Jonhnathan
0a8c89d3f5
[Rule Tuning] Misc Windows ( #5906 )
2026-04-06 09:42:29 -03:00
Mika Ayenson, PhD
8993d1450b
[Rule Tuning] Add Supplemental Mitre Mappings ( #5876 )
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2026-04-01 09:12:42 -05:00
Terrance DeJesus
a8033e14aa
rule tuning add ICP blockchain indicator ( #5887 )
2026-03-26 11:09:51 -05:00
Samirbous
057fe30199
[New] RMM Rules ( #5848 )
2026-03-23 22:11:52 +05:30
Jonhnathan
3ce89a3ccf
[Rule Tuning] Sensitive Audit Policy Sub-Category Disabled ( #5859 )
* [Rule Tuning] Sensitive Audit Policy Sub-Category Disabled
* ++
* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestion from @w0rk3r
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-03-23 13:25:35 -03:00
Jonhnathan
38e1456eca
[Rule Tuning] Misc Rule Tuning ( #5858 )
* [Rule Tuning] Misc Rule Tuning
* Update defense_evasion_elastic_agent_service_terminated.toml
2026-03-23 13:01:06 -03:00
Samirbous
062a065722
[Tuning] Add Missing executable file extensions ( #5857 )
Add missing executable file extensions; for example, execution_windows_script_from_internet.toml didn't cover wsf and sct.
2026-03-23 12:23:51 +00:00
Samirbous
e788ab7e73
[New/tuning] WarLock coverage ( #5846 )
* [New/tuning] WarLock coverage
Improve coverage for https://www.trendmicro.com/tr_tr/research/26/c/dissecting-a-warlock-attack.html
* ++
* Update command_and_control_velociraptor_shell_execution.toml
* Update command_and_control_tunnel_cloudflared.toml
* Update command_and_control_tunnel_yuze.toml
* Update command_and_control_velociraptor_shell_execution.toml
* Update exfiltration_rclone_cloud_upload.toml
* Update rules/windows/exfiltration_rclone_cloud_upload.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_velociraptor_shell_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_yuze.toml
* Update command_and_control_tunnel_yuze.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-23 11:01:12 +00:00
Samirbous
7bde0a9d2d
[Tuning] Misc Rules Tuning ( #5817 )
* [Tuning] Misc Rules Tuning
Tuning of recently created or tuned rules.
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update credential_access_bruteforce_admin_account.toml
* ++
* ++
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-23 10:49:23 +00:00
Samirbous
02adbfb2b0
[New / Tuning] LeakNet cov ( #5850 )
* [Tuning] LeakNet cov
https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat
* Update execution_susp_javascript_via_deno.toml
* Update execution_susp_javascript_via_deno.toml
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestion from @w0rk3r
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update execution_susp_javascript_via_deno.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-20 21:11:26 +00:00
Samirbous
7bd2e2911c
Update command_and_control_common_webservices.toml ( #5831 )
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-18 09:38:29 -03:00
Samirbous
2d6172e9c2
Update command_and_control_dns_rmm_domains_non_browser.toml ( #5819 )
Minor change to unblock release.
2026-03-10 12:07:39 +00:00
Samirbous
afcb342c55
[Tuning/New] RMM Rules ( #5810 )
* [Tuning/New] RMM Rules
- replaced RAT with RMM (RMM != RAT)
- added extra RMM processes, added process.parent.name and parent code signature too (GoToHTTP, tacticalrmm and more).
- added more references
- new term rule based on dns.question.name
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* ++
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* ++
* ++
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update rules/windows/command_and_control_dns_rmm_domains_non_browser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_dns_rmm_domains_non_browser.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-03-09 16:33:47 +00:00
Samirbous
ec4a0e58e4
[New] Suspicious Execution from VS Code Extension ( #5786 )
* [New] Suspicious Execution from VS Code Extension
Detects suspicious process execution launched from a VS Code extension context (parent command line contains
.vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. RATs like
ScreenConnect, script interpreters, or download utilities). This covers both script/LOLBin children and
recently created executables from non-Program Files paths, as seen in campaigns such as the fake Clawdbot
extension that installed ScreenConnect RAT.
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* ++
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
* Update initial_access_suspicious_execution_from_vscode_extension.toml
2026-03-09 16:22:41 +00:00
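The two branches the commit message describes (script/LOLBin child, or a recently created executable outside Program Files, both gated on the parent command line pointing into .vscode/extensions) replayed over constructed process-creation events. This is an added example, not code from the elastic/detection-rules repository: the field names follow ECS, but the interpreter/LOLBin list, the trusted path prefixes, the 24-hour "recently created" threshold and the `process.executable_created` enrichment field are assumptions made for this illustration, not the rule's actual values.

```python
"""Added example, not the rule's query: toy evaluation of the VS Code extension
child-process logic over constructed process-creation events."""
from datetime import datetime, timedelta

# Assumed list of script hosts and LOLBins a malicious extension might spawn.
SCRIPT_OR_LOLBIN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "curl.exe", "msiexec.exe",
}
# Assumed "expected" install locations; binaries here are not flagged on the
# recently-created branch.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumed threshold for "recently created executable".
RECENTLY_CREATED = timedelta(hours=24)


def launched_from_extension(event):
    """True when the parent's command line points into a VS Code extension directory."""
    parent_cmd = event.get("process.parent.command_line", "").lower()
    return ".vscode\\extensions" in parent_cmd or ".vscode/extensions" in parent_cmd


def is_suspicious(event):
    """Return the branch that fired, or None when the event does not match."""
    if not launched_from_extension(event):
        return None
    if event.get("process.name", "").lower() in SCRIPT_OR_LOLBIN:
        return "script_or_lolbin_child"
    exe = event.get("process.executable", "").lower()
    created = event.get("process.executable_created")  # hypothetical enrichment field
    if (created is not None
            and event["@timestamp"] - created <= RECENTLY_CREATED
            and not exe.startswith(TRUSTED_PREFIXES)):
        return "recently_created_untrusted_binary"
    return None


def evaluate(events):
    """Evaluate a batch and return (pid, reason) for every match, in input order."""
    hits = []
    for ev in events:
        reason = is_suspicious(ev)
        if reason:
            hits.append((ev["process.pid"], reason))
    return hits


# Constructed sample telemetry (not real data). The extension host command line
# below is an assumed shape that contains the .vscode\extensions path.
T0 = datetime(2026, 3, 9, 16, 0, 0)
EXT_HOST = ('"C:\\Program Files\\Microsoft VS Code\\Code.exe" '
            'C:\\Users\\bob\\.vscode\\extensions\\clawdbot.helper-1.0.2\\out\\bootstrap.js')
SAMPLE_EVENTS = [
    {"@timestamp": T0, "process.pid": 4101, "process.name": "powershell.exe",
     "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process.parent.command_line": EXT_HOST},
    {"@timestamp": T0, "process.pid": 4102, "process.name": "updater.exe",
     "process.executable": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe",
     "process.executable_created": T0 - timedelta(minutes=5),
     "process.parent.command_line": EXT_HOST},
    {"@timestamp": T0, "process.pid": 4103, "process.name": "git.exe",
     "process.executable": "C:\\Program Files\\Git\\cmd\\git.exe",
     "process.executable_created": T0 - timedelta(days=90),
     "process.parent.command_line": EXT_HOST},
    {"@timestamp": T0, "process.pid": 4104, "process.name": "powershell.exe",
     "process.executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process.parent.command_line": '"C:\\Program Files\\Microsoft VS Code\\Code.exe" --type=utility'},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Only the first two events match: the PowerShell child via the LOLBin branch, and the five-minute-old Temp binary via the recently-created branch. The git.exe child is old and under Program Files, and the last PowerShell launch has no extension path in its parent's command line, so neither fires.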
Samirbous
a7c34ebf3b
[New] Potential Account Takeover - Logon from New Source IP ( #5770 )
* [New] Potential Account Takeover - Logon from New Source IP
* Update credential_access_account_takeover_new_source_ip.toml
* Update credential_access_account_takeover_new_source_ip.toml
* Update privilege_escalation_takeover_new_source_ip.toml
* ++
* Update privilege_escalation_account_takeover_mixed_logon_types.toml
* Update privilege_escalation_account_takeover_mixed_logon_types.toml
* Update rules/windows/privilege_escalation_takeover_new_source_ip.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rules/windows/privilege_escalation_account_takeover_mixed_logon_types.toml
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2026-03-09 15:33:57 +00:00
Eric Forte
94c73e3ad7
[FR] Minor Typo Fixes ( #5784 )
2026-03-06 16:12:45 -06:00
Samirbous
dc7d8960de
[Tuning] LSASS Process Access via Windows API ( #5807 )
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
2026-03-03 19:05:47 +00:00
Jonhnathan
5ddca45adf
[Rule Tuning] Windows Misc Tuning - 2 ( #5758 )
* [Rule Tuning] Windows Misc Tuning - 2
* Apply suggestion from @w0rk3r
2026-02-23 13:09:19 -03:00
Jonhnathan
3d647feb8c
[Rule Tuning] Windows Misc Tunings ( #5740 )
* [Rule Tuning] Windows Misc Tunings
* ++
* Update defense_evasion_wsl_child_process.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2026-02-20 14:11:35 -03:00
Samirbous
2605d38018
[New] Potential Notepad Markdown RCE Exploitation ( #5729 )
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841
2026-02-18 16:19:56 +00:00
Jonhnathan
6d0471768f
[Rule Tuning] PowerShell Rules Revamp - 9 ( #5706 )
* [Rule Tuning] PowerShell Rules Revamp - 9
* .
* Update defense_evasion_posh_obfuscation_index_reversal.toml
* Update defense_evasion_posh_obfuscation_index_reversal.toml
* update disclaimer
* update tags
2026-02-18 12:22:24 -03:00
Jonhnathan
5d98a212fc
[Rule Tuning] Potential Timestomp in Executable Files ( #5727 )
* [Rule Tuning] Potential Timestomp in Executable Files
* Update defense_evasion_timestomp_sysmon.toml
2026-02-18 11:14:54 -03:00
Samirbous
41a8256aa3
[tuning] LLM DNS queries ( #5709 )
* Update command_and_control_common_llm_endpoint.toml
* Update command_and_control_common_llm_endpoint.toml
* Update command_and_control_common_llm_endpoint.toml
* Apply suggestion from @w0rk3r
* Update command_and_control_common_llm_endpoint.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-02-13 13:54:52 +00:00
Jonhnathan
51cf7574a9
[Rule Deprecation] PowerShell Rules ( #5707 )
* [Rule Deprecation] PowerShell Rules
* Update defense_evasion_posh_obfuscation_index_reversal.toml
2026-02-11 16:49:33 -03:00
Jonhnathan
4980a3b50c
[Rule Tuning] PowerShell Rules Revamp - 8 ( #5705 )
* [Rule Tuning] PowerShell Rules Revamp - 8
* update disclaimer
* Apply suggestion from @w0rk3r
* Update rules/windows/execution_posh_psreflect.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestion from @w0rk3r
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 16:32:04 -03:00
Jonhnathan
3065b10f91
[Rule Tuning] PowerShell Rules Revamp - 7 ( #5704 )
* [Rule Tuning] PowerShell Rules Revamp - 7
* update disclaimer
2026-02-11 16:02:48 -03:00
Jonhnathan
9be58755ae
[Rule Tuning] PowerShell Rules Revamp - 6 ( #5700 )
* [Rule Tuning] PowerShell Rules Revamp - 6
* .
* [Rule Tuning] PowerShell Rules Revamp - 7
* Revert "[Rule Tuning] PowerShell Rules Revamp - 7"
This reverts commit 378f8c8b6409ea1e4bad0e86027c05e0a7db9950.
* update disclaimer
2026-02-11 15:50:49 -03:00
Jonhnathan
20450660df
[Rule Tuning] PowerShell Rules Revamp - 5 ( #5699 )
* [Rule Tuning] PowerShell Rules Revamp - 5
* Update defense_evasion_posh_obfuscation_backtick.toml
* update disclaimer
2026-02-11 15:36:48 -03:00
Jonhnathan
2d4d56bf21
[Rule Tuning] PowerShell Rules Revamp - 4 ( #5698 )
* [Rule Tuning] PowerShell Rules Revamp - 4
* bump
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update defense_evasion_posh_compressed.toml
* update disclaimer
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-11 15:26:05 -03:00
Jonhnathan
5489c107b0
[New Rule] Potential PowerShell Obfuscated Script via High Entropy ( #5554 )
* [New Rule] Potential PowerShell Obfuscated Script via High Entropy
* Update defense_evasion_posh_high_entropy.toml
* Add investigation guide
* Update defense_evasion_posh_high_entropy.toml
* Update defense_evasion_posh_high_entropy.toml
* Update defense_evasion_posh_high_entropy.toml
* Update defense_evasion_posh_high_entropy.toml
2026-02-11 09:50:19 -03:00
Samirbous
2b5472a9b3
[Tuning/New] SolarWinds Post Exploit ( #5696 )
* [Tuning/New] SolarWinds Post Exploit
https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- new rule for tunneling using QEMU
- added a few websvc domains: .cloud.es.io, files.catbox.moe and supabase.co
- added javaw to the solarwinds rule
- added ZOHO and Velociraptor to the new term RMM rule.
* Update initial_access_potential_webhelpdesk_exploit.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* ++
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2026-02-09 13:57:52 +00:00
Ruben Groenewoud
3cba3d7982
[Rule Tuning] Dormant & Deprecated Rule Clean-Up ( #5672 )
* Updated kubernetes.audit.requestObject.spec.containers.image type from text to keyword
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* [Rule Tuning] Dormant & Deprecated Rule Clean-Up
* Few more deprecations
* ++
* Update unit test syntax fix
* Update bad bytes
* ++
2026-02-05 13:24:21 +01:00
ailiffa
e6fafc914e
[Rule Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion ( #5592 )
* [Tuning] Unsigned DLL Side-Loading from a Suspicious Folder: Add Downloads path and fix subdirectory evasion
- Add Downloads folder to the suspicious paths list
- Modify directory matching logic from endswith~ to startswith~ to detect DLLs loaded from subdirectories of the executable's location
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Swap back to "endswith" and add chrome_elf.dll coverage.
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2026-02-04 14:16:14 -03:00
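The commit above went from an endswith~ comparison of the DLL's directory against the executable's directory to startswith~ (to catch DLLs in subdirectories) and then back again. The behaviour of the two comparisons on constructed image-load events, including a pitfall of raw prefix matching, as an added example that is not the rule's own query: `same_dir` models the endswith~ form, `dir_or_subdir_naive` a startswith~ on the bare directory strings, and `dir_or_subdir` a startswith~ with a path separator appended. The suspicious-folder markers and the `dll.code_signature.trusted` gate are assumed for illustration and are not the rule's actual lists or conditions.

```python
"""Added example, not the rule's query: directory-matching variants for an
unsigned-DLL-from-suspicious-folder check, run over constructed events."""
import ntpath

# Assumed sample of suspicious locations (the commit adds the Downloads folder).
SUSPICIOUS_DIR_MARKERS = ("c:\\users\\public\\", "c:\\programdata\\",
                          "\\downloads\\", "\\appdata\\local\\temp\\")


def directory_of(path):
    """Directory part of a Windows path, lower-cased, with one trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def in_suspicious_dir(dll_path):
    d = directory_of(dll_path)
    return any(marker in d for marker in SUSPICIOUS_DIR_MARKERS)


def same_dir(dll_path, exe_path):
    """endswith~ on the two directory strings: true only when the DLL sits in
    the executable's own directory, so a DLL in a subdirectory is missed."""
    return directory_of(dll_path).endswith(directory_of(exe_path))


def dir_or_subdir_naive(dll_path, exe_path):
    """startswith~ on the bare directory strings. Catches subdirectories, but
    'c:\\users\\public\\app2' also starts with 'c:\\users\\public\\app'."""
    return ntpath.dirname(dll_path).lower().startswith(ntpath.dirname(exe_path).lower())


def dir_or_subdir(dll_path, exe_path):
    """startswith~ with the separator appended, so a sibling directory that
    merely shares a name prefix no longer matches."""
    return directory_of(dll_path).startswith(directory_of(exe_path))


def side_load_candidates(events, matcher):
    """Unsigned DLL, in a suspicious folder, positioned relative to the loading
    executable according to `matcher`. Returns the matching dll.name values."""
    hits = []
    for ev in events:
        if ev["dll.code_signature.trusted"]:
            continue
        if in_suspicious_dir(ev["dll.path"]) and matcher(ev["dll.path"], ev["process.executable"]):
            hits.append(ev["dll.name"])
    return hits


# Constructed sample image-load events (not real telemetry).
APP = "C:\\Users\\Public\\app\\tool.exe"
SAMPLE_EVENTS = [
    {"process.executable": APP, "dll.name": "version.dll",
     "dll.path": "C:\\Users\\Public\\app\\version.dll", "dll.code_signature.trusted": False},
    {"process.executable": APP, "dll.name": "cryptbase.dll",
     "dll.path": "C:\\Users\\Public\\app\\libs\\cryptbase.dll", "dll.code_signature.trusted": False},
    {"process.executable": APP, "dll.name": "wtsapi32.dll",
     "dll.path": "C:\\Users\\Public\\app2\\wtsapi32.dll", "dll.code_signature.trusted": False},
    {"process.executable": "C:\\Users\\bob\\Downloads\\setup.exe", "dll.name": "dbghelp.dll",
     "dll.path": "C:\\Users\\bob\\Downloads\\dbghelp.dll", "dll.code_signature.trusted": False},
    {"process.executable": APP, "dll.name": "kernel32.dll",
     "dll.path": "C:\\Windows\\System32\\kernel32.dll", "dll.code_signature.trusted": True},
]

if __name__ == "__main__":
    for m in (same_dir, dir_or_subdir_naive, dir_or_subdir):
        print(m.__name__, side_load_candidates(SAMPLE_EVENTS, m))
```

The same-directory form finds version.dll and the Downloads-folder dbghelp.dll but not cryptbase.dll under libs\; the naive prefix form adds cryptbase.dll but also wtsapi32.dll from the unrelated app2 directory; appending the separator keeps the subdirectory hit and drops the sibling-directory false match. Whichever comparison a rule settles on, the operand order and the separator handling are worth checking against a subdirectory case and a shared-prefix case like this one.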
Samirbous
2b8fb44cb5
[New] SolarWinds Web Help Desk Java Module Load or Child Process ( #5665 )
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.
https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/
https://github.com/rapid7/metasploit-framework/pull/20917
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-02-04 16:09:55 +00:00
Samirbous
d42ebdc3e6
[Tuning] Component Object Model Hijacking ( #5651 )
* Update persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
2026-02-04 13:23:40 +00:00
Samirbous
ed089d5d76
[Tuning] Svchost spawning Cmd ( #5649 )
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
2026-02-04 12:42:50 +00:00
Terrance DeJesus
c75fc7e487
[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints ( #5663 )
Fixes #5662
2026-02-03 09:38:14 -05:00
Jonhnathan
2f9dc7af53
[Rule Tuning] PowerShell Rules Revamp - 2 ( #5623 )
* [Rule Tuning] PowerShell Rules Revamp - 2
* Update credential_access_mimikatz_powershell_module.toml
* Apply suggestions from code review
2026-01-26 19:35:05 -03:00
Jonhnathan
6843d11b09
[Rule Tuning] PowerShell Rules Revamp - 3 ( #5625 )
* [Rule Tuning] PowerShell Rules Revamp - 3
* Apply suggestion from @w0rk3r
2026-01-26 19:11:29 -03:00
Jonhnathan
fc55e8b308
[Rule Tuning] PowerShell Rules Revamp - 1 ( #5619 )
* [Rule Tuning] PowerShell Rules Revamp - 1
* bump
2026-01-26 19:01:48 -03:00
Samirbous
88e0b14709
[Tuning] ESQL Dynamic unique value fields ( #5569 )
* [Tuning] Extract dynamic field with 1 value to ECS fields for alerts exclusion
Extract dynamic field with 1 value to ECS fields for alerts exclusion:
Esql.host_id_values -> host.id
Esql.agent_id_values -> agent.id
Esql.host_name_values -> host.name
* Update multiple_alerts_by_host_ip_and_source_ip.toml
* Update newly_observed_elastic_defend_alert.toml
* Update defense_evasion_base64_decoding_activity.toml
* Update discovery_subnet_scanning_activity_from_compromised_host.toml
* Update persistence_web_server_sus_command_execution.toml
* Update persistence_web_server_sus_child_spawned.toml
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/linux/impact_potential_bruteforce_malware_infection.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/multiple_alerts_elastic_defend_netsecurity_by_host.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/newly_observed_elastic_defend_alert.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/cross-platform/newly_observed_elastic_detection_rule.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/credential_access_rare_webdav_destination.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update credential_access_rare_webdav_destination.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 16:34:16 +00:00
Samirbous
7221db6b36
[Tuning] Potential Ransomware Behavior - Note Files by System ( #5595 )
* [Tuning] Potential Ransomware Behavior - Note Files by System
Added host.id and removed noisy patterns (writes to a non-C drive).
* Update impact_high_freq_file_renames_by_kernel.toml
* Apply suggestion from @Mikaayenson
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update impact_high_freq_file_renames_by_kernel.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 13:15:54 +00:00
Samirbous
30c7833f08
[Tuning] Rare Connection to WebDAV Target ( #5604 )
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
2026-01-26 12:51:09 +00:00
Samirbous
ccfb69244a
[Tuning] Rare Connection to WebDAV Target ( #5556 )
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
* Update credential_access_rare_webdav_destination.toml
2026-01-23 11:17:19 +00:00
Jonhnathan
9055d564f5
[Rule Tuning] Web Server Rules ( #5581 )
2026-01-20 15:30:57 -03:00
Samirbous
31de1789c4
[Tuning] Reduce NewTerm history_window_start for Windows Rules ( #5560 )
* [Tuning] Reduce NewTerm history_window_start for Windows Rules
Reduce Windows NewTerm rules history_window_start from 14d to 5d.
* Update execution_command_shell_started_by_svchost.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update persistence_scheduled_task_updated.toml
2026-01-16 12:46:45 +00:00
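What shrinking a New Terms history window from 14d to 5d changes, shown on a constructed event stream. This is an added example and a simplified model, not Kibana's rule engine: here a term counts as "new" at an event when it has not been seen within `history_window` before that event, whereas the real rule measures the window relative to each rule run. The event stream and the `process.name` key are constructed for the illustration.

```python
"""Added example, not Kibana code: replay of New Terms semantics under two
history window sizes."""
from datetime import datetime, timedelta


def new_terms_alerts(events, history_window, key="process.name"):
    """Return (timestamp, term) for each event whose term was not seen within
    `history_window` before it. Events are replayed in timestamp order."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        term = ev[key]
        prev = last_seen.get(term)
        if prev is None or ev["@timestamp"] - prev > history_window:
            alerts.append((ev["@timestamp"], term))
        last_seen[term] = ev["@timestamp"]
    return alerts


def compare_windows(events, windows=(timedelta(days=14), timedelta(days=5))):
    """Alert count per window size, so the effect of the tuning is visible side by side."""
    return {f"{w.days}d": len(new_terms_alerts(events, w)) for w in windows}


BASE = datetime(2026, 1, 1)
# Constructed sample: child processes of one parent on one host, keyed by process.name.
SAMPLE_EVENTS = [
    {"@timestamp": BASE, "process.name": "wmic.exe"},
    {"@timestamp": BASE, "process.name": "powershell.exe"},
    {"@timestamp": BASE + timedelta(days=3), "process.name": "powershell.exe"},
    {"@timestamp": BASE + timedelta(days=10), "process.name": "wmic.exe"},
    {"@timestamp": BASE + timedelta(days=11), "process.name": "psexesvc.exe"},
    {"@timestamp": BASE + timedelta(days=30), "process.name": "powershell.exe"},
]

if __name__ == "__main__":
    for w in (timedelta(days=14), timedelta(days=5)):
        print(f"{w.days}d window:", new_terms_alerts(SAMPLE_EVENTS, w))
    print(compare_windows(SAMPLE_EVENTS))
```

The wmic.exe launch on day 10 is the case that separates the two settings: its previous occurrence is 10 days back, which is inside a 14-day window (no alert) but outside a 5-day window (alert). The never-before-seen psexesvc.exe and the powershell.exe return after a 27-day gap alert under both. A shorter window therefore re-surfaces tools that reappear after a few days of absence, at the cost of more alerts for legitimately intermittent activity.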
G. Blue Team Detection
3ab961da42
Docs: improve WinRAR/7-Zip encrypted archive rule guidance ( #5547 )
* Docs: improve WinRAR/7-Zip encrypted archive rule guidance
Clarifies the rule description and expands investigation and false positive guidance
to help analysts distinguish data staging for exfiltration from common benign
administrative and backup workflows. No detection logic or query changes.
* Update rules/windows/collection_winrar_encryption.toml
* Change updated_date to 2026/01/12
Bump update_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-12 19:51:08 -03:00
shashank-elastic
1ce072a4e5
Prep for Release 9.3 ( #5548 )
2026-01-12 21:07:07 +05:30
Samirbous
5081735acc
[New] Potential Persistence via Mandatory User Profile ( #5530 )
* [New] Potential Persistence via Mandatory User Profile
https://deceptiq.com/blog/ntuser-man-registry-persistence
* Update persistence_suspicious_user_mandatory_profile_file.toml
* Update persistence_suspicious_user_mandatory_profile_file.toml
2026-01-09 09:35:47 +00:00
Samirbous
fde2fa972e
[Tuning] Process Created with an Elevated Token ( #5532 )
* [Tuning] Process Created with an Elevated Token
https://github.com/elastic/detection-rules/issues/5492
* Update privilege_escalation_via_token_theft.toml
2026-01-09 09:23:37 +00:00