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]
     examples:

anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:

anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate)
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     mbc:
       - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008]
     references:

anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-disasm
     authors:
       - [email protected]
-    scope: file
+    scopes:
+      static: file
+      dynamic: unspecified  # TODO upgrade manually, contains match
     mbc:
       - Anti-Static Analysis::Disassembler Evasion [B0012]
     examples:

anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-emulation/wine
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/clear-logs
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:

anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     att&ck:
       - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]
     references:

anti-analysis/anti-forensic/impersonate-file-version-information.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Indicator Removal [T1070]
     references:

anti-analysis/anti-forensic/patch-process-command-line.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains Subscope
     att&ck:
       - Defense Evasion::Process Injection [T1055]
     mbc:

anti-analysis/anti-forensic/self-deletion/self-delete.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
       - "@mr-tz"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
     mbc:

anti-analysis/anti-forensic/spoof-parent-pid.yml

@@ -5,7 +5,9 @@ rule:
     namespace: anti-analysis/anti-forensic
     authors:
       - [email protected]
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: call  # TODO check if scope thread instead
     att&ck:
       - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]
     references:

anti-analysis/anti-forensic/timestomp/timestomp-file.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-forensic/timestomp
     authors:
       - [email protected]
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Indicator Removal::Timestomp [T1070.006]
     examples:

anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - [email protected]
     description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains unsupported feature mnemonic for dynamic scope
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml

@@ -5,7 +5,9 @@ rule:
     authors:
       - "@_re_fox"
       - "[email protected]"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion [T1497]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - BitsOfBinary
-    scope: function
+    scopes:
+      static: function
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: basic block
+    scopes:
+      static: basic block
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:

anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-dns-suffix.yml

@@ -4,7 +4,9 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - "@_re_fox"
-    scope: function
+    scopes:
+      static: function
+      dynamic: unspecified  # TODO upgrade manually, contains match
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc: