Detections Digest #20250113
This week's updates include 9 new detection rules and 81 modifications across 8 repositories, including SigmaHQ, Yamato-Security, Splunk, Chronicle, and Sublime Security.
This week’s edition showcases the most significant detection rule updates from 7 of the 40+ GitHub repositories we monitor, covering changes made between January 6 and January 13, 2025.
During this period, contributors across these repositories added 9 new rules and updated 81 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Corporate repositories (8)
chronicle/detection-rules (✎30)
Several modifications have been made to improve detection coverage and accuracy by updating the extraction method for recipient AWS account ID from 'labels' to 'additional fields' in various rules such as 'AWS API Call Outside of Organization', 'AWS EC2 AMI or Snapshot Shared Publicly', and 'AWS IAM Activity By S3 Browser Utility'. These changes aim to enhance data clarity and consistency across rules. Additionally, adjustments to the field references in rules like 'AWS Security Group Open to World' and 'AWS SES Service Modification' have been made to improve accuracy in detecting potential threats. The modifications focus on refining data retrieval and aligning with best practices for detection rule optimization.
✎ Modified rules
AWS API Call Outside of Organization
Medium impact • Coverage change
Updated the reference for recipient account ID from 'labels' to 'additional fields' in detection logic.
AWS API Gateway Get Keys
Medium impact • Coverage change
Updated reference for recipient account ID to utilize 'additional fields' instead of 'labels' in the detection rule.
aws_cloudtrail_logging_tampered
Medium impact • Coverage change
Updated field extraction for recipient AWS account ID from labels to additional fields.
aws_config_service_modified
Medium impact • Coverage change
Updated field extraction for recipient AWS account ID from labels to additional fields.
AWS Delete VPC Flow Logs
Medium impact • Coverage change
Updated the source for recipient AWS account ID from attribute labels to additional fields.
AWS EC2 AMI or Snapshot Shared Publicly
Medium impact • Coverage change
Updated the source for recipient AWS account ID from attribute labels to additional fields.
aws_ec2_get_windows_admin_password
Medium impact • Coverage change
Updated the attribute source for recipient AWS Account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_ec2_user_data_modified
Medium impact • Coverage change
Updated the attribute source for recipient AWS Account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_enable_disable_region
Medium impact • Coverage change
Updated the field used to retrieve the recipient AWS account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_excessive_successful_discovery_events
Medium impact • Coverage change
Changed the method of obtaining the recipient AWS account ID to use 'additional.fields' instead of 'target.resource.attribute.labels'.
aws_guardduty_disabled
Medium impact • Coverage change
Updated the field for recipient AWS account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_guardduty_publishing_destination_deleted
Medium impact • Coverage change
Modified the method of retrieving recipient AWS account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_guardduty_trusted_or_threat_ip_lists_tampered
Medium impact • Coverage change
Updated the source for the recipient AWS account ID from target.resource.attribute.labels to additional.fields.
aws_high_number_of_unknown_user_authentication_attempts
Medium impact • Coverage change
Changed the source for the recipient AWS account ID from target.resource.attribute.labels to additional.fields, improving field clarity.
aws_iam_access_analyzer_deleted
Medium impact • Coverage change
Changed the source of recipient AWS account ID from cloudtrail.target.resource.attribute.labels to cloudtrail.additional.fields.
aws_iam_access_denied_discovery_events
Medium impact • Coverage change
Updated the method of obtaining recipient AWS account ID from cloudtrail.target.resource.attribute.labels to cloudtrail.additional.fields.
aws_iam_activity_by_s3_browser_utility
Medium impact • Coverage change
Updated the variable for recipient AWS account ID to retrieve it from additional fields instead of target resource attribute labels.
aws_iam_activity_from_ec2_instance
Medium impact • Coverage change
Updated the variable for recipient AWS account ID to retrieve it from additional fields instead of target resource attribute labels.
AWS IAM Administrator Access Policy Attached
Medium impact • Coverage change
Updated the reference for recipient AWS account ID from target resource attribute labels to additional fields.
AWS IAM Compromised Key Quarantine Policy Attached
Medium impact • Coverage change
Updated the reference for recipient AWS account ID from target resource attribute labels to additional fields.
aws_multi_factor_authentication_disabled
Medium impact • Coverage change
Updated the source field for recipient AWS account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_new_mfa_method_registered_for_user
Medium impact • Coverage change
Updated the source field for recipient AWS account ID from 'target.resource.attribute.labels' to 'additional.fields'.
aws_password_policy_change
Medium impact • Coverage change
The variable for the recipient AWS account ID has been updated to reference the recipientAccountId field from additional fields instead of from target resource attribute labels.
aws_rds_snapshot_shared_publicly
Medium impact • Coverage change
The variable for the recipient AWS account ID has been modified to use the recipientAccountId field from additional fields instead of from target resource attribute labels, improving accuracy of data retrieval.
aws_s3_made_public_by_acl
Medium impact • Coverage change
Updated the extraction of recipient AWS account ID to use 'additional.fields' instead of 'target.resource.attribute.labels'.
aws_s3_public_access_block_removed
Medium impact • Coverage change
Updated the extraction of recipient AWS account ID to use 'additional.fields' instead of 'target.resource.attribute.labels'.
aws_saml_identity_provider_changes
Medium impact • Coverage change
Updated the field reference for recipient AWS account ID from target resource attribute labels to additional fields for better data retrieval.
aws_security_group_open_to_world
Medium impact • Coverage change
Changed the reference for recipient AWS account ID from target resource attribute labels to additional fields to ensure consistency in data usage.
aws_ses_service_modification
Medium impact • Coverage change
Updated the extraction of recipient AWS account ID from resource attribute labels to additional fields for better accuracy.
aws_user_creates_permanent_access_key
Medium impact • Coverage change
Changed the method of retrieving recipient AWS account ID, ensuring consistency with other rules' data extraction methods.
SigmaHQ/sigma (+1, ✎8)
A new rule has been added to detect exploitation attempts of CVE-2024-49113, targeting 'Application Error' logs for lsass.exe and WLDAP32.dll. This high-impact change enhances coverage against specific threats. Several existing rules have been modified, with metadata adjustments indicating improved confidence in detection capabilities for various threats, such as FortiOS SSL VPN exploitation (CVE-2022-42475), Qakbot malware behavior, ScreenConnect remote access tool execution, tampering with shell context menu commands, and changes in Bitbucket security configurations.
The modifications include upgrades in rule status from 'experimental' to 'test' for increased reliability and readiness, emphasizing performance optimizations to reduce false positives and enhance detection accuracy. These changes improve overall detection quality against emerging threats and suspicious activities across different telemetry sources.
+ New rules
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
High impact • Coverage change
New rule added to detect exploitation attempts of CVE-2024-49113, specifically targeting 'Application Error' logs for lsass.exe and WLDAP32.dll.
✎ Modified rules
Exploitation Indicator Of CVE-2022-42475
Medium impact • Metadata change
Promoted rule status from 'experimental' to 'test' to indicate improved confidence in its detection capability.
Qakbot Regsvr32 Calc Pattern
Medium impact • Metadata change
Promoted rule status from 'experimental' to 'test' reflecting enhanced reliability in detecting specific malicious behavior.
Remote Access Tools ScreenConnect Child Process Execution
Medium impact • Metadata change
Promoted rule status from 'experimental' to 'test', signifying improved reliability for detecting remote binary or command execution via the ScreenConnect Service.
Shell Context Menu Command Tampering
Medium impact • Metadata change
Promoted rule status from 'experimental' to 'test', indicating a more reliable detection capability for changes to shell context menu commands.
Bitbucket Global SSH Settings Changed
Medium impact • Metadata change
Changed rule status from 'experimental' to 'test' to indicate a more stable level of confidence in its detection capabilities.
Bitbucket Audit Log Configuration Updated
Medium impact • Metadata change
Changed rule status from 'experimental' to 'test' reflecting improved reliability and readiness for broader usage.
Bitbucket Project Secret Scanning Allowlist Added
Medium impact • Metadata change
The status field was changed from 'experimental' to 'test', indicating a promotion in the rule's status.
Bitbucket Secret Scanning Exempt Repository Added
Medium impact • Metadata change
The status field was changed from 'experimental' to 'test', indicating a promotion in the rule's status.
anvilogic-forge/armory (+1)
A new detection rule, "Potential CVE-2024-49113 - LDAPNightmare," has been added to enhance coverage. This rule focuses on LDAP Denial of Service events related to lsass.exe and WLDAP32.dll in application error logs, targeting CVE-2024-49113 specifically.
+ New rules
Potential CVE-2024-49113 - LDAPNightmare
Medium impact • Coverage change
New detection rule added for CVE-2024-49113, focusing on LDAP Denial of Service events related to lsass.exe and WLDAP32.dll during application error logs.
panther-labs/panther-analysis (+2, ✎2)
Two new rules were added to enhance coverage and performance. The first rule, "GitHub Repository Ruleset Modified," monitors modifications to GitHub repository rulesets. A corresponding Python script was created to handle various GitHub repository events, enhancing the "GitHub Repository Ruleset Modified Python Logic" rule. In modified rules, the S3 access IP allowlist check now supports IPv6 addressing for improved coverage. Additionally, in the "Okta New Behavior Accessing Admin Console" rule, direct access to logOnlySecurityData fields was replaced with a helper function (deep_get) to enhance readability and consistency. These changes ensure more comprehensive detection and better rule implementation in both cases.
+ New rules
GitHub Repository Ruleset Modified
Low impact • Coverage change
Introduced a new detection rule for monitoring modifications to GitHub repository rulesets.
GitHub Repository Ruleset Modified Python Logic
Low impact • Performance change
Created the corresponding Python script for the detection rule handling various GitHub repository events.
✎ Modified rules
AWS S3 Access IP Allowlist - Python Implementation
Medium impact • Coverage change
Updated the S3 access IP allowlist check to support IPv6 addressing.
Okta New Behavior Accessing Admin Console
Medium impact • Coverage change
Switched from direct access to logOnlySecurityData fields to using a helper function deep_get for better readability and consistency.
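The two Panther changes above (IPv6 support in the S3 access IP allowlist check, and the deep_get helper) are illustrated by this added example, which is not panther-analysis code: an IPv4-only allowlist check beside a version-agnostic one, with a hypothetical deep_get and a constructed event layout (the remoteip field name is assumed).

```python
import ipaddress
from typing import Any, Iterable, List, Optional, Union

# Constructed allowlist: an IPv4 range, a single IPv4 host and an IPv6 prefix.
ALLOWED_NETWORKS = ["203.0.113.0/24", "198.51.100.7", "2001:db8:abcd::/48"]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Hypothetical helper in the spirit of the deep_get mentioned in the
    digest: walk nested dicts and return `default` if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def ipv4_only_allowed(remote_ip: str, allowed: Iterable[str]) -> bool:
    """Weak form: IPv4-only types. Any IPv6 client (or IPv6 allowlist
    entry) raises ValueError, so the rule errors instead of evaluating."""
    addr = ipaddress.IPv4Address(remote_ip)
    return any(addr in ipaddress.IPv4Network(net) for net in allowed)


def weak_check_errors_on(remote_ip: str) -> bool:
    """True if the IPv4-only check cannot evaluate this address at all."""
    try:
        ipv4_only_allowed(remote_ip, ["203.0.113.0/24"])
        return False
    except ValueError:
        return True


def parse_client_ip(remote_ip: str) -> Optional[IPAddress]:
    """Version-agnostic parse. IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped
    so a dual-stack client is judged against the IPv4 allowlist entries."""
    try:
        addr = ipaddress.ip_address(remote_ip.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr


def is_allowed(remote_ip: str, allowed: Iterable[str]) -> bool:
    """Hardened form: handles IPv4 and IPv6; unparseable input fails closed."""
    addr = parse_client_ip(remote_ip)
    if addr is None:
        return False
    for net in allowed:
        network = ipaddress.ip_network(net, strict=False)
        # `in` across address families returns False rather than raising.
        if addr in network:
            return True
    return False


def rule(event: dict) -> bool:
    """Alert when an S3 access comes from outside the allowlist.
    The `remoteip` field name and event layout are assumptions."""
    remote_ip = deep_get(event, "remoteip")
    if remote_ip is None or remote_ip == "-":
        return False  # no client address recorded; nothing to judge
    return not is_allowed(remote_ip, ALLOWED_NETWORKS)


# Constructed sample events covering the IPv6 cases the old check missed.
SAMPLE_EVENTS = [
    {"remoteip": "203.0.113.45"},         # IPv4 inside allowlist
    {"remoteip": "2001:db8:abcd:1::10"},  # IPv6 inside allowlist
    {"remoteip": "::ffff:198.51.100.7"},  # IPv4-mapped form of an allowed host
    {"remoteip": "2001:db8:ffff::1"},     # IPv6 outside allowlist -> alert
    {"remoteip": "192.0.2.9"},            # IPv4 outside allowlist -> alert
]


def run_samples() -> List[bool]:
    """Evaluate the rule over the constructed events."""
    return [rule(e) for e in SAMPLE_EVENTS]
```

Note that the weak form does not merely miss IPv6 clients: it raises on them, so the rule stops evaluating and produces no verdict at all.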
splunk/security_content (✎4)
In the recent updates to detection rules:
The "Windows Process with Netexec Command Line Parameters" rule was modified to include drilldown searches for destination and user parameters, improving investigation capabilities.
The "Remote Access Software Usage Detection" rule was updated with new drilldown options for detailed search capabilities and refined detection logic based on user destination.
In the "Detect Remote Access Software Usage Registry" rule, the macro name was changed and field types were updated to align with the Endpoint data model's Registry node, enhancing accuracy.
Additionally, the "Windows Process with NetExec Command Line Parameters" rule now incorporates CrowdStrike ProcessRollup2 as an additional data source, augmenting detection capabilities.
✎ Modified rules
Windows Process with Netexec Command Line Parameters
Medium impact • Coverage change
Added drilldown searches to enhance investigation capabilities for the detection results related to destination and user parameters.
Remote Access Software Usage Detection
Medium impact • Coverage change
Added drilldowns to provide more detailed search capabilities based on the original detection logic and user destination.
Detect Remote Access Software Usage Registry
Medium impact • Coverage change
Updated the macro name from remote_access_software_usage_exception_filter to remote_access_software_usage_exceptions and changed field types for various observable attributes to align with the Registry node of the Endpoint data model.
Windows Process with NetExec Command Line Parameters
Medium impact • Coverage change
Added CrowdStrike ProcessRollup2 as an additional data source to enhance detection capability.
sublime-security/sublime-rules (+4, ✎26)
Several high-impact changes have been made to enhance threat detection capabilities. New rules were added to target emerging threats, such as detecting Google Drive sharing from new domains and identifying phishing campaigns using Zoho Invoice services. Performance improvements include adding conditions like 'incoming transmission' to existing rules and updating regex patterns for more accurate detection, such as adding 'hulu.jp' to domain checks. The modifications also focus on reducing false positives and improving accuracy by refining conditions for organization domains, enhancing attachment handling for voicemail phishing, and adding new conditions for subject verification and attachment hashing to bolster detection logic.
Additionally, specific optimizations were implemented, like reformatted logical checks for improved readability and regex pattern updates to match spam-containing HTML content. Rules were adjusted to strengthen detection logic by excluding legitimate emails, enhancing detection of impersonation attempts through additional conditions, and improving criteria for detecting suspicious indicators in email bodies. Further refinements include checking for specific patterns related to payment methods and address structures, ultimately enhancing the precision and coverage of threat detection capabilities.
+ New rules
Service Abuse: Google Drive Share From New Reply-To Domain
Medium impact • Coverage change
New detection rule created to identify Google Drive sharing notifications from recently registered domains that do not match organizational domains.
Mass Outbound Group With Free File Host Domain
Medium impact • Coverage change
New rule created to detect when a sender contacts multiple unique domains with links to known free file hosting services.
Callback phishing via Zoho service abuse
Medium impact • Coverage change
A new detection rule has been created to identify callback phishing campaigns that misuse Zoho Invoice services to distribute fraudulent invoices.
Spam: Sexually Explict Google Group Invitation
Low impact • Coverage change
New detection rule added to identify Google Groups invitations with inappropriate content or suspicious patterns, specifically targeting non-organizational domains.
✎ Modified rules
MS Infrastructure Abuse Detection
High impact • Coverage change
Added condition to check that return-path domain is not in organization domains to strengthen the detection logic.
link_credential_phishing_voicemail_language
Medium impact • Coverage change
Added 'incoming transmission' to the detection pattern of the rule.
Impersonation ShareFile Detection Rule
Medium impact • Coverage change
Updated the condition for header fields to include additional checks for 'x-sf-messageclass' and 'x-sf-uri'.
link_sharepoint_sus_name
Medium impact • Coverage change
Added a condition to detect generic document names along with suspicious indicators regarding email impersonation.
spam_attendee_list_solicitation
Medium impact • Coverage change
Added new string conditions to enhance detection logic for spam solicitations.
impersonation_microsoft_credential_theft
Medium impact • Coverage change
Updated the logic to include additional checks for microsoft.onmicrosoft.com domains and adjusted spam profiles for clarity.
cc_infra_abuse
Medium impact • Coverage change
Removed a condition for hops index in the cc_infra_abuse rule's authentication details logic, streamlining the detection criteria.
Credential Phishing Fake Email Quarantine Notification
Medium impact • Coverage change
Updated regex pattern to include additional phrases for detection improvements.
Brand Impersonation - Hulu
Medium impact • Coverage change
Updated the sender email domain conditions to include 'hulu.jp' and 'hulu-japan.jp' alongside previous domains.
Link Google Open Redirect with Suspicious Indicators
Medium impact • Coverage change
The condition for negating authenticated Google messages was updated to include an additional local part 'comments-noreply'.
Impersonation Human Resources
Medium impact • Coverage change
Modified detection logic to include additional suspicious indicators related to email body links that contain all caps text.
spam_attendee_list_solicitation
Medium impact • Coverage change
Updated regex patterns to enhance detection of solicitation language and added additional variations for the email list context.
Spam Image Hidden Element Detection
Medium impact • Coverage change
Updated regex patterns for matching various HTML structures related to spam image elements and improved detection of hidden elements via CSS styles.
Impersonation Detection for Amazon
Medium impact • Coverage change
The rule has had specific email domains removed and added to the sender's root domain checks, refining detection logic for impersonation attempts related to Amazon.
Impersonation Detection for Microsoft Services
Medium impact • Coverage change
Added 'skype.com' to the list of monitored domains for impersonation detection.
Callback Phishing Intuit
Medium impact • Coverage change
Enhanced detection logic by adding new regex conditions to identify specific payment methods and potential address patterns associated with Norton.
Impersonation DocuSign Detection
Medium impact • Coverage change
Updated regex to enhance matching of DocuSign HTML content in email bodies by allowing any attributes within the font tag.
link_google_notification_untrusted_sender
Medium impact • Coverage change
Updated detection logic to include additional condition for subject verification by allowing partial matches with 'verification'.
Impersonation Fake Message Thread Mismatched From Freemail Reply-To
Medium impact • Coverage change
Reformatted logical checks for headers, including exclusions for mailing lists. Enhanced structure for readability.
link_credential_phishing_voicemail_language
Medium impact • Coverage change
Enhanced attachment handling by accounting for distinct MD5 hashes, and improved regex patterns for phishing detection within voicemail-related communications.
Spam detection for onmicrosoft domains
Medium impact • Coverage change
Updated the rule logic to exclude legitimate emails from 'microsoft.onmicrosoft.com' when SPF passes and URLs point to 'microsoft.com'.
spam_item_giveaway
Medium impact • Coverage change
Updated the regex pattern to include additional conditions for matching spam-containing HTML content.
Impersonation SharePoint Fake File Share
Medium impact • Coverage change
Added a condition to ensure that any Sharepoint link does not match any organization's second-level domains (SLDs).
Impersonation DocuSign Detection Rule
Medium impact • Coverage change
Added an additional condition to check if the display text contains the term 'docusign' for enhanced detection of related impersonation attempts.
Brand Impersonation - SiriusXM
Medium impact • Coverage change
Updated the root_domain exclusions to include 'engagement360.net' to cover potential threats from SiriusXM survey vendors.
spam_fake_photo_share
Medium impact • Coverage change
Updated detection logic to include new keywords 'new pics' and enhanced conditions for string matching in the email body.
SophosRapidResponse/OSQuery (✎1)
The 'MS Office diagnostic logs' rule was altered to remove references to a specific CVE and an external link, simplifying the rule context. The change is rated medium impact because critical context related to CVE-2022-30190 was removed. The modification was made in the file "Artefacts/Office/office.02.0 - MS Office diagnostic logs.sql".
This is a deliberate simplification of the rule's context that may reduce the coverage and contextual understanding of detections related to MS Office diagnostic logs. Teams relying on the rule should weigh the implications of losing the CVE-2022-30190 reference.
✎ Modified rules
MS Office diagnostic logs
Medium impact • Coverage change
Removed references to specific CVE and external link, simplifying rule context. Critical context removed regarding CVE-2022-30190.
Yamato-Security/hayabusa-rules (+1, ✎10)
A new high-impact Sigma rule was added to detect exploitation attempts of CVE-2024-49113, focusing on 'Application Error' logs linked to lsass.exe and WLDAP32.dll. Additionally, several rule modifications were made to enhance accuracy and reduce false positives. Changes include refining rule descriptions for ZipSlip vulnerability, Qakbot behavior, and Evil-WinRM Execution. Metadata updates across various rules indicate improved detection reliability, stability, and validation, particularly addressing malicious command combinations, file encoding suspicions, and specific malware executions like Qakbot and Raspberry-Robin. Rule statuses were upgraded from experimental to test for increased confidence and refined detection capabilities, specifically targeting exploits such as CVE-2024-1708 and CVE-2024-1709.
+ New rules
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
High impact • Coverage change
New Sigma rule created to detect exploitation attempts of CVE-2024-49113, focusing on 'Application Error' logs related to lsass.exe and WLDAP32.dll.
✎ Modified rules
win_security_exploit_cve_2024_1708_screenconnect
High impact • Metadata change
Changed rule status from experimental to test and refined the description detailing file modifications related to the ZipSlip vulnerability.
proc_creation_win_malware_qakbot_regsvr32_calc_pattern
Medium impact • Metadata change
Changed rule status from experimental to test and updated description for clarity on behavior associated with Qakbot.
Detect Evil-WinRM Execution
Medium impact • Metadata change
Changed the status from experimental to test, indicating a refinement in detection reliability.
Detect Suspicious File Encoding with Certutil
Medium impact • Metadata change
Updated status from experimental to test, suggesting improved confidence in the rule's detection capabilities.
proc_creation_win_certutil_encode_susp_location
Medium impact • Metadata change
Updated rule status from experimental to test, indicating a more stable and tested phase. Adjusted metadata related to the rule's execution context and purpose.
proc_creation_win_cmd_ping_copy_combined_execution
Medium impact • Metadata change
Changed rule status from experimental to test, suggesting enhanced reliability and validation. Involves detecting a specific combination of commands that may signal malicious activity.
proc_creation_win_malware_qakbot_regsvr32_calc_pattern
Medium impact • Metadata change
Updated status from experimental to test and clarified the command line being detected related to Qakbot.
file_event_win_exploit_cve_2024_1708_screenconnect
Medium impact • Metadata change
Changed status from experimental to test while maintaining the detection focus on file modifications tied to CVE-2024-1708 exploitation.
File Event Win Exploit CVE-2024-1709 User Database Modification
Medium impact • Metadata change
Updated rule status from experimental to test and clarified description regarding the exploitation of CVE-2024-1709.
Proc Creation Win Malware Raspberry Robin
Medium impact • Metadata change
Changed rule status from experimental to test while retaining the core logic of detecting CPL file execution.
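The CVE-2024-49113 rule added this week to SigmaHQ/sigma, anvilogic-forge/armory and Yamato-Security/hayabusa-rules keys on one signal: an 'Application Error' record that names both lsass.exe and WLDAP32.dll. As an added example (not any of those repositories' rule files), here is that matching logic in Python run over constructed event records; the field names follow the Sigma windows/application convention, and the sample versions and exception codes are made up.

```python
from typing import Dict, Iterable, List, Union

# Constructed records in a flattened Windows Application log shape. Field names
# follow Sigma's windows/application convention (an assumption here); Event ID
# 1000 is the standard 'Application Error' crash event. Data holds the faulting
# application, its version, the faulting module, its version and the exception
# code; version strings and codes below are constructed placeholders.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"Provider_Name": "Application Error", "EventID": 1000,        # 0: match
     "Data": ["lsass.exe", "10.0.0.0", "WLDAP32.dll", "10.0.0.0", "c0000005"]},
    {"Provider_Name": "Application Error", "EventID": 1000,        # 1: other module
     "Data": ["lsass.exe", "10.0.0.0", "ntdll.dll", "10.0.0.0", "c0000374"]},
    {"Provider_Name": "Application Error", "EventID": 1000,        # 2: other process
     "Data": ["svchost.exe", "10.0.0.0", "WLDAP32.dll", "10.0.0.0", "c0000005"]},
    {"Provider_Name": "Windows Error Reporting", "EventID": 1001,  # 3: WER follow-up
     "Data": ["lsass.exe", "WLDAP32.dll"]},
    {"Provider_Name": "Application Error", "EventID": 1000,        # 4: case differs
     "Data": ["LSASS.EXE", "10.0.0.0", "wldap32.dll", "10.0.0.0", "c0000005"]},
]


def contains_all(data: Union[str, Iterable[object]], needles: Iterable[str]) -> bool:
    """Sigma-style 'contains|all': each needle occurs, case-insensitively,
    somewhere in the Data list (or in a single Data string)."""
    parts = [data] if isinstance(data, str) else list(data)
    lowered = [str(p).lower() for p in parts]
    return all(any(n.lower() in p for p in lowered) for n in needles)


def is_ldap_nightmare_crash(event: Dict[str, object]) -> bool:
    """True for an Application Error (EventID 1000) record that names both
    lsass.exe and WLDAP32.dll, the crash signature the digest's rule targets.
    Checking provider and event ID first keeps WER follow-up events and
    unrelated processes that also load WLDAP32.dll from matching."""
    if event.get("Provider_Name") != "Application Error":
        return False
    if event.get("EventID") != 1000:
        return False
    return contains_all(event.get("Data", []), ["lsass.exe", "WLDAP32.dll"])


def triage(events: Iterable[Dict[str, object]]) -> List[int]:
    """Return the indexes of records that should raise an alert."""
    return [i for i, e in enumerate(events) if is_ldap_nightmare_crash(e)]
```

Records 1 to 3 are the near misses worth keeping in a rule's test set: an lsass crash in a different module, a different process faulting in WLDAP32.dll, and the Windows Error Reporting event that follows a crash.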
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we’d love to hear from you. Reach out to us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Powered by
This digest is brought to you in collaboration with BlackStork.io, combining their content generation tech with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of the newsletter or interested in licensing your own hosted instance? We’d be happy to help — reach out to us.