EDR rule updates
This article identifies application code changes made to EDR rules. If you notice you are receiving new alerts or there is a drastic change in volume for a certain type of alert you receive, you may be able to identify the reason in this article.
Each table includes the name of the rule, the type of change (new rule, edited rule, or deleted rule), rule details, and the impact the change may have on the customer. The date identifies when the change was live in the application.

Rule name | Change type | Details | Customer impact |
---|---|---|---|
TA0003-Persistence-T1053.005-observable-Scheduled Task Created via schtasks.exe | Edited rule | The rule logic was refactored for improved accuracy and broader coverage. The updated detection adds support for matching both {{schtasks.exe}} and its use within broader strings using word boundaries ({{\bschtasks\b}}). It also checks {{decodedPayload}} alongside {{commandLine}}, and adds enhanced exclusion logic using regex for known benign patterns and processes (e.g., {{rmmkse}}, {{geocomplyupdate}}, {{discoveryagentsetup}}). These improvements make the rule more robust and reduce noise. | Significant decrease in false positives for scheduled task detections, particularly in environments using legitimate agents like GeoComply or RMM tools. |
TA0002-Execution-T1569.002-observable-PsExec Service Start | Edited rule | Updated the rule condition to perform a case-insensitive comparison and changed the expected process name to psexesvc.exe. This ensures the rule triggers regardless of character casing in the process name and matches the correct PsExec service process. | Increase in low severity observables and increased visibility during incident response. |
Potential Suspicious Child Process of 3CXDesktopApp.exe | Edited rule | Replaced a verbose OR clause checking for specific child process names with a case-insensitive regex match. This simplifies the rule logic and improves maintainability. Also updated the parent process name check to use {{lowercase()}} for robustness. | No change in alert volume expected. Improved rule efficiency and reduced potential for case-sensitive misses. |
TA0011-Command and Control-T1071.002-observable-FTP.exe Command File Execution.yaml | Edited rule | Changed {{parentCommandLine}} to {{commandLine}} and fixed the field name {{ParentProcessName}} to {{parentProcessName}}. Rule description: "Detects use of ftp.exe to execute an FTP command file. This is not malicious by itself but is often suspicious in networks that don't use the built-in FTP.exe tool." | The rule was not triggering due to these syntax errors; it will now trigger correctly. |
Suspicious PowerShell Download in Windows System32 Directory | Edited rule | Updated {{signature.subjectName}} from a strict match {{"Microsoft Windows"}} to a case-insensitive regex {{iregex("microsoft")}} to improve compatibility with varying casing in signature data and updated unit test. | Potential increase in true positive alerts where the casing of "Microsoft" differs from the previous strict match, especially in environments with non-standardized subject name casing. |
TA0006-Credential Access-T1003-alert-Enumerate Cleartext Wireless Keys | Edited rule | Modified the detection logic to remove the hard-coded process name ({{netsh.exe}}) and instead match based on command patterns found in both {{commandLine}} and {{decodedPayload}}. The new pattern matches attempts to extract Wi-Fi profiles with cleartext keys using more flexible regex matching ({{\bwlan\s+show\s+profile\s+name.*key\s*=\s*clear\b}}). | This change broadens detection coverage to include obfuscated or renamed binaries that execute similar commands, potentially increasing the number of medium severity alerts. |
TA0005-Defense Evasion-T1218.009-alert-LOLBAS-RegAsm.exe Connection to Public IP | Edited rule | Updated rule condition (excerpt): {{type == "connection" && name == "regasm.exe" && …}} | Rule will now filter out alerts for regasm.exe initiating on port 80 or 443. |
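
The scheduled-task rule and the cleartext wireless key rule in the table above were changed in the same way: a word-boundary regex is evaluated against both {{commandLine}} and {{decodedPayload}}, and a case-insensitive exclusion regex suppresses known benign agents. The Python below is an added example of that evaluation, not the vendor's rule code; the event schema, the {{/create}} requirement on the schtasks pattern, and the sample events are all assumptions made here.

```python
import re

# Constructed sample process events (not taken from the page). The field names
# commandLine and decodedPayload follow the rule descriptions above; the rest
# of the schema is assumed.
SAMPLE_EVENTS = [
    # 0: schtasks invoked through cmd.exe, so the process name alone would miss it
    {"name": "cmd.exe",
     "commandLine": r'cmd.exe /c schtasks /create /tn "Updater" /tr C:\Temp\task.exe /sc minute',
     "decodedPayload": ""},
    # 1: task created by a known benign agent (suppressed by the exclusion regex)
    {"name": "schtasks.exe",
     "commandLine": r'schtasks.exe /create /tn rmmkse /tr "C:\Program Files\RMM\rmmkse.exe" /sc hourly',
     "decodedPayload": ""},
    # 2: the schtasks call only appears after decoding an encoded PowerShell payload
    {"name": "powershell.exe",
     "commandLine": "powershell.exe -enc <base64 omitted>",
     "decodedPayload": r"schtasks /Create /TN geocomplyupdate /TR C:\GeoComply\update.exe"},
    # 3: wlan profile export with cleartext key, visible only in the decoded payload
    {"name": "powershell.exe",
     "commandLine": "powershell.exe -enc <base64 omitted>",
     "decodedPayload": "netsh wlan show profile name=HomeWiFi key=clear"},
    # 4: same command issued by a renamed copy of netsh, which the old
    #    hard-coded process-name check would have missed
    {"name": "n.exe",
     "commandLine": 'n.exe wlan show profile name="Corp" key = clear',
     "decodedPayload": ""},
    # 5: schtasks used only to query an existing task, not to create one
    {"name": "cmd.exe",
     "commandLine": "cmd.exe /c schtasks /query /tn Backup",
     "decodedPayload": ""},
]

# Word-boundary match for schtasks (bare or as schtasks.exe) followed by a
# /create switch. Requiring /create is an assumption made in this example to
# restrict it to task creation; the page only describes the boundary change.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)

# Known benign agents named on the page, matched case-insensitively.
SCHTASKS_BENIGN = re.compile(r"rmmkse|geocomplyupdate|discoveryagentsetup", re.IGNORECASE)

# Pattern from the page for exporting a Wi-Fi profile with its cleartext key.
WLAN_CLEAR_KEY = re.compile(r"\bwlan\s+show\s+profile\s+name.*key\s*=\s*clear\b", re.IGNORECASE)


def texts_to_check(event):
    """Both fields the updated rules inspect: the raw line and any decoded payload."""
    return [event.get("commandLine", ""), event.get("decodedPayload", "")]


def scheduled_task_created(event):
    """True when any inspected field shows a schtasks /create not covered by an exclusion."""
    return any(SCHTASKS_CREATE.search(t) and not SCHTASKS_BENIGN.search(t)
               for t in texts_to_check(event))


def cleartext_wireless_key(event):
    """True when any inspected field shows a wlan profile export with key=clear,
    regardless of which binary issued the command."""
    return any(WLAN_CLEAR_KEY.search(t) for t in texts_to_check(event))


def evaluate(events):
    """Map each event index to the list of rule names it matches."""
    results = {}
    for i, ev in enumerate(events):
        hits = []
        if scheduled_task_created(ev):
            hits.append("Scheduled Task Created via schtasks.exe")
        if cleartext_wireless_key(ev):
            hits.append("Enumerate Cleartext Wireless Keys")
        results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in evaluate(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["name"], hits or "-")
```

Running the block lists the rules each sample matches: events 1 and 2 are suppressed by the exclusion even though they contain a schtasks create, event 3 fires only because the decoded payload is inspected, and event 4 fires on the renamed binary that the previous process-name check would have missed.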

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Hidden Powershell Base64 Encoded Command (Execution-T1059.001) | Edited rule | Updated the detection logic to broaden the {{signature.subjectName}} check from an exact match ({{"Microsoft Windows"}}) to a case-insensitive regex match for {{"Microsoft"}} to improve flexibility. Also changed the rule file name from {{alert}} to {{observable}} to better reflect its intent, and updated the corresponding unit test description to match the current rule logic. | May result in slightly increased visibility into suspicious PowerShell executions involving Microsoft-signed binaries, especially those previously missed due to the exact string match constraint. |
TA0005-Defense Evasion-T1562.001-observable-LOLBAS-Fltmc | Edited rule | Updated the rule condition to use {{lowercase(name)}} instead of a case-sensitive comparison. This improves detection reliability across different casing formats of the process name. A *unit test* was also added to validate the rule logic and ensure consistent behavior. | Improved detection accuracy; may result in an increase in medium severity observables if previously missed due to case mismatch. |
TA0040-Impact-T1491-alert-Wallpaper Defacement | Edited rule | Corrected the regex pattern for detecting {{user32.dll}} references; the previous pattern failed to match certain formats. Also enhanced the {{SystemParametersInfo}} detection to support both decimal (e.g., {{20,0}}) and hexadecimal (e.g., {{0x14, 0x0}}) values. This improves reliability in identifying wallpaper modification attempts. | Increase in low severity alerts due to improved coverage of both standard and obfuscated function usage patterns. |
TA0002-Execution-T1059.001-alert-Powershell Encoded Command from Environment Variable (Process) | Edited rule | Updated the {{parentProcessName}} condition to apply a case-insensitive check by wrapping the value with {{lowercase()}}, ensuring consistent matching regardless of casing. Also added a unit test to validate the updated logic and prevent regression. | Prevents false negatives where {{cohesity_windows_agent_service.exe}} appears with different letter casing, improving detection reliability without increasing alert volume. |
TA0006-Credential Access-T1003-alert-WDigest Cleartext Credential Theft | Edited rule | Corrected the previously incorrect registry path used to monitor WDigest credential caching ({{HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest}}) and updated the detection logic to identify the enabling (value {{1}}) of the {{UseLogonCredential}} key rather than its disabling (value {{0}}). Additionally, the rule logic has been enhanced with refined regex patterns and added process conditions to more reliably detect suspicious usage of {{reg.exe}} and {{powershell.exe}}. A reference to official Microsoft guidance was also added for context, and a unit test was added to this rule. | Improved detection accuracy and rule reliability; may reduce false positives and increase true positive alerts when credential caching is being enabled maliciously. |
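
The WDigest row above describes three checks: the corrected registry path, the distinction between enabling ({{1}}) and disabling ({{0}}) {{UseLogonCredential}}, and a process condition limited to {{reg.exe}} and {{powershell.exe}}. The Python below is an added example that applies those checks to constructed telemetry; it is not the vendor's rule, and the event schema, the acceptance of the PowerShell {{HKLM:}} drive spelling, and the sample command lines are assumptions made here.

```python
import re

# Constructed sample process events (not taken from the page); the event
# schema (name, commandLine) is assumed.
WDIGEST_SAMPLES = [
    # 0: reg.exe enabling credential caching (value 1) under the corrected path
    {"name": "reg.exe",
     "commandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    # 1: the same key being disabled (value 0); the updated rule must not fire
    {"name": "REG.EXE",
     "commandLine": r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f"},
    # 2: PowerShell form of the same change, using the HKLM: drive notation
    {"name": "powershell.exe",
     "commandLine": r'''powershell.exe -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -Value 1"'''},
    # 3: read-only query of the key; nothing is written
    {"name": "reg.exe",
     "commandLine": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential"},
    # 4: a value of 1 written under an unrelated key
    {"name": "reg.exe",
     "commandLine": r"reg.exe add HKCU\Software\Contoso\Agent /v CacheLogon /t REG_DWORD /d 1 /f"},
]

# Corrected registry path from the page. Both the reg.exe spelling (HKLM\) and
# the PowerShell drive spelling (HKLM:\) are accepted; the latter is an
# assumption made in this example.
WDIGEST_PATH = re.compile(
    r"HKLM:?\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
    re.IGNORECASE)

# UseLogonCredential written with value 1 via reg.exe (/d) or Set-ItemProperty
# (-Value). Decimal 1, 0x1 and zero-padded forms count; 0 (disabling) does not.
ENABLE_VALUE = re.compile(
    r"UseLogonCredential\b.*?(?:/d|-Value)\s+(?:0x)?0*1\b", re.IGNORECASE)

# Process condition from the page, compared case-insensitively.
WATCHED_PROCESSES = {"reg.exe", "powershell.exe"}


def wdigest_caching_enabled(event):
    """True when reg.exe or powershell.exe sets UseLogonCredential=1 under the WDigest key."""
    if event.get("name", "").lower() not in WATCHED_PROCESSES:
        return False
    cmd = event.get("commandLine", "")
    return bool(WDIGEST_PATH.search(cmd) and ENABLE_VALUE.search(cmd))


def matching_indices(events):
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if wdigest_caching_enabled(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(WDIGEST_SAMPLES):
        print(i, ev["name"], "ALERT" if wdigest_caching_enabled(ev) else "-")
```

Only samples 0 and 2 alert: sample 1 is the hardening direction the old rule mistakenly keyed on, sample 3 reads the key without changing it, and sample 4 shows why the path check matters rather than matching on the value alone.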

Rule name | Change type | Details | Customer impact |
---|---|---|---|
TA0005-Defense Evasion-T1070.001-alert-Windows Event Logs Cleared | Edited rule | Refined the wevtutil.exe command definitions so the rule focuses on higher-impact log clearing. | The rule now triggers on a narrower set of log-clearing commands and alerts on the logs that are primarily cleared during attacks. Customers who previously suppressed this alert should review it to ensure proper action is taken if it fires. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
EDRKILLShifter | New rule | Rule detects commands associated with EDRKILLShifter, a program that exploits vulnerable drivers to evade detection and disrupt security processes. | Increased coverage of threat actor activity. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
TA0002-Execution-T1059-observable-LOLBAS-Fsi | Edited rule | Rule edited to properly exclude paths. | Fewer false positives, primarily affecting “Fedex” applications. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Malicious PowerShell Commandlets | Edited rule | Added detections for known PowerShell cmdlets used for offensive security. | Increased detection coverage, possible increase in alerts/false positives. |
Shadowcopy Enumeration | Edited rule | Added exclusions to reduce false positives. | Decrease in false positive events. |
Suspicious Discovery Commands from cscript or wscript (VB Script) | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
Remote User Account Enumeration | Edited rule | Added exclusions to reduce false positives. | Reduction in false positive events. |
New Certificate Added to Trusted Root Store via Certutil | Edited rule | Fixed typo. | Reduction in false positives. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Hex or Base64 Obfuscated Shell Command | New rule | Rule detects hex-encoded and base64-encoded shell commands observed in attacks on Xcode. | Increased coverage of threat actor activity, possible increase in alerts. |
(LOLBAS) RegAsm.exe Connection to Public IP | New rule | Rule detects regasm.exe network connections to public IP addresses on ports other than 80/443 (HTTP/HTTPS). | Increased coverage of threat actor activity, possible increase in alerts. |
Dual Use Tool (NetScan) | New rule | Rule detects usage of SoftPerfect's network scanning tool (NetScan). NetScan is a common tool used for network administration that also has documented usage by threat actors. | Dual-use tool rules do not trigger alerts by default. Customers are advised to tailor alerting for these types of rules to best fit their security needs. |
TA0005-Defense Evasion-T1027-alert-XOR Encryption In Powershell.yaml | Edited rule | Fixed typo. | Expanded rule coverage. |
TA0007-Discovery-T1018-observable-Domain Controller Enumeration.yaml | Edited rule | Fixed typo. | Expanded rule coverage. Customers may see an increase in events. |
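
The RegAsm.exe rule appears twice on this page: its introduction above (public IP on ports other than 80/443) and the later edit that filters out ports 80 and 443 with a condition beginning {{type == "connection" && name == "regasm.exe"}}. The Python below is an added example of that evaluation, not the vendor's rule; the {{destinationIp}} and {{destinationPort}} field names and the sample events are assumptions, and {{ipaddress.is_global}} stands in for whatever public-IP test the product uses.

```python
import ipaddress

EXCLUDED_PORTS = {80, 443}  # HTTP/HTTPS, as stated in the rule description


def is_public_ip(addr):
    """True for a globally routable address. Private, loopback, link-local,
    multicast, reserved and RFC 5737 documentation ranges all return False,
    as does anything that is not an IP literal."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # hostname, empty field, or otherwise not an address
        return False


def regasm_public_connection(event):
    """Connection event from regasm.exe to a public IP on a port other than 80/443."""
    if event.get("type") != "connection":
        return False
    if event.get("name", "").lower() != "regasm.exe":  # case-insensitive, see the 3CX row above
        return False
    if not is_public_ip(event.get("destinationIp", "")):
        return False
    return event.get("destinationPort") not in EXCLUDED_PORTS


# Constructed sample connection events (not taken from the page). The type and
# name fields come from the rule excerpt; destinationIp/destinationPort are
# assumed. 8.8.8.8 is used only because Python classifies the RFC 5737
# documentation ranges as non-global, so they cannot stand in for a public IP.
CONNECTION_SAMPLES = [
    # 0: regasm.exe to a public address on a non-web port
    {"type": "connection", "name": "regasm.exe", "destinationIp": "8.8.8.8", "destinationPort": 2222},
    # 1: same destination over HTTPS, removed by the port exclusion
    {"type": "connection", "name": "RegAsm.exe", "destinationIp": "8.8.8.8", "destinationPort": 443},
    # 2: internal destination
    {"type": "connection", "name": "regasm.exe", "destinationIp": "10.20.30.40", "destinationPort": 2222},
    # 3: process event rather than a connection
    {"type": "process", "name": "regasm.exe", "destinationIp": "", "destinationPort": None},
    # 4: a different binary, outside this rule's scope
    {"type": "connection", "name": "regsvr32.exe", "destinationIp": "8.8.8.8", "destinationPort": 2222},
]


def matching_indices(events):
    """Indices of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if regasm_public_connection(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(CONNECTION_SAMPLES):
        print(i, ev["name"], ev["destinationIp"], ev["destinationPort"],
              "ALERT" if regasm_public_connection(ev) else "-")
```

One caveat worth knowing when writing unit tests for a rule like this: the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are reported as non-global by {{ipaddress}}, so a test that uses them as the "public" destination will silently fail to exercise the alerting path.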

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Schtasks.exe used to run a scheduled task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |
New Certificate Added to Trusted Root Store via Certutil | Edited rule | Added certificate exclusions to reduce false positives. | Decrease in alerts for some customers. |
Firewall modification | Edited rule | Added logic to expand rule coverage. | Possible increase in alerts. |
Remote User Account Enumeration | Edited rule | Added logic to reduce false positives by excluding incomplete commands and enumeration of localhost. | Decrease in alerts for some customers. |
Run Lateral Scheduled Task | Edited rule | Added program exclusion to reduce false positives. | Decrease in alerts for some customers. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
TA0002-Execution-T1053.002-alert-Base64 Encoded AT Command.yaml | Edited rule | Fixed incorrect use of {{&&}} in regex checks and improved logic to detect {{at.exe}} spawning PowerShell with Base64 commands or via {{wscript}}. | Improved detection accuracy and reduced false negatives. |
TA0003-Persistence-T1547.001-observable-New Run Key.yaml | Edited rule | Updated detection to correctly identify both *HKCU* and *HKLM* abbreviations. | Broader coverage of registry-based persistence techniques. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Behavior from Injected Process | Edited rule | Rule was reactivated after having been deactivated for testing purposes. | No impact. |

Rule name | Change type | Details | Customer impact |
---|---|---|---|
Tool download | Edited rule | Rule edited to expand coverage of different syntax used to download a file with wget or curl. | Possible large increase in observable (i.e., non-alerting) events. |