refactor(rules): Reformat rules with condensed formatting style

Introduce a new rule formatting style for better
readability and standardization. Generally, the
event type is the first condition in the rule, and
almost always appearing as an isolated condition
on the first line. All binary operators appear at the
end of line, expect the unary not operator.

Author: rabbitstack

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -15,21 +15,19 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
 
 condition: >
-  open_file
-    and
+  open_file and
   file.path imatches
-    (
-      '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
-      '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
-      '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
-    )
-    and
+            (
+              '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+              '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+              '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
+            ) and
   ps.exe not imatches
-    (
-      '?:\\Program Files\\*',
-      '?:\\Program Files (x86)\\*',
-      '?:\\Windows\\System32\\lsass.exe',
-      '?:\\Windows\\System32\\srtasks.exe'
-    )
+            (
+              '?:\\Program Files\\*',
+              '?:\\Program Files (x86)\\*',
+              '?:\\Windows\\System32\\lsass.exe',
+              '?:\\Windows\\System32\\srtasks.exe'
+            )
 
 min-engine-version: 3.0.0

rules/credential_access_credential_access_from_backups_via_rundll32.yml

@@ -1,6 +1,6 @@
 name: Credentials access from backups via Rundll32
 id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects an attempt to obtain credentials from credential backups.
 labels:
@@ -15,10 +15,8 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process
-    and
-  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe')
-    and
+  spawn_process and
+  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') and
   (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
 
 min-engine-version: 3.0.0

rules/credential_access_credential_discovery_via_vaultcmd.yml

@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.1
+version: 1.1.2
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
   displays and deletes stored credentials. An adversary may abuse this to list or dump 
@@ -17,8 +17,8 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process and (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe')
-    and
+  spawn_process and
+  (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe') and
   ps.child.cmdline imatches '*/list*'
 
 severity: medium

rules/credential_access_lsass_handle_leak_via_seclogon.yml

@@ -1,6 +1,6 @@
 name: LSASS handle leak via Seclogon
 id: 5d55c938-875e-49e1-ae53-fa196d4445eb
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
   may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in 
@@ -19,8 +19,8 @@ references:
   - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 
 condition: >
-  open_process and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
-    and
+  open_process and 
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' and
   ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')
 
 severity: high

rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dump via MiniDumpWriteDump
 id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the
   memory via MiniDumpWriteDump API.
@@ -20,8 +20,8 @@ references:
   - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 
 condition: >
-  ((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-    and
+  ((open_process) or (open_thread)) and 
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
   (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))
 action:
   - name: kill

rules/credential_access_lsass_memory_dumping.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -23,15 +23,14 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
-      and
-     evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-      and
+    |open_process and 
+     ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and
+     evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
      ps.exe not imatches
-      (
-        '?:\\Windows\\System32\\svchost.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
-      )
+                (
+                  '?:\\Windows\\System32\\svchost.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+                )
     |
     |write_minidump_file|
 

rules/credential_access_lsass_process_clone_creation_via_reflection.yml

@@ -1,6 +1,6 @@
 name: LSASS process clone creation via reflection
 id: cdf3810a-4832-446a-ac9d-d108cf2e313c
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
   Adversaries can use this technique to dump credentials material from the LSASS fork and evade
@@ -20,8 +20,8 @@ references:
   - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
 
 condition: >
-  spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe'
-    and
+  spawn_process and 
+  ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' and
   thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
 action:
   - name: kill

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.5
+version: 1.0.6
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -19,55 +19,52 @@ references:
 condition: >
   sequence
   maxspan 10m
-    |spawn_process and not (ps.exe imatches
-      (
-        '?:\\Program Files\\*.exe',
-        '?:\\Program Files (x86)\\*.exe',
-        '?:\\Windows\\System32\\svchost.exe'
-      )
-        or
+    |spawn_process and
+     not (ps.exe imatches
+                (
+                  '?:\\Program Files\\*.exe',
+                  '?:\\Program Files (x86)\\*.exe',
+                  '?:\\Windows\\System32\\svchost.exe'
+                ) or
       (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by ps.child.uuid
-    |open_registry
-      and
-     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
-      and
+    |open_registry and
+     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and
      registry.path not imatches
-      (
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
-      )
-      and
+                (
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
+                ) and
      ps.exe not imatches
-      (
-        '?:\\Windows\\System32\\lsass.exe',
-        '?:\\Windows\\System32\\RuntimeBroker.exe',
-        '?:\\Windows\\explorer.exe',
-        '?:\\Windows\\System32\\Taskmgr.exe',
-        '?:\\Windows\\System32\\sihost.exe',
-        '?:\\Windows\\System32\\SearchIndexer.exe',
-        '?:\\Windows\\System32\\SearchProtocolHost.exe',
-        '?:\\Windows\\System32\\svchost.exe',
-        '?:\\Windows\\System32\\services.exe',
-        '?:\\Windows\\System32\\taskhostw.exe',
-        '?:\\Windows\\System32\\backgroundTaskHost.exe',
-        '?:\\Windows\\System32\\WerFault.exe',
-        '?:\\Windows\\System32\\ctfmon.exe',
-        '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
-        '?:\\Windows\\System32\\CompatTelRunner.exe',
-        '?:\\Windows\\System32\\cleanmgr.exe',
-        '?:\\Windows\\System32\\MoUsoCoreWorker.exe',
-        '?:\\Windows\\System32\\lpremove.exe',
-        '?:\\Windows\\System32\\LogonUI.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
-        '?:\\Windows\\System32\\ApplicationFrameHost.exe',
-        '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
-        '?:\\Windows\\System32\\cleanmgr.exe'
-       )
+                (
+                  '?:\\Windows\\System32\\lsass.exe',
+                  '?:\\Windows\\System32\\RuntimeBroker.exe',
+                  '?:\\Windows\\explorer.exe',
+                  '?:\\Windows\\System32\\Taskmgr.exe',
+                  '?:\\Windows\\System32\\sihost.exe',
+                  '?:\\Windows\\System32\\SearchIndexer.exe',
+                  '?:\\Windows\\System32\\SearchProtocolHost.exe',
+                  '?:\\Windows\\System32\\svchost.exe',
+                  '?:\\Windows\\System32\\services.exe',
+                  '?:\\Windows\\System32\\taskhostw.exe',
+                  '?:\\Windows\\System32\\backgroundTaskHost.exe',
+                  '?:\\Windows\\System32\\WerFault.exe',
+                  '?:\\Windows\\System32\\ctfmon.exe',
+                  '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
+                  '?:\\Windows\\System32\\CompatTelRunner.exe',
+                  '?:\\Windows\\System32\\cleanmgr.exe',
+                  '?:\\Windows\\System32\\MoUsoCoreWorker.exe',
+                  '?:\\Windows\\System32\\lpremove.exe',
+                  '?:\\Windows\\System32\\LogonUI.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
+                  '?:\\Windows\\System32\\ApplicationFrameHost.exe',
+                  '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
+                  '?:\\Windows\\System32\\cleanmgr.exe'
+                )
       | by ps.uuid
 
 min-engine-version: 3.0.0

rules/credential_access_remote_thread_creation_into_lsass.yml

@@ -1,6 +1,6 @@
 name: Remote thread creation into LSASS
 id: e3ce8d6f-c260-48d6-9398-3c1c71726297
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the creation of a remote thread in LSASS (Local Security And Authority Subsystem Service)
   by untrusted or suspicious processes. This may indicate attempts to execute code inside the LSASS process
@@ -17,8 +17,8 @@ labels:
    subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
 
 condition: >
-  create_remote_thread and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-    and
+  create_remote_thread and
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
   (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or pe.is_signed = false or pe.is_trusted = false)
 
 min-engine-version: 3.0.0

rules/credential_access_suspicious_access_to_active_directory_domain_database.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -17,18 +17,16 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1003/003/
 
 condition: >
-  open_file
-    and
+  open_file and
   file.path imatches
-    (
-      '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
-      '?:\\WINDOWS\\NTDS\\ntds.dit'
-    )
-    and
+            (
+              '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
+              '?:\\WINDOWS\\NTDS\\ntds.dit'
+            ) and
   ps.exe not imatches
-    (
-      '?:\\Windows\\System32\\lsass.exe',
-      '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
-    )
+            (
+              '?:\\Windows\\System32\\lsass.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+            )
 
 min-engine-version: 3.0.0