refactor(rules): Adapt rules and macros to use new module/dll fields

Author: rabbitstack

rules/credential_access_lsass_access_from_unsigned_executable.yml

@@ -1,6 +1,6 @@
 name: LSASS access from unsigned executable
 id: 348bf896-2201-444f-b1c9-e957a1f063bf
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS). 
   Adversaries may try to dump credential information stored in the process memory of LSASS.
@@ -26,7 +26,7 @@ action:
   - name: kill
 
 output: >
-  Unsigned executable %1.image.path attempted to access Local Security Authority Subsystem Service
+  Unsigned executable %1.module.path attempted to access Local Security Authority Subsystem Service
 severity: high
 
 min-engine-version: 3.0.0

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -46,7 +46,7 @@ condition: >
         (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
       )
     |
-    |load_dll and image.name ~= 'vaultcli.dll'|
+    |load_dll and dll.name ~= 'vaultcli.dll'|
 
 output: >
   Suspicious process %2.ps.exe loaded the Credential Vault Client DLL for potential credentials harvesting

rules/defense_evasion_appdomain_manager_injection_via_clr_search_order_hijacking.yml

@@ -1,6 +1,6 @@
 name: AppDomain Manager injection via CLR search order hijacking
 id: 9319fafd-b7dc-4d85-b41a-54a8d4f1ab18
-version: 1.0.6
+version: 1.0.7
 description: |
   Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies. 
   The .NET framework uses the AppDomainManager class to create and manage one or more isolated runtime environments 
@@ -25,12 +25,12 @@ references:
   - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
 
 condition: >
-  (load_unsigned_or_untrusted_module)
-  and ps.exe != '' and ((base(dir(image.path)) ~= base(image.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith image.name)) and
-  ps.pe.is_dotnet and (image.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
+  (load_unsigned_or_untrusted_module) and
+  ps.exe != '' and ((base(dir(module.path)) ~= base(module.path, false)) or (ps.envs[APPDOMAIN_MANAGER_ASM] istartswith module.name)) and
+  ps.pe.is_dotnet and (module.pe.is_dotnet or thread.callstack.symbols imatches ('clr.dll!ParseManifest*'))
 
 output: >
-  Process %ps.exe loaded untrusted .NET assembly %image.path from suspicious location
+  Process %ps.exe loaded untrusted .NET assembly %module.path from suspicious location
 severity: high
 
 min-engine-version: 3.0.0

rules/defense_evasion_dll_loaded_via_apc_queue.yml

@@ -1,6 +1,6 @@
 name: DLL loaded via APC queue
 id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies loading of a DLL with a callstack originating from the thread
   alertable state that led to the execution of an APC routine. This may be
@@ -16,7 +16,7 @@ references:
   - https://github.com/Idov31/Cronos
 
 condition: >
-  load_dll and image.name iin
+  load_dll and dll.name iin
               (
                 'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
                 'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',

rules/defense_evasion_dll_loaded_via_callback_function.yml

@@ -1,6 +1,6 @@
 name: DLL loaded via a callback function
 id: c7f46d0a-10b2-421a-b33c-f4df79599f2e
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies module proxying as a method to conceal suspicious callstacks. Adversaries use module proxying
   the hide the origin of the LoadLibrary call from the callstack by loading the library from the callback
@@ -21,7 +21,7 @@ condition: >
   maxspan 2m
   by ps.uuid
    |spawn_process|
-   |load_dll and image.name iin
+   |load_dll and dll.name iin
                 (
                   'winhttp.dll', 'clr.dll', 'bcrypt.dll', 'bcryptprimitives.dll',
                   'wininet.dll', 'taskschd.dll', 'dnsapi.dll', 'coreclr.dll', 'ws2_32.dll',
@@ -36,7 +36,7 @@ condition: >
    |
 
 output: >
-  %2.image.path loaded from callback function by process %ps.exe
+  %2.module.path loaded from callback function by process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0

rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml

@@ -1,6 +1,6 @@
 name: DLL loaded via LdrpKernel32 overwrite
 id: 56739eda-210f-4a30-a114-d55ca60976df
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. 
   The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL.
@@ -20,7 +20,7 @@ references:
 condition: >
   (load_unsigned_or_untrusted_dll) and
   thread.callstack.symbols imatches ('*!BaseThreadInitThunk*') and
-  image.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' and
+  dll.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll' and
   not foreach(thread._callstack, $frame,
               $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*',
                                       '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*',
@@ -31,7 +31,7 @@ action:
   - name: kill
 
 output: >
-  DLL %image.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe
+  DLL %dll.path loaded via LdrpKernel32 overwrite evasion by process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0

rules/defense_evasion_dll_sideloading_via_copied_binary.yml

@@ -1,6 +1,6 @@
 name: DLL Side-Loading via a copied binary
 id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
-version: 1.0.5
+version: 1.0.6
 description: |
   Identifies when a binary is copied to a directory and shortly followed
   by the loading of an unsigned DLL from the same directory. Adversaries may
@@ -27,7 +27,7 @@ condition: >
     |(load_dll) and
      dir(image.path) ~= dir(ps.exe) and
      ps.signature.subject icontains 'Microsoft' and ps.signature.trusted and
-     (image.signature.type = 'NONE' or image.signature.level = 'UNCHECKED' or image.signature.level = 'UNSIGNED')
+     (dll.signature.exists = false or dll.signature.trusted = false)
     | by ps.exe
 
 min-engine-version: 3.0.0

rules/defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml

@@ -1,6 +1,6 @@
 name: DLL Side-Loading via Microsoft Office dropped file
 id: d808175d-c4f8-459d-b17f-ca9a88890c04
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies Microsoft Office process creating a DLL or other variant of an executable object which
   is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious 
@@ -25,14 +25,14 @@ condition: >
     | by file.path
     |(load_unsigned_or_untrusted_dll) and
      ps.name not iin msoffice_binaries and ps.signature.trusted = true and
-     image.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
+     dll.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
      ps.exe not imatches
                 (
                   '?:\\Windows\\System32\\msiexec.exe',
                   '?:\\Windows\\SysWOW64\\msiexec.exe',
                   '?:\\Windows\\System32\\spoolsv.exe'
                 )
-    | by image.path
+    | by dll.path
 
 output: >
   Suspicious DLL %1.file.path dropped by Microsoft Office process %1.ps.exe and subsequently loaded by process %2.ps.exe

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.9
+version: 1.0.10
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -18,8 +18,8 @@ references:
 condition: >
   (load_unsigned_or_untrusted_module) and
   ps.exe != '' and ps.pe.is_dotnet = false and
-  (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
-  image.path not imatches
+  (dll.pe.is_dotnet or thread.callstack.modules imatches ('*clr.dll')) and
+  dll.path not imatches
                 (
                   '?:\\Windows\\assembly\\*\\*.ni.dll',
                   '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
@@ -36,7 +36,7 @@ condition: >
                 )
 
 output: >
-  .NET assembly %image.path loaded by unmanaged process %ps.exe
+  .NET assembly %dll.path loaded by unmanaged process %ps.exe
 severity: high
 
 min-engine-version: 3.0.0

rules/defense_evasion_image_load_via_ntfs_transaction.yml

@@ -1,6 +1,6 @@
 name: Image load via NTFS transaction
 id: ce8de3d0-0768-41a7-bab9-4eca27ed1e3c
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies image loading of a file written to disk via NTFS transaction. Adversaries may exploit 
   the transactional API to execute code in the address space of the running process without committing 
@@ -19,10 +19,10 @@ condition: >
   sequence
   maxspan 2m
     |create_file and thread.callstack.symbols imatches ('kernel32.dll!CreateFileTransacted*', 'ntdll.dll!RtlSetCurrentTransaction')| by file.name
-    |load_module and evt.pid != 4| by image.name
+    |load_module and evt.pid != 4| by module.name
 
 output: >
-  Image %2.image.name written via transactional NTFS and loaded afterward
+  Image %2.module.name written via transactional NTFS and loaded afterward
 severity: high
 
 min-engine-version: 3.0.0