From 0b22cd84b7fda2d336430c8466d00d5f25698b3d Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 25 Mar 2025 21:20:34 +0100
Subject: [PATCH] chore(rules): Format rule conditions

---
 ..._access_credential_discovery_via_vaultcmd.yml | 6 ++----
 ..._dump_preparation_via_silent_process_exit.yml | 8 ++------
 ...spicious_security_package_loaded_by_lsass.yml | 6 ++----
 ...dential_access_unusual_access_to_ssh_keys.yml | 6 ++----
 ...l_access_to_web_browser_credential_stores.yml | 6 ++----
 ...sual_access_to_windows_credential_history.yml | 6 ++----
 ...evasion_dll_sideloading_via_copied_binary.yml | 6 ++----
 ...evasion_process_spawned_via_remote_thread.yml | 9 ++-------
 ...m_macro_enabled_microsoft_office_document.yml | 6 ++----
 ...ss_macro_execution_via_script_interpreter.yml | 15 +++------------
 ...m_macro_enabled_microsoft_office_document.yml | 6 ++----
 ...spicious_microsoft_office_embedded_object.yml | 6 ++----
 ...n_via_startup_folder_executable_or_script.yml | 16 +++------------
 ...erpreter_or_untrusted_process_persistence.yml | 16 +++------------
 ...picious_startup_shell_folder_modification.yml | 6 ++----
 ...unusual_process_modified_registry_run_key.yml | 6 ++----
 16 files changed, 35 insertions(+), 95 deletions(-)

diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
index ac0898ddb..3cc80dcf4 100644
--- a/rules/credential_access_credential_discovery_via_vaultcmd.yml
+++ b/rules/credential_access_credential_discovery_via_vaultcmd.yml
@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd.exe
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.0.0
+version: 1.0.1
 description: |
 Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, displays and deletes stored credentials.
@@ -16,9 +16,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 condition: >
- spawn_process
- and
- ps.child.name ~= 'VaultCmd.exe'
+ spawn_process and ps.child.name ~= 'VaultCmd.exe'
 and
 ps.child.args in (
diff --git a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml
index 2ad2fa726..dcf2248a0 100644
--- a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml
+++ b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump preparation via SilentProcessExit
 id: d325e426-f89a-4f7c-b655-3874dad07986
-version: 1.0.1
+version: 1.0.2
 description: |
 Adversaries may exploit the SilentProcessExit debugging technique to conduct LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating
@@ -25,10 +25,6 @@ references:
 - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2
 condition: >
- modify_registry
- and
- registry.path
- imatches
- 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
+ modify_registry and registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
 min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml
index 1c665324e..1472acec9 100644
--- a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml
+++ b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml
@@ -1,6 +1,6 @@
 name: Suspicious security package DLL loaded
 id: 2c74f176-9a95-4344-a1aa-15aa06e16919
-version: 1.1.0
+version: 1.1.1
 description: |
 Attackers can abuse Windows Security Support Provider and Authentication Packages to dynamically inject a Security Package into the Local Security Authority Subsystem Service
@@ -20,9 +20,7 @@ references:
 - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package
 condition: >
- ps.name ~= 'lsass.exe'
- and
- thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll')
+ ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll')
 and
 (load_unsigned_or_untrusted_module)
diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml
index dc680d3ba..269dd7aee 100644
--- a/rules/credential_access_unusual_access_to_ssh_keys.yml
+++ b/rules/credential_access_unusual_access_to_ssh_keys.yml
@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies access by unusual process to saved SSH keys.
 labels:
@@ -15,9 +15,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/
 condition: >
- open_file
- and
- file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
+ open_file and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
 and
 not ps.exe imatches
diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
index 2cafbbbd1..6eb093b0b 100644
--- a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
+++ b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -15,9 +15,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1555/003/
 condition: >
- open_file
- and
- file.path imatches web_browser_cred_stores
+ open_file and file.path imatches web_browser_cred_stores
 and
 ps.name not iin web_browser_binaries
 and
diff --git a/rules/credential_access_unusual_access_to_windows_credential_history.yml b/rules/credential_access_unusual_access_to_windows_credential_history.yml
index f24a4ded0..e470dc42a 100644
--- a/rules/credential_access_unusual_access_to_windows_credential_history.yml
+++ b/rules/credential_access_unusual_access_to_windows_credential_history.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Windows Credential history files
 id: 9d94062f-2cf3-407c-bd65-4072fe4b167f
-version: 1.0.1
+version: 1.0.2
 description: |
 Detects unusual accesses to the Windows Credential history file. The CREDHIST file contains all previous password-linked master key hashes used by
@@ -18,9 +18,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 condition: >
- open_file
- and
- file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
+ open_file and file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
 and
 not ps.exe imatches
diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
index 6b02811cf..033a9a306 100644
--- a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
+++ b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -1,6 +1,6 @@
 name: DLL Side-Loading via a copied binary
 id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies when a binary is copied to a directory and shortly followed by the loading of an unsigned DLL from the same directory. Adversaries may
@@ -24,9 +24,7 @@ condition: >
 and
 thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
 | by file.path
- |(load_dll) and dir(image.path) ~= dir(ps.exe)
- and
- pe.cert.subject icontains 'Microsoft' and pe.is_trusted
+ |(load_dll) and dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted
 and
 (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
 | by ps.exe
diff --git a/rules/defense_evasion_process_spawned_via_remote_thread.yml b/rules/defense_evasion_process_spawned_via_remote_thread.yml
index 5247c6b87..ac362ddf1 100644
--- a/rules/defense_evasion_process_spawned_via_remote_thread.yml
+++ b/rules/defense_evasion_process_spawned_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Process spawned via remote thread
 id: 9a2c7b40-4e5f-4edf-b02e-79cd33c9a137
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the creation of a process with the parent call stack not revealing normal API functions for process creation. This may be a
@@ -16,12 +16,7 @@ labels:
 condition: >
 spawn_process
 and
- thread.callstack.symbols imatches
- (
- 'ntdll.dll!ZwCreateThreadEx*',
- 'ntdll.dll!NtCreateThreadEx*',
- 'ntdll.dll!RtlCreateUserThread'
- )
+ thread.callstack.symbols imatches ('ntdll.dll!ZwCreateThreadEx*', 'ntdll.dll!NtCreateThreadEx*', 'ntdll.dll!RtlCreateUserThread')
 and
 not thread.callstack.symbols imatches ('*CreateProcess*', '*CreateUserProcess*')
diff --git a/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml
index 6f825fe0b..939e2f389 100644
--- a/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml
+++ b/rules/initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml
@@ -1,6 +1,6 @@
 name: Executable file creation from a macro-enabled Microsoft Office document
 id: fffcce75-2427-406e-9597-1f49b0c9ad5b
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the Microsoft Office process writing an executable file type and the call stack reveals the file creation was originated from the Microsoft
@@ -18,9 +18,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 condition: >
- create_file
- and
- ps.name in msoffice_binaries
+ create_file and ps.name in msoffice_binaries
 and
 thread.callstack.modules imatches 'vbe?.dll'
 and
diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
index 6f57d99a8..ef83078e6 100644
--- a/rules/initial_access_macro_execution_via_script_interpreter.yml
+++ b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -1,6 +1,6 @@
 name: Macro execution via script interpreter
 id: 845404de-df6f-472f-bd74-72148a7f5166
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the execution of the Windows scripting interpreter spawning a Microsoft Office process to execute suspicious Visual Basic macro.
@@ -21,18 +21,9 @@ condition: >
 |spawn_process and ps.parent.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
 |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll'
 and
- (
- spawn_process
+ (spawn_process or (create_remote_thread) or (modify_registry) or (create_file)
 or
- (create_remote_thread)
- or
- (modify_registry)
- or
- (create_file)
- or
- (
- load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')
- )
+ (load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*'))
 )
 | by ps.uuid
diff --git a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
index 5c2cde268..713bdb56e 100644
--- a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
+++ b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
@@ -1,6 +1,6 @@
 name: Process spawned from macro-enabled Microsoft Office document
 id: 47521206-e19d-4608-9dbc-dc3a1df99db5
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies the execution of the child process spawned by Microsoft Office parent process where the call stack contains the Visual Basic
@@ -18,9 +18,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 condition: >
- spawn_process
- and
- ps.name iin msoffice_binaries
+ spawn_process and ps.name iin msoffice_binaries
 and
 (
 thread.callstack.modules imatches ('*vbe?.dll')
diff --git a/rules/initial_access_suspicious_microsoft_office_embedded_object.yml b/rules/initial_access_suspicious_microsoft_office_embedded_object.yml
index 630c50b48..724e262c4 100644
--- a/rules/initial_access_suspicious_microsoft_office_embedded_object.yml
+++ b/rules/initial_access_suspicious_microsoft_office_embedded_object.yml
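Review bot: The first added line of the macro-execution hunk is inconsistently parenthesised: `spawn_process` is bare while `(create_remote_thread)`, `(modify_registry)` and `(create_file)` each keep their own parentheses, whereas the persistence rule in this same commit writes `(modify_registry or create_file)` with bare macro names. Since the commit's purpose is formatting, that line could be normalised to `(spawn_process or create_remote_thread or modify_registry or create_file`, assuming the parentheses around a single macro name carry no meaning for the rule engine. The enclosing condition starts and ends outside the hunk.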
@@ -1,6 +1,6 @@
 name: Suspicious Microsoft Office embedded object
 id: 47368d49-1192-4059-9c55-6bbc4fd1a73a
-version: 1.0.0
+version: 1.0.1
 description: |
 Identifies Microsoft Office processes dropping a file with suspicious extension and with the call stack indicating operations to save or load
@@ -17,9 +17,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 condition: >
- create_file
- and
- ps.name iin msoffice_binaries
+ create_file and ps.name iin msoffice_binaries
 and
 thread.callstack.symbols imatches ('*!OleSaveStream*', '*!OleLoad*', '*!OleCreate*')
 and
diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
index ec3f5ae93..e737ddcc1 100644
--- a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
+++ b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
@@ -1,6 +1,6 @@
 name: Network connection via startup folder executable or script
 id: 09b7278d-42e3-4792-9f00-dee38baecfad
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies the execution of unsigned binary or script from the Startup folder followed by network inbound or outbound connection.
@@ -20,19 +20,9 @@ condition: >
 maxspan 5m
 by ps.uuid
 |
- (
- load_untrusted_executable
- and
- image.path imatches startup_locations
- )
+ (load_untrusted_executable and image.path imatches startup_locations)
 or
- (
- load_executable
- and
- ps.name in script_interpreters
- and
- ps.cmdline imatches startup_locations
- )
+ (load_executable and ps.name in script_interpreters and ps.cmdline imatches startup_locations)
 |
 |((inbound_network) or (outbound_network)) and ps.cmdline imatches startup_locations|
diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
index ffa34b867..14ace3905 100644
--- a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
+++ b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.0.3
+version: 1.0.4
 description: |
 Identifies the script interpreter or untrusted process writing to commonly abused run keys or the Startup folder locations.
@@ -18,19 +18,9 @@ labels:
 condition: >
 (modify_registry or create_file)
 and
- (
- ps.name in script_interpreters
- or
- ps.parent.name in script_interpreters
- or
- pe.is_trusted = false
- )
+ (ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false)
 and
- (
- registry.path imatches registry_run_keys
- or
- file.path imatches startup_locations
- )
+ (registry.path imatches registry_run_keys or file.path imatches startup_locations)
 and
 not ps.exe imatches
diff --git a/rules/persistence_suspicious_startup_shell_folder_modification.yml b/rules/persistence_suspicious_startup_shell_folder_modification.yml
index 86c8b30f1..a864901df 100644
--- a/rules/persistence_suspicious_startup_shell_folder_modification.yml
+++ b/rules/persistence_suspicious_startup_shell_folder_modification.yml
@@ -1,6 +1,6 @@
 name: Suspicious Startup shell folder modification
 id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad
-version: 1.0.1
+version: 1.0.2
 description: |
 Detects when adversaries attempt to modify the default Startup folder path to to circumvent runtime rules that hunt for file
@@ -17,9 +17,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
 condition: >
- modify_registry
- and
- registry.path imatches startup_shell_folder_registry_keys
+ modify_registry and registry.path imatches startup_shell_folder_registry_keys
 and
 not (
diff --git a/rules/persistence_unusual_process_modified_registry_run_key.yml b/rules/persistence_unusual_process_modified_registry_run_key.yml
index 055e8dee8..b96975dec 100644
--- a/rules/persistence_unusual_process_modified_registry_run_key.yml
+++ b/rules/persistence_unusual_process_modified_registry_run_key.yml
@@ -1,6 +1,6 @@
 name: Unusual process modified registry run key
 id: 921508a5-b627-4c02-a295-6c6863c0897b
-version: 1.0.1
+version: 1.0.2
 description: |
 Identifies an attempt by unusual Windows native processes to modify the run key and gain persistence on users logons or machine reboots.
@@ -16,9 +16,7 @@ labels:
 subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
 condition: >
- modify_registry
- and
- ps.exe imatches '?:\\Windows\\*'
+ modify_registry and ps.exe imatches '?:\\Windows\\*'
 and
 registry.path imatches registry_run_keys
 and