rabbitstack · rabbitstack · Feb 13, 2025 · Feb 13, 2025
diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.1
+version: 1.0.2
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -25,7 +25,15 @@ condition: >
         '?:\\Program Files (x86)\\*.exe'
       )
         or
-      (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
+      (ps.child.exe imatches '?:\\Windows\\System32\\svchost.exe' and ps.child.args intersects ('-k', 'DcomLaunch'))
+        or
+      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k defragsvc')
+        or
+      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k netsvcs -p -s BITS')
+        or
+      (ps.child.cmdline imatches '?:\\Windows\\System32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc')
+        or
+      (ps.child.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by ps.child.uuid
     |open_registry

diff --git a/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml b/rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml
@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -31,7 +31,8 @@ condition: >
     not
   ps.exe imatches
     (
-      '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe'
+      '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
+      '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe'
     )
 
 output: >

diff --git a/rules/defense_evasion_process_execution_from_self_deleting_binary.yml b/rules/defense_evasion_process_execution_from_self_deleting_binary.yml
@@ -1,6 +1,6 @@
 name: Process execution from a self-deleting binary
 id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies the execution of the process from a self-deleting binary. The attackers can
   abuse undocumented API functions to create a process from a file-backed section. The file 
@@ -20,13 +20,29 @@ references:
 condition: >
   sequence
   maxspan 1m 
-    |delete_file 
+    |delete_file and file.info.is_disposition_delete_file
+      and
+      not
+     ps.exe imatches 
+      (
+        '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
+        '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe'
+      )
       and 
-    file.info.is_disposition_delete_file
+      not
+     ps.cmdline imatches 
+      (
+        '?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc'
+      )
       and
-    not file.name imatches '?:\\Windows\\SoftwareDistribution\\Download\\*'
+      not 
+     file.path imatches 
+      (
+        '?:\\Windows\\SoftwareDistribution\\Download\\*',
+        '?:\\Windows\\uus\\packages\\preview\\*'
+      )
     | by file.name
-    |load_module| by image.name
+    |load_module and ext(image.path) != '.dll'| by image.name
 
 output: >
   Process %2.image.path spawned from self-deleting binary

diff --git a/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml b/rules/defense_evasion_unsigned_dll_injection_via_remote_thread.yml
@@ -1,6 +1,6 @@
 name: Unsigned DLL injection via remote thread
 id: 21bdd944-3bda-464b-9a72-58fd37ba9163
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies unsigned DLL injection via remote thread creation.
   Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses
@@ -28,13 +28,15 @@ condition: >
         '?:\\Program Files (x86)\\*.exe'
       )
         or
-      (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args iin ('-k', 'DcomLaunch'))
+      (ps.exe imatches 'C:\\Windows\\System32\\svchost.exe' and ps.args intersects ('-k', 'DcomLaunch'))
+        or
+      (ps.cmdline imatches '?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by thread.pid
     |(load_unsigned_or_untrusted_dll)
       and
       not
-     image.name imatches
+     image.path imatches
       (
         '?:\\Program Files\\Git\\mingw64\\bin\\*.dll',
         '?:\\Windows\\assembly\\*\\*.ni.dll',
@@ -43,4 +45,4 @@ condition: >
       )
     | by ps.pid
 
-min-engine-version: 2.0.0
+min-engine-version: 2.4.0