rabbitstack
diff --git a/‎rules/README.md‎
Lines changed: 1 addition & 1 deletion b/‎rules/README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎rules/credentail_access_file_access_to_sam_database.yml‎
Lines changed: 2 additions & 2 deletions b/‎rules/credentail_access_file_access_to_sam_database.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/credential_access_credential_access_from_backups_via_rundll32.yml‎
Lines changed: 2 additions & 2 deletions b/‎rules/credential_access_credential_access_from_backups_via_rundll32.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/credential_access_credential_discovery_via_vaultcmd.yml‎
Lines changed: 2 additions & 2 deletions b/‎rules/credential_access_credential_discovery_via_vaultcmd.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/credential_access_lsass_access_from_unsigned_executable.yml‎
Lines changed: 3 additions & 3 deletions b/‎rules/credential_access_lsass_access_from_unsigned_executable.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎rules/credential_access_lsass_handle_leak_via_seclogon.yml‎
Lines changed: 3 additions & 3 deletions b/‎rules/credential_access_lsass_handle_leak_via_seclogon.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml‎
Lines changed: 2 additions & 2 deletions b/‎rules/credential_access_lsass_memory_dump_preparation_via_silent_process_exit.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml‎
Lines changed: 3 additions & 3 deletions b/‎rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎rules/credential_access_lsass_memory_dump_via_wer.yml‎
Lines changed: 2 additions & 2 deletions b/‎rules/credential_access_lsass_memory_dump_via_wer.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎rules/credential_access_lsass_memory_dumping.yml‎
Lines changed: 3 additions & 3 deletions b/‎rules/credential_access_lsass_memory_dumping.yml‎
Lines changed: 3 additions & 3 deletions
@@ -51,7 +51,7 @@ As highlighted in the previous paragraph, all rules should have the event type c
 
 ### Prefer macros over raw conditions
 
-Fibratus comes with a [macros](https://www.fibratus.io/#/filters/rules?id=macros) library to promote the reusability and modularization of rule conditions and lists. Before trying to spell out a raw rule condition, explore the library to check if there's already a macro you can pull into the rule. For example, detecting file accesses could be accomplished by declaring the `kevt.name = 'CreateFile' and file.operation = 'open'` expression. However, the macro library comes with the `open_file` macro that you can directly call in any rule. If you can't encounter a particular macro in the library, please consider creating it. Future detection engineers and rule writers could profit from those macros.
+Fibratus comes with a [macros](https://www.fibratus.io/#/filters/rules?id=macros) library to promote the reusability and modularization of rule conditions and lists. Before trying to spell out a raw rule condition, explore the library to check if there's already a macro you can pull into the rule. For example, detecting file accesses could be accomplished by declaring the `evt.name = 'CreateFile' and file.operation = 'open'` expression. However, the macro library comes with the `open_file` macro that you can directly call in any rule. If you can't encounter a particular macro in the library, please consider creating it. Future detection engineers and rule writers could profit from those macros.
 
 ### Formatting styles
 
 
@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -32,4 +32,4 @@ condition: >
       '?:\\Windows\\System32\\srtasks.exe'
     )
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: Credentials access from backups via Rundll32
 id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects an attempt to obtain credentials from credential backups.
 labels:
@@ -21,4 +21,4 @@ condition: >
     and
   (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
 
-min-engine-version: 2.0.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.0
+version: 1.1.1
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
   displays and deletes stored credentials. An adversary may abuse this to list or dump 
@@ -23,4 +23,4 @@ condition: >
 
 severity: medium
 
-min-engine-version: 2.0.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
   Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -21,12 +21,12 @@ condition: >
   maxspan 7m
   by ps.uuid
     |load_unsigned_executable|
-    |((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
+    |((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'|
 action:
   - name: kill
 
 output: >
   Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
 severity: high
 
-min-engine-version: 2.2.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS handle leak via Seclogon
 id: 5d55c938-875e-49e1-ae53-fa196d4445eb
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
   may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in 
@@ -19,10 +19,10 @@ references:
   - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 
 condition: >
-  open_process and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
+  open_process and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
     and
   ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')
 
 severity: high
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS memory dump preparation via SilentProcessExit
 id: d325e426-f89a-4f7c-b655-3874dad07986
-version: 1.0.2
+version: 1.0.3
 description: |
   Adversaries may exploit the SilentProcessExit debugging technique to conduct
   LSASS memory dump via WerFault.exe (Windows Error Reporting) binary by creating
@@ -27,4 +27,4 @@ references:
 condition: >
   modify_registry and registry.path imatches 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass*'
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS memory dump via MiniDumpWriteDump
 id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the
   memory via MiniDumpWriteDump API.
@@ -20,7 +20,7 @@ references:
   - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 
 condition: >
-  ((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
+  ((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
     and
   (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))
 action:
@@ -30,4 +30,4 @@ output: >
   LSASS memory dump attempt by process %ps.exe via MiniDumpWriteDump
 severity: high
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.2
+version: 1.0.3
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -24,4 +24,4 @@ condition: >
     |spawn_process and ps.child.name iin ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
     |create_file and file.path icontains 'lsass'| by ps.uuid
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0
@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.2
+version: 1.0.3
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -25,7 +25,7 @@ condition: >
   by ps.uuid
     |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
       and
-     kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
+     evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
       and
      ps.exe not imatches
       (
@@ -41,4 +41,4 @@ output: >
   and subsequently write the `%2.file.path` dump file to the disk device
 severity: critical
 
-min-engine-version: 2.4.0
+min-engine-version: 3.0.0