This edition highlights detection rule changes from 9 GitHub repositories (out of 40+ monitored) between Dec 2 and Dec 9, 2024.
In this period, 19 new rules were added, and 61 were updated. We focus only on medium, high, or critical impact changes to bring you the most relevant updates.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key points
Significant advancements in detection rules this cycle primarily focus on enhancing coverage for emerging threats, particularly by adding high and critical severity rules in various repositories. New rules improve detection against SQL injection, path traversal, and remote execution vulnerabilities while existing rules have been optimized for better detection accuracy and reduced false positives. The updates reflect a strategic focus on expanding threat landscape visibility and improving attacker activity interception across diverse platforms, including AWS, Azure, Apache Tomcat, and Windows environments.
A new critical rule targeting Apache Tomcat JMX Port vulnerabilities has been introduced, filling a crucial gap in detection capabilities. This enables organizations to better protect against potentially severe remote code execution exploits. (projectdiscovery/nuclei-templates)
Emergent vulnerability detections, including Mingsoft MCMS SQL injection and MLflow path traversal vulnerabilities, are now covered with high-severity rules. These additions substantially bolster defenses against unauthorized data access and file exploitation. (projectdiscovery/nuclei-templates)
Enhancements in AWS security with new ESQL rules enable the detection of several sensitive and policy violation activities, such as Bedrock invocations without guardrails and multiple policy breaches. These rules significantly strengthen detection against data breaches and unauthorized actions. (elastic/detection-rules)
Several updated rules in Sigma and Sigma-compatible detection tools like Hayabusa and Splunk ensure broader detection of suspicious activities through improved coverage of remote access software installations, NTLM downgrades, and network investigations. These modifications also focus on raising alert accuracy and reducing false negatives. (SigmaHQ/sigma, mdecrevoisier/SIGMA-detection-rules, Yamato-Security/hayabusa-rules)
Including the 'Meduza Stealer' tag across multiple Splunk metadata changes highlights a strategic move for enhanced threat contextualization and facilitates a more cohesive incident response workflow by anchoring alerts to recognized threat actors. (splunk/security_content)
Corporate repositories (7)
elastic/detection-rules (4 added, 1 modified)
The dataset introduces several new ESQL rules targeting AWS Bedrock, significantly expanding the detection capability regarding unauthorized model invocations, sensitive information, and inappropriate content topic usage. Modifications in existing rules, such as refactoring field usage for modern log structures in Azure, improve operational effectiveness and coverage. These updates enhance detection for policy violations and sensitive use cases, reflecting a comprehensive upgrade in threat intelligence.
➕ New rules
AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
Coverage change | Medium impact | Source
Introduces a new ESQL rule to identify multiple AWS Bedrock invocations without guardrails by the same user within a one-minute window. The absence of guardrails across repeated calls is treated as a sign of potential security bypass attempts.
Unusual High Denied Sensitive Information Policy Blocks Detected
Coverage change | Medium impact | Source
Adds a new ESQL rule to identify repeated blocked actions due to 'sensitive_information_policy' violations. This aims to catch attempts to access sensitive topics within AI models.
Unusual High Denied Topic Blocks Detected
Coverage change | Medium impact | Source
Implements a new ESQL rule to detect frequent blocks due to 'topic_policy' violations in AWS Bedrock, targeting unauthorized attempts to access restricted topics.
Unusual High Word Policy Blocks Detected
Coverage change | Medium impact | Source
Introduces a new ESQL rule focused on detecting repeated blocked actions due to 'word_policy' violations, helping identify efforts to circumvent content restrictions by users.
✎ Modified rules
Unusual High Confidence Content Filter Blocks Detected
Coverage change | Medium impact | Source
Enhanced detection for AWS Bedrock blocks due to content filter policy violations, including new violation codes like 'HATE', 'SEXUAL', 'INSULTS', 'PROMPT_ATTACK', and 'VIOLENCE'. The severity level and risk score were adjusted to reflect these changes.
SigmaHQ/sigma (1 added, 2 modified)
The dataset features the addition of a high-impact rule for detecting AWS RDS cluster modifications or deletions, improving cloud resource security monitoring. Modifications focus on enhancing detection for Windows remote access software installation by including AnyDesk, and refining NTLM registry event criteria to improve detection accuracy. These updates bolster security posture by improving detection coverage and precision in response to evolving threat landscapes.
➕ New rules
Modification or Deletion of an AWS RDS Cluster
Coverage change | High impact | Source
This new rule detects modifications or deletions of AWS RDS clusters, which could indicate data exfiltration, unauthorized access, or exposure of sensitive data. It uses CloudTrail logs focusing on 'ModifyDBCluster' and 'DeleteDBCluster' events.
✎ Modified rules
Windows Security Service Install Remote Access Software
Coverage change | Medium impact | Source
The rule has been updated to include 'AnyDesk' as a detection keyword for remote access software installations. This update likely reflects changes in adversary tactics involving AnyDesk software for unauthorized access.
Registry Event Net NTLM Downgrade
Coverage change | Medium impact | Source
The modification refines the selection criteria, splitting detection into specific value checks for 'lmcompatibilitylevel', 'NtlmMinClientSec', and 'RestrictSendingNTLMTraffic'. This allows for more precise monitoring of changes that impact NTLM security settings in Windows registries.
panther-labs/panther-analysis (3 added)
This update introduces several new rules aimed at expanding detection coverage across AWS CloudTrail, EKS, and CrowdStrike environments, addressing potential defense evasion and misconfigurations. Additionally, email regex patterns in Microsoft365 and Zoom rules were standardized for maintenance purposes, enhancing rule efficiency and consistency across codebases. Operational impact is generally incremental, with medium-severity coverage enhancements poised to bolster security postures against specific attack vectors and logging misconfigurations.
➕ New rules
AWS CloudTrail Event Selectors Disabled
Coverage change | Medium impact | Source
A new rule to detect when CloudTrail event selectors are modified to exclude management events, indicating potential tampering with logging settings. It alerts on such events and verifies whether all management events are excluded from each selector.
AWS CloudTrail Short Lifecycle
Coverage change | Medium impact | Source
Introduced a rule to identify CloudTrail logs stored in S3 buckets that are configured with a lifecycle rule shorter than 7 days. It checks such configurations to ensure that CloudTrail log retention meets or exceeds recommended durations.
Crowdstrike Detection Summary
Coverage change | Medium impact | Source
Introduces a detection rule that forwards alerts from CrowdStrike Endpoint Protection Platform Detection Summary Events, providing visibility into EDR alerts triggered by CrowdStrike.
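As an added illustration of the two CloudTrail checks described above (this is example code, not panther-analysis's own rules), here are Panther-style rule functions over simplified CloudTrail event shapes; the event layouts, the set of buckets treated as trail buckets, and the sample events are assumptions constructed for this example.

```python
"""Added example, not panther-analysis code: Panther-style rule functions for
the PutEventSelectors and PutBucketLifecycle checks. Event shapes are
simplified assumptions and the sample events below are constructed."""

MIN_RETENTION_DAYS = 7  # the retention floor named in the digest


def event_selectors_disabled(event: dict) -> bool:
    """True when a PutEventSelectors call leaves no selector that still
    includes management events, so control-plane API activity stops being logged."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return False
    if event.get("eventName") != "PutEventSelectors":
        return False
    selectors = (event.get("requestParameters") or {}).get("eventSelectors") or []
    if not selectors:
        return False
    # One selector that keeps management events is enough to keep the trail useful.
    return all(sel.get("includeManagementEvents") is False for sel in selectors)


def short_log_lifecycle(event: dict, trail_buckets: set, min_days: int = MIN_RETENTION_DAYS) -> bool:
    """True when a PutBucketLifecycle call on a bucket holding CloudTrail logs
    enables a rule that expires objects in fewer than min_days. Which buckets
    hold trail logs is supplied by the caller (an assumption of this example)."""
    if event.get("eventName") != "PutBucketLifecycle":
        return False
    params = event.get("requestParameters") or {}
    if params.get("bucketName") not in trail_buckets:
        return False
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # a single rule is serialized as a mapping, not a list
        rules = [rules]
    for rule in rules:
        if rule.get("Status") != "Enabled":
            continue
        days = (rule.get("Expiration") or {}).get("Days")
        if days is not None and int(days) < min_days:
            return True
    return False


# Constructed sample events (not real CloudTrail records).
SELECTORS_EVENT = {
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "PutEventSelectors",
    "requestParameters": {
        "trailName": "org-trail",
        "eventSelectors": [{"readWriteType": "All", "includeManagementEvents": False}],
    },
}
LIFECYCLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutBucketLifecycle",
    "requestParameters": {
        "bucketName": "org-cloudtrail-logs",
        "LifecycleConfiguration": {"Rule": {"ID": "expire-fast", "Status": "Enabled", "Expiration": {"Days": 3}}},
    },
}
```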
splunk/security_content (1 added, 14 modified)
Recent detection rule updates focus primarily on expanding detection coverage and standardizing rule coding practices. There was a strong emphasis on enhancing coverage across known threat activities including Meduza Stealer, integrating metadata for improved investigative context. Key updates broadened executable checks and process list monitoring to capture newer iterations of potential exploitations.
➕ New rules
Windows Credentials Access via VaultCli Module
New detection change | High impact | Source
Introduced a new analytic to detect anomalous interactions with VaultCli.dll used by information stealers like Meduza, focusing on publicly writable directories for potentially unauthorized credential access.
✎ Modified rules
7zip Commandline to SMB Share Path
Coverage change | Medium impact | Source
Added detection for '7zr.exe' in the list of process names and original file names. This update broadens the detection capability to include another variant of 7-Zip application usage with specific process paths.
Certutil Download with URLCache and Split Arguments
Coverage change | Medium impact | Source
Included detection for processes using the 'urlcache' argument, expanding the detection scope.
Create Local Admin Accounts Using Net Exe
Efficiency change | Medium impact | Source
The condition for process name checks has been refactored to use the predefined macro process_net. Added more localized terms for administrators to the detection criteria.
Create Remote Thread in Shell Application
Coverage change | Medium impact | Source
The detection rule now includes 'pwsh.exe' in its TargetImage criteria, extending coverage to newer versions of PowerShell.
Disable Logs Using Wevtutil
Coverage change | Medium impact | Source
The Processes.process condition is now expanded to include 'set-log' operations as an alternative to 'sl'.
Dump Lsass via Comsvcs DLL
Coverage change | Medium impact | Source
Expanded the detection to account for command lines that reference '#24' (the comsvcs.dll export ordinal of MiniDump) alongside 'MiniDump'.
Executables or Script Creation in Suspicious Path
Efficiency change | Medium impact | Source
Replaced direct checks with a tabulated IN clause for filenames and paths, improving the readability and efficiency of the search query. Also updated metadata to include 'Meduza Stealer'.
Linux Auditd: File Permission Modification via Chmod
False positives/negatives change | Medium impact | Source
Improved the conditional checks for '+x' in chmod operations, refining the previous equality check to cover a broader set of matching scenarios.
Powershell Disable Security Monitoring
Coverage change | High impact | Source
Expanded the list of recognized disabling commands within PowerShell to better profile misuse patterns, particularly those targeting malware defenses.
Shim Database Installation with Suspicious Parameters
False positives/negatives change | Medium impact | Source
Enhanced process checks to exclude expected legitimate paths when 'sdbinst.exe' runs.
Wbadmin Delete System Backups
Coverage change | High impact | Source
Refined the search to replace 'systemstatebackup' with a more inclusive match on 'backup' operations. Also added an informational reference to a Buhtrap analysis URL, providing context on potential usage scenarios for the rule.
Wget Download and Bash Execution
Coverage change | Medium impact | Source
The condition logic was updated to check for 'wget.exe' alongside 'wget', with more comprehensive quiet-mode detection, broadening the rule's monitoring from Linux and macOS to Windows as well.
Windows Msiexec Spawn Discovery Command
Coverage change | Medium impact | Source
Extended detection by recognizing 'pwsh.exe' as an alternative to 'powershell.exe' when spawned by an msiexec.exe parent process.
Wscript or Cscript Suspicious Child Process
Coverage change | Medium impact | Source
Additional detection including 'pwsh.exe' for scripts running suspicious sub-processes, bolstering visibility over PowerShell instances under wscript/cscript control.
pan-unit42/iocs (1 modified)
✎ Modified rules
2024-11-26 Tech Support Scams
Coverage change | Medium impact | Source
Updated the STIX2 pattern with correct syntax by closing open brackets in the patterns defining url:value and domain-name:value. The title formatting was also adjusted to remove extra colon and newline characters for consistency.
projectdiscovery/nuclei-templates (4 added)
Several detections were enhanced, notably with new rules addressing Apache Tomcat RCE, Axigen WebMail XSS, and Mingsoft MCMS SQL Injection vulnerabilities. Significant advancements in security coverage against critical and exploitable vulnerabilities have been made, solidifying detection infrastructures. Minor metadata digest updates were prevalent among existing rules, primarily focusing on maintaining integrity and consistency within the detection framework.
➕ New rules
Apache Tomcat RCE via JMX Ports (CVE-2016-8735)
Coverage change | Critical impact | Source
A new detection rule for remote code execution in Apache Tomcat via JMX ports has been added. It covers versions before 6.0.48 through 9.x before 9.0.0.M12, detecting exploitation attempts by checking for exposed JMX ports.
Axigen WebMail XSS
Coverage change | Medium impact | Source
This rule detects reflected XSS vulnerabilities in Axigen WebMail versions 10.5.0-4370c946 and older via the 'm' parameter of the /index.hsp endpoint.
Mingsoft MCMS SQL Injection
Coverage change | Critical impact | Source
A new rule targets SQL injection in Mingsoft MCMS up to version 5.2.9 via the sqlWhere parameter of the /cms/category/list endpoint. Detection focuses on SQL error patterns and response analysis.
MLflow Path Traversal
Coverage change | High impact | Source
Introduced a rule against path traversal vulnerabilities in MLflow versions prior to 2.11.3, allowing file read attacks due to improper URI parsing. Endpoint monitoring includes server file path access attempts.
Yamato-Security/hayabusa-rules (4 modified)
Enhancements across multiple Sigma rules improved detection accuracy for NTLM downgrade events by adding specific DWORD configuration checks. Additional coverage includes detection for AnyDesk installations, aiding in the identification of unauthorized remote access. Renamed binaries detection now covers more files, enhancing visibility for suspicious executable activities. These updates strengthen the overall threat detection posture by focusing on explicit high-risk configurations and behaviors.
✎ Modified rules
Registry Event Net NTLM Downgrade
Coverage change | Medium impact | Source
Updated to include more specific value selections for registry events related to NTLM security settings. New conditions focus on exact DWORD values that indicate potentially insecure configurations. This change introduces targeted monitoring for configurations of "lmcompatibilitylevel", "NtlmMinClientSec", and "RestrictSendingNTLMTraffic".
Win Security Service Install Remote Access Software
Coverage change | Medium impact | Source
The rule now includes detection for AnyDesk installations; AnyDesk is commonly used for remote access, and its unexpected installation could be relevant to privilege escalation.
Proc Creation Win Renamed Binary Highly Relevant
Coverage change | Medium impact | Source
Added monitoring for renamed binaries to include checks for IE4UINIT.EXE and msxsl.exe. This extends the list of suspicious renamed executables that may indicate misconfigured or malicious activity.
Sysmon Registry Event Net NTLM Downgrade
Coverage change | Medium impact | Source
Rule refined to include more precise object end paths for monitoring targeted DWORD values in NTLM settings. This refinement assists in catching configurations that may lead to security downgrades.
Personal repositories (2)
mdecrevoisier/SIGMA-detection-rules (8 modified)
The changes primarily enhance detection coverage across several authentication brute force and reconnaissance scenarios by adopting improved correlation strategies for event aggregation over specific time intervals. This enables better distinction between legitimate and malicious activities on both Kerberos and OpenSSH protocols, focusing on failed login attempts related to non-existing accounts and policy restrictions. These modifications likely reduce false negatives and augment contextual awareness for aggregated IP-based activities, enhancing overall detection robustness without major performance trade-offs.
✎ Modified rules
Bruteforce Non Existing Users Kerberos
Coverage change | Medium impact | Source
Converted single quotes to double quotes in YAML properties to maintain consistency across the file. Updated the condition and timespan structure for correlation, focusing on the count of failed login attempts by non-existing users over a 30m duration. Adjusted metadata and added a correlation structure for a more modular detection setup.
Kerbrute Enumeration
Coverage change | Medium impact | Source
Standardized YAML syntax with double quotation marks. Improved correlation logic and metadata, adding a correlation structure to track enumeration attempts with Kerbrute tools. Removed the timespan from the main rule and moved it into the correlation structure to track failed login attempts within a 30m window by TargetUserName.
OpenSSH Brute Force Non Existing User
Coverage change | Medium impact | Source
Unified YAML formatting and converted single quotes to double quotes for consistency. Removed the explicit timeframe from the main rule and implemented a correlation-based mechanism to handle brute force enumeration attempts by counting non-existing user logins within a 30m time span.
Bruteforce OpenSSH Valid Users
Coverage change | Medium impact | Source
Revised YAML quoting and formatting for consistency. Removed the immediate timeframe and transitioned to correlation logic over a specified duration for evaluating brute force attempts with valid user accounts on OpenSSH servers, focusing on EventRecordID counts within a 30m window.
Login Non Existing User
Coverage change | Medium impact | Source
Updated YAML syntax, replacing quotes and structuring correlation criteria for non-existing user login detection. Shifted from immediate evaluation to a correlation approach based on event count over a 30-minute period for detecting login attempts using invalid usernames.
Bruteforce Denied Account Restriction Policies
Coverage change | Medium impact | Source
Corrected YAML formatting for quoted values and restructured correlation parameters to detect login attempts blocked by account restriction policies. Removed per-event timeframe checks in favor of aggregated evaluation within a 30m correlation window.
RDP Discovery Multiple Host
Coverage change | Medium impact | Source
Amended YAML syntax and revised the correlation description to cover the entire observation narrative. Streamlined correlation logic to track RDP service probing attempts across multiple hosts by analyzing source IP activity within five-minute intervals.
RDP Reconnaissance Valid Credentials
Coverage change | Medium impact | Source
Formatted YAML identifiers consistently and improved correlation methods for tracking RDP brute force attempts using valid credentials. Shifted evaluation intervals from rule into correlation context for incidents assessed through source IP activity over five minutes.
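The rules above all moved their time window out of the detection block and into a Sigma event_count correlation (matches per group-by key within a timespan). As an added example that is not code from the SIGMA-detection-rules repository, the following evaluator implements that correlation over constructed Windows Security events; the Kerberos base rule (event 4768 with status 0x6, unknown principal), the IpAddress group-by field, the threshold of 5, and the events themselves are assumptions of this example.

```python
"""Added example, not code from the SIGMA-detection-rules repository: a small
evaluator for the Sigma 'event_count' correlation the rules above moved to,
counting base-rule matches per group-by key inside a sliding timespan.
The Kerberos base rule (event 4768 with status 0x6, unknown principal),
the group-by field and all events are assumptions constructed here."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_timespan(spec: str) -> timedelta:
    """Sigma timespan syntax, e.g. '30m' or '5m'."""
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})


def event_count(events, base_rule, group_by, timespan, gte):
    """Return one (group key, count, time) alert per group whose base-rule
    matches reach `gte` within `timespan`. Events must be ordered by 'ts';
    matches older than the window are evicted as the window slides."""
    window = parse_timespan(timespan)
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if not base_rule(ev):
            continue
        key = tuple(ev.get(f) for f in group_by)
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop matches that fell out of the window
            q.popleft()
        if len(q) >= gte and key not in alerted:
            alerted.add(key)  # one alert per group, as a correlation hit would be
            alerts.append((key, len(q), ev["ts"]))
    return alerts


def kerberos_unknown_user(ev: dict) -> bool:
    """Stand-in for the rule's detection block: TGT request for a principal
    that does not exist (KDC_ERR_C_PRINCIPAL_UNKNOWN)."""
    return ev.get("EventID") == 4768 and ev.get("Status") == "0x6"


def sample_events() -> list:
    """Constructed Windows Security events: a burst of unknown-user TGT
    requests from 10.0.0.5, a slow trickle from 10.0.0.9, and one success."""
    t0 = datetime(2024, 12, 5, 9, 0)
    burst = [{"ts": t0 + timedelta(minutes=2 * i), "EventID": 4768, "Status": "0x6",
              "IpAddress": "10.0.0.5", "TargetUserName": f"user{i}"} for i in range(6)]
    slow = [{"ts": t0 + timedelta(minutes=31 * i), "EventID": 4768, "Status": "0x6",
             "IpAddress": "10.0.0.9", "TargetUserName": "svc"} for i in range(5)]
    ok = [{"ts": t0, "EventID": 4768, "Status": "0x0", "IpAddress": "10.0.0.5",
           "TargetUserName": "alice"}]
    return sorted(burst + slow + ok, key=lambda e: e["ts"])


def run_demo():
    return event_count(sample_events(), kerberos_unknown_user,
                       group_by=["IpAddress"], timespan="30m", gte=5)
```

The trickle from 10.0.0.9 never alerts because each of its matches is more than 30 minutes from the previous one, which is exactly what the per-event timeframe removed from the main rules could not express.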
Neo23x0/signature-base (2 added)
The dataset includes modifications to an existing YARA rule and the addition of two new rules. The new additions improve detection capabilities for tampered OOXML files and AiTM phishing threats using distinct file signature analyses, thereby expanding threat coverage. Changes are primarily focused on enhancing detection precision while maintaining system stability, with a medium potential increase in alert volume.
➕ New rules
Brooxml Hunting
Coverage change | Medium impact | Source
Introduces a new hunting rule targeting manipulated Microsoft OOXML files. The rule inspects specific byte patterns in file headers and filters out patterns associated with false positives, improving detection specificity.
Brooxml Phishing
Coverage change | Medium impact | Source
Adds a new rule to detect PDF and OOXML files connected to AiTM phishing by analyzing specific byte patterns for common document types and reducing false positives through contextual negation.
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we’d love to hear from you. Reach out to us at team@rulecheck.io - we value your feedback and we are committed to making this resource better for the detection engineering community.