refactor(rules): Adapt rules and macros to use new module/dll fields

rabbitstack · rabbitstack · commit 4c01cd381a9b · 2026-01-28T11:00:49.000+01:00
diff --git a/rules/credential_access_lsass_access_from_unsigned_executable.yml b/rules/credential_access_lsass_access_from_unsigned_executable.yml
@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
   Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -26,7 +26,7 @@ action:
   - name: kill
 
 output: >
-  Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
+  Unsigned executable %1.module.path attempted to access Local Security Authority Subsystem Service
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_suspicious_vault_client_dll_load.yml b/rules/credential_access_suspicious_vault_client_dll_load.yml
@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -46,7 +46,7 @@ condition: >
         (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
       )
     |
-    |load_dll and image.name ~= 'vaultcli.dll'|
+    |load_dll and dll.name ~= 'vaultcli.dll'|
 
 output: >
   Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting
diff --git a/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml b/rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml
@@ -25,12 +25,12 @@ references:
   - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
 
 condition: >
-  (load_unsigned_or_untrusted_module)
-  and ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and
-  ps.pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
+  (load_unsigned_or_untrusted_module) and
+  ps.exe != '' and ((base(dir(module.path)) ~= base(module.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith module.name)) and
+  ps.pe.is_dotnet and (module.pe.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
 
 output: >
-  Process %ps.exe loaded untrusted .NET assembly %image.path from suspicious location
+  Process %ps.exe loaded untrusted .NET assembly %module.path from suspicious location
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_dll_loaded_via_apc_queue.yml b/rules/defense_evasion_dll_loaded_via_apc_queue.yml
@@ -1,6 +1,6 @@
 name: DLL loaded via APC queue
 id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies loading of a DLL with a callstack originating from the thread
   alertable state that led to the execution of an APC routine. This may be
@@ -16,7 +16,7 @@ references:
   - https://github.com/Idov31/Cronos
 
 condition: >
-  load_dll and image.name iin
+  load_dll and dll.name iin
               (
                 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
                 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
diff --git a/rules/defense_evasion_dll_loaded_via_callback_function.yml b/rules/defense_evasion_dll_loaded_via_callback_function.yml
@@ -1,6 +1,6 @@
 name: DLL loaded via a callback function
 id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
   the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
@@ -21,7 +21,7 @@ condition: >
   maxspan 2m
   by ps.uuid
    |spawn_process|
-   |load_dll and image.name iin
+   |load_dll and dll.name iin
                 (
                   'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
                   'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
@@ -36,7 +36,7 @@ condition: >
    |
 
 output: >
-  %2.image.path loaded from callback function by process %ps.exe
+  %2.module.path loaded from callback function by process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml b/rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml
@@ -1,6 +1,6 @@
 name: DLL loaded via LdrpKernel32 overwrite
 id: 56739eda-210f-4a30-a114-d55ca60976df
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. 
   The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL.
@@ -20,7 +20,7 @@ references:
 condition: >
   (load_unsigned_or_untrusted_dll) and
   thread.callstack.symbols imatches ('*!BaseThreadInitThunk*') and
-  image.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' and
+  dll.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' and
   not foreach(thread._callstack, $frame,
               $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*',
                                       '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*',
@@ -31,7 +31,7 @@ action:
   - name: kill
 
 output: >
-  DLL %image.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe
+  DLL %dll.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_dll_sideloading_via_copied_binary.yml b/rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -25,9 +25,8 @@ condition: >
      thread.callstack.symbols imatches ('*CopyFile*', '*MoveFile*')
     | by file.path
     |(load_dll) and
-     dir(image.path) ~= dir(ps.exe) and
-     ps.signature.subject icontains 'Microsoft' and ps.signature.trusted and
-     (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
+     dir(image.path) ~= dir(ps.exe) and ps.signature.subject icontains 'Microsoft' and ps.signature.trusted and
+     (dll.signature.exists = false or dll.signature.trusted = false)
     | by ps.exe
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml b/rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml
@@ -25,14 +25,14 @@ condition: >
     | by file.path
     |(load_unsigned_or_untrusted_dll) and
      ps.name not iin msoffice_binaries and ps.signature.trusted = true and
-     image.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
+     dll.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
      ps.exe not imatches
                 (
                   '?:\\Windows\\System32\\msiexec.exe',
                   '?:\\Windows\\SysWOW64\\msiexec.exe',
                   '?:\\Windows\\System32\\spoolsv.exe'
                 )
-    | by image.path
+    | by dll.path
 
 output: >
   Suspicious DLL %1.file.path dropped by Microsoft Office process %1.ps.exe and subsequently loaded by process %2.ps.exe
diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -18,8 +18,8 @@ references:
 condition: >
   (load_unsigned_or_untrusted_module) and
   ps.exe != '' and ps.pe.is_dotnet = false and
-  (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
-  image.path not imatches
+  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
+  dll.path not imatches
                 (
                   '?:\\Windows\\assembly\\*\\*.ni.dll',
                   '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
@@ -36,7 +36,7 @@ condition: >
                 )
 
 output: >
-  .NET assembly %image.path loaded by unmanaged process %ps.exe
+  .NET assembly %dll.path loaded by unmanaged process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_image_load_via_ntfs_transaction.yml b/rules/defense_evasion_image_load_via_ntfs_transaction.yml
@@ -1,6 +1,6 @@
 name: Image load via NTFS transaction
 id: ce8de3d0-0768-41a7-bab9-4eca27ed1e3c
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies image loading of a file written to disk via NTFS transaction. Adversaries may exploit 
   the transactional API to execute code in the address space of the running process without committing 
@@ -19,10 +19,10 @@ condition: >
   sequence
   maxspan 2m
     |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by file.name
-    |load_module and evt.pid != 4| by image.name
+    |load_module and evt.pid != 4| by module.name
 
 output: >
-  Image %2.image.name written via transactional NTFS and loaded afterward
+  Image %2.module.name written via transactional NTFS and loaded afterward
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml b/rules/defense_evasion_process_execution_from_hollowed_memory_section.yml
@@ -1,6 +1,6 @@
 name: Process execution from hollowed memory section
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 2.1.0
+version: 2.1.1
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -35,8 +35,8 @@ condition: >
                     )
     | by ps.uuid, file.view.base
     |load_executable and
-     image.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe'
-    | by ps.uuid, image.base.address
+     module.path not imatches '?:\\Windows\\SoftwareDistribution\\Download\\*\\Package_for_RollupFix*\\*.exe'
+    | by ps.uuid, module.base
 action:
   - name: kill
 
diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
@@ -1,6 +1,6 @@
 name: Process execution from a self-deleting binary
 id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies the execution of the process from a self-deleting binary. The attackers can
   abuse undocumented API functions to create a process from a file-backed section. The file 
@@ -36,10 +36,10 @@ condition: >
                   '?:\\Windows\\uus\\packages\\preview\\*'
                 )
     | by file.name
-    |load_module and ext(image.path) != '.dll'| by image.name
+    |load_module and ext(module.path) != '.dll'| by module.name
 
 output: >
-  Process %2.image.path spawned from self-deleting binary
+  Process %2.module.path spawned from self-deleting binary
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_xsl_script_execution.yml b/rules/defense_evasion_suspicious_xsl_script_execution.yml
@@ -39,7 +39,7 @@ condition: >
       ps.name ~= 'msxsl.exe' or ps.pe.file.name ~= 'msxsl.exe'
      )
     |
-    |load_dll and image.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')|
+    |load_dll and dll.name iin ('scrobj.dll', 'vbscript.dll', 'jscript.dll', 'jscript9.dll')|
 
 output: >
   Suspicious XSL script executed by process %1.ps.name with command line arguments %1.ps.args
diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.1.4
+version: 1.1.5
 description: |
   Identifies unsigned DLL injection via remote thread creation.
   Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -33,7 +33,7 @@ condition: >
           (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior'))
     | by thread.pid
     |(load_unsigned_or_untrusted_dll) and
-     image.path not imatches
+     dll.path not imatches
                     (
                       '?:\\Program Files\\Git\\mingw64\\bin\\*.dll',
                       '?:\\Windows\\assembly\\*\\*.ni.dll',
diff --git a/rules/defense_evasion_windows_defender_driver_unloading.yml b/rules/defense_evasion_windows_defender_driver_unloading.yml
@@ -1,6 +1,6 @@
 name: Windows Defender driver unloading
 id: c9b93fbc-8845-4f39-a74b-26862615432c
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys,
   which may indicate an attempt to impair or disable antivirus protections. 
@@ -19,10 +19,10 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
 
 condition: >
-  unload_driver and image.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')
+  unload_driver and module.path imatches ('?:\\Windows\\System32\\drivers\\wd\\*.sys', '?:\\Windows\\System32\\drivers\\Wd*.sys')
 
 output: >
-  Windows Defender driver %image.path unloaded by process %ps.exe
+  Windows Defender driver %module.path unloaded by process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0
diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -1,6 +1,6 @@
 name: Macro execution via script interpreter
 id: 845404de-df6f-472f-bd74-72148a7f5166
-version: 1.0.6
+version: 1.0.7
 description: |
   Identifies the execution of the Windows scripting interpreter spawning
   a Microsoft Office process to execute suspicious Visual Basic macro.
@@ -22,7 +22,7 @@ condition: >
     |spawn_process and ps.parent.name iin script_interpreters and ps.name iin msoffice_binaries|
     |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll' and
      (spawn_process or (create_remote_thread) or (modify_registry) or (create_file) or
-     (load_module and image.path not imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')))
+     (load_module and module.path not imatches ('?:\\Program Files\\*', '?:\\Program Files (x86)\\*')))
     |
 
 min-engine-version: 3.0.0
diff --git a/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml b/rules/initial_access_suspicious_dll_loaded_by_microsoft_office_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious DLL loaded by Microsoft Office process
 id: 5868518c-2a83-4b26-ad4b-f14f0b85e744
-version: 1.0.3
+version: 1.0.4
 description:
   Identifies loading of recently dropped DLL by Microsoft Office process.
 labels:
@@ -21,6 +21,6 @@ condition: >
      (file.extension iin module_extensions or file.is_dll) and ps.name iin msoffice_binaries and
      file.path not imatches '?:\\Program Files\\Microsoft Office\\Root\\Office*\\*.dll'
     | by file.name
-    |load_module and ps.name iin msoffice_binaries| by image.name
+    |load_module and ps.name iin msoffice_binaries| by module.name
 
 min-engine-version: 3.0.0
diff --git a/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml b/rules/initial_access_suspicious_execution_via_wmi_from_microsoft_office_process.yml
@@ -25,7 +25,7 @@ condition: >
   maxspan 1m
   by ps.sid
     |load_dll and
-     image.name iin ('wmiclnt.dll', 'wbemcomn.dll', 'wmiprov.dll', 'wbemprox.dll', 'wmutils.dll', 'fastprox.dll', 'WMINet_Utils.dll')  and
+     dll.name iin ('wmiclnt.dll', 'wbemcomn.dll', 'wmiprov.dll', 'wbemprox.dll', 'wmutils.dll', 'fastprox.dll', 'WMINet_Utils.dll')  and
      (ps.name iin msoffice_binaries or thread.callstack.modules imatches ('*vbe?.dll'))
     |
     |spawn_process and
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -123,68 +123,63 @@
 
 - macro: load_driver
   expr: >
-    (load_module and (image.name iendswith '.sys' or image.is_driver))
+    (load_module and (module.name iendswith '.sys' or module.is_driver))
   description: |
     Detects the loading of the kernel driver. Image load events are published when
     executable images, DLLs, or driver PE objects are loaded.
 
 - macro: unload_driver
-  expr: unload_module and (image.name iendswith '.sys' or image.is_driver)
+  expr: unload_module and (module.name iendswith '.sys' or module.is_driver)
 
 - macro: load_unsigned_module
   expr: >
-    load_module and image.signature.type = 'NONE'
+    load_module and module.signature.exists = false
   description: |
     Detects when unsigned executable or DLL is loaded into process address space.
     The module is considered as unsigned if it lacks the cert in the PE security
     directory or the Authenticode hash is not present in any of the catalogs.
 
 - macro: load_executable
   expr: >
-    load_module and (image.name iendswith '.exe' or image.is_exec)
+    load_module and (module.name iendswith '.exe' or module.is_exec)
 
 - macro: load_dll
   expr: >
-    load_module and (image.name iendswith '.dll' or image.is_dll)
+    load_module and (module.name iendswith '.dll' or module.is_dll)
 
 - macro: load_unsigned_executable
   expr: >
-    load_executable
-      and
-    image.signature.type = 'NONE'
+    load_executable and module.signature.exists = false
 
 - macro: load_untrusted_executable
   expr: >
-    load_executable and
-    (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
+    load_executable and module.signature.trusted = false
   description:
     Detects when untrusted executable is loaded into process address space.
 
 - macro: load_untrusted_dll
   expr: >
-    load_dll and
-    (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
+    load_dll and dll.signature.trusted = false
   description:
     Detects when untrusted DLL is loaded into process address space.
 
 - macro: load_unsigned_module
   expr: >
-    load_module and image.signature.type = 'NONE'
+    load_module and module.signature.exists = false
   description: |
     Detects when unsigned executable or DLL is loaded into process address space.
     The module is considered as unsigned if it lacks the cert in the PE security
     directory or the Authenticode hash is not present in any of the catalogs.
 
 - macro: load_unsigned_dll
   expr: >
-    load_dll and image.signature.type = 'NONE'
+    load_dll and dll.signature.exists = false
   description: |
     Detects when unsigned executable DLL is loaded into process address space.
 
 - macro: load_untrusted_module
   expr: >
-    load_module and
-    (image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
+    load_module and module.signature.trusted = false
   description: |
     Detects when untrusted executable or DLL is loaded into process address space.
     Windows must verify the trust chain by following the certificates to a trusted
diff --git a/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml b/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml
diff --git a/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml b/rules/persistence_network_connection_via_startup_folder_executable_or_script.yml
diff --git a/rules/persistence_suspicious_microsoft_office_addin_loaded.yml b/rules/persistence_suspicious_microsoft_office_addin_loaded.yml
diff --git a/rules/persistence_suspicious_netsh_helper_dll_execution.yml b/rules/persistence_suspicious_netsh_helper_dll_execution.yml
diff --git a/rules/persistence_suspicious_print_processor_loaded.yml b/rules/persistence_suspicious_print_processor_loaded.yml
diff --git a/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml b/rules/privilege_escalation_potential_privilege_escalation_via_phantom_dll_hijacking.yml
diff --git a/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml b/rules/privilege_escalation_vulnerable_or_malicious_driver_loaded.yml
