refactor(rules): Rewrite rules to use unary negation

rules/credential_access_registry_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: Registry access to SAM database
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 2.0.0
+version: 2.0.1
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -26,10 +26,9 @@ condition: >
                   '?:\\Program Files\\*.exe',
                   '?:\\Program Files (x86)\\*.exe',
                   '?:\\Windows\\System32\\svchost.exe'
-                ) or
-      (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') or
-      (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
-     )
+                )) and
+      not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior') and
+      not (ps.exe imatches '?:\\WINDOWS\\system32\\wevtutil.exe' and ps.parent.exe imatches '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe')
     |
     |open_registry and
      registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and

rules/credential_access_suspicious_vault_client_dll_load.yml

@@ -1,6 +1,6 @@
 name: Suspicious Vault client DLL load
 id: 64af2e2e-2309-4079-9c0f-985f1dd930f5
-version: 1.0.6
+version: 1.0.7
 description: |
   Identifies loading of the Vault client DLL by an unusual process. Adversaries can abuse the functions provided 
   by the Credential Vault Client Library to enumerate or harvest saved credentials.
@@ -25,38 +25,37 @@ condition: >
     |spawn_process and
      ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe != '' and
      not (ps.exe imatches
-                (
-                  '?:\\Windows\\System32\\MDMAppInstaller.exe',
-                  '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
-                  '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
-                  '?:\\Windows\\System32\\UCConfigTask.exe',
-                  '?:\\Windows\\System32\\DllHost.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
-                  '?:\\Program Files\\*.exe',
-                  '?:\\Program Files (x86)\\*.exe',
-                  '?:\\Windows\\winsxs\\*\\TiWorker.exe',
-                  '?:\\Windows\\System32\\RuntimeBroker.exe',
-                  '?:\\WINDOWS\\system32\\UCConfigTask.exe',
-                  '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
-                  '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
-                  '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
-                  '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
-                  '?:\\Windows\\System32\\PickerHost.exe',
-                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
-                  '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
-                  '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
-                  '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
-                ) or
-          (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) or
-          (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) or
-          (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') or
-          (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
-        )
+                 (
+                   '?:\\Windows\\System32\\MDMAppInstaller.exe',
+                   '?:\\Windows\\uus\\*\\MoUsoCoreWorker.exe',
+                   '?:\\Windows\\uus\\*\\WaaSMedicAgent.exe',
+                   '?:\\Windows\\System32\\UCConfigTask.exe',
+                   '?:\\Windows\\System32\\DllHost.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework64\\*\\dfsvc.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe',
+                   '?:\\Program Files\\*.exe',
+                   '?:\\Program Files (x86)\\*.exe',
+                   '?:\\Windows\\winsxs\\*\\TiWorker.exe',
+                   '?:\\Windows\\System32\\RuntimeBroker.exe',
+                   '?:\\WINDOWS\\system32\\UCConfigTask.exe',
+                   '?:\\Program Files\\WindowsApps\\Microsoft.*.exe',
+                   '?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework*\\NGenTask.exe',
+                   '?:\\Windows\\SystemApps\\MicrosoftWindows.Client.*\\SearchHost.exe',
+                   '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
+                   '?:\\Windows\\System32\\PickerHost.exe',
+                   '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\SearchHost.exe',
+                   '?:\\WINDOWS\\SystemApps\\MicrosoftWindows.Client.CBS_*\\AppActions.exe',
+                   '?:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework64\\*\\ngen.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe',
+                   '?:\\Windows\\Microsoft.NET\\Framework64\\*\\mscorsvw.exe'
+                 )) and
+     not (ps.exe imatches '?:\\WINDOWS\\System32\\taskhostw.exe' and ps.parent.args intersects ('-k', 'netsvcs', '-p', '-s', 'Schedule')) and
+     not (ps.exe imatches '?:\\WINDOWS\\system32\\BackgroundTaskHost.exe' and ps.args imatches ('-ServerName:*')) and
+     not (ps.parent.exe imatches '?:\\Windows\\System32\\services.exe') and
+     not (ps.parent.exe imatches '?:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe')
     |
     |load_dll and dll.name ~= 'vaultcli.dll'|
 

rules/defense_evasion_potential_shellcode_execution_via_etw_logger_thread.yml

@@ -1,6 +1,6 @@
 name: Potential shellcode execution via ETW logger thread
 id: 3e915273-5ea0-4576-afc9-b018e2d53545
-version: 1.0.2
+version: 1.0.3
 description: |
   Adversaries may employ the undocumented EtwpCreateEtwThread function to execute shellcode 
   within the local process address space.
@@ -22,8 +22,8 @@ condition: >
               (
                 '?:\\WINDOWS\\System32\\ProvTool.exe',
                 '?:\\Windows\\System32\\LogonUI.exe'
-              ) or
-       thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*'))
+              )) and
+  not (thread.callstack.symbols imatches ('ntdll.dll!EtwProcessPrivateLoggerRequest', 'sechost.dll!ControlTrace*'))
 
 output: >
   Potential shellcode execution via EtwpCreateEtwThread API initiated by process %ps.exe

rules/defense_evasion_process_spawned_from_unusual_directory.yml

@@ -1,6 +1,6 @@
 name: Process spawned from unusual directory
 id: eb51aad3-f2ce-4f5a-b8f1-4cfb8d0d141e
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects executions of common utilities or build tools when those binaries
   are launched from suspicious default Windows directories. Attackers often
@@ -96,13 +96,10 @@ condition: >
             '?:\\Windows\\SKB\\*',
             '?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\*'
           ) and
-    not
-      (
-        (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall')) or
-        (ps.name = 'regsvr32.exe' and ps.args imatches ('?:\\Windows\\servicing\\LCU\\Package_for_RollupFix~*')) or
-        (ps.parent.exe imatches '?:\\Windows\\system32\\CompatTelRunner.exe' and ps.parent.args imatches ('*-m:appraiser.dll')) or
-        (ps.exe imatches ('?:\\Program Files\\*\\msbuild.exe', '?:\\Program Files (x86)\\*\\msbuild.exe'))
-      )
+    not (ps.name = 'rundll32.exe' and ps.parent.name = 'svchost.exe' and ps.parent.args iin ('LocalServiceNoNetworkFirewall')) and
+    not (ps.name = 'regsvr32.exe' and ps.args imatches ('?:\\Windows\\servicing\\LCU\\Package_for_RollupFix~*')) and
+    not (ps.parent.exe imatches '?:\\Windows\\system32\\CompatTelRunner.exe' and ps.parent.args imatches ('*-m:appraiser.dll')) and
+    not (ps.exe imatches ('?:\\Program Files\\*\\msbuild.exe', '?:\\Program Files (x86)\\*\\msbuild.exe'))
 action:
   - name: kill
 

rules/defense_evasion_suspicious_child_spawned_via_reflected_process.yml

@@ -1,6 +1,6 @@
 name: Suspicious child spawned via reflected process
 id: 0c71dd48-d238-41bb-9c7e-9ba804e888de
-version: 1.0.0
+version: 1.0.1
 description: |
   Identifies the creation of a child via the clone process by employing the
   RtlCreateProcessReflection or RtlCloneUserProcess API.
@@ -22,12 +22,9 @@ condition: >
   maxspan 5m
     |spawn_process and
      thread.callstack.symbols imatches ('ntdll.dll!RtlCreateProcessReflection', 'ntdll.dll!RtlCloneUserProcess') and
-     not
-      (
-        (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll|wersvc.dll*') or
-        (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll*') or
-        (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile*'))
-      )
+     not (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll|wersvc.dll*') and
+     not (ps.exe imatches ('?:\\Windows\\System32\\WerFault.exe', '?:\\Windows\\SysWOW64\\WerFault.exe') and thread.callstack.summary imatches '*faultrep.dll*') and
+     not (ps.exe imatches '?:\\Windows\\System32\\conhost.exe' and thread.callstack.symbols imatches ('ntdll.dll!*DeviceIoControlFile*'))
     | by ps.uuid
     |spawn_process and
      ps.exe not imatches

rules/defense_evasion_thread_context_set_from_unbacked_memory.yml

@@ -1,6 +1,6 @@
 name: Thread context set from unbacked memory
 id: f8219274-ee68-416b-8489-4d2e635c7844
-version: 1.0.6
+version: 1.0.7
 description: |
   Identifies manipulation of the thread context from unbacked memory region. This may be
   indicative of process injection.
@@ -22,6 +22,6 @@ condition: >
               '?:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe',
               '?:\\Windows\\System32\\taskhostw.exe'
             ) and
-  (ps.exe not imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline not imatches 'go mod tidy -modfile=*.mod')
+  not (ps.exe imatches '?:\\Program Files\\Go\\bin\\go.exe' and ps.cmdline imatches 'go mod tidy -modfile=*.mod')
 
 min-engine-version: 3.0.0

rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml

@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.1.5
+version: 1.1.6
 description: |
   Identifies unsigned DLL injection via remote thread creation.
   Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -28,9 +28,9 @@ condition: >
                 (
                   '?:\\Program Files\\*.exe',
                   '?:\\Program Files (x86)\\*.exe'
-                ) or
-          (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) or
-          (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior'))
+                )) and
+     not (ps.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch')) and
+     not (ps.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
     | by thread.pid
     |(load_unsigned_or_untrusted_dll) and
      dll.path not imatches

rules/persistence_script_interpreter_or_untrusted_process_persistence.yml

@@ -1,6 +1,6 @@
 name: Script interpreter host or untrusted process persistence
 id: cc41ee3a-6e44-4903-85a4-0147ec6a7eea
-version: 1.1.3
+version: 1.1.4
 description: |
   Identifies the script interpreter or untrusted process writing to commonly 
   abused run keys or the Startup folder locations.
@@ -34,8 +34,8 @@ condition: >
                 '?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe',
                 '?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe',
                 '?:\\Users\\*\\AppData\\Local\\Dropbox\\Dropbox.exe'
-              ) or
-       (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*'))
+              )) and
+  not (ps.signature.exists = true and ps.signature.subject imatches '*Microsoft*')
 action:
   - name: kill
 

rules/persistence_suspicious_startup_shell_folder_modification.yml

@@ -1,6 +1,6 @@
 name: Suspicious Startup shell folder modification
 id: 7a4082f6-f7e3-49bd-9514-dbc8dd4e68ad
-version: 1.0.4
+version: 1.0.5
 description: |
   Detects when adversaries attempt to modify the default Startup
   folder path to to circumvent runtime rules that hunt for file
@@ -19,7 +19,7 @@ labels:
 condition: >
   modify_registry and
   registry.path imatches startup_shell_folder_registry_keys and
-  not (registry.data imatches startup_locations or
-       registry.data imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup'))
+  registry.data not imatches startup_locations and
+  registry.data not imatches ('%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup')
 
 min-engine-version: 3.0.0