EDR rule updates
This article identifies application code changes made to EDR rules. If you notice you are receiving new alerts or there is a drastic change in volume for a certain type of alert you receive, you may be able to identify the reason in this article.
Each table includes the name of the rule, the type of change (new rule, edited rule, or deleted rule), rule details, and the impact the change may have on the customer. The date identifies when the change was live in the application.
04/01/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| TA0002-Execution-T1059-observable-LOLBAS-Fsi | Edited rule | Rule edited to properly exclude paths. | Fewer false positives, which primarily affected “Fedex” applications. |
03/27/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| Malicious PowerShell Commandlets | Edited rule | Added detections for known PowerShell cmdlets used for offensive security. | Increased detection coverage, possible increase in alerts/false positives. |
| Shadowcopy Enumeration | Edited rule | Added exclusions to reduce false positives. | Decrease in false positive events. |
| Suspicious Discovery Commands from cscript or wscript (VB Script) | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
| Remote User Account Enumeration | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
| New Certificate Added to Trusted Root Store via Certutil | Edited rule | Fixed typo. | Reduction in false positives. |
03/21/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| Hex or Base64 Obfuscated Shell Command | New rule | Rule detects hex-encoded and base64-encoded shell commands observed in attacks on Xcode. | Increased coverage of threat actor activity, possible increase in alerts. |
| (LOLBAS) RegAsm.exe Connection to Public IP | New rule | Rule detects regasm.exe network connections to public IP addresses on ports other than 80/443 (HTTP/HTTPS). | Increased coverage of threat actor activity, possible increase in alerts. |
| Dual Use Tool (NetScan) | New rule | Rule detects usage of SoftPerfect's network scanning tool (NetScan). NetScan is a common tool used for network administration that also has documented usage by threat actors. | Dual-use tool rules do not trigger alerts by default. Customers are advised to tailor alerting for these types of rules to best fit their security needs. |
| TA0005-Defense Evasion-T1027-alert-XOR Encryption In Powershell.yaml | Edited rule | Fixed typo. | Expand rule coverage. |
| TA0007-Discovery-T1018-observable-Domain Controller Enumeration.yaml | Edited rule | Fixed typo. | Expand rule coverage. Customers may see an increase in events. |
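As an added illustration (not the vendor's rule code), the following Python sketches the detection logic described for the RegAsm.exe rule above: a `regasm.exe` network connection to a public IP on any port other than 80/443. The event fields, the sample telemetry and the use of Python's `ipaddress` module to decide what counts as "public" are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Ports the rule treats as ordinary web traffic and therefore excludes.
EXCLUDED_PORTS = {80, 443}


@dataclass(frozen=True)
class NetConnEvent:
    """Minimal network-connection telemetry record (constructed for this example)."""
    image: str        # full path of the process that opened the connection
    remote_ip: str
    remote_port: int


def is_public_ip(addr: str) -> bool:
    """True when addr is globally routable.

    ipaddress's is_global already returns False for RFC 1918, loopback,
    link-local, shared address space (100.64/10) and documentation ranges;
    multicast is excluded explicitly so it is not treated as "public".
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: never treat as a public destination
    return ip.is_global and not ip.is_multicast


def matches_regasm_public_ip(ev: NetConnEvent) -> bool:
    """Rule logic: regasm.exe reaching a public IP on a port other than 80/443."""
    image_name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image_name != "regasm.exe":
        return False
    if ev.remote_port in EXCLUDED_PORTS:
        return False
    return is_public_ip(ev.remote_ip)


# Constructed sample telemetry; 8.8.8.8 is used only as a known globally routable address.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    NetConnEvent(REGASM, "8.8.8.8", 4444),      # public IP, non-web port -> match
    NetConnEvent(REGASM, "8.8.8.8", 443),       # excluded port            -> no match
    NetConnEvent(REGASM, "10.0.0.5", 4444),     # RFC 1918                 -> no match
    NetConnEvent(REGASM, "100.64.1.2", 8080),   # shared address space     -> no match
    NetConnEvent(r"C:\Windows\System32\svchost.exe", "8.8.8.8", 4444),  # other image
]


def run_detection(events):
    """Return the events that the rule would raise as hits."""
    return [ev for ev in events if matches_regasm_public_ip(ev)]
```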
03/13/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| Schtasks.exe used to run a scheduled task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |
| New Certificate Added to Trusted Root Store via Certutil | Edited rule | Added certificate exclusions to reduce false positives. | Decrease in alerts for some customers. |
| Firewall modification | Edited rule | Added logic to expand rule coverage. | Possible increase in alerts. |
| Remote User Account Enumeration | Edited rule | Added logic to reduce false positives by excluding incomplete commands and enumeration of localhost. | Decrease in alerts for some customers. |
| Run Lateral Scheduled Task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |
03/10/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| TA0002-Execution-T1053.002-alert-Base64 Encoded AT Command.yaml | Edited rule | Fixed incorrect use of `&&` in regex checks and improved logic to detect `at.exe` spawning PowerShell with Base64 commands or via `wscript`. | Improved detection accuracy and reduced false negatives. |
| TA0003-Persistence-T1547.001-observable-New Run Key.yaml | Edited rule | Updated detection to correctly identify both *HKCU* and *HKLM* abbreviations. | Broader coverage of registry-based persistence techniques. |
03/07/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| Behavior from Injected Process | Edited rule | Rule was reactivated after having been deactivated for testing purposes. | No impact. |
03/05/2025
| Rule name | Change type | Details | Customer impact |
| --- | --- | --- | --- |
| Tool download | Edited rule | Rule edited to expand coverage of different syntax used to download a file with wget or curl. | Possible large increase in observable (i.e. non-alerting) events. |