From 8d205d0e74caab573121e63fdc3c5c04dd4ea683 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sun, 31 Dec 2023 16:44:21 +0100
Subject: [PATCH 1/6] pull out .NET features

---
 .../network/get-mac-address-on-windows.yml | 36 +++++++++----------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
index 6ded3c61..018e3585 100644
--- a/collection/network/get-mac-address-on-windows.yml
+++ b/collection/network/get-mac-address-on-windows.yml
@@ -17,22 +17,20 @@ rule:
 examples:
 - al-khaser_x64.exe_:0x14001A1BC
 features:
- - or:
- - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
- - and:
- - os: windows
- - or:
- - and:
- - api: iphlpapi.GetAdaptersInfo
- - or:
- - offset: 0x194 = IP_ADAPTER_INFO.Address
- - offset: 0x195 = IP_ADAPTER_INFO.Address+1
- - offset: 0x196 = IP_ADAPTER_INFO.Address+2
- - offset: 0x197 = IP_ADAPTER_INFO.Address+3
- - offset: 0x198 = IP_ADAPTER_INFO.Address+4
- - offset: 0x199 = IP_ADAPTER_INFO.Address+5
- - optional:
- - string: "%02X-%02X-%02X-%02X-%02X-%02X"
- - and:
- - api: iphlpapi.GetAdaptersAddresses
- - offset: 0x2C = PhysicalAddress
+ - and:
+ - os: windows
+ - or:
+ - and:
+ - api: iphlpapi.GetAdaptersInfo
+ - or:
+ - offset: 0x194 = IP_ADAPTER_INFO.Address
+ - offset: 0x195 = IP_ADAPTER_INFO.Address+1
+ - offset: 0x196 = IP_ADAPTER_INFO.Address+2
+ - offset: 0x197 = IP_ADAPTER_INFO.Address+3
+ - offset: 0x198 = IP_ADAPTER_INFO.Address+4
+ - offset: 0x199 = IP_ADAPTER_INFO.Address+5
+ - optional:
+ - string: "%02X-%02X-%02X-%02X-%02X-%02X"
+ - and:
+ - api: iphlpapi.GetAdaptersAddresses
+ - offset: 0x2C = PhysicalAddress
From b247baaefd18ab2c59adbe2b16a2dc41a0aaaa67 Mon Sep 17 00:00:00 2001
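Review bot: The offset descriptions carried over onto the new side encode the 32-bit layout of the structures, and the rule should say so, because the only listed example is an x64 sample. In IP_ADAPTER_INFO the Address field is at 0x194 only while the leading Next pointer is 4 bytes; with an 8-byte pointer it moves to 0x198, so `0x198 = IP_ADAPTER_INFO.Address+4` and `0x199 = IP_ADAPTER_INFO.Address+5` are in fact Address and Address+1 on x64, Address+2..+5 (0x19A–0x19D) are not matched at all, and the same arithmetic puts IP_ADAPTER_ADDRESSES.PhysicalAddress at 0x50 rather than 0x2C on x64, if I have the field sizes right. Either add the x64 offsets as further `offset:` alternatives or relabel the existing ones, e.g. `- offset: 0x194 = IP_ADAPTER_INFO.Address (x86 layout)` and `- offset: 0x2C = PhysicalAddress (x86 layout)`, so the next reader knows which layout they cover. The rule's `meta` block starts above the hunk.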
From: Moritz
Date: Sun, 31 Dec 2023 16:47:00 +0100
Subject: [PATCH 2/6] Create get-mac-address-in-net.yml

---
 nursery/get-mac-address-in-net.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 nursery/get-mac-address-in-net.yml

diff --git a/nursery/get-mac-address-in-net.yml b/nursery/get-mac-address-in-net.yml
new file mode 100644
index 00000000..43a3aeba
--- /dev/null
+++ b/nursery/get-mac-address-in-net.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: get MAC address in .NET
+ namespace: collection/network
+ authors:
+ - moritz.raabe@mandiant.com
+ - michael.hunhoff@mandiant.com
+ - echernofsky@google.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ features:
+ - or:
+ - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
From 84eaee6d57fe55135c36c8a7e612313a59b88cfe Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sun, 31 Dec 2023 16:49:52 +0100
Subject: [PATCH 3/6] pull out .NET features

---
 .../files/list/enumerate-files-on-windows.yml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
index 5922183a..fcb01482 100644
--- a/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
+++ b/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
@@ -48,13 +48,3 @@ rule:
 - api: RtlAllocateHeap
 - match: contain loop
 - characteristic: indirect call
- - or:
- - api: System.IO.DirectoryInfo::GetFiles
- - api: System.IO.DirectoryInfo::EnumerateFiles
- - api: System.IO.Directory::GetFiles
- - api: System.IO.Directory::EnumerateFiles
- - api: System.IO.Directory::EnumerateFileSystemEntries
- - api: System.IO.DirectoryInfo::GetDirectories
- - api: System.IO.DirectoryInfo::EnumerateDirectories
- - api: System.IO.Directory::GetDirectories
- - api: System.IO.Directory::EnumerateDirectories
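Review bot: The new nursery rule has no `examples:` entry, so the single `api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress` feature is not pinned to any sample and cannot be regression-tested before the rule leaves the nursery, whereas the Windows rule it was split out of keeps its al-khaser example. A `# TODO: add a .NET sample under examples before promoting out of nursery` comment under `meta` would make that gap visible; the same applies to the enumerate-files nursery rule in patch 4. The `dynamic: thread` scope is also worth checking against the repository's other .NET-only rules: a managed API name is only observable if the dynamic extractor reports managed calls, and if it does not, `dynamic: unsupported` would be the accurate scope. The `or:` with one alternative is harmless but could be flattened.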
From 3bd7a477b139bc1bd099fbf419792fda58f324cf Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sun, 31 Dec 2023 16:52:11 +0100
Subject: [PATCH 4/6] Create enumerate-files-in-net.yml

---
 nursery/enumerate-files-in-net.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 nursery/enumerate-files-in-net.yml

diff --git a/nursery/enumerate-files-in-net.yml b/nursery/enumerate-files-in-net.yml
new file mode 100644
index 00000000..db3e09a1
--- /dev/null
+++ b/nursery/enumerate-files-in-net.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: enumerate files in .NET
+ namespace: host-interaction/file-system/files/list
+ authors:
+ - moritz.raabe@mandiant.com
+ - anushka.virgaonkar@mandiant.com
+ scopes:
+ static: function
+ dynamic: thread
+ att&ck:
+ - Discovery::File and Directory Discovery [T1083]
+ mbc:
+ - Discovery::File and Directory Discovery [E1083]
+ references:
+ - https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
+ features:
+ - or:
+ - api: System.IO.DirectoryInfo::GetFiles
+ - api: System.IO.DirectoryInfo::EnumerateFiles
+ - api: System.IO.Directory::GetFiles
+ - api: System.IO.Directory::EnumerateFiles
+ - api: System.IO.Directory::EnumerateFileSystemEntries
+ - api: System.IO.DirectoryInfo::GetDirectories
+ - api: System.IO.DirectoryInfo::EnumerateDirectories
+ - api: System.IO.Directory::GetDirectories
+ - api: System.IO.Directory::EnumerateDirectories
From e8f1a06c8cbdf9c583e8feb933511485d2e2ecb5 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sun, 31 Dec 2023 16:54:53 +0100
Subject: [PATCH 5/6] rename file

---
 .../{enumerate-files-in-net.yml => enumerate-files-in-dotnet.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename nursery/{enumerate-files-in-net.yml => enumerate-files-in-dotnet.yml} (100%)

diff --git a/nursery/enumerate-files-in-net.yml b/nursery/enumerate-files-in-dotnet.yml
similarity index 100%
rename from nursery/enumerate-files-in-net.yml
rename to nursery/enumerate-files-in-dotnet.yml
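Review bot: The `references:` entry `https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b` appears truncated as shown here: it ends in a 39-character commit id with no file path after `blob/`, so it would not resolve to a file, and TDL is a native driver-loading project, an unlikely source for the managed `System.IO` API list that follows. It was presumably carried over from enumerate-files-on-windows.yml along with the features; either drop it from the .NET rule or replace it with a reference that actually shows these APIs being used, and confirm the full URL in the repository if the truncation is only an artifact of this rendering. The feature block itself mirrors the lines removed in patch 3, which is the intent.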
From 134a98cb805e575586f1279c59021f731f62fbcd Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sun, 31 Dec 2023 16:55:19 +0100
Subject: [PATCH 6/6] rename file

---
 .../{get-mac-address-in-net.yml => get-mac-address-in-dotnet.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename nursery/{get-mac-address-in-net.yml => get-mac-address-in-dotnet.yml} (100%)

diff --git a/nursery/get-mac-address-in-net.yml b/nursery/get-mac-address-in-dotnet.yml
similarity index 100%
rename from nursery/get-mac-address-in-net.yml
rename to nursery/get-mac-address-in-dotnet.yml