Overview

Stairwell provides multiple categories of YARA-based rule feeds. Each category is designed for a specific analytical purpose—ranging from high-confidence detection to behavioral hunting enrichment. This document outlines the role of each feed and provides technical guidance for their use.

Detection-Grade Feeds

These feeds are designed for production use and high-confidence detection. They should be enabled globally.

1. Pro Rules

Purpose: High-confidence identification of Advanced Persistent Threat (APT) activity.

Characteristics:

• Source: Licensed from a trusted commercial threat intelligence provider
• Confidence: Very high
• Visibility: Rule bodies are not displayed (match results remain visible)
• Intended Use: Production-grade detection and alerting

Appropriate Scenarios:

• APT threat detection
• High-fidelity alerting
• Strategic threat intelligence integration

2. Stairwell Research Rules

Purpose: Provide broad coverage across malware families, techniques, and behaviors.

Characteristics:

• Source: Developed and maintained by Stairwell’s internal research team
• Visibility: Full rule bodies available to the customer
• Intended Use: Detection, investigation, and enrichment

Appropriate Scenarios:

• Malware family classification
• Behavioral analysis
• Investigation workflows

Hunting-Grade Feeds

These feeds are not intended for standalone detection or alerting. They support advanced threat hunting, triage, and response.

3. Methodology Rules

Purpose: Identify file attributes, capabilities, and behaviors frequently associated with malicious software.

Examples of behaviors detected:

• Presence of AES encryption constants
• Direct physical disk access bypassing normal file I/O operations
• API name hashing or heavy obfuscation
• Presence of onion service references
• Creation of single-character Windows services

Key Properties:

• Over 1,000 rules
• Not detection-grade
• High value for identifying suspicious or noteworthy behaviors
• Frequently match (~80–85%) truly malicious files, but also match legitimate software

Appropriate Scenarios:

• Prioritizing large file datasets for review
• Identifying ransomware-like characteristics
• Filtering uncommon files exhibiting suspicious traits

Operational Guidance: Methodology rules are most effective when combined with additional context, such as:

• Global asset rarity
• Local asset presence
• Co-occurrence with detection-grade rules (Pro or Research)

4. Experimental Rules

Purpose: Internal or pre-release rules not yet validated for promotion.

Characteristics:

• High likelihood of noise
• Not intended for detection
• Optional for exploratory hunting use

5. OSINT Rules

Purpose: Community or publicly sourced rules, provided with full attribution.

Characteristics:

• Not detection-grade
• Useful for supplemental enrichment during investigations

Threat Hunting With Methodology Rules

The following techniques highlight how methodology rules can be operationalized effectively.

1. Combine Methodology Matches With Global Rarity

Filtering for files that:

• Match at least one methodology rule
• Are present on fewer than five assets globally
• Are present on at least one asset locally

This process isolates:

• Low-prevalence malware
• Embedded or packaged malicious components
• Early-stage threat deployments

2. Combine Methodology Rules With Detection-Grade Rule Matches

A file matching both:

• A Pro rule
• A Methodology rule

is typically extremely high-signal and should be prioritized immediately.

3. Example Search Pattern

matches: methodology_rule
AND global_asset_count < 5
AND local_asset_count >= 1

Expected outcome:
A focused dataset of rare, suspicious files surfaced for manual review.