From 20d2218df7d48770f8a872a693cbc6b03b5f743b Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Wed, 22 Nov 2023 11:05:26 -0700
Subject: [PATCH] init add of Xamarin rules (#824)

* init add of Xamarin rules
* Update and rename get-system-information-in-dotnet-on-android.yml to get-os-version-in-dotnet-on-android.yml
---
 communication/socket/tcp/create-tcp-socket.yml | 2 ++
 nursery/access-camera-in-dotnet-on-android.yml | 10 ++++++++++
 ...apture-microphone-audio-in-dotnet-on-android.yml | 13 +++++++++++++
 nursery/capture-screenshot-in-dotnet-on-android.yml | 10 ++++++++++
 ...check-for-incoming-call-in-dotnet-on-android.yml | 12 ++++++++++++
 ...check-for-outgoing-call-in-dotnet-on-android.yml | 11 +++++++++++
 nursery/compiled-with-xamarin.yml | 10 ++++++++++
 nursery/get-os-version-in-dotnet-on-android.yml | 10 ++++++++++
 8 files changed, 78 insertions(+)
 create mode 100644 nursery/access-camera-in-dotnet-on-android.yml
 create mode 100644 nursery/capture-microphone-audio-in-dotnet-on-android.yml
 create mode 100644 nursery/capture-screenshot-in-dotnet-on-android.yml
 create mode 100644 nursery/check-for-incoming-call-in-dotnet-on-android.yml
 create mode 100644 nursery/check-for-outgoing-call-in-dotnet-on-android.yml
 create mode 100644 nursery/compiled-with-xamarin.yml
 create mode 100644 nursery/get-os-version-in-dotnet-on-android.yml
diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
index 070e22f4f..936ab0aa7 100644
--- a/communication/socket/tcp/create-tcp-socket.yml
+++ b/communication/socket/tcp/create-tcp-socket.yml
@@ -6,6 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 - joakim@intezer.com
 - anushka.virgaonkar@mandiant.com
+ - michael.hunhoff@mandiant.com
 scope: basic block
 mbc:
 - Communication::Socket Communication::Create TCP Socket [C0001.011]
@@ -21,4 +22,5 @@ rule:
 - api: ws2_32.socket
 - api: ws2_32.WSASocket
 - api: socket
+ - api: System.Net.Sockets.Socket::ctor
 - property/read: System.Net.Sockets.TcpClient::Client
diff --git a/nursery/access-camera-in-dotnet-on-android.yml b/nursery/access-camera-in-dotnet-on-android.yml
new file mode 100644
index 000000000..c2051be09
--- /dev/null
+++ b/nursery/access-camera-in-dotnet-on-android.yml
@@ -0,0 +1,10 @@
+rule:
+ meta:
+ name: access camera in .NET on Android
+ namespace: host-interaction/hardware/camera
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - or:
+ - api: Android.Hardware.Camera::Open
diff --git a/nursery/capture-microphone-audio-in-dotnet-on-android.yml b/nursery/capture-microphone-audio-in-dotnet-on-android.yml
new file mode 100644
index 000000000..802811f36
--- /dev/null
+++ b/nursery/capture-microphone-audio-in-dotnet-on-android.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: capture microphone audio in .NET on Android
+ namespace: collection/microphone
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - and:
+ - api: Android.Media.AudioRecord::StartRecording
+ - optional:
+ - api: Android.Media.AudioRecord::Release
+ - api: Android.Media.AudioRecord::Stop
diff --git a/nursery/capture-screenshot-in-dotnet-on-android.yml b/nursery/capture-screenshot-in-dotnet-on-android.yml
new file mode 100644
index 000000000..7e5bbb149
--- /dev/null
+++ b/nursery/capture-screenshot-in-dotnet-on-android.yml
@@ -0,0 +1,10 @@
+rule:
+ meta:
+ name: capture screenshot in .NET on Android
+ namespace: collection/screenshot
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - or:
+ - api: Android.Media.Projection.MediaProjectionManager::CreateScreenCaptureIntent
diff --git a/nursery/check-for-incoming-call-in-dotnet-on-android.yml b/nursery/check-for-incoming-call-in-dotnet-on-android.yml
new file mode 100644
index 000000000..3c45983ec
--- /dev/null
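Review bot: The added `api: System.Net.Sockets.Socket::ctor` in create-tcp-socket.yml fires for every .NET socket construction, including UDP and raw sockets, because the socket type is only a constructor argument; like the existing `api: socket` it does not by itself establish TCP, so if a sibling UDP rule gains the same line both rules will co-fire on any managed socket creation. The existing `property/read: System.Net.Sockets.TcpClient::Client` is the only TCP-specific .NET feature here, and that asymmetry is worth a short `description:` in `meta:` so analysts reading a match know the constructor hit is protocol-agnostic. The enclosing `features:` list starts outside the hunk.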
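Review bot: The `or:` under `features:` in access-camera-in-dotnet-on-android.yml has a single alternative, so the logic node adds nothing and reads as a leftover; either list `api: Android.Hardware.Camera::Open` directly or widen it, since the legacy `Android.Hardware.Camera` class is deprecated and apps built against camera2 open the device through `Android.Hardware.Camera2.CameraManager::OpenCamera` instead (verify against a sample before adding). The same single-child `or:`/`and:` appears in capture-screenshot-in-dotnet-on-android.yml, compiled-with-xamarin.yml and get-os-version-in-dotnet-on-android.yml. Because these nursery rules carry no `examples:`, a one-line `description:` in each `meta:` stating which API family the rule is meant to catch would make the intended coverage reviewable.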
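Review bot: capture-microphone-audio-in-dotnet-on-android.yml keys only on `api: Android.Media.AudioRecord::StartRecording`, so audio captured through the higher-level recorder path (`Android.Media.MediaRecorder::SetAudioSource` followed by `Android.Media.MediaRecorder::Start`) will not match; an `or:` over both entry points would cover it, to be confirmed against a sample before adding. The `optional:` block with `Release` and `Stop` does not influence matching and appears to document the expected call sequence; stating that in a `description:` makes the intent explicit rather than leaving the reader to infer it.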
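Review bot: `api: Android.Media.Projection.MediaProjectionManager::CreateScreenCaptureIntent` in capture-screenshot-in-dotnet-on-android.yml only builds the consent intent; the frames are actually obtained later, after the user grants the projection, typically through `Android.Media.Projection.MediaProjection::CreateVirtualDisplay`, so with `scope: function` the function that requests permission matches while the one that performs the capture may not. Depending on how the samples split that work (not visible here), an `or:` over both calls, or an `and:` with the virtual-display call under `optional:`, would keep the rule honest to its name.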
+++ b/nursery/check-for-incoming-call-in-dotnet-on-android.yml
@@ -0,0 +1,12 @@
+rule:
+ meta:
+ name: check for incoming call in .NET on Android
+ namespace: host-interaction
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - and:
+ - property/read: Android.Content.Intent::Action
+ - string: "android.intent.action.PHONE_STATE"
+ - property/read: Android.Telephony.TelephonyManager::ExtraStateRinging
diff --git a/nursery/check-for-outgoing-call-in-dotnet-on-android.yml b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml
new file mode 100644
index 000000000..936e49ed1
--- /dev/null
+++ b/nursery/check-for-outgoing-call-in-dotnet-on-android.yml
@@ -0,0 +1,11 @@
+rule:
+ meta:
+ name: check for outgoing call in .NET on Android
+ namespace: host-interaction
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - and:
+ - property/read: Android.Content.Intent::Action
+ - string: "android.intent.action.NEW_OUTGOING_CALL"
diff --git a/nursery/compiled-with-xamarin.yml b/nursery/compiled-with-xamarin.yml
new file mode 100644
index 000000000..a7494eb28
--- /dev/null
+++ b/nursery/compiled-with-xamarin.yml
@@ -0,0 +1,10 @@
+rule:
+ meta:
+ name: compiled with Xamarin
+ namespace: compiler/xamarin
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: file
+ features:
+ - or:
+ - namespace: Xamarin.Essentials
diff --git a/nursery/get-os-version-in-dotnet-on-android.yml b/nursery/get-os-version-in-dotnet-on-android.yml
new file mode 100644
index 000000000..a946512b5
--- /dev/null
+++ b/nursery/get-os-version-in-dotnet-on-android.yml
@@ -0,0 +1,10 @@
+rule:
+ meta:
+ name: get OS version in .NET on Android
+ namespace: host-interaction/os/info
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - and:
+ - class: Android.OS.Build
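Review bot: `property/read: Android.Telephony.TelephonyManager::ExtraStateRinging` in check-for-incoming-call-in-dotnet-on-android.yml may never match if the Xamarin binding exposes that member as a C# `const string`, because the compiler then inlines the value and no property read survives in the IL; confirm against a compiled sample, and if it is inlined match the literal with a `string:` feature instead, as the rule already does for `"android.intent.action.PHONE_STATE"`. Separately, `namespace: host-interaction` here and in check-for-outgoing-call-in-dotnet-on-android.yml is the bare top-level namespace, while the sibling rules use two-level namespaces such as `host-interaction/os/info`; a more specific sub-namespace (placeholder `host-interaction/<subsystem>`) keeps the new rules consistent and findable.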
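Review bot: compiled-with-xamarin.yml detects Xamarin solely through `namespace: Xamarin.Essentials`, which is an optional helper library; a Xamarin.Android app that does not reference it — the other rules in this patch only need the `Android.*` binding namespaces — would not be flagged at all. Adding further Xamarin-specific namespaces as `or:` alternatives, `Xamarin.Forms` being the obvious candidate, would widen coverage, with each one verified against samples so the rule does not start matching non-Xamarin .NET binaries. A `description:` naming which Xamarin flavour the rule targets would also help triage when it fires.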
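Review bot: `class: Android.OS.Build` in get-os-version-in-dotnet-on-android.yml matches any reference to the Build class, so a function that reads `Build.Model` or `Build.Manufacturer` hits just as readily as one that reads the OS version, making the rule broader than its name. The version itself lives under the nested `Android.OS.Build.VERSION` type (`Release`, `SdkInt`), so a `property/read` on one of those — in whatever notation capa uses for nested .NET types, which I cannot confirm from here — would be the precise feature. If the broad match is intended, rename toward the earlier "get system information" wording or say so in a `description:`.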