
limit use of OS-specifics in .NET rules e.g. "... on Windows"

Open mike-hunhoff opened this issue 2 years ago • 4 comments

.NET is cross-platform so we should not use OS-specific references unless we are absolutely sure e.g. #706 where OS-specific types may be used. Instead, we should use "... in .NET" e.g. "read file in .NET" and, in the case of reading an OS-specific file, opt to add a match for "read file in .NET" alongside OS-specific features.

Overall, I think this change results in less user confusion e.g. #706 we see matches for "read file on Windows" when, in fact, we are looking at a file intended to be run on Android via Mono.

Open to more discussion!

mike-hunhoff, Feb 23 '23 19:02

Affects these "on Windows" rules that contain .NET features:

  • rules/collection/network/get-mac-address-on-windows.yml
  • rules/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
  • rules/host-interaction/file-system/read/read-file-on-windows.yml
  • rules/host-interaction/file-system/write/write-file-on-windows.yml
  • rules/host-interaction/process/create/create-process-on-windows.yml

mr-tz, Feb 28 '23 13:02

Hi @mike-hunhoff, I would like to work on this issue. Let me know if any additional rules have this issue as well.

Abtaha, Apr 04 '23 07:04

> Hi @mike-hunhoff, I would like to work on this issue. Let me know if any additional rules have this issue as well.

Great @Abtaha! @mr-tz included a list of rules above that I believe covers everything. Please reach out if you have any specific questions, we'd be happy to answer them!

mike-hunhoff, Apr 04 '23 17:04

The below all contain both .NET and native features (and have "... on Linux" equivalents). Should we split them up into native and .NET ("... in .NET") to clean this up?

  • https://github.com/mandiant/capa-rules/blob/master/collection/network/get-mac-address-on-windows.yml
  • https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/files/list/enumerate-files-on-windows.yml
  • https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/read/read-file-on-windows.yml
  • https://github.com/mandiant/capa-rules/blob/master/host-interaction/file-system/write/write-file-on-windows.yml
  • https://github.com/mandiant/capa-rules/blob/master/host-interaction/process/create/create-process-on-windows.yml

mr-tz, Dec 16 '23 07:12
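An added illustration of the native/.NET split discussed in this thread (rules written for this issue, not rules from the capa-rules repository): a platform-neutral "read file in .NET" rule, a "read file on Windows" rule that keeps only native Win32 APIs, and a hypothetical OS-specific-file rule that pulls the .NET rule in with `match:` so the Windows claim rests on the Windows-only path rather than on the managed read API. Rule contents, API selections and the hosts-file regex are assumptions for illustration.

```yaml
# Illustrative rules constructed for this issue, not rules from capa-rules.
# Each rule would live in its own .yml file; '---' separates them here.
# read-file-in-dotnet.yml: platform-neutral, managed APIs only.
rule:
  meta:
    name: read file in .NET
    namespace: host-interaction/file-system/read
    authors:
      - example@example.invalid  # placeholder author
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.IO.File::ReadAllText
      - api: System.IO.File::ReadAllBytes
      - api: System.IO.StreamReader::ReadToEnd
---
# read-file-on-windows.yml: native Win32 APIs only, no .NET features,
# so a Mono/Android .NET sample no longer reports "... on Windows".
rule:
  meta:
    name: read file on Windows
    namespace: host-interaction/file-system/read
    authors:
      - example@example.invalid  # placeholder author
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: kernel32.ReadFile
      - api: ntdll.NtReadFile
---
# Hypothetical OS-specific-file rule: the "on Windows" claim comes from the
# Windows-only path; the read itself is matched via the .NET rule above.
rule:
  meta:
    name: read hosts file on Windows
    namespace: host-interaction/file-system/read
    authors:
      - example@example.invalid  # placeholder author
    scopes:
      static: function
      dynamic: call
  features:
    - and:
      - match: read file in .NET
      - string: /\\drivers\\etc\\hosts/i
```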