refactor(rules): Migrate to ps.pe. fields in rules

rabbitstack · rabbitstack · commit 877ace078c82 · 2026-01-13T18:21:45.000+01:00
diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
@@ -1,6 +1,6 @@
 name: Credentials access from backups via Rundll32
 id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects an attempt to obtain credentials from credential backups.
 labels:
@@ -16,7 +16,7 @@ labels:
 
 condition: >
   spawn_process and
-  (ps.name ~= 'rundll32.exe' or pe.file.name ~= 'rundll32.exe') and
+  (ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and
   (ps.args iin ('keymgr.dll') and ps.args iin ('KRShowKeyMgr'))
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.3
+version: 1.1.4
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
   displays and deletes stored credentials. An adversary may abuse this to list or dump 
@@ -18,7 +18,7 @@ labels:
 
 condition: >
   spawn_process and
-  (ps.name ~= 'VaultCmd.exe' or pe.file.name ~= 'vaultcmd.exe') and
+  (ps.name ~= 'VaultCmd.exe' or ps.pe.file.name ~= 'vaultcmd.exe') and
   ps.cmdline imatches '*/list*'
 
 severity: medium
diff --git a/rules/credential_access_remote_thread_creation_into_lsass.yml b/rules/credential_access_remote_thread_creation_into_lsass.yml
@@ -1,6 +1,6 @@
 name: Remote thread creation into LSASS
 id: e3ce8d6f-c260-48d6-9398-3c1c71726297
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the creation of a remote thread in LSASS (Local Security And Authority Subsystem Service)
   by untrusted or suspicious processes. This may indicate attempts to execute code inside the LSASS process
@@ -19,6 +19,6 @@ labels:
 condition: >
   create_remote_thread and
   evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
-  (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or pe.is_signed = false or pe.is_trusted = false)
+  (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or ps.signature.exists = false or ps.signature.is_trusted = false)
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml
@@ -1,6 +1,6 @@
 name: AppDomain Manager injection via CLR search order hijacking
 id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18
-version: 1.0.5
+version: 1.0.6
 description: |
   Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. 
   The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments 
@@ -27,7 +27,7 @@ references:
 condition: >
   (load_unsigned_or_untrusted_module)
   and ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and
-  pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
+  ps.pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
 
 output: >
   Process %ps.exe loaded untrusted .NET assembly %image.path from suspicious location
diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -25,7 +25,8 @@ condition: >
      thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
     | by file.path
     |(load_dll) and
-     dir(image.path) ~= dir(ps.exe) and pe.cert.subject icontains 'Microsoft' and pe.is_trusted and
+     dir(image.path) ~= dir(ps.exe) and
+     ps.signature.subject icontains 'Microsoft' and ps.signature.is_trusted and
      (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
     | by ps.exe
 
diff --git a/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml b/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml
@@ -1,6 +1,6 @@
 name: DLL Side-Loading via Microsoft Office dropped file
 id: d808175d-c4f8-459d-b17f-ca9a88890c04
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies Microsoft Office process creating a DLL or other variant of an executable object which
   is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious 
@@ -23,8 +23,8 @@ condition: >
      (file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll) and
      ps.name iin msoffice_binaries
     | by file.path
-    |(load_unsigned_or_untrusted_dll)
-     and pe.is_signed = true and ps.name not iin msoffice_binaries and
+    |(load_unsigned_or_untrusted_dll) and
+     ps.name not iin msoffice_binaries and ps.signature.is_trusted = true and
      image.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
      ps.exe not imatches
                 (
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.8
+version: 1.0.9
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -17,7 +17,7 @@ references:
 
 condition: >
   (load_unsigned_or_untrusted_module) and
-  ps.exe != '' and pe.is_dotnet = false and
+  ps.exe != '' and ps.pe.is_dotnet = false and
   (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
   image.path not imatches
                 (
diff --git a/rules/defense_evasion_regsvr32_scriptlet_execution.yml b/rules/defense_evasion_regsvr32_scriptlet_execution.yml
@@ -1,6 +1,6 @@
 name: Regsvr32 scriptlet execution
 id: 128f5254-67c9-43ac-b901-18b3731b1d0b
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies the execution of a scriptlet file by regsvr32.exe process. regsvr32.exe
   allows attackers to run arbitrary scripts to proxy execution of malicious code.
@@ -17,7 +17,7 @@ labels:
 
 condition: >
   spawn_process and
-  (ps.name ~= 'regsvr32.exe' or pe.file.name ~= 'regsvr32.exe') and
+  (ps.name ~= 'regsvr32.exe' or ps.pe.file.name ~= 'regsvr32.exe') and
     (
       (ps.cmdline imatches '*scrobj*' and
        ps.cmdline imatches
diff --git a/rules/defense_evasion_suspicious_html_application_script_execution.yml b/rules/defense_evasion_suspicious_html_application_script_execution.yml
@@ -1,7 +1,7 @@
 name: Suspicious HTML Application script execution
 id: 4ec64ac2-851d-41b4-b7d2-910c21de334d
-version: 1.0.6
-description: |  
+version: 1.0.7
+description: |
   Identifies the execution of scripts via Microsoft HTML Application Host interpreter. Adversaries 
   can proxy the execution of arbitrary script code through a trusted, signed utility to evade defenses.
 labels:
@@ -20,7 +20,7 @@ references:
 
 condition: >
   spawn_process and
-  (ps.name ~= 'mshta.exe' or pe.file.name ~= 'mshta.exe') and
+  (ps.name ~= 'mshta.exe' or ps.pe.file.name ~= 'mshta.exe') and
   ps.cmdline imatches
             (
               '*WScript.Shell*',
diff --git a/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml b/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml
@@ -1,6 +1,6 @@
 name: Suspicious object symbolic link creation
 id: f9306355-1f5f-4a06-9779-195aa681db80
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies the creation of the object symbolic link inside the object manager namespace
   by untrusted or unusual processes.
@@ -19,7 +19,7 @@ references:
 
 condition: >
   create_symbolic_link_object and evt.pid != 4 and
-  (pe.is_signed = false or pe.is_trusted = false or
+  (ps.signature.exists = false or ps.signature.is_trusted = false or
    ps.exe not imatches
               (
                 '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
diff --git a/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml b/rules/defense_evasion_suspicious_windows_defender_exclusions_registry_modification.yml
@@ -1,6 +1,6 @@
 name: Suspicious Windows Defender exclusions registry modification
 id: 92fdbbea-e177-494e-8a6a-d8b055daf0e9
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the modification of the Windows Defender process, path, or IP address registry key exclusions 
   by suspicious processes. Adversaries may alter the Windows Defender exclusions to bypass defenses.
@@ -27,7 +27,7 @@ condition: >
             '?:\\ProgramData\\*'
           ) or
     ps.name iin ('pwsh.exe', 'rundll32.exe', 'regsvr32.exe', 'cscript.exe', 'reg.exe', 'wscript.exe', 'mshta.exe', 'msbuild.exe', 'powershell.exe', 'cmd.exe') or
-    pe.is_signed = false or pe.is_trusted = false
+    ps.signature.exists = false or ps.signature.is_trusted = false
   ) and
   ps.exe not imatches
           (
diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious XSL script execution
 id: 65136b30-14ae-46dd-b8e5-9dfa99690d74
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies a suspicious execution of XSL script via Windows Management Instrumentation command line tool or XSL
   transformation utility. Adversaries may bypass application control and obscure the execution of code by embedding 
@@ -21,7 +21,7 @@ condition: >
   maxspan 3m
   by ps.uuid
     |spawn_process and
-     (((ps.name ~= 'wmic.exe' or pe.file.name ~= 'wmic.exe') and
+     (((ps.name ~= 'wmic.exe' or ps.pe.file.name ~= 'wmic.exe') and
      ps.cmdline imatches ('* format*:*', '*/format*:*', '*-format*:*') and
      ps.cmdline not imatches
                     (
@@ -36,7 +36,7 @@ condition: >
                       '*format:csv*'
                     )
       ) or
-      ps.name ~= 'msxsl.exe' or pe.file.name ~= 'msxsl.exe'
+      ps.name ~= 'msxsl.exe' or ps.pe.file.name ~= 'msxsl.exe'
      )
     |
     |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')|
diff --git a/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml b/rules/defense_evasion_system_binary_proxy_execution_via_rundll32.yml
@@ -1,6 +1,6 @@
 name: System Binary Proxy Execution via Rundll32
 id: 43d76718-cc46-485e-8f47-996eb7a9f83b
-version: 1.0.4
+version: 1.0.5
 description: |
   Detects the execution of rundll32.exe process with suspicious command line
   followed by the creation of a possibly malicious child process.
@@ -25,7 +25,7 @@ condition: >
   sequence
   maxspan 1m
     |spawn_process and
-     (ps.name ~= 'rundll32.exe' or pe.file.name ~= 'rundll32.exe') and
+     (ps.name ~= 'rundll32.exe' or ps.pe.file.name ~= 'rundll32.exe') and
       (
         ps.cmdline imatches
                   (
diff --git a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious execution via WMI from a Microsoft Office process
 id: cc3f0bbe-ec53-40a7-9eed-f0a8a3f7d7fa
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies a suspicious process execution via Windows Management Instrumentation (WMI)
   originated from the Microsoft Office process loading an unusual WMI DLL. This technique
@@ -57,7 +57,7 @@ condition: >
                'wmic.exe',
                'msiexec.exe'
              ) or
-    pe.file.name iin 
+    ps.pe.file.name iin
             (
               'rundll32.exe',
               'regsvr32.exe',
diff --git a/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml b/rules/persistence_script_interpreter_or_untrusted_process_persistence.yml
@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.1.2
+version: 1.1.3
 description: |
   Identifies the script interpreter or untrusted process writing to commonly 
   abused run keys or the Startup folder locations.
@@ -17,7 +17,7 @@ labels:
 
 condition: >
   (((modify_registry) or (create_file)) and evt.pid != 4) and
-  (ps.name in script_interpreters or ps.parent.name in script_interpreters or pe.is_trusted = false) and
+  (ps.name in script_interpreters or ps.parent.name in script_interpreters or ps.signature.is_trusted = false) and
   (registry.path imatches registry_run_keys or file.path imatches startup_locations) and
   not (ps.exe imatches
               (
@@ -35,7 +35,7 @@ condition: >
                 '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe',
                 '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe'
               ) or
-       (pe.is_signed = true and pe.cert.subject imatches '*Microsoft*'))
+       (ps.signature.is_signed = true and ps.signature.subject imatches '*Microsoft*'))
 action:
   - name: kill
 
diff --git a/rules/persistence_suspicious_netsh_helper_dll_execution.yml b/rules/persistence_suspicious_netsh_helper_dll_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious Netsh Helper DLL execution
 id: bd17781d-38ca-4b9a-a12a-f807a1eb45e0
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence 
   by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting 
@@ -25,7 +25,7 @@ condition: >
   maxspan 1m
   by ps.uuid
     |spawn_process and
-     (ps.name ~= 'netsh.exe' or pe.file.name ~= 'netsh.exe')
+     (ps.name ~= 'netsh.exe' or ps.pe.file.name ~= 'netsh.exe')
     |
     |create_thread and
      foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll' and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false))
diff --git a/rules/persistence_suspicious_persistence_via_registry_modification.yml b/rules/persistence_suspicious_persistence_via_registry_modification.yml
@@ -1,6 +1,6 @@
 name: Suspicious persistence via registry modification
 id: 1f496a17-4f0c-491a-823b-7a70adb9919c
-version: 1.0.4
+version: 1.0.5
 description: |
   Adversaries may abuse the registry to achieve persistence
   by modifying the keys that are unlikely modified by legitimate
@@ -21,7 +21,7 @@ condition: >
   (
     (ps.name in script_interpreters or ps.name in ('reg.exe', 'rundll32.exe', 'regsvr32.exe')) or
      ps.exe imatches '?:\\Users\\Public\\*' or
-     pe.is_signed = false or pe.is_trusted = false
+     ps.signature.exists = false or ps.signature.is_trusted = false
   ) and
   registry.path imatches registry_persistence_keys
 
