diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
index 6ded3c61..018e3585 100644
--- a/collection/network/get-mac-address-on-windows.yml
+++ b/collection/network/get-mac-address-on-windows.yml
@@ -17,22 +17,20 @@ rule:
 examples:
 - al-khaser_x64.exe_:0x14001A1BC
 features:
- - or:
- - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
- - and:
- - os: windows
- - or:
- - and:
- - api: iphlpapi.GetAdaptersInfo
- - or:
- - offset: 0x194 = IP_ADAPTER_INFO.Address
- - offset: 0x195 = IP_ADAPTER_INFO.Address+1
- - offset: 0x196 = IP_ADAPTER_INFO.Address+2
- - offset: 0x197 = IP_ADAPTER_INFO.Address+3
- - offset: 0x198 = IP_ADAPTER_INFO.Address+4
- - offset: 0x199 = IP_ADAPTER_INFO.Address+5
- - optional:
- - string: "%02X-%02X-%02X-%02X-%02X-%02X"
- - and:
- - api: iphlpapi.GetAdaptersAddresses
- - offset: 0x2C = PhysicalAddress
+ - and:
+ - os: windows
+ - or:
+ - and:
+ - api: iphlpapi.GetAdaptersInfo
+ - or:
+ - offset: 0x194 = IP_ADAPTER_INFO.Address
+ - offset: 0x195 = IP_ADAPTER_INFO.Address+1
+ - offset: 0x196 = IP_ADAPTER_INFO.Address+2
+ - offset: 0x197 = IP_ADAPTER_INFO.Address+3
+ - offset: 0x198 = IP_ADAPTER_INFO.Address+4
+ - offset: 0x199 = IP_ADAPTER_INFO.Address+5
+ - optional:
+ - string: "%02X-%02X-%02X-%02X-%02X-%02X"
+ - and:
+ - api: iphlpapi.GetAdaptersAddresses
+ - offset: 0x2C = PhysicalAddress
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index 5922183a..fcb01482 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
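Review bot: With `api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress` dropped from `features:` and the enclosing `or:` collapsed into a single `and:`, nothing left in this rule tells a reader where the managed-code variant went. A comment above `features:` such as `# .NET equivalent: nursery/get-mac-address-in-dotnet.yml` would keep the native and .NET rules discoverable together, since the split is otherwise only visible in git history. The same applies to the pure deletion in enumerate-files-on-windows.yml, whose `System.IO` alternatives move to nursery/enumerate-files-in-dotnet.yml. The `rule:` mapping (meta, name, description) starts before this hunk.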
@@ -48,13 +48,3 @@ rule:
 - api: RtlAllocateHeap
 - match: contain loop
 - characteristic: indirect call
- - or:
- - api: System.IO.DirectoryInfo::GetFiles
- - api: System.IO.DirectoryInfo::EnumerateFiles
- - api: System.IO.Directory::GetFiles
- - api: System.IO.Directory::EnumerateFiles
- - api: System.IO.Directory::EnumerateFileSystemEntries
- - api: System.IO.DirectoryInfo::GetDirectories
- - api: System.IO.DirectoryInfo::EnumerateDirectories
- - api: System.IO.Directory::GetDirectories
- - api: System.IO.Directory::EnumerateDirectories
diff --git a/nursery/enumerate-files-in-dotnet.yml b/nursery/enumerate-files-in-dotnet.yml
new file mode 100644
index 00000000..db3e09a1
--- /dev/null
+++ b/nursery/enumerate-files-in-dotnet.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: enumerate files in .NET
+ namespace: host-interaction/file-system/files/list
+ authors:
+ - moritz.raabe@mandiant.com
+ - anushka.virgaonkar@mandiant.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::File and Directory Discovery [T1083]
+ mbc:
+ - Discovery::File and Directory Discovery [E1083]
+ references:
+ - https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
+ features:
+ - or:
+ - api: System.IO.DirectoryInfo::GetFiles
+ - api: System.IO.DirectoryInfo::EnumerateFiles
+ - api: System.IO.Directory::GetFiles
+ - api: System.IO.Directory::EnumerateFiles
+ - api: System.IO.Directory::EnumerateFileSystemEntries
+ - api: System.IO.DirectoryInfo::GetDirectories
+ - api: System.IO.DirectoryInfo::EnumerateDirectories
+ - api: System.IO.Directory::GetDirectories
+ - api: System.IO.Directory::EnumerateDirectories
diff --git a/nursery/get-mac-address-in-dotnet.yml b/nursery/get-mac-address-in-dotnet.yml
new file mode 100644
index 00000000..43a3aeba
--- /dev/null
+++ b/nursery/get-mac-address-in-dotnet.yml
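Review bot: The only `references:` entry in the new nursery/enumerate-files-in-dotnet.yml, `https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b`, does not resolve to a file: a GitHub blob URL needs a path after the commit id, and the id shown is 39 hex digits rather than a full 40-digit SHA, so it looks truncated and was presumably carried over from the native enumerate-files-on-windows rule rather than written for these `System.IO` APIs. Either complete it with the commit id and the file path of the .NET code it is meant to document, or drop it, because an unresolvable reference gives an analyst nothing to verify the rule against. The rule also ships without `examples:`, so no sample yet pins which of the nine `System.IO` APIs it has been observed on; adding one is what would justify moving it out of nursery.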
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: get MAC address in .NET
+ namespace: collection/network
+ authors:
+ - moritz.raabe@mandiant.com
+ - michael.hunhoff@mandiant.com
+ - echernofsky@google.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ features:
+ - or:
+ - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
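Review bot: Unlike its sibling nursery/enumerate-files-in-dotnet.yml added in the same commit, this rule's `meta:` carries no `mbc:` entry, no `references:` and no `examples:`, so the two .NET nursery rules are documented to different standards. If the MBC counterpart of T1082 applies, adding `mbc:` with `- Discovery::System Information Discovery [E1082]` next to `att&ck:` would make them consistent (confirm the identifier against the MBC catalogue before committing it). Since `features:` is a single `api:` term under `or:`, the rule fires on any caller of `GetPhysicalAddress`, benign inventory code included; a `description:` stating that the rule matches retrieval of a network adapter's physical (MAC) address through `System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress` would help an analyst triage such a hit.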