From 54308899027bf3c43e41067b0f986f1be55449ee Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Fri, 24 Nov 2023 11:51:37 +0100
Subject: [PATCH] update scopes

---
 .../anti-av/patch-antimalware-scan-interface-function.yml | 4 +++-
 .../encoding/encode-data-using-add-xor-sub-operations.yml | 4 +++-
 .../bundled-with-dotnet-single-file-deployment.yml | 4 +++-
 .../internal-dotnet-single-file-deployment-limitation.yml | 4 +++-
 nursery/access-camera-in-dotnet-on-android.yml | 4 +++-
 nursery/capture-microphone-audio-in-dotnet-on-android.yml | 4 +++-
 nursery/capture-screenshot-in-dotnet-on-android.yml | 4 +++-
 nursery/check-for-incoming-call-in-dotnet-on-android.yml | 4 +++-
 nursery/check-for-outgoing-call-in-dotnet-on-android.yml | 4 +++-
 nursery/compiled-with-xamarin.yml | 4 +++-
 nursery/get-os-version-in-dotnet-on-android.yml | 4 +++-
 11 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 14130f2d..446a093d 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -4,7 +4,9 @@ rule:
 namespace: anti-analysis/anti-av
 authors:
 - jakub.jozwiak@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: thread
 att&ck:
 - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
diff --git a/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml b/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
index 6c4455c2..214e4fdd 100644
--- a/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
+++ b/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
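Review bot: `dynamic: thread` makes this the only function-scoped rule in the commit whose dynamic scope is not `unsupported`, and the feature block that would justify that choice lies outside the hunk. If the rule matches on static-only features (mnemonic, basic block, characteristic, as the sibling hunks note), the line should instead read `dynamic: unsupported  # requires <feature> feature`; if it matches on API calls alone, a trailing comment such as `dynamic: thread  # api features only` would record why this rule differs from its siblings. Either way, applying the `# requires ...` convention used on the other `unsupported` entries here saves the next reader from re-deriving the reasoning.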
@@ -5,7 +5,9 @@ rule:
 authors:
 - jakub.jozwiak@mandiant.com
 description: Data encoding using a sequence of ADD/XOR/SUB (or SUB/XOR/ADD) operations common for PlugX but also used by other malware families.
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires basic block, characteristic, mnemonic features
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
 mbc:
diff --git a/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml b/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml
index 799a0a57..99054c85 100644
--- a/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml
+++ b/executable/dotnet-singlefile/bundled-with-dotnet-single-file-deployment.yml
@@ -4,7 +4,9 @@ rule:
 namespace: executable/dotnet-singlefile
 authors:
 - sara.rincon@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 references:
 - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli
 - https://github.com/dotnet/runtime/blob/84de9b678613675e0444b265905c82d33dae33a8/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
diff --git a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
index f29348d0..a327840e 100644
--- a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
+++ b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
@@ -11,7 +11,9 @@ rule:
 The size of the single file in a self-contained application is large since it includes the runtime and the framework libraries.
 The main application and the libraries are contained in the overlay section.
 You may need to extract the runtime configuration files such as *.deps.json and *.runtimeconfig.json files to determine the main .NET library and extract it with the tool SingleFileExtractor.
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 examples:
 - 0da87fccbf7687a6c7ab38087dea8b8f32c2b1fb6546101485b7167d18d9c406
 features:
diff --git a/nursery/access-camera-in-dotnet-on-android.yml b/nursery/access-camera-in-dotnet-on-android.yml
index c2051be0..d4f24fff 100644
--- a/nursery/access-camera-in-dotnet-on-android.yml
+++ b/nursery/access-camera-in-dotnet-on-android.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/hardware/camera
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires .NET API feature
 features:
 - or:
 - api: Android.Hardware.Camera::Open
diff --git a/nursery/capture-microphone-audio-in-dotnet-on-android.yml b/nursery/capture-microphone-audio-in-dotnet-on-android.yml
index 802811f3..091ecdf6 100644
--- a/nursery/capture-microphone-audio-in-dotnet-on-android.yml
+++ b/nursery/capture-microphone-audio-in-dotnet-on-android.yml
@@ -4,7 +4,9 @@ rule:
 namespace: collection/microphone
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires .NET API features
 features:
 - and:
 - api: Android.Media.AudioRecord::StartRecording
diff --git a/nursery/capture-screenshot-in-dotnet-on-android.yml b/nursery/capture-screenshot-in-dotnet-on-android.yml
index 7e5bbb14..e8252926 100644
--- a/nursery/capture-screenshot-in-dotnet-on-android.yml
+++ b/nursery/capture-screenshot-in-dotnet-on-android.yml
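Review bot: The trailing comments on the new `dynamic: unsupported` lines are worded inconsistently: `# requires .NET API feature` in the access-camera hunk versus `# requires .NET API features` in the capture-microphone hunk, and the drift continues in the capture-screenshot, check-for-incoming-call, check-for-outgoing-call and get-os-version hunks (`feature`, `property`, `class features`). Pick one form that names the exact capa feature, e.g. `# requires api feature` / `# requires property/read feature` / `# requires class feature`, and apply it to every `unsupported` line so the reason is greppable across the rule set. The encode-data hunk's `# requires basic block, characteristic, mnemonic features` is the clearest model to follow.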
@@ -4,7 +4,9 @@ rule:
 namespace: collection/screenshot
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires .NET API feature
 features:
 - or:
 - api: Android.Media.Projection.MediaProjectionManager::CreateScreenCaptureIntent
diff --git a/nursery/check-for-incoming-call-in-dotnet-on-android.yml b/nursery/check-for-incoming-call-in-dotnet-on-android.yml
index 3c45983e..5158cf03 100644
--- a/nursery/check-for-incoming-call-in-dotnet-on-android.yml
+++ b/nursery/check-for-incoming-call-in-dotnet-on-android.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires property
 features:
 - and:
 - property/read: Android.Content.Intent::Action
diff --git a/nursery/check-for-outgoing-call-in-dotnet-on-android.yml b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml
index 936e49ed..72247007 100644
--- a/nursery/check-for-outgoing-call-in-dotnet-on-android.yml
+++ b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires property
 features:
 - and:
 - property/read: Android.Content.Intent::Action
diff --git a/nursery/compiled-with-xamarin.yml b/nursery/compiled-with-xamarin.yml
index a7494eb2..7e71d326 100644
--- a/nursery/compiled-with-xamarin.yml
+++ b/nursery/compiled-with-xamarin.yml
@@ -4,7 +4,9 @@ rule:
 namespace: compiler/xamarin
 authors:
 - michael.hunhoff@mandiant.com
- scope: file
+ scopes:
+ static: file
+ dynamic: file
 features:
 - or:
 - namespace: Xamarin.Essentials
diff --git a/nursery/get-os-version-in-dotnet-on-android.yml b/nursery/get-os-version-in-dotnet-on-android.yml
index a946512b..38c39fb0 100644
--- a/nursery/get-os-version-in-dotnet-on-android.yml
+++ b/nursery/get-os-version-in-dotnet-on-android.yml
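Review bot: `dynamic: file` in the compiled-with-xamarin hunk keeps dynamic matching enabled for a rule whose visible feature is `namespace: Xamarin.Essentials`, a .NET metadata feature of the same family as the `api:` and `class:` features that the sibling Android hunks mark `dynamic: unsupported`. It is not clear from the hunk that `namespace` is available to dynamic file-scope analysis; if it is not, the line should be `dynamic: unsupported  # requires namespace feature`, and if it is, a short trailing comment saying that file-scope .NET metadata is available dynamically would stop the same question being asked on the next review. The rest of the feature block is outside the hunk.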
@@ -4,7 +4,9 @@ rule:
 namespace: host-interaction/os/info
 authors:
 - michael.hunhoff@mandiant.com
- scope: function
+ scopes:
+ static: function
+ dynamic: unsupported # requires class features
 features:
 - and:
 - class: Android.OS.Build