Simplified rule conditions with new condition constructs

rules/apt/apt_elise.yml

@@ -16,7 +16,7 @@ detection:
     selection2:
         EventID: 1
         CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting'
-    condition: selection1 or selection2
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: critical

rules/apt/apt_equationgroup_c2.yml

@@ -15,7 +15,7 @@ detection:
         src:
             - '69.42.98.86'
             - '89.185.234.145'
-    condition: outgoing or incoming
+    condition: 1 of them
 falsepositives:
     - Unknown
 level: high

rules/apt/apt_pandemic.yml

@@ -18,7 +18,7 @@ detection:
     selection2:
         EventID: 1
         Command: 'loaddll -a *'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/windows/builtin/win_alert_active_directory_user_control.yml

@@ -12,7 +12,7 @@ detection:
         EventID: 4707
     keywords:
         - 'SeEnableDelegationPrivilege'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_alert_ad_user_backdoors.yml

@@ -20,7 +20,7 @@ detection:
         EventID: 5136
         ObjectClass: 'user'
         AttributeLDAPDisplayName: 'servicePrincipalName'
-    condition: selection1 or selection2 or selection3
+    condition: 1 of them
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_mal_service_installs.yml

@@ -7,26 +7,26 @@ logsource:
 detection:
     selection:
         EventID: 7045
-    wce:
+    malsvc_wce:
         ServiceName: 
             - 'WCESERVICE'
             - 'WCE SERVICE'
-    paexec:
+    malsvc_paexec:
         ServiceFileName: '*\PAExec*'
-    winexe:
+    malsvc_winexe:
         ServiceFileName: 'winexesvc.exe*'
-    pwdumpx:
+    malsvc_pwdumpx:
         ServiceFileName: '*\DumpSvc.exe'
-    wannacry:
+    malsvc_wannacry:
         ServiceName: 'mssecsvc2.0'
-    persistence:
+    malsvc_persistence:
         ServiceFileName: '* net user *'
-    others:
+    malsvc_others:
         ServiceName:
             - 'pwdump*'
             - 'gsecdump*'
             - 'cachedump*'
-    condition: selection and ( wce or paexec or winexe or pwdumpx or wannacry or persistence or others )
+    condition: selection and 1 of malsvc_*
 falsepositives: 
     - Penetration testing
 level: critical

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -16,11 +16,10 @@ detection:
     selection2:
         Source: 'Windows Error Reporting'
         EventID: 1001
-    keyword1:
+    keywords:
         - 'MsMpEng.exe'
-    keyword2:
         - 'mpengine.dll'
-    condition: (selection1 or selection2) and keyword1 and keyword2
+    condition: 1 of selection* and all of keywords
 falsepositives: 
     - Unknown
 level: high

rules/windows/builtin/win_susp_sam_dump.yml

@@ -11,7 +11,7 @@ detection:
         EventID: 16
     keywords:
         - '*\AppData\Local\Temp\SAM-*.dmp *'
-    condition: selection and keywords
+    condition: all of them
 falsepositives: 
     - Penetration testing
 level: high

rules/windows/malware/sysmon_malware_notpetya.yml

@@ -26,7 +26,7 @@ detection:
         CommandLine: '*.dat,#1'       
     perfc_keyword:
         - '*\perfc.dat*'
-    condition: fsutil_clean_journal or pipe_com or event_clean or rundll32_dash1 or perfc_keyword
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/malware/sysmon_malware_wannacry.yml

@@ -30,7 +30,7 @@ detection:
             - '*bcdedit /set {default} recoveryenabled no*'
             - '*wbadmin delete catalog -quiet*'
             - '*@Please_Read_Me@.txt*'
-    condition: selection1 or selection2
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine

rules/windows/malware/win_mal_wannacry.yml

@@ -12,7 +12,7 @@ detection:
             - '*icacls * /grant Everyone:F /T /C /Q*'
             - '*bcdedit /set {default} recoveryenabled no*'
             - '*wbadmin delete catalog -quiet*'
-    condition: selection1 or selection2
+    condition: 1 of them
 falsepositives: 
     - Unknown
 level: critical

rules/windows/other/win_tool_psexec.yml

@@ -18,7 +18,7 @@ detection:
         EventID: 1
         Image: '*\PSEXESVC.exe'
         User: 'NT AUTHORITY\SYSTEM'
-    condition: service_installation or service_execution or sysmon_processcreation
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/windows/powershell/powershell_prompt_credentials.yml

@@ -14,7 +14,7 @@ detection:
         EventID: 4104
     keyword:
         - 'PromptForCredential'
-    condition: selection and keyword
+    condition: all of them
 falsepositives:
     - Unknown
 level: high

rules/windows/powershell/powershell_psattack.yml

@@ -11,9 +11,9 @@ logsource:
 detection:
     selection:
         EventID: 4103
-    keywords: 
+    keyword: 
         - 'PS ATTACK!!!'
-    condition: selection and keywords
+    condition: all of them
 falsepositives:
     - Pentesters
 level: high

rules/windows/powershell/powershell_suspicious_invocation_generic.yml

@@ -16,7 +16,7 @@ detection:
     noninteractive:
         - ' -noni '
         - ' -noninteractive '
-    condition: encoded and hidden and noninteractive
+    condition: all of them
 falsepositives:
     - Penetration tests
 level: high

rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml

@@ -15,7 +15,7 @@ detection:
     dnsregmod:
         EventID: 13
         TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
-    condition: dnsadmin or dnsregmod
+    condition: 1 of them
 fields:
     - EventID
     - CommandLine

rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml

@@ -19,7 +19,7 @@ detection:
     combination2:
         SourceImage: '*\Microsoft Office\*'
         CallTrace: '*|UNKNOWN*'
-    condition: selection and ( combination1 or combination2 )
+    condition: selection and 1 of combination*
 falsepositives:
     - unknown
 level: high

rules/windows/sysmon/sysmon_powershell_suspicious_parameter_combo.yml

@@ -18,7 +18,7 @@ detection:
     noninteractive:
         - ' -noni '
         - ' -noninteractive '
-    condition: keywords and encoded and hidden and noninteractive
+    condition: all of them
 falsepositives:
     - Penetration tests
     - Very special / sneaky PowerShell scripts

rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml

@@ -51,7 +51,7 @@ detection:
         - ' -encod '
         - ' -enco '
         - ' -en '
-    condition: keywords and substrings
+    condition: all of them
 falsepositives:
     - Penetration tests
 level: high

rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml

@@ -31,7 +31,7 @@ detection:
         EventID: 1
         Image: '*\wscript.exe'
         ParentImage: '*\regsvr32.exe'
-    condition: selection1 or selection2 or selection3 or selection4
+    condition: 1 of them
 fields:
     - CommandLine
     - ParentCommandLine