This week’s edition showcases the most significant detection rule updates from 2 of the 40+ GitHub repositories we monitor, covering changes made between December 16 and December 23, 2024.
During this period, contributors across these repositories added 13 new rules and updated 4 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Points
This week's detection engineering updates address crucial areas such as in-memory threats, ransomware, and cloud service provider activity. They concentrate on expanding detection and prevention coverage across environments. Notably, the new rules target advanced threats that fall outside traditional detection vectors, adding operational relevance and investigative depth. Key areas of advancement include memory- and behavior-based activity monitoring, alongside improved visibility into cloud-specific threats, particularly within AWS. Collectively, these updates aim to strengthen existing defenses against sophisticated attack techniques while reducing false positive rates through targeted alerting strategies.
Introduced new rules for in-memory threat detection and prevention, separating detection alerts from prevention outcomes to provide more actionable intelligence on advanced memory-based attack techniques. (elastic/detection-rules)
Enhanced ransomware monitoring with separate detection and prevention alerts, improving visibility into ransomware indicators while validating that prevention is working. (elastic/detection-rules)
Improved detection coverage for cloud-specific activities with new rules covering potential security disruptions in AWS environments, including SAML provider deletions and Lambda function URL configurations. (SigmaHQ/sigma)
Added behavior-based detection and prevention rules for Elastic Defend to better isolate unusual activity patterns that could indicate underlying threats, refining alert precision and reducing noise. (elastic/detection-rules)
Enhanced detection of malicious file activity through separate rule tracks for detection and prevention alerts, enabling early investigation and response planning for threats that were not prevented. (elastic/detection-rules)
New rules in the Sigma repository detect unauthorized key imports into AWS EC2, which can indicate escalation or persistence efforts, strengthening cloud security posture. (SigmaHQ/sigma)
Corporate repositories (2)
elastic/detection-rules (+8)
This update introduces several new detection rules specifically focused on distinguishing between detected and prevented threats across various threat vectors, including memory, behavior, malicious files, and ransomware. These additions enhance the strategic focus on detection coverage by addressing threat prevention and detection separately, allowing for more granular and effective security monitoring. High-severity changes significantly improve threat visibility, especially in detecting advanced techniques such as in-memory threats and ransomware, while providing actionable data to prioritize security operations and bolster threat response capabilities.
+ New rules
Memory Threat - Detected - Elastic Defend
Coverage change | High impact | Source
A new detection rule has been added to generate alerts for memory signature detections captured by Elastic Defend. This rule specifically targets detection events and excludes prevention alerts.
Memory Threat - Prevented - Elastic Defend
Coverage change | High impact | Source
Introduced a new prevention-specific rule that triggers on memory signature prevention alerts. This rule focuses strictly on blocked threats.
Behavior - Detected - Elastic Defend
Coverage change | Medium impact | Source
A new rule was added to alert on malicious behavior identified by Elastic Defend. The focus is on detected behavior rather than prevention alerts.
Behavior - Prevented - Elastic Defend
Coverage change | Medium impact | Source
This newly added rule creates alerts for behavior prevention activity, focusing solely on cases where defensive measures succeed in blocking suspicious behavior.
Malicious File - Detected - Elastic Defend
Coverage change | Medium impact | Source
A new rule has been added to alert on malicious files detected, but not prevented, by Elastic Defend. The focus is on detection events only.
Malicious File - Prevented - Elastic Defend
Coverage change | Medium impact | Source
New rule added to cover instances where malicious file activity is prevented, enabling security teams to monitor and verify prevention effectiveness.
Ransomware - Detected - Elastic Defend
Coverage change | High impact | Source
Adds a detection rule for behaviors and activities associated with ransomware attacks as detected by Elastic Defend, excluding prevention alerts.
Ransomware - Prevented - Elastic Defend
Coverage change | High impact | Source
This rule alerts on successful prevention activity against ransomware, allowing security teams to track effective defense mechanisms.
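The eight Elastic Defend rules above all follow one pattern: the same protection (memory, behavior, malicious file, ransomware) is split into a "Detected" stream, which needs a human to look at it, and a "Prevented" stream, which confirms the control fired. The following is an added example, not code from elastic/detection-rules, showing how that split can be applied to ECS-style endpoint alert documents. It assumes that event.kind is "alert", that event.code names the Defend protection (memory_signature, shellcode_thread, behavior, malicious_file, ransomware) and that a prevented alert carries "denied" in event.type; those values are assumptions for illustration, not the rules' exact queries.

```python
"""Split Elastic Defend alerts into Detected (triage) and Prevented (verified
control) buckets per threat category.

Added example; the field values below are assumed for illustration and are
not a statement of the elastic/detection-rules queries.
"""
from collections import defaultdict

# Assumed event.code values mapped to the rule families named in the digest.
CATEGORY_BY_CODE = {
    "memory_signature": "Memory Threat",
    "shellcode_thread": "Memory Threat",
    "behavior": "Behavior",
    "malicious_file": "Malicious File",
    "ransomware": "Ransomware",
}


def classify(alert):
    """Return (category, outcome) for one alert document, or None if out of scope.

    outcome is "Prevented" when the endpoint blocked the action (assumed:
    "denied" in event.type) and "Detected" otherwise. Keeping the two apart
    lets the Detected stream go to triage while the Prevented stream is used
    only to confirm that protections are firing.
    """
    event = alert.get("event", {})
    if event.get("kind") != "alert":
        return None
    category = CATEGORY_BY_CODE.get(event.get("code"))
    if category is None:
        return None
    types = event.get("type") or []
    if isinstance(types, str):
        types = [types]
    outcome = "Prevented" if "denied" in types else "Detected"
    return category, outcome


def triage(alerts):
    """Group alerts by (category, outcome); return the counts and the
    (host, category) pairs that were detected but not prevented."""
    counts = defaultdict(int)
    investigate = []
    for alert in alerts:
        result = classify(alert)
        if result is None:
            continue
        counts[result] += 1
        if result[1] == "Detected":
            investigate.append((alert["host"]["name"], result[0]))
    return dict(counts), investigate


# Constructed sample alerts (not real telemetry); host names are placeholders.
SAMPLE_ALERTS = [
    {"event": {"kind": "alert", "code": "memory_signature", "type": ["info"]},
     "host": {"name": "ws-01"}},
    {"event": {"kind": "alert", "code": "ransomware", "type": ["denied"]},
     "host": {"name": "ws-02"}},
    {"event": {"kind": "alert", "code": "malicious_file", "type": ["denied"]},
     "host": {"name": "ws-03"}},
    {"event": {"kind": "alert", "code": "behavior", "type": ["info"]},
     "host": {"name": "srv-07"}},
    # Ordinary process event: not an alert, so it is ignored.
    {"event": {"kind": "event", "code": "process", "type": ["start"]},
     "host": {"name": "srv-07"}},
]

if __name__ == "__main__":
    counts, todo = triage(SAMPLE_ALERTS)
    for (category, outcome), n in sorted(counts.items()):
        print(f"{category} - {outcome} - Elastic Defend: {n}")
    print("needs investigation:", todo)
```

The point of routing on outcome rather than on category alone is that a prevented ransomware alert and a detected one call for different work: the first is evidence the control is healthy, the second is an open incident on a host that still needs containment.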
SigmaHQ/sigma (+5)
The repository received several new rules, primarily enhancing detection coverage for AWS cloud activities and potential misuse of Microsoft Windows Quick Assist. These additions focus on initial access and privilege escalation threats in cloud environments and carry medium-severity impact.
+ New rules
AWS SAML Provider Deletion Activity
Coverage change | Medium impact | Source
A new rule detects the deletion of an AWS SAML provider, which could indicate an attempt to disrupt administrative or security team access by removing an authentication method.
AWS Key Pair Import Activity
Coverage change | Medium impact | Source
Introduces detection for the import of SSH key pairs into AWS EC2, which may indicate unauthorized access attempts against EC2 instances using compromised or malicious SSH keys.
New AWS Lambda Function URL Configuration Created
Coverage change | Medium impact | Source
This rule identifies the creation of a Lambda function URL configuration, which can expose the function to external access and unauthorized use of its IAM role.
DNS Query Request By QuickAssist.EXE
Coverage change | Low impact | Source
Detects DNS queries initiated by 'QuickAssist.exe', which can help identify misuse in unauthorized remote assistance or social engineering attacks.
QuickAssist Execution
Coverage change | Low impact | Source
Introduces detection for the execution of 'QuickAssist.exe', focused on identifying unauthorized remote access attempts via legitimate Windows tools.
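The three AWS rules above each key on a single CloudTrail API call. As an added example (not the Sigma rules themselves), the code below runs equivalent matchers over newline-delimited CloudTrail JSON and reports who made each call and what it touched. It assumes the standard CloudTrail record layout (eventSource, eventName, errorCode, userIdentity.arn, requestParameters); the sample records, ARNs and resource names are constructed placeholders. CloudTrail records Lambda API calls with an API-version suffix on the event name (for example CreateFunctionUrlConfig20211006), so that matcher uses a prefix match rather than an exact one.

```python
"""Match CloudTrail records against the three AWS detections in this digest.

Added example, not the SigmaHQ/sigma rules. Assumes standard CloudTrail
record fields; all sample data below is constructed.
"""
import json

# (rule name from the digest, expected eventSource, predicate on eventName)
RULES = [
    ("AWS SAML Provider Deletion Activity", "iam.amazonaws.com",
     lambda n: n == "DeleteSAMLProvider"),
    ("AWS Key Pair Import Activity", "ec2.amazonaws.com",
     lambda n: n == "ImportKeyPair"),
    # Lambda event names carry an API-version suffix, hence the prefix match.
    ("New AWS Lambda Function URL Configuration Created", "lambda.amazonaws.com",
     lambda n: n.startswith("CreateFunctionUrlConfig")),
]


def match_record(rec):
    """Return the name of the first rule a CloudTrail record matches, or None.

    Records with an errorCode are skipped: a call AWS refused did not change
    the account. Repeated denials are worth their own rule, not this one.
    """
    if rec.get("errorCode"):
        return None
    src = rec.get("eventSource", "")
    name = rec.get("eventName", "")
    for rule_name, rule_src, predicate in RULES:
        if src == rule_src and predicate(name):
            return rule_name
    return None


def scan(ndjson_text):
    """Run every rule over NDJSON CloudTrail records and return findings as
    (rule, principal ARN, key detail) tuples in log order."""
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rule = match_record(rec)
        if rule is None:
            continue
        who = rec.get("userIdentity", {}).get("arn", "?")
        params = rec.get("requestParameters") or {}
        if rule.startswith("New AWS Lambda"):
            # authType NONE means the URL is reachable without IAM auth.
            detail = f"{params.get('functionName', '')} authType={params.get('authType', '?')}"
        else:
            detail = params.get("sAMLProviderArn") or params.get("keyName") or ""
        findings.append((rule, who, detail))
    return findings


# Constructed CloudTrail records (not real logs); account id, ARNs and names
# are placeholders.
SAMPLE_TRAIL = "\n".join(json.dumps(r) for r in [
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteSAMLProvider",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {
         "sAMLProviderArn": "arn:aws:iam::111122223333:saml-provider/corp-idp"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"keyName": "imported-key"}},
    {"eventSource": "lambda.amazonaws.com",
     "eventName": "CreateFunctionUrlConfig20211006",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"},
     "requestParameters": {"functionName": "billing-export", "authType": "NONE"}},
    # Refused call: no state change, so no finding.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"keyName": "denied-key"}},
    # Benign read-only call.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
])

if __name__ == "__main__":
    for rule, who, detail in scan(SAMPLE_TRAIL):
        print(f"[{rule}] {who} -> {detail}")
```

Carrying the principal ARN and the affected resource into each finding is what makes these alerts actionable: a SAML provider deletion by the identity-platform deployment role is a change-management question, while the same call from an ordinary user is an incident.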
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue or have suggestions for new data sources to include, we’d love to hear from you. Reach out to us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Powered by
This digest is brought to you in collaboration with BlackStork.io, combining their content generation tech with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of the newsletter or interested in licensing your own hosted instance? We’d be happy to help — reach out to us.