Our latest Helix threat detection update is now live. This cumulative report summarizes the April 2026 update releases, which deliver 10 new atomic detection rules, 6 new correlation use cases, and 30+ rule enhancements to bolster your security posture.
Key Threat Coverage (Available on Helix New & Legacy)
- Persistence & Evasion Tactics: New rules detect threat actors using WMIC to set an account's password to never expire, a persistence technique that preserves long-term access. Additional rules detect PowerShell scripts that call native Windows APIs directly, or resolve API addresses dynamically at run time, to manipulate memory and evade static analysis during fileless execution.
- Remote Access & Tunneling: Comprehensive coverage has been added for Ngrok utility usage: remote access tunneling of high-risk protocols such as RDP and SSH, reverse tunnel initiation that bypasses perimeter controls, and suspicious communication with Ngrok-hosted services, which are often used as C2 endpoints.
- Modern Application & AI Security: To address emerging vectors, we now detect Office 365 Copilot Prompt Injection (Jailbreak) and Cross-Prompt Injection (XPIA) attempts aimed at bypassing AI safety filters. We also added detection for suspicious Deno execution used to compile unauthorized binaries or bypass system permissions.
- Advanced Browser & Macro Protection: New rules identify suspicious browser remote debugging port flags used by InfoStealers for session hijacking. We have also enhanced detection for Office applications loading WMI-related DLLs, a precursor to launching child processes through WMI so that they evade standard parent-child process monitoring.
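To make the coverage above concrete, the following is an added example, written for this page and not an export of the Helix rules, of what toy versions of three of these detections look like when run over process-creation telemetry. The events are constructed (in the shape of Sysmon Event ID 1 or Security 4688 with command-line auditing), and the field layout, rule names, port list, Ngrok domain suffixes and severity tuning are all assumptions.

```python
"""Toy versions of three detections named in this update, run over constructed
Windows process-creation events (the shape of Sysmon Event ID 1 / Security 4688
with command-line logging).  Added example for this page, not an export of the
Helix rules; field names, rule names and tuning thresholds are assumptions."""
import re

# Constructed sample events: (parent image, image, command line).
SAMPLE_EVENTS = [
    ("cmd.exe", "WMIC.exe",
     "wmic useraccount where \"name='svc_backup'\" set PasswordExpires=false"),
    ("cmd.exe", "WMIC.exe", "wmic os get caption"),
    ("explorer.exe", "ngrok.exe", "ngrok tcp 3389"),
    ("powershell.exe", "ngrok.exe", "ngrok.exe tcp --region eu 22"),
    ("explorer.exe", "ngrok.exe", "ngrok http 8080"),
    ("svchost.exe", "chrome.exe",
     "chrome.exe --headless --remote-debugging-port=9222 "
     "--user-data-dir=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data"),
    ("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ("node.exe", "chrome.exe",
     "chrome.exe --remote-debugging-port=9222 --user-data-dir=C:\\temp\\puppeteer"),
]

# 1. Persistence: WMIC marking an account's password as never expiring.
_PWEXP = re.compile(r"useraccount\b.*\bset\b.*\bPasswordExpires\s*=\s*false", re.I)

def detect_wmic_password_expiry(image, cmdline):
    return image.lower() == "wmic.exe" and bool(_PWEXP.search(cmdline))

# 2. Tunneling: ngrok starting any tunnel, and in particular exposing an
# interactive remote-access port.
HIGH_RISK_PORTS = {"3389": "RDP", "22": "SSH", "5985": "WinRM", "445": "SMB"}
_TUNNEL_VERBS = {"tcp", "http", "tls", "start", "tunnel"}
# Ngrok-hosted domains (assumption: illustrative list, not exhaustive).
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app", ".ngrok.dev")

def is_ngrok_tunnel(image, cmdline):
    tokens = set(cmdline.lower().split())
    return image.lower().startswith("ngrok") and bool(_TUNNEL_VERBS & tokens)

def ngrok_exposed_protocol(image, cmdline):
    """Protocol name for `ngrok tcp <port>` on a high-risk port, else None."""
    tokens = cmdline.lower().split()
    if not image.lower().startswith("ngrok") or "tcp" not in tokens:
        return None
    port = tokens[-1].rsplit(":", 1)[-1]   # accepts "3389" or "host:3389"
    return HIGH_RISK_PORTS.get(port)

def is_ngrok_hosted(hostname):
    """DNS/proxy-side check for a destination under an Ngrok-hosted domain."""
    return hostname.lower().rstrip(".").endswith(NGROK_SUFFIXES)

# 3. Session hijacking: a Chromium browser launched with the DevTools remote
# debugging flag.  Automation frameworks use the same flag, so severity comes
# from context (headless, the user's real profile, the parent) not the flag alone.
_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe"}
_DEBUG_FLAG = re.compile(r"--remote-debugging-(port|pipe)\b", re.I)
_AUTOMATION_PARENTS = {"node.exe", "python.exe", "chromedriver.exe", "msedgedriver.exe"}

def browser_remote_debugging_severity(parent, image, cmdline):
    if image.lower() not in _BROWSERS or not _DEBUG_FLAG.search(cmdline):
        return None
    lowered = cmdline.lower()
    headless = "--headless" in lowered
    real_profile = "user data" in lowered    # default Chrome/Edge profile path
    if (headless or real_profile) and parent.lower() not in _AUTOMATION_PARENTS:
        return "high"
    return "low"

def run_detections(events):
    """Return (rule name, command line) pairs for every event that fires a rule."""
    hits = []
    for parent, image, cmdline in events:
        if detect_wmic_password_expiry(image, cmdline):
            hits.append(("wmic_password_never_expires", cmdline))
        proto = ngrok_exposed_protocol(image, cmdline)
        if proto:
            hits.append((f"ngrok_remote_access_{proto.lower()}", cmdline))
        elif is_ngrok_tunnel(image, cmdline):
            hits.append(("ngrok_tunnel_started", cmdline))
        sev = browser_remote_debugging_severity(parent, image, cmdline)
        if sev:
            hits.append((f"browser_remote_debugging_{sev}", cmdline))
    return hits

if __name__ == "__main__":
    for rule, cmd in run_detections(SAMPLE_EVENTS):
        print(f"{rule:32} {cmd}")
```

The tuning in the browser rule is the part worth copying: `--remote-debugging-port` on its own fires constantly in developer and test environments, so a production rule keys on the combination of the flag with a headless launch, the user's live profile directory, or an unexpected parent, and downgrades the rest.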
Enhanced Correlation (Available on Helix New)
- New Correlation Use Cases: Six new use cases are now available, specifically targeting Tomcat-based Web Server RCE to Web Shell chains, Meterpreter session/payload execution with C2 connections, and Privilege Escalation.
These updates are available in your environment. There is no action required on your part. For more details and a complete list of the changes, see the release details below:
[Login Required] Trellix Helix Threat Detection Updates - April, 2026
Note: To receive information about product updates, sign up for the Support Notification Service.
For instructions, see the Thrive Portal User Guide and navigate to Profile and Settings > My Settings > Manage Support Notification Services (SNS) subscription preferences.