refactor(rules): Adapt rules to *.path filter fields

All rules referencing file.name/image.name/registry.key.name are adapted to use the new *.path fields. This effectively leads to a breaking change, that's why all affected rules minimum engine version is bumped.
rabbitstack · Dec 20, 2024 · 0799c5e · 0799c5e
1 parent 0677c5e
commit 0799c5e
Show file tree

Hide file tree

Showing 35 changed files with 114 additions and 114 deletions.
diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml
@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
       '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
@@ -32,4 +32,4 @@ condition: >
       '?:\\Windows\\System32\\lsass.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump preparation via SilentProcessExit
 id: d325e426-f89a-4f7c-b655-3874dad07986
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may exploit the SilentProcessExit debugging technique to conduct
   LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating
@@ -27,8 +27,8 @@ references:
 condition: >
   modify_registry
     and
-  registry.key.name
+  registry.path
     imatches
   'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_lsass_memory_dump_via_wer.yml b/rules/credential_access_lsass_memory_dump_via_wer.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -22,6 +22,6 @@ condition: >
   sequence
   maxspan 2m
     |spawn_process and ps.child.name in ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
-    |write_minidump_file and file.name icontains 'lsass'| by ps.uuid
+    |write_minidump_file and file.path icontains 'lsass'| by ps.uuid
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -39,7 +39,7 @@ condition: >
 output: >
   Detected an attempt by `%1.ps.name` process to access and read
   the memory of the **Local Security And Authority Subsystem Service**
-  and subsequently write the `%2.file.name` dump file to the disk device
+  and subsequently write the `%2.file.path` dump file to the disk device
 severity: critical
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.0
+version: 1.0.1
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -30,10 +30,10 @@ condition: >
     | by ps.child.uuid
     |open_registry
       and
-     registry.key.name imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
+     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
       and
       not
-     registry.key.name imatches
+     registry.path imatches
       (
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
@@ -68,4 +68,4 @@ condition: >
        )
       | by ps.uuid
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -19,7 +19,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
       '?:\\WINDOWS\\NTDS\\ntds.dit'
@@ -32,4 +32,4 @@ condition: >
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Unattended Panther files
 id: d305fb15-6ad1-4d61-a84b-ada462f23a55
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies suspicious to access to unattend.xml files where credentials
   are commonly stored within the Panther directory. Adversaries may search local
@@ -19,7 +19,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Windows\\Panther\\Unattend\\Unattended.xml',
       '?:\\Windows\\Panther\\Unattend\\Unattend.xml',
@@ -35,4 +35,4 @@ condition: >
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml b/rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Windows DPAPI Master Keys
 id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects suspicious processes accessing the Windows Data Protection API Master keys
   which is a sign of potential credential stealing.
@@ -26,7 +26,7 @@ references:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*',
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*',
@@ -42,4 +42,4 @@ condition: >
       '?:\\Windows\\SysWOW64\\*'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_access_to_windows_manager_files.yml b/rules/credential_access_suspicious_access_to_windows_manager_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Credential Manager files
 id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*',
       '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*'
@@ -31,4 +31,4 @@ condition: >
       '?:\\Windows\\System32\\lsass.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_access_to_windows_vault_files.yml b/rules/credential_access_suspicious_access_to_windows_vault_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*',
       '?:\\ProgramData\\Microsoft\\Vault\\*'
@@ -34,4 +34,4 @@ condition: >
       '?:\\Windows\\System32\\svchost.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml
@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches '?:\\Users\\*\\.ssh\\known_hosts'
+  file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
     and
     not
   ps.exe imatches
@@ -37,4 +37,4 @@ condition: >
       'WinSCP.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches web_browser_cred_stores
+  file.path imatches web_browser_cred_stores
     and
   ps.name not iin web_browser_binaries
     and
@@ -31,4 +31,4 @@ condition: >
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpCopyAccelerator.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/credential_access_unusual_access_to_windows_credential_history.yml b/rules/credential_access_unusual_access_to_windows_credential_history.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Windows Credential history files
 id: 9d94062f-2cf3-407c-bd65-4072fe4b167f
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects unusual accesses to the Windows Credential history file.
   The CREDHIST file contains all previous password-linked master key hashes used by
@@ -20,7 +20,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
+  file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
     and
     not
   ps.exe imatches
@@ -31,4 +31,4 @@ condition: >
       '?:\\Windows\\ccmcache\\*.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml
@@ -1,6 +1,6 @@
 name: AppDomain Manager injection via CLR search order hijacking
 id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. 
   The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments 
@@ -25,12 +25,12 @@ references:
   - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
 
 condition: >
-  (load_unsigned_or_untrusted_module) and ((base(dir(image.name)) ~= base(image.name, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith base(image.name, false)))
+  (load_unsigned_or_untrusted_module) and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name))
     and
   pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
 
 output: >
-  Process %ps.exe loaded untrusted .NET assembly %image.name from suspicious location
+  Process %ps.exe loaded untrusted .NET assembly %image.path from suspicious location
 severity: high
 
-min-engine-version: 2.3.0
+min-engine-version: 2.4.0
diff --git a/rules/defense_evasion_clear_eventlog.yml b/rules/defense_evasion_clear_eventlog.yml
@@ -1,6 +1,6 @@
 name: Clear Eventlog
 id: 692d3143-e1fb-4dab-8c9c-3109ff80ec85
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies attempts to clear Windows event log stores. Adversaries attempt to evade detection or 
   destroy forensic evidence on a system to cover their trails and slow down incident response.
@@ -19,11 +19,11 @@ condition: >
   sequence
   maxspan 1m
   by file.object
-    |set_file_information and kevt.pid != 4 and file.info_class = 'EOF' and file.info.eof_size > 50000 and file.name imatches '?:\\Windows\\System32\\winevt\\Logs\\*.evtx'|
+    |set_file_information and kevt.pid != 4 and file.info_class = 'EOF' and file.info.eof_size > 50000 and file.path imatches '?:\\Windows\\System32\\winevt\\Logs\\*.evtx'|
     |set_file_information and file.info_class = 'Allocation' and file.info.allocation_size > 50000|
 
 output: >
-  Windows Eventlog store %1.file.name was cleared
+  Windows Eventlog store %1.file.path was cleared
 severity: medium
 
-min-engine-version: 2.3.0
+min-engine-version: 2.4.0
diff --git a/rules/defense_evasion_dll_loaded_via_apc_queue.yml b/rules/defense_evasion_dll_loaded_via_apc_queue.yml
@@ -1,6 +1,6 @@
 name: DLL loaded via APC queue
 id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies loading of a DLL with a callstack originating from the thread
   alertable state that led to the execution of an APC routine. This may be
@@ -16,7 +16,7 @@ references:
   - https://github.com/Idov31/Cronos
 
 condition: >
-  load_dll and base(image.name) iin 
+  load_dll and image.name iin 
     (
       'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
       'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
@@ -30,4 +30,4 @@ condition: >
     and
   thread.callstack.symbols imatches ('KernelBase.dll!Sleep*')
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0
diff --git a/rules/defense_evasion_dll_loaded_via_callback_function.yml b/rules/defense_evasion_dll_loaded_via_callback_function.yml
@@ -1,6 +1,6 @@
 name: DLL loaded via a callback function
 id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
   the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
@@ -20,7 +20,7 @@ condition: >
   sequence
   maxspan 2m
    |spawn_process| by ps.child.uuid
-   |load_dll and base(image.name) iin 
+   |load_dll and image.name iin 
       (
         'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
         'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
@@ -36,7 +36,7 @@ condition: >
    | by ps.uuid
 
 output: >
-  %2.image.name loaded from callback function by process %ps.exe
+  %2.image.path loaded from callback function by process %ps.exe
 severity: high
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0