
Detection Rules – The DFIR Report

<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <!-- NOTE(review): viewport omits initial-scale=1; harmless, but the conventional value is "width=device-width, initial-scale=1". --> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>Detection Rules &#8211; The DFIR Report</title> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <!-- This head mixes several inline <style> and <script> blocks (this one, the emoji probe below, the analytics and Wordfence snippets further down). A strict Content-Security-Policy would need per-response nonces or hashes for them; until then the page cannot drop 'unsafe-inline'. --> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='preconnect' href='//c0.wp.com' /> <!-- Resource hints use protocol-relative URLs; they inherit the page scheme, but explicit https: is the preferred form. --> <link rel="alternate" type="application/rss+xml" title="The DFIR Report &raquo; Feed" href="https://thedfirreport.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report &raquo; Comments Feed" href="https://thedfirreport.com/comments/feed/" /> <!-- WordPress core emoji-support probe (auto-generated, minified; its body continues on the following lines). It caches the probe result in sessionStorage and, when native support is missing, injects the same-origin script named in source.concatemoji. --> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/thedfirreport.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://c0.wp.com/c/6.7.2/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' type='text/css' media='all' /> <style id='jetpack-sharing-buttons-style-inline-css' type='text/css'> 
.jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: 
linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 
6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) 
!important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) 
!important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) 
!important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='freenews-style-css' href='https://thedfirreport.com/wp-content/themes/freenews/style.css?ver=6.7.2' type='text/css' media='all' /> <style id='freenews-style-inline-css' type='text/css'> .tags-links, .byline, .comments-link { clip: rect(1px, 1px, 1px, 1px); height: 1px; position: absolute; overflow: hidden; width: 1px; } </style> <link rel='stylesheet' id='font-awesome-css' href='https://thedfirreport.com/wp-content/themes/freenews/assets/library/fontawesome/css/all.min.css?ver=6.7.2' type='text/css' media='all' /> <link rel='stylesheet' id='freenews-google-fonts-css' href='https://thedfirreport.com/wp-content/fonts/d92fef3d9e5de6f7993b11046e265436.css' type='text/css' media='all' /> <style id='akismet-widget-style-inline-css' type='text/css'> .a-stats { --akismet-color-mid-green: #357b49; --akismet-color-white: #fff; --akismet-color-light-grey: #f6f7f7; max-width: 350px; width: auto; } .a-stats * { all: unset; box-sizing: border-box; } .a-stats strong { font-weight: 600; } .a-stats a.a-stats__link, .a-stats a.a-stats__link:visited, .a-stats a.a-stats__link:active { background: var(--akismet-color-mid-green); border: none; box-shadow: none; border-radius: 8px; color: var(--akismet-color-white); cursor: pointer; display: block; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen-Sans', 'Ubuntu', 'Cantarell', 'Helvetica Neue', sans-serif; font-weight: 500; padding: 12px; text-align: center; text-decoration: none; transition: all 0.2s ease; } /* Extra specificity to deal with TwentyTwentyOne focus style */ .widget .a-stats 
a.a-stats__link:focus { background: var(--akismet-color-mid-green); color: var(--akismet-color-white); text-decoration: none; } .a-stats a.a-stats__link:hover { filter: brightness(110%); box-shadow: 0 4px 12px rgba(0, 0, 0, 0.06), 0 0 2px rgba(0, 0, 0, 0.16); } .a-stats .count { color: var(--akismet-color-white); display: block; font-size: 1.5em; line-height: 1.4; padding: 0 13px; white-space: nowrap; } </style> <link rel='stylesheet' id='sharedaddy-css' href='https://c0.wp.com/p/jetpack/14.3/modules/sharedaddy/sharing.css' type='text/css' media='all' /> <link rel='stylesheet' id='social-logos-css' href='https://c0.wp.com/p/jetpack/14.3/_inc/social-logos/social-logos.min.css' type='text/css' media='all' /> <!-- jQuery and jquery-migrate are fetched from the third-party CDN c0.wp.com without integrity/crossorigin attributes. The URLs are version-pinned, so Subresource Integrity is feasible here; without it (or a CSP script-src allow-list) a compromised or substituted CDN response runs with full page privileges. All three scripts are also loaded synchronously in the head (no defer/async), which blocks rendering. --> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/global.js?ver=1" id="freenews-global-js"></script> <link rel="https://api.w.org/" href="https://thedfirreport.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://thedfirreport.com/wp-json/wp/v2/pages/21072" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://thedfirreport.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.2" /> <!-- Default WordPress output: the EditURI link advertises the xmlrpc.php endpoint and the generator meta discloses the exact core version. Both are commonly removed as hygiene when XML-RPC is not needed; neither is a vulnerability by itself. --> <link rel="canonical" href="https://thedfirreport.com/services/detection-rules/" /> <link rel='shortlink' href='https://thedfirreport.com/?p=21072' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2Fservices%2Fdetection-rules%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" 
href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2Fservices%2Fdetection-rules%2F&#038;format=xml" /> <!-- GA Google Analytics @ https://m0n.co/ga --> <!-- gtag.js is a third-party script with no version pin in its URL, so SRI would break on every upstream update; a CSP script-src allow-list is the practical control. The UA-prefixed id is a Universal Analytics property, which Google has stopped processing for standard accounts; presumably this tag is now inert, so confirm whether it should be migrated or removed. --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-162747485-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-162747485-1'); </script> <!-- Wordfence "log human" beacon: on the first user-interaction event it loads a same-origin tracking script so the firewall can distinguish browsers from bots. Inline, so it too needs a CSP nonce/hash. The URL argument is protocol-relative and carries a per-page hid token; it resolves to https because the page is served over https. --> <script type="text/javascript"> (function(url){ /* Skip Wordfence's own monitoring bot (and one fixed legacy Chrome UA) so its checks are not counted as human traffic. */ if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; } /* addEventListener/removeEventListener with attachEvent/detachEvent fallbacks for legacy IE; the fallback branches are dead in current browsers. */ var addEvent = function(evt, handler) { if (window.addEventListener) { document.addEventListener(evt, handler, false); } else if (window.attachEvent) { document.attachEvent('on' + evt, handler); } }; var removeEvent = function(evt, handler) { if (window.removeEventListener) { document.removeEventListener(evt, handler, false); } else if (window.detachEvent) { document.detachEvent('on' + evt, handler); } }; /* Interaction events that count as evidence of a human; the same handler is bound to each. */ var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypress keyup mousedown mousemove mouseout mouseover mouseup mousewheel scroll'.split(' '); var logHuman = function() { /* window.wfLogHumanRan is the run-once guard: only the first event injects the beacon script. */ if (window.wfLogHumanRan) { return; } window.wfLogHumanRan = true; var wfscr = document.createElement('script'); wfscr.type = 'text/javascript'; wfscr.async = true; /* '&r=' + Math.random() is a cache-buster so each page load produces a fresh request. */ wfscr.src = url + '&r=' + Math.random(); (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(wfscr); /* Detach every listener once the beacon has fired. */ for (var i = 0; i < evts.length; i++) { removeEvent(evts[i], logHuman); } }; for (var i = 0; i < evts.length; i++) { addEvent(evts[i], logHuman); } })('//thedfirreport.com/?wordfence_lh=1&hid=899FD5382868D378FC499653E211D019'); </script> <style>img#wpstats{display:none}</style> <style type="text/css" id="custom-background-css"> body.custom-background { background-color: #f8f8f8; } </style> <!-- Jetpack Open Graph Tags --> <meta property="og:type" 
content="article" /> <meta property="og:title" content="Detection Rules" /> <meta property="og:url" content="https://thedfirreport.com/services/detection-rules/" /> <meta property="og:description" content="Our Private Ruleset is curated using insights derived from Private Threat Briefs and internal cases, focusing on Sigma rules. As of January 2024, it encompasses approximately 100 Sigma rules, creat…" /> <meta property="article:published_time" content="2023-09-10T10:46:43+00:00" /> <meta property="article:modified_time" content="2024-01-28T20:53:54+00:00" /> <meta property="og:site_name" content="The DFIR Report" /> <meta property="og:image" content="https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-scaled.jpg" /> <meta property="og:image:width" content="2560" /> <meta property="og:image:height" content="640" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" /> <meta name="twitter:text:title" content="Detection Rules" /> <meta name="twitter:image" content="https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-scaled.jpg?w=640" /> <meta name="twitter:card" content="summary_large_image" /> <!-- End Jetpack Open Graph Tags --> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-32x32.png" sizes="32x32" /> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-180x180.png" /> <meta name="msapplication-TileImage" content="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-270x270.png" /> </head> <body class="page-template-default page page-id-21072 page-child parent-pageid-2160 custom-background has-sidebar tags-hidden author-hidden comment-hidden"> <div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Skip to content</a> <header 
href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35457"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32608"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38110"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21321"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring &#038; Coaching Program</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21327"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21328"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21324"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> </ul> </div><!-- .wrap --> </nav><!-- .secondary-navigation --> </div><!-- .main-header-brand --> </div><!-- .main-header --> </header><!-- #masthead --> <div id="content" class="site-content"> <div class="site-content-cell"> <div class="wrap wrap-width"> <div id="primary" class="content-area"> <main id="main" class="site-main"> <article id="post-21072" class="post-21072 page type-page status-publish has-post-thumbnail hentry entry"> <header class="entry-header"> <h1 class="entry-title">Detection Rules</h1> </header><!-- .entry-header --> 
<div class="post-thumbnail"> <img width="2560" height="640" src="https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-scaled.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" decoding="async" fetchpriority="high" srcset="https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-scaled.jpg 2560w, https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-300x75.jpg 300w, https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-1024x256.jpg 1024w, https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-768x192.jpg 768w, https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-1536x384.jpg 1536w, https://thedfirreport.com/wp-content/uploads/2023/09/detection-2-2048x512.jpg 2048w" sizes="(max-width: 2560px) 100vw, 2560px" /> </div><!-- .post-thumbnail --> <div class="entry-content"> <p>Our Private Ruleset is curated using insights derived from <a href="https://thedfirreport.com/services/threat-intelligence/" target="_blank" rel="noopener">Private Threat Briefs</a> and internal cases, focusing on Sigma rules. As of January 2024, it encompasses approximately 100 Sigma rules, built from knowledge gained across 40+ distinct cases. 
Each rule is mapped to ATT&amp;CK and accompanied by a test example.</p> <p>For more information about this ruleset, or to request a quote, please <a href="https://thedfirreport.com/contact/" target="_blank" rel="noopener">Contact Us</a>.</p> <div class="sharedaddy sd-sharing-enabled"><div class="robots-nocontent sd-block sd-social sd-social-icon-text sd-sharing"><h3 class="sd-title">Share this:</h3><div class="sd-content"><ul><li class="share-twitter"><a rel="nofollow noopener noreferrer" data-shared="sharing-twitter-21072" class="share-twitter sd-button share-icon" href="https://thedfirreport.com/services/detection-rules/?share=twitter" target="_blank" title="Click to share on Twitter" ><span>Twitter</span></a></li><li class="share-linkedin"><a rel="nofollow noopener noreferrer" data-shared="sharing-linkedin-21072" class="share-linkedin sd-button share-icon" href="https://thedfirreport.com/services/detection-rules/?share=linkedin" target="_blank" title="Click to share on LinkedIn" ><span>LinkedIn</span></a></li><li class="share-reddit"><a rel="nofollow noopener noreferrer" data-shared="" class="share-reddit sd-button share-icon" href="https://thedfirreport.com/services/detection-rules/?share=reddit" target="_blank" title="Click to share on Reddit" ><span>Reddit</span></a></li><li class="share-facebook"><a rel="nofollow noopener noreferrer" data-shared="sharing-facebook-21072" class="share-facebook sd-button share-icon" href="https://thedfirreport.com/services/detection-rules/?share=facebook" target="_blank" title="Click to share on Facebook" ><span>Facebook</span></a></li><li class="share-jetpack-whatsapp"><a rel="nofollow noopener noreferrer" data-shared="" class="share-jetpack-whatsapp sd-button share-icon" href="https://thedfirreport.com/services/detection-rules/?share=jetpack-whatsapp" target="_blank" title="Click to share on WhatsApp" ><span>WhatsApp</span></a></li><li class="share-end"></li></ul></div></div></div> </div><!-- .entry-content --> </article><!-- 
#post-21072 --> </main><!-- #main --> </div><!-- #primary --> <aside id="secondary" class="widget-area"> <section id="search-4" class="widget widget_search"><form role="search" method="get" class="search-form" action="https://thedfirreport.com/"> <label> <span class="screen-reader-text">Search for:</span> <input type="search" class="search-field" placeholder="Search &hellip;" value="" name="s" /> </label> <input type="submit" class="search-submit" value="Search" /> </form></section><section id="google_translate_widget-5" class="widget widget_google_translate_widget"><div id="google_translate_element"></div></section><section id="block-7" class="widget widget_block"> <div class="wp-block-jetpack-subscriptions__supports-newline wp-block-jetpack-subscriptions"> <div class="wp-block-jetpack-subscriptions__container is-not-subscriber"> <form action="https://wordpress.com/email-subscriptions" method="post" accept-charset="utf-8" data-blog="175340963" data-post_access_level="everybody" data-subscriber_email="" id="subscribe-blog" > <div class="wp-block-jetpack-subscriptions__form-elements"> <p id="subscribe-email"> <label id="subscribe-field-label" for="subscribe-field" class="screen-reader-text" > Type your email… </label> <input required="required" type="email" name="email" class="no-border-radius " style="font-size: 16px;padding: 15px 23px 15px 23px;border-radius: 0px;border-width: 1px;" placeholder="Type your email…" value="" id="subscribe-field" title="Please fill in this field." 
/> </p> <p id="subscribe-submit" > <input type="hidden" name="action" value="subscribe"/> <input type="hidden" name="blog_id" value="175340963"/> <input type="hidden" name="source" value="https://thedfirreport.com/services/detection-rules/"/> <input type="hidden" name="sub-type" value="subscribe-block"/> <input type="hidden" name="app_source" value=""/> <input type="hidden" name="redirect_fragment" value="subscribe-blog"/> <input type="hidden" name="lang" value="en_US"/> <input type="hidden" id="_wpnonce" name="_wpnonce" value="6470475017" /><input type="hidden" name="_wp_http_referer" value="/services/detection-rules/" /><input type="hidden" name="post_id" value="21072"/> <button type="submit" class="wp-block-button__link no-border-radius" style="font-size: 16px;padding: 15px 23px 15px 23px;margin: 0; margin-left: 10px;border-radius: 0px;border-width: 1px;" name="jetpack_subscriptions_widget" > Subscribe </button> </p> </div> </form> </div> </div> </section><section id="block-21" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure class="wp-block-media-text__media"><a href="https://the-dfir-report-store.myshopify.com/products/dfir-labs-ctf-july-6-16-00-20-00-utc"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2024/06/ctf-1.png" alt="" class="wp-image-35571 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2024/06/ctf-1.png 200w, https://thedfirreport.com/wp-content/uploads/2024/06/ctf-1-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h4 class="wp-block-heading"><a href="https://the-dfir-report-store.myshopify.com/products/dfir-labs-ctf-july-6-16-00-20-00-utc">Register For Our Next CTF</a></h4> </div></div> </section><section id="block-8" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure 
class="wp-block-media-text__media"><a href="https://thedfirreport.com/"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2023/09/monitor5-s.png" alt="" class="wp-image-21332 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2023/09/monitor5-s.png 200w, https://thedfirreport.com/wp-content/uploads/2023/09/monitor5-s-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h3 class="wp-block-heading"><a href="https://thedfirreport.com/" data-type="link" data-id="https://thedfirreport.com/">Reports</a></h3> </div></div> </section><section id="block-9" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure class="wp-block-media-text__media"><a href="https://thedfirreport.com/services/threat-intelligence/"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2023/09/cloud4-s.png" alt="" class="wp-image-21334 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2023/09/cloud4-s.png 200w, https://thedfirreport.com/wp-content/uploads/2023/09/cloud4-s-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h3 class="wp-block-heading"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat Intelligence</a></h3> </div></div> </section><section id="block-10" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure class="wp-block-media-text__media"><a href="https://thedfirreport.com/services/detection-rules/"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2023/09/warning4-s.png" alt="" class="wp-image-21336 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2023/09/warning4-s.png 200w, 
https://thedfirreport.com/wp-content/uploads/2023/09/warning4-s-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h3 class="wp-block-heading"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></h3> </div></div> </section><section id="block-16" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure class="wp-block-media-text__media"><a href="https://thedfirreport.com/services/dfir-labs/"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2024/04/labs-s.png" alt="" class="wp-image-31051 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2024/04/labs-s.png 200w, https://thedfirreport.com/wp-content/uploads/2024/04/labs-s-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h3 class="wp-block-heading"><a href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a></h3> </div></div> </section><section id="block-12" class="widget widget_block"> <div class="wp-block-media-text" style="grid-template-columns:15% auto"><figure class="wp-block-media-text__media"><a href="https://thedfirreport.com/services/mentoring-coaching-program/"><img loading="lazy" decoding="async" width="200" height="200" src="https://thedfirreport.com/wp-content/uploads/2023/09/help4-s.png" alt="" class="wp-image-21333 size-full" srcset="https://thedfirreport.com/wp-content/uploads/2023/09/help4-s.png 200w, https://thedfirreport.com/wp-content/uploads/2023/09/help4-s-150x150.png 150w" sizes="auto, (max-width: 200px) 100vw, 200px" /></a></figure><div class="wp-block-media-text__content"> <h3 class="wp-block-heading"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring and Coaching</a></h3> </div></div> </section></aside><!-- #secondary --> </div><!-- .wrap .wrap-width--> 
</div><!-- .site-content-cell --> </div><!-- #content --> <footer id="colophon" class="site-footer" role="contentinfo"> <div class="copyright-area"> <div class="wrap"> <div class="site-info"> <a href="https://wordpress.org/"> Proudly powered by WordPress</a> <span class="sep"> | </span> Copyright 2023 | The DFIR Report | All Rights Reserved </div><!-- .site-info --> <div class="footer-right-info"> </div> </div><!-- .wrap --> </div><!-- .copyright-area --> </footer><!-- #colophon --> <button href="#" class="back-to-top" type="button"><i class="fa-solid fa-arrow-up-long"></i>Go Top</button> </div><!-- #page --> <script type="text/javascript"> window.WPCOM_sharing_counts = {"https:\/\/thedfirreport.com\/services\/detection-rules\/":21072}; </script> <style id='jetpack-block-subscriptions-inline-css' type='text/css'> .is-style-compact .is-not-subscriber .wp-block-button__link,.is-style-compact .is-not-subscriber .wp-block-jetpack-subscriptions__button{border-end-start-radius:0!important;border-start-start-radius:0!important;margin-inline-start:0!important}.is-style-compact .is-not-subscriber .components-text-control__input,.is-style-compact .is-not-subscriber p#subscribe-email input[type=email]{border-end-end-radius:0!important;border-start-end-radius:0!important}.is-style-compact:not(.wp-block-jetpack-subscriptions__use-newline) .components-text-control__input{border-inline-end-width:0!important}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form-container{display:flex;flex-direction:column}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline:not(.wp-block-jetpack-subscriptions__use-newline) .is-not-subscriber .wp-block-jetpack-subscriptions__form-elements{align-items:flex-start;display:flex}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline:not(.wp-block-jetpack-subscriptions__use-newline) 
p#subscribe-submit{display:flex;justify-content:center}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form input[type=email]{box-sizing:border-box;cursor:pointer;line-height:1.3;min-width:auto!important;white-space:nowrap!important}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__button[contenteditable=true],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__button[contenteditable=true]{white-space:pre-wrap!important}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form input[type=email]::placeholder,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form input[type=email]:disabled,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline 
form input[type=email]::placeholder,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form input[type=email]:disabled{color:currentColor;opacity:.5}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form button{border-color:#0000;border-style:solid}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email{background:#0000;flex-grow:1}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form .wp-block-jetpack-subscriptions__textfield input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email 
.components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form .wp-block-jetpack-subscriptions__textfield input[type=email],.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email .components-base-control__field,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email .components-text-control__input,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email input[type=email]{height:auto;margin:0;width:100%}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline .wp-block-jetpack-subscriptions__form p#subscribe-submit,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-submit{line-height:0;margin:0;padding:0}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__show-subs .wp-block-jetpack-subscriptions__subscount{font-size:16px;margin:8px 
0;text-align:end}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__form-elements{display:block}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline button{display:inline-block;max-width:100%}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__subscount{text-align:start}#subscribe-submit.is-link{text-align:center;width:auto!important}#subscribe-submit.is-link a{margin-left:0!important;margin-top:0!important;width:auto!important}@keyframes jetpack-memberships_button__spinner-animation{to{transform:rotate(1turn)}}.jetpack-memberships-spinner{display:none;height:1em;margin:0 0 0 5px;width:1em}.jetpack-memberships-spinner svg{height:100%;margin-bottom:-2px;width:100%}.jetpack-memberships-spinner-rotating{animation:jetpack-memberships_button__spinner-animation .75s linear infinite;transform-origin:center}.is-loading .jetpack-memberships-spinner{display:inline-block}body.jetpack-memberships-modal-open{overflow:hidden}dialog.jetpack-memberships-modal{opacity:1}dialog.jetpack-memberships-modal,dialog.jetpack-memberships-modal iframe{background:#0000;border:0;bottom:0;box-shadow:none;height:100%;left:0;margin:0;padding:0;position:fixed;right:0;top:0;width:100%}dialog.jetpack-memberships-modal::backdrop{background-color:#000;opacity:.7;transition:opacity .2s ease-out}dialog.jetpack-memberships-modal.is-loading,dialog.jetpack-memberships-modal.is-loading::backdrop{opacity:0} </style> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/navigation.min.js?ver=6.7.2" 
id="freenews-navigation-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/skip-link-focus-fix.js?ver=6.7.2" id="freenews-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/ResizeSensor.min.js?ver=6.7.2" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/theia-sticky-sidebar.min.js?ver=6.7.2" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick.min.js?ver=6.7.2" id="slick-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick-settings.js?ver=6.7.2" id="freenews-slick-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/jquery.sticky.js?ver=6.7.2" id="jquery-sticky-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/sticky-setting.js?ver=6.7.2" id="freenews-sticky-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/jquery.marquee.min.js?ver=6.7.2" id="marquee-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/marquee-settings.js?ver=6.7.2" id="freenews-marquee-settings-js"></script> <script type="text/javascript" src="https://stats.wp.com/e-202508.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script type="text/javascript" id="jetpack-stats-js-after"> /* <![CDATA[ */ _stq = window._stq || []; _stq.push([ "view", 
JSON.parse("{\"v\":\"ext\",\"blog\":\"175340963\",\"post\":\"21072\",\"tz\":\"0\",\"srv\":\"thedfirreport.com\",\"j\":\"1:14.3\"}") ]); _stq.push([ "clickTrackerInit", "175340963", "21072" ]); /* ]]> */ </script> <script type="text/javascript" id="google-translate-init-js-extra"> /* <![CDATA[ */ var _wp_google_translate_widget = {"lang":"en_US","layout":"0"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.3/_inc/build/widgets/google-translate/google-translate.min.js" id="google-translate-init-js"></script> <script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&amp;ver=14.3" id="google-translate-js"></script> <script type="text/javascript" id="jetpack-blocks-assets-base-url-js-before"> /* <![CDATA[ */ var Jetpack_Block_Assets_Base_Url="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/"; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/dist/dom-ready.min.js" id="wp-dom-ready-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/dist/vendor/wp-polyfill.min.js" id="wp-polyfill-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/subscriptions/view.js?minify=false&amp;ver=14.3" id="jetpack-block-subscriptions-js"></script> <script type="text/javascript" id="sharing-js-js-extra"> /* <![CDATA[ */ var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.3/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script type="text/javascript" id="sharing-js-js-after"> /* <![CDATA[ */ var windowOpen; ( function () { function matches( el, sel ) { return !! 
( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-twitter' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! 
event.target ) { return; } var el; if ( matches( event.target, 'a.share-facebook' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); /* ]]> */ </script> </body> </html>
