rabbitstack · rabbitstack · Apr 26, 2026
diff --git a/rules/credential_access_suspicious_access_to_windows_manager_files.yml b/rules/credential_access_suspicious_access_to_windows_manager_files.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to Windows Credential Manager files
 id: 4ab688f7-94e2-481b-9c7f-c49f3a79a379
-version: 1.0.4
+version: 1.0.5
 description: |
   Identifies suspicious processes trying to acquire credentials from the Windows Credential Manager.
 labels:
@@ -25,7 +25,8 @@ condition: >
             (
               '?:\\Program Files\\*',
               '?:\\Program Files(x86)\\*',
-              '?:\\Windows\\System32\\lsass.exe'
+              '?:\\Windows\\System32\\lsass.exe',
+              '?:\\Windows\\system32\\svchost.exe'
             )
 
 min-engine-version: 3.0.0
diff --git a/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml b/rules/defense_evasion_suspicious_access_to_the_hosts_file.yml
@@ -1,6 +1,6 @@
 name: Suspicious access to the hosts file
 id: f7b2c9d3-99e7-41d5-bb4a-6ea1a5f7f9e2
-version: 1.1.0
+version: 1.1.1
 description: >
   Identifies suspicious process accessing the Windows hosts file for potential tampering.
   Adversaries can hijack the hosts files to block traffic to download/update servers or redirect the
@@ -65,7 +65,9 @@ condition: >
                                                 '?:\\Program Files\\Microsoft VS Code\\Code.exe!GetHandleVerifier',
                                                 '?:\\Program Files (x86)\\Microsoft VS Code\\Code.exe!GetHandleVerifier',
                                                 '?:\\Program Files\\Google\\Chrome\\*\\chrome.dll!*',
-                                                '?:\\Program Files (x86)\\Google\\Chrome\\*\\chrome.dll!*'
+                                                '?:\\Program Files (x86)\\Google\\Chrome\\*\\chrome.dll!*',
+                                                '?:\\Program Files\\Microsoft\\*\\msedge.dll!*',
+                                                '?:\\Program Files (x86)\\Microsoft\\*\\msedge.dll!*'
                                               ))
     |
 action:

diff --git a/rules/defense_evasion_suspicious_protected_process_execution.yml b/rules/defense_evasion_suspicious_protected_process_execution.yml
@@ -1,6 +1,6 @@
 name: Suspicious protected process execution
 id: a778295a-02f1-42d9-9c20-78346a7bc2c6
-version: 1.0.0
+version: 1.1.0
 description: |
   Identifies unprivileged process spawning a child with protected integrity level. This 
   indicates an unusual behavior that is often associated with attempts to tamper with or 
@@ -22,11 +22,13 @@ condition: >
   sequence
   maxspan 1m30s
     |spawn_process and
-     ps.token.integrity_level != 'SYSTEM' and
+     ps.is_protected = false and
+     (ps.sid != 'S-1-5-18' or ps.token.integrity_level != 'SYSTEM') and
      ps.exe not imatches
                 (
                   '?:\\Program Files\\*',
-                  '?:\\Program Files(x86)\\*'
+                  '?:\\Program Files(x86)\\*',
+                  '?:\\WINDOWS\\System32\\smss.exe'
                 )
     | by ps.uuid
     |spawn_process and ps.is_protected| by ps.parent.uuid