From 37bc4e9a84ca758c51f447b4e6c15217d1d0e594 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Fri, 2 Jan 2026 17:37:13 +0100 Subject: [PATCH 1/2] fix(rules): Remove ps.child leftovers from rule outputs --- ...fense_evasion_potential_injection_via_dotnet_debugging.yml | 4 ++-- ...fense_evasion_potential_process_creation_via_shellcode.yml | 4 ++-- rules/defense_evasion_suspicious_access_to_the_hosts_file.yml | 4 ++-- ...e_evasion_suspicious_html_application_script_execution.yml | 4 ++-- rules/defense_evasion_suspicious_xsl_script_execution.yml | 4 ++-- ...initial_access_microsoft_office_file_execution_via_wmi.yml | 2 +- ...cess_potential_clickfix_infection_chain_via_run_window.yml | 4 ++-- ...icious_execution_via_wmi_from_microsoft_office_process.yml | 4 ++-- 8 files changed, 15 insertions(+), 15 deletions(-) diff --git a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml index 78cd835da..467d72b75 100644 --- a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml +++ b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml @@ -1,6 +1,6 @@ name: Potential injection via .NET debugging id: 193ebf2f-e365-4f57-a639-275b7cdf0319 -version: 1.0.5 +version: 1.0.6 description: | Identifies creation of a process on behalf of the CLR debugging facility which may be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess @@ -30,7 +30,7 @@ condition: > ps.parent.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe' output: > - Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection + Process %ps.parent.exe attached the .NET debugger to process %ps.exe for potential code injection severity: high min-engine-version: 3.0.0 
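Review bot: The Visual Studio allow-list that sits right above the rewritten output line, `ps.parent.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'`, only covers the 32-bit install root, so on hosts running Visual Studio 2022 or later (64-bit, installed under `Program Files`) legitimate managed debugging will still fire this high-severity rule and erode trust in it. The commit moves the creator into `%ps.parent.exe`, which is the same field the exclusion tests, so this is the moment to make the two agree: `ps.parent.exe not imatches ('?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe', '?:\\Program Files\\Microsoft Visual Studio\\*.exe')` (list form as used elsewhere in this rule set). Keep in mind that any path-based exclusion is only as strong as the ACLs on that directory tree, so do not widen it beyond the vendor root. The `condition` block begins outside this hunk, so the surrounding clauses should be checked for other `ps.exe`/`ps.parent.exe` assumptions the rename did not touch.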
diff --git a/rules/defense_evasion_potential_process_creation_via_shellcode.yml b/rules/defense_evasion_potential_process_creation_via_shellcode.yml index 27adbd0a1..5c51a3faf 100644 --- a/rules/defense_evasion_potential_process_creation_via_shellcode.yml +++ b/rules/defense_evasion_potential_process_creation_via_shellcode.yml @@ -1,6 +1,6 @@ name: Potential process creation via shellcode id: 7a918532-12d1-4aa2-8c46-8769c67cac07 -version: 1.0.2 +version: 1.0.3 description: | Identifies the creation of a process with stack frames originating from floating memory area while invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of @@ -21,7 +21,7 @@ condition: > thread.callstack.symbols imatches ('kernel32.dll!WinExec*') output: > - Process %ps.child.exe created via potential shellcode injection by process %ps.exe + Process %ps.exe created via potential shellcode injection by process %ps.parent.exe severity: high min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml index 965b5824e..5d432159f 100644 --- a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml +++ b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml @@ -1,6 +1,6 @@ name: Suspicious access to the hosts file id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2 -version: 1.0.5 +version: 1.0.6 description: > Identifies suspicious process accessing the Windows hosts file for potential tampering. Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the @@ -34,7 +34,7 @@ action: - name: kill output: > - Suspicious process %1.ps.child.exe accessed the hosts file for potential tampering + Suspicious process %1.ps.exe accessed the hosts file for potential tampering severity: medium min-engine-version: 3.0.0 
diff --git a/rules/defense_evasion_suspicious_html_application_script_execution.yml b/rules/defense_evasion_suspicious_html_application_script_execution.yml index 296bd0339..870bf0d56 100644 --- a/rules/defense_evasion_suspicious_html_application_script_execution.yml +++ b/rules/defense_evasion_suspicious_html_application_script_execution.yml @@ -1,6 +1,6 @@ name: Suspicious HTML Application script execution id: 4ec64ac2-851d-41b4-b7d2-910c21de334d -version: 1.0.5 +version: 1.0.6 description: | Identifies the execution of scripts via Microsoft HTML Application Host interpreter. Adversaries can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses. @@ -54,7 +54,7 @@ action: - name: kill output: > - Suspicious HTML Application script execution by mshta process with command line arguments %ps.child.cmdline + Suspicious HTML Application script execution by mshta process with command line arguments %ps.cmdline severity: high min-engine-version: 3.0.0 diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml index 2d5da5660..7b8753958 100644 --- a/rules/defense_evasion_suspicious_xsl_script_execution.yml +++ b/rules/defense_evasion_suspicious_xsl_script_execution.yml @@ -1,6 +1,6 @@ name: Suspicious XSL script execution id: 65136b30-14ae-46dd-b8e5-9dfa99690d74 -version: 1.0.4 +version: 1.0.5 description: | Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding 
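Review bot: The rewritten output line reports only `%ps.cmdline` and never says which process launched mshta, which is the first thing an analyst needs to triage a LOLBin alert (Office document, browser, scheduled task, and so on). Since this same commit already standardises on `%ps.parent.exe` for the creator in other outputs, consider `Suspicious HTML Application script execution by mshta process (parent %ps.parent.exe) with command line arguments %ps.cmdline`. Note also that inline `vbscript:`/`javascript:` payloads passed to mshta can be several kilobytes long and are fully attacker-controlled, so whichever sink renders this output should be expected to truncate or escape it rather than the rule trying to. The `condition` and `action` sections start before this hunk and were not reviewed here.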
@@ -42,7 +42,7 @@ condition: > |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')| output: > - Suspicious XSL script executed by process %1.ps.child.name with command line arguments %1.ps.child.args + Suspicious XSL script executed by process %1.ps.name with command line arguments %1.ps.args severity: high min-engine-version: 3.0.0 diff --git a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml index da4812181..59dde9bc6 100644 --- a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml +++ b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml @@ -1,6 +1,6 @@ name: Microsoft Office file execution via WMI id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152 -version: 1.0.3 +version: 1.0.4 description: | Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code. diff --git a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml index e96922272..d071d3658 100644 --- a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml +++ b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml @@ -1,6 +1,6 @@ name: Potential ClickFix infection chain via Run window id: ffe1fc54-2893-4760-ab50-51a83bd71d13 -version: 1.0.4 +version: 1.0.5 description: | Identifies the execution of the process via the Run command dialog box followed by spawning of the potential infostealer process. @@ -42,7 +42,7 @@ action: - name: kill output: > - Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline + Potential infostealer process %2.ps.exe executed via the Run command window by %1.ps.cmdline severity: high min-engine-version: 3.0.0 
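Review bot: The rewritten XSL output expands `%1.ps.args`, while every other output touched by this commit uses `ps.cmdline`; unless `ps.args` is deliberately chosen for its list rendering, the inconsistency makes alerts from this rule look different from their siblings and complicates downstream parsing. For consistency consider `Suspicious XSL script executed by process %1.ps.name with command line arguments %1.ps.cmdline`. The sequence condition begins outside this hunk; only the closing `load_dll` expression is visible, so the `%1` reference was not verified against the first expression.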
diff --git a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml index dcbecfd39..bab5186ed 100644 --- a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml +++ b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml @@ -1,6 +1,6 @@ name: Suspicious execution via WMI from a Microsoft Office process id: cc3f0bbe-ec53-40a7-9eed-f0a8a3f7d7fa -version: 1.0.3 +version: 1.0.4 description: | Identifies a suspicious process execution via Windows Management Instrumentation (WMI) originated from the Microsoft Office process loading an unusual WMI DLL. This technique @@ -86,7 +86,7 @@ condition: > ))| output: > - Suspicious process %2.ps.child.exe launched via WMI from Microsoft Office process %1.ps.cmdline + Suspicious process %2.ps.exe launched via WMI from Microsoft Office process %1.ps.parent.cmdline severity: high min-engine-version: 3.0.0 From e998aaec62670a42d7f5dfcd88c61a7a9002584b Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Fri, 2 Jan 2026 17:37:45 +0100 Subject: [PATCH 2/2] fix(test): Remove ps.child.uuid from test rule expression --- pkg/filter/ql/parser_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/filter/ql/parser_test.go b/pkg/filter/ql/parser_test.go index 5e5055c9a..0875d77a1 100644 --- a/pkg/filter/ql/parser_test.go +++ b/pkg/filter/ql/parser_test.go @@ -20,12 +20,13 @@ package ql import ( "errors" + "testing" + "time" + "github.com/rabbitstack/fibratus/pkg/config" "github.com/rabbitstack/fibratus/pkg/filter/fields" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "testing" - "time" ) func TestParser(t *testing.T) { 
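Review bot: The new output line changes `%1.ps.cmdline` to `%1.ps.parent.cmdline`, which does not look like a `ps.child` leftover removal but a semantic change: if the first sequence expression is the DLL-load event inside the Office process, as the rule description states, then `ps` in that expression already is the Office process and the alert will now print the command line of Office's parent (typically the shell) instead. The subject of the commit only covers `ps.child` references, so this edit deserves a second look; if the first expression is indeed the Office-side event, the line should read `Suspicious process %2.ps.exe launched via WMI from Microsoft Office process %1.ps.cmdline`. The condition block is almost entirely outside the hunk (only the closing `))|` is visible), so this is inferred from the description rather than from the expression itself.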
@@ -353,7 +354,7 @@ func TestParseSequence(t *testing.T) { `by ps.uuid maxspan 2m - |evt.name = 'CreateProcess'| by ps.child.uuid + |evt.name = 'CreateProcess'| by ps.uuid |evt.name = 'CreateFile'| by ps.uuid `, errors.New("sequence mixes global and per-expression 'by' statements"),
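Review bot: Replacing `by ps.child.uuid` with `by ps.uuid` keeps this case exercising the "mixes global and per-expression 'by'" error, but the table then loses its only reference to the removed `ps.child.*` family, so nothing asserts that the parser now rejects it. If the `ps.child` fields were removed from the field catalogue, as the patch subject implies, adding a case with `|evt.name = 'CreateProcess'| by ps.child.uuid` that expects the parser's unknown-field error would lock that in and catch a stray alias being reintroduced. The `TestParseSequence` table continues beyond this hunk, so other entries may still need the same sweep.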