Detections Digest #20250127
This digest highlights key updates to detection rules from 9 GitHub repositories, including 13 new additions and 13 modifications.
This week's update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Jan 20 and Jan 27, 2025, contributors added 13 new rules and updated 13 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
ReCAPTCHA command detection in EDR, PowerShell, and Sysmon — New rules in anvilogic-forge/armory improve identification of command executions using reCAPTCHA, addressing high-risk threats across varied log sources. (anvilogic-forge/armory)
Linux malware detections — ReversingLabs and Neo23x0 have added rules targeting Linux malware, including YARA rules for PygmyGoat, Helldown, byte encoding, and stack string manipulation techniques. (reversinglabs/reversinglabs-yara-rules, Neo23x0/signature-base)
Improved detection of suspicious user creations — Adjusted SigmaHQ rule syntax for privileged user creation to improve precision and reduce false positives by correcting UID and GID criteria. (SigmaHQ/sigma)
Hash value updates for detection accuracy — Integrated IMPHASH and changed hash formats to MD5 and SHA256 prefixes, refining detection in scenarios like Dumpert execution and ManageEngine abuse. (SigmaHQ/sigma)
Detection logic refinement for threats in SharePoint and Dropbox — Sublime Security updated regex and logic to better catch suspicious names and URLs related to enterprise tools like SharePoint and Dropbox. (sublime-security/sublime-rules)
New RTF file detection — A rule in delivr-to/detections identifies potential exploits using RTF files with embedded OLE objects linked to CVE-2025-21298, effectively targeting unsolicited attack vectors. (delivr-to/detections)
Tracebit intrusion alerts — Panther Labs introduced rules for detecting Tracebit-monitored intrusions and processing alert conditions in Python, expanding security canary awareness. (panther-labs/panther-analysis)
Updated IoCs for emerging threats — ESET added IoCs for PlushDaemon and AceCryptor, vital for tracking and mitigating these ongoing threats through fresh file hashes and network indicators. (eset/malware-ioc)
Corporate repositories (8)
SigmaHQ/sigma (✎5)
https://github.com/SigmaHQ/sigma
Updated rules focus on improving detection accuracy and reducing false positives. The "Privileged User Has Been Created" rule corrects syntax errors by adding missing commas to better filter UID and GID criteria, which cuts down on false positives. Several rules, including "Forest Blizzard APT - Process Creation Activity" and "HackTool - Dumpert Process Dumper Execution," now specify hash values with SHA256 or MD5 prefixes, providing clearer detection logic. The "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" and "Renamed ZOHO Dctask64 Execution" rules include IMPHASH prefixes for hash values, ensuring uniformity and precision in identifying potential misuse scenarios.
✎ Modified rules
Privileged User Has Been Created
Medium impact • Coverage change
Corrected syntax by adding missing commas in the UID and GID selection criteria to reduce false positives.
Forest Blizzard APT - Process Creation Activity
Medium impact • Coverage change
Updated hash values to include SHA256 prefixes for improved clarity in detection logic.
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Medium impact • Coverage change
Prepended IMPHASH to hash values, improving detection of potential abuse scenarios.
HackTool - Dumpert Process Dumper Execution
Medium impact • Coverage change
Changed hash format to prepend MD5 to improve detection accuracy for Dumpert execution.
Renamed ZOHO Dctask64 Execution
Medium impact • Coverage change
Updated hash values to prepend IMPHASH for consistent detection across tools.
anvilogic-forge/armory (+3)
https://github.com/anvilogic-forge/armory
New rules for detecting suspicious reCAPTCHA command execution have been added across three log sources: EDR, PowerShell, and Sysmon. These additions improve monitoring of command-execution patterns linked to reCAPTCHA misuse, increasing detection coverage for this emerging threat; all three rules are rated high impact.
+ New rules
Suspicious reCAPTCHA Command Line (Splunk EDR)
High impact • Coverage change
New detection rule created to identify command execution using reCAPTCHA in EDR logs.
Suspicious reCAPTCHA Command Line (Splunk PowerShell)
High impact • Coverage change
New detection rule created to identify command execution using reCAPTCHA in PowerShell logs.
Suspicious reCAPTCHA Command Line (Splunk Sysmon)
High impact • Coverage change
New detection rule created to identify command execution using reCAPTCHA in Sysmon logs.
panther-labs/panther-analysis (+2)
https://github.com/panther-labs/panther-analysis
A new "Tracebit Alert" rule was added to detect potential intrusions using security canaries. The detection logic for the rule is also implemented in Python with refined event conditions to improve the detection performance.
+ New rules
Tracebit Alert
Medium impact • Coverage change
The new rule was created to detect potential intrusions via Tracebit monitoring of security canaries across the organization.
Tracebit Alert Logic
Medium impact • Performance change
Detection logic implemented in Python evaluates Tracebit alerts based on specific event conditions and criteria.
sublime-security/sublime-rules (✎7)
https://github.com/sublime-security/sublime-rules
The rule updates focus on refining detection accuracy and reducing false positives. Improved logic in link_sharepoint_sus_name and abuse_dropbox_sus_names targets payroll and HR-related terms, improving subject detection for suspicious communications. The 'Body Extortion Detection' rule adds checks to filter out irrelevant newsletters, increasing precision.
The 'link_userinfo_excessive_padding' rule improves pattern matching in URLs, excluding benign Google Maps links. 'impersonation_quickbooks' now identifies freemail senders linked to root websites. 'impersonation_chrome_web_store_policy' and 'brand_impersonation_enbridge' update sender exclusions for legitimate Google and Enbridge domains.
✎ Modified rules
link_sharepoint_sus_name
Medium impact • Coverage change
Improved detection logic by incorporating display text checks for various keywords related to payroll and HR, and refined conditions for solicited sender verification.
Body Extortion Detection
Medium impact • Coverage change
Added a condition to negate benign newsletters mentioning cyber extortion, improving detection accuracy.
link_userinfo_excessive_padding
Medium impact • Coverage change
Updated regex pattern to increase detection capabilities by adjusting match conditions for excessive URL padding and excluding specific cases related to Google Maps.
abuse_dropbox_sus_names
Medium impact • Coverage change
Added new regex conditions to improve detection of specific subject strings related to Payroll and Employee Handbook communications.
impersonation_quickbooks
Medium impact • Coverage change
Added a condition to handle links to the root website when the sender uses a freemail address to send invoices.
impersonation_chrome_web_store_policy
Medium impact • Coverage change
Added a condition to negate messages from Google support to refine the detection logic.
brand_impersonation_enbridge
Medium impact • Coverage change
Updated sender email domain exclusions to include additional Enbridge subsidiaries.
delivr-to/detections (+1)
https://github.com/delivr-to/detections
+ New rules
Attachment: RTF with Embedded OLE Object (Unsolicited)
High impact • Coverage change
New detection rule added to identify RTF files with embedded OLE objects from unsolicited sources, potentially weaponized based on CVE-2025-21298.
reversinglabs/reversinglabs-yara-rules (+2)
https://github.com/reversinglabs/reversinglabs-yara-rules/
New rules increase coverage for emerging Linux threats. Added YARA rules now detect PygmyGoat backdoor and Helldown ransomware. These updates significantly strengthen detection capabilities against high-severity malware on Linux systems.
+ New rules
Linux_Backdoor_PygmyGoat
High impact • Coverage change
New YARA rule added to detect the PygmyGoat backdoor malware.
Linux_Ransomware_Helldown
High impact • Coverage change
New YARA rule added to detect the Helldown ransomware malware.
eset/malware-ioc (+2)
https://github.com/eset/malware-ioc
High-impact updates include the addition of indicators for PlushDaemon, extending threat coverage with specific file hashes and network indicators. New IoCs for AceCryptor based on recent investigations were also added, broadening detection capabilities.
+ New rules
PlushDaemon IoCs
High impact • Coverage change
Added Indicators of Compromise for PlushDaemon, including file hashes and network indicators.
AceCryptor H2 2024 IoCs
Medium impact • Coverage change
Introduced new IoCs for AceCryptor related to investigations during H2 2024.
Yamato-Security/hayabusa-rules (✎1)
https://github.com/Yamato-Security/hayabusa-rules
✎ Modified rules
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Medium impact • Metadata change
Updated the title for clarity, modified the date to the latest revision, and adjusted the detection level from high to medium, reassessing the rule's threat relevance.
Personal repositories (1)
Neo23x0/signature-base (+3)
https://github.com/Neo23x0/signature-base
New rules added focus on Linux threats.
Introduced SUSP_LNX_ByteEncoder_Jan25 to detect Linux binaries using nibble encoding linked to SEASPY backdoors. Adds detection for potential backdoor activities.
SUSP_LNX_StackString_Technique_Jan25 identifies Linux binaries using stack-based string manipulation, targeting stealth or persistence tactics. Improves the ability to spot evasive tactics.
SUSP_LNK_Suspicious_Folders_Jan25 introduces a YARA rule targeting suspicious link files by specific folder names, improving detection in suspicious environments.
+ New rules
SUSP_LNX_ByteEncoder_Jan25
Medium impact • Coverage change
New rule to detect Linux binaries encoding bytes using nibble techniques associated with SEASPY backdoors.
SUSP_LNX_StackString_Technique_Jan25
Medium impact • Coverage change
New rule to identify suspicious Linux binaries utilizing stack-based string manipulation techniques for stealth or persistence.
SUSP_LNK_Suspicious_Folders_Jan25
Medium impact • Coverage change
Introduces a new YARA rule to detect suspicious link files associated with specific folder names.
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — reach out to us.