get disk information

rule:
  meta:
    name: get disk information
    namespace: host-interaction/hardware/storage
    authors:
      - moritz.raabe@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Information Discovery [T1082]
    mbc:
      - Discovery::System Information Discovery [E1082]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0
      - 972B219F18379907A045431303F4DA7D:0x41064E
  features:
    - or:
      - api: kernel32.GetDriveType
      - api: kernel32.GetLogicalDrives
      - api: kernel32.GetVolumeInformation
      - api: kernel32.GetVolumeNameForVolumeMountPoint
      - api: kernel32.GetVolumePathNamesForVolumeName
      - api: kernel32.GetLogicalDriveStrings
      - api: kernel32.QueryDosDevice
      - property/read: System.IO.DriveInfo::VolumeLabel
      - property/read: System.IO.DriveInfo::DriveType
      - property/read: System.IO.DriveInfo::DriveFormat
      - property/read: System.IO.DriveInfo::Name