From 4449de5bc17f957f7a2b7bf8151b3a586432055b Mon Sep 17 00:00:00 2001
From: jorik <47347649+jorik-utwente@users.noreply.github.com>
Date: Thu, 31 Oct 2024 10:07:32 +0100
Subject: [PATCH] change scope to call for atomic operations
---
 host-interaction/file-system/copy/copy-file.yml | 11 +++++------
 host-interaction/file-system/move/move-file.yml | 9 ++++-----
 .../file-system/write/write-file-on-windows.yml | 11 +++++------
 .../registry/create/set-registry-value.yml | 2 +-
 4 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/host-interaction/file-system/copy/copy-file.yml b/host-interaction/file-system/copy/copy-file.yml
index ff047b0e..47326983 100644
--- a/host-interaction/file-system/copy/copy-file.yml
+++ b/host-interaction/file-system/copy/copy-file.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: call mbc: - File System::Copy File [C0045] examples:
@@ -26,8 +26,7 @@ rule: - number: 2 = FO_COPY - or: - api: kernel32.SHFileOperation - - call: - - and: - - number: 2 = FO_COPY - - or: - - api: kernel32.SHFileOperation + - and: + - number: 2 = FO_COPY + - or: + - api: kernel32.SHFileOperation
diff --git a/host-interaction/file-system/move/move-file.yml b/host-interaction/file-system/move/move-file.yml
index 757bcf34..834ebd2f 100644
--- a/host-interaction/file-system/move/move-file.yml
+++ b/host-interaction/file-system/move/move-file.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: call mbc: - File System::Move File [C0063] examples:
@@ -27,7 +27,6 @@ rule: - number: 1 = FO_MOVE - or: - api: kernel32.SHFileOperation - - call: - - and: - - number: 1 = FO_MOVE - - api: kernel32.SHFileOperation + - and: + - number: 1 = FO_MOVE + - api: kernel32.SHFileOperation
diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml
index d1cd4c8b..1f4a9630 100644
--- a/host-interaction/file-system/write/write-file-on-windows.yml
+++ b/host-interaction/file-system/write/write-file-on-windows.yml
@@ -7,7 +7,7 @@ rule: - anushka.virgaonkar@mandiant.com scopes: static: function - dynamic: thread + dynamic: call mbc: - File System::Writes File [C0052] examples:
@@ -24,11 +24,10 @@ rule: - number: 0x40000000 = GENERIC_WRITE - number: 0x2 = FILE_WRITE_DATA - match: create or open file - - call: - - or: - - number: 0x40000000 = GENERIC_WRITE - - number: 0x2 = FILE_WRITE_DATA - - match: create or open file + - or: + - number: 0x40000000 = GENERIC_WRITE + - number: 0x2 = FILE_WRITE_DATA + - match: create or open file - or: - api: kernel32.WriteFile - api: kernel32.WriteFileEx
diff --git a/host-interaction/registry/create/set-registry-value.yml b/host-interaction/registry/create/set-registry-value.yml
index 866a753b..20a5433c 100644
--- a/host-interaction/registry/create/set-registry-value.yml
+++ b/host-interaction/registry/create/set-registry-value.yml
@@ -7,7 +7,7 @@ rule: - michael.hunhoff@mandiant.com scopes: static: function - dynamic: thread + dynamic: call mbc: - Operating System::Registry::Set Registry Key [C0036.001] examples:
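Review bot: The four added lines in copy-file.yml's second hunk (`- and:` / `- number: 2 = FO_COPY` / `- or:` / `- api: kernel32.SHFileOperation`) repeat the three context lines directly above them, which by the hunk's line numbers are presumably the tail of a sibling `and:` branch that begins before the hunk; if both branches sit under the same parent `or:`, the new file carries the same `and` twice and the commit could simply delete the `- call:` subtree instead of rewriting it. Indentation is not recoverable from this rendering, so this is inferred from the line text rather than seen. move-file.yml's second hunk has the same shape, and there the replacement `- and:` also drops the `- or:` wrapper that its sibling branch and copy-file.yml keep, so the two rules end up structured differently for the same SHFileOperation pattern. The enclosing `features:` block starts outside both hunks.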
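Review bot: The `match: create or open file` reference kept on the new side of write-file-on-windows.yml's second hunk now lives in a rule whose dynamic scope is `call`, while the commit does not show the referenced rule's scopes; if that rule still declares `dynamic: thread`, as these four rules did before this commit, the branch containing the match presumably cannot fire at call scope, so its scope should be checked in the same change. The added `- or:` block also repeats the three context lines above it, the same apparent duplication as in copy-file.yml and move-file.yml. The enclosing `features:` block starts before the hunk.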
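Review bot: set-registry-value.yml only changes the `dynamic:` scope line and leaves its features untouched, unlike the other three files where the scope change is paired with removal of a `- call:` subscope. Since the features are not in the diff, it is worth confirming that they contain no `- call:` block, which would now be the same scope as the rule itself, and that any `and` combining `api` and `number` features is meant to hold within a single call, which is what the new scope requires. The rule's `features:` block is outside this hunk.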