Detections Digest #20250120
This issue highlights updates from 9 GitHub repositories — 29 new and 76 modified rules between Jan 13 and Jan 20, 2025.
This week's edition showcases the most significant detection rule updates from 9 of the 40+ GitHub repositories we monitor, covering changes made between Jan 13 and Jan 20, 2025.
During this period, contributors across these repositories added 29 new rules and updated 76 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Increase in AWS detection rules for potential high-risk activities — Multiple rules were added to detect unusual AWS activities like S3 encryption with SSE-C and SNS topic publishing by rare users (elastic/detection-rules, splunk/security_content).
Strengthening process and binary monitoring on Linux systems — New rules and updates focus on GRUB configuration changes, process name changes via prctl, and permission changes on system binaries, enhancing threat detection in Linux environments (elastic/detection-rules, Neo23x0/signature-base, chainguard-dev/osquery-defense-kit).
Improving detection of external influences on cloud components — Rules have been updated to better monitor suspicious logins in Azure and persistent IAM activities in AWS, reflecting an increased focus on cloud security posture (SigmaHQ/sigma, splunk/security_content).
Expanding coverage in phishing and digital communication security — New detections target suspicious email patterns, open redirects, and exploitation through emails, aiming to reduce risks from phishing and BEC attacks (sublime-security/sublime-rules, chainguard-dev/osquery-defense-kit).
Revisions enhance telemetry and data source integration for AWS events — Updates across multiple rules in the splunk/security_content repository incorporate ASL AWS CloudTrail to fortify AWS event monitoring.
Enhanced detection for potential brute force activities — New and updated rules focus on identifying brute force login attempts by username and IP, raising awareness of unauthorized access attempts (panther-labs/panther-analysis).
YARA and signature rules updated for immediate APT response — New rule tracks wmRAT activities while existing rules refine conditions to bolster malware detection via YARA signatures (Neo23x0/signature-base).
Increased focus on exploitation prevention in local environments — New rules added to detect remote code execution attempts and modify detection criteria targeting exploit and privilege escalation strategies (falcosecurity/rules, chainguard-dev/osquery-defense-kit).
Table of Contents
elastic/detection-rules (+15, ✎1)
SigmaHQ/sigma (+2, ✎4)
panther-labs/panther-analysis (+2, ✎3)
splunk/security_content (✎28)
falcosecurity/rules (+1)
sublime-security/sublime-rules (+7, ✎10)
chainguard-dev/osquery-defense-kit (+1, ✎27)
Yamato-Security/hayabusa-rules (✎1)
Neo23x0/signature-base (+1, ✎2)
Corporate repositories (8)
elastic/detection-rules (+15, ✎1)
https://github.com/elastic/detection-rules
A high-impact update introduces two new rules targeting AWS S3 objects encrypted with Server-Side Encryption using Customer-Provided Keys (SSE-C). One rule flags any such encryption as unusual, and the other is a threshold rule that fires when it is observed more than 15 times in a short window; both aim at identifying potential ransomware activity, since data encrypted with a key the attacker supplies cannot be recovered by the bucket owner. Additionally, a new rule identifies suspicious child processes of communication apps, directing attention to possible masquerading or code execution.
To further enhance detection capabilities, rules now cover potential AWS SQS queue purges and sensitive audit policy modifications. A rule targeting process name stomping via the prctl syscall has also been introduced, improving response to evasion tactics. Modifications to existing rules include an updated description and focus for "AWS EC2 Instance Connect SSH Public Key Uploaded" to better capture lateral movement attempts.
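As an added illustration of the SSE-C logic described above (not Elastic's rule and not code from the repository), the following Python evaluates constructed CloudTrail S3 data events: it keys on the customer-algorithm request header that PutObject and CopyObject carry when SSE-C is used, and applies a per-identity sliding-window threshold. The five-minute window, the identity field used as the key, and the event shapes are assumptions made for the example.

```python
"""Added example (not Elastic's rule): find CloudTrail S3 data events that wrote an
object with SSE-C and raise a threshold alert when one identity does so repeatedly.
Event shapes below are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
ENCRYPTING_ACTIONS = {"PutObject", "CopyObject"}
THRESHOLD = 15                     # "more than 15" as described above
WINDOW = timedelta(minutes=5)      # assumption: the page does not state the window


def is_ssec_write(event: dict) -> bool:
    """True for a PutObject/CopyObject whose request carried an SSE-C key."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in ENCRYPTING_ACTIONS:
        return False
    params = event.get("requestParameters") or {}
    # SSE-C is signalled by the customer-algorithm header; the key itself never
    # reaches CloudTrail, which is exactly why the data is unrecoverable later.
    return params.get(SSEC_HEADER) == "AES256"


def actor(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or "unknown"


def parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events):
    """Return (every SSE-C write, [(actor, count)] for actors over THRESHOLD in WINDOW)."""
    hits = [e for e in events if is_ssec_write(e)]
    by_actor = defaultdict(list)
    for e in hits:
        by_actor[actor(e)].append(parse_time(e["eventTime"]))
    alerts = []
    for who, times in by_actor.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > WINDOW:
                lo += 1
            if hi - lo + 1 > THRESHOLD:
                alerts.append((who, hi - lo + 1))
                break                           # one alert per actor is enough
    return hits, alerts


def make_event(name, arn, when, ssec=True):
    """Constructed CloudTrail-style S3 data event (only the fields used above)."""
    params = {"bucketName": "finance-exports", "key": f"q4/{when.timestamp():.0f}.csv"}
    if ssec:
        params[SSEC_HEADER] = "AES256"
    else:
        params["x-amz-server-side-encryption"] = "aws:kms"
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "userIdentity": {"arn": arn}, "requestParameters": params}


T0 = datetime(2025, 1, 15, 3, 0, tzinfo=timezone.utc)
ATTACKER = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed identity
ADMIN = "arn:aws:iam::123456789012:user/alice"          # constructed identity
SAMPLE_EVENTS = (
    [make_event("PutObject", ATTACKER, T0 + timedelta(seconds=5 * i)) for i in range(17)]
    + [make_event("CopyObject", ADMIN, T0 + timedelta(minutes=1))]              # single hit
    + [make_event("PutObject", ADMIN, T0 + timedelta(minutes=2), ssec=False)]   # SSE-KMS, ignored
    + [{"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventTime": "2025-01-15T03:02:30Z", "userIdentity": {"arn": ADMIN},
        "requestParameters": {SSEC_HEADER: "AES256"}}]                          # a read, ignored
)

if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    print(len(hits), "SSE-C writes;", alerts)
```

The first rule corresponds to every element of `hits`; the threshold rule corresponds to `alerts`. In production you would key on the session or access key as well as the ARN, because a single stolen key used from many sessions is the common ransomware shape.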
+ New rules:
Unusual AWS S3 Object Encryption with SSE-C
High impact • Coverage change
New rule added to identify when AWS S3 objects are encrypted using Server-Side Encryption with Customer-Provided Keys (SSE-C), which could indicate potential ransomware activity.
Excessive AWS S3 Object Encryption with SSE-C
High impact • Coverage change
New threshold rule created to flag excessive encryption of AWS S3 objects using SSE-C, indicating possible malicious activity when the behavior is observed more than 15 times in a short time-frame.
Suspicious Communication App Child Process
Medium impact • Coverage change
New rule to identify suspicious child processes of communications apps, which may indicate masquerading or code execution exploitation.
AWS SQS Queue Purge
Medium impact • Coverage change
Introduced a new detection rule to identify when an AWS SQS queue is purged, aiming to enhance coverage against potential malicious activities.
Potential Process Name Stomping with Prctl
Medium impact • Coverage change
A new rule was introduced to detect potential process name stomping via the prctl syscall, focusing on changes made to a process's name to evade detection.
Sensitive Audit Policy Sub-Category Disabled
Medium impact • Coverage change
This rule detects attempts to disable auditing for sensitive audit policy sub-categories, which may indicate evasion tactics employed by attackers.
SNS Topic Message Publish by Rare User
Medium impact • Coverage change
A new detection rule was added to identify when an SNS topic message is published by a rare user in AWS, reflecting potential adversarial behavior.
System Binary Path File Permission Modification
Low impact • Coverage change
This rule was added to identify file permission modification events on files located in common system binary paths to detect potential adversary activities.
GRUB Configuration Generation through Built-in Utilities
Low impact • Coverage change
A new detection rule has been added to identify the generation of a GRUB configuration file using built-in Linux commands, which may be exploited by attackers for persistence.
GRUB Configuration File Creation
Low impact • Coverage change
This rule detects the creation of GRUB configuration files on Linux systems, which may indicate malicious modification of the boot configuration for persistence.
AWS EC2 Deprecated AMI Discovery
Low impact • Coverage change
New rule created to detect queries for deprecated Amazon Machine Images (AMIs) in AWS, which may indicate an attempt to locate images with known, unpatched vulnerabilities.
Suspicious Path Invocation from Command Line
Low impact • Coverage change
This new rule detects shell processes that invoke a PATH variable on the command line, which may indicate unauthorized activity or an evasion attempt.
Kernel Seeking Activity
Low impact • Coverage change
This rule detects kernel seeking activity through several built-in Linux utilities, which may indicate an attacker examining the running kernel in preparation for an exploit.
Kernel Unpacking Activity
Low impact • Coverage change
This rule detects kernel unpacking activity through several built-in Linux utilities, monitoring for the unpacking of kernel images and modules, which an attacker may do to search them for vulnerabilities.
Process Started with Executable Stack
Low impact • Coverage change
A new detection rule was introduced to monitor system logs for processes started with an executable stack, indicating potential security risks.
✎ Modified rules:
AWS EC2 Instance Connect SSH Public Key Uploaded
Medium impact • Metadata change
Updated the rule description and added a new threat tactic regarding lateral movement. The rule's filename was also changed to reflect its updated focus.
SigmaHQ/sigma (+2, ✎4)
https://github.com/SigmaHQ/sigma
New detection rules have been added to enhance coverage against emerging threats. The rule for Azure Login Bypassing Conditional Access Policies identifies successful logins through the Microsoft Intune Company Portal that may be used to bypass Conditional Access Policies, while the rule for Suspicious Invocation of Shell via Rsync detects a shell spawned by rsync without the -e flag that would normally explain it.
Modified rules include updating the 'Shell Execution via Rsync - Linux' rule to target rsync instead of gcc and considering more shell varieties in command line checks, improving detection accuracy. The rule for Exploit Framework User Agent has added a new Havoc C2 user agent, and the rule for Volume Shadow Copy suspicious activity now excludes benign cases involving vcredist execution. Additionally, the rule for potential CVE-2023-36874 exploitation now filters for file creation in specific system directories.
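To make the rsync logic concrete, here is an added Python evaluator (not the Sigma rule itself) over constructed process-creation events. It flags a shell whose parent is rsync unless rsync's own command line requested a remote shell. Treating --rsh and bundled short options such as -ave the same as -e is my generalization, not something the page says the Sigma rule does; the shell list and the event field names are assumptions.

```python
"""Added example (not the Sigma rule): evaluate process-creation events for a shell
spawned by rsync when rsync was not asked to run a remote shell. Events are constructed."""
import shlex

# assumption: shells worth matching as the child image
SHELLS = ("/bash", "/sh", "/dash", "/zsh", "/fish", "/ksh", "/csh", "/tcsh")


def requests_remote_shell(rsync_cmdline: str) -> bool:
    """True if rsync's argv asks for a remote shell (-e / --rsh), which legitimately
    makes rsync run a shell command such as ssh. Bundled short options (-ave) count too;
    that and --rsh are generalizations beyond the '-e' described on the page."""
    try:
        argv = shlex.split(rsync_cmdline)
    except ValueError:          # unbalanced quotes in telemetry: treat as no flag
        return False
    for arg in argv[1:]:
        if arg == "--":
            break               # everything after is a path, not an option
        if arg.startswith("--"):
            if arg == "--rsh" or arg.startswith("--rsh="):
                return True
        elif arg.startswith("-") and len(arg) > 1:
            if "e" in arg[1:]:  # -e, -essh, -ave ...
                return True
    return False


def is_suspicious_rsync_shell(ev: dict) -> bool:
    """Parent is rsync, child is a shell, and rsync had no reason to spawn one."""
    if not ev["parent_image"].endswith("/rsync"):
        return False
    if not ev["image"].endswith(SHELLS):
        return False
    return not requests_remote_shell(ev["parent_cmdline"])


def evaluate(events):
    return [is_suspicious_rsync_shell(e) for e in events]


# constructed events: (parent image, parent command line, child image)
SAMPLE_EVENTS = [
    {"parent_image": "/usr/bin/rsync", "image": "/bin/sh",
     "parent_cmdline": "rsync -avz -e ssh ./site deploy@203.0.113.5:/srv/www"},   # -e given
    {"parent_image": "/usr/bin/rsync", "image": "/bin/dash",
     "parent_cmdline": "rsync -ave 'ssh -p 2222' ./site host:/srv"},              # bundled -e
    {"parent_image": "/usr/bin/rsync", "image": "/bin/sh",
     "parent_cmdline": "rsync --rsh=ssh ./site host:/srv"},                        # long form
    {"parent_image": "/usr/bin/rsync", "image": "/bin/bash",
     "parent_cmdline": "rsync --daemon --no-detach"},                              # no -e: flag it
    {"parent_image": "/usr/bin/rsync", "image": "/usr/bin/ssh",
     "parent_cmdline": "rsync -avz ./site host:/srv"},                             # child not a shell
    {"parent_image": "/usr/bin/gcc", "image": "/bin/sh",
     "parent_cmdline": "gcc -o a a.c"},                                            # wrong parent
]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("SUSPICIOUS" if hit else "ok        ", ev["parent_cmdline"], "->", ev["image"])
```

The option-parsing edge cases are where a string-contains check on "-e" goes wrong in both directions: it misses `-ave`, and it matches unrelated arguments such as a path containing "-e".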
+ New rules:
Azure Login Bypassing Conditional Access Policies
High impact • Coverage change
A new detection rule was added to identify successful Microsoft Intune Company Portal logins that may bypass Conditional Access Policies.
Suspicious Invocation of Shell via Rsync
High impact • Coverage change
A new rule was added to detect the execution of a shell as a subprocess of 'rsync' without the expected command line flag '-e', indicating potential exploitation.
✎ Modified rules:
Shell Execution via Rsync - Linux
High impact • Coverage change
Updated the detection logic to target 'rsync' instead of 'gcc' and made the rule more generic by including additional shells in the command line checks.
Exploit Framework User Agent
Medium impact • Coverage change
Updated the last modified date to 2025-01-18 and added a new user agent for the Havoc C2 framework under the detection section.
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Medium impact • Coverage change
Updated rule title and adjusted detection filters to include an exclusion for 'C:\ProgramData\Package Cache\{' to account for cases involving vcredist execution.
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Medium impact • Coverage change
Added a new filter for detecting file creation in the directory '\Windows\SoftwareDistribution\Download\'.
panther-labs/panther-analysis (+2, ✎3)
https://github.com/panther-labs/panther-analysis
The new rules "Standard.BruteForceByUser" and "Brute Force By User" enhance detection capabilities by targeting failed login attempts and brute force attacks using username-based thresholds, bringing medium-impact improvements in coverage. These additions provide context for alerting when users are targeted, strengthening defenses against targeted attacks.
The "Standard.BruteForceByIP" rule was revised to focus on tracking failed logins by IP address, which improves alignment with detection goals. The "Snowflake Stream Brute Force By IP" and "Snowflake Stream Brute Force by Username" rules now include logic to filter out overflow failure events and adjust severity classifications, which reduce false positives and improve clarity through specific error handling, both rated medium in impact.
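The threshold and overflow handling described above can be illustrated with an added Python example (not Panther's rule code) run over constructed Snowflake LOGIN_HISTORY-style rows. The threshold, the window, and the set of error messages that downgrade severity to INFO are assumptions; the OVERFLOW_FAILURE_EVENTS_ELIDED marker is the one named above.

```python
"""Added example (not Panther's rule): count failed logins per user and per source IP in
a sliding window, skip Snowflake's synthetic OVERFLOW_FAILURE_EVENTS_ELIDED rows, and
downgrade severity when the failures are not password guessing. Rows are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # assumption: the page does not give the threshold
WINDOW = timedelta(minutes=10)     # assumption
OVERFLOW = "OVERFLOW_FAILURE_EVENTS_ELIDED"   # Snowflake marker row, not a real attempt
# assumption: these messages mean the account is already locked or disabled, so a burst
# of them is noise rather than guessing; replace with whatever your tenant emits
DOWNGRADE_TO_INFO = {"USER_ACCESS_DISABLED", "USER_LOCKED_TEMP"}


def is_failed_login(row: dict) -> bool:
    if row.get("IS_SUCCESS") == "YES":
        return False
    # Snowflake writes one elided-overflow row in place of a flood of failures; it is
    # not a credential attempt and must not be counted or it inflates the total.
    return row.get("ERROR_MESSAGE") != OVERFLOW


class WindowCounter:
    """Fires once per key when THRESHOLD failures land inside WINDOW."""

    def __init__(self, key_field: str):
        self.key_field = key_field
        self.recent = defaultdict(deque)   # key -> deque[(time, error)]

    def feed(self, row: dict):
        key = row[self.key_field]
        when = datetime.fromisoformat(row["EVENT_TIMESTAMP"])
        q = self.recent[key]
        q.append((when, row.get("ERROR_MESSAGE")))
        while q and when - q[0][0] > WINDOW:
            q.popleft()
        if len(q) == THRESHOLD:            # == so a long run fires once, not on every row
            errors = {err for _, err in q}
            sev = "INFO" if errors <= DOWNGRADE_TO_INFO else "MEDIUM"
            return (key, len(q), sev)
        return None


def run(rows):
    """Return (alerts keyed by user, alerts keyed by source IP) as (key, count, severity)."""
    by_user, by_ip = WindowCounter("USER_NAME"), WindowCounter("CLIENT_IP")
    user_alerts, ip_alerts = [], []
    for row in rows:
        if not is_failed_login(row):
            continue
        if (a := by_user.feed(row)):
            user_alerts.append(a)
        if (a := by_ip.feed(row)):
            ip_alerts.append(a)
    return user_alerts, ip_alerts


def _row(i, user, ip, err="INCORRECT_USERNAME_PASSWORD", ok=False):
    """Constructed LOGIN_HISTORY-style row; rows are one second apart."""
    return {"EVENT_TIMESTAMP": (datetime(2025, 1, 16, 9, 0) + timedelta(seconds=i)).isoformat(),
            "USER_NAME": user, "CLIENT_IP": ip,
            "IS_SUCCESS": "YES" if ok else "NO", "ERROR_MESSAGE": None if ok else err}


SAMPLE_ROWS = [
    # alice: 5 real failures from three IPs plus one overflow marker (by-user alert)
    _row(0, "alice", "198.51.100.1"), _row(1, "alice", "198.51.100.1"),
    _row(2, "alice", "198.51.100.2"), _row(3, "alice", "198.51.100.2", err=OVERFLOW),
    _row(4, "alice", "198.51.100.2"), _row(5, "alice", "198.51.100.3"),
    # bob: 4 real failures plus an overflow marker, must stay below threshold
    _row(6, "bob", "198.51.100.4"), _row(7, "bob", "198.51.100.4"),
    _row(8, "bob", "198.51.100.4"), _row(9, "bob", "198.51.100.4"),
    _row(10, "bob", "198.51.100.4", err=OVERFLOW),
    # password spray: one IP, five users, one failure each (by-IP alert only)
    *[_row(11 + n, u, "203.0.113.9") for n, u in enumerate(["carol", "dave", "erin", "frank", "grace"])],
    # a disabled service account retried by a scheduler: noisy, downgraded to INFO
    *[_row(16 + n, "svc-report", "198.51.100.7", err="USER_ACCESS_DISABLED") for n in range(5)],
    _row(21, "alice", "198.51.100.1", ok=True),      # success, ignored
]

if __name__ == "__main__":
    users, ips = run(SAMPLE_ROWS)
    print("by user:", users)
    print("by ip:  ", ips)
```

Keying the same failures by user and by IP separately is what separates a targeted attack on one account (alice) from a spray across many accounts (203.0.113.9); neither view alone catches both.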
+ New rules:
Standard.BruteForceByUser
Medium impact • Coverage change
Introduced a new rule to detect failed login attempts by username, including necessary context for alerting.
Brute Force By User
Medium impact • Coverage change
Introduced a new detection rule for brute force attempts targeting specific users based on login failure thresholds.
✎ Modified rules:
Standard.BruteForceByIP
Medium impact • Coverage change
Updated the alert title logic to report the source IP instead of the username for failed logins, matching the field the rule keys on.
Snowflake Stream Brute Force By IP (Python)
Medium impact • Coverage change
Added additional condition to the login attempt check to ignore overflow failure events and a new severity function to downgrade specific errors to INFO.
Snowflake Stream Brute Force by Username (Python)
Medium impact • Coverage change
Updated login detection logic to exclude logs with ERROR_MESSAGE 'OVERFLOW_FAILURE_EVENTS_ELIDED' and added severity handling based on specific error messages.
splunk/security_content (✎28)
https://github.com/splunk/security_content
The recent rule updates significantly enhance AWS detection capabilities by incorporating ASL AWS CloudTrail as a primary data source. High-impact changes include adjusting the rules for detecting GetPasswordData API calls and StopLogging events, aiming to increase accuracy in credential access and logging cessation detection. Additionally, AWS S3 Bucket Versioning Suspension and EC2 Snapshot Sharing detections have been updated to better track unauthorized actions, leveraging CloudTrail data.
Several medium-impact updates focus on improving threat detection across various AWS services. These include monitoring unauthorized actions around IAM, such as access key creations, failed role assumptions, and unauthorized MFA modifications. Detection rules for AWS KMS key creation, IAM policy changes, and network access controls also utilize the new data source to identify potentially malicious activities. The updates reduce false positives and improve precision by using the contextual depth provided by CloudTrail telemetry.
✎ Modified rules:
asl_aws_credential_access_getpassworddata
High impact • Coverage change
Modified the rule to incorporate ASL AWS CloudTrail data source for detecting GetPasswordData API calls.
ASL AWS CloudTrail StopLogging Detection
High impact • Metadata change
Adjusted data source from an empty list to 'ASL AWS CloudTrail', enhancing the accuracy of the detection mechanism.
ASL AWS S3 Bucket Versioning Suspension Detection
High impact • Coverage change
Added AWS CloudTrail as a data source to enhance detection logic for suspending bucket versioning events.
ASL AWS EC2 Snapshot Shared Externally Detection
High impact • Coverage change
Added AWS CloudTrail as a data source to improve detection of EC2 snapshots shared outside the originating AWS account.
ASL AWS ECR Container Upload Unknown User
High impact • Coverage change
Added data source ASL AWS CloudTrail to monitor unauthorized container image uploads by unrecognized users to AWS Elastic Container Registry (ECR).
O365 Service Principal Privilege Escalation
Medium impact • Coverage change
Changed 'data_sources' from an empty array to include 'O365 Add app role assignment grant to user' for enhanced threat detection.
AWS Concurrent Sessions from Different IPs
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to enhance detection of concurrent sessions originating from different IPs.
AWS Create Access Key Detection
Medium impact • Coverage change
Incorporated ASL AWS CloudTrail as a data source to improve detection of unauthorized access key creation by users.
asl_aws_create_policy_version_to_allow_all_resources
Medium impact • Coverage change
Updated to include ASL AWS CloudTrail data source for detecting the creation of broad IAM policy versions.
ASL AWS Credential Access RDS Password Reset
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to enhance detection of unauthorized RDS password resets.
ASL AWS Defense Evasion Delete CloudTrail
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to support detection of AWS DeleteTrail events.
ASL AWS Defense Evasion - Delete CloudWatch Log Group
Medium impact • Coverage change
Updated data source to include 'ASL AWS CloudTrail' for improved logging detection capabilities.
ASL AWS Defense Evasion - Impair Security Services
Medium impact • Coverage change
Updated data source to include 'ASL AWS CloudTrail' to enhance detection of critical security services modification.
ASL AWS CloudTrail PutBucketLifecycle Detection
Medium impact • Metadata change
Updated data source from 'AWS CloudTrail PutBucketLifecycle' to 'ASL AWS CloudTrail' to reflect the new data ingestion process.
AWS CloudTrail UpdateTrail Detection
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to the detection rule for UpdateTrail events, enhancing the rule's capability to detect alterations in logging configurations.
AWS KMS Key Creation Detection
Medium impact • Coverage change
Incorporated ASL AWS CloudTrail as a data source for detecting the creation of KMS keys with broad encryption policies, improving threat detection coverage.
ASL AWS ECR Container Upload Outside Business Hours
Medium impact • Coverage change
Added data source ASL AWS CloudTrail to track uploads of new container images to AWS Elastic Container Registry (ECR) during non-business hours.
ASL AWS IAM AccessDenied Discovery Events
Medium impact • Coverage change
Updated data source to include ASL AWS CloudTrail, enabling more effective detection of AccessDenied events from AWS IAM users.
ASL AWS IAM Assume Role Policy Brute Force
Medium impact • Coverage change
Updated data source to include ASL AWS CloudTrail, improving detection capabilities for failed role assumption attempts.
ASL AWS IAM Delete Policy
Medium impact • Coverage change
The data source was updated to include 'ASL AWS CloudTrail' to enhance monitoring of AWS policy deletions.
ASL AWS IAM Failure Group Deletion
Medium impact • Coverage change
The data source was updated to include 'ASL AWS CloudTrail', allowing for better detection of failed attempts to delete AWS IAM groups.
asl_aws_iam_successful_group_deletion
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source for detecting successful deletion of AWS IAM groups.
asl_aws_multi_factor_authentication_disabled
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source for detecting attempts to disable multi-factor authentication (MFA) for AWS IAM users.
ASL AWS Network Access Control List Created with All Open Ports
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to the rule detecting the creation of AWS Network Access Control Lists with all ports open.
ASL AWS Network Access Control List Deleted
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to the rule detecting the deletion of AWS Network Access Control Lists.
ASL AWS New MFA Method Registered for User
Medium impact • Coverage change
The data source was updated to include ASL AWS CloudTrail, enhancing the rule's detection capabilities for MFA registration actions.
ASL AWS SAML Update Identity Provider
Medium impact • Coverage change
The data source was updated to include ASL AWS CloudTrail, strengthening the detection of updates to the SAML provider in AWS.
asl_aws_updateloginprofile
Medium impact • Coverage change
Added ASL AWS CloudTrail as a data source to enhance detection capabilities related to AWS user login profile updates.
falcosecurity/rules (+1)
https://github.com/falcosecurity/rules
+ New rules:
Netcat/Socat Remote Code Execution on Host
High impact • Coverage change
New detection rule added to identify remote code execution via Netcat or Socat programs on the host.
sublime-security/sublime-rules (+7, ✎10)
https://github.com/sublime-security/sublime-rules
New rules have been added to address emerging threats. These include detecting open redirect chains in YouTube and Meta to prevent phishing, monitoring urgent language and suspicious sending patterns for BEC attacks, and identifying excessive URL padding indicative of phishing. Rules also now target links to sensitive directories and suspicious Looker Studio reports. Additionally, a new rule alerts on impersonation related to Chrome Web Store policy emails.
Several existing rules have been modified to enhance detection performance and reduce false positives. This includes updates to regex patterns in spam detection and improvements to sender domain logic in phishing detection. The detection logic for file-sharing links now excludes certain non-suspicious hosts, while the threshold for phishing links in voicemail emails increases. Rules for brand impersonation and spam image detection have also been refined for broader coverage.
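Two of the link checks above, written as an added Python example (not Sublime's MQL and not code from the sublime-rules repository): statically unwrapping a YouTube to Google or Meta to YouTube redirect chain to find the final host, and spotting userinfo padding that pushes the real host out of view. The redirector endpoints and query parameters, the userinfo length threshold, and the sample URLs are assumptions and constructed inputs.

```python
"""Added example (not Sublime's rules): unwrap nested open redirects and detect
userinfo padding in URLs. Redirector table and threshold are assumptions."""
from urllib.parse import urlsplit, parse_qs, quote

# host -> (path prefix, query parameter carrying the destination). These are commonly
# observed redirector endpoints, listed here as assumptions to verify against live traffic.
REDIRECTORS = {
    "www.youtube.com": ("/redirect", "q"),
    "www.google.com": ("/url", "q"),
    "l.facebook.com": ("/l.php", "u"),
    "l.instagram.com": ("/", "u"),
}
MAX_USERINFO = 64   # assumption: userinfo longer than this is padding, not a credential


def real_host(url: str) -> str:
    """The host a browser actually connects to (everything after the last '@')."""
    return (urlsplit(url).hostname or "").lower()


def unwrap_redirects(url: str, max_hops: int = 5):
    """Follow nested open redirects statically; return the host at each hop."""
    hosts = []
    for _ in range(max_hops):
        p = urlsplit(url)
        host = real_host(url)
        hosts.append(host)
        rule = REDIRECTORS.get(host)
        if not rule or not p.path.startswith(rule[0]):
            break
        nxt = parse_qs(p.query).get(rule[1])   # parse_qs percent-decodes one layer
        if not nxt or not nxt[0].lower().startswith(("http://", "https://")):
            break
        url = nxt[0]
    return hosts


def is_redirect_chain(url: str) -> bool:
    """Two or more redirector hops that end on a host which is not itself a redirector."""
    hosts = unwrap_redirects(url)
    return len(hosts) >= 3 and hosts[-1] not in REDIRECTORS


def userinfo(url: str) -> str:
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else ""


def has_padded_userinfo(url: str) -> bool:
    """https://accounts.example.com------...@198.51.100.7/ shows the trusted name in a
    preview or a narrow client, while the browser connects to the host after the '@'."""
    return len(userinfo(url)) > MAX_USERINFO


# constructed samples
FINAL = "https://login-portal.example/signin"
GOOGLE_HOP = "https://www.google.com/url?q=" + quote(FINAL, safe="")
YOUTUBE_CHAIN = "https://www.youtube.com/redirect?q=" + quote(GOOGLE_HOP, safe="")
META_CHAIN = "https://l.facebook.com/l.php?u=" + quote(YOUTUBE_CHAIN, safe="")
PADDED = "https://accounts.example.com" + "-" * 120 + "@198.51.100.7/login"
PLAIN = "https://www.youtube.com/watch?v=dQw4w9WgXcQ"

if __name__ == "__main__":
    for u in (YOUTUBE_CHAIN, META_CHAIN, PLAIN):
        print(is_redirect_chain(u), unwrap_redirects(u))
    print(has_padded_userinfo(PADDED), "->", real_host(PADDED))
```

Each hop is decoded exactly once, because each redirector decodes its own parameter exactly once; decoding more aggressively (for example looping until nothing changes) would let an attacker disagree with the browser about where the link goes.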
+ New rules:
Open Redirect: YouTube --> Google Redirection Chain
Medium impact • Coverage change
New rule created to detect open redirect chains involving YouTube and Google, aimed at preventing credential phishing attacks.
BEC/Fraud: Urgent Language and Suspicious Sending/Infrastructure Patterns
Medium impact • Coverage change
New rule created to detect inbound messages using urgent language patterns and suspicious sender behaviors indicative of BEC and phishing attacks.
Open Redirect: Meta --> YouTube Redirection Chain
Medium impact • Coverage change
This rule detects a redirect chain involving Meta and YouTube, which has been exploited in the wild. It includes specific conditions for inbound types and the presence of certain domain patterns in the URL.
Link: Obfuscation via userinfo with Excessive URL Padding
Medium impact • Coverage change
Created a new detection rule to identify instances of excessive padding in usernames within URLs that may indicate phishing attempts.
Link: Common Hidden Directory Observed
Medium impact • Coverage change
A new detection rule has been created to identify links pointing to sensitive system directories that could expose confidential configuration data or system files.
Spam: Sexually Explicit Looker Studio Report
Low impact • Coverage change
This rule detects suspicious Looker Studio Reports containing inappropriate content or suspicious patterns, specifically targeting reports from non-organizational domains with explicit keywords or emojis.
Impersonation: Chrome Web Store Policy
Low impact • Coverage change
New rule created to detect impersonation messages related to Chrome Web Store policy communications, utilizing specific HTML formatting patterns and observed domains.
✎ Modified rules:
Spam Image Hidden Element Detection
Medium impact • Coverage change
Updated regex to capture additional HTML structures and corrected a typo in comments.
File Sharing Link from Suspicious Sender Domain
Medium impact • Coverage change
Updated the detection logic to exclude certain image file hosting domains from being classified as suspicious links.
Link Credential Phishing Voicemail Language
Medium impact • Coverage change
Increased the threshold for the maximum number of links from 15 to 25 in the detection logic.
Brand Impersonation: PayPal
Medium impact • Coverage change
Updated the rule name for better readability and modified the list of excluded email domains to enhance detection effectiveness.
link_credential_phishing_voicemail_language
Medium impact • Coverage change
Updated sender domain checking logic to include high trust sender domains while improving the profile checking conditions.
Attachment EML with HTML Attachment
Medium impact • Coverage change
The sender-profile check now requires that the sender has not previously been marked as solicited, replacing the earlier condition that looked for prior false positives.
spam_google_group_explict_invite
Medium impact • Coverage change
Updated regex patterns to include additional sexually explicit keywords and added comments to maintain consistency between rules.
spam_image_hidden_element
Medium impact • Coverage change
Enhanced regex conditions to improve detection of spam images hidden in HTML by adding additional matching criteria for anchor and hidden elements.
link_fake_storage_alert
Medium impact • Coverage change
Expanded the detection logic to exclude bouncebacks and undeliverables based on attachment content types.
Impersonation Wells Fargo
Medium impact • Coverage change
Updated the logic to allow sender emails containing 'no reply' in addition to excluding previously defined recipient emails.
chainguard-dev/osquery-defense-kit (+1, ✎27)
https://github.com/chainguard-dev/osquery-defense-kit
The current updates focus on enhancing detection capabilities and improving the precision of existing rules. A new rule, Shady Chrome Extension Author Detection, was introduced to identify suspicious Chrome extensions linked to spam authors. The unexpected-chrome-extensions rule was updated to include a broader range of potential suspicious authors. For DNS traffic events, additional Cloudflare and Canonical IPs were recognized as safe, reducing false positives. To refine precision, changes were made to unexpected talkers and executables detection across platforms by adjusting exception lists and paths.
Detection logic saw significant expansions and exclusions to better target threats and improve rule performance. Specific paths and identifiers were added to rules like Hidden CWD, Docker Container Mounting Root, and Unexpected Privilege Escalation to boost coverage without sacrificing accuracy. Exclusions for known paths were added to rules involving hidden executables and UID0 daemons to prevent false positives. Emerging threat detection saw enhancements with conditions added for Sketchy Fetcher related to AWS EC2 metadata checks, and new entries in the Unexpected Global Lock Detection were made. This comprehensive set of updates ensures broader coverage and reduced noise within the detection systems.
+ New rules:
Shady Chrome Extension Author Detection
Medium impact • Coverage change
New SQL rule added to detect potentially shady Chrome extensions based on documented spam authors.
✎ Modified rules:
unexpected-chrome-extensions
Medium impact • Coverage change
Extended detection logic to include additional Chrome Extension authors in the SQL query.
Unexpected DNS Traffic Events Detection
Medium impact • Coverage change
Expanded the list of safe DNS resolvers to include additional Cloudflare IPs and Canonical IPs while removing some prior entries.
Unexpected Talkers Linux Detection
Medium impact • Coverage change
Updated exception key entries for various processes to include new identifiers and changed some existing IDs for better precision.
unexpected-talkers-macos
Medium impact • Coverage change
Updated application identifiers list by adding 'Software Signing' and several developer ID applications while removing duplicates and incorrect entries.
Unexpected Dev Opener Linux
Medium impact • Coverage change
The detection logic for paths has been updated to exclude additional specific device paths including '/dev/console', '/dev/video', and '/dev/bus/usb'.
Hidden CWD
Medium impact • Coverage change
The rule was modified to include additional paths in the detection logic, enhancing coverage by considering more specific directories and file patterns.
Hidden Executable Detection
Medium impact • Coverage change
Removed exclusion for '/.vscode/cli' and added exclusion for '/Documents/GitHub' in the hidden-executable rule.
Name Path Mismatch Detection
Medium impact • Coverage change
Modified the exception conditions to include 'systemd' and updated exception keys for 'systemd-executor'.
Parent Missing from Disk Detection (Linux)
Medium impact • Coverage change
Added a path to the detection for '/usr/share/codium' and modified conditions for path exclusions.
Unexpected Executables Detection Rule
Medium impact • Coverage change
Removed several unnecessary file paths from the exclusion list and added new relevant paths in the WHERE clause to enhance detection capabilities.
Unexpected Hidden System Paths Detection Rule
Medium impact • Coverage change
Updated the list of hidden system paths by removing and adding specific entries to improve system path coverage for detection.
Unexpected Process Extension Detection for Linux
Medium impact • Coverage change
Added additional file extensions '7', 'bfd', and excluded 'rpc.mountd' from the search criteria.
Relative Execution of Low UID Events
Medium impact • Coverage change
Added a condition to exclude commands matching './updater -insecure https://10.%:9174/check-update/macos'.
Sketchy Fetcher
Medium impact • Coverage change
Added conditions to match command lines involving AWS EC2 metadata access and internal IP address checks.
Tiny Executable Events Detection
Medium impact • Coverage change
Added exceptions for legacy paths in the detection logic to exclude specific binaries, enhancing the rule's precision.
Unexpected Long Running Security Framework Detection (macOS)
Medium impact • Coverage change
Added additional exception keys to the filter for longer-running programs and updated existing pattern to a more flexible form.
unexpected-setuid-binaries
Medium impact • Coverage change
Added new entries for '/bin/bwrap', '/bin/chfn', '/bin/chsh', '/usr/bin/bwrap', and '/usr/bin/chfn' while removing redundant lines for the same paths.
systemd_execstart_elsewhere
Medium impact • Coverage change
Added a new condition to check for ExecStart path involving /etc/etckeeper/ to enhance rule coverage for potentially suspicious processes.
unexpected-chrome-extensions
Medium impact • Coverage change
Added multiple new entries for potential suspicious Chrome extensions to the detection list, increasing the breadth of coverage.
Unexpected Global Lock Detection
Medium impact • Metadata change
Added multiple detection entries for new locks and removed an existing lock condition.
unexpected-listening-port-linux
Medium impact • Coverage change
Added new detection conditions for Goland and Pycharm listening ports to enhance coverage on unexpected listening services.
unexpected-listening-port-macos
Medium impact • Coverage change
Removed old listening ports and added various new ports including LogiPluginService, and updated references for existing services to improve accuracy.
Unexpected UID0 Daemon - Linux
Medium impact • Coverage change
Added new entries for apt.systemd.dai and modified dockerd paths to adjust service configurations.
Unexpected UID0 Daemon - macOS
Medium impact • Coverage change
Added signatures for Apple Mac OS Application Signing and EA Swiss Sarl to enhance detection capabilities.
Docker Container Mounting Root
Medium impact • Coverage change
Added additional exclusions to the image filter to prevent false positives from specific container images.
Unexpected Privilege Escalation in Linux
Medium impact • Coverage change
Expanded the search criteria for path related to polkit to include the polkit helper, increasing detection capabilities.
Unexpected SetUID Process Detection
Medium impact • Coverage change
Added additional file path exclusion for '/opt/Blockbench/chrome-sandbox' and '/Library/Application Support/Google/GoogleUpdater/1%/GoogleUpdater.app/Contents/Helpers/launcher' to enhance detection accuracy.
Yamato-Security/hayabusa-rules (✎1)
https://github.com/Yamato-Security/hayabusa-rules
✎ Modified rules:
File Event Windows Exploit CVE-2023-36874
Medium impact • Coverage change
The rule's last modified date was updated to 2025-01-13, and an additional directory for Software Distribution Download was included in the detection criteria.
Personal repositories (1)
Neo23x0/signature-base (+1, ✎2)
https://github.com/Neo23x0/signature-base
A new rule, APT_IN_TA397_wmRAT, was added to improve coverage by tracking wmRAT through YARA based on socket usage, error handling, and reused strings. This addresses emerging threats associated with wmRAT.
Existing rules were modified to enhance detection accuracy. SUSP_LNX_Base64_Exec_Apr24 now uses a more specific matching condition, changing from 'any of them' to '1 of ($s*)', reducing false positives. The vuln_paloalto_cve_2024_3400_apr24 rule condition now also checks for a filesize less than 800KB, refining detection criteria. These changes collectively improve detection performance and specificity.
+ New rules:
APT_IN_TA397_wmRAT
Medium impact • Coverage change
New YARA rule created to track wmRAT based on socket usage, error handling, and reused strings.
✎ Modified rules:
SUSP_LNX_Base64_Exec_Apr24
Medium impact • Coverage change
The detection condition was changed from 'any of them' to '1 of ($s*)' for improved specificity in matching.
vuln_paloalto_cve_2024_3400_apr24
Medium impact • Coverage change
The rule condition was updated to check for filesize less than 800KB in addition to the existing logic.
Feedback
Your input helps us improve! We'd love to hear from you if you spot any issues, mistakes, or omissions in this digest issue or have suggestions for new data sources to include. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — reach out to us.