@@ -1,13 +1,14 @@
name: LSASS access from unsigned executable
id: 348bf896-2201-444f-b1c9-e957a1f063bf
version: 1.0.2
version: 1.0.3
description: |
Detects attempts by an unsigned process to access the Local Security Authority Subsystem Service (LSASS).
Adversaries may try to dump credential information stored in the process memory of LSASS.
labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1003
technique.name: OS Credential Dumping
technique.ref: https://attack.mitre.org/techniques/T1003/
subtechnique.id: T1003.001
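Review bot: the new subtechnique.id line at the end of the labels block has no matching subtechnique.name or subtechnique.ref, while tactic and technique each carry id, name and ref; for consistency add `subtechnique.name: LSASS Memory` and a ref under https://attack.mitre.org/techniques/T1003/001/ so consumers of the labels get the same shape for every level. Bumping version from 1.0.2 to 1.0.3 for a metadata-only change is appropriate.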
3 changes: 2 additions & 1 deletion rules/credential_access_lsass_handle_leak_via_seclogon.yml
@@ -1,6 +1,6 @@
name: LSASS handle leak via Seclogon
id: 5d55c938-875e-49e1-ae53-fa196d4445eb
version: 1.0.2
version: 1.0.3
description: |
Identifies suspicious access to LSASS process from a callstack pointing to seclogon.dll that
may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in
@@ -9,6 +9,7 @@ labels:
tactic.id: TA0006
tactic.name: Credential Access
tactic.ref: https://attack.mitre.org/tactics/TA0006/
technique.id: T1003
technique.name: OS Credential Dumping
technique.ref: https://attack.mitre.org/techniques/T1003/
subtechnique.id: T1003.001
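Review bot: subtechnique.id T1003.001 is added here but technique.ref still points only at the parent page https://attack.mitre.org/techniques/T1003/; add a subtechnique.ref for https://attack.mitre.org/techniques/T1003/001/ alongside it so the label block resolves to the sub-technique page rather than leaving the reader to construct the URL.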
4 changes: 2 additions & 2 deletions rules/defense_evasion_dll_loaded_via_apc_queue.yml
@@ -1,6 +1,6 @@
name: DLL loaded via APC queue
id: e1ee3912-ad7c-4acb-80f4-84db87e54d5e
version: 1.0.4
version: 1.0.5
description: |
Identifies loading of a DLL with a callstack originating from the thread
alertable state that led to the execution of an APC routine. This may be
@@ -9,9 +9,9 @@ labels:
tactic.id: TA0005
tactic.name: Defense Evasion
tactic.ref: https://attack.mitre.org/tactics/TA0005/
technique.id: T1055
technique.name: Process Injection
technique.ref: https://attack.mitre.org/techniques/T1055/
subtechnique.id: T1055.003
references:
- https://github.com/Idov31/Cronos
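Review bot: the sub-technique mapping at subtechnique.id T1055.003 should be checked against the rule's own description, which is about a DLL load driven by an APC routine executed from an alertable thread; ATT&CK catalogues APC-based injection as T1055.004 (Asynchronous Procedure Call), whereas T1055.003 is Thread Execution Hijacking. If .003 is intended because the detection keys on the hijacked thread rather than the APC itself, state that in the description; otherwise change the id to T1055.004.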

@@ -1,13 +1,14 @@
name: DLL loaded via LdrpKernel32 overwrite
id: 56739eda-210f-4a30-a114-d55ca60976df
version: 1.0.4
version: 1.0.5
description: |
Detects attempts to bypass the standard NTDLL bootstrap process by loading a malicious DLL early through hijacking.
The malicious DLL, containing attacker-controlled code, is loaded in place of the legitimate kernel32 DLL.
labels:
tactic.id: TA0005
tactic.name: Defense Evasion
tactic.ref: https://attack.mitre.org/tactics/TA0005/
technique.id: T1574
technique.name: Hijack Execution Flow
technique.ref: https://attack.mitre.org/techniques/T1574/
subtechnique.id: T1574.001
4 changes: 2 additions & 2 deletions rules/defense_evasion_dll_sideloading_via_copied_binary.yml
@@ -1,6 +1,6 @@
name: DLL Side-Loading via a copied binary
id: 80798e2c-6c37-472b-936c-1d2d6b95ff3c
version: 1.0.7
version: 1.0.8
description: |
Identifies when a binary is copied to a directory and shortly followed
by the loading of an unsigned DLL from the same directory. Adversaries may
@@ -26,7 +26,7 @@ condition: >
(file.extension ~= '.exe' or file.is_exec)
| by file.path
|(load_dll) and
dir(image.path) ~= dir(ps.exe) and
dir(dll.path) ~= dir(ps.exe) and
ps.signature.subject icontains 'Microsoft' and ps.signature.trusted and
(dll.signature.exists = false or dll.signature.trusted = false)
| by ps.exe
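Review bot: the replacement of `dir(image.path) ~= dir(ps.exe)` with `dir(dll.path) ~= dir(ps.exe)` is the substantive fix in this PR and looks right: the signature checks on the following lines already address the loaded module as `dll.signature.*`, so the directory comparison now refers to the same object instead of a field that does not describe the DLL in a load_dll event. Two follow-ups: add a regression case in which the unsigned DLL is loaded from a directory other than the one the binary was copied to, to confirm the join no longer fires; and since this changes what the rule matches, a minor bump rather than 1.0.7 to 1.0.8 would signal that to operators tracking rule versions.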
@@ -1,6 +1,6 @@
name: Potential mandatory profile registry persistence
id: e9c9fa57-5088-4d40-8a5e-2aa70ec6e189
version: 1.0.0
version: 1.0.1
description: |
Identifies suspicious creation of the NTUSER.MAN file within user profile
directories, a lesser-known persistence technique that abuses mandatory
@@ -11,6 +11,7 @@ labels:
tactic.id: TA0003
tactic.name: Persistence
tactic.ref: https://attack.mitre.org/tactics/TA0003/
technique.id: T1547
technique.name: Boot or Logon Autostart Execution
technique.ref: https://attack.mitre.org/techniques/T1547/
subtechnique.id: T1547.001
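Review bot: subtechnique.id T1547.001 (Registry Run Keys / Startup Folder) is a loose fit for a rule whose description is about creation of NTUSER.MAN in a user profile directory, which is a mandatory-profile trick rather than a Run key or Startup folder entry; if no closer sub-technique exists under T1547, it may be better to leave the label at the parent technique and explain the mapping in the description than to attach a sub-technique that will mislead triage.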
@@ -1,13 +1,14 @@
name: Potential port monitor or print processor persistence via registry modification
id: de04ae6b-8141-41af-9baa-15630b5954cc
version: 1.0.2
version: 1.0.3
description: |
Identifies port monitor or print process registry modifications that would allow
adversaries to run malicious DLLs during system boot.
labels:
tactic.id: TA0003
tactic.name: Persistence
tactic.ref: https://attack.mitre.org/tactics/TA0003/
technique.id: T1547
technique.name: Boot or Logon Autostart Execution
technique.ref: https://attack.mitre.org/techniques/T1547/
subtechnique.id: T1547.010
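Review bot: the description covers both port monitors and print processors, but only subtechnique.id T1547.010 (Port Monitors) is added; Print Processors is its own sub-technique, T1547.012, so either add it if the labels schema allows more than one subtechnique.id, or note in the description that only the port monitor half is labelled. Separately, "print process registry modifications" in the description reads as a typo for "print processor".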