Samirbous
f0e9281854
[New] Potential Masquerading as Svchost (#5305)
* [New] Potential Masquerading as Svchost
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
* Update defense_evasion_masquerading_as_svchost.toml
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-11-19 12:10:11 +00:00
Samirbous
64cc823481
[Tuning] Outbound Scheduled Task Activity via PowerShell (#5287)
https://github.com/elastic/detection-rules/issues/5286
Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):
2025-11-17 10:02:50 +00:00
Jonhnathan
8b74ba7136
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
Samirbous
7b7082e9f4
[New] Command Obfuscation via Unicode Modifier Letters (#5311)
* [New] Command Obfuscation via Unicode Modifier Letters
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* ++
* Update defense_evasion_obf_args_unicode_modified_letters.toml
* Update defense_evasion_obf_args_unicode_modified_letters.toml
2025-11-13 21:29:07 +00:00
veritasr3x
da9bfd0abc
MITRE ATT&CK Sub-Technique Update - Solves Issue #5279 (#5280)
* Resolves Issue #5279
* Corrected the "updated_date" value
* Put the technique and sub-technique in the correct location
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-11 10:26:14 -05:00
shashank-elastic
e938ecf41a
Refresh Manifest and Schemas November Update (#5298)
2025-11-11 18:04:20 +05:30
Samirbous
34bd88a37e
[Tuning] Potential Ransomware Behavior - Note Files by System (#5235)
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update rules/windows/impact_high_freq_file_renames_by_kernel.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-11-10 18:22:37 +00:00
Samirbous
085ef447e8
[New] Windows Server Update Service Spawning Suspicious Processes (#5250)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
https://hawktrace.com/blog/CVE-2025-59287
2025-11-10 18:10:32 +00:00
Samirbous
598e5c363f
[New] Suspicious Kerberos Authentication Ticket Request (#5260)
* [New] Suspicious Kerberos Authentication Ticket Request
Multi-datasource correlation to detect suspicious Kerberos Authentication Ticket Request from the source machine and the Domain Controller.
* Update lateral_movement_credential_access_kerberos_correlation.toml
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/lateral_movement_credential_access_kerberos_correlation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update lateral_movement_credential_access_kerberos_correlation.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-11-03 15:44:13 +00:00
shashank-elastic
818978975d
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
Samirbous
64a8290b37
[New] Potential Command Shell via NetCat (#5221)
* [New] Potential Command Shell via NetCat
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
* Update execution_revshell_cmd_via_netcat.toml
2025-10-15 12:30:09 +01:00
Jonhnathan
a31fb00614
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
shashank-elastic
3397b7e707
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
Samirbous
29c4c19d59
[Tuning] Startup or Run Key Registry Modification (#5137)
* [Tuning] Startup or Run Key Registry Modification
A high percentage of the FPs are for programfiles and localappdata files in the registry data string value. This tuning should drop FPs/volume significantly.
* Update rules/windows/persistence_run_key_and_startup_broad.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-06 09:24:33 +01:00
Samirbous
b4e9b48ad7
[New] Suspicious SeIncreaseBasePriorityPrivilege Use (#5150)
* [New] Suspicious SeIncreaseBasePriorityPrivilege Use
https://github.com/Octoberfest7/ThreadCPUAssignment_POC/tree/main
https://x.com/sixtyvividtails/status/1970721197617717483
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/privilege_escalation_thread_cpu_priority_hijack.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-10-03 16:52:32 +01:00
Samirbous
66a0b6b97c
[Tuning] Potential Ransomware Behavior - High count of Readme files by System (#5167)
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-02 17:39:51 +01:00
Jonhnathan
f75062a855
[Rule Tuning] Suspicious PowerShell Engine ImageLoad (#5134)
* Update execution_suspicious_powershell_imgload.toml
* Update execution_suspicious_powershell_imgload.toml
2025-09-22 06:03:41 -07:00
Jonhnathan
cd6c37e3b9
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
* [Rule Tuning] Mark some field optional for 3rd party compatibility
* bump
2025-09-22 05:43:10 -07:00
shashank-elastic
657b504f46
Update investigation guides (#5112)
2025-09-16 18:34:37 +05:30
Jonhnathan
4476ac52a8
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
* [Rule Tuning] High-Severity Noisy Rules Conversion to new_terms
* ++
* ++
* Update credential_access_dcsync_replication_rights.toml
* Update persistence_webshell_detection.toml
* ++
* Update persistence_webshell_detection.toml
2025-09-15 09:38:03 -07:00
Jonhnathan
7bd9c52852
[Rule Tuning] Windows High Severity - 5 (#5096)
* [Rule Tuning] Windows High Severity - 4
* Update privilege_escalation_windows_service_via_unusual_client.toml
2025-09-15 09:29:37 -07:00
Jonhnathan
76c73f84f6
[Rule Tuning] Windows High Severity - 4 (#5095)
* [Rule Tuning] Windows High Severity - 4
* Update initial_access_execution_from_inetcache.toml
2025-09-15 09:18:55 -07:00
Jonhnathan
8d9822e8be
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
* [Rule Tuning] Fix process.pe.original_file_name Conditions
* --
2025-09-15 09:06:23 -07:00
Jonhnathan
d69ede2508
[Rule Tuning] Windows High Severity - 3 (#5094)
* [Rule Tuning] Windows High Severity - 3
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
* Update execution_pdf_written_file.toml
2025-09-15 08:34:43 -07:00
Jonhnathan
567b82cb2f
[Rule Tuning] Windows High Severity - 2 (#5093)
* [Rule Tuning] Windows High Severity - 2
* [Rule Tuning] Windows High Severity - 3
* Revert "[Rule Tuning] Windows High Severity - 3"
This reverts commit 32c8348072ab1629e2a164a3579d866b2682f234.
2025-09-15 07:53:31 -07:00
Jonhnathan
7910f465cc
[Rule Tuning] Windows High Severity - 1 (#5092)
* [Rule Tuning] Windows High Severity - 1
* Update command_and_control_headless_browser.toml
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Update command_and_control_outlook_home_page.toml
2025-09-15 07:44:20 -07:00
Jonhnathan
1dedea798a
[Rule Tuning] Component Object Model Hijacking (#5065)
2025-09-11 17:18:05 -07:00
Jonhnathan
aa97487b20
[Rule Tuning] PowerShell Rules (#5056)
* [Rule Tuning] PowerShell Rules
* Update defense_evasion_posh_defender_tampering.toml
* [Rule Tuning] Connection to Commonly Abused Web Services
* Revert "[Rule Tuning] Connection to Commonly Abused Web Services"
This reverts commit 74dcea07e16a2b50ee8a372aef63a7c699e7c66a.
2025-09-11 16:54:11 -07:00
Jonhnathan
b5d77951b5
[Rule Tuning] Remote Execution via File Shares (#5066)
* [Rule Tuning] Remote Execution via File Shares
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-11 16:40:59 -07:00
shashank-elastic
25539fd6c6
Delete Development Rules (#5084)
2025-09-10 23:24:28 +05:30
Jonhnathan
375082729a
[Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
* [Rule Tuning] Adjust process.code_signature.trusted condition
* typo
2025-09-08 08:42:17 -07:00
Jonhnathan
6ac71050dc
[Rule Tuning] Remote File Download via PowerShell (#5062)
* [Rule Tuning] Remote File Download via PowerShell
* Update command_and_control_remote_file_copy_powershell.toml
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update command_and_control_remote_file_copy_powershell.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-08 07:59:53 -07:00
Jonhnathan
4aa6c4e715
[Rule Tuning] Untrusted Driver Loaded (#5061)
* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services (#5060)
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
Samirbous
0bbad3bbf8
Update defense_evasion_modify_ownership_os_files.toml (#5051)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Jonhnathan
8d2ea9220b
[New Rules] Potential Relay Attack against a Computer Account (#4826)
* [New Rules] Potential Relay Attack against a Computer Account Rules
* update description
* .
* add min_stack
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous
464fb3951e
[Tuning] Unusual Network Activity from a Windows System Binary (#5048)
2025-09-01 22:17:53 +05:30
Jonhnathan
a31b3a36ad
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
* pending adjustments
* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous
a62ee7a8a2
[New] Active Directory Discovery using AdExplorer (#5047)
* [New] Active Directory Discovery using AdExplorer
* Update discovery_ad_explorer_execution.toml
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00
Samirbous
40794368a7
[New] Connection to Common Large Language Model Endpoints (#5044)
* [New] Connection to Common Large Language Model Endpoints
* [New] Connection to Common Large Language Model Endpoints
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_common_llm_endpoint.toml
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:47:31 +01:00
Jonhnathan
ba354ceff9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
shashank-elastic
93ac471574
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
Samirbous
61af3e801d
[New] Potential System Tampering via File Modification (#5043)
* [New] Potential System Tampering via File Modification
* Update impact_mod_critical_os_files.toml
* Update rules/windows/impact_mod_critical_os_files.toml
* Create defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:52:26 +01:00
Samirbous
e1205cb5c5
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
* [New/Tuning] Windows Top Threats 2024/2025
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integrations and that does not require correlation or multiple types of events.
2) MSIEXEC:
* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_mshta_susp_child.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_windows_phish_clickfix.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_browsers_unusual_parent.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_nodejs_susp_patterns.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:41:51 +01:00
Jonhnathan
b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
Jonhnathan
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039)
2025-09-01 05:09:31 -07:00
Jonhnathan
79daf3fc68
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:28:14 -07:00
Jonhnathan
ccedd45df1
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:07:38 -07:00
Jonhnathan
86dd350579
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:50:59 -07:00
Jonhnathan
7eec833ec8
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12
* Update rules/windows/persistence_app_compat_shim.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:40:03 -07:00