fix 4697 fieldname

rules/windows/builtin/win_invoke_obfuscation_clip+_services_security.yml

@@ -23,7 +23,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+        ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services_security.yml

@@ -18,13 +18,13 @@ detection:
     selection:
         EventID: 4697
     selection_1:
-        - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
-        - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
-        - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
-        - ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
-        - ImagePath|re: '\\*mdr\*\W\s*\)\.Name'
-        - ImagePath|re: '\$VerbosePreference\.ToString\('
-        - ImagePath|re: '\String\]\s*\$VerbosePreference'
+        - ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
+        - ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
+        - ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
+        - ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
+        - ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name'
+        - ServiceFileName|re: '\$VerbosePreference\.ToString\('
+        - ServiceFileName|re: '\String\]\s*\$VerbosePreference'
     condition: selection and selection_1
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_stdin+_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+        ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_var+_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+        ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
     condition: all of them
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_compress_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697 
     selection:
-        ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+        ServiceFileName|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
     condition: selection and selection_eventid
 falsepositives:
     - unknown

rules/windows/builtin/win_invoke_obfuscation_via_rundll_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697 
     selection:
-        ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+        ServiceFileName|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_stdin_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+        ServiceFileName|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+        ServiceFileName|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+        ServiceFileName|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+        ServiceFileName|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
     condition: selection and selection_eventid
 falsepositives:
     - Unknown

rules/windows/builtin/win_invoke_obfuscation_via_var++_services_security.yml

@@ -22,7 +22,7 @@ detection:
     selection_eventid:
         EventID: 4697
     selection:
-        ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+        ServiceFileName|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
     condition: selection and selection_eventid
 falsepositives:
     - Unknown