chore(rules): Reorder not operators

rabbitstack · rabbitstack · commit 5860f662fa07 · 2024-11-30T22:44:28.000+01:00
Make sure the not operator is placed after the field.
diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -20,7 +20,7 @@ labels:
 condition: >
   sequence
   maxspan 8m
-    |create_file and file.is_exec and not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
+    |create_file and file.is_exec and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
       and
      thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
     | by file.name
diff --git a/rules/defense_evasion_potential_process_hollowing_injection.yml b/rules/defense_evasion_potential_process_hollowing_injection.yml
@@ -29,7 +29,7 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process and not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches 
+    |spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches 
       (
         '?:\\Program Files\\*', 
         '?:\\Program Files (x86)\\*'

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ references:`
`29`	`29`	`condition: >`
`30`	`30`	`sequence`
`31`	`31`	`maxspan 2m`
`32`		`- \|spawn_process and not ps.sid in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches`
	`32`	`+ \|spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches`
`33`	`33`	`(`
`34`	`34`	`'?:\\Program Files\\*',`
`35`	`35`	`'?:\\Program Files (x86)\\*'`