rabbitstack · rabbitstack · Mar 26, 2025 · Mar 25, 2025
diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd.exe
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials.
   VaultCmd creates, displays and deletes stored credentials.
@@ -16,9 +16,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process
-    and
-  ps.child.name ~= 'VaultCmd.exe'
+  spawn_process and ps.child.name ~= 'VaultCmd.exe'
     and
   ps.child.args in
     (

diff --git a/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml b/rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump preparation via SilentProcessExit
 id: d325e426-f89a-4f7c-b655-3874dad07986
-version: 1.0.1
+version: 1.0.2
 description: |
   Adversaries may exploit the SilentProcessExit debugging technique to conduct
   LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating
@@ -25,10 +25,6 @@ references:
   - https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2
 
 condition: >
-  modify_registry
-    and
-  registry.path
-    imatches
-  'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
+  modify_registry and registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
 
 min-engine-version: 2.4.0
diff --git a/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml b/rules/credential_access_suspicious_security_package_loaded_by_lsass.yml
@@ -1,6 +1,6 @@
 name: Suspicious security package DLL loaded
 id: 2c74f176-9a95-4344-a1aa-15aa06e16919
-version: 1.1.0
+version: 1.1.1
 description: |
   Attackers can abuse Windows Security Support Provider and Authentication Packages to
   dynamically inject a Security Package into the Local Security Authority Subsystem Service
@@ -20,9 +20,7 @@ references:
   - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package
 
 condition: >
-  ps.name ~= 'lsass.exe'
-    and
-  thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll')
+  ps.name ~= 'lsass.exe' and thread.callstack.modules imatches ('?:\\Windows\\System32\\sspisrv.dll')
     and
   (load_unsigned_or_untrusted_module)
 

diff --git a/rules/credential_access_unusual_access_to_ssh_keys.yml b/rules/credential_access_unusual_access_to_ssh_keys.yml
@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -15,9 +15,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/
 
 condition: >
-  open_file
-    and
-  file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
+  open_file and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
     and
     not
   ps.exe imatches

diff --git a/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml b/rules/credential_access_unusual_access_to_web_browser_credential_stores.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Web Browser Credential stores
 id: 9d889b2b-ca13-4a04-8919-ff1151f23a71
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access to Web Browser Credential stores by unusual processes.
 labels:
@@ -15,9 +15,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/003/
 
 condition: >
-  open_file
-    and
-  file.path imatches web_browser_cred_stores
+  open_file and file.path imatches web_browser_cred_stores
     and
   ps.name not iin web_browser_binaries
     and

diff --git a/rules/credential_access_unusual_access_to_windows_credential_history.yml b/rules/credential_access_unusual_access_to_windows_credential_history.yml
@@ -1,6 +1,6 @@
 name: Unusual access to Windows Credential history files
 id: 9d94062f-2cf3-407c-bd65-4072fe4b167f
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects unusual accesses to the Windows Credential history file.
   The CREDHIST file contains all previous password-linked master key hashes used by
@@ -18,9 +18,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  open_file
-    and
-  file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
+  open_file and file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
     and
     not
   ps.exe imatches

diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -1,6 +1,6 @@
 name: DLL Side-Loading via a copied binary
 id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies when a binary is copied to a directory and shortly followed
   by the loading of an unsigned DLL from the same directory. Adversaries may
@@ -24,9 +24,7 @@ condition: >
       and
      thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
     | by file.path
-    |(load_dll) and dir(image.path) ~= dir(ps.exe)
-      and
-     pe.cert.subject icontains 'Microsoft' and pe.is_trusted
+    |(load_dll) and dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted
       and
      (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
     | by ps.exe

diff --git a/rules/defense_evasion_process_spawned_via_remote_thread.yml b/rules/defense_evasion_process_spawned_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Process spawned via remote thread
 id: 9a2c7b40-4e5f-4edf-b02e-79cd33c9a137
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the creation of a process with the parent call stack not
   revealing normal API functions for process creation. This may be a
@@ -16,12 +16,7 @@ labels:
 condition: >
   spawn_process
     and
-  thread.callstack.symbols imatches
-    (
-      'ntdll.dll!ZwCreateThreadEx*',
-      'ntdll.dll!NtCreateThreadEx*',
-      'ntdll.dll!RtlCreateUserThread'
-    )
+  thread.callstack.symbols imatches ('ntdll.dll!ZwCreateThreadEx*', 'ntdll.dll!NtCreateThreadEx*', 'ntdll.dll!RtlCreateUserThread')
     and
     not
   thread.callstack.symbols imatches ('*CreateProcess*', '*CreateUserProcess*')

diff --git a/.../initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml b/.../initial_access_executable_file_creation_from_macro_enabled_microsoft_office_document.yml
@@ -1,6 +1,6 @@
 name: Executable file creation from a macro-enabled Microsoft Office document
 id: fffcce75-2427-406e-9597-1f49b0c9ad5b
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the Microsoft Office process writing an executable file type and
   the call stack reveals the file creation was originated from the Microsoft
@@ -18,9 +18,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 
 condition: >
-  create_file
-    and
-  ps.name in msoffice_binaries
+  create_file and ps.name in msoffice_binaries
     and
   thread.callstack.modules imatches 'vbe?.dll'
     and

diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -1,6 +1,6 @@
 name: Macro execution via script interpreter
 id: 845404de-df6f-472f-bd74-72148a7f5166
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the execution of the Windows scripting interpreter spawning
   a Microsoft Office process to execute suspicious Visual Basic macro.
@@ -21,18 +21,9 @@ condition: >
     |spawn_process and ps.parent.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
     |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll'
       and
-     (
-      spawn_process
+     (spawn_process or (create_remote_thread) or (modify_registry) or (create_file)
         or
-      (create_remote_thread)
-        or
-      (modify_registry)
-        or
-      (create_file)
-        or
-      (
-        load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')
-      )
+      (load_module and not image.name imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*'))
      )
     | by ps.uuid
 

diff --git a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
@@ -1,6 +1,6 @@
 name: Process spawned from macro-enabled Microsoft Office document
 id: 47521206-e19d-4608-9dbc-dc3a1df99db5
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the execution of the child process spawned by Microsoft
   Office parent process where the call stack contains the Visual Basic
@@ -18,9 +18,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 
 condition: >
-  spawn_process
-    and
-  ps.name iin msoffice_binaries
+  spawn_process and ps.name iin msoffice_binaries
     and
   (
     thread.callstack.modules imatches ('*vbe?.dll')

diff --git a/rules/initial_access_suspicious_microsoft_office_embedded_object.yml b/rules/initial_access_suspicious_microsoft_office_embedded_object.yml
@@ -1,6 +1,6 @@
 name: Suspicious Microsoft Office embedded object
 id: 47368d49-1192-4059-9c55-6bbc4fd1a73a
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies Microsoft Office processes dropping a file with suspicious
   extension and with the call stack indicating operations to save or load
@@ -17,9 +17,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
 
 condition: >
-  create_file
-    and
-  ps.name iin msoffice_binaries
+  create_file and ps.name iin msoffice_binaries
     and
   thread.callstack.symbols imatches ('*!OleSaveStream*', '*!OleLoad*', '*!OleCreate*')
     and

diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
@@ -1,6 +1,6 @@
 name: Network connection via startup folder executable or script
 id: 09b7278d-42e3-4792-9f00-dee38baecfad
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies the execution of unsigned binary or script from the
   Startup folder followed by network inbound or outbound connection.
@@ -20,19 +20,9 @@ condition: >
   maxspan 5m
   by ps.uuid
     |
-      (
-        load_untrusted_executable
-          and
-        image.path imatches startup_locations
-      )
+      (load_untrusted_executable and image.path imatches startup_locations)
         or
-      (
-        load_executable
-          and
-        ps.name in script_interpreters
-          and
-        ps.cmdline imatches startup_locations
-      )
+      (load_executable and ps.name in script_interpreters and ps.cmdline imatches startup_locations)
     |
     |((inbound_network) or (outbound_network)) and ps.cmdline imatches startup_locations|
 

diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the script interpreter or untrusted process writing
   to commonly abused run keys or the Startup folder locations.
@@ -18,19 +18,9 @@ labels:
 condition: >
   (modify_registry or create_file)
     and
-  (
-    ps.name in script_interpreters
-      or
-    ps.parent.name in script_interpreters
-      or
-    pe.is_trusted = false
-  )
+  (ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false)
     and
-  (
-    registry.path imatches registry_run_keys
-      or
-    file.path imatches startup_locations
-  )
+  (registry.path imatches registry_run_keys or file.path imatches startup_locations)
     and
     not
   ps.exe imatches

diff --git a/rules/persistence_suspicious_startup_shell_folder_modification.yml b/rules/persistence_suspicious_startup_shell_folder_modification.yml
@@ -1,6 +1,6 @@
 name: Suspicious Startup shell folder modification
 id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects when adversaries attempt to modify the default Startup
   folder path to to circumvent runtime rules that hunt for file
@@ -17,9 +17,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
 
 condition: >
-  modify_registry
-    and
-  registry.path imatches startup_shell_folder_registry_keys
+  modify_registry and registry.path imatches startup_shell_folder_registry_keys
     and
     not
   (

diff --git a/rules/persistence_unusual_process_modified_registry_run_key.yml b/rules/persistence_unusual_process_modified_registry_run_key.yml
@@ -1,6 +1,6 @@
 name: Unusual process modified registry run key
 id: 921508a5-b627-4c02-a295-6c6863c0897b
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies an attempt by unusual Windows native processes to modify
   the run key and gain persistence on users logons or machine reboots.
@@ -16,9 +16,7 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1547/001/
 
 condition: >
-  modify_registry
-    and
-  ps.exe imatches '?:\\Windows\\*'
+  modify_registry and ps.exe imatches '?:\\Windows\\*'
     and
   registry.path imatches registry_run_keys
     and