From a7a68ee55e3122c689436c058c6b31d54d7cae75 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Fri, 19 May 2023 10:36:07 +0200
Subject: [PATCH 1/2] remove very common rule

---
 .../section/rsrc/contain-a-resource-rsrc-section.yml | 11 -----------
 .../extract-resource-via-kernel32-functions.yml | 2 +-
 2 files changed, 1 insertion(+), 12 deletions(-)
 delete mode 100644 executable/pe/section/rsrc/contain-a-resource-rsrc-section.yml

diff --git a/executable/pe/section/rsrc/contain-a-resource-rsrc-section.yml b/executable/pe/section/rsrc/contain-a-resource-rsrc-section.yml
deleted file mode 100644
index c68d40522..000000000
--- a/executable/pe/section/rsrc/contain-a-resource-rsrc-section.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-rule:
- meta:
- name: contain a resource (.rsrc) section
- namespace: executable/pe/section/rsrc
- authors:
- - moritz.raabe@mandiant.com
- scope: file
- examples:
- - A933A1A402775CFA94B6BEE0963F4B46:0x41fd25
- features:
- - section: .rsrc
diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml
index 2599839bc..d9e5ad4d2 100644
--- a/executable/resource/extract-resource-via-kernel32-functions.yml
+++ b/executable/resource/extract-resource-via-kernel32-functions.yml
@@ -18,7 +18,7 @@ rule:
 - api: kernel32.LockResource
 - api: LdrAccessResource
 - optional:
- - match: contain a resource (.rsrc) section
+ - section: .rsrc
 - api: kernel32.GetModuleHandle # may occur in parent function, see 0664B09A86EC2DF7DFE01A93E184A1FA23DF66EA82CAB39000944E418EC1F7B2
 - or:

From 0de18f77aa4cf8323d8cd5cef02584fbb387ef54 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 19 May 2023 11:52:42 +0200
Subject: [PATCH 2/2] Update executable/resource/extract-resource-via-kernel32-functions.yml

---
 executable/resource/extract-resource-via-kernel32-functions.yml | 1 -
 1 file changed, 1 deletion(-)
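Review bot: The new `- section: .rsrc` line in the second hunk inlines a file-scope feature into this rule's `optional:` block, but the rule's `scope:` lives in the meta block above the hunk, so whether a `section` feature is permitted here cannot be confirmed from the diff; if the rule is function-scoped, the rule loader would presumably reject a file-level feature at that scope, which may be why [PATCH 2/2] in this series drops the line again. Separately, the deleted rule `contain a resource (.rsrc) section` was referenced by name through `match:`, and the diffstat shows only this one dependent rule being updated, so a repository-wide search for that exact name is needed to confirm no other rule still references it, since a dangling `match:` fails when the rule set is loaded. Because an `optional:` entry never changes whether the rule matches, a retained `.rsrc` hint adds extraction work without detection value; if the rationale is worth keeping, record it as a comment such as `# nearly all PE files carry a .rsrc section, so its presence is not a useful discriminator` rather than as a feature.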
diff --git a/executable/resource/extract-resource-via-kernel32-functions.yml b/executable/resource/extract-resource-via-kernel32-functions.yml
index d9e5ad4d2..beddea449 100644
--- a/executable/resource/extract-resource-via-kernel32-functions.yml
+++ b/executable/resource/extract-resource-via-kernel32-functions.yml
@@ -18,7 +18,6 @@ rule:
 - api: kernel32.LockResource
 - api: LdrAccessResource
 - optional:
- - section: .rsrc
 - api: kernel32.GetModuleHandle # may occur in parent function, see 0664B09A86EC2DF7DFE01A93E184A1FA23DF66EA82CAB39000944E418EC1F7B2
 - or: