read file on Windows

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: read file on Windows
    namespace: host-interaction/file-system/read
    authors:
      - moritz.raabe@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - File System::Read File [C0051]
    examples:
      - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B
  features:
    - or:
      - and:
        - os: windows
        - optional:
          - and:
            - number: 0x80000000 = GENERIC_READ
            - match: create or open file
        - or:
          - api: kernel32.ReadFile
          - api: ReadFileEx
          - api: NtReadFile
          - api: ZwReadFile
          - api: LZRead
          - api: _read
          - api: fread

last edited: 2026-03-12 17:41:24