fix(rules): Use the correct form of the not operator

The not operator has two variants. If used in front of
the operator it negates the value of the operator eval.
If used in front of the binary expression, it negates
the entire expression. If not used adequately, this can
introduce issues. So, it is better to standardize the
usage of the not operator and if meant to solely negate
the result of the operator use the lhs not operator rhs
pattern.

Author: rabbitstack

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -24,8 +24,7 @@ condition: >
       '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files (x86)\\*',

rules/credential_access_lsass_memory_dumping.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -27,8 +27,7 @@ condition: >
       and
      kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
       and
-      not
-     ps.exe imatches
+     ps.exe not imatches
       (
         '?:\\Windows\\System32\\svchost.exe',
         '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.2
+version: 1.0.3
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -40,17 +40,15 @@ condition: >
       and
      registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
       and
-      not
-     registry.path imatches
+     registry.path not imatches
       (
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
       )
       and
-      not
-     ps.exe imatches
+     ps.exe not imatches
       (
         '?:\\Windows\\System32\\lsass.exe',
         '?:\\Windows\\System32\\RuntimeBroker.exe',

rules/credential_access_suspicious_access_to_active_directory_domain_database.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -25,8 +25,7 @@ condition: >
       '?:\\WINDOWS\\NTDS\\ntds.dit'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Windows\\System32\\lsass.exe',
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'

rules/credential_access_suspicious_access_to_unattended_panther_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Unattended Panther files
 id: d305fb15-6ad1-4d61-a84b-ada462f23a55
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious to access to unattend.xml files where credentials
   are commonly stored within the Panther directory. Adversaries may search local
@@ -27,8 +27,7 @@ condition: >
       '?:\\Windows\\Panther\\Unattend.xml'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows DPAPI Master Keys
 id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects suspicious processes accessing the Windows Data Protection API Master keys
   which is a sign of potential credential stealing.
@@ -33,8 +33,7 @@ condition: >
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-12-1-*\\*'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_manager_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Credential Manager files
 id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
 labels:
@@ -23,8 +23,7 @@ condition: >
       '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_vault_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -25,8 +25,7 @@ condition: >
     and
   file.extension in vault_extensions
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_unusual_access_to_ssh_keys.yml

@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -17,17 +17,15 @@ labels:
 condition: >
   open_file and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
       '?:\\Windows\\System32\\svchost.exe'
     )
     and
-    not
-  ps.name imatches
+  ps.name not imatches
     (
       'PuTTYNG.exe',
       'putty*.exe',

rules/credential_access_unusual_access_to_windows_credential_history.yml

@@ -1,6 +1,6 @@
 name: Unusual access to Windows Credential history files
 id: 9d94062f-2cf3-407c-bd65-4072fe4b167f
-version: 1.0.2
+version: 1.0.3
 description: |
   Detects unusual accesses to the Windows Credential history file.
   The CREDHIST file contains all previous password-linked master key hashes used by
@@ -20,8 +20,7 @@ labels:
 condition: >
   open_file and file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Windows\\System32\\lsass.exe',