EDR rule updates

This article identifies application code changes made to EDR rules. If you notice you are receiving new alerts or there is a drastic change in volume for a certain type of alert you receive, you may be able to identify the reason in this article.

Each table includes the name of the rule, the type of change (new rule, edited rule, or deleted rule), rule details, and the impact the change may have on the customer. The date identifies when the change was live in the application.

Rule name Change type Details Customer impact
Linux Enumerate Wireless Keys New rule Detects activity on files/directories where wireless passwords may be stored, which may be an attempt to enumerate wireless keys. Improve coverage. Low false positive rate.
Actions on Sensitive Directories New rule Detects interactions with sensitive directories using common applications, which may be a sign of tampering. The directories /etc, /boot, /bin, /usr, /sbin, and /opt contain configuration files and system binaries that attackers may target for privilege escalation or persistence. Improve coverage. Slight increase in false positives is possible.
Rule name Change type Details Customer impact
TA0002-Execution-T1059.004-alert-Linux Reverse Shell New rule Network connections to remote IP addresses from shell; similar characteristics of reverse shells. Slight increase in alerts.
TA0005-Defense Evasion-T1562.004-observable-Firewall Modification Edited rule Renamed rule to “Linux Firewall Modification” since it only covers Linux events. Rule detects changes/modifications made to firewall rules using ufw, iptables, nftables, firewalld, firewall-cmd. Increased visibility into changes made to firewall rules/services. Potentially large increase in number of non-alerting (i.e. observable) events.
Rule name Change type Details Customer impact
Possible Silent Install Abuse via ASUSSetup.exe New rule There is a (recently patched) vulnerability where asusinstaller.exe can be abused to install illegitimate software and appear as signed. The rule will detect any cases of silent installations of asussetup.exe. Customers of Asus motherboards who have not updated {{ASUSSetup.exe}} to its currently version should pay attention to this alert and ensure that the application was not called to install anything other than legitimate/approved programs.
Rule name Change type Details Customer impact
TA0003-Persistence-T1053.005-observable-Scheduled Task Created via schtasks.exe Edited rule The rule logic was refactored for improved accuracy and broader coverage. The updated detection adds support for matching both {{schtasks.exe}} and its use within broader strings using word boundaries ({{\bschtasks\b}}). It also checks {{decodedPayload}} alongside {{commandLine}}, and adds enhanced exclusion logic using regex for known benign patterns and processes (e.g., {{rmmkse}}, {{geocomplyupdate}}, {{discoveryagentsetup}}). These improvements make the rule more robust and reduce noise. Significant decrease in false positives for scheduled task detections, particularly in environments using legitimate agents like GeoComply or RMM tools.
TA0002-Execution-T1569.002-observable-PsExec Service Start Edited rule Updated the rule condition to perform a case-insensitive comparison and updated process name to psexesvc.exe. This ensures the rule triggers regardless of character casing in the process name and matches correct psexec process. Increase in low severity observables and increased visibility during incident response.
Potential Suspicious Child Process of 3CXDesktopApp.exe Edited rule Replaced a verbose OR clause checking for specific child process names with a case-insensitive regex match. This simplifies the rule logic and improves maintainability. Also updated the parent process name check to use {{lowercase()}} for robustness. No change in alert volume expected. Improved rule efficiency and reduced potential for case-sensitive misses.
TA0011-Command and Control-T1071.002-observable-FTP.exe Command File Execution.yaml Edited rule Changed {{parentCommandLine}} to {{commandLine}}. Fixed syntax from {{ParentProcessName}} to {{parentProcessName}}. {code:yaml}Detects use of ftp.exe to execute an FTP command file. This is not malicious by itself but is often suspicious in networks that don't use the built-in FTP.exe tool.{code} Rule was not triggering properly due to syntax errors, rule will now trigger correctly.
Suspicious PowerShell Download in Windows System32 Directory Edited rule Updated {{signature.subjectName}} from a strict match {{"Microsoft Windows"}} to a case-insensitive regex {{iregex("microsoft")}} to improve compatibility with varying casing in signature data and updated unit test. Potential increase in true positive alerts where the casing of "Microsoft" differs from the previous strict match, especially in environments with non-standardized subject name casing.
TA0006-Credential Access-T1003-alert-Enumerate Cleartext Wireless Keys Edited rule Modified the detection logic to remove the hard-coded process name ({{netsh.exe}}) and instead match based on command patterns found in both {{commandLine}} and {{decodedPayload}}. The new pattern matches attempts to extract Wi-Fi profiles with cleartext keys using more flexible regex matching ({{\bwlan\s+show\s+profile\s+name.
*key\s*=\s*clear\b}}).		 This change broadens detection coverage to include obfuscated or renamed binaries that execute similar commands, potentially increasing the number of medium severity alerts.
TA0005-Defense Evasion-T1218.009-alert-LOLBAS-RegAsm.exe Connection to Public IP Edited rule

{noformat} type == "connection" && name == "regasm.exe" &&
remoteAddr != privateIp() && remotePort != "443"
&& remotePort != "80"{noformat}

The ““ in remotePort is incorrect, the remotePort is looking for an integer not a string value.

 Rule will now filter out alerts for regasm.exe initiating on port 80 or 443.
Rule name Change type Details Customer impact
Hidden Powershell Base64 Encoded Command (Execution-T1059.001) Edited rule Updated the detection logic to broaden the
{{signature.subjectName}} check
from an exact match ({{"Microsoft Windows"}}) to a case-insensitive regex match for {{"Microsoft"}} to improve flexibility. Also changed the rule file name from {{alert}} to {{observable}} to better
reflect its intent, and updated the corresponding unit test description
to match the current rule logic. 		May result in slightly increased visibility into suspicious PowerShell executions involving Microsoft-signed binaries, especially those previously missed due to the exact string match constraint.
TA0005-Defense Evasion-T1562.001-observable-LOLBAS-Fltmc Edited rule Updated the rule condition to use {{lowercase(name)}} instead of a case-sensitive comparison. This improves detection reliability
across different casing formats of
the process name. A *unit test* was also added to validate
the rule logic and ensure consistent behavior.		 Improved detection accuracy; may result in an increase in medium severity observables if previously missed due to case mismatch.
TA0040-Impact-T1491-alert-Wallpaper Defacement Edited rule Corrected the regex pattern for detecting {{user32.dll}} references
—previous pattern failed to match certain formats. Also enhanced the {{SystemParametersInfo}} detection to support both decimal
(e.g., {{20,0}}) and hexadecimal (e.g., {{0x14, 0x0}}) values. This
improves reliability in identifying wallpaper modification attempts.		 Increase in low severity alerts due to improved coverage of both standard and obfuscated function usage patterns.
TA0002-Execution-T1059.001-alert-Powershell Encoded Command from Environment Variable (Process) Edited rule Updated the {{parentProcessName}} condition to apply a case-insensitive check by wrapping the value with {{lowercase()}}, ensuring consistent matching regardless of casing. Also added a unit test to validate the updated logic and prevent regression. Prevents false negatives where {{cohesity_windows_agent_service.exe}} appears with different letter casing, improving detection reliability without increasing alert volume.
TA0006-Credential Access-T1003-alert-WDigest Cleartext Credential Theft Edited rule Corrected the previously incorrect registry path used to
monitor WDigest credential caching ({{HKLM\SYSTEM\CurrentControlSet
\Control\SecurityProviders
\WDigest}}) and updated the detection logic to identify the
enabling (value {{1}})—instead of disabling (value {{0}})—of the {{UseLogonCredential}} key. Additionally, the rule logic has
been enhanced with refined regex patterns and added process conditions to more reliably detect suspicious usage of {{reg.exe}} and {{powershell.exe}}. A reference to official Microsoft guidance was also added to improve context, and
added unit test to this rule.		 Improved detection accuracy and rule reliability; may reduce false positives and increase true positive alerts when credential caching is being enabled maliciously.
Rule name Change type Details Customer impact
TA0005-Defense Evasion-T1070.001-alert-Windows Event Logs Cleared Edited rule Define wevtutil.exe definitions to highlight higher levels of log clearing. Rules will now trigger for less broad log removal definitions and alert for logs that are primarily removed during attacks. Customers should be more aware of this alert if previously suppressed to ensure proper actions if alerted.
Rule name Change type Details Customer impact
EDRKILLShifter New rule Rule detects commands associated with EDRKILLShifter, a program that exploits vulnerable drivers to evade detection and disrupt security processes. Increased coverage of threat actor activity.
Rule name Change type Details Customer impact
TA0002-Execution-T1059-observable-LOLBAS-Fsi Edited rule Rule edited to properly exclude paths. Less false/positives that would primarily impact “Fedex” applications.
Rule name Change type Details Customer impact
Malicious PowerShell Commandlets Edited rule Added detections for known PowerShell cmdlets used for offensive security. Increased detection coverage, possible increase in alerts/false positives.
Shadowcopy Enumeration Edited rule Added exclusions to reduce false positives. Decrease in false positive events.
Suspicious Discovery Commands from cscript or wscript (VB Script) Edited rule Added exclusions to reduce false positives. Reduction in false positive events.
Remote User Account Enumeration Edited rule Added exclusions to reduce false positives. Reduction in false positive events.
New Certificate Added to Trusted Root Store via Certutil Edited rule Fixed typo. Reduction in false positives.
Rule name Change type Details Customer impact
Hex or Base64 Obfuscated Shell Command{{Hex or Base64 Obfuscated Shell Command}} New rule Rule detects hex-encoded and base64-encoded shell commands observed in attacks on Xcode. Increased coverage of threat actor activity, possible increase in alerts.
(LOLBAS) RegAsm.exe Connection to Public IP New rule Rule detects regasm.exe network connections to public IP addresses on ports other than 80/443 (HTTP/HTTPS). Increased coverage of threat actor activity, possible increase in alerts.
Dual Use Tool (NetScan) New rule Rule detects usage of SoftPerfect's network scanning tool (NetScan). NetScan is a common tool used for network administration that also has documented usage by threat actors. Dual-use tool rules do not trigger alerts by default. Customers are advised to tailor alerting for these types of rules to best fit their security needs.
TA0005-Defense Evasion-T1027-alert-XOR Encryption In Powershell.yaml Edited rule Fixed typo. Expand rule coverage.
TA0007-Discovery-T1018-observable-Domain Controller Enumeration.yaml Edited rule Fixed typo. Expand rule coverage. Customers may see an increase in events.
Rule name Change type Details Customer impact
Schtasks.exe used to run a scheduled task Edited rule Added program exclusion to reduce false positives. Decrease in alerts for some customers.
New Certificate Added to Trusted Root Store via Certutil Edited rule Added certificate exclusions to reduce false positives. Decrease in alerts for some customers.
Firewall modification Edited rule Added logic to expand rule coverage. Possible increase in alerts.
Remote User Account Enumeration Edited rule Added logic to reduce false positives by excluding incomplete commands and enumermation of localhost. Decrease in alerts for some customers.
Run Lateral Scheduled Task Edited rule Added program exclusion to reduce false positives. Decrease in alerts for some customers.
Rule name Change type Details Customer impact
TA0002-Execution-T1053.002-alert-Base64 Encoded AT Command.yaml Edited rule Fixed incorrect use of {{&&}} in regex checks and improved logic to detect {{at.exe}} spawning PowerShell with Base64 commands or via {{wscript}}. Improved detection accuracy and reduced false negatives.
TA0003-Persistence-T1547.001-observable-New Run Key.yaml Edited rule Updated detection to correctly identify both *HKCU* and *HKLM* abbreviations. Broader coverage of registry-based persistence techniques.
Rule name Change type Details Customer impact
Behavior from Injected Process Edited rule Rule was reactivated after having been deactivated for testing purposes. No impact.
Rule name Change type Details Customer impact
Tool download Edited rule Rule edited to expand coverage of different syntax used to download a file with wget or curl. Possible large increase in observable (i.e. non-alerting) events.