Split .NET features from windows file & process rules (#1130)

* remove .NET features

* create separate read-file-in-dotnet.yml

* remove .NET features

* create separate write-file-dotnet.yml

* split create process rule into windows & .NET

* change static scope to instruction

* change static scope to insn and add dotnet match

* change static & dynamic scope to insn & call and add dotnet match

* change static scope to insn

Author: CosmoWorker

host-interaction/file-system/read/read-file-on-windows.yml

@@ -28,10 +28,3 @@ rule:
           - api: LZRead
           - api: _read
           - api: fread
-      - api: System.IO.File::ReadAllBytes
-      - api: System.IO.File::ReadAllBytesAsync
-      - api: System.IO.File::ReadAllLines
-      - api: System.IO.File::ReadAllLinesAsync
-      - api: System.IO.File::ReadAllText
-      - api: System.IO.File::ReadAllTextAsync
-      - api: System.IO.File::ReadLines

host-interaction/file-system/write/write-file-on-windows.yml

@@ -36,15 +36,3 @@ rule:
           - api: ZwWriteFile
           - api: _fwrite
           - api: fwrite
-      - api: System.IO.File::WriteAllBytes
-      - api: System.IO.File::WriteAllBytesAsync
-      - api: System.IO.File::WriteAllLines
-      - api: System.IO.File::WriteAllLinesAsync
-      - api: System.IO.File::WriteAllText
-      - api: System.IO.File::WriteAllTextAsync
-      - api: System.IO.File::AppendAllLines
-      - api: System.IO.File::AppendAllLinesAsync
-      - api: System.IO.File::AppendAllText
-      - api: System.IO.File::AppendAllTextAsync
-      - api: System.IO.File::AppendText
-      - api: System.IO.FileInfo::AppendText

host-interaction/process/create/create-process-in-dotnet.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: create process in .NET
+    namespace: host-interaction/process/create
+    authors:
+      - moritz.raabe@mandiant.com
+      - social.tarang@gmail.com
+    scopes:
+      static: instruction
+      dynamic: call
+    mbc:
+      - Process::Create Process [C0017]
+    examples:
+      - 692f7fd6d198e804d6af98eb9e390d61:0x6000003
+  features:
+    - or:
+      - api: System.Diagnostics.Process::Start

host-interaction/process/create/create-process-on-windows.yml

@@ -5,29 +5,29 @@ rule:
     authors:
       - moritz.raabe@mandiant.com
     scopes:
-      static: basic block
+      static: instruction
       dynamic: call
     mbc:
       - Process::Create Process [C0017]
     examples:
       - 9324D1A8AE37A36AE560C37448C9705A:0x406DB0
       - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
-      - 692f7fd6d198e804d6af98eb9e390d61:0x6000003
   features:
-    - or:
-      - api: kernel32.WinExec
-      - api: kernel32.CreateProcess
-      - api: shell32.ShellExecute
-      - api: shell32.ShellExecuteEx
-      - api: advapi32.CreateProcessAsUser
-      - api: advapi32.CreateProcessWithLogon
-      - api: advapi32.CreateProcessWithToken
-      - api: kernel32.CreateProcessInternal
-      - api: ntdll.NtCreateUserProcess
-      - api: ntdll.NtCreateProcess
-      - api: ntdll.NtCreateProcessEx
-      - api: ntdll.ZwCreateProcess
-      - api: ZwCreateProcessEx
-      - api: ntdll.ZwCreateUserProcess
-      - api: ntdll.RtlCreateUserProcess
-      - api: System.Diagnostics.Process::Start
+    - and:
+      - os: windows
+      - or:
+        - api: kernel32.WinExec
+        - api: kernel32.CreateProcess
+        - api: shell32.ShellExecute
+        - api: shell32.ShellExecuteEx
+        - api: advapi32.CreateProcessAsUser
+        - api: advapi32.CreateProcessWithLogon
+        - api: advapi32.CreateProcessWithToken
+        - api: kernel32.CreateProcessInternal
+        - api: ntdll.NtCreateUserProcess
+        - api: ntdll.NtCreateProcess
+        - api: ntdll.NtCreateProcessEx
+        - api: ntdll.ZwCreateProcess
+        - api: ZwCreateProcessEx
+        - api: ntdll.ZwCreateUserProcess
+        - api: ntdll.RtlCreateUserProcess

nursery/read-file-in-dotnet.yml

@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: read file in .NET
+    namespace: host-interaction/file-system/read
+    authors:
+      - moritz.raabe@mandiant.com
+      - anushka.virgaonkar@mandiant.com
+    scopes:
+      static: instruction
+      dynamic: call
+    mbc:
+      - File System::Read File [C0051]
+  features:
+    - and:
+      - format: dotnet
+      - or:
+        - api: System.IO.File::ReadAllBytes
+        - api: System.IO.File::ReadAllBytesAsync
+        - api: System.IO.File::ReadAllLines
+        - api: System.IO.File::ReadAllLinesAsync
+        - api: System.IO.File::ReadAllText
+        - api: System.IO.File::ReadAllTextAsync
+        - api: System.IO.File::ReadLines

nursery/write-file-in-dotnet.yml

@@ -0,0 +1,28 @@
+rule:
+  meta:
+    name: write file in .NET
+    namespace: host-interaction/file-system/write
+    authors:
+      - william.ballenthin@mandiant.com
+      - anushka.virgaonkar@mandiant.com
+    scopes:
+      static: instruction
+      dynamic: call
+    mbc:
+      - File System::Writes File [C0052]
+  features:
+    - and:
+      - format: dotnet
+      - or:
+        - api: System.IO.File::WriteAllBytes
+        - api: System.IO.File::WriteAllBytesAsync
+        - api: System.IO.File::WriteAllLines
+        - api: System.IO.File::WriteAllLinesAsync
+        - api: System.IO.File::WriteAllText
+        - api: System.IO.File::WriteAllTextAsync
+        - api: System.IO.File::AppendAllLines
+        - api: System.IO.File::AppendAllLinesAsync
+        - api: System.IO.File::AppendAllText
+        - api: System.IO.File::AppendAllTextAsync
+        - api: System.IO.File::AppendText
+        - api: System.IO.FileInfo::AppendText