This week’s edition showcases the most significant detection rule updates from 4 of the 40+ GitHub repositories we monitor, covering changes made between December 23 and December 30, 2024.
During this period, contributors across these repositories added 12 new rules and updated 5 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Points
Introduction of high-impact rules to detect exploitation of critical vulnerabilities like CVE-2020-1472 and potential pass-the-hash attacks. (Yamato-Security/hayabusa-rules)
New rules added to identify suspicious RDP connections from domain controllers and unauthorized remote registry changes, enhancing security against lateral movement. (Yamato-Security/hayabusa-rules)
Enhancements in PowerShell detection rules to capture AMSI bypasses and Windows Defender tampering, boosting endpoint security defenses. (Yamato-Security/hayabusa-rules)
Performance optimization in regex parsing for PowerShell event detection rules, likely improving accuracy across different parsers. (SigmaHQ/sigma)
Extension of detection coverage to Salesforce infrastructure threats and phishing vectors not directly associated with Docusign domains. (sublime-security/sublime-rules)
Added rules for detecting unauthorized administrative logins and interactive session patterns indicating potential unauthorized access. (Yamato-Security/hayabusa-rules)
Corporate repositories (4)
elastic/detection-rules (✎ 1)
✎ Modified rules
Uncommon Registry Persistence Change
Medium impact — Coverage change – Source
The rule was updated to include new registry rules for additional SMSS persistence vectors. The updated_date field was also modified.
SigmaHQ/sigma (✎ 2)
The patch introduces regex updates to enhance the performance of PowerShell-related detection rules, improving their adaptability to varied log formats. This improves detection accuracy and coverage for PowerShell activities in Windows environments.
✎ Modified rules
Suspicious Non PowerShell WSMAN COM Provider
Medium impact — Performance change – Source
Updated regex to use '\s+' to account for different parsers.
Renamed Powershell Under Powershell Channel
Medium impact — Performance change – Source
Updated regex to use '\s+' to account for different parsers.
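To show why the '\s+' change matters, here is an added example (not code from SigmaHQ/sigma) that runs a literal-space pattern and a '\s+' pattern over constructed log fragments whose whitespace differs the way different parsers emit it; the patterns themselves are hypothetical and not the rules' actual regex.

```python
import re

# Constructed sample command-line fragments as different log pipelines might
# present them: single spaces, tabs, and runs of spaces padded by a parser.
SAMPLE_LINES = [
    "New-Object -ComObject WSMan.Automation",            # single spaces
    "New-Object\t-ComObject\tWSMan.Automation",          # tab-separated
    "New-Object  -ComObject   WSMan.Automation",         # padded by a parser
    "New-Object -ComObject Scripting.FileSystemObject",  # unrelated, must not match
]

# Hypothetical patterns for illustration only; not the SigmaHQ rule's regex.
STRICT_PATTERN = r"New-Object -ComObject WSMan"
TOLERANT_PATTERN = r"New-Object\s+-ComObject\s+WSMan"


def matching_lines(pattern: str, lines) -> list[str]:
    """Return the lines matched by the given regex (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in lines if rx.search(line)]


def coverage_gap(strict: str, tolerant: str, lines) -> list[str]:
    """Lines the tolerant pattern catches that the strict pattern misses."""
    strict_hits = set(matching_lines(strict, lines))
    return [line for line in matching_lines(tolerant, lines) if line not in strict_hits]


def harden_pattern(pattern: str) -> str:
    """Rewrite runs of literal spaces in a simple pattern as '\\s+'.

    Only safe for patterns without character classes or escaped spaces,
    which is the case for the plain command-line fragments used here.
    """
    return re.sub(r" +", r"\\s+", pattern)


if __name__ == "__main__":
    for line in coverage_gap(STRICT_PATTERN, TOLERANT_PATTERN, SAMPLE_LINES):
        print("missed by strict pattern:", repr(line))
    print("hardened:", harden_pattern(STRICT_PATTERN))
```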
sublime-security/sublime-rules (✎ 2)
The patch introduces significant improvements to detection rules by enhancing coverage against phishing attacks and unauthorized infrastructure use, thereby increasing the overall security posture. The modifications focus on expanding detection logic to cover additional threat vectors, specifically targeting non-associated domains in phishing scenarios and improving detection accuracy for Salesforce abuse cases.
✎ Modified rules
link_multistage_docusign
Medium impact — Coverage change – Source
Added an additional condition to filter links with domains not in 'docusign.net' or 'docusign.com'.
salesforce_infra_abuse
Medium impact — Coverage change – Source
Updated detection logic to enhance the rule's capability for identifying Salesforce infrastructure abuse.
Yamato-Security/hayabusa-rules (+12)
Several new Sigma rules were introduced, primarily enhancing detection coverage for critical vulnerabilities and potential attack vectors. Notable additions include rules to detect exploitation of CVE-2020-1472 and AMSI bypass attempts, both assessed as having a critical impact on security posture. Additionally, improvements in detecting unauthorized access and tampering attempts have been made, with a high-severity impact. These changes significantly bolster threat detection capabilities by covering a broader range of attack techniques and improving alert accuracy.
+ New rules
net_connection_win_susp_rdp_from_domain_controller
High impact — Coverage change – Source
New rule added to detect suspicious RDP connections from a domain controller.
proc_creation_win_userdomain_variable_enumeration
Medium impact — Coverage change – Source
Introduced rule to detect enumeration of user domain variables in process creation logs.
win_security_admin_logon
Medium impact — Coverage change – Source
Rule added to monitor administrative login events.
win_security_exploit_cve_2020_1472
Critical impact — Coverage change – Source
New rule to detect exploitation attempts of CVE-2020-1472.
win_security_potential_pass_the_hash
High impact — Coverage change – Source
Added rule to detect potential pass-the-hash attacks.
win_security_remote_registry_management_via_reg
High impact — Coverage change – Source
Introduced rule to identify remote registry changes using reg.exe.
win_security_susp_interactive_logons
Medium impact — Coverage change – Source
New rule to detect suspicious interactive logons.
posh_pc_tamper_windows_defender_set_mp
High impact — Coverage change – Source
Added rule to detect tampering attempts on Windows Defender settings using PowerShell.
posh_ps_tamper_windows_defender_set_mp
High impact — Coverage change – Source
New rule to identify tampering with Windows Defender settings via PowerShell scripts.
proc_creation_win_powershell_amsi_init_failed_bypass
Critical impact — Coverage change – Source
Rule added to detect AMSI initialization bypass attempts via PowerShell.
sysmon_wmi_event_subscription
Medium impact — Coverage change – Source
Introduced rule to monitor WMI event subscriptions.
dns_query_win_wscript_cscript_resolution
Medium impact — Coverage change – Source
New rule added to detect DNS resolutions involving wscript and cscript.
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Powered by
This digest is brought to you in collaboration with BlackStork, combining their content generation tech with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Are you looking for a customized version of the newsletter or interested in licensing your own hosted instance? We’d be happy to help — reach out to us.