security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ab961da42610a3384e0134da66869bb97d6db2e
sigma-rules/rules/windows
T
History
G. Blue Team Detection 3ab961da42 Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547) 
* Docs: improve WinRAR/7-Zip encrypted archive rule guidance

Clarifies the rule description and expands investigation and false positive guidance
to help analysts distinguish data staging for exfiltration from common benign
administrative and backup workflows. No detection logic or query changes.

* Update rules/windows/collection_winrar_encryption.toml

* Change updated_date to 2026/01/12

Bump update_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-12 19:51:08 -03:00
..
collection_email_outlook_mailbox_via_com.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
collection_email_powershell_exchange_mailbox.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_mailbox_export_winlog.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_audio_capture.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_clipboard_capture.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_keylogger.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_posh_mailbox.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_screen_grabber.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_posh_webcam_video_capture.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_winrar_encryption.toml
Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547)
2026-01-12 19:51:08 -03:00
command_and_control_certreq_postdata.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_common_llm_endpoint.toml
[Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
2025-09-08 08:42:17 -07:00
command_and_control_common_webservices.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
command_and_control_dns_susp_tld.toml
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
2025-09-22 05:43:10 -07:00
command_and_control_dns_tunneling_nslookup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_encrypted_channel_freesslcert.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_headless_browser.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
command_and_control_iexplore_via_com.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_ingress_transfer_bits.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
command_and_control_new_terms_commonly_abused_rat_execution.toml
Update command_and_control_new_terms_commonly_abused_rat_execution.toml (#4842)
2025-06-25 12:39:48 -03:00
command_and_control_outlook_home_page.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
command_and_control_port_forwarding_added_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
command_and_control_rdp_tunnel_plink.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remcos_rat_iocs.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remote_file_copy_mpcmdrun.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Remote File Download via PowerShell (#5062)
2025-09-08 07:59:53 -07:00
command_and_control_remote_file_copy_scripts.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_rmm_netsupport_susp_path.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
command_and_control_screenconnect_childproc.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
command_and_control_sunburst_c2_activity_detected.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
command_and_control_teamviewer_remote_file_copy.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
command_and_control_tool_transfer_via_curl.toml
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
command_and_control_tunnel_vscode.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
credential_access_adidns_wildcard.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_adidns_wpad_record.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_browsers_unusual_parent.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
credential_access_bruteforce_admin_account.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_cmdline_dump_tool.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_credential_dumping_msbuild.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dcsync_newterm_subjectuser.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_dcsync_replication_rights.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
credential_access_dcsync_user_backdoor.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_disable_kerberos_preauth.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dnsnode_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dollar_account_relay_kerberos.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
credential_access_dollar_account_relay_ntlm.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
credential_access_dollar_account_relay.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_domain_backup_dpapi_private_keys.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dump_registry_hives.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_generic_localdumps.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_iis_connectionstrings_dumping.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_imageload_azureadconnectauthsvc.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_kerberoasting_unusual_process.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_kerberos_coerce_dns.toml
[New Rules] SPN Spoofing / Coercion Rules (#4815)
2025-06-17 18:50:28 -03:00
credential_access_kerberos_coerce.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_kirbi_file.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_ldap_attributes.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_lsass_handle_via_malseclogon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_lsass_loaded_susp_dll.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_lsass_memdump_file_created.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_lsass_memdump_handle_access.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
credential_access_lsass_openprocess_api.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_machine_account_smb_relay.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_mimikatz_memssp_default_logs.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
credential_access_mimikatz_powershell_module.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_mod_wdigest_security_provider.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
credential_access_moving_registry_hive_via_smb.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
credential_access_persistence_network_logon_provider_modification.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_invoke_ninjacopy.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_kerb_ticket_dump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_minidump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_relay_tools.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_request_ticket.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
credential_access_posh_veeam_sql.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_rare_webdav_destination.toml
[Tuning] Rare Connection to WebDAV Target (#5415)
2025-12-05 22:31:01 +00:00
credential_access_regback_sam_security_hives.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
credential_access_relay_ntlm_auth_via_http_spoolss.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_remote_sam_secretsdump.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_saved_creds_vault_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_saved_creds_vaultcmd.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_seenabledelegationprivilege_assigned_to_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_shadow_credentials.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_spn_attribute_modified.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_suspicious_comsvcs_imageload.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_generic.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_memdump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_via_snapshot.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_winreg_access_via_sebackup_priv.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_symbolic_link_to_shadow_copy_created.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_veeam_backup_dll_imageload.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_veeam_commands.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_via_snapshot_lsass_clone_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_wbadmin_ntds.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_web_config_file_access.toml
Update latest integration manifests and schema and investigation guides (#4957)
2025-08-04 19:30:01 +05:30
credential_access_wireless_creds_dumping.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
defense_evasion_amsi_bypass_dllhijack.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
defense_evasion_amsi_bypass_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_amsienable_key_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
defense_evasion_audit_policy_disabled_winlog.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_clearing_windows_console_history.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Replace legacy winlog.api usage (#4647)
2025-04-24 05:52:38 +05:30
defense_evasion_code_signing_policy_modification_builtin_tools.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_code_signing_policy_modification_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_communication_apps_suspicious_child_process.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_create_mod_root_certificate.toml
[Rule Tuning] Creation or Modification of Root Certificate (#4970)
2025-08-13 09:41:57 -03:00
defense_evasion_cve_2020_0601.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_defender_disabled_via_registry.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_defender_exclusion_via_powershell.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_disable_nla.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_disable_posh_scriptblocklogging.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_disabling_windows_defender_powershell.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_disabling_windows_logs.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_dns_over_https_enabled.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_dotnet_compiler_parent_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_enable_network_discovery_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_control_panel_suspicious_args.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_lolbas_wuauclt.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_by_script.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_execution_msbuild_started_unusal_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_suspicious_explorer_winword.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
defense_evasion_execution_windefend_unusual_path.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_file_creation_mult_extension.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_from_unusual_directory.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_indirect_exec_conhost.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_indirect_exec_forfiles.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
defense_evasion_indirect_exec_openssh.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_injection_msbuild.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_lolbas_win_cdb_utility.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_lsass_ppl_disabled_registry.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
defense_evasion_masquerading_as_svchost.toml
[Rule Tuning] Potential Masquerading as Svchost (#5439)
2025-12-09 13:56:38 -08:00
defense_evasion_masquerading_business_apps_installer.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_masquerading_communication_apps.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_masquerading_renamed_autoit.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_masquerading_trusted_directory.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
2025-08-13 08:46:46 -03:00
defense_evasion_microsoft_defender_tampering.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019)
2025-08-28 11:05:42 -07:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_modify_ownership_os_files.toml
Update defense_evasion_modify_ownership_os_files.toml (#5051)
2025-09-02 08:18:35 -07:00
defense_evasion_ms_office_suspicious_regmod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_msbuild_making_network_connections.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_mshta_beacon.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_mshta_susp_child.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msiexec_child_proc_netcon.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msiexec_remote_payload.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_network_connection_from_windows_binary.toml
[Tuning] Unusual Network Activity from a Windows System Binary (#5048)
2025-09-01 22:17:53 +05:30
defense_evasion_ntlm_downgrade.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_obf_args_unicode_modified_letters.toml
[New] Command Obfuscation via Unicode Modifier Letters (#5311)
2025-11-13 21:29:07 +00:00
defense_evasion_parent_process_pid_spoofing.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_persistence_account_tokenfilterpolicy.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_posh_assembly_load.toml
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
2025-07-07 10:56:13 -03:00
defense_evasion_posh_compressed.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_posh_defender_tampering.toml
Update investigation guides (#5112)
2025-09-16 18:34:37 +05:30
defense_evasion_posh_encryption.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_posh_obfuscation_backtick_var.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_backtick.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_char_arrays.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_concat_dynamic.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_high_number_proportion.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_index_reversal.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_reverse_keyword.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_string_concat.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_string_format.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation.toml
[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
2025-12-02 08:30:54 -08:00
defense_evasion_posh_process_injection.toml
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
2025-07-07 10:56:13 -03:00
defense_evasion_powershell_windows_firewall_disabled.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_process_termination_followed_by_deletion.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
defense_evasion_proxy_execution_via_msdt.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_reg_disable_enableglobalqueryblocklist.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
defense_evasion_regmod_remotemonologue.toml
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
2025-09-22 05:43:10 -07:00
defense_evasion_right_to_left_override.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_root_dir_ads_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_run_virt_windowssandbox.toml
Add investigation guides for detection rules (#4886)
2025-07-08 00:25:42 +05:30
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_sc_sdset.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_sccm_scnotification_dll.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_script_via_html_app.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_sdelete_like_filename_rename.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_sip_provider_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_suspicious_certutil_commands.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_execution_from_mounted_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_managedcode_host_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_process_access_direct_syscall.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_process_creation_calltrace.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_scrobj_load.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_short_program_name.toml
Update defense_evasion_suspicious_short_program_name.toml (#5454)
2025-12-12 17:25:00 +00:00
defense_evasion_suspicious_wmi_script.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_zoom_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_timestomp_sysmon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
defense_evasion_untrusted_driver_loaded.toml
[Rule Tuning] Untrusted Driver Loaded (#5061)
2025-09-05 06:12:30 -07:00
defense_evasion_unusual_ads_file_creation.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
2025-08-13 08:46:46 -03:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_unusual_process_network_connection.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_unusual_system_vp_child_program.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_wdac_policy_by_unusual_process.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_windows_filtering_platform.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_workfolders_control_execution.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_bash_exec.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_wsl_child_process.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_enabled_via_dism.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_wsl_filesystem.toml
[Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383)
2025-12-01 05:06:38 -08:00
defense_evasion_wsl_kalilinux.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_registry_modification.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
discovery_active_directory_webservice.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ad_explorer_execution.toml
[New] Active Directory Discovery using AdExplorer (#5047)
2025-09-01 16:58:22 +01:00
discovery_adfind_command_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_admin_recon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_command_system_account.toml
[Tuning] Account Discovery Command via SYSTEM Account (#4734)
2025-05-21 06:25:16 +01:00
discovery_enumerating_domain_trusts_via_dsquery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_enumerating_domain_trusts_via_nltest.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_group_policy_object_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_high_number_ad_properties.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
discovery_host_public_ip_address_lookup.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
discovery_peripheral_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_posh_invoke_sharefinder.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
discovery_posh_suspicious_api_functions.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_privileged_localgroup_membership.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_signal_unusual_discovery_signal_proc_cmdline.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_signal_unusual_discovery_signal_proc_executable.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_whoami_command_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_com_object_xwizard.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_command_shell_started_by_svchost.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
execution_command_shell_started_by_unusual_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_command_shell_via_rundll32.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_delayed_via_ping_lolbas_unsigned.toml
Refresh Manifest and Schemas November Update (#5298)
2025-11-11 18:04:20 +05:30
execution_downloaded_shortcut_files.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_downloaded_url_file.toml
Update execution_downloaded_url_file.toml (#4794)
2025-06-12 12:11:19 +01:00
execution_enumeration_via_wmiprvse.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_from_unusual_path_cmdline.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_initial_access_foxmail_exploit.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_initial_access_via_msc_file.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
execution_initial_access_wps_dll_exploit.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_mofcomp.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
execution_ms_office_written_file.toml
[Rule Tuning] Windows File-based Rules Tuning (#3963)
2024-08-09 12:26:58 -03:00
execution_nodejs_susp_patterns.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_pdf_written_file.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_posh_hacktool_authors.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
execution_posh_hacktool_functions.toml
[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
2025-12-01 15:06:48 +00:00
execution_posh_malicious_script_agg.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_posh_portable_executable.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_posh_psreflect.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_powershell_susp_args_via_winscript.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_psexec_lateral_movement_command.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_register_server_program_connecting_to_the_internet.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_revshell_cmd_via_netcat.toml
[New] Potential Command Shell via NetCat (#5221)
2025-10-15 12:30:09 +01:00
execution_scheduled_task_powershell_source.toml
[Tuning] Outbound Scheduled Task Activity via PowerShell (#5287)
2025-11-17 10:02:50 +00:00
execution_scripting_remote_webdav.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_scripts_archive_file.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_shared_modules_local_sxs_dll.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_suspicious_cmd_wmi.toml
[Tuning] Lateral Movement Rules (#4736)
2025-05-21 15:59:45 +01:00
execution_suspicious_image_load_wmi_ms_office.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_suspicious_pdf_reader.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_suspicious_powershell_imgload.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
execution_suspicious_psexesvc.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_via_compiled_html_file.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_via_hidden_shell_conhost.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_via_mmc_console_file_unusual_path.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_windows_cmd_shell_susp_args.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_windows_fakecaptcha_cmd_ps.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_windows_phish_clickfix.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_windows_powershell_susp_args.toml
[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
2025-12-01 15:06:48 +00:00
execution_windows_script_from_internet.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
exfiltration_smb_rare_destination.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_backup_file_deletion.toml
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Backup Deletion with Wbadmin (#4715)
2025-05-19 20:34:25 +05:30
impact_high_freq_file_renames_by_kernel.toml
[Tuning] Potential Ransomware Behavior - Note Files by System (#5235)
2025-11-10 18:22:37 +00:00
impact_mod_critical_os_files.toml
[Rule Tuning] Potential System Tampering via File Modification (#5385)
2025-12-01 07:45:03 -08:00
impact_modification_of_boot_config.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_ransomware_file_rename_smb.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
impact_ransomware_note_file_over_smb.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
impact_stop_process_service_threshold.toml
Update impact_stop_process_service_threshold.toml (#4813)
2025-06-18 09:44:09 +05:30
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_volume_shadow_copy_deletion_via_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_volume_shadow_copy_deletion_via_wmic.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_evasion_suspicious_htm_file_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_from_inetcache.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
initial_access_execution_from_removable_media.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_remote_via_msiexec.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_via_office_addins.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_exfiltration_first_time_seen_usb.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_exploit_jetbrains_teamcity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_rdp_file_mail_attachment.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
initial_access_script_executing_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_scripts_process_started_via_wmi.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_exchange_files.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_exchange_process.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
initial_access_suspicious_ms_office_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_outlook_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_windows_server_update_svc.toml
[New] Windows Server Update Service Spawning Suspicious Processes (#5250)
2025-11-10 18:10:32 +00:00
initial_access_url_cve_2025_33053.toml
[New] Potential CVE-2025-33053 Exploitation (#4795)
2025-06-12 08:08:20 +01:00
initial_access_via_explorer_suspicious_child_parent_args.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_webshell_screenconnect_server.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
initial_access_xsl_script_execution_via_com.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_alternate_creds_pth.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_cmd_service.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_credential_access_kerberos_correlation.toml
Update lateral_movement_credential_access_kerberos_correlation.toml (#5455)
2025-12-12 18:14:26 +00:00
lateral_movement_dcom_hta.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_dcom_mmc20.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444)
2025-02-05 17:32:57 -03:00
lateral_movement_evasion_rdp_shadowing.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
lateral_movement_executable_tool_transfer_smb.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
lateral_movement_execution_from_tsclient_mup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_execution_via_file_shares_sequence.toml
[Rule Tuning] Remote Execution via File Shares (#5066)
2025-09-11 16:40:59 -07:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_incoming_wmi.toml
[Tuning] Lateral Movement Rules (#4736)
2025-05-21 15:59:45 +01:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_powershell_remoting_target.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_rdp_enabled_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_rdp_sharprdp_target.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_remote_file_copy_hidden_share.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
lateral_movement_remote_service_installed_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
lateral_movement_remote_services.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_remote_task_creation_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
lateral_movement_scheduled_task_target.toml
Update lateral_movement_scheduled_task_target.toml to fix null values (#5228)
2025-12-08 18:40:20 +05:30
lateral_movement_suspicious_rdp_client_imageload.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_unusual_dns_service_children.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
lateral_movement_unusual_dns_service_file_writes.toml
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
lateral_movement_via_startup_folder_rdp_smb.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_via_wsus_update.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_ad_adminsdholder.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_adobe_hijack_persistence.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
persistence_app_compat_shim.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_appcertdlls_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_appinitdlls_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
persistence_browser_extension_install.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
persistence_dontexpirepasswd_account.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_evasion_registry_ifeo_injection.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
persistence_group_modification_by_system.toml
[Rule Tuning] Replace legacy winlog.api usage (#4647)
2025-04-24 05:52:38 +05:30
persistence_local_scheduled_job_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_local_scheduled_task_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_local_scheduled_task_scripting.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_ms_office_addins_file.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_ms_outlook_vba_template.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_msds_alloweddelegateto_krbtgt.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_msi_installer_task_startup.toml
[Rule Tuning] Persistence via a Windows Installer (#5386)
2025-12-01 07:54:23 -08:00
persistence_msoffice_startup_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_netsh_helper_dll.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_powershell_profiles.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_priv_escalation_via_accessibility_features.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
persistence_registry_uncommon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_remote_password_reset.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_run_key_and_startup_broad.toml
[Tuning] Startup or Run Key Registry Modification (#5137)
2025-10-06 09:24:33 +01:00
persistence_runtime_run_key_startup_susp_procs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_scheduled_task_creation_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_scheduled_task_updated.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_sdprop_exclusion_dsheuristics.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_service_dll_unsigned.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_service_windows_service_winlog.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
persistence_services_registry.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_startup_folder_file_written_by_unsigned_process.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
persistence_startup_folder_scripts.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Component Object Model Hijacking (#5065)
2025-09-11 17:18:05 -07:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_suspicious_scheduled_task_runtime.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
persistence_suspicious_service_created_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_suspicious_user_mandatory_profile_file.toml
[New] Potential Persistence via Mandatory User Profile (#5530)
2026-01-09 09:35:47 +00:00
persistence_sysmon_wmi_event_subscription.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_system_shells_via_services.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_temp_scheduled_task.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_time_provider_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] User Added to Privileged Group in Active Directory (#4646)
2025-04-24 06:12:33 +05:30
persistence_user_account_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_application_shimming.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
persistence_via_bits_job_notify_command.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_hidden_run_key_valuename.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_via_lsa_security_support_provider_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_update_orchestrator_service_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_windows_management_instrumentation_event_subscription.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_wmi_stdregprov_run_services.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
persistence_via_xp_cmdshell_mssql_stored_procedure.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
persistence_web_shell_aspx_write.toml
Investigation guides Update (#4990)
2025-08-18 20:36:46 +05:30
persistence_webshell_detection.toml
Update persistence_webshell_detection.toml (#5524)
2026-01-02 12:45:50 -03:00
persistence_werfault_reflectdebugger.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_badsuccessor_dmsa_abuse.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_create_process_as_different_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_create_process_with_token_unpriv.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_credroaming_ldap.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_disable_uac_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_dmsa_creation_by_unusual_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_dns_serverlevelplugindll.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_driver_newterm_imphash.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_expired_driver_loaded.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_exploit_cve_202238028.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_gpo_schtask_service_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_iniscript.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_privileged_groups.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_scheduled_task.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_installertakeover.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_krbrelayup_service_creation.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_lsa_auth_package.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_make_token_local.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_msi_repair_via_mshelp_link.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_named_pipe_impersonation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_newcreds_logon_rare_process.toml
[Rule Tuning] First Time Seen NewCredentials Logon Process (#4844)
2025-06-24 12:25:56 -03:00
privilege_escalation_persistence_phantom_dll.toml
[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525)
2026-01-07 21:03:44 +00:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_posh_token_impersonation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_printspooler_registry_copyfiles.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
privilege_escalation_printspooler_service_suspicious_file.toml
[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976)
2025-08-18 06:29:28 -07:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_reg_service_imagepath_mod.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
privilege_escalation_rogue_windir_environment_var.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_samaccountname_spoofing_attack.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_service_control_spawned_script_int.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_suspicious_dnshostname_update.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_thread_cpu_priority_hijack.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_uac_bypass_com_clipup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
privilege_escalation_uac_bypass_event_viewer.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_uac_bypass_mock_windir.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_unquoted_service_path.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_unusual_parentchild_relationship.toml
Update privilege_escalation_unusual_parentchild_relationship.toml (#4775)
2025-06-09 18:58:55 +01:00
privilege_escalation_unusual_printspooler_childprocess.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_unusual_svchost_childproc_childless.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_via_ppid_spoofing.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_via_rogue_named_pipe.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_via_token_theft.toml
[Tuning] Process Created with an Elevated Token (#5532)
2026-01-09 09:23:37 +00:00
privilege_escalation_windows_service_via_unusual_client.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00