Aegis Detections: Battle-Tested Rules, Released to the Community
By Bell Labs Engineering

Every Bell Labs engagement ends the same way: we turn what we learned breaking in into detections that catch the next intruder. Aegis is the open-source subset of that work — rules distilled from hundreds of real intrusions, generalized and released for the community.
Detect behavior, not artifacts
Signatures on file hashes age out the moment an operator recompiles. Aegis rules target the behaviors that are expensive for an attacker to change: the sequence of a credential-dumping technique, the shape of a beacon's jitter, the parent- child process relationships of a living-off-the-land chain.
title: Suspicious LSASS Access From Non-System Binary
status: stable
logsource:
category: process_access
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1010'
filter:
SourceImage|startswith:
- 'C:\Windows\System32\'
condition: selection and not filter
level: high
What's inside
- Endpoint — credential access, defense evasion, and persistence chains.
- Network — beacon detection heuristics that survive profile changes.
- Identity — anomalous token and session behavior in cloud tenants.
Using Aegis
Rules ship in a portable format with mappings to common SIEM and EDR backends.
Start with the stable set, tune the filters to your environment, and promote
experimental rules once you have baselined the noise.
Contributions are welcome — the strongest detections come from defenders who have watched a real intrusion unfold.