Detections Digest #20250106
15 new and 11 modified detection rules across 4 repos from Dec 30, 2024 to Jan 6, 2025.
This week’s edition showcases the most significant detection rule updates from 4 of the 40+ GitHub repositories we monitor, covering changes made between December 30, 2024 and January 6, 2025.
During this period, contributors across these repositories added 15 new rules and updated 11 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Points
The recent updates primarily strengthened detection capabilities for persistence and evasion techniques across several platforms. Notable enhancements include improved monitoring of SSHD and system processes and refined criteria for email scam detection rules. No critical issues or regressions were found in this release cycle, but focused attention on the medium-impact rule modifications is advisable to keep alert accuracy and resource usage in check.
Enhanced detection of persistence mechanisms by broadening the path ranges covered for dynamic linker file modifications, improving the rule's effectiveness in identifying persistence threats. (elastic/detection-rules)
Introduction of the 'Unusual SSHD Child Process' rule, which monitors abnormal processes initiated by SSHD and thus bolsters persistence threat detection. (elastic/detection-rules)
Multiple email security rules were refined to detect impersonation and open redirect abuse more effectively, including adjustments for phishing and credential access scenarios. (sublime-security/sublime-rules)
New detection rules were added for email redirection abuse of specific vulnerable services (e.g., Xfinity, Nowlifestyle) to expand coverage against evolving phishing tactics. (sublime-security/sublime-rules)
Detection coverage for unexpected talkers on Linux was expanded by adding further potentially suspicious processes such as 'pasta.avx2', 'slirp4netns', and 'python3.12' to improve anomaly detection. (chainguard-dev/osquery-defense-kit)
Corporate repositories (3)
elastic/detection-rules (+9, ✎1)
+ New rules
Dynamic Linker (ld.so) Creation
Low impact • Coverage change • Source
This new rule detects the creation of the dynamic linker (ld.so) file, which attackers may replace to execute arbitrary code. By monitoring specific file paths, it enhances detection capabilities for defense evasion attempts.
Kernel Object File Creation
Low impact • Coverage change • Source
This newly introduced rule detects the creation of Linux kernel object files (.ko), which attackers can leverage to load rootkits or malware. It broadens the detection scope for persistent threats.
Simple HTTP Web Server Connection
Low impact • Coverage change • Source
This rule detects connections accepted by simple HTTP web servers created through PHP or Python. It aims to identify potential persistence mechanisms where attackers upload shells to web roots.
Simple HTTP Web Server Creation
Low impact • Coverage change • Source
This rule monitors the creation of simple HTTP web servers in Python or PHP, aiming to detect potential backdoor setups. It reinforces coverage of threats associated with command and control mechanisms.
Loadable Kernel Module Configuration File Creation
Low impact • Coverage change • Source
This new rule identifies the creation of Loadable Kernel Module (LKM) configuration files that attackers might exploit for persistence. Its addition enhances threat detection for kernel modification activities.
Unusual Preload Environment Variable Process Execution
Low impact • Coverage change • Source
This rule detects processes executed with uncommon preload environment variables, indicating potential manipulation of execution flow. It aims to capture sophisticated attacks that use unusual preloads for malicious activity.
Unusual SSHD Child Process
Medium impact • Coverage change • Source
This rule detects the creation of unexpected child processes from SSHD, which may indicate unauthorized access attempts. Its implementation strengthens monitoring of persistence threat activity.
Pluggable Authentication Module Creation in Unusual Directory
Low impact • Coverage change • Source
This newly created rule monitors PAM shared object files created in unexpected directories, which can signify malicious activity. It enhances detection of credential access techniques.
PAM Version Discovery
Low impact • Coverage change • Source
This rule identifies PAM version discovery attempts, which can indicate pre-attack reconnaissance for backdoor creation. It improves coverage of credential access tactics.
✎ Modified rules
Potential Persistence via File Modification
Medium impact • Coverage change • Source
This existing rule was updated to include a broader range of paths related to dynamic linker files in its detection logic. This adjustment strengthens its detection capability for persistence mechanisms.
sublime-security/sublime-rules (+5, ✎8)
+ New rules
open_redirect_xfinity_cmp
Medium impact • Coverage change • Source
Created a new rule to detect when non-Xfinity senders abuse Xfinity's CMP redirection service, particularly when links contain Google AMP paths.
open_redirect_nowlifestyle
Medium impact • Coverage change • Source
Introduced a rule to detect exploitation of the nowlifestyle.com open redirect, focusing on untrusted senders and specific query patterns.
open_redirect_xfinity
Medium impact • Coverage change • Source
Defined a new rule for detecting abuse of Xfinity's open redirect service, targeting links that misuse 'referer' query parameters.
spam_item_giveaway
Low impact • Coverage change • Source
Created a new rule that identifies spam emails using templates related to item giveaways, focusing on suspicious HTML patterns.
open_redirect_easycamp
Medium impact • Coverage change • Source
Introduced a detection rule targeting the easycamp.com open redirect exploit, adding coverage for a new threat vector.
✎ Modified rules
suspicious_request_for_quote_or_purchase
Medium impact • Coverage change • Source
Updated the condition to check that the sender's email domain root is not among the organization's domains, giving a more stringent detection criterion.
impersonation_ledger
Medium impact • Coverage change • Source
Added a condition to check whether the sender's display name starts with 'ledger', improving detection of impersonation attempts.
link_multistage_docusign
Medium impact • Coverage change • Source
Added a domain root condition to ensure that detected links are not within the organization's domains, allowing for better detection of phishing attempts.
impersonation_sharefile
Medium impact • Coverage change • Source
Enhanced the detection criteria by including checks for specific phrases in the subject and body to better identify ShareFile-related impersonation.
docusign_new_sender_domain
Medium impact • Performance change • Source
Modified the sender domain checks to allow more flexible handling of SPF and DMARC validation, improving detection accuracy.
impersonation_dhl
Medium impact • Coverage change • Source
Introduced checks to detect potential QR codes in messages, enhancing the capability to identify sophisticated impersonation attacks.
open_redirect_emp-eduyield
Medium impact • Coverage change • Source
Adjusted the regex conditions in the open redirect detection to fine-tune matching of malicious URLs, improving accuracy.
open_redirect_emp-eduyield
Medium impact • Coverage change • Source
Modified the regex patterns used in the detection logic to catch broader variations, enhancing overall detection effectiveness.
chainguard-dev/osquery-defense-kit (✎2)
✎ Modified rules
unexpected-talkers-linux
Medium impact • Coverage change • Source
Introduced two new entries for unexpected talkers, 'pasta.avx2' and 'slirp4netns', increasing the rule's ability to detect unexpected processes.
unexpected-talkers-linux
Medium impact • Coverage change • Source
Updated the rule to detect the added process 'python3.12' in the context of unusual processes running on Linux systems.
Personal repositories (1)
RussianPanda95/Yara-Rules (+1)
+ New rules
LegionLoader
Medium impact • Coverage change • Source
This rule detects the core payload of LegionLoader by identifying specific strings and checking for the correct file size. It enhances detection capabilities for malicious payloads associated with this malware. The introduction of this rule improves threat coverage against known LegionLoader infections.
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Powered by
This digest is brought to you in collaboration with BlackStork.io, combining their content generation tech with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Are you looking for a customized version of the newsletter or are you interested in licensing your own hosted instance? We’d be happy to help — reach out to us.