refactor(rules): Adapt rules to *.path filter fields

All rules referencing file.name/image.name/registry.key.name are adapted to use the new *.path fields. This effectively leads to a breaking change, that's why all
affected rules minimum engine version is bumped.

Author: rabbitstack

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
       '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
@@ -32,4 +32,4 @@ condition: >
       '?:\\Windows\\System32\\lsass.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dump preparation via SilentProcessExit
 id: d325e426-f89a-4f7c-b655-3874dad07986
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may exploit the SilentProcessExit debugging technique to conduct
   LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating
@@ -27,8 +27,8 @@ references:
 condition: >
   modify_registry
     and
-  registry.key.name
+  registry.path
     imatches
   'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_lsass_memory_dump_via_wer.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -22,6 +22,6 @@ condition: >
   sequence
   maxspan 2m
     |spawn_process and ps.child.name in ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
-    |write_minidump_file and file.name icontains 'lsass'| by ps.uuid
+    |write_minidump_file and file.path icontains 'lsass'| by ps.uuid
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_lsass_memory_dumping.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -39,7 +39,7 @@ condition: >
 output: >
   Detected an attempt by `%1.ps.name` process to access and read
   the memory of the **Local Security And Authority Subsystem Service**
-  and subsequently write the `%2.file.name` dump file to the disk device
+  and subsequently write the `%2.file.path` dump file to the disk device
 severity: critical
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.0
+version: 1.0.1
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -30,10 +30,10 @@ condition: >
     | by ps.child.uuid
     |open_registry
       and
-     registry.key.name imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
+     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
       and
       not
-     registry.key.name imatches
+     registry.path imatches
       (
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
@@ -68,4 +68,4 @@ condition: >
        )
       | by ps.uuid
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_suspicious_access_to_active_directory_domain_database.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -19,7 +19,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
       '?:\\WINDOWS\\NTDS\\ntds.dit'
@@ -32,4 +32,4 @@ condition: >
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_suspicious_access_to_unattended_panther_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Unattended Panther files
 id: d305fb15-6ad1-4d61-a84b-ada462f23a55
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies suspicious to access to unattend.xml files where credentials
   are commonly stored within the Panther directory. Adversaries may search local
@@ -19,7 +19,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Windows\\Panther\\Unattend\\Unattended.xml',
       '?:\\Windows\\Panther\\Unattend\\Unattend.xml',
@@ -35,4 +35,4 @@ condition: >
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows DPAPI Master Keys
 id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects suspicious processes accessing the Windows Data Protection API Master keys
   which is a sign of potential credential stealing.
@@ -26,7 +26,7 @@ references:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\Users\\*',
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-5-21*\\*',
@@ -42,4 +42,4 @@ condition: >
       '?:\\Windows\\SysWOW64\\*'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_suspicious_access_to_windows_manager_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Credential Manager files
 id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Credentials\\*',
       '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*'
@@ -31,4 +31,4 @@ condition: >
       '?:\\Windows\\System32\\lsass.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0

rules/credential_access_suspicious_access_to_windows_vault_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   open_file
     and
-  file.name imatches
+  file.path imatches
     (
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Vault\\*\\*',
       '?:\\ProgramData\\Microsoft\\Vault\\*'
@@ -34,4 +34,4 @@ condition: >
       '?:\\Windows\\System32\\svchost.exe'
     )
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0