rabbitstack · rabbitstack · Dec 26, 2025 · Dec 26, 2025
diff --git a/rules/credentail_access_file_access_to_sam_database.yml b/rules/credentail_access_file_access_to_sam_database.yml
@@ -1,6 +1,6 @@
 name: File access to SAM database
 id: e3dace20-4962-4381-884e-40dcdde66626
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies access to the Security Account Manager on-disk database.
 labels:
@@ -15,21 +15,19 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1003/002/
 
 condition: >
-  open_file
-    and
+  open_file and
   file.path imatches
-    (
-      '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
-      '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
-      '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
-    )
-    and
+            (
+              '?:\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+              '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM',
+              '\\??\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\SYSTEM32\\CONFIG\\SAM'
+            ) and
   ps.exe not imatches
-    (
-      '?:\\Program Files\\*',
-      '?:\\Program Files (x86)\\*',
-      '?:\\Windows\\System32\\lsass.exe',
-      '?:\\Windows\\System32\\srtasks.exe'
-    )
+            (
+              '?:\\Program Files\\*',
+              '?:\\Program Files (x86)\\*',
+              '?:\\Windows\\System32\\lsass.exe',
+              '?:\\Windows\\System32\\srtasks.exe'
+            )
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_credential_access_from_backups_via_rundll32.yml b/rules/credential_access_credential_access_from_backups_via_rundll32.yml
@@ -1,6 +1,6 @@
 name: Credentials access from backups via Rundll32
 id: ff43852c-486c-4870-a318-ce976d2231a5
-version: 1.0.1
+version: 1.0.2
 description: |
   Detects an attempt to obtain credentials from credential backups.
 labels:
@@ -15,10 +15,8 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process
-    and
-  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe')
-    and
+  spawn_process and
+  (ps.child.name ~= 'rundll32.exe' or ps.child.pe.file.name ~= 'rundll32.exe') and
   (ps.child.args iin ('keymgr.dll') and ps.child.args iin ('KRShowKeyMgr'))
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_credential_discovery_via_vaultcmd.yml b/rules/credential_access_credential_discovery_via_vaultcmd.yml
@@ -1,6 +1,6 @@
 name: Credential discovery via VaultCmd tool
 id: 2ce607d3-5a14-4628-be8a-22bcde97dab5
-version: 1.1.1
+version: 1.1.2
 description: |
   Detects the usage of the VaultCmd tool to list Windows Credentials. VaultCmd creates, 
   displays and deletes stored credentials. An adversary may abuse this to list or dump 
@@ -17,8 +17,8 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1555/004/
 
 condition: >
-  spawn_process and (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe')
-    and
+  spawn_process and
+  (ps.child.name ~= 'VaultCmd.exe' or ps.child.pe.file.name ~= 'vaultcmd.exe') and
   ps.child.cmdline imatches '*/list*'
 
 severity: medium

diff --git a/rules/credential_access_lsass_handle_leak_via_seclogon.yml b/rules/credential_access_lsass_handle_leak_via_seclogon.yml
@@ -1,6 +1,6 @@
 name: LSASS handle leak via Seclogon
 id: 5d55c938-875e-49e1-ae53-fa196d4445eb
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
   may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in 
@@ -19,8 +19,8 @@ references:
   - https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
 
 condition: >
-  open_process and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe'
-    and
+  open_process and 
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and ps.name ~= 'svchost.exe' and
   ps.access.mask.names in ('CREATE_PROCESS', 'DUP_HANDLE') and thread.callstack.modules imatches ('*seclogon.dll')
 
 severity: high

diff --git a/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml b/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dump via MiniDumpWriteDump
 id: fd7ced77-4a95-4658-80f6-6b9d7b5e3777
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies access to the Local Security Authority Subsystem Service (LSASS) process to dump the
   memory via MiniDumpWriteDump API.
@@ -20,8 +20,8 @@ references:
   - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
 
 condition: >
-  ((open_process) or (open_thread)) and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-    and
+  ((open_process) or (open_thread)) and 
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
   (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))
 action:
   - name: kill

diff --git a/rules/credential_access_lsass_memory_dumping.yml b/rules/credential_access_lsass_memory_dumping.yml
@@ -1,6 +1,6 @@
 name: LSASS memory dumping via legitimate or offensive tools
 id: 335795af-246b-483e-8657-09a30c102e63
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects an attempt to dump the LSAAS memory to the disk by employing legitimate
   tools such as procdump, Task Manager, Process Explorer or built-in Windows tools
@@ -23,15 +23,14 @@ condition: >
   sequence
   maxspan 2m
   by ps.uuid
-    |open_process and ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE')
-      and
-     evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-      and
+    |open_process and 
+     ps.access.mask.names in ('ALL_ACCESS', 'CREATE_PROCESS', 'VM_READ', 'DUP_HANDLE') and
+     evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
      ps.exe not imatches
-      (
-        '?:\\Windows\\System32\\svchost.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
-      )
+                (
+                  '?:\\Windows\\System32\\svchost.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+                )
     |
     |write_minidump_file|
 

diff --git a/rules/credential_access_lsass_process_clone_creation_via_reflection.yml b/rules/credential_access_lsass_process_clone_creation_via_reflection.yml
@@ -1,6 +1,6 @@
 name: LSASS process clone creation via reflection
 id: cdf3810a-4832-446a-ac9d-d108cf2e313c
-version: 1.0.1
+version: 1.0.2
 description: |
   Identifies the creation of an LSASS clone process via RtlCreateProcessReflection API function.
   Adversaries can use this technique to dump credentials material from the LSASS fork and evade
@@ -20,8 +20,8 @@ references:
   - https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/
 
 condition: >
-  spawn_process and ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe'
-    and
+  spawn_process and 
+  ps.name ~= 'lsass.exe' and ps.child.name ~= 'lsass.exe' and
   thread.callstack.symbols imatches ('ntdll.dll!RtlCloneUserProcess', 'ntdll.dll!RtlCreateProcessReflection')
 action:
   - name: kill

diff --git a/rules/credential_access_potential_sam_hive_dumping.yml b/rules/credential_access_potential_sam_hive_dumping.yml
@@ -1,6 +1,6 @@
 name: Potential SAM hive dumping
 id: 2f326557-0291-4eb1-a87a-7a17b7d941cb
-version: 1.0.5
+version: 1.0.6
 description:
   Identifies access to the Security Account Manager registry hives.
 labels:
@@ -19,55 +19,52 @@ references:
 condition: >
   sequence
   maxspan 10m
-    |spawn_process and not (ps.exe imatches
-      (
-        '?:\\Program Files\\*.exe',
-        '?:\\Program Files (x86)\\*.exe',
-        '?:\\Windows\\System32\\svchost.exe'
-      )
-        or
+    |spawn_process and
+     not (ps.exe imatches
+                (
+                  '?:\\Program Files\\*.exe',
+                  '?:\\Program Files (x86)\\*.exe',
+                  '?:\\Windows\\System32\\svchost.exe'
+                ) or
       (ps.child.cmdline imatches '"?:\\Windows\\Microsoft.NET\\Framework\\*\\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior')
      )
     | by ps.child.uuid
-    |open_registry
-      and
-     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*'
-      and
+    |open_registry and
+     registry.path imatches 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\*' and
      registry.path not imatches
-      (
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
-        'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
-      )
-      and
+                (
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account',
+                  'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Account\\Aliases\\*'
+                ) and
      ps.exe not imatches
-      (
-        '?:\\Windows\\System32\\lsass.exe',
-        '?:\\Windows\\System32\\RuntimeBroker.exe',
-        '?:\\Windows\\explorer.exe',
-        '?:\\Windows\\System32\\Taskmgr.exe',
-        '?:\\Windows\\System32\\sihost.exe',
-        '?:\\Windows\\System32\\SearchIndexer.exe',
-        '?:\\Windows\\System32\\SearchProtocolHost.exe',
-        '?:\\Windows\\System32\\svchost.exe',
-        '?:\\Windows\\System32\\services.exe',
-        '?:\\Windows\\System32\\taskhostw.exe',
-        '?:\\Windows\\System32\\backgroundTaskHost.exe',
-        '?:\\Windows\\System32\\WerFault.exe',
-        '?:\\Windows\\System32\\ctfmon.exe',
-        '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
-        '?:\\Windows\\System32\\CompatTelRunner.exe',
-        '?:\\Windows\\System32\\cleanmgr.exe',
-        '?:\\Windows\\System32\\MoUsoCoreWorker.exe',
-        '?:\\Windows\\System32\\lpremove.exe',
-        '?:\\Windows\\System32\\LogonUI.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
-        '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
-        '?:\\Windows\\System32\\ApplicationFrameHost.exe',
-        '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
-        '?:\\Windows\\System32\\cleanmgr.exe'
-       )
+                (
+                  '?:\\Windows\\System32\\lsass.exe',
+                  '?:\\Windows\\System32\\RuntimeBroker.exe',
+                  '?:\\Windows\\explorer.exe',
+                  '?:\\Windows\\System32\\Taskmgr.exe',
+                  '?:\\Windows\\System32\\sihost.exe',
+                  '?:\\Windows\\System32\\SearchIndexer.exe',
+                  '?:\\Windows\\System32\\SearchProtocolHost.exe',
+                  '?:\\Windows\\System32\\svchost.exe',
+                  '?:\\Windows\\System32\\services.exe',
+                  '?:\\Windows\\System32\\taskhostw.exe',
+                  '?:\\Windows\\System32\\backgroundTaskHost.exe',
+                  '?:\\Windows\\System32\\WerFault.exe',
+                  '?:\\Windows\\System32\\ctfmon.exe',
+                  '?:\\Windows\\System32\\Wbem\\WmiPrvSE.exe',
+                  '?:\\Windows\\System32\\CompatTelRunner.exe',
+                  '?:\\Windows\\System32\\cleanmgr.exe',
+                  '?:\\Windows\\System32\\MoUsoCoreWorker.exe',
+                  '?:\\Windows\\System32\\lpremove.exe',
+                  '?:\\Windows\\System32\\LogonUI.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe',
+                  '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MpDefenderCoreService.exe',
+                  '?:\\Windows\\System32\\ApplicationFrameHost.exe',
+                  '?:\\Windows\\System32\\wbem\\WMIADAP.exe',
+                  '?:\\Windows\\System32\\cleanmgr.exe'
+                )
       | by ps.uuid
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_remote_thread_creation_into_lsass.yml b/rules/credential_access_remote_thread_creation_into_lsass.yml
@@ -1,6 +1,6 @@
 name: Remote thread creation into LSASS
 id: e3ce8d6f-c260-48d6-9398-3c1c71726297
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the creation of a remote thread in LSASS (Local Security And Authority Subsystem Service)
   by untrusted or suspicious processes. This may indicate attempts to execute code inside the LSASS process
@@ -17,8 +17,8 @@ labels:
    subtechnique.ref: https://attack.mitre.org/techniques/T1003/001/
 
 condition: >
-  create_remote_thread and evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe'
-    and
+  create_remote_thread and
+  evt.arg[exe] imatches '?:\\Windows\\System32\\lsass.exe' and
   (ps.name iin script_interpreters or ps.name ~= 'rundll32.exe' or pe.is_signed = false or pe.is_trusted = false)
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml b/rules/credential_access_suspicious_access_to_active_directory_domain_database.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Active Directory domain database
 id: a30c100e-28d0-4aa0-b98d-0d38025c2c29
-version: 1.0.3
+version: 1.0.4
 description: |
   Detects suspicious access to the Active Directory domain database.
   Adversaries may attempt to access or create a copy of the Active Directory
@@ -17,18 +17,16 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1003/003/
 
 condition: >
-  open_file
-    and
+  open_file and
   file.path imatches
-    (
-      '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
-      '?:\\WINDOWS\\NTDS\\ntds.dit'
-    )
-    and
+            (
+              '\\Device\\HarddiskVolumeShadowCopy*\\WINDOWS\\NTDS\\ntds.dit',
+              '?:\\WINDOWS\\NTDS\\ntds.dit'
+            ) and
   ps.exe not imatches
-    (
-      '?:\\Windows\\System32\\lsass.exe',
-      '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
-    )
+            (
+              '?:\\Windows\\System32\\lsass.exe',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+            )
 
 min-engine-version: 3.0.0
diff --git a/rules/credential_access_suspicious_access_to_unattended_panther_files.yml b/rules/credential_access_suspicious_access_to_unattended_panther_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Unattended Panther files
 id: d305fb15-6ad1-4d61-a84b-ada462f23a55
-version: 1.0.3
+version: 1.0.4
 description: |
   Identifies suspicious to access to unattend.xml files where credentials
   are commonly stored within the Panther directory. Adversaries may search local
@@ -17,21 +17,19 @@ labels:
   subtechnique.ref: https://attack.mitre.org/techniques/T1552/001/
 
 condition: >
-  open_file
-    and
+  open_file and
   file.path imatches
-    (
-      '?:\\Windows\\Panther\\Unattend\\Unattended.xml',
-      '?:\\Windows\\Panther\\Unattend\\Unattend.xml',
-      '?:\\Windows\\Panther\\Unattended.xml',
-      '?:\\Windows\\Panther\\Unattend.xml'
-    )
-    and
+            (
+              '?:\\Windows\\Panther\\Unattend\\Unattended.xml',
+              '?:\\Windows\\Panther\\Unattend\\Unattend.xml',
+              '?:\\Windows\\Panther\\Unattended.xml',
+              '?:\\Windows\\Panther\\Unattend.xml'
+            ) and
   ps.exe not imatches
-    (
-      '?:\\Program Files\\*',
-      '?:\\Program Files(x86)\\*',
-      '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
-    )
+            (
+              '?:\\Program Files\\*',
+              '?:\\Program Files(x86)\\*',
+              '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe'
+            )
 
 min-engine-version: 3.0.0