refactor(rules): Rearrange conditions for lazy file info evaluation

Author: rabbitstack

rules/credential_access_lsass_memory_dumping.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.2.0
+version: 1.2.1
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -32,7 +32,16 @@ condition: >
                   '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
                 )
     |
-    |create_file and (file.extension iin ('.dmp', '.mdmp', '.dump') or is_minidump(file.path))|
+    |create_new_file and
+     file.path not imatches
+                  (
+                    '?:\\$WinREAgent\\Scratch\\*',
+                    '?:\\Windows\\WinSxS\\*',
+                    '?:\\Windows\\CbsTemp\\*',
+                    '?:\\Windows\\SoftwareDistribution\\*'
+                  ) and
+     (file.extension iin ('.dmp', '.mdmp', '.dump') or is_minidump(file.path))
+    |
 
 output: >
   Detected an attempt by `%1.ps.name` process to access and read

rules/credential_access_lsass_process_clone_creation_via_reflection.yml

@@ -1,6 +1,6 @@
 name: LSASS process clone creation via reflection
 id: cdf3810a-4832-446a-ac9d-d108cf2e313c
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
   Adversaries can use this technique to dump credentials material from the LSASS fork and evade
@@ -20,7 +20,7 @@ references:
   - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
 
 condition: >
-  spawn_process and 
+  spawn_process and
   ps.name ~= 'lsass.exe' and ps.parent.name ~= 'lsass.exe' and
   thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
 action:

rules/defense_evasion_dll_sideloading_via_copied_binary.yml

@@ -1,6 +1,6 @@
 name: DLL Side-Loading via a copied binary
 id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
-version: 1.0.6
+version: 1.0.7
 description: |
   Identifies when a binary is copied to a directory and shortly followed
   by the loading of an unsigned DLL from the same directory. Adversaries may
@@ -21,8 +21,9 @@ condition: >
   sequence
   maxspan 8m
     |create_file and
-     file.is_exec and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
-     thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
+     ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and
+     thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*') and
+     (file.extension ~= '.exe' or file.is_exec)
     | by file.path
     |(load_dll) and
      dir(image.path) ~= dir(ps.exe) and

rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml

@@ -1,6 +1,6 @@
 name: DLL Side-Loading via Microsoft Office dropped file
 id: d808175d-c4f8-459d-b17f-ca9a88890c04
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies Microsoft Office process creating a DLL or other variant of an executable object which
   is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious 
@@ -20,8 +20,8 @@ condition: >
   sequence
   maxspan 6m
     |create_file and
-     (file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll) and
-     ps.name iin msoffice_binaries
+     ps.name iin msoffice_binaries and
+     (file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll)
     | by file.path
     |(load_unsigned_or_untrusted_dll) and
      ps.name not iin msoffice_binaries and ps.signature.trusted = true and

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.10
+version: 1.0.11
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -17,14 +17,18 @@ references:
 
 condition: >
   (load_unsigned_or_untrusted_module) and
-  ps.exe != '' and ps.pe.is_dotnet = false and
-  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
   dll.path not imatches
                 (
                   '?:\\Windows\\assembly\\*\\*.ni.dll',
                   '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
-                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll'
+                  '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll',
+                  '?:\\$WinREAgent\\Scratch\\*',
+                  '?:\\Windows\\WinSxS\\*',
+                  '?:\\Windows\\CbsTemp\\*',
+                  '?:\\Windows\\SoftwareDistribution\\*'
                 ) and
+  ps.exe != '' and ps.pe.is_dotnet = false and
+  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
   ps.exe not imatches
                 (
                   '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',

rules/initial_access_execution_via_microsoft_office_process.yml

@@ -1,6 +1,6 @@
 name: Execution via Microsoft Office process
 id: a10ebe66-1b55-4005-a374-840f1e2933a3
-version: 1.0.3
+version: 1.0.4
 description:
   Identifies the execution of the file dropped by Microsoft Office process.
 labels:
@@ -17,7 +17,7 @@ labels:
 condition: >
   sequence
   maxspan 1h
-    |create_file and (file.extension iin executable_extensions or file.is_exec) and ps.name iin msoffice_binaries| by file.path
+    |create_file and ps.name iin msoffice_binaries and (file.extension iin executable_extensions or file.is_exec)| by file.path
     |spawn_process and ps.parent.name iin msoffice_binaries| by ps.exe
 
 min-engine-version: 3.0.0

rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml

@@ -1,6 +1,6 @@
 name: Suspicious DLL loaded by Microsoft Office process
 id: 5868518c-2a83-4b26-ad4b-f14f0b85e744
-version: 1.0.4
+version: 1.0.5
 description:
   Identifies loading of recently dropped DLL by Microsoft Office process.
 labels:
@@ -18,7 +18,8 @@ condition: >
   sequence
   maxspan 1h
     |create_file and
-     (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries and
+     ps.name iin msoffice_binaries and
+     (file.extension iin module_extensions or file.is_dll) and
      file.path not imatches '?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll'
     | by file.name
     |load_module and ps.name iin msoffice_binaries| by module.name

rules/macros/macros.yml

@@ -25,6 +25,9 @@
 - macro: create_file
   expr: evt.name = 'CreateFile' and file.operation != 'OPEN' and file.status = 'Success'
 
+- macro: create_new_file
+  expr: evt.name = 'CreateFile' and file.operation = 'CREATE' and file.status = 'Success'
+
 - macro: rename_file
   expr: evt.name = 'RenameFile'
 

rules/persistence_suspicious_microsoft_office_template.yml

@@ -1,6 +1,6 @@
 name: Suspicious Microsoft Office template
 id: c4be3b30-9d23-4a33-b974-fb12e17487a2
-version: 1.0.4
+version: 1.0.5
 description: |
   Detects when attackers drop macro-enabled files in specific
   folders to trigger their execution every time the victim user
@@ -20,6 +20,7 @@ references:
 
 condition: >
   create_file and
+  ps.name not iin msoffice_binaries and
   file.path imatches
             (
               '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*',
@@ -28,7 +29,6 @@ condition: >
               '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*',
               '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*.otm'
             ) and
-  ps.name not iin msoffice_binaries and
   ps.exe not imatches
             (
               '?:\\Program Files\\*.exe',

rules/persistence_unusual_file_written_in_startup_folder.yml

@@ -1,6 +1,6 @@
 name: Unusual file written in Startup folder
 id: c5ffe15c-d94f-416b-bec7-c47f89843267
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies suspicious files written to the startup folder that would
   allow adversaries to maintain persistence on the endpoint.
@@ -17,8 +17,8 @@ labels:
 
 condition: >
   create_file and
-  (file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') or (file.is_exec or file.is_dll)) and
   file.path imatches startup_locations and
+  (file.extension in ('.vbs', '.js', '.jar', '.exe', '.dll', '.com', '.ps1', '.hta', '.cmd', '.vbe') or (file.is_exec or file.is_dll)) and
   ps.exe not imatches
             (
               '?:\\Windows\\System32\\wuauclt.exe',