fix(rules): Rearrange the not operator in binary expressions

pkg/filter/ql/expr.go

@@ -81,9 +81,8 @@ type NotExpr struct {
 // String returns a string representation of the not expression.
 func (e *NotExpr) String() string {
 	var b strings.Builder
-	b.Grow(len(e.Expr.String()) + 2)
-	b.WriteRune('(')
+	b.Grow(len(e.Expr.String()) + 4)
+	b.WriteString("NOT ")
 	b.WriteString(e.Expr.String())
-	b.WriteRune(')')
 	return b.String()
 }

rules/credentail_access_file_access_to_sam_database.yml

@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -24,8 +24,7 @@ condition: >
       '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files (x86)\\*',

rules/credential_access_lsass_memory_dumping.yml

@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -27,8 +27,7 @@ condition: >
       and
      kevt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
       and
-      not
-     ps.exe imatches
+     ps.exe not imatches
       (
         '?:\\Windows\\System32\\svchost.exe',
         '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'

rules/credential_access_potential_sam_hive_dumping.yml

@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.2
+version: 1.0.3
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -40,17 +40,15 @@ condition: >
       and
      registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
       and
-      not
-     registry.path imatches
+     registry.path not imatches
       (
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
         'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
       )
       and
-      not
-     ps.exe imatches
+     ps.exe not imatches
       (
         '?:\\Windows\\System32\\lsass.exe',
         '?:\\Windows\\System32\\RuntimeBroker.exe',

rules/credential_access_suspicious_access_to_active_directory_domain_database.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -25,8 +25,7 @@ condition: >
       '?:\\WINDOWS\\NTDS\\ntds.dit'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Windows\\System32\\lsass.exe',
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'

rules/credential_access_suspicious_access_to_unattended_panther_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Unattended Panther files
 id: d305fb15-6ad1-4d61-a84b-ada462f23a55
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious to access to unattend.xml files where credentials
   are commonly stored within the Panther directory. Adversaries may search local
@@ -27,8 +27,7 @@ condition: >
       '?:\\Windows\\Panther\\Unattend.xml'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_dpapi_master_keys.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows DPAPI Master Keys
 id: b1d5732a-5ad4-4cdd-8791-c22e34c591e5
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects suspicious processes accessing the Windows Data Protection API Master keys
   which is a sign of potential credential stealing.
@@ -33,8 +33,7 @@ condition: >
       '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\S-1-12-1-*\\*'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_manager_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Credential Manager files
 id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
 labels:
@@ -23,8 +23,7 @@ condition: >
       '?:\\Windows\\System32\\config\\systemprofile\\AppData\\*\\Microsoft\\Credentials\\*'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_suspicious_access_to_windows_vault_files.yml

@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Vault files
 id: 44400221-f98d-424a-9388-497c75b18924
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies attempts from adversaries to acquire credentials from Vault files.
 labels:
@@ -25,8 +25,7 @@ condition: >
     and
   file.extension in vault_extensions
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',

rules/credential_access_unusual_access_to_ssh_keys.yml

@@ -1,6 +1,6 @@
 name: Unusual access to SSH keys
 id: 90f5c1bd-abd6-4d1b-94e0-229f04473d60
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies access by unusual process to saved SSH keys.
 labels:
@@ -17,17 +17,15 @@ labels:
 condition: >
   open_file and file.path imatches '?:\\Users\\*\\.ssh\\known_hosts'
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Program Files(x86)\\*',
       '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
       '?:\\Windows\\System32\\svchost.exe'
     )
     and
-    not
-  ps.name imatches
+  ps.name not imatches
     (
       'PuTTYNG.exe',
       'putty*.exe',

rules/credential_access_unusual_access_to_windows_credential_history.yml

@@ -1,6 +1,6 @@
 name: Unusual access to Windows Credential history files
 id: 9d94062f-2cf3-407c-bd65-4072fe4b167f
-version: 1.0.2
+version: 1.0.3
 description: |
   Detects unusual accesses to the Windows Credential history file.
   The CREDHIST file contains all previous password-linked master key hashes used by
@@ -20,8 +20,7 @@ labels:
 condition: >
   open_file and file.path imatches '?:\\Users\\*\\AppData\\*\\Microsoft\\Protect\\CREDHIST'
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\*',
       '?:\\Windows\\System32\\lsass.exe',

rules/defense_evasion_dll_loaded_via_ldrpkernel32_overwrite.yml

@@ -1,6 +1,6 @@
 name: DLL loaded via LdrpKernel32 overwrite
 id: 56739eda-210f-4a30-a114-d55ca60976df
-version: 1.0.0
+version: 1.0.1
 description: |
   Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking. 
   The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL.
@@ -20,14 +20,15 @@ references:
 condition: >
   (load_unsigned_or_untrusted_dll) and thread.callstack.symbols imatches ('*!BaseThreadInitThunk*')
     and
+  image.path not imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll'
+    and
     not
   foreach(thread._callstack, $frame, 
           $frame.symbol imatches ('?:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk*',
                                   '?:\\Windows\\SysWOW64\\kernel32.dll!BaseThreadInitThunk*',
                                   '?:\\Windows\\WinSxS\\*\\kernel32.dll!BaseThreadInitThunk*',
                                   '?:\\Windows\\WinSxS\\Temp\\PendingDeletes\\*!BaseThreadInitThunk*',
-                                  '\\Device\\*\\Windows\\*\\kernel32.dll!BaseThreadInitThunk*')) and
-  not image.path imatches '?:\\Windows\\assembly\\NativeImages_*\\System.Numerics.ni.dll'
+                                  '\\Device\\*\\Windows\\*\\kernel32.dll!BaseThreadInitThunk*'))
 action:
   - name: kill
 

rules/defense_evasion_dotnet_assembly_loaded_by_unmanaged_process.yml

@@ -1,6 +1,6 @@
 name: .NET assembly loaded by unmanaged process
 id: 34be8bd1-1143-4fa8-bed4-ae2566b1394a
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies the loading of the .NET assembly by an unmanaged process. Adversaries can load the CLR runtime
   inside unmanaged process and execute the assembly via the ICLRRuntimeHost::ExecuteInDefaultAppDomain method.
@@ -20,16 +20,14 @@ condition: >
     and
   (image.is_dotnet or thread.callstack.modules imatches ('*clr.dll'))
     and
-    not
-  image.path imatches
+  image.path not imatches
     (
       '?:\\Windows\\assembly\\*\\*.ni.dll',
       '?:\\Program Files\\WindowsPowerShell\\Modules\\*\\*.dll',
       '?:\\Windows\\Microsoft.NET\\assembly\\*\\*.dll'
     )
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files\\WindowsApps\\*\\CrossDeviceService.exe',
       '?:\\Windows\\Microsoft.NET\\Framework\\*\\mscorsvw.exe'

rules/defense_evasion_hidden_registry_key_creation.yml

@@ -1,6 +1,6 @@
 name: Hidden registry key creation
 id: 65deda38-9b1d-42a0-9f40-a68903e81b49
-version: 1.1.2
+version: 1.1.3
 description: |
   Identifies the creation of a hidden registry key. Adversaries can utilize the
   native NtSetValueKey API to create a hidden registry key and conceal payloads
@@ -22,8 +22,7 @@ condition: >
     and
   thread.callstack.symbols not imatches ('KernelBase.dll!RegSetValue*', 'KernelBase.dll!RegLoadAppKey*', 'KernelBase.dll!GetFileAttributes*')
     and
-    not
-  ps.exe imatches
+  ps.exe not imatches
     (
       '?:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',
       '?:\\Program Files\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe',

rules/defense_evasion_potential_injection_via_dotnet_debugging.yml

@@ -1,6 +1,6 @@
 name: Potential injection via .NET debugging
 id: 193ebf2f-e365-4f57-a639-275b7cdf0319
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies creation of a process on behalf of the CLR debugging facility which may
   be indicative of code injection. The CLR interface utilizes the OpenVirtualProcess
@@ -19,16 +19,15 @@ references:
 condition: >
   spawn_process and ps.exe != '' and thread.callstack.symbols imatches ('mscordbi.dll!OpenVirtualProcess')
     and
-    not
-  ps.child.exe imatches
+  ps.child.exe not imatches
     (
       '?:\\Visual Studio\\Common?\\IDE\\devenv.exe',
       '?:\\Program Files\\Microsoft Visual Studio\\*.exe',
       '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe',
       '?:\\Program Files\\IIS Express\\iisexpress.exe',
       '?:\\Program Files (x86)\\IIS Express\\iisexpress.exe'
     )
-  and not ps.exe imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
+  and ps.exe not imatches '?:\\Program Files (x86)\\Microsoft Visual Studio\\*.exe'
 
 output: >
   Process %ps.exe attached the .NET debugger to process %ps.child.exe for potential code injection

rules/defense_evasion_potential_process_hollowing_injection.yml

@@ -1,6 +1,6 @@
 name: Potential Process Hollowing
 id: 2a3fbae8-5e8c-4b71-b9da-56c3958c0d53
-version: 1.1.3
+version: 1.1.4
 description: |
   Adversaries may inject malicious code into suspended and hollowed processes in order to
   evade process-based defenses. Process hollowing is a method of executing arbitrary code
@@ -29,7 +29,7 @@ references:
 condition: >
   sequence
   maxspan 2m
-    |spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and not ps.exe imatches 
+    |spawn_process and ps.sid not in ('S-1-5-18', 'S-1-5-19', 'S-1-5-20') and ps.exe not imatches 
       (
         '?:\\Program Files\\*.exe', 
         '?:\\Program Files (x86)\\*.exe',

rules/defense_evasion_potential_process_injection_via_tainted_memory_section.yml

@@ -1,6 +1,6 @@
 name: Potential process injection via tainted memory section
 id: 8e4182f3-02e7-4e95-afc3-93d18c9a9c09
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies potential process injection when the adversary creates and maps a memory
   section with RW protection rights followed by mapping of the same memory section in
@@ -22,7 +22,7 @@ references:
 condition: >
   sequence
   maxspan 1m
-    |map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096 and not ps.exe imatches 
+    |map_view_of_section and file.view.protection = 'READWRITE' and kevt.pid != 4 and file.view.size >= 4096 and ps.exe not imatches 
       (
         '?:\\Program Files\\*.exe', 
         '?:\\Program Files (x86)\\*.exe',

rules/defense_evasion_potential_thread_execution_hijacking.yml

@@ -1,6 +1,6 @@
 name: Potential thread execution hijacking
 id: 8b9f6d47-e9ba-4b3a-9da2-d7bf27e08ca9
-version: 1.0.0
+version: 1.0.1
 description: |
   Adversaries may inject malicious code into hijacked processes in order to evade process-based
   defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of
@@ -30,7 +30,7 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and not ps.exe imatches
+    |open_remote_thread and thread.access.mask.names in ('ALL_ACCESS', 'SUSPEND_THREAD') and ps.exe not imatches
       (
         '?:\\Program Files\\*',
         '?:\\Program Files (x86)\\*'

rules/defense_evasion_process_execution_from_self_deleting_binary.yml

@@ -1,6 +1,6 @@
 name: Process execution from a self-deleting binary
 id: 0f0da517-b22c-4d14-9adc-36baeb621cf7
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the execution of the process from a self-deleting binary. The attackers can
   abuse undocumented API functions to create a process from a file-backed section. The file 
@@ -22,21 +22,18 @@ condition: >
   maxspan 1m 
     |delete_file and file.info.is_disposition_delete_file
       and
-      not
-     ps.exe imatches 
+     ps.exe not imatches 
       (
         '?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe',
         '?:\\WINDOWS\\uus\\packages\\preview\\*\\wuaucltcore.exe'
       )
       and 
-      not
-     ps.cmdline imatches 
+     ps.cmdline not imatches 
       (
         '?:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc'
       )
-      and
-      not 
-     file.path imatches 
+      and 
+     file.path not imatches 
       (
         '?:\\Windows\\SoftwareDistribution\\Download\\*',
         '?:\\Windows\\uus\\packages\\preview\\*'