EDR rule updates
This article identifies application code changes made to EDR rules. If you notice you are receiving new alerts or there is a drastic change in volume for a certain type of alert you receive, you may be able to identify the reason in this article.
Each table includes the name of the rule, the type of change (new rule, edited rule, or deleted rule), rule details, and the impact the change may have on the customer. The date identifies when the change was live in the application.
06/23/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0005-Defense Evasion-T1562.001 Windows Defender Disabled | Edited rule | The detection logic for this rule has been edited to significantly reduce false positives. | As false positives have been significantly reduced by 99.9%, customers should remove any suppression rules previously created for this alert to ensure accurate and effective detection going forward. |
| TA0003-Persistence-T1218.010-alert-Suspicous SSP Registry Modification via reg.exe | New rule | Implemented new detection rule monitoring reg.exe usage for SSP registry modifications. Added high-severity alert configuration with specific response actions for Security Support Provider (SSP) registry changes. Rule monitors two key registry locations (HKLM\SYSTEM\ CurrentControlSet\ Control\Lsa\Security Packages and \OSConfig\Security Packages) for modifications via reg.exe. Designed to detect persistence attempts through SSP configuration changes in the Windows registry. |
This detection helps identify potential adversaries attempting to establish persistence through SSP modifications. When triggered, it indicates possible malicious activity that could lead to unauthorized system-level access during boot time. |
| TA0003-Persistence-T1098.007-alert-Linux User Added to Privileged Group | Edited rule | Enhanced the detection logic by requiring both the parent and grandparent processes to not match (negate) Docker components, reducing false positives from legitimate Docker activity. Detection now only triggers if neither parent nor grandparent process match common Docker process names. |
Fewer false positives from legitimate Docker operations; improved alert accuracy. |
06/11/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0003-Persistence-T1547.008-alert-LSA Protection Turned Off via reg.exe | New rule | Detects when the LSASS RunAsPPL registry value is set to 0, effectively turning off LSASS Protected Process Light (PPL) protection. Disabling this protection weakens the security of the Local Security Authority Subsystem Service and may allow attackers to perform credential dumping or other privilege escalation attacks. | This rule enables early detection of attempts to weaken Windows authentication protection. Customers benefit from improved visibility into credential theft risks and can respond quickly to prevent lateral movement and account compromise. |
| TA0010-Exfiltration-T1567.002-alert-Possible Malicious Exfiltration to AWS S3 storage | New rule | Triggered when executable s3cmd, s4cmd, or s5cmd is ran. The rule defines criteria to move data from storage to a cloud s3 bucket. | Customers who legitimately use this tool (no known use cases at this time) will need to suppress the alert. |
| TA0005-DefenseEvasion-T1553.006-alert-IntegrityCheckBypass-bcdedit | New rule | Identifies suspicious usage of {{bcdedit.exe}} to bypass integrity checks or enable testsigning mode, which disables the driver signature check. This technique is often used by adversaries to load unsigned or malicious drivers, potentially bypassing security controls. The detection focuses on the presence of specific command-line parameters such as {{TESTSIGNING}}, {{nointegritychecks}}, or {{DISABLE_INTEGRITY_CHECKS}}. | May result in an increase in medium-severity alerts related to suspicious use of {{bcdedit.exe}}. This provides improved visibility into potential adversarial attempts to subvert trust controls. |
| Linux User Added to Privileged Group | New rule | Detects the addition of a user account to several common privileged groups found in Linux environments. An adversary may add additional privileged groups to an adversary-controlled account to maintain persistent access or leverage elevated privileges. | Increase coverage with low false positive count. |
| TA0002-Execution-T1059.004-alert-GTFOBins-aria2c | New rule | Identifies suspicious use of the {{aria2c}} utility's {{--on-download-complete}} parameter where a shell (e.g., bash, zsh, ksh, etc.) is executed post-download. This behavior is indicative of automated execution of potentially malicious payloads, commonly seen in malware staging or initial access phases. The detection focuses on the presence of shell interpreters and HTTP-related command-line strings. | May result in an increase in high-severity alerts related to suspicious script execution after downloads. This provides improved visibility into potential automated malware delivery mechanisms. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Sqlps | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-VSIIISExeLauncher | Edited rule | Modified the rule to normalize the {{name}} field using {{lowercase(name)}} to ensure case-insensitive comparison with "vsiiisexelauncher.exe" | Improved detection accuracy for this LOLBAS behavior, which may result in an increase in medium severity alerts due to better pattern matching. |
| TA0005-Execution-T1218-observable-LOLBAS-Cmdl32 | Edited rule | Added process name check to improve specificity of the rule. This ensures it only triggers on actual misuse of {{cmdl32.exe}} as a LOLBAS, reducing false positives caused by similar command-line patterns from unrelated processes. | Significant reduction in noise and false positives, leading to more actionable alerts and improved analyst efficiency. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Suspicious Csc.exe parent | Edited rule | Updated the rule logic to normalize the process name by using {{lowercase(name)}} for case-insensitive matching. Also fixed inconsistent casing in {{parentProcessName}} field to ensure proper evaluation. | More accurate detection of suspicious Csc.exe behavior, potentially resulting in a slight increase in medium severity alerts due to improved match consistency. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Msdeploy | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Extexport | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003.001-observable-LOLBAS-Ntdsutil | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-DeviceCredentialDeployment | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-DefaultPack | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003.001-observable-LOLBAS-RdrLeakdiag | Edited rule | Updated process name check from a case-sensitive comparison to a case-insensitive match using {{lowercase(name)}}. This change improves detection reliability across systems where process names may differ in casing, corresponding unit test added. | Potential increase in medium severity alerts due to improved matching for {{rdrleakdiag.exe}} regardless of case. |
| TA0006-Credential Access-T1003.001-observable-LOLBAS-Process Memory Dump via ADPlus | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003.001-observable-LOLBAS-Dump64 | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003.001-observable-LOLBAS-Dumpminitool | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003-observable-LOLBAS-Sqldumper | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1574.002-observable-LOLBAS-Dnscmd | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1220-observable-LOLBAS-Msxsl | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0006-Credential Access-T1003-observable-LOLBAS-Createdump | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-VSDiagnostics | Edited rule | Implemented case-insensitive matching for the process name to improve rule robustness. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Diskshadow | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1564.004-observable-LOLBAS-Diantz | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218.007-observable-LOLBAS-Devinit download and install | Edited rule | Normalized the process name comparison by using {{lowercase(name)}} to ensure case-insensitive matching for "devinit.exe", enhancing detection consistency. | More accurate detection of Devinit misuse, with a potential increase in medium severity alerts due to improved rule matching logic. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-vsls-agent | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Stordiag | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-VisualUiaVerifyNative | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Ldifde | Edited rule | Updated the rule to use case-insensitive matching for the process name ({{ldifde.exe}}) by applying the {{lowercase()}} function. This ensures consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader process name matching and improved coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-IEExec | Edited rule | Enabled case-insensitive matching for the process name to strengthen detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Provlaunch | Edited rule | Applied case-insensitive matching for consistent detection. Corresponding unit test added. | Slight increase in observable alerts due to broader matching logic and improved rule reliability. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-InstallUtil | Edited rule | Adjusted the rule to perform case-insensitive process name matching for enhanced detection fidelity. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-AtBroker | Edited rule | Updated the rule to perform case-insensitive process name comparison for enhanced detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-CoreCLR Native Image Generator | Edited rule | Applied case-insensitive matching to the process name to ensure consistent and reliable detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-Certoc | Edited rule | Modified the rule to perform case-insensitive matching on the process name for enhanced detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-BGInfo | Edited rule | Enabled case-insensitive process name matching to improve detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1218-observable-LOLBAS-AddinUtil | Edited rule | Modified the rule to use case-insensitive matching for the process name to improve detection robustness. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1202-observable-LOLBAS-Runscripthleper | Edited rule | Applied case-insensitive process name matching to enhance detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1202-observable-LOLBAS-Openconsole | Edited rule | Updated the rule to use case-insensitive process name matching for improved detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Wfc | Edited rule | Enabled case-insensitive comparison for the process name to ensure broader and more reliable detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Vshadow | Edited rule | Updated to use case-insensitive process name comparison for improved detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-VSTest.Console | Edited rule | Adjusted the rule to match the process name case-insensitively for broader detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Tracker | Edited rule | Adjusted rule to match the process name case-insensitively for better detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Te | Edited rule | Updated to use case-insensitive process name comparison to ensure consistent detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Microsoft.nodejstools.pressanykey | Edited rule | Applied case-insensitive matching to the parent process name to enhance detection coverage. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Jsc | Edited rule | Implemented case-insensitive matching for the process name to improve detection accuracy. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Ilasm | Edited rule | Switched to case-insensitive matching for the process name to enhance detection consistency. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Remote | Edited rule | Converted process name matching to case-insensitive for broader detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-MS Workflow Compiler | Edited rule | Enabled case-insensitive process name matching to strengthen detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Dxcap | Edited rule | Applied case-insensitive matching to the process name for improved detection reliability. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-Devtoolslauncher | Edited rule | Enabled case-insensitive process name matching to ensure broader detection coverage. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1127-observable-LOLBAS-CSI | Edited rule | Updated the rule to support case-insensitive process name matching for improved detection fidelity. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0005-Defense Evasion-T1059-observable-LOLBAS-Mftrace | Edited rule | Updated the rule to use case-insensitive matching for both process name and parent process name to ensure consistent detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| TA0003-Persistence-T1197-observable-LOLBAS-BITSAdmin persistence | Edited rule | Updated the rule to perform case-insensitive matching on the process name to improve reliability across environments. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
| Linux Sudoers Recon | Edited rule | Added detection logic to alert on additional ways a threat actor could discover accounts with sudo rights. | Increased coverage, small increase in false positive detections possible. |
| TA0002-Execution-T1059.003-observable-LOLBAS-AccCheckConsole | Edited rule | Updated the rule to use case-insensitive matching for the process name to ensure consistent detection. Corresponding unit test added. | Slight increase in observable alerts on dashboard and increased coverage. |
05/27/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Linux Enumerate Wireless Keys | New rule | Detects activity on files/directories where wireless passwords may be stored, which may be an attempt to enumerate wireless keys. | Improve coverage. Low false positive rate. |
| Actions on Sensitive Directories | New rule | Detects interactions with sensitive directories using common applications, which may be a sign of tampering. The directories /etc, /boot, /bin, /usr, /sbin, and /opt contain configuration files and system binaries that attackers may target for privilege escalation or persistence. | Improve coverage. Slight increase in false positives is possible. |
05/21/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0002-Execution-T1059.004-alert-Linux Reverse Shell | New rule | Network connections to remote IP addresses from shell; similar characteristics of reverse shells. | Slight increase in alerts. |
| TA0005-Defense Evasion-T1562.004-observable-Firewall Modification | Edited rule | Renamed rule to “Linux Firewall Modification” since it only covers Linux events. Rule detects changes/modifications made to firewall rules using ufw, iptables, nftables, firewalld, firewall-cmd. | Increased visibility into changes made to firewall rules/services. Potentially large increase in number of non-alerting (i.e. observable) events. |
05/14/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Possible Silent Install Abuse via ASUSSetup.exe | New rule | There is a (recently patched) vulnerability where asusinstaller.exe can be abused to install illegitimate software and appear as signed. The rule will detect any cases of silent installations of asussetup.exe. | Customers of Asus motherboards who have not updated {{ASUSSetup.exe}} to its currently version should pay attention to this alert and ensure that the application was not called to install anything other than legitimate/approved programs. |
05/07/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0003-Persistence-T1053.005-observable-Scheduled Task Created via schtasks.exe | Edited rule | The rule logic was refactored for improved accuracy and broader coverage. The updated detection adds support for matching both {{schtasks.exe}} and its use within broader strings using word boundaries ({{\bschtasks\b}}). It also checks {{decodedPayload}} alongside {{commandLine}}, and adds enhanced exclusion logic using regex for known benign patterns and processes (e.g., {{rmmkse}}, {{geocomplyupdate}}, {{discoveryagentsetup}}). These improvements make the rule more robust and reduce noise. | Significant decrease in false positives for scheduled task detections, particularly in environments using legitimate agents like GeoComply or RMM tools. |
| TA0002-Execution-T1569.002-observable-PsExec Service Start | Edited rule | Updated the rule condition to perform a case-insensitive comparison and updated process name to psexesvc.exe. This ensures the rule triggers regardless of character casing in the process name and matches correct psexec process. | Increase in low severity observables and increased visibility during incident response. |
| Potential Suspicious Child Process of 3CXDesktopApp.exe | Edited rule | Replaced a verbose OR clause checking for specific child process names with a case-insensitive regex match. This simplifies the rule logic and improves maintainability. Also updated the parent process name check to use {{lowercase()}} for robustness. | No change in alert volume expected. Improved rule efficiency and reduced potential for case-sensitive misses. |
| TA0011-Command and Control-T1071.002-observable-FTP.exe Command File Execution.yaml | Edited rule | Changed {{parentCommandLine}} to {{commandLine}}. Fixed syntax from {{ParentProcessName}} to {{parentProcessName}}. {code:yaml}Detects use of ftp.exe to execute an FTP command file. This is not malicious by itself but is often suspicious in networks that don't use the built-in FTP.exe tool.{code} | Rule was not triggering properly due to syntax errors, rule will now trigger correctly. |
| Suspicious PowerShell Download in Windows System32 Directory | Edited rule | Updated {{signature.subjectName}} from a strict match {{"Microsoft Windows"}} to a case-insensitive regex {{iregex("microsoft")}} to improve compatibility with varying casing in signature data and updated unit test. | Potential increase in true positive alerts where the casing of "Microsoft" differs from the previous strict match, especially in environments with non-standardized subject name casing. |
| TA0006-Credential Access-T1003-alert-Enumerate Cleartext Wireless Keys | Edited rule | Modified the detection logic to remove the hard-coded process name ({{netsh.exe}}) and instead match based on command patterns found in both {{commandLine}} and {{decodedPayload}}. The new pattern matches attempts to extract Wi-Fi profiles with cleartext keys using more flexible regex matching ({{\bwlan\s+show\s+profile\s+name. *key\s*=\s*clear\b}}). |
This change broadens detection coverage to include obfuscated or renamed binaries that execute similar commands, potentially increasing the number of medium severity alerts. |
| TA0005-Defense Evasion-T1218.009-alert-LOLBAS-RegAsm.exe Connection to Public IP | Edited rule |
{noformat} type == "connection" &&
name == "regasm.exe" &&
|
Rule will now filter out alerts for regasm.exe initiating on port 80 or 443. |
04/18/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Hidden Powershell Base64 Encoded Command (Execution-T1059.001) | Edited rule | Updated the detection logic to broaden the {{signature.subjectName}} check from an exact match ({{"Microsoft Windows"}}) to a case-insensitive regex match for {{"Microsoft"}} to improve flexibility. Also changed the rule file name from {{alert}} to {{observable}} to better reflect its intent, and updated the corresponding unit test description to match the current rule logic. |
May result in slightly increased visibility into suspicious PowerShell executions involving Microsoft-signed binaries, especially those previously missed due to the exact string match constraint. |
| TA0005-Defense Evasion-T1562.001-observable-LOLBAS-Fltmc | Edited rule | Updated the rule condition to use {{lowercase(name)}} instead of a case-sensitive comparison. This improves detection reliability across different casing formats of the process name. A *unit test* was also added to validate the rule logic and ensure consistent behavior. |
Improved detection accuracy; may result in an increase in medium severity observables if previously missed due to case mismatch. |
| TA0040-Impact-T1491-alert-Wallpaper Defacement | Edited rule | Corrected the regex pattern for detecting {{user32.dll}} references —previous pattern failed to match certain formats. Also enhanced the {{SystemParametersInfo}} detection to support both decimal (e.g., {{20,0}}) and hexadecimal (e.g., {{0x14, 0x0}}) values. This improves reliability in identifying wallpaper modification attempts. |
Increase in low severity alerts due to improved coverage of both standard and obfuscated function usage patterns. |
| TA0002-Execution-T1059.001-alert-Powershell Encoded Command from Environment Variable (Process) | Edited rule | Updated the {{parentProcessName}} condition to apply a case-insensitive check by wrapping the value with {{lowercase()}}, ensuring consistent matching regardless of casing. Also added a unit test to validate the updated logic and prevent regression. | Prevents false negatives where {{cohesity_windows_agent_service.exe}} appears with different letter casing, improving detection reliability without increasing alert volume. |
| TA0006-Credential Access-T1003-alert-WDigest Cleartext Credential Theft | Edited rule | Corrected the previously incorrect registry path used to monitor WDigest credential caching ({{HKLM\SYSTEM\CurrentControlSet \Control\SecurityProviders \WDigest}}) and updated the detection logic to identify the enabling (value {{1}})—instead of disabling (value {{0}})—of the {{UseLogonCredential}} key. Additionally, the rule logic has been enhanced with refined regex patterns and added process conditions to more reliably detect suspicious usage of {{reg.exe}} and {{powershell.exe}}. A reference to official Microsoft guidance was also added to improve context, and added unit test to this rule. |
Improved detection accuracy and rule reliability; may reduce false positives and increase true positive alerts when credential caching is being enabled maliciously. |
04/16/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0005-Defense Evasion-T1070.001-alert-Windows Event Logs Cleared | Edited rule | Define wevtutil.exe definitions to highlight higher levels of log clearing. | Rules will now trigger for less broad log removal definitions and alert for logs that are primarily removed during attacks. Customers should be more aware of this alert if previously suppressed to ensure proper actions if alerted. |
04/08/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| EDRKILLShifter | New rule | Rule detects commands associated with EDRKILLShifter, a program that exploits vulnerable drivers to evade detection and disrupt security processes. | Increased coverage of threat actor activity. |
04/01/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0002-Execution-T1059-observable-LOLBAS-Fsi | Edited rule | Rule edited to properly exclude paths. | Less false/positives that would primarily impact “Fedex” applications. |
03/27/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Malicious PowerShell Commandlets | Edited rule | Added detections for known PowerShell cmdlets used for offensive security. | Increased detection coverage, possible increase in alerts/false positives. |
| Shadowcopy Enumeration | Edited rule | Added exclusions to reduce false positives. | Decrease in false positive events. |
| Suspicious Discovery Commands from cscript or wscript (VB Script) | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
| Remote User Account Enumeration | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
| New Certificate Added to Trusted Root Store via Certutil | Edited rule | Fixed typo. | Reduction in false positives. |
03/21/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Hex or Base64 Obfuscated Shell Command{{Hex or Base64 Obfuscated Shell Command}} | New rule | Rule detects hex-encoded and base64-encoded shell commands observed in attacks on Xcode. | Increased coverage of threat actor activity, possible increase in alerts. |
| (LOLBAS) RegAsm.exe Connection to Public IP | New rule | Rule detects regasm.exe network connections to public IP addresses on ports other than 80/443 (HTTP/HTTPS). | Increased coverage of threat actor activity, possible increase in alerts. |
| Dual Use Tool (NetScan) | New rule | Rule detects usage of SoftPerfect's network scanning tool (NetScan). NetScan is a common tool used for network administration that also has documented usage by threat actors. | Dual-use tool rules do not trigger alerts by default. Customers are advised to tailor alerting for these types of rules to best fit their security needs. |
| TA0005-Defense Evasion-T1027-alert-XOR Encryption In Powershell.yaml | Edited rule | Fixed typo. | Expand rule coverage. |
| TA0007-Discovery-T1018-observable-Domain Controller Enumeration.yaml | Edited rule | Fixed typo. | Expand rule coverage. Customers may see an increase in events. |
03/13/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Schtasks.exe used to run a scheduled task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |
| New Certificate Added to Trusted Root Store via Certutil | Edited rule | Added certificate exclusions to reduce false positives. | Decrease in alerts for some customers. |
| Firewall modification | Edited rule | Added logic to expand rule coverage. | Possible increase in alerts. |
| Remote User Account Enumeration | Edited rule | Added logic to reduce false positives by excluding incomplete commands and enumermation of localhost. | Decrease in alerts for some customers. |
| Run Lateral Scheduled Task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |
03/10/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| TA0002-Execution-T1053.002-alert-Base64 Encoded AT Command.yaml | Edited rule | Fixed incorrect use of {{&&}} in regex checks and improved logic to detect {{at.exe}} spawning PowerShell with Base64 commands or via {{wscript}}. | Improved detection accuracy and reduced false negatives. |
| TA0003-Persistence-T1547.001-observable-New Run Key.yaml | Edited rule | Updated detection to correctly identify both *HKCU* and *HKLM* abbreviations. | Broader coverage of registry-based persistence techniques. |
03/07/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Behavior from Injected Process | Edited rule | Rule was reactivated after having been deactivated for testing purposes. | No impact. |
03/05/2025
| Rule name | Change type | Details | Customer impact |
|---|---|---|---|
| Tool download | Edited rule | Rule edited to expand coverage of different syntax used to download a file with wget or curl. | Possible large increase in observable (i.e. non-alerting) events. |
