Detections Digest #20250203
The digest includes updates from 7 GitHub repositories, made from Jan 27 to Feb 3, 2025, covering 22 new and 76 modified detection rules.
This week's update highlights the most significant changes to detection rules from 7 of the 40+ monitored GitHub repositories. Between Jan 27 and Feb 3, 2025, contributors added 22 new rules and updated 76 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New eBPF rootkit detection — A new rule to detect unauthorized uses of 'bpf_probe_write_user' in syslogs, indicating potential eBPF rootkit activity (elastic/detection-rules).
AWS EC2 intrusion indicators — New rules for detecting AWS EC2 User Data retrieval attempts and modifications to route tables, signaling possible unauthorized data access or network disruptions (elastic/detection-rules).
SELinux and syslog tampering detection — New rules for monitoring SELinux disablement and syslog blocking via iptables or UFW, targeting possible adversarial actions (anvilogic-forge/armory).
Windows Event Log registry tampering — Rules added to flag changes to EventLog channel permissions through registry edits, suggesting possible defense evasion (SigmaHQ/sigma, Yamato-Security/hayabusa-rules).
Open redirect exploitation detections — Multiple new rules identify open redirect vulnerabilities in various domains, which can aid in phishing and scam activities (sublime-security/sublime-rules).
Enhanced detection for known executables — Rules modified to monitor execution of processes like 'QuickAssist.exe', 'mshta.exe', 'printui.exe' outside typical folders, tracking unauthorized remote access and execution (anvilogic-forge/armory).
Improved Linux command and control detection — Updated rules to refine process exclusions and increase accuracy in detecting suspicious command and control activities (elastic/detection-rules).
Threat detection metadata update — Extensive metadata updates across rules to align with current threat trends and add relevant tags, strengthening identification of emerging threats (splunk/security_content, Yamato-Security/hayabusa-rules).
Table Of Contents
elastic/detection-rules (+3, ✎16)
SigmaHQ/sigma (+2, ✎3)
anvilogic-forge/armory (+4, ✎8)
splunk/security_content (✎24)
sublime-security/sublime-rules (+10, ✎9)
chainguard-dev/osquery-defense-kit (✎7)
Yamato-Security/hayabusa-rules (+3, ✎9)
Corporate repositories (7)
elastic/detection-rules (+3, ✎16)
https://github.com/elastic/detection-rules
New rules add coverage for AWS EC2 data retrieval attempts, eBPF rootkit indicators, and EC2 route table modifications. These focus on discovering new threat vectors in AWS environments and kernel activities.
Modified rules improve accuracy and reduce false positives across various systems. Interactive Shell rules now account for '_apt' and 'man', enhancing system user detection. Several AWS-related rules, including role assumptions and secure parameter requests, update detection logic for more precise alerts. Linux and defense evasion rule updates focus on process and argument filtering, refining the exclusion criteria to better detect malicious activities. Enhanced filtering in network and command activities further sharpens detection capabilities.
+ New rules
AWS EC2 User Data Retrieval for EC2 Instance
Medium impact • Coverage change
New rule introduced to identify discovery request DescribeInstanceAttribute with the attribute userData, indicating potential data retrieval attempts from EC2 instances.
Suspicious Usage of bpf_probe_write_user Helper
Low impact • Coverage change
Introduced a new detection rule that monitors syslog for unauthorized uses of the 'bpf_probe_write_user' helper, which may indicate eBPF rootkit activity.
AWS EC2 Route Table Modified or Deleted
Low impact • Coverage change
New rule added to identify AWS CloudTrail events where an EC2 route table or association has been modified or deleted, aimed at detecting potential disruptions in network traffic.
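As an added illustration (not code from elastic/detection-rules), the Python below applies the two CloudTrail conditions described in these new rules to constructed sample records; the route-table event-name list and the field paths are assumptions based on the standard CloudTrail record format.

```python
"""Added example (not from elastic/detection-rules): checks for the two AWS
CloudTrail behaviours described above, run over constructed sample records.
Assumed: standard CloudTrail field names (eventSource, eventName,
requestParameters.attribute, userIdentity.arn) and our own route-table event list."""
import json

# EC2 API actions treated as route table or association modification/deletion
# (assumed list; the upstream rule may match a different set).
ROUTE_TABLE_EVENTS = {
    "DeleteRoute", "DeleteRouteTable", "ReplaceRoute",
    "ReplaceRouteTableAssociation", "DisassociateRouteTable",
}


def is_userdata_retrieval(event: dict) -> bool:
    """DescribeInstanceAttribute that asks specifically for the userData attribute."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") == "DescribeInstanceAttribute"
            and params.get("attribute") == "userData")


def is_route_table_change(event: dict) -> bool:
    """Successful route table change; records carrying errorCode were denied by IAM."""
    return (event.get("eventSource") == "ec2.amazonaws.com"
            and event.get("eventName") in ROUTE_TABLE_EVENTS
            and "errorCode" not in event)


def triage(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, eventName, actor ARN) for each record matching either check."""
    hits = []
    for ev in records:
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if is_userdata_retrieval(ev):
            hits.append(("ec2_userdata_retrieval", ev["eventName"], actor))
        elif is_route_table_change(ev):
            hits.append(("ec2_route_table_modified", ev["eventName"], actor))
    return hits


# Constructed sample CloudTrail records (not real telemetry); 111122223333 is a placeholder account.
SAMPLE_TRAIL = json.loads("""[
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
  "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"},
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstanceAttribute",
  "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"},
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteRouteTable",
  "requestParameters": {"routeTableId": "rtb-0a1b2c3d"},
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/NetworkAdmin"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "ReplaceRoute",
  "errorCode": "Client.UnauthorizedOperation",
  "requestParameters": {"routeTableId": "rtb-0a1b2c3d"},
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"}}
]""")

if __name__ == "__main__":
    for hit in triage(SAMPLE_TRAIL):
        print(*hit)
```

The errorCode filter drops denied calls; a separate low-severity signal for repeated denied route-table calls is worth keeping, since denied attempts often precede a successful change.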
✎ Modified rules
Interactive Shell from System User Detection
High impact • Coverage change
Additional conditions for user '_apt' and 'man' processes were added to increase detection accuracy.
AWS Systems Manager SecureString Parameter Request with Decryption Flag
Medium impact • Metadata change
Updated the index pattern and clarified user ID evaluation logic for enhanced alert accuracy.
AWS IAM Assume Role Policy Update
Medium impact • Coverage change
Updated the detection logic to identify modifications in IAM role's trust policy and adjusted temporal parameters for the rule to trigger based on specific AWS CloudTrail events.
Privilege Escalation Role Assumption by Service
Medium impact • Coverage change
Revised the rule to focus on additional specific AWS services that can invoke role assumption, improving detection scope.
IPv4/IPv6 Forwarding Activity
Medium impact • Coverage change
Updated the rule to exclude additional parent process names for better filtering of command and control activity.
Potential Protocol Tunneling via Chisel Client
Medium impact • Coverage change
Expanded the exclusion filter for process names to improve accuracy of detection.
Suspicious Network Activity to the Internet by Previously Unknown Executable
Medium impact • Coverage change
Expanded the monitored process names to include 'filebeat', 'apk', 'cursor', and 'http'.
Defense Evasion via ACL Modification
Medium impact • Coverage change
Updated the args condition to include additional exclusions, enhancing detection accuracy for potential ACL modifications.
Defense Evasion Attempt to Disable auditd Service
Medium impact • Coverage change
Updated the process.args condition to exclude cases where the parent process is 'auditd.prerm'.
Defense Evasion Attempt to Disable syslog Service
Medium impact • Coverage change
Updated the process.args condition to exclude cases where the parent process is 'rsyslog-rotate'.
Attempt to Clear Kernel Ring Buffer
Medium impact • Coverage change
Modified argument filtering for the 'dmesg' process and updated the last modified date.
Hidden Shared Object Detection
Medium impact • Coverage change
Updated the exclusion from 'dockerd' to include 'azcopy' and 'podman'.
SELinux Configuration Creation or Renaming
Medium impact • Coverage change
Modified the EQL query to exclude the 'platform-python' process from triggering the rule.
Linux Discovery Process Monitoring
Medium impact • Coverage change
Updated the 'not process.name' condition to exclude 'packetbeat' along with 'agentbeat'.
Linux Security File Access via Common Utility
Medium impact • Coverage change
Added additional exclusion to 'process.parent.name' to include 'lynis' in the rule condition.
Unusual User Privilege Enumeration via id
Medium impact • Coverage change
Updated the query to include additional process.parent.name checks and modified logic for parent process filtering.
SigmaHQ/sigma (+2, ✎3)
https://github.com/SigmaHQ/sigma
New rules significantly improve threat coverage: detecting suspicious file activity in public folders and registry changes affecting Windows Event Log permissions, both flagged as high severity.
Modified rules focus on reducing noise and improving accuracy. The "Failed Code Integrity Checks" rule now includes CrowdStrike filters to lower false positives. The "Renamed PowerShell Under PowerShell Channel" rule addresses edge cases involving double backslashes to sharpen detection. EventIDs 4658 and 4660 were removed from the "WCE wceaux.dll Access" rule to refine detection logic by eliminating irrelevant data points.
+ New rules
Suspicious Binaries and Scripts in Public Folder
High impact • Coverage change
Introduced a new rule that detects the creation of files with suspicious extensions in the public folder, indicating potential malicious activity.
Windows Event Log Access Tampering Via Registry
High impact • Coverage change
New detection rule added to identify changes to Windows EventLog channel permission values via registry modifications.
✎ Modified rules
Failed Code Integrity Checks
Medium impact • Performance change
Added filters for CrowdStrike to reduce false positives and adjusted modification date.
Renamed Powershell Under Powershell Channel
Medium impact • Coverage change
Added edge case filters for double backslashes in PowerShell invocation to enhance detection accuracy.
WCE wceaux.dll Access
Medium impact • Coverage change
Removed EventIDs 4658 and 4660 as they do not contain the 'ObjectName' field, updating detection logic.
anvilogic-forge/armory (+4, ✎8)
https://github.com/anvilogic-forge/armory
New high-impact rules added for detecting tampering with syslog forwarding on Linux using iptables or UFW, applied in both Splunk EDR and Splunk Unix environments. Similarly, new rules detect scenarios where SELinux is disabled, identifying potential threats with medium severity across similar environments.
Several modified rules improve coverage by expanding process monitoring: 'QuickAssist.exe' is now monitored as part of remote access software in Crowdstrike FDR, Splunk EDR, Sysmon, and Winevent, while 'mshta.exe' and 'printui.exe' are added to detect processes operating outside system folders in Snowflake, Splunk EDR, Sysmon, and Winevent. These updates aim to increase detection capability and coverage across different platforms and behaviors.
+ New rules
Syslog Forwarding Tampering via iptables_ufw - *nix (splunk-edr)
High impact • Coverage change
This rule detects modification of iptables or UFW commands to block outgoing packets directed to syslog ports, potentially indicating tampering with security tool operation.
Syslog Forwarding Tampering via iptables_ufw - *nix (splunk-unix)
High impact • Coverage change
This rule detects modification of iptables or UFW commands to block outgoing packets directed to syslog ports, indicating potential tampering with security software.
SELinux Disabled - *nix (Splunk EDR)
Medium impact • Coverage change
This rule detects scenarios where SELinux is disabled through various commands, indicating potential adversarial behavior.
SELinux Disabled - *nix (Splunk Unix)
Medium impact • Coverage change
This rule identifies the disabling of SELinux by monitoring the `setenforce` command and related log entries.
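Added example, not code from anvilogic-forge/armory or elastic/detection-rules: Python matchers for the three Linux host behaviours summarised in this section and in the elastic bpf_probe_write_user entry above (syslog egress blocking via iptables or UFW, SELinux disablement, and the kernel warning that appears in syslog when a program using the bpf_probe_write_user helper is loaded), run over constructed samples. The syslog port list, the command forms handled and the kernel message wording are assumptions.

```python
"""Added example (not from anvilogic-forge/armory or elastic/detection-rules):
matchers for three Linux defense-evasion behaviours described in this digest,
run over constructed process command lines and syslog lines.
Assumed: syslog egress ports, the command forms handled, and the kernel warning text."""
import re
import shlex

SYSLOG_PORTS = {"514", "601", "6514"}  # assumed: classic, RFC 6587 TCP, TLS syslog


def _argv(cmdline: str) -> list[str]:
    """Split a shell-style command line; unbalanced quotes yield no tokens."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return []


def blocks_syslog_egress(cmdline: str) -> bool:
    """iptables OUTPUT rule dropping/rejecting a syslog dport, or 'ufw deny|reject out <port>'."""
    argv = _argv(cmdline)
    if not argv:
        return False
    tool = argv[0].rsplit("/", 1)[-1]
    pairs = list(enumerate(argv[:-1]))  # (index, flag) pairs that have a following value
    if tool in ("iptables", "ip6tables", "iptables-legacy", "iptables-nft"):
        output_chain = any(a in ("-A", "-I", "-R") and argv[i + 1] == "OUTPUT" for i, a in pairs)
        ports = {p for i, a in pairs if a in ("--dport", "--destination-port", "--dports")
                 for p in argv[i + 1].split(",")}  # --dports (multiport) takes a comma list
        blocking = any(a in ("-j", "--jump") and argv[i + 1] in ("DROP", "REJECT") for i, a in pairs)
        return output_chain and bool(ports & SYSLOG_PORTS) and blocking
    if tool == "ufw":  # short form only: ufw deny out 514[/udp]
        return (len(argv) >= 4 and argv[1] in ("deny", "reject") and argv[2] == "out"
                and argv[3].split("/")[0] in SYSLOG_PORTS)
    return False


def disables_selinux(cmdline: str) -> bool:
    """'setenforce 0|Permissive', or SELINUX=disabled/permissive written to /etc/selinux/config."""
    argv = _argv(cmdline)
    if not argv:
        return False
    if argv[0].rsplit("/", 1)[-1] == "setenforce":
        return len(argv) > 1 and argv[1].lower() in ("0", "permissive")
    lowered = [a.lower() for a in argv]
    return "/etc/selinux/config" in lowered and any(
        "selinux=disabled" in a or "selinux=permissive" in a for a in lowered)


# Kernel warning logged when a program using bpf_probe_write_user is loaded (assumed wording).
BPF_WRITE_USER_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] is installing a program with bpf_probe_write_user helper")


def bpf_write_user_loader(syslog_line: str):
    """Return (comm, pid) of the process that loaded such a program, or None."""
    m = BPF_WRITE_USER_RE.search(syslog_line)
    return (m.group("comm"), int(m.group("pid"))) if m else None


def triage(cmdlines: list[str], syslog_lines: list[str]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) for every matching command line or syslog line."""
    hits = []
    for cmd in cmdlines:
        if blocks_syslog_egress(cmd):
            hits.append(("syslog_forwarding_tampering", cmd))
        if disables_selinux(cmd):
            hits.append(("selinux_disabled", cmd))
    for line in syslog_lines:
        loader = bpf_write_user_loader(line)
        if loader:
            hits.append(("bpf_probe_write_user", f"{loader[0]}[{loader[1]}]"))
    return hits


# Constructed samples (not real telemetry).
SAMPLE_CMDLINES = [
    "iptables -A OUTPUT -p udp --dport 514 -j DROP",
    "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
    "/usr/sbin/ufw deny out 6514/tcp",
    "ufw allow out 443/tcp",
    "setenforce 0",
    "sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config",
]
SAMPLE_SYSLOG = [
    "Feb  1 10:02:13 host kernel: loader[4242] is installing a program with "
    "bpf_probe_write_user helper that may corrupt user memory!",
    "Feb  1 10:02:14 host systemd[1]: Started Daily apt upgrade and clean activities.",
]
```

Legitimate package scripts and configuration management also touch iptables and SELinux settings, which is why the upstream rules carry parent-process exclusions; the same exclusion logic would sit in front of triage() in production.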
✎ Modified rules
Remote Access Software Execution (Crowdstrike FDR)
Medium impact • Coverage change
Updated the detection regex to include 'QuickAssist.exe' in the list of monitored remote access software.
Remote Access Software Execution (Splunk EDR)
Medium impact • Coverage change
Enhanced the detection regex to add 'QuickAssist.exe' to the monitored process names.
Remote Access Software Execution - Splunk Sysmon
Medium impact • Coverage change
Updated detection logic to include 'QuickAssist.exe' in the process name match criteria, enhancing coverage of remote access software.
Remote Access Software Execution - Splunk Winevent
Medium impact • Coverage change
Enhanced detection logic by adding 'QuickAssist.exe' to the list of monitored process names, improving threat coverage.
Windows Process Outside of System Folder - Snowflake
Medium impact • Coverage change
Updated regex to include 'mshta.exe' and 'printui.exe' in the detection logic for processes.
Windows Process Outside of System Folder - Splunk EDR
Medium impact • Coverage change
Enhanced regex match to include 'mshta.exe' and 'printui.exe' for improved detection of processes.
Windows Process Outside of System Folder (Splunk Sysmon)
Medium impact • Coverage change
Updated logic to include additional processes 'mshta.exe' and 'printui.exe' in the detection criteria, enhancing coverage of abnormal process execution.
Windows Process Outside of System Folder (Splunk Winevent)
Medium impact • Coverage change
Modified logic by including 'mshta.exe' and 'printui.exe' in the detection logic, improving detection capabilities for potentially malicious behaviors.
splunk/security_content (✎24)
https://github.com/splunk/security_content
Key updates include streamlined detection for Windows hive dumps and suspicious process paths, reducing false positives. Metadata changes across numerous rules align with current threat activities, notably Nexus APT and Earth Estries. Version increments and tag adjustments enhance mapping to emerging threat trends and precision in identification. Performance-oriented modifications in search syntax and data consistency aim to improve overall detection capabilities.
✎ Modified rules
windows_sensitive_registry_hive_dump_via_commandline
Medium impact • Coverage change
Updated data source to ensure consistency in naming and improved precision in detecting Windows hive dump commands via reg.exe.
suspicious_process_file_path
Medium impact • Coverage change
Updated the detection search to use 'Processes.process_name' instead of 'Processes.process' for improved accuracy in detecting suspicious processes.
Any Powershell DownloadFile
Medium impact • Metadata change
Updated version and date, refined tags for enhanced threat coverage.
Detect Renamed PSExec
Medium impact • Metadata change
Updated version and date, improved tag accuracy to reflect current threat landscape.
Executables Or Script Creation In Suspicious Path
Medium impact • Metadata change
Version updated to 11 with detection date set to 2025-01-27; multiple tags added or replaced to reflect current threat trends.
Linux Auditd File Permission Modification Via Chmod
Medium impact • Metadata change
Updated version from 5 to 7 and modified tags to include 'Nexus APT Threat Activity' and 'Earth Estries'.
Linux Auditd Nopasswd Entry In Sudoers File
Medium impact • Metadata change
Updated version from 3 to 5 and modified tags to add 'Nexus APT Threat Activity' and 'Earth Estries'.
Linux Auditd Possible Access To Credential Files
Medium impact • Metadata change
Updated version from 3 to 5 and revised the date to '2025-01-27'. Additional tags including 'Nexus APT Threat Activity' and 'Earth Estries' were added, enhancing context for threat detection.
Linux Auditd Possible Access To Sudoers File
Medium impact • Metadata change
Updated version from 3 to 5 and revised the date to '2025-01-27'. Added tags such as 'Nexus APT Threat Activity' and 'Earth Estries', providing more comprehensive detection coverage.
Linux Auditd Preload Hijack Library Calls
Medium impact • Metadata change
Updated version from 3 to 5, modified date to 2025-01-27, and added additional threat-related tags.
Linux Common Process For Elevation Control
Medium impact • Metadata change
Updated version from 4 to 6, modified date to 2025-01-27, and added additional threat-related tags.
Linux Possible Access To Sudoers File
Medium impact • Metadata change
Updated version from 4 to 6 and added new tags related to threats.
Linux Preload Hijack Library Calls
Medium impact • Metadata change
Updated version from 4 to 6 and added new tags related to threats.
Malicious PowerShell Process - Execution Policy Bypass
Medium impact • Metadata change
Updated version from 8 to 10, revised description formatting for clarity, and added new tags related to Nexus APT and Earth Estries.
Scheduled Task Deleted Or Created via CMD
Medium impact • Metadata change
Updated version number to 11 and modified the date to 2025-01-27. Added multiple threat tags to enhance coverage.
Suspicious Regsvr32 Register Suspicious Path
Medium impact • Metadata change
Updated version number to 11 and modified the date to 2025-01-27. Added new threat tags for better threat landscape mapping.
Suspicious Scheduled Task from Public Directory
Medium impact • Coverage change
Updated version from 4 to 6 and revised tags to enhance detection coverage.
Windows Access Token Manipulation SeDebugPrivilege
Medium impact • Coverage change
Incremented version from 6 to 11 and added new tags for improved threat identification.
Windows Credentials from Password Stores Chrome LocalState Access
Medium impact • Metadata change
Updated version number from 6 to 8 and modified date to 2025-01-27. Changed tags, adding 'Nexus APT Threat Activity' and restructuring existing tags.
Windows Replication Through Removable Media
Medium impact • Metadata change
Updated the version from 4 to 8 and added new tags for enhanced threat detection.
Windows Service Created with Suspicious Service Path
Medium impact • Metadata change
Updated the version from 8 to 12 and restructured tags, adding and removing several entries.
Windows Unsigned DLL Side-Loading In Same Process Path
Medium impact • Metadata change
Updated version from 3 to 7, and date to 2025-01-27. Additional tags added while correcting structure in test data source configuration.
Windows Unsigned MS DLL Side-Loading
Medium impact • Metadata change
Updated version from 4 to 8, and date to 2025-01-27. Added new tags for APT threat activity and fixed test data source configuration.
Detect Large Outbound ICMP Packets
Medium impact • Metadata change
Updated version from 7 to 9 and adjusted the date to 2025-01-27. The search syntax was reformatted for improved readability and the tags were expanded to include new threat activity identifiers.
sublime-security/sublime-rules (+10, ✎9)
https://github.com/sublime-security/sublime-rules
New high-severity rules focus on detecting WordPress-based XSS attempts and benefits enrollment impersonation, addressing serious threat vectors. Several medium-impact rules were added to detect open redirects across various domains, such as magic4media[.]com and plasticsurgery[.]or[.]kr, improving coverage against common redirect exploitation.
The "body_callback_phishing_no_attachment" rule now includes indicators for 'AT&T' and phone numbers, while "impersonation_netflix" updates domain checks. The "spam_image_hidden_element" rule refines hidden content detection by adding regex improvements. Additionally, regex enhancements in rules like "open_redirect_emp-eduyield," "Impersonation ShareFile Detection," and phishing detection like "link_credential_phishing_voicemail_language" increase reliability. Detection logic changes in "Spam Attendee List Solicitation" now account for Zendesk support tickets to reduce false positives.
+ New rules
Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators
High impact • Coverage change
New rule created to detect possible XSS attempts from compromised WordPress sites based on specific message patterns and script injection indicators.
Benefits Enrollment Impersonation
High impact • Coverage change
New rule created to detect impersonation attempts related to benefits enrollment communications, focusing on messages from external senders with urgent requests.
Open Redirect: magic4media.com
Medium impact • Coverage change
New rule added to detect open redirect exploitation via magic4media.com.
Google Services Using G.co Shortlinks
Medium impact • Coverage change
New rule added to identify messages containing g.co shortened URLs from authenticated Google domains.
Open Redirect: plasticsurgery.or.kr
Medium impact • Coverage change
New rule created to detect open redirect exploitation utilizing the plasticsurgery[.]or[.]kr domain.
Open Redirect: designsori.com
Medium impact • Coverage change
New rule created to detect open redirects associated with designsori[.]com, which has been exploited in the wild.
Open Redirect: predictiveresponse.net
Medium impact • Coverage change
New rule created to detect open redirects via predictiveresponse[.]net, a common class of vulnerability abused in phishing.
Open Redirect: bubblelife.com
Medium impact • Coverage change
New rule to detect exploitation of the bubblelife[.]com redirect in messages, focusing on specific URL structures and sender analysis.
Open Redirect: k-mil.net
Medium impact • Coverage change
New rule to detect open redirects involving k-mil[.]net, which is exploited in the wild.
Open Redirect: qrxtech.com
Medium impact • Coverage change
New rule created to detect open redirect vulnerabilities associated with qrxtech[.]com, targeting specific URL patterns that have been exploited in phishing.
✎ Modified rules
body_callback_phishing_no_attachment
Medium impact • Coverage change
Added new indicators for detecting 'AT&T' and phone number patterns within the message body to improve detection capabilities.
impersonation_netflix
Medium impact • Coverage change
Updated the list of email domains to include 'netelixir[.]com' and removed 'netflixevents[.]com' while adjusting comments for clarity.
spam_image_hidden_element
Medium impact • Coverage change
Enhanced detection logic to identify additional methods of hiding content by refining regex conditions and adding checks for inner text length being over a threshold.
open_redirect_emp-eduyield
Medium impact • Coverage change
Updated regex condition for query parameter matching to allow optional 's/' at the end.
Impersonation ShareFile Detection
Medium impact • Coverage change
Added a new regex condition to enhance the detection of file sharing through ShareFile.
link_credential_phishing_voicemail_language
Medium impact • Coverage change
Updated regex patterns for file name matching to improve accuracy in detecting potential phishing voicemail attacks.
spam_attendee_list_solicitation
Medium impact • Coverage change
Updated regex pattern to improve matching for 'interest' variations in the detection logic.
spam_image_hidden_element
Medium impact • Coverage change
Added a new regex pattern to detect hidden elements with centered divs that contain links and images.
Spam Attendee List Solicitation
Medium impact • Coverage change
Updated detection logic to negate Zendesk support tickets in spam detection.
chainguard-dev/osquery-defense-kit (✎7)
https://github.com/chainguard-dev/osquery-defense-kit
Exclusions for Google Chrome Helper and Steam Helper were modified in the "Unexpected DNS Traffic" rule, while the "Unexpected Talkers Linux" rule now excludes Microsoft Edge commands. The "Hidden-cwd" rule added the /var~/.config directory pattern, and "Unexpected-etc-executables" introduced a check for directories like /etc/asciidoc/%. The "Unexpected Listening Ports Detection" rule for Linux removed DNS process exclusions to widen detection, and the macOS version added a path exclusion to reduce false positives. Lastly, the "Unexpected-uid0-daemon-linux" rule was refined by updating entries for gdm and gvfsd-fuse and removing outdated data.
✎ Modified rules
Unexpected DNS Traffic
Medium impact • Coverage change
Modified the exclusion criteria for paths related to the Google Chrome Helper and added exclusion for Steam Helper.
Unexpected Talkers Linux
Medium impact • Coverage change
Added exclusion for the parent command related to Microsoft Edge in the detection logic.
hidden-cwd
Medium impact • Coverage change
Added new directory pattern '/var~/.config' to detection logic for hidden current working directory.
unexpected-etc-executables
Medium impact • Coverage change
Added condition to check if file.directory matches the pattern '/etc/asciidoc/%'.
Unexpected Listening Ports Detection for Linux
Medium impact • Coverage change
Removed specific DNS process exclusions to enhance the detection logic for unexpected listening ports.
Unexpected Listening Ports Detection for macOS
Medium impact • Coverage change
Added a condition to exclude a specific process path to improve accuracy of port listening detection.
unexpected-uid0-daemon-linux
Medium impact • Coverage change
Updated the detection logic to include additional entries for gdm and gvfsd-fuse while removing outdated entries.
Yamato-Security/hayabusa-rules (+3, ✎9)
https://github.com/Yamato-Security/hayabusa-rules
High-severity rules for 'Windows Event Log Access Tampering Via Registry' focus on changes to Windows EventLog's SDDL, a method often used in defense evasion. A medium-severity rule for 'Suspicious Binaries and Scripts in Public Folder' monitors the creation of potentially malicious files. Modified rules mainly involve metadata updates with `detection.emerging-threats` tags, increasing awareness of potential threats. This was applied to rules concerning APTs and CVEs. Notably, rule 'Win Security Code Integrity Check Failure' underwent logic improvements, incorporating additional filters for CrowdStrike and Sophos, optimizing performance.
+ New rules
Windows Event Log Access Tampering Via Registry
High impact • Coverage change
New Sigma rule added to detect changes to Windows EventLog channel permission values, focusing on modifications to SDDL that may aid in defense evasion.
Windows Event Log Access Tampering Via Registry
High impact • Coverage change
Introduced a new Sigma rule to detect changes to Windows EventLog channel permission values, focusing on SDDL string modifications that may allow defense evasion.
Suspicious Binaries and Scripts in Public Folder
Medium impact • Coverage change
Introduced a new rule to detect the creation of suspicious file types in the public folder, potentially indicating malicious activity.
✎ Modified rules
win_taskscheduler_apt_cozy_bear_graphical_proton_task_names
Medium impact • Metadata change
Added new tag 'detection.emerging-threats', extending the context of the rule.
win_security_exploit_cve_2024_1708_screenconnect
Medium impact • Metadata change
Added new tag 'detection.emerging-threats', extending the context of the rule.
posh_pc_renamed_powershell
Medium impact • Metadata change
Updated modified date to '2025-01-20' and added two new host application entries for improved detection.
Win Security Code Integrity Check Failure
Medium impact • Performance change
Updated detection logic to include additional filters for CrowdStrike and Sophos parameters, modifying the last modified date to 2025-01-19.
proc_creation_win_malware_qakbot_uninstaller_cleanup
Medium impact • Metadata change
The tag 'detection.emerging-threats' was added, extending the context of the rule.
image_load_apt_cozy_bear_graphical_proton_dlls
Medium impact • Metadata change
The tag 'detection.emerging-threats' was added, extending the context of the rule.
proc_creation_win_exploit_cve_2024_50623_cleo
Medium impact • Metadata change
Added new tags for CVE-2024-50623 and detection.emerging-threats, extending the context of the rule.
proc_creation_win_apt_fin7_exploitation_indicators
Medium impact • Metadata change
Added the tag 'detection.emerging-threats', extending the context of the rule.
file_event_win_apt_forest_blizzard_activity
Medium impact • Metadata change
Added the tag 'detection.emerging-threats', extending the context of the rule.
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.