refactor(rules)!: Transition rules from ps.child.* to ps.* fields

Author: rabbitstack

rules/credential_access_credential_access_from_backups_via_rundll32.yml

@@ -1,6 +1,6 @@
 name: Credentials access from backups via Rundll32
 id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.2
+version: 1.0.3
 description: |
   Detects an attempt to obtain credentials from credential backups.
 labels:
@@ -16,7 +16,7 @@ labels:
 
 condition: >
   spawn_process and
-  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') and
-  (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
+  (ps.name ~= 'rundll32.exe' or pe.file.name ~= 'rundll32.exe') and
+  (ps.args iin ('keymgr.dll') and ps.args iin ('KRShowKeyMgr'))
 
 min-engine-version: 3.0.0

rules/credential_access_credential_discovery_via_vaultcmd.yml

@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.2
+version: 1.1.3
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
   displays and deletes stored credentials. An adversary may abuse this to list or dump 
@@ -18,8 +18,8 @@ labels:
 
 condition: >
   spawn_process and
-  (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe') and
-  ps.child.cmdline imatches '*/list*'
+  (ps.name ~= 'VaultCmd.exe' or pe.file.name ~= 'vaultcmd.exe') and
+  ps.cmdline imatches '*/list*'
 
 severity: medium
 

rules/credential_access_lsass_memory_dump_via_wer.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dump via Windows Error Reporting
 id: 7b4a74e2-c7a7-4c1f-b2ce-0e0273c3add7
-version: 1.0.3
+version: 1.0.5
 description: |
   Adversaries may abuse Windows Error Reporting service to dump LSASS memory.
   The ALPC protocol can send a message to report an exception on LSASS and
@@ -21,7 +21,8 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process and ps.child.name iin ('WerFault.exe', 'WerFaultSecure.exe')| by ps.child.uuid
-    |create_file and file.path icontains 'lsass'| by ps.uuid
+  by ps.uuid
+    |spawn_process and ps.name iin ('WerFault.exe', 'WerFaultSecure.exe')|
+    |create_file and file.path icontains 'lsass'|
 
 min-engine-version: 3.0.0

rules/credential_access_lsass_process_clone_creation_via_reflection.yml

@@ -1,6 +1,6 @@
 name: LSASS process clone creation via reflection
 id: cdf3810a-4832-446a-ac9d-d108cf2e313c
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
   Adversaries can use this technique to dump credentials material from the LSASS fork and evade
@@ -21,7 +21,7 @@ references:
 
 condition: >
   spawn_process and 
-  ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' and
+  ps.name ~= 'lsass.exe' and ps.parent.name ~= 'lsass.exe' and
   thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
 action:
   - name: kill

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.6
+version: 1.0.7
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -19,16 +19,17 @@ references:
 condition: >
   sequence
   maxspan 10m
+  by ps.uuid
     |spawn_process and
-     not (ps.exe imatches
+     not (ps.parent.exe imatches
                 (
                   '?:\\Program Files\\*.exe',
                   '?:\\Program Files (x86)\\*.exe',
                   '?:\\Windows\\System32\\svchost.exe'
                 ) or
-      (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
+      (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
      )
-    | by ps.child.uuid
+    |
     |open_registry and
      registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and
      registry.path not imatches
@@ -65,6 +66,6 @@ condition: >
                   '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
                   '?:\\Windows\\System32\\cleanmgr.exe'
                 )
-      | by ps.uuid
+      |
 
 min-engine-version: 3.0.0

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -21,11 +21,12 @@ references:
 condition: >
   sequence
   maxspan 2m
+  by ps.uuid
     |spawn_process and
      ps.exe != '' and
      not
       (
-        ps.child.exe imatches
+        ps.exe imatches
                     (
                       '?:\\Windows\\System32\\MDMAppInstaller.exe',
                       '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
@@ -35,17 +36,17 @@ condition: >
                       '?:\\Program Files (x86)\\*.exe',
                       '?:\\Windows\\winsxs\\*\\TiWorker.exe'
                     ) or
-        (ps.child.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
-        (ps.child.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
+        (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
+        (ps.exe imatches '?:\\Windows\\System32\\RuntimeBroker.exe') or
         (ps.exe imatches ('?:\\Program Files\\WindowsApps\\Microsoft.*.exe', '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe')) or
-        (ps.child.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.child.args imatches ('-ServerName:*')) or
-        (ps.child.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
-        (ps.child.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or
-        (ps.exe imatches '?:\\Windows\\System32\\services.exe') or
-        (ps.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
+        (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
+        (ps.exe imatches '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe') or
+        (ps.exe imatches '?:\\WINDOWS\\uus\\*\\MoUsoCoreWorker.exe') or
+        (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
+        (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
       )
-    | by ps.child.uuid
-    |load_dll and image.name ~= 'vaultcli.dll'| by ps.uuid
+    |
+    |load_dll and image.name ~= 'vaultcli.dll'|
 
 output: >
   Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting

rules/defense_evasion_dll_loaded_via_callback_function.yml

@@ -1,6 +1,6 @@
 name: DLL loaded via a callback function
 id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
-version: 1.0.3
+version: 1.0.5
 description: |
   Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
   the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
@@ -19,7 +19,8 @@ tags:
 condition: >
   sequence
   maxspan 2m
-   |spawn_process| by ps.child.uuid
+  by ps.uuid
+   |spawn_process|
    |load_dll and image.name iin
                 (
                   'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
@@ -32,7 +33,7 @@ condition: >
                   'ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll',
                   'ntdll.dll|wow64.dll|wow64cpu.dll|wow64.dll|ntdll.dll|kernelbase.dll|ntdll.dll|kernel32.dll|ntdll.dll'
                 )
-   | by ps.uuid
+   |
 
 output: >
   %2.image.path loaded from callback function by process %ps.exe

rules/defense_evasion_potential_injection_via_dotnet_debugging.yml

@@ -1,6 +1,6 @@
 name: Potential injection via .NET debugging
 id: 193ebf2f-e365-4f57-a639-275b7cdf0319
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies creation of a process on behalf of the CLR debugging facility which may
   be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess
@@ -18,16 +18,16 @@ references:
 
 condition: >
   spawn_process and
-  ps.exe != '' and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess') and
-  ps.child.exe not imatches
-                  (
-                    '?:\\Visual Studio\\Common?\\IDE\\devenv.exe',
-                    '?:\\Program Files\\Microsoft Visual Studio\\*.exe',
-                    '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe',
-                    '?:\\Program Files\\IIS Express\\iisexpress.exe',
-                    '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe'
-                  ) and 
-  ps.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
+  ps.parent.exe != '' and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess') and
+  ps.exe not imatches
+            (
+              '?:\\Visual Studio\\Common?\\IDE\\devenv.exe',
+              '?:\\Program Files\\Microsoft Visual Studio\\*.exe',
+              '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe',
+              '?:\\Program Files\\IIS Express\\iisexpress.exe',
+              '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe'
+            ) and 
+  ps.parent.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
 
 output: >
   Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection

rules/defense_evasion_potential_process_doppelganging_injection.yml

@@ -1,6 +1,6 @@
 name: Potential Process Doppelganging
 id: eb34cf6e-ccc3-4bce-bbcf-013720640a28
-version: 1.0.1
+version: 1.0.2
 description: |
   Adversaries may inject malicious code into process via process doppelganging
   in order to evade process-based defenses as well as possibly elevate privileges.
@@ -50,9 +50,8 @@ references:
 condition: >
   sequence
   maxspan 2m
-  by ps.uuid
-    |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')|
-    |spawn_process|
+    |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by ps.uuid
+    |spawn_process| by ps.parent.uuid
 action:
   - name: kill
 

rules/defense_evasion_potential_process_hollowing_injection.yml

@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.6
+version: 1.1.7
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -29,19 +29,20 @@ references:
 condition: >
   sequence
   maxspan 2m
+  by ps.uuid
     |spawn_process and
-     ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
-     ps.exe not imatches
+     ps.parent.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
+     ps.parent.exe not imatches
                 (
                   '?:\\Program Files\\*.exe',
                   '?:\\Program Files (x86)\\*.exe',
                   '?:\\Users\\*\\AppData\\Local\\Programs\\Common\\OneDriveCloud\\taskhostw.exe'
                 )
-    | by ps.child.uuid
+    |
     |unmap_view_of_section and
      file.view.size > 20000 and file.view.protection != 'READONLY' and (length(file.name) = 0 or not ext(file.name) = '.dll')
-    | by ps.uuid
-    |load_executable| by ps.uuid
+    |
+    |load_executable|
 action:
   - name: kill