Our latest Helix threat detection update is now live. This cumulative report summarizes the May 2026 update releases delivering 5 new atomic detection rules, 8 new correlation use cases, and 5+ rule enhancements to bolster your security posture.
Key Threat Coverage (Available on Helix New & Legacy)
- Linux System Evasion: We have introduced protections to identify when adversaries attempt to use system management utilities like systemctl, service, or chkconfig to stop, disable, or mask system services to evade defenses. Additional rules flag the use of killall or pkill commands, which are frequently used by attackers to terminate security monitoring tools and logging services.
- Windows Privilege Escalation & BYOVD: New rules detect kernel-mode drivers being registered or loaded from temporary paths, a strong indicator of Bring Your Own Vulnerable Driver (BYOVD) attacks aimed at gaining kernel-level privileges. We have also added detections for colorcpl.exe running from user-writable directories instead of protected system paths, a pattern used to elevate privileges or evade analysis.
- Anomalous .NET Deserialization: To target payload execution tactics, new rules identify when .NET Add-In framework binaries spawn unusual child processes (excluding conhost.exe and werfault.exe), which often indicates an adversary leveraging BinaryFormatter deserialization.
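To make the three atomic rule families above concrete, here is an added example of the same detection logic expressed as a small rule evaluator run over constructed process-creation and driver-load events. It is illustrative code written for this post, not Helix rule content, and it uses an invented event schema (the `os`, `kind`, `image`, `parent_image` and `command_line` fields), an assumed set of .NET Add-In framework binaries (AddInProcess.exe, AddInProcess32.exe, AddInUtil.exe) and an assumed list of what counts as a temporary or protected Windows path.

```python
"""Toy evaluator for the atomic detections described above.

Events are constructed records in a schema invented for this example;
they are not Helix telemetry and the field names are assumptions.
"""
import ntpath
import posixpath
import re
from typing import Dict, List, Tuple

# Assumption: these are the .NET Add-In framework binaries the rule means.
ADDIN_PARENTS = {"addinprocess.exe", "addinprocess32.exe", "addinutil.exe"}
# Child processes the rule explicitly excludes.
ADDIN_BENIGN_CHILDREN = {"conhost.exe", "werfault.exe"}
# Protected system paths colorcpl.exe is expected to run from (assumed list).
PROTECTED_WIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path fragments treated as temporary locations (assumed list).
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")

SERVICE_TOOLS = {"systemctl", "service", "chkconfig"}
SERVICE_VERBS = re.compile(r"\b(stop|disable|mask)\b")
KILL_TOOLS = {"killall", "pkill"}


def basename(path: str, os_name: str) -> str:
    """Lower-cased file name, using the right separator for the OS."""
    split = ntpath.basename if os_name == "windows" else posixpath.basename
    return split(path).lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    os_name = ev["os"]
    image = basename(ev.get("image", ""), os_name)
    cmd = ev.get("command_line", "").lower()

    if os_name == "linux":
        # Service management utility used to stop/disable/mask a service.
        if image in SERVICE_TOOLS and SERVICE_VERBS.search(cmd):
            hits.append("linux_service_tampering")
        # Any use of killall/pkill is flagged for analyst review.
        if image in KILL_TOOLS:
            hits.append("linux_process_kill_utility")

    if os_name == "windows":
        path = ev.get("image", "").lower()
        # Kernel driver loaded from a temporary location (BYOVD indicator).
        if ev["kind"] == "driver_load" and any(m in path for m in TEMP_MARKERS):
            hits.append("win_driver_loaded_from_temp_path")
        if ev["kind"] == "process_create":
            # colorcpl.exe running outside the protected system directories.
            if image == "colorcpl.exe" and not path.startswith(PROTECTED_WIN_DIRS):
                hits.append("win_colorcpl_unexpected_path")
            # Add-In framework host spawning a child other than the excluded ones.
            parent = basename(ev.get("parent_image", ""), os_name)
            if parent in ADDIN_PARENTS and image not in ADDIN_BENIGN_CHILDREN:
                hits.append("win_addin_unusual_child")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through evaluate() and return (host, rule) pairs."""
    return [(ev["host"], rule) for ev in events for rule in evaluate(ev)]


# Constructed sample events: one matching and one benign case per rule.
SAMPLE_EVENTS = [
    {"host": "lnx-01", "os": "linux", "kind": "process_create",
     "image": "/usr/bin/systemctl", "command_line": "systemctl stop auditd"},
    {"host": "lnx-01", "os": "linux", "kind": "process_create",
     "image": "/usr/bin/systemctl", "command_line": "systemctl status sshd"},
    {"host": "lnx-02", "os": "linux", "kind": "process_create",
     "image": "/usr/bin/pkill", "command_line": "pkill rsyslogd"},
    {"host": "win-01", "os": "windows", "kind": "driver_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\drv.sys", "command_line": ""},
    {"host": "win-01", "os": "windows", "kind": "driver_load",
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "command_line": ""},
    {"host": "win-02", "os": "windows", "kind": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\Downloads\colorcpl.exe", "command_line": "colorcpl.exe"},
    {"host": "win-02", "os": "windows", "kind": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\colorcpl.exe", "command_line": "colorcpl.exe"},
    {"host": "win-03", "os": "windows", "kind": "process_create",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"host": "win-03", "os": "windows", "kind": "process_create",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Each rule is written to accept the benign twin of its sample event (a `systemctl status`, a driver under `System32\drivers`, colorcpl.exe from its normal location, an Add-In host spawning conhost.exe), which is the part of rule authoring that keeps alert volume manageable; a real deployment would tune the assumed path lists to the estate's own baseline.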
Enhanced Correlation (Available on Helix New)
- New Correlation Use Cases: Eight new use cases are now available to provide deeper behavioral insight across your environment. These target high-risk behaviors including:
  - Suspicious Remote Management and Monitoring (RMM) tool execution.
  - WScript malicious file execution leveraged by Office applications alongside colorcpl.exe.
  - Windows event log enumeration, tampering, or deletion.
  - PowerShell history credential reconnaissance followed by suspicious activity.
  - Persistence via modifications to the UserInitMprLogonScript registry key.
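The difference between an atomic rule and a correlation use case such as "PowerShell history credential reconnaissance followed by suspicious activity" is the ordering and time constraint: a first-stage event must be followed, on the same host and within a window, by a second-stage event. The following added example (illustrative code written for this post, not Helix correlation content) shows that shape over constructed events. It assumes that the reconnaissance stage is a process whose command line references the PSReadLine history file (ConsoleHost_history.txt), that the "suspicious activity" stage is any event already carrying an atomic rule match in an assumed `atomic_rule` field, and a 30-minute window.

```python
"""Toy two-stage correlation over constructed host events.

Field names (host, ts, kind, command_line, atomic_rule) and the
30-minute window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=30)  # assumed correlation window
# PSReadLine writes interactive command history to this file name.
PS_HISTORY_MARKER = "consolehost_history.txt"


def is_history_recon(ev: Dict[str, str]) -> bool:
    """Stage 1: a process whose command line touches the PowerShell history file."""
    return ev["kind"] == "process_create" and PS_HISTORY_MARKER in ev["command_line"].lower()


def correlate(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, recon_time, followup_rule) for every host where a history
    read is followed within WINDOW by an event that carries an atomic alert."""
    by_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_host[ev["host"]].append(ev)

    findings: List[Tuple[str, str, str]] = []
    for host, evs in by_host.items():
        pending: List[datetime] = []  # recon timestamps still inside the window
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            pending = [t for t in pending if ts - t <= WINDOW]  # expire old recon
            if is_history_recon(ev):
                pending.append(ts)
                continue
            if ev.get("atomic_rule") and pending:
                findings.append((host, pending[0].isoformat(), ev["atomic_rule"]))
                pending = []  # one finding per reconnaissance burst
    return findings


# Constructed sample events (not real telemetry).
HISTORY_PATH = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
SAMPLE_EVENTS = [
    # win-a: history read, then an atomic alert 12 minutes later -> correlates.
    {"host": "win-a", "ts": "2026-05-04T10:00:00", "kind": "process_create",
     "command_line": f"cmd.exe /c type {HISTORY_PATH}", "atomic_rule": ""},
    {"host": "win-a", "ts": "2026-05-04T10:12:00", "kind": "process_create",
     "command_line": "colorcpl.exe", "atomic_rule": "win_colorcpl_unexpected_path"},
    # win-b: history read, but the atomic alert arrives two hours later -> no.
    {"host": "win-b", "ts": "2026-05-04T09:00:00", "kind": "process_create",
     "command_line": f"powershell.exe Get-Content {HISTORY_PATH}", "atomic_rule": ""},
    {"host": "win-b", "ts": "2026-05-04T11:00:00", "kind": "process_create",
     "command_line": "colorcpl.exe", "atomic_rule": "win_colorcpl_unexpected_path"},
    # win-c: atomic alert with no preceding reconnaissance -> no.
    {"host": "win-c", "ts": "2026-05-04T10:05:00", "kind": "process_create",
     "command_line": "colorcpl.exe", "atomic_rule": "win_colorcpl_unexpected_path"},
]

if __name__ == "__main__":
    for host, when, rule in correlate(SAMPLE_EVENTS):
        print(f"{host}: history reconnaissance at {when} followed by {rule}")
```

Only win-a produces a finding: win-b's second stage falls outside the window and win-c never had a first stage. Feeding the second stage from atomic rule output, rather than re-matching raw events, is what lets one correlation use case cover many follow-on behaviours without restating each of them.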
These updates are available in your environment. There is no action required on your part. For more details and a complete list of the changes, see the release details below:
Note: To receive information about product updates, sign up for the Support Notification Service.
For instructions, see the Thrive Portal User Guide and navigate to Profile and Settings > My Settings > Manage Support Notification Services (SNS) subscription preferences.