Pull out .NET features (#866)

* pull out .NET features

* Create get-mac-address-in-net.yml

* pull out .NET features

* Create enumerate-files-in-net.yml

* rename file

* rename file

collection/network/get-mac-address-on-windows.yml

@@ -17,22 +17,20 @@ rule:
     examples:
       - al-khaser_x64.exe_:0x14001A1BC
   features:
-    - or:
-      - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
-      - and:
-        - os: windows
-        - or:
-          - and:
-            - api: iphlpapi.GetAdaptersInfo
-            - or:
-              - offset: 0x194 = IP_ADAPTER_INFO.Address
-              - offset: 0x195 = IP_ADAPTER_INFO.Address+1
-              - offset: 0x196 = IP_ADAPTER_INFO.Address+2
-              - offset: 0x197 = IP_ADAPTER_INFO.Address+3
-              - offset: 0x198 = IP_ADAPTER_INFO.Address+4
-              - offset: 0x199 = IP_ADAPTER_INFO.Address+5
-            - optional:
-              - string: "%02X-%02X-%02X-%02X-%02X-%02X"
-          - and:
-            - api: iphlpapi.GetAdaptersAddresses
-            - offset: 0x2C = PhysicalAddress
+    - and:
+      - os: windows
+      - or:
+        - and:
+          - api: iphlpapi.GetAdaptersInfo
+          - or:
+            - offset: 0x194 = IP_ADAPTER_INFO.Address
+            - offset: 0x195 = IP_ADAPTER_INFO.Address+1
+            - offset: 0x196 = IP_ADAPTER_INFO.Address+2
+            - offset: 0x197 = IP_ADAPTER_INFO.Address+3
+            - offset: 0x198 = IP_ADAPTER_INFO.Address+4
+            - offset: 0x199 = IP_ADAPTER_INFO.Address+5
+          - optional:
+            - string: "%02X-%02X-%02X-%02X-%02X-%02X"
+        - and:
+          - api: iphlpapi.GetAdaptersAddresses
+          - offset: 0x2C = PhysicalAddress

host-interaction/file-system/files/list/enumerate-files-on-windows.yml

@@ -48,13 +48,3 @@ rule:
           - api: RtlAllocateHeap
           - match: contain loop
           - characteristic: indirect call
-      - or:
-        - api: System.IO.DirectoryInfo::GetFiles
-        - api: System.IO.DirectoryInfo::EnumerateFiles
-        - api: System.IO.Directory::GetFiles
-        - api: System.IO.Directory::EnumerateFiles
-        - api: System.IO.Directory::EnumerateFileSystemEntries
-        - api: System.IO.DirectoryInfo::GetDirectories
-        - api: System.IO.DirectoryInfo::EnumerateDirectories
-        - api: System.IO.Directory::GetDirectories
-        - api: System.IO.Directory::EnumerateDirectories

nursery/enumerate-files-in-dotnet.yml

@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: enumerate files in .NET
+    namespace: host-interaction/file-system/files/list
+    authors:
+      - [email protected]
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    att&ck:
+      - Discovery::File and Directory Discovery [T1083]
+    mbc:
+      - Discovery::File and Directory Discovery [E1083]
+    references:
+      - https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
+  features:
+    - or:
+      - api: System.IO.DirectoryInfo::GetFiles
+      - api: System.IO.DirectoryInfo::EnumerateFiles
+      - api: System.IO.Directory::GetFiles
+      - api: System.IO.Directory::EnumerateFiles
+      - api: System.IO.Directory::EnumerateFileSystemEntries
+      - api: System.IO.DirectoryInfo::GetDirectories
+      - api: System.IO.DirectoryInfo::EnumerateDirectories
+      - api: System.IO.Directory::GetDirectories
+      - api: System.IO.Directory::EnumerateDirectories

nursery/get-mac-address-in-dotnet.yml

@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get MAC address in .NET
+    namespace: collection/network
+    authors:
+      - [email protected]
+      - [email protected]
+      - [email protected]
+    scopes:
+      static: function
+      dynamic: thread
+    att&ck:
+      - Discovery::System Information Discovery [T1082]
+  features:
+    - or:
+      - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress