From 8c3930494b15ee9df26145eb4dac61c189559b84 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Sun, 4 Jan 2026 20:25:18 +0100
Subject: [PATCH] feat(rules): Add Suspicious protected process execution rule

Identifies unprivileged process spawning a child with protected integrity level. This indicates an unusual behavior that is often associated with attempts to tamper with or freeze endpoint protection components.
---
 ...suspicious_protected_process_execution.yml | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 rules/defense_evasion_suspicious_protected_process_execution.yml

diff --git a/rules/defense_evasion_suspicious_protected_process_execution.yml b/rules/defense_evasion_suspicious_protected_process_execution.yml
new file mode 100644
index 000000000..a360e5952
--- /dev/null
+++ b/rules/defense_evasion_suspicious_protected_process_execution.yml
@@ -0,0 +1,40 @@
+name: Suspicious protected process execution
+id: a778295a-02f1-42d9-9c20-78346a7bc2c6
+version: 1.0.0
+description: |
+  Identifies unprivileged process spawning a child with protected integrity level. This
+  indicates an unusual behavior that is often associated with attempts to tamper with or
+  freeze endpoint protection components.
+labels:
+  tactic.id: TA0005
+  tactic.name: Defense Evasion
+  tactic.ref: https://attack.mitre.org/tactics/TA0005/
+  technique.id: T1562
+  technique.name: Impair Defenses
+  technique.ref: https://attack.mitre.org/techniques/T1562/
+  subtechnique.id: T1562.001
+  subtechnique.name: Disable or Modify Tools
+  subtechnique.ref: https://attack.mitre.org/techniques/T1562/001
+references:
+  - https://github.com/TwoSevenOneT/EDR-Freeze
+
+condition: >
+  sequence
+  maxspan 1m30s
+    |spawn_process and
+      ps.token.integrity_level != 'SYSTEM' and
+      ps.exe not imatches
+      (
+        '?:\\Program Files\\*',
+        '?:\\Program Files(x86)\\*'
+      )
+    | by ps.uuid
+    |spawn_process and ps.is_protected| by ps.parent.uuid
+action:
+  - name: kill
+
+output: >
+  Suspicious protected process %2.ps.exe spawned by process %2.ps.parent.exe
+severity: high
+
+min-engine-version: 3.0.0
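Review bot: The second exclusion pattern in the first sequence stage, `'?:\\Program Files(x86)\\*'`, is missing the space in the real directory name, so it never matches paths under `C:\Program Files (x86)\` and 32-bit vendor installs under that directory are not excluded the way the first pattern excludes 64-bit ones; it should read `'?:\\Program Files (x86)\\*'`. The description calls the parent "unprivileged", but the condition only requires `ps.token.integrity_level != 'SYSTEM'`, so an elevated high-integrity parent also satisfies the sequence — presumably intended, in which case the description should say "non-SYSTEM process" so the text matches what is evaluated. The `kill` action is attached to a sequence whose second event is a process that is itself protected (`ps.is_protected`); since a non-protected caller cannot terminate a protected process, it is worth documenting in the rule which process the action is expected to terminate, or whether the parent is the intended target.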