security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
edf28367e4dfaeedda024d90e78a39aa5ef9bf50
sigma-rules/rules/windows
T
History
Samirbous 7221db6b36 [Tuning] Potential Ransomware Behavior - Note Files by System (#5595) 
* [Tuning] Potential Ransomware Behavior - Note Files by System

added host.id and removed noisy patterns (writes to non C drive)

* Update impact_high_freq_file_renames_by_kernel.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update impact_high_freq_file_renames_by_kernel.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-01-26 13:15:54 +00:00
..
collection_email_outlook_mailbox_via_com.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
collection_email_powershell_exchange_mailbox.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_mailbox_export_winlog.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_audio_capture.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_clipboard_capture.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_keylogger.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_posh_mailbox.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
collection_posh_screen_grabber.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_posh_webcam_video_capture.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
collection_winrar_encryption.toml
Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547)
2026-01-12 19:51:08 -03:00
command_and_control_certreq_postdata.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_common_llm_endpoint.toml
[Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
2025-09-08 08:42:17 -07:00
command_and_control_common_webservices.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
command_and_control_dns_susp_tld.toml
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
2025-09-22 05:43:10 -07:00
command_and_control_dns_tunneling_nslookup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_encrypted_channel_freesslcert.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_headless_browser.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
command_and_control_iexplore_via_com.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_ingress_transfer_bits.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
command_and_control_new_terms_commonly_abused_rat_execution.toml
Update command_and_control_new_terms_commonly_abused_rat_execution.toml (#4842)
2025-06-25 12:39:48 -03:00
command_and_control_outlook_home_page.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
command_and_control_port_forwarding_added_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
command_and_control_rdp_tunnel_plink.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remcos_rat_iocs.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
command_and_control_remote_file_copy_desktopimgdownldr.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remote_file_copy_mpcmdrun.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_remote_file_copy_powershell.toml
[Rule Tuning] Remote File Download via PowerShell (#5062)
2025-09-08 07:59:53 -07:00
command_and_control_remote_file_copy_scripts.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
command_and_control_rmm_netsupport_susp_path.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
command_and_control_screenconnect_childproc.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
command_and_control_sunburst_c2_activity_detected.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
command_and_control_teamviewer_remote_file_copy.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
command_and_control_tool_transfer_via_curl.toml
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
command_and_control_tunnel_vscode.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
credential_access_adidns_wildcard.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_adidns_wpad_record.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_browsers_unusual_parent.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
credential_access_bruteforce_admin_account.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_cmdline_dump_tool.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_credential_dumping_msbuild.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dcsync_newterm_subjectuser.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_dcsync_replication_rights.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
credential_access_dcsync_user_backdoor.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_disable_kerberos_preauth.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dnsnode_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dollar_account_relay_kerberos.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
credential_access_dollar_account_relay_ntlm.toml
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
credential_access_dollar_account_relay.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_domain_backup_dpapi_private_keys.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_dump_registry_hives.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_generic_localdumps.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_iis_connectionstrings_dumping.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_imageload_azureadconnectauthsvc.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_kerberoasting_unusual_process.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_kerberos_coerce_dns.toml
[New Rules] SPN Spoofing / Coercion Rules (#4815)
2025-06-17 18:50:28 -03:00
credential_access_kerberos_coerce.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_kirbi_file.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_ldap_attributes.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_lsass_handle_via_malseclogon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_lsass_loaded_susp_dll.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_lsass_memdump_file_created.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_lsass_memdump_handle_access.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
credential_access_lsass_openprocess_api.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
credential_access_machine_account_smb_relay.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_mimikatz_memssp_default_logs.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
credential_access_mimikatz_powershell_module.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_mod_wdigest_security_provider.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
credential_access_moving_registry_hive_via_smb.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
credential_access_persistence_network_logon_provider_modification.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_invoke_ninjacopy.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_kerb_ticket_dump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_minidump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_relay_tools.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_posh_request_ticket.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
credential_access_posh_veeam_sql.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_potential_lsa_memdump_via_mirrordump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_rare_webdav_destination.toml
[Tuning] Rare Connection to WebDAV Target (#5604)
2026-01-26 12:51:09 +00:00
credential_access_regback_sam_security_hives.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
credential_access_relay_ntlm_auth_via_http_spoolss.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_remote_sam_secretsdump.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_saved_creds_vault_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_saved_creds_vaultcmd.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_seenabledelegationprivilege_assigned_to_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_shadow_credentials.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_spn_attribute_modified.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_suspicious_comsvcs_imageload.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_generic.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_memdump.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_lsass_access_via_snapshot.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_suspicious_winreg_access_via_sebackup_priv.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
credential_access_symbolic_link_to_shadow_copy_created.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_veeam_backup_dll_imageload.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_veeam_commands.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_via_snapshot_lsass_clone_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_wbadmin_ntds.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_web_config_file_access.toml
[Rule Tuning] Web Server Rules (#5581)
2026-01-20 15:30:57 -03:00
credential_access_wireless_creds_dumping.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
defense_evasion_amsi_bypass_dllhijack.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
defense_evasion_amsi_bypass_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_amsienable_key_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
2025-08-28 06:43:09 -07:00
defense_evasion_audit_policy_disabled_winlog.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_clearing_windows_console_history.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_clearing_windows_event_logs.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_clearing_windows_security_logs.toml
[Rule Tuning] Replace legacy winlog.api usage (#4647)
2025-04-24 05:52:38 +05:30
defense_evasion_code_signing_policy_modification_builtin_tools.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_code_signing_policy_modification_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_communication_apps_suspicious_child_process.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_create_mod_root_certificate.toml
[Rule Tuning] Creation or Modification of Root Certificate (#4970)
2025-08-13 09:41:57 -03:00
defense_evasion_cve_2020_0601.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_defender_disabled_via_registry.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_defender_exclusion_via_powershell.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_delete_volume_usn_journal_with_fsutil.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_disable_nla.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_disable_posh_scriptblocklogging.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_disable_windows_firewall_rules_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_disabling_windows_defender_powershell.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_disabling_windows_logs.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_dns_over_https_enabled.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_dotnet_compiler_parent_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_enable_inbound_rdp_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_enable_network_discovery_with_netsh.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_control_panel_suspicious_args.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_lolbas_wuauclt.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_by_office_app.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_by_script.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
defense_evasion_execution_msbuild_started_by_system_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_execution_msbuild_started_renamed.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
2025-08-28 10:40:34 -07:00
defense_evasion_execution_msbuild_started_unusal_process.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
defense_evasion_execution_suspicious_explorer_winword.toml
[Rule Tuning] Windows High Severity - 1 (#5092)
2025-09-15 07:44:20 -07:00
defense_evasion_execution_windefend_unusual_path.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_file_creation_mult_extension.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_from_unusual_directory.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
defense_evasion_hide_encoded_executable_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_iis_httplogging_disabled.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_indirect_exec_conhost.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_indirect_exec_forfiles.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
defense_evasion_indirect_exec_openssh.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_injection_msbuild.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_installutil_beacon.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
2025-08-28 10:55:21 -07:00
defense_evasion_lolbas_win_cdb_utility.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_lsass_ppl_disabled_registry.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
defense_evasion_masquerading_as_elastic_endpoint_process.toml
[Rule Tuning] Windows Misc Tuning (#4870)
2025-07-07 10:32:12 -03:00
defense_evasion_masquerading_as_svchost.toml
[Rule Tuning] Potential Masquerading as Svchost (#5439)
2025-12-09 13:56:38 -08:00
defense_evasion_masquerading_business_apps_installer.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_masquerading_communication_apps.toml
[Rule Tuning] Communication App Rules (#5487)
2025-12-18 02:38:18 -08:00
defense_evasion_masquerading_renamed_autoit.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_masquerading_suspicious_werfault_childproc.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_masquerading_trusted_directory.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_masquerading_werfault.toml
[Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
2025-08-13 08:46:46 -03:00
defense_evasion_microsoft_defender_tampering.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019)
2025-08-28 11:05:42 -07:00
defense_evasion_misc_lolbin_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_modify_ownership_os_files.toml
Update defense_evasion_modify_ownership_os_files.toml (#5051)
2025-09-02 08:18:35 -07:00
defense_evasion_ms_office_suspicious_regmod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_msbuild_making_network_connections.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_mshta_beacon.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_mshta_susp_child.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msiexec_child_proc_netcon.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msiexec_remote_payload.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_msxsl_network.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_network_connection_from_windows_binary.toml
[Tuning] Unusual Network Activity from a Windows System Binary (#5048)
2025-09-01 22:17:53 +05:30
defense_evasion_ntlm_downgrade.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
2025-08-28 11:26:09 -07:00
defense_evasion_obf_args_unicode_modified_letters.toml
[New] Command Obfuscation via Unicode Modifier Letters (#5311)
2025-11-13 21:29:07 +00:00
defense_evasion_parent_process_pid_spoofing.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_persistence_account_tokenfilterpolicy.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_posh_assembly_load.toml
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
2025-07-07 10:56:13 -03:00
defense_evasion_posh_compressed.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_posh_defender_tampering.toml
Update investigation guides (#5112)
2025-09-16 18:34:37 +05:30
defense_evasion_posh_encryption.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_posh_obfuscation_backtick_var.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_backtick.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_char_arrays.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_concat_dynamic.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_high_number_proportion.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_index_reversal.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_reverse_keyword.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_string_concat.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation_string_format.toml
[Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486)
2025-12-18 03:30:22 -08:00
defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
defense_evasion_posh_obfuscation.toml
[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
2025-12-02 08:30:54 -08:00
defense_evasion_posh_process_injection.toml
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
2025-07-07 10:56:13 -03:00
defense_evasion_powershell_windows_firewall_disabled.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
defense_evasion_process_termination_followed_by_deletion.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
defense_evasion_proxy_execution_via_msdt.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_reg_disable_enableglobalqueryblocklist.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
defense_evasion_regmod_remotemonologue.toml
[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)
2025-09-22 05:43:10 -07:00
defense_evasion_right_to_left_override.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_root_dir_ads_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_run_virt_windowssandbox.toml
Add investigation guides for detection rules (#4886)
2025-07-08 00:25:42 +05:30
defense_evasion_rundll32_no_arguments.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_sc_sdset.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_sccm_scnotification_dll.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_scheduledjobs_at_protocol_enabled.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
2025-08-28 11:37:15 -07:00
defense_evasion_script_via_html_app.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
defense_evasion_sdelete_like_filename_rename.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_sip_provider_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
defense_evasion_suspicious_certutil_commands.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_execution_from_mounted_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_managedcode_host_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_process_access_direct_syscall.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_process_creation_calltrace.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_scrobj_load.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_short_program_name.toml
Update defense_evasion_suspicious_short_program_name.toml (#5454)
2025-12-12 17:25:00 +00:00
defense_evasion_suspicious_wmi_script.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_suspicious_zoom_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_system_critical_proc_abnormal_file_activity.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_timestomp_sysmon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
defense_evasion_untrusted_driver_loaded.toml
[Rule Tuning] Untrusted Driver Loaded (#5061)
2025-09-05 06:12:30 -07:00
defense_evasion_unusual_ads_file_creation.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
defense_evasion_unusual_dir_ads.toml
[Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
2025-08-13 08:46:46 -03:00
defense_evasion_unusual_network_connection_via_dllhost.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_unusual_network_connection_via_rundll32.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
defense_evasion_unusual_process_network_connection.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_unusual_system_vp_child_program.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
defense_evasion_via_filter_manager.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_wdac_policy_by_unusual_process.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
2025-08-28 12:04:55 -07:00
defense_evasion_windows_filtering_platform.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_workfolders_control_execution.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_bash_exec.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_wsl_child_process.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_enabled_via_dism.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_wsl_filesystem.toml
[Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383)
2025-12-01 05:06:38 -08:00
defense_evasion_wsl_kalilinux.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
defense_evasion_wsl_registry_modification.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
discovery_active_directory_webservice.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_ad_explorer_execution.toml
[New] Active Directory Discovery using AdExplorer (#5047)
2025-09-01 16:58:22 +01:00
discovery_adfind_command_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_admin_recon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_command_system_account.toml
[Tuning] Account Discovery Command via SYSTEM Account (#4734)
2025-05-21 06:25:16 +01:00
discovery_enumerating_domain_trusts_via_dsquery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_enumerating_domain_trusts_via_nltest.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_group_policy_object_discovery.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_high_number_ad_properties.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
discovery_host_public_ip_address_lookup.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
discovery_peripheral_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_posh_invoke_sharefinder.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
discovery_posh_suspicious_api_functions.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
discovery_privileged_localgroup_membership.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
discovery_signal_unusual_discovery_signal_proc_cmdline.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
discovery_signal_unusual_discovery_signal_proc_executable.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
discovery_whoami_command_activity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_apt_solarwinds_backdoor_unusual_child_processes.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
execution_com_object_xwizard.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
execution_command_prompt_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_command_shell_started_by_svchost.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
execution_command_shell_started_by_unusual_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_command_shell_via_rundll32.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_delayed_via_ping_lolbas_unsigned.toml
Refresh Manifest and Schemas November Update (#5298)
2025-11-11 18:04:20 +05:30
execution_downloaded_shortcut_files.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_downloaded_url_file.toml
Update execution_downloaded_url_file.toml (#4794)
2025-06-12 12:11:19 +01:00
execution_enumeration_via_wmiprvse.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_from_unusual_path_cmdline.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
execution_html_help_executable_program_connecting_to_the_internet.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_initial_access_foxmail_exploit.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_initial_access_via_msc_file.toml
[Rule Tuning] Windows High Severity - 2 (#5093)
2025-09-15 07:53:31 -07:00
execution_initial_access_wps_dll_exploit.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_mofcomp.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
execution_ms_office_written_file.toml
[Rule Tuning] Windows File-based Rules Tuning (#3963)
2024-08-09 12:26:58 -03:00
execution_nodejs_susp_patterns.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_pdf_written_file.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_posh_hacktool_authors.toml
[Rule Tuning] PowerShell Rules (#5056)
2025-09-11 16:54:11 -07:00
execution_posh_hacktool_functions.toml
[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
2025-12-01 15:06:48 +00:00
execution_posh_malicious_script_agg.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_posh_portable_executable.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_posh_psreflect.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_powershell_susp_args_via_winscript.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_psexec_lateral_movement_command.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
execution_register_server_program_connecting_to_the_internet.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_revshell_cmd_via_netcat.toml
[New] Potential Command Shell via NetCat (#5221)
2025-10-15 12:30:09 +01:00
execution_scheduled_task_powershell_source.toml
[Tuning] Outbound Scheduled Task Activity via PowerShell (#5287)
2025-11-17 10:02:50 +00:00
execution_scripting_remote_webdav.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_scripts_archive_file.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_shared_modules_local_sxs_dll.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_suspicious_cmd_wmi.toml
[Tuning] Lateral Movement Rules (#4736)
2025-05-21 15:59:45 +01:00
execution_suspicious_image_load_wmi_ms_office.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_suspicious_pdf_reader.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_suspicious_powershell_imgload.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
execution_suspicious_psexesvc.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_via_compiled_html_file.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_via_hidden_shell_conhost.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
execution_via_mmc_console_file_unusual_path.toml
[Rule Tuning] Windows High Severity - 3 (#5094)
2025-09-15 08:34:43 -07:00
execution_windows_cmd_shell_susp_args.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
execution_windows_fakecaptcha_cmd_ps.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_windows_phish_clickfix.toml
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
2025-09-01 15:41:51 +01:00
execution_windows_powershell_susp_args.toml
[Tuning] Powershell Atomics test gaps for T1059.001 (#5380)
2025-12-01 15:06:48 +00:00
execution_windows_script_from_internet.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
exfiltration_smb_rare_destination.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_backup_file_deletion.toml
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
impact_deleting_backup_catalogs_with_wbadmin.toml
[Rule Tuning] Backup Deletion with Wbadmin (#4715)
2025-05-19 20:34:25 +05:30
impact_high_freq_file_renames_by_kernel.toml
[Tuning] Potential Ransomware Behavior - Note Files by System (#5595)
2026-01-26 13:15:54 +00:00
impact_mod_critical_os_files.toml
[Rule Tuning] Potential System Tampering via File Modification (#5385)
2025-12-01 07:45:03 -08:00
impact_modification_of_boot_config.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_ransomware_file_rename_smb.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
impact_ransomware_note_file_over_smb.toml
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462)
2025-02-17 07:04:34 -03:00
impact_stop_process_service_threshold.toml
Update impact_stop_process_service_threshold.toml (#4813)
2025-06-18 09:44:09 +05:30
impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_volume_shadow_copy_deletion_via_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
impact_volume_shadow_copy_deletion_via_wmic.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_evasion_suspicious_htm_file_creation.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_from_inetcache.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
initial_access_execution_from_removable_media.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_remote_via_msiexec.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_execution_via_office_addins.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_exfiltration_first_time_seen_usb.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_exploit_jetbrains_teamcity.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_rdp_file_mail_attachment.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
2025-09-01 09:30:21 -07:00
initial_access_script_executing_powershell.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_scripts_process_started_via_wmi.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_exchange_files.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_exchange_process.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
initial_access_suspicious_ms_exchange_worker_child_process.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
initial_access_suspicious_ms_office_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_ms_outlook_child_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_suspicious_windows_server_update_svc.toml
[New] Windows Server Update Service Spawning Suspicious Processes (#5250)
2025-11-10 18:10:32 +00:00
initial_access_url_cve_2025_33053.toml
[New] Potential CVE-2025-33053 Exploitation (#4795)
2025-06-12 08:08:20 +01:00
initial_access_via_explorer_suspicious_child_parent_args.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_webshell_screenconnect_server.toml
[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)
2025-09-15 09:06:23 -07:00
initial_access_xsl_script_execution_via_com.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_alternate_creds_pth.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_cmd_service.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_credential_access_kerberos_correlation.toml
Update lateral_movement_credential_access_kerberos_correlation.toml (#5455)
2025-12-12 18:14:26 +00:00
lateral_movement_dcom_hta.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_dcom_mmc20.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_direct_outbound_smb_connection.toml
[Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444)
2025-02-05 17:32:57 -03:00
lateral_movement_evasion_rdp_shadowing.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
lateral_movement_executable_tool_transfer_smb.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
lateral_movement_execution_from_tsclient_mup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_execution_via_file_shares_sequence.toml
[Rule Tuning] Remote Execution via File Shares (#5066)
2025-09-11 16:40:59 -07:00
lateral_movement_incoming_winrm_shell_execution.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_incoming_wmi.toml
[Tuning] Lateral Movement Rules (#4736)
2025-05-21 15:59:45 +01:00
lateral_movement_mount_hidden_or_webdav_share_net.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_powershell_remoting_target.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_rdp_enabled_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
2025-08-28 12:28:49 -07:00
lateral_movement_rdp_sharprdp_target.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
lateral_movement_remote_file_copy_hidden_share.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
lateral_movement_remote_service_installed_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
lateral_movement_remote_services.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_remote_task_creation_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
lateral_movement_scheduled_task_target.toml
Update lateral_movement_scheduled_task_target.toml to fix null values (#5228)
2025-12-08 18:40:20 +05:30
lateral_movement_suspicious_rdp_client_imageload.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_unusual_dns_service_children.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
lateral_movement_unusual_dns_service_file_writes.toml
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
lateral_movement_via_startup_folder_rdp_smb.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
lateral_movement_via_wsus_update.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_ad_adminsdholder.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_adobe_hijack_persistence.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
persistence_app_compat_shim.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_appcertdlls_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_appinitdlls_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
persistence_browser_extension_install.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
persistence_dontexpirepasswd_account.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_evasion_hidden_local_account_creation.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_evasion_registry_ifeo_injection.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
2025-08-28 12:40:03 -07:00
persistence_evasion_registry_startup_shell_folder_modified.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
persistence_group_modification_by_system.toml
[Rule Tuning] Replace legacy winlog.api usage (#4647)
2025-04-24 05:52:38 +05:30
persistence_local_scheduled_job_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_local_scheduled_task_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_local_scheduled_task_scripting.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_ms_office_addins_file.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_ms_outlook_vba_template.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_msds_alloweddelegateto_krbtgt.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_msi_installer_task_startup.toml
[Rule Tuning] Persistence via a Windows Installer (#5386)
2025-12-01 07:54:23 -08:00
persistence_msoffice_startup_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_netsh_helper_dll.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_powershell_exch_mailbox_activesync_add_device.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_powershell_profiles.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
persistence_priv_escalation_via_accessibility_features.toml
[Rule Tuning] Windows High Severity - 4 (#5095)
2025-09-15 09:18:55 -07:00
persistence_registry_uncommon.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_remote_password_reset.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_run_key_and_startup_broad.toml
[Tuning] Startup or Run Key Registry Modification (#5137)
2025-10-06 09:24:33 +01:00
persistence_runtime_run_key_startup_susp_procs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_scheduled_task_creation_winlog.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_scheduled_task_updated.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
persistence_sdprop_exclusion_dsheuristics.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_service_dll_unsigned.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_service_windows_service_winlog.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
persistence_services_registry.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
persistence_startup_folder_file_written_by_suspicious_process.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_startup_folder_file_written_by_unsigned_process.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
persistence_startup_folder_scripts.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_suspicious_com_hijack_registry.toml
[Rule Tuning] Component Object Model Hijacking (#5065)
2025-09-11 17:18:05 -07:00
persistence_suspicious_image_load_scheduled_task_ms_office.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_suspicious_scheduled_task_runtime.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
persistence_suspicious_service_created_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_suspicious_user_mandatory_profile_file.toml
[New] Potential Persistence via Mandatory User Profile (#5530)
2026-01-09 09:35:47 +00:00
persistence_sysmon_wmi_event_subscription.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_system_shells_via_services.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_temp_scheduled_task.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
persistence_time_provider_mod.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_user_account_added_to_privileged_group_ad.toml
[Rule Tuning] User Added to Privileged Group in Active Directory (#4646)
2025-04-24 06:12:33 +05:30
persistence_user_account_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_application_shimming.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
persistence_via_bits_job_notify_command.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_hidden_run_key_valuename.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_via_lsa_security_support_provider_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
2025-08-28 12:50:59 -07:00
persistence_via_telemetrycontroller_scheduledtask_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_update_orchestrator_service_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_windows_management_instrumentation_event_subscription.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
persistence_via_wmi_stdregprov_run_services.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
persistence_via_xp_cmdshell_mssql_stored_procedure.toml
[Rule Tuning] High-Severity Noisy Rules Conversion to new_terms (#5091)
2025-09-15 09:38:03 -07:00
persistence_web_shell_aspx_write.toml
[Rule Tuning] Web Server Rules (#5581)
2026-01-20 15:30:57 -03:00
persistence_webshell_detection.toml
Update persistence_webshell_detection.toml (#5524)
2026-01-02 12:45:50 -03:00
persistence_werfault_reflectdebugger.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_badsuccessor_dmsa_abuse.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_create_process_as_different_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_create_process_with_token_unpriv.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_credroaming_ldap.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_disable_uac_registry.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_dmsa_creation_by_unusual_user.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_dns_serverlevelplugindll.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_driver_newterm_imphash.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_expired_driver_loaded.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_exploit_cve_202238028.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_gpo_schtask_service_creation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_iniscript.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_privileged_groups.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_group_policy_scheduled_task.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_installertakeover.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_krbrelayup_service_creation.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_lsa_auth_package.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_make_token_local.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_msi_repair_via_mshelp_link.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_named_pipe_impersonation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_newcreds_logon_rare_process.toml
[Rule Tuning] First Time Seen NewCredentials Logon Process (#4844)
2025-06-24 12:25:56 -03:00
privilege_escalation_persistence_phantom_dll.toml
[Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525)
2026-01-07 21:03:44 +00:00
privilege_escalation_port_monitor_print_pocessor_abuse.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_posh_token_impersonation.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_printspooler_registry_copyfiles.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
privilege_escalation_printspooler_service_suspicious_file.toml
[Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560)
2026-01-16 12:46:45 +00:00
privilege_escalation_printspooler_suspicious_file_deletion.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_printspooler_suspicious_spl_file.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
privilege_escalation_reg_service_imagepath_mod.toml
[Rule Tuning] Check if registry.data.strings is null on exclusion-based logic (#5193)
2025-10-07 08:40:23 -07:00
privilege_escalation_rogue_windir_environment_var.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_samaccountname_spoofing_attack.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_service_control_spawned_script_int.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_suspicious_dnshostname_update.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_thread_cpu_priority_hijack.toml
[Rule Tuning] Remove host.os.type Unit Test Exception (#5317)
2025-11-14 08:46:24 -08:00
privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_uac_bypass_com_clipup.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_com_ieinstal.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_uac_bypass_diskcleanup_hijack.toml
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
2025-09-01 05:31:12 -07:00
privilege_escalation_uac_bypass_dll_sideloading.toml
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
privilege_escalation_uac_bypass_event_viewer.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00
privilege_escalation_uac_bypass_mock_windir.toml
Refresh ecs, beats, integration manifests & schemas (#4699)
2025-05-05 23:06:40 +05:30
privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_unquoted_service_path.toml
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
2025-08-28 13:07:38 -07:00
privilege_escalation_unusual_parentchild_relationship.toml
Update privilege_escalation_unusual_parentchild_relationship.toml (#4775)
2025-06-09 18:58:55 +01:00
privilege_escalation_unusual_printspooler_childprocess.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_unusual_svchost_childproc_childless.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_via_ppid_spoofing.toml
[Rule Tuning] Windows Misc Tuning (#5382)
2025-12-01 07:28:25 -08:00
privilege_escalation_via_rogue_named_pipe.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
privilege_escalation_via_token_theft.toml
[Tuning] Process Created with an Elevated Token (#5532)
2026-01-09 09:23:37 +00:00
privilege_escalation_windows_service_via_unusual_client.toml
[Rule Tuning] Windows High Severity - 5 (#5096)
2025-09-15 09:29:37 -07:00