get MAC address on Windows

rule:
  meta:
    name: get MAC address on Windows
    namespace: collection/network
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
      - echernofsky@google.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Information Discovery [T1082]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L128
      - https://evasions.checkpoint.com/techniques/network.html#check-if-mac-address-is-specific
    examples:
      - al-khaser_x64.exe_:0x14001A1BC
  features:
    - and:
      - os: windows
      - or:
        - and:
          - api: iphlpapi.GetAdaptersInfo
          - or:
            - offset: 0x194 = IP_ADAPTER_INFO.Address
            - offset: 0x195 = IP_ADAPTER_INFO.Address+1
            - offset: 0x196 = IP_ADAPTER_INFO.Address+2
            - offset: 0x197 = IP_ADAPTER_INFO.Address+3
            - offset: 0x198 = IP_ADAPTER_INFO.Address+4
            - offset: 0x199 = IP_ADAPTER_INFO.Address+5
          - optional:
            - string: "%02X-%02X-%02X-%02X-%02X-%02X"
        - and:
          - api: iphlpapi.GetAdaptersAddresses
          - offset: 0x2C = PhysicalAddress