June 4th, 2026 - Content Release

June 4, 2026

This content release includes:

Updated MITRE ATT&CK tactic and technique tags across 89 rules to align with the MITRE ATT&CK v19 framework update, which reorganized the former Defense Evasion tactic into Stealth and the new Defense Impairment tactic
Affected rules now reference the correct successor techniques and tactic identifiers, ensuring accurate threat classification in detection workflows
Additional changes are enumerated below

Rules

[Updated] MATCH-S00307 AWS - Excessive OAuth Application Permissions Scope
[Updated] MATCH-S00306 AWS - New UserPoolClient Created
[Updated] MATCH-S00261 AWS CloudTrail - Database Snapshot Created
[Updated] MATCH-S00113 AWS CloudTrail - Logging Configuration Change Observed
[Updated] MATCH-S00654 AWS ECS Cluster Deleted
[Updated] MATCH-S00719 AWS Instance Creation
[Updated] MATCH-S00720 AWS Instance Deletion
[Updated] MATCH-S00721 AWS Instance Modification
[Updated] MATCH-S00598 Alibaba ActionTrail Logging Configuration Change Observed
[Updated] MATCH-S00516 Antivirus Ransomware Detection
[Updated] MATCH-S00510 Attempt to Add Certificate to Store
[Updated] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
[Updated] MATCH-S00805 Azure - Bastion Host Created/Modified
[Updated] MATCH-S00806 Azure - Bastion Host Deleted
[Updated] MATCH-S00808 Azure - Container Instance Creation/Modification
[Updated] MATCH-S00809 Azure - Container Start
[Updated] MATCH-S00786 Azure - SQL Database Export
[Updated] MATCH-S00303 Azure - Unauthorized OAuth Application
[Updated] MATCH-S00803 Azure - Virtual Machine Creation/Modification
[Updated] MATCH-S00804 Azure - Virtual Machine Deleted
[Updated] MATCH-S00801 Azure - Virtual Machine Started
[Updated] MATCH-S00802 Azure - Virtual Machine Stopped
[Updated] MATCH-S00896 Azure Authentication Policy Change
[Updated] CHAIN-S00022 Azure DevOps - Agent Pool Created and Deleted within a Short Period
[Updated] FIRST-S00099 Azure DevOps - First Seen User Creating Agent Pool
[Updated] FIRST-S00092 Azure DevOps - First Seen User Creating Release Pipeline
[Updated] FIRST-S00097 Azure DevOps - First Seen User Modifying Build Variables
[Updated] FIRST-S00096 Azure DevOps - First Seen User Modifying Release Pipeline
[Updated] OUTLIER-S00030 Azure DevOps - Outlier in Pools Deleted Rapidly
[Updated] MATCH-S00891 Azure OAUTH Application Consent from User
[Updated] MATCH-S00373 BlueMashroom DLL Load
[Updated] MATCH-S01155 Claude Compliance API Logging Disabled
[Updated] MATCH-S01157 Claude Organization IP Restriction Deleted
[Updated] MATCH-S00758 CrashControl Registry Modification
[Updated] MATCH-S00544 Disabling Remote User Account Control
[Updated] MATCH-S00319 Dridex Process Pattern
[Updated] MATCH-S00392 File or Folder Permissions Modifications
[Updated] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address
[Updated] FIRST-S00020 First Seen Azure OAUTH Application Consent from User
[Updated] FIRST-S00030 First Seen Outbound Connection to External IP Address on Port 445 from IP Address
[Updated] FIRST-S00034 First Seen Session Token Granted to User from New IP
[Updated] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
[Updated] MATCH-S00712 GCP Instance Creation
[Updated] MATCH-S00713 GCP Instance Deletion
[Updated] MATCH-S00714 GCP Instance Modification
[Updated] MATCH-S00958 GitHub - PR Review Requirement Removed
[Updated] MATCH-S00962 GitHub - Repository Visibility Permissions Changed
[Updated] MATCH-S00964 GitHub - SSO Recovery Codes Access Activity
[Updated] MATCH-S00966 GitHub - Two-Factor Authentication Disabled for Organization
[Updated] MATCH-S00301 Google Workspace - Excessive OAuth Application Permissions Scope
[Updated] MATCH-S00227 Google Workspace - Unauthorized OAuth Application
[Updated] MATCH-S00894 HAR file creation observed on host
[Updated] MATCH-S00850 LastPass - Policy Added
[Updated] MATCH-S00851 LastPass - Policy Deleted
[Updated] MATCH-S00852 LastPass - Shared Folder Created
[Updated] MATCH-S00578 Lsass Registry Key Modified
[Updated] MATCH-S00534 MacOS - Re-Opened Applications
[Updated] MATCH-S00729 MacOS Gatekeeper Bypass
[Updated] MATCH-S00731 MacOS System Integrity Protection Disabled
[Updated] MATCH-S00397 Mimikatz Loaded Images Detected
[Updated] MATCH-S00404 Mimikatz via Powershell and EventID 4703
[Updated] MATCH-S00655 New Container Uploaded to AWS ECR
[Updated] MATCH-S00906 Okta - Application Created
[Updated] FIRST-S00067 Okta - First Seen Client ID/ASN combo in successful OIDC token grant
[Updated] MATCH-S00683 Overly Permissive Chmod Command
[Updated] MATCH-S00698 PATH Set to Current Directory
[Updated] MATCH-S00704 Persistence Registry Key Modification
[Updated] MATCH-S00200 Potential Pass the Hash Activity
[Updated] MATCH-S00545 Registry Keys For Creating Shim Databases
[Updated] MATCH-S00705 Registry Modification - Authentication Package
[Updated] MATCH-S00730 Registry Modification - Code Signing
[Updated] MATCH-S00735 Registry Modification - SIP or Trust Provider
[Updated] MATCH-S00569 Registry Persistence Mechanisms
[Updated] MATCH-S00328 Rubeus Hack Tool
[Updated] MATCH-S00498 Rubeus Hack Tool Logon Process Name
[Updated] LEGACY-S00094 Self-signed Certificates
[Updated] MATCH-S00834 Sensitive Registry Key (WDigest) Edit
[Updated] MATCH-S00196 Successful Overpass the Hash Attempt
[Updated] LEGACY-S00182 Suspicious HTTP User-Agent
[Updated] MATCH-S00135 Suspicious Registry Key Modification
[Updated] MATCH-S00886 Suspicious chmod Execution
[Updated] MATCH-S00567 Ursnif Malware Registry Key
[Updated] MATCH-S00316 WannaCry Ransomware
[Updated] MATCH-S00272 Windows - Rogue Domain Controller - dcshadow
[Updated] MATCH-S00107 Windows - User Adds Self to Security Group
[Updated] LEGACY-S00169 Windows Account Added To Privileged Security Group
[Updated] MATCH-S00274 Windows Credential Editor (WCE) Tool Use Detected
[Updated] MATCH-S00880 macOS - Entitlement Enumeration via Xattr

Rules​

Rules