elastic · traut · Jun 20, 2025 · Jun 18, 2025
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="cbb29b1d-e0ef-4c00-a2ca-0f5277deb3a3",
+    name="amsi_bypass_via_unbacked_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="06516087-9305-482b-af9a-92f4386d2f19", name="AMSI Bypass via Unbacked Memory")
+    ],
+    techniques=['T1562', 'T1562.001'],
+    sample_hash="aa31279da8b6c8dbefe9d3d6c423f3f785fd13ab8539839c73d13e9580ebe22c",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="0eeb9564-8765-4c29-a2f5-f7670e1cd669",
+    name="attempt_to_mount_a_remote_webdav_share",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="0a364281-5edc-4f75-a839-48b150cec3f2", name="Attempt to Mount a Remote WebDav Share")
+    ],
+    techniques=['T1204', 'T1204.002', 'T1021', 'T1021.002'],
+    sample_hash="bbf1699eeb08269b7d7a3982be6fa207f3d767ba9e48c406db102a552db716eb",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="8be64c37-dfc0-4ee4-a4e3-63c42ed33bca",
+    name="execution_from_suspicious_stack_trailing_bytes",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="0a26ccb6-41b9-418d-9314-854aadcb1fba", name="Execution from Suspicious Stack Trailing Bytes")
+    ],
+    techniques=[],
+    sample_hash="ad6e942d541570bedea0a2560ecd8ad7783593eef510af7f2f48a8a4d00aa674",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="64d4640c-3c0f-4e5f-b8b1-e910b8a5d152",
+    name="execution_via_obfuscated_powershell_script",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="ce95fc52-051e-4409-9c99-f2daf3e6e609", name="Execution via Obfuscated PowerShell Script")
+    ],
+    techniques=['T1059', 'T1059.001'],
+    sample_hash="47ae6d232dee297bf10ee6b88ee560801c3e7b0504485e254e4bc69b611ba3d8",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="49360b18-d88a-470c-b551-2851773797a6",
+    name="firewall_policy_changed_by_a_suspicious_process",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="bf072c39-90bc-4b1b-9c78-1d8a9bd6f0e1", name="Firewall Policy Changed by a Suspicious Process")
+    ],
+    techniques=['T1562', 'T1562.001'],
+    sample_hash="bdf06c7902c1d0b705be7415aad80836686d4d44482ced0bb2d4c7670c501255",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="e8b32a35-de6f-4f22-a132-6e233f7eaf8d",
+    name="image_hollow_from_unusual_stack",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="446e61bf-8370-45df-88ab-7b213ee653db", name="Image Hollow from Unusual Stack")
+    ],
+    techniques=['T1055'],
+    sample_hash="966a6c9fd83512c580dfc9f8cf666361ba6f7491d296e707a29c4780e5825f3f",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="e55a01e6-5a5c-4934-91aa-7dad9e93c59c",
+    name="internet_activity_from_suspicious_unbacked_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="7dca0e22-0e3f-4ed0-ad28-eff5617adf75", name="Internet Activity from Suspicious Unbacked Memory")
+    ],
+    techniques=['T1055'],
+    sample_hash="17bc5b41b35d894b37224e5daa66e2c7326e10a8309e299af122c6602afc953e",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="44f50c16-742b-427a-aee7-6d812f908814",
+    name="microsoft_common_language_runtime_loaded_from_suspicious_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="ad2c6fcc-89d3-4939-85d9-d7114d6bbf14", name="Microsoft Common Language Runtime Loaded from Suspicious Memory")
+    ],
+    techniques=['T1055'],
+    sample_hash="44788f535787ccc40ce79b30e4191e48986c2d40025cc0d55c32668b52acb3fa",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="9c5b7e6f-9053-44a3-ab28-36409845bdec",
+    name="netsupport_execution_form_unusual_path",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="f36c407e-27c1-4682-a322-73dd0cddf29d", name="NetSupport Execution form unusual Path")
+    ],
+    techniques=['T1219'],
+    sample_hash="8967c17e9f455d2af6b0c65817851bc03b1389bfaa92f566728de2d2a562f58a",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="66d7626a-3ae6-464b-ba20-446ce2b556dd",
+    name="network_activity_from_a_stomped_module",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="4388a77b-4ddf-4e15-8314-ecf96c77807a", name="Network Activity from a Stomped Module")
+    ],
+    techniques=['T1055'],
+    sample_hash="966a6c9fd83512c580dfc9f8cf666361ba6f7491d296e707a29c4780e5825f3f",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="6c264182-eaef-4776-aa52-4846fc0e79ff",
+    name="network_connect_api_from_unbacked_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="720e0265-03bc-4cb7-9116-7fad5ea9cdfc", name="Network Connect API from Unbacked Memory")
+    ],
+    techniques=['T1055'],
+    sample_hash="eec61b37516a902f999d664590ae8538794f2bbf5f454be52c837cf52760dbfa",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="340f4c29-1fa6-42b0-846b-c56da0040498",
+    name="network_module_loaded_from_a_backed_rwx_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="a1d00ee9-64d6-440a-8940-fd2d940152a6", name="Network Module Loaded from a Backed RWX Memory")
+    ],
+    techniques=['T1055'],
+    sample_hash="adfdb5d77b78750b46681a4792ffa6b30ba6665cad6127d61110ada5a7e139fb",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="40944110-6966-4e9c-aef0-d7fe1093b87b",
+    name="parallel_ntdll_loaded_from_unbacked_memory",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="69267bb2-e2d9-4621-9bf6-064ac885e49c", name="Parallel NTDLL Loaded from Unbacked Memory")
+    ],
+    techniques=['T1055'],
+    sample_hash="81e4808bcd2b11a4fd3b23668882628bcbdce55c62009daa4b97b15e421e6d13",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="4a39696b-43c2-4703-b942-5e8e6cbd1840",
+    name="parent_process_pid_spoofing",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="816ba7e7-519a-4f85-be2a-bacd6ccde57f", name="Parent Process PID Spoofing")
+    ],
+    techniques=['T1134', 'T1134.004'],
+    sample_hash="80e5cb11ae2512da3b7be501b469d6fc1a69a2017a143b9897023da9e366325f",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="950aa5b4-c99f-44ad-872b-f66ab1ddc17c",
+    name="payload_decoded_via_certutil",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="dbc72ac5-a004-45de-916d-e8aac82c4789", name="Payload Decoded via CertUtil")
+    ],
+    techniques=['T1027', 'T1140'],
+    sample_hash="24f65e496692a64157011ed08648a853312526299131e4f819376889ff94876d",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="bdc606e1-a136-447d-9e55-de60a89dffea",
+    name="potential_crypto_mining_activity",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="fe082539-a528-4453-ac19-34d57f2f7730", name="Potential Crypto Mining Activity")
+    ],
+    techniques=['T1496'],
+    sample_hash="af94ddf7c35b9d9f016a5a4b232b43e071d59c6beb1560ba76df20df7b49ca4c",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="52751955-55a7-4409-bc16-4bd26cf118ed",
+    name="potential_dll_hollowing_with_transactional_ntfs",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="7f61cf66-1363-4b2a-8f82-73cc2bd46b17", name="Potential DLL Hollowing with Transactional NTFS")
+    ],
+    techniques=['T1055'],
+    sample_hash="e7fa4f8df8fa95adffb3b0a08d091dd26830c17ef4cceed95f33ec087fbcf0ce",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="34587ca9-3adb-42e6-948c-d1f81dc12680",
+    name="potential_evasion_via_invalid_code_signature",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="f3f769b9-0695-49ed-ab6e-c8f199a7d2c8", name="Potential Evasion via Invalid Code Signature")
+    ],
+    techniques=['T1055', 'T1036'],
+    sample_hash="fb68f4812303beb08bb62f4b54bde01c0c11220ec1aab78d71f76f42ada86cdf",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="009e8ec8-6a9e-4449-9fa5-8961907b636e",
+    name="potential_injection_via_asynchronous_procedure_call",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="2316b571-731d-4745-97ac-4fd6922d32df", name="Potential Injection via Asynchronous Procedure Call")
+    ],
+    techniques=['T1055'],
+    sample_hash="94827a4ab543972eacee8e610ec94d8469de43fe8dc0302015f1c587b158025d",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="cf5e28a1-0c35-4be1-87ba-381dcdbb2d8b",
+    name="potential_injection_via_pyinstaller_executable",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="deb48ee3-8ce0-4ff7-a30b-041c5db024bb", name="Potential Injection via PyInstaller Executable")
+    ],
+    techniques=['T1055'],
+    sample_hash="c081174ab9326b2a9e552dd1b96017b51dd5212a8621d97144b697002baa2ef4",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="6d1885f8-b82f-48ff-b621-50b507ced8e8",
+    name="potential_operation_via_direct_syscall",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="30106950-2383-49cd-b462-ed55be29b10b", name="Potential Operation via Direct Syscall")
+    ],
+    techniques=['T1055'],
+    sample_hash="6c4a8bd310ce4f1146d84ca455a560fd082e7d22d8b8c772cef5ce89f68e3191",
+)
@@ -0,0 +1,17 @@
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+
+from . import OSType, RuleMetadata, register_hash_rta
+
+register_hash_rta(
+    id="195ab730-3bab-4738-b3b9-36d29cc541d2",
+    name="potential_remote_code_injection",
+    platforms=[OSType.WINDOWS],
+    endpoint_rules=[
+        RuleMetadata(id="f1d05929-4271-4d39-9cae-05eab6d4efca", name="Potential Remote Code Injection")
+    ],
+    techniques=['T1055'],
+    sample_hash="67f264aef12ee76e84254428afc9e489162b57f2f019dec7ec85c421d616a7ad",
+)