read file on Windows

rule:
  meta:
    name: read file on Windows
    namespace: host-interaction/file-system/read
    authors:
      - moritz.raabe@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - File System::Read File [C0051]
    examples:
      - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B
  features:
    - or:
      - and:
        - os: windows
        - optional:
          - and:
            - number: 0x80000000 = GENERIC_READ
            - match: create or open file
        - or:
          - api: kernel32.ReadFile
          - api: ReadFileEx
          - api: NtReadFile
          - api: ZwReadFile
          - api: LZRead
          - api: _read
          - api: fread
      - api: System.IO.File::ReadAllBytes
      - api: System.IO.File::ReadAllBytesAsync
      - api: System.IO.File::ReadAllLines
      - api: System.IO.File::ReadAllLinesAsync
      - api: System.IO.File::ReadAllText
      - api: System.IO.File::ReadAllTextAsync
      - api: System.IO.File::ReadLines