v9.0.0

Summary

Added: 3 rules
Modified: 375 rules
Renamed: 9 rules
Deleted: 0 rules

Detailed release changes: rules v8.0.1...v9.0.0

Added rules (3)

• data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
• data-manipulation/encryption/use-bigint-function.yml
• internal/limitation/dynamic/internal-dotnet-file-limitation.yml

Modified rules (375)

• anti-analysis/anti-av/check-for-sandbox-and-av-modules.yml
• anti-analysis/anti-av/overwrite-dll-text-section-to-remove-hooks.yml
• anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
• anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
• anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml
• anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
• anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
• anti-analysis/anti-emulation/wine/check-if-process-is-running-under-wine.yml
• anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
• anti-analysis/anti-forensic/crash-the-windows-event-logging-service.yml
• anti-analysis/anti-forensic/impersonate-file-version-information.yml
• anti-analysis/anti-forensic/self-deletion/self-delete-using-alternate-data-streams.yml
• anti-analysis/anti-forensic/self-deletion/self-delete.yml
• anti-analysis/anti-forensic/timestomp/timestomp-file.yml
• anti-analysis/anti-vm/vm-detection/check-for-microsoft-office-emulation.yml
• anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-device.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-process-name.yml
• anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-registry.yml
• anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
• anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-virtualbox.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
• anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-xen.yml
• collection/acquire-credentials-from-windows-credential-manager.yml
• collection/browser/gather-firefox-profile-information.yml
• collection/database/sql/reference-sql-statements.yml
• collection/database/wmi/reference-wmi-statements.yml
• collection/file-managers/gather-3d-ftp-information.yml
• collection/file-managers/gather-alftp-information.yml
• collection/file-managers/gather-bitkinex-information.yml
• collection/file-managers/gather-blazeftp-information.yml
• collection/file-managers/gather-bulletproof-ftp-information.yml
• collection/file-managers/gather-classicftp-information.yml
• collection/file-managers/gather-coreftp-information.yml
• collection/file-managers/gather-cuteftp-information.yml
• collection/file-managers/gather-cyberduck-information.yml
• collection/file-managers/gather-direct-ftp-information.yml
• collection/file-managers/gather-directory-opus-information.yml
• collection/file-managers/gather-expandrive-information.yml
• collection/file-managers/gather-faststone-browser-information.yml
• collection/file-managers/gather-fasttrack-ftp-information.yml
• collection/file-managers/gather-ffftp-information.yml
• collection/file-managers/gather-filezilla-information.yml
• collection/file-managers/gather-flashfxp-information.yml
• collection/file-managers/gather-fling-ftp-information.yml
• collection/file-managers/gather-freshftp-information.yml
• collection/file-managers/gather-frigate3-information.yml
• collection/file-managers/gather-ftp-commander-information.yml
• collection/file-managers/gather-ftp-explorer-information.yml
• collection/file-managers/gather-ftp-voyager-information.yml
• collection/file-managers/gather-ftpgetter-information.yml
• collection/file-managers/gather-ftpinfo-information.yml
• collection/file-managers/gather-ftpnow-information.yml
• collection/file-managers/gather-ftprush-information.yml
• collection/file-managers/gather-ftpshell-information.yml
• collection/file-managers/gather-global-downloader-information.yml
• collection/file-managers/gather-goftp-information.yml
• collection/file-managers/gather-leapftp-information.yml
• collection/file-managers/gather-netdrive-information.yml
• collection/file-managers/gather-nexusfile-information.yml
• collection/file-managers/gather-nova-ftp-information.yml
• collection/file-managers/gather-robo-ftp-information.yml
• collection/file-managers/gather-securefx-information.yml
• collection/file-managers/gather-smart-ftp-information.yml
• collection/file-managers/gather-softx-ftp-information.yml
• collection/file-managers/gather-southriver-webdrive-information.yml
• collection/file-managers/gather-staff-ftp-information.yml
• collection/file-managers/gather-total-commander-information.yml
• collection/file-managers/gather-turbo-ftp-information.yml
• collection/file-managers/gather-ultrafxp-information.yml
• collection/file-managers/gather-winscp-information.yml
• collection/file-managers/gather-winzip-information.yml
• collection/file-managers/gather-wise-ftp-information.yml
• collection/file-managers/gather-ws-ftp-information.yml
• collection/file-managers/gather-xftp-information.yml
• collection/get-geographical-location.yml
• collection/group-policy/discover-group-policy-via-gpresult.yml
• collection/keylog/log-keystrokes.yml
• collection/microphone/capture-microphone-audio.yml
• collection/network/capture-network-configuration-via-ipconfig.yml
• collection/network/capture-packets-using-sharppcap.yml
• collection/network/capture-public-ip.yml
• collection/network/get-domain-trust-relationships.yml
• collection/network/get-mac-address-on-windows.yml
• collection/screenshot/capture-screenshot-via-keybd-event.yml
• collection/screenshot/capture-screenshot.yml
• collection/webcam/capture-webcam-image.yml
• communication/c2/file-transfer/download-and-write-a-file.yml
• communication/c2/file-transfer/write-and-execute-a-file.yml
• communication/c2/shell/create-reverse-shell-on-linux.yml
• communication/c2/shell/create-reverse-shell.yml
• communication/c2/shell/execute-shell-command-and-capture-output.yml
• communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml
• communication/ftp/send/send-file-using-ftp.yml
• communication/http/client/connect-to-http-server.yml
• communication/http/client/connect-to-url.yml
• communication/http/client/create-http-request.yml
• communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml
• communication/http/client/read-data-from-internet.yml
• communication/http/client/receive-http-response.yml
• communication/http/client/send-file-via-http.yml
• communication/http/client/send-http-request.yml
• communication/http/reference-http-user-agent-string.yml
• communication/http/server/receive-http-request.yml
• communication/http/server/start-http-server.yml
• communication/http/set-http-header.yml
• communication/icmp/send-icmp-echo-request.yml
• communication/mailslot/create-mailslot.yml
• communication/mailslot/read-from-mailslot.yml
• communication/named-pipe/create/create-two-anonymous-pipes.yml
• communication/named-pipe/read/read-pipe.yml
• communication/named-pipe/write/write-pipe.yml
• communication/receive-data.yml
• communication/send-data.yml
• communication/socket/create-vmci-socket.yml
• communication/socket/tcp/connect-tcp-socket.yml
• communication/socket/tcp/create-tcp-socket-via-raw-afd-driver.yml
• communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml
• communication/tcp/client/act-as-tcp-client.yml
• communication/tcp/serve/start-tcp-server.yml
• compiler/perl2exe/compiled-with-perl2exe.yml
• data-manipulation/compression/compress-data-using-lzo.yml
• data-manipulation/compression/compress-data-via-winapi.yml
• data-manipulation/compression/create-cabinet-on-windows.yml
• data-manipulation/compression/extract-cabinet-on-windows.yml
• data-manipulation/encryption/aes/encrypt-data-using-aes-via-winapi.yml
• data-manipulation/encryption/des/encrypt-data-using-des-via-winapi.yml
• data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml
• data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml
• data-manipulation/encryption/encrypt-or-decrypt-via-wincrypt.yml
• data-manipulation/encryption/import-public-key.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction032.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-systemfunction033.yml
• data-manipulation/encryption/rc4/encrypt-data-using-rc4-via-winapi.yml
• data-manipulation/encryption/rc6/encrypt-data-using-rc6.yml
• data-manipulation/encryption/rsa/reference-public-rsa-key.yml
• data-manipulation/hashing/hash-data-via-wincrypt.yml
• data-manipulation/hashing/md5/hash-data-with-md5.yml
• data-manipulation/hashing/sha1/hash-data-using-sha1.yml
• data-manipulation/hashing/sha224/hash-data-using-sha224.yml
• data-manipulation/hashing/sha256/hash-data-using-sha256.yml
• data-manipulation/hashing/sha384/hash-data-using-sha384.yml
• data-manipulation/hashing/sha512/hash-data-using-sha512.yml
• data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml
• data-manipulation/prng/generate-random-numbers-via-winapi.yml
• data-manipulation/prng/mersenne/generate-random-numbers-using-a-mersenne-twister.yml
• executable/resource/access-dotnet-resource.yml
• executable/resource/extract-resource-via-kernel32-functions.yml
• host-interaction/bootloader/disable-code-signing.yml
• host-interaction/bootloader/manipulate-boot-configuration.yml
• host-interaction/bootloader/manipulate-safe-mode-programs.yml
• host-interaction/clipboard/open-clipboard.yml
• host-interaction/clipboard/read-clipboard-data.yml
• host-interaction/clipboard/write-clipboard-data.yml
• host-interaction/console/manipulate-console-buffer.yml
• host-interaction/driver/complete-processing-asynchronous-io-request.yml
• host-interaction/driver/create-device-object.yml
• host-interaction/driver/disable-driver-code-integrity.yml
• host-interaction/driver/interact-with-driver-via-ioctl.yml
• host-interaction/environment-variable/get-comspec-environment-variable.yml
• host-interaction/file-system/bypass-mark-of-the-web.yml
• host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
• host-interaction/file-system/delete/delete-file.yml
• host-interaction/file-system/files/list/enumerate-files-on-linux.yml
• host-interaction/file-system/files/list/enumerate-files-on-windows.yml
• host-interaction/file-system/meta/get-file-version-info.yml
• host-interaction/file-system/read/read-file-on-linux.yml
• host-interaction/file-system/read/read-file-on-windows.yml
• host-interaction/file-system/read/read-file-via-mapping.yml
• host-interaction/file-system/read/read-ini-file.yml
• host-interaction/file-system/read/read-virtual-disk.yml
• host-interaction/file-system/windows-file-protection/bypass-windows-file-protection.yml
• host-interaction/file-system/write/write-file-on-linux.yml
• host-interaction/filter/enumerate-minifilter-drivers.yml
• host-interaction/firewall/modify/access-firewall-policy-via-inetfwpolicy2.yml
• host-interaction/firewall/modify/access-firewall-rule-properties-via-inetfwrule.yml
• host-interaction/gui/logon/references-logon-banner.yml
• host-interaction/gui/session/lock/lock-the-desktop.yml
• host-interaction/gui/switch-active-desktop.yml
• host-interaction/gui/taskbar/find/find-taskbar.yml
• host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml
• host-interaction/gui/window/get-text/get-graphical-window-text.yml
• host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml
• host-interaction/hardware/cpu/get-cpu-information.yml
• host-interaction/hardware/cpu/get-number-of-processor-cores.yml
• host-interaction/hardware/keyboard/get-keyboard-layout.yml
• host-interaction/hardware/keyboard/simulate-ctrl-alt-del.yml
• host-interaction/hardware/memory/get-memory-information.yml
• host-interaction/hardware/storage/get-disk-size.yml
• host-interaction/log/clfs/read-data-from-clfs-log-container.yml
• host-interaction/mutex/check-mutex-and-exit.yml
• host-interaction/mutex/check-mutex.yml
• host-interaction/mutex/create-mutex.yml
• host-interaction/mutex/create-semaphore-on-linux.yml
• host-interaction/mutex/lock-semaphore-on-linux.yml
• host-interaction/mutex/unlock-semaphore-on-linux.yml
• host-interaction/network/address/get-local-ipv4-addresses.yml
• host-interaction/network/connectivity/set-tcp-connection-state.yml
• host-interaction/network/domain/enumerate-domain-computers-via-ldap.yml
• host-interaction/network/domain/get-domain-controller-name.yml
• host-interaction/network/interface/get-networking-interfaces.yml
• host-interaction/network/traffic/filter/enumerate-network-filters-via-wfp-api.yml
• host-interaction/os/info/get-system-information-on-windows.yml
• host-interaction/os/version/get-kernel-version.yml
• host-interaction/os/version/get-linux-distribution.yml
• host-interaction/process/create/create-process-suspended.yml
• host-interaction/process/inject/allocate-or-change-rwx-memory.yml
• host-interaction/process/inject/allocate-user-process-rwx-memory.yml
• host-interaction/process/inject/attach-user-process-memory.yml
• host-interaction/process/inject/free-user-process-memory.yml
• host-interaction/process/inject/hijack-thread-execution.yml
• host-interaction/process/inject/inject-apc.yml
• host-interaction/process/inject/inject-dll.yml
• host-interaction/process/inject/inject-shellcode-using-a-file-mapping-object.yml
• host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml
• host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml
• host-interaction/process/inject/inject-thread.yml
• host-interaction/process/inject/use-process-replacement.yml
• host-interaction/process/list/enumerate-processes-on-remote-desktop-session-host.yml
• host-interaction/process/list/enumerate-processes.yml
• host-interaction/process/list/find-process-by-pid.yml
• host-interaction/process/list/get-explorer-pid.yml
• host-interaction/process/map-section-object.yml
• host-interaction/process/modify/acquire-debug-privileges.yml
• host-interaction/process/modify/modify-access-privileges.yml
• host-interaction/process/modules/list/enumerate-process-modules.yml
• host-interaction/process/terminate/terminate-process.yml
• host-interaction/registry/delete/delete-registry-key.yml
• host-interaction/registry/delete/delete-registry-value.yml
• host-interaction/registry/query-or-enumerate-registry-key.yml
• host-interaction/registry/query-or-enumerate-registry-value.yml
• host-interaction/registry/set-registry-key-via-offline-registry-library.yml
• host-interaction/service/continue-service.yml
• host-interaction/service/create/create-service.yml
• host-interaction/service/delete/delete-service.yml
• host-interaction/service/modify/modify-service.yml
• host-interaction/service/pause-service.yml
• host-interaction/service/start/start-service.yml
• host-interaction/service/stop/stop-service.yml
• host-interaction/session/get-current-user-on-linux.yml
• host-interaction/session/get-logon-sessions.yml
• host-interaction/session/get-session-integrity-level.yml
• host-interaction/session/get-session-user-name.yml
• host-interaction/session/get-token-membership.yml
• host-interaction/thread/create/create-thread.yml
• host-interaction/thread/list/enumerate-threads.yml
• host-interaction/thread/tls/set-thread-local-storage-value.yml
• host-interaction/uac/bypass/bypass-uac-via-appinfo-alpc.yml
• host-interaction/uac/bypass/bypass-uac-via-icmluautil.yml
• host-interaction/uac/bypass/bypass-uac-via-rpc.yml
• host-interaction/uac/bypass/bypass-uac-via-token-manipulation.yml
• impact/inhibit-system-recovery/delete-volume-shadow-copies.yml
• impact/wipe-disk/wipe-mbr/overwrite-master-boot-record-mbr.yml
• lib/allocate-memory.yml
• lib/change-memory-protection.yml
• lib/create-or-open-file.yml
• lib/create-or-open-section-object.yml
• linking/runtime-linking/link-many-functions-at-runtime.yml
• load-code/dotnet/load-windows-common-language-runtime.yml
• load-code/pe/access-pe-header.yml
• load-code/pe/inspect-section-memory-permissions.yml
• load-code/powershell/run-powershell-expression.yml
• load-code/shellcode/execute-shellcode-via-copyfile2.yml
• load-code/shellcode/execute-shellcode-via-createthreadpoolwait.yml
• load-code/shellcode/execute-shellcode-via-windows-callback-function.yml
• load-code/shellcode/execute-shellcode-via-windows-fibers.yml
• load-code/shellcode/spawn-thread-to-rwx-shellcode.yml
• malware-family/plugx/match-known-plugx-module.yml
• nursery/access-wmi-data-in-dotnet.yml
• nursery/add-value-to-global-atom-table.yml
• nursery/append-data-to-clfs-log-container.yml
• nursery/build-docker-image.yml
• nursery/bypass-hidden-api-restrictions-via-jni-on-android.yml
• nursery/bypass-uac-via-scheduled-task-environment-variable.yml
• nursery/capture-webcam-video.yml
• nursery/check-for-process-debug-object.yml
• nursery/check-for-windows-sandbox-via-mutex.yml
• nursery/check-for-windows-sandbox-via-subdirectory.yml
• nursery/check-license-value.yml
• nursery/collect-ssh-keys.yml
• nursery/compile-csharp-in-dotnet.yml
• nursery/compile-visual-basic-in-dotnet.yml
• nursery/connect-network-resource.yml
• nursery/create-container.yml
• nursery/create-process-via-wmi-in-dotnet.yml
• nursery/create-registry-key-via-stdregprov.yml
• nursery/delete-internet-cache.yml
• nursery/delete-registry-key-via-stdregprov.yml
• nursery/delete-registry-value-via-stdregprov.yml
• nursery/destroy-software-breakpoint-capability.yml
• nursery/display-service-notification-message-box.yml
• nursery/enable-safe-mode-boot.yml
• nursery/encrypt-data-using-salsa20-or-chacha.yml
• nursery/encrypt-or-decrypt-data-via-bcrypt.yml
• nursery/enumerate-device-drivers-on-linux.yml
• nursery/enumerate-device-drivers-on-windows.yml
• nursery/enumerate-disk-volumes.yml
• nursery/enumerate-files-in-dotnet.yml
• nursery/enumerate-internet-cache.yml
• nursery/enumerate-network-shares.yml
• nursery/enumerate-processes-that-use-resource.yml
• nursery/enumerate-processes-via-procfs.yml
• nursery/execute-sqlite-statement-in-dotnet.yml
• nursery/get-client-handle-via-schannel.yml
• nursery/get-current-process-command-line.yml
• nursery/get-mac-address-in-dotnet.yml
• nursery/get-mac-address-on-linux.yml
• nursery/get-os-information-via-kuser_shared_data.yml
• nursery/get-process-image-filename.yml
• nursery/get-proxy.yml
• nursery/get-session-information.yml
• nursery/get-storage-device-properties.yml
• nursery/get-system-information-on-linux.yml
• nursery/get-token-privileges.yml
• nursery/hash-data-using-ripemd256.yml
• nursery/hash-data-using-ripemd320.yml
• nursery/hash-data-using-sha1-via-wincrypt.yml
• nursery/hash-data-using-sha512managed-in-dotnet.yml
• nursery/hash-data-via-bcrypt.yml
• nursery/hook-routines-via-lsplant.yml
• nursery/hook-routines-via-microsoft-detours.yml
• nursery/impersonate-user.yml
• nursery/initialize-hashing-via-wincrypt.yml
• nursery/link-function-at-runtime-on-linux.yml
• nursery/list-containers.yml
• nursery/list-drag-and-drop-files.yml
• nursery/load-packed-dex-via-jiagu-on-android.yml
• nursery/log-keystrokes-via-input-method-manager.yml
• nursery/make-an-http-request-with-a-cookie.yml
• nursery/migrate-process-to-active-window-station.yml
• nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml
• nursery/persist-via-gnome-autostart-on-linux.yml
• nursery/prompt-user-for-credentials.yml
• nursery/query-or-enumerate-registry-key-via-stdregprov.yml
• nursery/query-or-enumerate-registry-value-via-stdregprov.yml
• nursery/read-and-send-data-from-client-to-server.yml
• nursery/read-process-memory.yml
• nursery/receive-and-write-data-from-server-to-client.yml
• nursery/reference-114dns-dns-server.yml
• nursery/reference-alidns-dns-server.yml
• nursery/reference-cloudflare-dns-server.yml
• nursery/reference-comodo-secure-dns-server.yml
• nursery/reference-google-public-dns-server.yml
• nursery/reference-hurricane-electric-dns-server.yml
• nursery/reference-kornet-dns-server.yml
• nursery/reference-l3-dns-server.yml
• nursery/reference-opendns-dns-server.yml
• nursery/reference-quad9-dns-server.yml
• nursery/reference-verisign-dns-server.yml
• nursery/resize-volume-shadow-copy-storage.yml
• nursery/resolve-function-by-djb2-hash.yml
• nursery/resolve-function-by-fnv-1a-hash.yml
• nursery/resolve-function-by-hash.yml
• nursery/run-in-container.yml
• nursery/send-data-to-internet.yml
• nursery/send-http-request-with-host-header.yml
• nursery/send-request-in-dotnet.yml
• nursery/set-registry-value-via-stdregprov.yml
• nursery/set-thread-name-on-linux.yml
• nursery/terminate-process-by-name-in-dotnet.yml
• nursery/unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml
• nursery/unmount-volume-via-ioctl.yml
• persistence/exchange/act-as-exchange-transport-agent.yml
• persistence/office/act-as-office-com-add-in.yml
• persistence/persist-via-desktop-autostart.yml
• persistence/persist-via-shell-profile-or-rc-file.yml
• persistence/registry/appinitdlls/disable-appinit_dlls-code-signature-enforcement.yml
• persistence/service/persist-via-rc-script.yml
• persistence/startup-folder/write-file-to-startup-folder.yml
• targeting/automated-teller-machine/ncr/reference-ncr-atm-library-routines.yml
• targeting/language/identify-system-language-via-api.yml

Renamed rules (9)

• communication/c2/file-transfer/upload-file-to-onedrive.yml (was nursery/upload-file-to-onedrive.yml)
• internal/limitation/static/internal-autohotkey-file-limitation.yml (was internal/limitation/file/internal-autohotkey-file-limitation.yml)
• internal/limitation/static/internal-autoit-file-limitation.yml (was internal/limitation/file/internal-autoit-file-limitation.yml)
• internal/limitation/static/internal-dotnet-single-file-deployment-limitation.yml (was internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml)
• internal/limitation/static/internal-installer-file-limitation.yml (was internal/limitation/file/internal-installer-file-limitation.yml)
• internal/limitation/static/internal-packer-file-limitation.yml (was internal/limitation/file/internal-packer-file-limitation.yml)
• internal/limitation/static/internal-visual-basic-file-limitation.yml (was internal/limitation/file/internal-visual-basic-file-limitation.yml)
• nursery/decrypt-data-using-rsa-via-winapi.yml (was nursery/decrypt-data-using-rsa.yml)
• nursery/encrypt-data-using-rsa-via-winapi.yml (was nursery/encrypt-data-using-rsa.yml)