rabbitstack · rabbitstack · Jan 3, 2026 · Jan 2, 2026 · Jan 2, 2026
diff --git a/pkg/filter/ql/parser_test.go b/pkg/filter/ql/parser_test.go
@@ -20,12 +20,13 @@ package ql
 
 import (
 	"errors"
+	"testing"
+	"time"
+
 	"github.com/rabbitstack/fibratus/pkg/config"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"testing"
-	"time"
 )
 
 func TestParser(t *testing.T) {
@@ -353,7 +354,7 @@ func TestParseSequence(t *testing.T) {
 
 			`by ps.uuid
 			 maxspan 2m
-			 |evt.name = 'CreateProcess'| by ps.child.uuid
+			 |evt.name = 'CreateProcess'| by ps.uuid
 			 |evt.name = 'CreateFile'| by ps.uuid
 			`,
 			errors.New("sequence mixes global and per-expression 'by' statements"),

diff --git a/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml b/rules/defense_evasion_potential_injection_via_dotnet_debugging.yml
@@ -1,6 +1,6 @@
 name: Potential injection via .NET debugging
 id: 193ebf2f-e365-4f57-a639-275b7cdf0319
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies creation of a process on behalf of the CLR debugging facility which may
   be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess
@@ -30,7 +30,7 @@ condition: >
   ps.parent.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
 
 output: >
-  Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection
+  Process %ps.parent.exe attached the .NET debugger to process %ps.exe for potential code injection
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_potential_process_creation_via_shellcode.yml b/rules/defense_evasion_potential_process_creation_via_shellcode.yml
@@ -1,6 +1,6 @@
 name: Potential process creation via shellcode
 id: 7a918532-12d1-4aa2-8c46-8769c67cac07
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the creation of a process with stack frames originating from floating memory area while 
   invoking commonly used Windows API functions like WinExec. This behavior is a typical indicator of 
@@ -21,7 +21,7 @@ condition: >
   thread.callstack.symbols imatches ('kernel32.dll!WinExec*')
 
 output: >
-  Process %ps.child.exe created via potential shellcode injection by process %ps.exe
+  Process %ps.exe created via potential shellcode injection by process %ps.parent.exe
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to the hosts file
 id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
-version: 1.0.5
+version: 1.0.6
 description: >
   Identifies suspicious process accessing the Windows hosts file for potential tampering.
   Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
@@ -34,7 +34,7 @@ action:
   - name: kill
 
 output: >
-  Suspicious process %1.ps.child.exe accessed the hosts file for potential tampering
+  Suspicious process %1.ps.exe accessed the hosts file for potential tampering
 severity: medium
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_html_application_script_execution.yml b/rules/defense_evasion_suspicious_html_application_script_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious HTML Application script execution
 id: 4ec64ac2-851d-41b4-b7d2-910c21de334d
-version: 1.0.5
+version: 1.0.6
 description: |  
   Identifies the execution of scripts via Microsoft HTML Application Host interpreter. Adversaries 
   can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses.
@@ -54,7 +54,7 @@ action:
   - name: kill
 
 output: >
-  Suspicious HTML Application script execution by mshta process with command line arguments %ps.child.cmdline
+  Suspicious HTML Application script execution by mshta process with command line arguments %ps.cmdline
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious XSL script execution
 id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
   transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding 
@@ -42,7 +42,7 @@ condition: >
     |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')|
 
 output: >
-  Suspicious XSL script executed by process %1.ps.child.name with command line arguments %1.ps.child.args
+  Suspicious XSL script executed by process %1.ps.name with command line arguments %1.ps.args
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/initial_access_microsoft_office_file_execution_via_wmi.yml b/rules/initial_access_microsoft_office_file_execution_via_wmi.yml
@@ -1,6 +1,6 @@
 name: Microsoft Office file execution via WMI
 id: 50f6efa2-4d7b-4fb7-b1a9-65c3a24d9152
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the execution via Windows Management Instrumentation (WMI) of the binary file written 
   by the Microsoft Office process. Attackers can exploit WMI to silently execute malicious code.

diff --git a/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml b/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml
@@ -1,6 +1,6 @@
 name: Potential ClickFix infection chain via Run window
 id: ffe1fc54-2893-4760-ab50-51a83bd71d13
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies the execution of the process via the Run command dialog box followed by spawning of the potential 
   infostealer process. 
@@ -42,7 +42,7 @@ action:
   - name: kill
 
 output: >
-  Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline
+  Potential infostealer process %2.ps.exe executed via the Run command window by %1.ps.cmdline
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious execution via WMI from a Microsoft Office process
 id: cc3f0bbe-ec53-40a7-9eed-f0a8a3f7d7fa
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies a suspicious process execution via Windows Management Instrumentation (WMI)
   originated from the Microsoft Office process loading an unusual WMI DLL. This technique
@@ -86,7 +86,7 @@ condition: >
             ))|
 
 output: >
-  Suspicious process %2.ps.child.exe launched via WMI from Microsoft Office process %1.ps.cmdline
+  Suspicious process %2.ps.exe launched via WMI from Microsoft Office process %1.ps.parent.cmdline
 severity: high
 
 min-engine-version: 3.0.0