
chore: Add endpoint rule IDs for T1087.002, T1204.001, T1204.002#29

Merged
Mikaayenson merged 1 commit into main from add-endpoint-rule-ids on Jan 28, 2026
Conversation

@Mikaayenson (Contributor) commented Jan 28, 2026

Summary

Adds real endpoint rule IDs from the endpoint-rules repo for RTAs that have coverage.

Changes

RTA | Endpoint Rule ID | Rule Name
account_discovery_domain | c3b3cd2e-04f5-457f-8d69-f92468f22eae | Domain Accounts Enumeration via LDAP Search
account_discovery_domain | 447b004a-ac74-4ba4-8131-44efc25fdd47 | Group and Privileged Accounts Discovery via LDAP
user_execution_malicious_file | ccfca0c7-c975-4735-82bd-954ffbafd00b | Evasion via File Name Masquerading
user_execution_malicious_link | 27d1b0dc-a50c-4e7b-9ec5-961351fbe819 | Potential Execution via LNK Stomping

Testing

poetry run pytest tests/ -v
tests/test_rtas.py::test_load_all_modules PASSED

Added endpoint rules from endpoint-rules repo:

- account_discovery_domain: Added endpoint rules c3b3cd2e (Domain Accounts
  Enumeration via LDAP Search), 447b004a (Group and Privileged Accounts
  Discovery via LDAP)
- user_execution_malicious_file: Added endpoint rule ccfca0c7 (Evasion via
  File Name Masquerading - double extension detection)
- user_execution_malicious_link: Added endpoint rule 27d1b0dc (Potential
  Execution via LNK Stomping)
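As an added check (not code from this PR or from the rtas or endpoint-rules repos): a small Python validator over the RTA-to-rule mapping in the table above. The on-disk metadata layout of the RTA files is not shown on this page, so the mapping below is a constructed dict that mirrors the table, and validate_endpoint_rules and resolve_short_id are names introduced here. It checks that every rule_id is a canonical lowercase hyphenated UUID (the reviewer's "all appear valid" done mechanically), that no RTA lists the same rule twice, that one ID does not carry two different rule names across RTAs, and it expands the eight-character prefixes used in the commit message (c3b3cd2e, 447b004a, ...) back to full IDs while refusing ambiguous prefixes.

```python
import uuid

# Constructed sample mirroring the table in the PR description. The real
# metadata layout of the RTA files is not shown on the page; this dict shape
# is an assumption made for the example.
RTA_ENDPOINT_RULES = {
    "account_discovery_domain": [
        {"rule_id": "c3b3cd2e-04f5-457f-8d69-f92468f22eae",
         "rule_name": "Domain Accounts Enumeration via LDAP Search"},
        {"rule_id": "447b004a-ac74-4ba4-8131-44efc25fdd47",
         "rule_name": "Group and Privileged Accounts Discovery via LDAP"},
    ],
    "user_execution_malicious_file": [
        {"rule_id": "ccfca0c7-c975-4735-82bd-954ffbafd00b",
         "rule_name": "Evasion via File Name Masquerading"},
    ],
    "user_execution_malicious_link": [
        {"rule_id": "27d1b0dc-a50c-4e7b-9ec5-961351fbe819",
         "rule_name": "Potential Execution via LNK Stomping"},
    ],
}


def validate_endpoint_rules(mapping):
    """Return a list of problem strings; an empty list means the mapping is clean."""
    problems = []
    names_by_id = {}  # canonical rule_id -> first rule_name seen, to catch conflicts
    for rta, rules in mapping.items():
        if not rules:
            problems.append(f"{rta}: no endpoint rules listed")
            continue
        seen_in_rta = set()
        for entry in rules:
            rid = entry.get("rule_id", "")
            name = entry.get("rule_name", "")
            try:
                parsed = uuid.UUID(rid)
            except (ValueError, AttributeError, TypeError):
                problems.append(f"{rta}: rule_id {rid!r} is not a UUID")
                continue
            # uuid.UUID() also accepts braces, a urn: prefix, upper case and
            # 32 bare hex digits; require the canonical lowercase hyphenated
            # form so IDs can be compared as plain strings elsewhere.
            if str(parsed) != rid:
                problems.append(f"{rta}: rule_id {rid!r} is not in canonical form")
            if not name or not str(name).strip():
                problems.append(f"{rta}: rule_id {rid} has an empty rule_name")
            key = str(parsed)
            if key in seen_in_rta:
                problems.append(f"{rta}: rule_id {rid} listed twice")
            seen_in_rta.add(key)
            if key in names_by_id and names_by_id[key] != name:
                problems.append(
                    f"rule_id {rid} has conflicting names: "
                    f"{names_by_id[key]!r} vs {name!r}")
            names_by_id.setdefault(key, name)
    return problems


def resolve_short_id(mapping, prefix):
    """Expand an abbreviated rule ID (e.g. 'c3b3cd2e', as written in the commit
    message) to the full ID. Returns None when nothing matches and raises
    ValueError when the prefix matches more than one distinct rule ID."""
    prefix = prefix.lower()
    matches = {entry["rule_id"].lower()
               for rules in mapping.values() for entry in rules
               if entry["rule_id"].lower().startswith(prefix)}
    if len(matches) > 1:
        raise ValueError(f"prefix {prefix!r} is ambiguous: {sorted(matches)}")
    return matches.pop() if matches else None


if __name__ == "__main__":
    for problem in validate_endpoint_rules(RTA_ENDPOINT_RULES):
        print("PROBLEM:", problem)
    print("c3b3cd2e ->", resolve_short_id(RTA_ENDPOINT_RULES, "c3b3cd2e"))
```

Running it against the constructed mapping reports no problems; feeding it an upper-case or brace-wrapped ID, an empty name, or the same ID under two different names produces one line per defect, which is the kind of check that could sit next to test_load_all_modules rather than relying on manual review.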
@Mikaayenson Mikaayenson requested a review from a team as a code owner January 28, 2026 22:38
@Mikaayenson Mikaayenson self-assigned this Jan 28, 2026
@Mikaayenson Mikaayenson changed the title from "Add real endpoint rule IDs for T1087.002, T1204.001, T1204.002" to "chore: Add endpoint rule IDs for T1087.002, T1204.001, T1204.002" Jan 28, 2026
@Mikaayenson Mikaayenson added the documentation Improvements or additions to documentation label Jan 28, 2026
@eric-forte-elastic (Contributor) left a comment

🟢 Manual review, looks good to me! 👍

All appear valid

@Mikaayenson Mikaayenson merged commit 645e90f into main Jan 28, 2026
6 checks passed
@Mikaayenson Mikaayenson deleted the add-endpoint-rule-ids branch January 28, 2026 22:45