v9.3.1

Summary

Added: 0 rules
Modified: 0 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v9.3.0...v9.3.1

v9.3.0

Summary

Added: 21 rules
Modified: 10 rules
Renamed: 4 rules
Deleted: 0 rules

Detailed release changes: rules v9.2.1...v9.3.0

Added rules (21)

• anti-analysis/anti-av/patch-bitdefender-hooking-dll-function.yml
• anti-analysis/anti-forensic/disable-powershell-transcription.yml
• anti-analysis/anti-vm/vm-detection/detect-mouse-movement-via-activity-checks-on-windows.yml
• anti-analysis/packer/dxpack/packed-with-dxpack.yml
• collection/keylog/log-keystrokes-via-direct-input.yml
• host-interaction/file-system/use-io_uring-io-interface-on-linux.yml
• host-interaction/network/enumerate-tcp-connections-via-wmi-com-api.yml
• host-interaction/network/routing-table/create-routing-table-entry.yml
• host-interaction/powershell/bypass-powershell-constrained-language-mode-via-getsystemlockdownpolicy-patch.yml
• linking/static/eclipse-paho-mqtt-c/linked-against-eclipse-paho-mqtt-c.yml
• linking/static/funchook/linked-against-funchook.yml
• linking/static/grpc/linked-against-grpc.yml
• linking/static/plthook/linked-against-plthook.yml
• linking/static/qmqtt/linked-against-qmqtt.yml
• load-code/execute-jscript-via-vsaengine-in-dotnet.yml
• nursery/acquire-load-driver-privileges.yml
• nursery/communicate-using-ftp.yml
• nursery/compiled-from-fsharp.yml
• nursery/create-executable-heap.yml
• nursery/decrypt-data-using-aes-via-dotnet.yml
• nursery/get-dotnet-assembly-entry-point.yml

Modified rules (10)

• anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
• communication/http/client/receive-http-response.yml
• communication/http/client/send-http-request.yml
• communication/http/reference-http-user-agent-string.yml
• data-manipulation/hashing/sha256/hash-data-using-sha256.yml
• data-manipulation/json/use-dotnet-library-newtonsoftjson.yml
• host-interaction/filter/enumerate-minifilter-drivers.yml
• host-interaction/process/modify/acquire-debug-privileges.yml
• host-interaction/process/terminate/terminate-process.yml
• load-code/shellcode/execute-shellcode-via-windows-callback-function.yml

Renamed rules (4)

• collection/keylog/register-raw-input-devices.yml (was nursery/register-raw-input-devices.yml)
• host-interaction/network/routing-table/get-routing-table.yml (was nursery/get-routing-table.yml)
• host-interaction/user/impersonate-user.yml (was nursery/impersonate-user.yml)
• linking/static/hp-socket/linked-against-hp-socket.yml (was nursery/linked-against-hp-socket.yml)

v9.2.1

Summary

Added: 0 rules
Modified: 0 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v9.2.0...v9.2.1

v9.2.0

Summary

Added: 21 rules
Modified: 46 rules
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v9.1.0...v9.2.0

Added rules (21)

• anti-analysis/anti-forensic/unload-sysmon.yml
• communication/socket/connect-socket.yml
• communication/socket/udp/connect-udp-socket.yml
• data-manipulation/encryption/chaskey/encrypt-data-using-chaskey.yml
• data-manipulation/encryption/speck/encrypt-data-using-speck.yml
• exploitation/enumeration/make-suspicious-ntquerysysteminformation-call.yml
• exploitation/gadgets/load-ntoskrnl.yml
• exploitation/gadgets/resolve-ntoskrnl-gadgets.yml
• exploitation/spraying/make-suspicious-ntfscontrolfile-call.yml
• host-interaction/file-system/write/clear-file-content.yml
• host-interaction/filter/unload-minifilter-driver.yml
• load-code/dotnet/load-assembly-via-iassembly.yml
• malware-family/donut-loader/load-shellcode-via-donut.yml
• nursery/decrypt-data-using-tripledes-in-dotnet.yml
• nursery/disable-device-guard-features-via-registry-on-windows.yml
• nursery/disable-firewall-features-via-registry-on-windows.yml
• nursery/disable-system-features-via-registry-on-windows.yml
• nursery/disable-system-restore-features-via-registry-on-windows.yml
• nursery/disable-windows-defender-features-via-registry-on-windows.yml
• nursery/encrypt-data-using-tripledes-in-dotnet.yml
• nursery/enter-debug-mode-in-dotnet.yml

Modified rules (46)

• anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
• anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs-remotely.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-parallels.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-qemu.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualpc.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
• communication/dns/reference-dns-over-https-endpoints.yml
• communication/http/server/receive-http-request.yml
• communication/socket/tcp/connect-tcp-socket.yml
• communication/socket/tcp/create-tcp-socket.yml
• data-manipulation/compression/decompress-data-using-aplib.yml
• host-interaction/bootloader/manipulate-boot-configuration.yml
• host-interaction/driver/disable-driver-code-integrity.yml
• host-interaction/gui/taskbar/find/find-taskbar.yml
• host-interaction/gui/window/find/find-graphical-window.yml
• host-interaction/mutex/check-mutex-on-windows.yml
• host-interaction/mutex/create-or-open-mutex-on-windows.yml
• host-interaction/network/address/get-local-ipv4-addresses.yml
• host-interaction/process/inject/allocate-or-change-rwx-memory.yml
• host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
• linking/runtime-linking/link-function-at-runtime-on-windows.yml
• nursery/enumerate-device-drivers-on-windows.yml
• nursery/impersonate-user.yml
• nursery/persist-via-appcertdlls-registry-key.yml
• nursery/persist-via-autodialdll-registry-key.yml
• nursery/persist-via-bootverificationprogram-registry-key.yml
• nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
• nursery/persist-via-errorhandler-script.yml
• nursery/persist-via-get-variable-hijack.yml
• nursery/persist-via-lsa-registry-key.yml
• nursery/persist-via-natural-language-registry-key.yml
• nursery/persist-via-network-provider-registry-key.yml
• [nursery/persist-via-powershell-prof...

v9.1.0

Summary

Added: 2 rules
Modified: 51 rules
Renamed: 3 rules
Deleted: 0 rules

Detailed release changes: rules v9.0.0...v9.1.0

Added rules (2)

• anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs-remotely.yml
• host-interaction/registry/change-registry-key-timestamp.yml

Modified rules (51)

• anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
• host-interaction/process/create/create-process-suspended.yml
• host-interaction/process/inject/inject-apc.yml
• lib/write-process-memory.yml
• nursery/check-for-windows-sandbox-via-mutex.yml
• nursery/persist-via-aedebug-registry-key.yml
• nursery/persist-via-amsi-registry-key.yml
• nursery/persist-via-app-paths-registry-key.yml
• nursery/persist-via-appcertdlls-registry-key.yml
• nursery/persist-via-application-shimming.yml
• nursery/persist-via-appx-registry-key.yml
• nursery/persist-via-autodialdll-registry-key.yml
• nursery/persist-via-autoplayhandlers-registry-key.yml
• nursery/persist-via-bootverificationprogram-registry-key.yml
• nursery/persist-via-code-signing-registry-key.yml
• nursery/persist-via-com-hijack.yml
• nursery/persist-via-command-processor-registry-key.yml
• nursery/persist-via-contextmenuhandlers-registry-key.yml
• nursery/persist-via-cor_profiler_path-registry-value.yml
• nursery/persist-via-default-file-association-registry-key.yml
• nursery/persist-via-disk-cleanup-handler-registry-key.yml
• nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
• nursery/persist-via-dotnet_startup_hooks-registry-key.yml
• nursery/persist-via-explorer-tools-registry-key.yml
• nursery/persist-via-filter-handlers-registry-key.yml
• nursery/persist-via-group-policy-registry-key.yml
• nursery/persist-via-hhctrl-com-hijack.yml
• nursery/persist-via-htmlhelp-author-registry-key.yml
• nursery/persist-via-image-file-execution-options-registry-key.yml
• nursery/persist-via-lsa-registry-key.yml
• nursery/persist-via-natural-language-registry-key.yml
• nursery/persist-via-netsh-registry-key.yml
• nursery/persist-via-network-provider-registry-key.yml
• nursery/persist-via-path-registry-key.yml
• nursery/persist-via-print-monitors-registry-key.yml
• nursery/persist-via-print-processors-registry-key.yml
• nursery/persist-via-rdp-startup-programs-registry-key.yml
• nursery/persist-via-screensaver-registry-key.yml
• nursery/persist-via-silentprocessexit-registry-key.yml
• nursery/persist-via-telemetrycontroller-registry-key.yml
• nursery/persist-via-timeproviders-registry-key.yml
• nursery/persist-via-ts-initialprogram-registry-key.yml
• nursery/persist-via-userinitmprlogonscript-registry-value.yml
• nursery/persist-via-windows-error-reporting-registry-key.yml
• persistence/registry/appinitdlls/persist-via-appinit_dlls-registry-key.yml
• persistence/registry/ginadll/persist-via-ginadll-registry-key.yml
• persistence/registry/persist-via-active-setup-registry-key.yml
• persistence/registry/run/persist-via-run-registry-key.yml
• persistence/registry/winlogon-helper/persist-via-winlogon-helper-dll-registry-key.yml
• persistence/scheduled-tasks/schedule-task-via-schtasks.yml
• persistence/service/persist-via-windows-service.yml

Renamed rules (3)

• host-interaction/mutex/check-mutex-and-terminate-process-on-windows.yml (was host-interaction/mutex/check-mutex.yml)
• host-interaction/mutex/check-mutex-on-windows.yml (was host-interaction/mutex/check-mutex-and-exit.yml)
• host-interaction/mutex/create-or-open-mutex-on-windows.yml (was host-interaction/mutex/create-mutex.yml)

v9.0.0

Summary

Added: 3 rules
Modified: 375 rules
Renamed: 9 rules
Deleted: 0 rules

Detailed release changes: rules v8.0.1...v9.0.0

Added rules (3)

• data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
• data-manipulation/encryption/use-bigint-function.yml
• internal/limitation/dynamic/internal-dotnet-file-limitation.yml

Modified rules (375)

• anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
• anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
• anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
• anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
• anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
• anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
• anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
• anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
• anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
• anti-analysis/anti-forensic/impersonate-file-version-information.yml
• anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
• anti-analysis/anti-forensic/self-deletion/self-delete.yml
• anti-analysis/anti-forensic/timestomp/timestomp-file.yml
• anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
• anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
• anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
• anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
• collection/acquire-credentials-from-windows-credential-manager.yml
• collection/browser/gather-firefox-profile-information.yml
• collection/database/sql/reference-sql-statements.yml
• collection/database/wmi/reference-wmi-statements.yml
• collection/file-managers/gather-3d-ftp-information.yml
• collection/file-managers/gather-alftp-information.yml
• collection/file-managers/gather-bitkinex-information.yml
• collection/file-managers/gather-blazeftp-information.yml
• collection/file-managers/gather-bulletproof-ftp-information.yml
• collection/file-managers/gather-classicftp-information.yml
• collection/file-managers/gather-coreftp-information.yml
• collection/file-managers/gather-cuteftp-information.yml
• collection/file-managers/gather-cyberduck-information.yml
• collection/file-managers/gather-direct-ftp-information.yml
• collection/file-managers/gather-directory-opus-information.yml
• collection/file-managers/gather-expandrive-information.yml
• collection/file-managers/gather-faststone-browser-information.yml
• collection/file-managers/gather-fasttrack-ftp-information.yml
• collection/file-managers/gather-ffftp-information.yml
• collection/file-managers/gather-filezilla-information.yml
• [collection/file-managers/gather-flashfxp-information.yml](https://github.com/mandiant/capa-r...

v8.0.1

Summary

Added: 0 rules
Modified: 0 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v8.0.0...v8.0.1

v8.0.0

Summary

Added: 54 rules
Modified: 21 rules
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v7.4.0...v8.0.0

Added rules (54)

• collection/browser/get-chrome-cookiemonster.yml
• collection/browser/get-elevation-service-for-chromium-based-browsers.yml
• collection/get-steam-token.yml
• linking/static/touchsocket/linked-against-touchsocket.yml
• nursery/get-shadow-password-file-entry-on-linux.yml
• nursery/persist-via-aedebug-registry-key.yml
• nursery/persist-via-amsi-registry-key.yml
• nursery/persist-via-app-paths-registry-key.yml
• nursery/persist-via-appcertdlls-registry-key.yml
• nursery/persist-via-application-shimming.yml
• nursery/persist-via-appx-registry-key.yml
• nursery/persist-via-autodialdll-registry-key.yml
• nursery/persist-via-autoplayhandlers-registry-key.yml
• nursery/persist-via-bits-job.yml
• nursery/persist-via-bootverificationprogram-registry-key.yml
• nursery/persist-via-code-signing-registry-key.yml
• nursery/persist-via-com-hijack.yml
• nursery/persist-via-command-processor-registry-key.yml
• nursery/persist-via-contextmenuhandlers-registry-key.yml
• nursery/persist-via-cor_profiler_path-registry-value.yml
• nursery/persist-via-default-file-association-registry-key.yml
• nursery/persist-via-disk-cleanup-handler-registry-key.yml
• nursery/persist-via-dotnet-dbgmanageddebugger-registry-key.yml
• nursery/persist-via-dotnet_startup_hooks-registry-key.yml
• nursery/persist-via-errorhandler-script.yml
• nursery/persist-via-explorer-tools-registry-key.yml
• nursery/persist-via-filter-handlers-registry-key.yml
• nursery/persist-via-get-variable-hijack.yml
• nursery/persist-via-group-policy-registry-key.yml
• nursery/persist-via-hhctrl-com-hijack.yml
• nursery/persist-via-htmlhelp-author-registry-key.yml
• nursery/persist-via-image-file-execution-options-registry-key.yml
• nursery/persist-via-iphlpapi-dll-hijack.yml
• nursery/persist-via-lnk-shortcut.yml
• nursery/persist-via-lsa-registry-key.yml
• nursery/persist-via-natural-language-registry-key.yml
• nursery/persist-via-netsh-registry-key.yml
• nursery/persist-via-network-provider-registry-key.yml
• nursery/persist-via-path-registry-key.yml
• nursery/persist-via-powershell-profile.yml
• nursery/persist-via-print-monitors-registry-key.yml
• nursery/persist-via-print-processors-registry-key.yml
• nursery/persist-via-rdp-startup-programs-registry-key.yml
• nursery/persist-via-silentprocessexit-registry-key.yml
• nursery/persist-via-telemetrycontroller-registry-key.yml
• nursery/persist-via-timeproviders-registry-key.yml
• nursery/persist-via-ts-initialprogram-registry-key.yml
• nursery/persist-via-userinitmprlogonscript-registry-value.yml
• nursery/persist-via-windows-accessibility-tools.yml
• nursery/persist-via-windows-error-reporting-registry-key.yml
• nursery/persist-via-windows-terminal-profile.yml
• nursery/set-shadow-password-file-entry-on-linux.yml
• nursery/write-to-browser-extension-directory.yml
• runtime/dotnet/compiled-with-dotnet-aot.yml

Modified rules (21)

• anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
• data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
• host-interaction/file-system/copy/copy-file.yml
• host-interaction/file-system/move/move-file.yml
• host-interaction/file-system/write/write-file-on-windows.yml
• host-interaction/process/get-process-filename.yml
• host-interaction/registry/create/set-registry-value.yml
• [h...

v7.4.0

Summary

Added: 14 rules
Modified: 2 rules
Renamed: 0 rules
Deleted: 0 rules

Detailed release changes: rules v7.3.0...v7.4.0

Added rules (14)

• anti-analysis/packer/nmm-protect/packed-with-nmm-protect.yml
• host-interaction/driver/complete-processing-asynchronous-io-request.yml
• host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
• host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
• host-interaction/os/hide-shutdown-actions-via-policy.yml
• host-interaction/process/get-process-filename.yml
• host-interaction/registry/open-recentdocs-registry-key.yml
• linking/runtime-linking/populate-syswhispers2-syscall-list.yml
• nursery/access-unmanaged-com-objects-in-dotnet.yml
• nursery/implement-ui-automation-client-in-dotnet.yml
• nursery/interact-with-shortcut-via-iwshshortcut-in-dotnet.yml
• nursery/interact-with-windows-scripting-host-in-dotnet.yml
• nursery/use-dotnet-library-simplejson.yml
• nursery/use-dotnet-library-websocket-sharp.yml

Modified rules (2)

• anti-analysis/anti-vm/vm-detection/check-for-unmoving-mouse-cursor.yml
• nursery/execute-syscall.yml

v7.3.0

Summary

Added: 6 rules
Modified: 1 rule
Renamed: 1 rule
Deleted: 0 rules

Detailed release changes: rules v7.2.0...v7.3.0

Added rules (6)

• host-interaction/network/traffic/filter/delete-network-filter-via-wfp-api.yml
• host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
• linking/static/minhook/linked-against-minhook.yml
• linking/static/sqlite3/linked-against-sqlcipher.yml
• nursery/check-thread-suspend-count-exceeded.yml
• nursery/create-thread-bypassing-process-freeze.yml

Modified rules (1)

• data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml

Renamed rules (1)

• host-interaction/hardware/firmware/get-system-firmware-table.yml (was nursery/get-system-firmware-table.yml)