mandiant
diff --git a/‎anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
Lines changed: 1 addition & 1 deletion b/‎anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
Lines changed: 1 addition & 1 deletion b/‎anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
100755100644 b/‎data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
100755100644
diff --git a/‎data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml
100755100644 b/‎data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml
100755100644
diff --git a/‎data-manipulation/encryption/tea/decrypt-data-using-tea.yml
100755100644 b/‎data-manipulation/encryption/tea/decrypt-data-using-tea.yml
100755100644
diff --git a/‎data-manipulation/encryption/tea/encrypt-data-using-tea.yml
100755100644 b/‎data-manipulation/encryption/tea/encrypt-data-using-tea.yml
100755100644
diff --git a/‎data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml
100755100644 b/‎data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml
100755100644
diff --git a/‎data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
100755100644 b/‎data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
100755100644
diff --git a/‎host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎host-interaction/log/clfs/read-data-from-clfs-log-container.yml
100755100644 b/‎host-interaction/log/clfs/read-data-from-clfs-log-container.yml
100755100644
diff --git a/‎host-interaction/process/create/create-process-on-linux.yml
Lines changed: 1 addition & 1 deletion b/‎host-interaction/process/create/create-process-on-linux.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎host-interaction/process/get-process-heap-flags-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎host-interaction/process/get-process-heap-flags-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml renamed to ‎lib/calculate-modulo-256-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎lib/calculate-modulo-256-via-x86-assembly-via-x86-assembly.yml renamed to ‎lib/calculate-modulo-256-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎lib/get-os-version.yml
Lines changed: 1 addition & 1 deletion b/‎lib/get-os-version.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
Lines changed: 2 additions & 2 deletions b/‎linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion b/‎linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎load-code/pe/resolve-function-by-parsing-pe-exports.yml
100755100644 b/‎load-code/pe/resolve-function-by-parsing-pe-exports.yml
100755100644
diff --git a/‎nursery/append-data-to-clfs-log-container.yml
100755100644 b/‎nursery/append-data-to-clfs-log-container.yml
100755100644
diff --git a/‎nursery/hash-data-using-ripemd128.yml
100755100644 b/‎nursery/hash-data-using-ripemd128.yml
100755100644
diff --git a/‎nursery/hash-data-using-ripemd256.yml
100755100644 b/‎nursery/hash-data-using-ripemd256.yml
100755100644
diff --git a/‎nursery/hash-data-using-ripemd320.yml
100755100644 b/‎nursery/hash-data-using-ripemd320.yml
100755100644
@@ -15,5 +15,5 @@ rule:
       - Practical Malware Analysis Lab 16-01.exe_:0x403530
   features:
     - and:
-      - match: PEB access
+      - match: PEB access via x86 assembly
       - offset: 2 = PEB.BeingDebugged
@@ -18,7 +18,7 @@ rule:
     - and:
       - basic block:
         - and:
-          - match: PEB access
+          - match: PEB access via x86 assembly
           - or:
             - and:
               - arch: i386
 
@@ -13,4 +13,4 @@ rule:
       - a5c70086b3bc4fe64f4e7a0aa452e620
   features:
     - or:
-      - count(match(contain pusha popa sequence)): 10 or more
+      - count(match(contain pusha popa sequence via x86 assembly)): 10 or more
@@ -17,7 +17,7 @@ rule:
   features:
     - or:
       - and:
-        - match: PEB access
+        - match: PEB access via x86 assembly
         - or:
           - and:
             - arch: i386
 
@@ -20,7 +20,7 @@ rule:
       - or:
         - api: execve
         - and:
-          - match: execute syscall
+          - match: execute syscall via x86 assembly
           - arch: aarch64
           - number: 0xdd = execve
         - api: execl
 
@@ -15,7 +15,7 @@ rule:
       - al-khaser_x86.exe_:0x425470
   features:
     - and:
-      - match: PEB access
+      - match: PEB access via x86 assembly
       - or:
         - and:
           - arch: i386
 
@@ -15,7 +15,7 @@ rule:
       - al-khaser_x86.exe_:0x425470
   features:
     - and:
-      - match: PEB access
+      - match: PEB access via x86 assembly
       - or:
         - and:
           - arch: i386
 
@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: calculate modulo 256 via x86 assembly via x86 assembly
+    name: calculate modulo 256 via x86 assembly
     authors:
       - [email protected]
     lib: true
 
@@ -21,7 +21,7 @@ rule:
       - api: RtlGetNtVersionNumbers
       - api: GetProductInfo
       - and:
-        - match: PEB access
+        - match: PEB access via x86 assembly
         - or:
           - and:
             - arch: i386
 
@@ -20,7 +20,7 @@ rule:
         - arch: i386
         - description: x32
 
-        - match: PEB access
+        - match: PEB access via x86 assembly
 
         # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0
         # checking for fs:0 and a (possibly unrelated) number or offset often results in false positives
@@ -37,7 +37,7 @@ rule:
         - arch: amd64
         - description: x64
 
-        - match: PEB access
+        - match: PEB access via x86 assembly
 
         - offset: 0x18 = PEB.LDR_DATA
 
 
@@ -17,7 +17,7 @@ rule:
   features:
     - and:
       # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink
-      - match: access PEB ldr_data
+      - match: access PEB ldr_data via x86 assembly
       # -> current module -> ntdll
       - count(offset(0)): 2
       # -> kernel32 -> LDR_DATA_TABLE_ENTRY.DllBase
 
@@ -17,7 +17,7 @@ rule:
   features:
     - and:
       # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink
-      - match: access PEB ldr_data
+      - match: access PEB ldr_data via x86 assembly
       # -> current module
       - count(offset(0)): 1
       # -> ntdll -> LDR_DATA_TABLE_ENTRY.DllBase