dotnet: adding new rules based on recent samples (#1082)

mike-hunhoff · web-flow · commit 7a52b6f9c053 · 2025-11-07T08:39:46.000+01:00
* dotnet: adding new rules based on recent samples
diff --git a/communication/http/client/receive-http-response.yml b/communication/http/client/receive-http-response.yml
@@ -3,7 +3,7 @@ rule:
     name: receive HTTP response
     namespace: communication/http/client
     authors:
-      - michael.hunhoff@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: span of calls
@@ -13,9 +13,13 @@ rule:
       - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002790
   features:
     - or:
-      - api: System.Net.WebRequest::GetResponse
       - api: winhttp.WinHttpReceiveResponse
       - and:
         - api: winhttp.WinHttpReadData
         - optional:
           - api: winhttp.WinHttpQueryDataAvailable
+      - and:
+        - format: dotnet
+        - or:
+          - api: System.Net.WebRequest::GetResponse
+          - class: System.Net.Http.HttpResponseMessage
diff --git a/communication/http/client/send-http-request.yml b/communication/http/client/send-http-request.yml
@@ -4,7 +4,7 @@ rule:
     namespace: communication/http/client
     authors:
       - moritz.raabe@mandiant.com
-      - michael.hunhoff@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: span of calls
@@ -15,8 +15,6 @@ rule:
       - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x100026E0
   features:
     - or:
-      - api: System.Net.WebRequest::GetResponse
-      - api: System.Net.WebRequest::GetResponseAsync
       - and:
         - or:
           - api: wininet.HttpOpenRequest
@@ -34,3 +32,18 @@ rule:
       - and:
         - match: send data on socket
         - string: /HTTP/i
+      - and:
+        - format: dotnet
+        - or:
+          - api: System.Net.WebRequest::GetResponse
+          - api: System.Net.WebRequest::GetResponseAsync
+          - api: System.Net.Http.HttpClient::PostAsync
+          - api: System.Net.Http.HttpClient::GetAsync
+          - api: System.Net.Http.HttpClient::GetByteArrayAsync
+          - api: System.Net.Http.HttpClient::GetStreamAsync
+          - api: System.Net.Http.HttpClient::GetStringAsync
+          - api: System.Net.Http.HttpClient::Send
+          - api: System.Net.Http.HttpClient::SendAsync
+          - api: System.Net.Http.HttpClientHandler::Send
+          - api: System.Net.Http.HttpClientHandler::SendAsync
+          - class: System.Net.Http.HttpRequestMessage
diff --git a/data-manipulation/hashing/sha256/hash-data-using-sha256.yml b/data-manipulation/hashing/sha256/hash-data-using-sha256.yml
@@ -6,6 +6,7 @@ rule:
       - moritz.raabe@mandiant.com
       - anushka.virgaonkar@mandiant.com
       - william.ballenthin@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: span of calls
@@ -50,4 +51,5 @@ rule:
           - api: System.Security.Cryptography.SHA256CryptoServiceProvider::Initialize
           - api: System.Security.Cryptography.SHA256::Create
           - api: System.Security.Cryptography.SHA256Managed::ctor
-        - api: System.Security.Cryptography.HashAlgorithm::ComputeHash
+        - optional:
+          - api: System.Security.Cryptography.HashAlgorithm::ComputeHash
diff --git a/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml b/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml
@@ -4,6 +4,7 @@ rule:
     namespace: data-manipulation/json
     authors:
       - "@johnk3r"
+      - mehunhoff@google.com
     scopes:
       static: file
       dynamic: file
@@ -13,5 +14,5 @@ rule:
       - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173
   features:
     - and:
-      - match: compiled to the .NET platform
-      - string: "Newtonsoft.Json"
+      - format: dotnet
+      - namespace: Newtonsoft.Json
diff --git a/nursery/compiled-from-fsharp.yml b/nursery/compiled-from-fsharp.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: compiled from FSharp
+    namespace: compiler/fsharp
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: file
+      dynamic: file
+  features:
+    - and:
+      - format: dotnet
+      - namespace: Microsoft.FSharp.Core
diff --git a/nursery/decrypt-data-using-aes-via-dotnet.yml b/nursery/decrypt-data-using-aes-via-dotnet.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: decrypt data using AES via .NET
+    namespace: data-manipulation/encryption/aes
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Defense Evasion::Obfuscated Files or Information [T1027]
+    mbc:
+      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
+  features:
+    - and:
+      - format: dotnet
+      - api: System.Security.Cryptography.Aes::Create
+      - api: System.Security.Cryptography.SymmetricAlgorithm::CreateDecryptor
diff --git a/nursery/get-dotnet-assembly-entry-point.yml b/nursery/get-dotnet-assembly-entry-point.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get .NET assembly entry point
+    namespace: load-code/dotnet
+    authors:
+      - mehunhoff@google.com
+    scopes:
+      static: function
+      dynamic: span of calls
+  features:
+    - and:
+      - format: dotnet
+      - property/read: System.Reflection.Assembly::EntryPoint
