Detections Digest #20250210
This digest covers detection rule updates from 10 GitHub repos between Feb 3 and Feb 10, 2025, with 82 newly added and more than 200 modified rules.
This week's update highlights the most significant changes to detection rules from 10 of the 40+ monitored GitHub repositories. Between Feb 3 and Feb 10, 2025, contributors added 82 new rules and updated more than 200 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Exec Summary
Recent updates expand detection coverage for both endpoint and cloud-based threats. New rules have been added to monitor critical registry changes associated with privilege escalation, such as LocalAccountTokenFilterPolicy modifications that may expose systems to pass-the-hash attacks (anvilogic-forge/armory).
AWS-specific threat detection enhancements include monitoring for Secrets Manager secret retrieval activity (panther-labs/panther-analysis) and for bucket enumeration via NoSuchBucket errors that attackers may exploit to find misconfigurations (SlimKQL/Hunting-Queries-Detection-Rules). Additionally, identity protection rules have been improved, with new monitoring of administrative changes to QR code sign-in within Entra ID to detect unauthorized access attempts (SlimKQL/Hunting-Queries-Detection-Rules).
The updates emphasize a stronger focus on cloud and identity security. New AWS detection logic provides more robust visibility into misconfiguration and service exploitation risks (panther-labs/panther-analysis, elastic/detection-rules). Similarly, updated identity-based detections aim to improve defenses against phishing and access abuse in hybrid environments (sublime-security/sublime-rules, phish-report/IOK), addressing common attack vectors that leverage compromised credentials.
Operational improvements include performance optimizations for Splunk Sysmon and PowerShell detections, ensuring more efficient use of resources without sacrificing rule accuracy (anvilogic-forge/armory, splunk/security_content). Detection engineers should prioritize deploying these updates in relevant environments, followed by validation through attack simulations. Testing these rules, particularly in cloud infrastructure and identity management scenarios, will be essential for maintaining a strong detection posture.
Table Of Contents
anvilogic-forge/armory (+11)
panther-labs/panther-analysis (+9)
sublime-security/sublime-rules (+20, ✎19)
delivr-to/detections (+1)
chainguard-dev/osquery-defense-kit (+1, ✎13)
phish-report/IOK (+1)
elastic/protections-artifacts (+31, ✎44)
splunk/security_content (✎4)
elastic/detection-rules (+4, ✎61)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
Corporate repositories (11)
anvilogic-forge/armory (+11)
https://github.com/anvilogic-forge/armory
New rules watch for changes to the LocalAccountTokenFilterPolicy registry value that may expose systems to pass-the-hash attacks (+LocalAccountTokenFilterPolicy Registry Value Modified, +LocalAccountTokenFilterPolicy Registry Value Modified, +LocalAccountTokenFilterPolicy Registry Value Modified, +LocalAccountTokenFilterPolicy Registry Value Modified).
New rules detect execution of Visual Studio Code tunnel attempts that may hint at command and control channel setup (+Visual Studio Code Tunnel Execution, +Visual Studio Code Tunnel Execution, +Visual Studio Code Tunnel Execution, +Visual Studio Code Tunnel Execution).
New rules monitor OpenSSL encryption commands on Unix systems that may be used by adversaries for data encryption (+OpenSSL Encryption Commands - *nix, +OpenSSL Encryption Commands - *nix, +OpenSSL Encryption Commands - *nix).
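To show what the LocalAccountTokenFilterPolicy rules above are looking for, here is an added example (not armory's own rule logic) that runs a check over constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records: a non-zero value written to that policy key disables remote UAC token filtering for local accounts, which is the condition worth alerting on. The event field names follow Sysmon's schema; the sample records and the `find_alerts` helper are assumptions made for this example.

```python
"""Flag Sysmon registry events that set LocalAccountTokenFilterPolicy to a non-zero value."""
import re

# Tail of the registry path that controls remote UAC token filtering for local accounts.
TARGET_SUFFIX = r"\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy".lower()
# Sysmon Event ID 13 records DWORD data as e.g. "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")

# Constructed Sysmon Event ID 13 samples for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe", "User": "CORP\\admin",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},                      # risky: filtering disabled
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},                      # unrelated policy value
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": "CORP\\admin",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000000)"},                      # hardening direction, not alerted
]


def is_token_filter_bypass(event: dict) -> bool:
    """True when a Value Set event writes a non-zero LocalAccountTokenFilterPolicy."""
    if event.get("EventID") != 13:
        return False
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    match = DWORD_RE.search(event.get("Details", ""))
    # Only DWORD writes carry a value we can judge; anything else is left for triage.
    return bool(match) and int(match.group(1), 16) != 0


def find_alerts(events: list) -> list:
    """Return a compact alert record per matching event (who wrote it, from which binary)."""
    return [
        {"image": e.get("Image", ""), "user": e.get("User", ""), "details": e.get("Details", "")}
        for e in events
        if is_token_filter_bypass(e)
    ]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT LocalAccountTokenFilterPolicy enabled:", alert)
```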
panther-labs/panther-analysis (+9)
https://github.com/panther-labs/panther-analysis
Multiple new AWS Secrets Manager rules have been introduced to detect secret retrieval activities from various angles. They cover batch retrieval using catch-all filters (+AWS Secrets Manager Batch Retrieve Secrets Catch-All, +AWS Secrets Manager Batch Retrieve Secrets), standard retrieval attempts when access is denied (+AWS Secrets Manager Retrieve Secrets), multi-region retrieval efforts (+AWS Secrets Manager Retrieve Secrets Multi Region, +AWS Secrets Manager Retrieve Secrets Multi-Region), excessive retrieval attempts from EC2 (+EC2 Secrets Manager Retrieve Secrets), and catch-all filter detection (+AWS Secrets Manager Catch-All Filter Retrieval).
A new rule was also added to check organization-wide GitHub repository ruleset modifications (+GitHub Repository Ruleset Modified).
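Two of the Secrets Manager patterns described above, retrieval attempts that were denied and retrieval spread across several regions by one principal, as an added example that is not panther-analysis's rule code. It runs over constructed CloudTrail records using the standard eventSource, eventName, awsRegion, errorCode and userIdentity.arn fields; the region threshold and the ten-minute window are assumptions for this example.

```python
"""Flag suspicious Secrets Manager retrieval patterns in CloudTrail records."""
from collections import defaultdict
from datetime import datetime, timedelta

RETRIEVE_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}
MULTI_REGION_THRESHOLD = 3      # assumed: distinct regions per principal per window
WINDOW = timedelta(minutes=10)  # assumed: look-back window for the region count

# Constructed CloudTrail records for this example (not real logs); only the fields used.
SAMPLE_RECORDS = [
    {"eventTime": "2025-02-05T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2025-02-05T10:01:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2025-02-05T10:02:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "BatchGetSecretValue", "awsRegion": "ap-southeast-2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}},
    {"eventTime": "2025-02-05T10:03:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
    {"eventTime": "2025-02-05T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]


def _ts(rec: dict) -> datetime:
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_retrieval(rec: dict) -> bool:
    """True for Secrets Manager calls that return secret material."""
    return (rec.get("eventSource") == "secretsmanager.amazonaws.com"
            and rec.get("eventName") in RETRIEVE_EVENTS)


def denied_retrievals(records: list) -> list:
    """Retrieval attempts refused with AccessDenied: a principal probing secrets it cannot read."""
    return [r for r in records if is_retrieval(r) and r.get("errorCode") == "AccessDenied"]


def multi_region_principals(records: list) -> dict:
    """Map principal ARN -> sorted regions when retrievals span >= threshold regions in one window."""
    per_principal = defaultdict(list)
    for rec in sorted(filter(is_retrieval, records), key=_ts):   # time-ordered per principal
        per_principal[rec["userIdentity"]["arn"]].append(rec)
    flagged = {}
    for arn, recs in per_principal.items():
        for i, start in enumerate(recs):                          # slide the window forward
            regions = {r["awsRegion"] for r in recs[i:] if _ts(r) - _ts(start) <= WINDOW}
            if len(regions) >= MULTI_REGION_THRESHOLD:
                flagged[arn] = sorted(regions)
                break
    return flagged
```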
sublime-security/sublime-rules (+20, ✎19)
https://github.com/sublime-security/sublime-rules
New rules target emerging threats focusing on open redirect misuse, suspicious attachments, brand impersonation, and anomalous sender text. Notable additions include multiple open redirect rules for domains (+Open Redirect: museepicassoparis.fr, +Open Redirect: radiopublic.com, +Open Redirect: api.spently.com, +Open Redirect: ijf.org, +Open Redirect: mail.spiceworks.com, +Open Redirect: magiccity.ne.jp, +Open Redirect: astroarts.co.jp, +Open Redirect: embluemail.com, +Open Redirect: retailrocket.net, +Open Redirect: smartadserver.com, +Open Redirect: sciencebuddies.org, +Open Redirect: shoppingwebapi.didatravel.com, +Open Redirect: ssg-financial.com, +Open Redirect: social.bigpress.net, +Open Redirect: unitedwaynwvt.org). Additional new rules cover detection of PDF attachments with DocuSign logos and suspicious links, HTML attachments with excessive 'const' declarations, anomalies in sender display names, inbound messages from popular services via suspicious distribution lists, and scam content (e.g., Piano Giveaway) (+Brand Impersonation: DocuSign pdf attachment with suspicious link, +Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts, +Suspicious sender display name with long procedurally generated text blob, +Inbound Message from Popular Service Via Newly Observed Distribution List, +Scam: Piano Giveaway).
Modifications improve regex patterns, strengthen pattern matching, and resolve logic issues to cut false positives. Updated rules refine subject matching, correct string checks by switching to regex match in open redirect and phishing detection rules, and clean up conditions for sender or URL analysis. Key updates cover Corporate Services Impersonation Phishing, Suspicious Office 365 app authorization links, extortion tactics in PDF attachments, Twitter infrastructure abuse, and several adjustments for credential phishing and impersonation cases (✎Corporate Services Impersonation Phishing, ✎Suspicious Office 365 app authorization (OAuth) link, ✎Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender, ✎Twitter infrastructure abuse via link shortener, ✎Credential phishing: Engaging language and other indicators (untrusted sender), among others). Additional updates include enhancements to redirect detection for domains like bubblelife.com, magic4media.com, and unitedwaynwvt.org, plus fixes to impersonation rules for Hulu and DHL (✎Open Redirect: bubblelife.com, ✎Open Redirect: magic4media.com, ✎Open Redirect: unitedwaynwvt.org, ✎Brand impersonation: Hulu, ✎Impersonation: DHL).
delivr-to/detections (+1)
https://github.com/delivr-to/detections
A new rule has been added to detect unsolicited emails with nested 7-Zip archives aimed at CVE-2025-0411 (+Attachment: Nested 7-Zip Archives CVE-2025-0411 (Unsolicited)).
chainguard-dev/osquery-defense-kit (+1, ✎13)
https://github.com/chainguard-dev/osquery-defense-kit
A new rule detects long-running processes running as root on Linux systems (+unexpected long-running processes running as root).
Several evasion rules have been refined. The hidden current working directory rule now checks additional top directories (✎Programs running with a hidden current working directory). The unexpected executables in /etc rule now excludes the '/etc/asciidoc/filters/code' directory (✎Unexpected Executables in /etc). The hidden executable detection rule updates the WHERE clause with more exclusions and removes obsolete directories (✎Hidden Executable Detection).
Two rules monitoring access to /dev files were modified. The macOS rule now omits the agentbeat process for better accuracy (✎Unexpected Programs Accessing /dev Files on macOS) and the Linux rule refines its exception list for related events (✎Detects unexpected programs opening files in /dev on Linux).
Rules that detect unusual network or DNS activity have also been updated. An exception for 'minecraft-launcher' was added to the rule monitoring non-HTTPS communications (✎Unexpected programs communicating over non-HTTPS protocols), and the unexpected DNS traffic rule now excludes 'buildkitd' and includes 'containerd-shim-runc-v2' (✎Catch unexpected DNS traffic to non-configured servers).
Additional modifications further refine detection accuracy. The unusual process name rule for Linux revises its exclusion list (✎Unusual Process Name Detection for Linux). The yara-suspicious strings process rule for Linux adds new process exclusions and drops others (✎yara-suspicious-strings-process-linux). The unexpected device detection rule on Linux now ignores more device names (✎Unexpected Device Linux Detection). The macOS rule detecting long-running security framework processes now excludes keys matching 'terraform-provider-%,a.out,' (✎Unexpected Long-Running Security Framework on macOS). The privilege escalation rule on macOS adds a new path to its exclusion list (✎Unexpected Privilege Escalation on macOS). Finally, the systemd unit rule now ignores bootc status changes and flatpak automatic updates to improve detection of persistence mechanisms (✎Unexpected systemd units, may be evidence of persistence).
phish-report/IOK (+1)
https://github.com/phish-report/IOK
A new rule was added to catch websites that target Roblox players with fake currency scams (+Roblox Survey Scam 9170a30d).
elastic/protections-artifacts (+31, ✎44)
https://github.com/elastic/protections-artifacts
New rules target evasion and reverse shell techniques in Linux and Windows. On Linux, rules now detect the use of auditctl with a disable flag (+Auditctl Disabled via Shell Process), suspicious use of base64 strings (+Suspicious Base64 String Command-line), abnormal shared object file preloading (+Shared Object file creation and immediate Preload), and tampering with file timestamps using touch (+Timestomping Detected via Touch). Additional Linux rules detect reverse shell activity via Java, NetworkManager scripts, and named pipes (+Potential Linux Reverse Shell via Java, +Reverse Shell via NetworkManager Dispatcher Script, +Potential Reverse Shell via Named Pipe). Other new Linux detections cover suspicious command execution via Busybox (+Suspicious Command Execution via Busybox Proxy), backdoor execution via PAM (+Potential Backdoor Execution Through PAM_EXEC), web server directory traversal (+Potential Web Server Directory Traversal), data exfiltration via curl (+Potential Data Exfiltration Through Curl), and coin miner execution through shell commands (+Potential Coin Miner Execution, +Potential Coin Miner Execution via Shell). A rule to capture abnormal curl usage with SOCKS proxy options is also added (+Curl SOCKS Proxy Activity from Unusual Parent), as is one for detecting process path symbolic link manipulation (+Process Path Symbolic Link Manipulation) and another for processes started via /proc/self/exe (+Potential Masquerading via /proc/self/exe).
New Windows rules detect code injection and suspicious process behavior. They flag shellcode injection from mounted devices (+Shellcode Injection from Mounted Device), remote memory writes from untrusted modules (+Remote Memory Write to Trusted Target Process), and PowerShell base64 decoding that may signal malware activity (+Suspicious PowerShell Base64 Decoding). Additional Windows rules detect download and execute operations via scripts (+Download and Execute via Windows Script) and flag executions of low or unknown reputation executables (+Execution of a downloaded executable with low or unknown reputation). A further Windows rule detects suspicious memory writes to non-child processes (+Process Memory Write to a Non Child Process) and one tracks potential injection via EarlyCascade (+Potential Injection via EarlyCascade).
Several rules receive updates to improve accuracy and reduce false positives. Linux rules for file downloads via curl or wget (✎File Downloaded via Curl or Wget to Hidden Directory), cron service startups (✎Cron(d) Service Started by Unusual Parent), and chattr executions (✎Chattr Execution with Unusual Target File) have refined queries and extended exclusion lists. Updates also cover Linux detections for hexadecimal payload execution (✎Hexadecimal Payload Execution), process executions from unusual directories (✎Execution from Unusual Directory), and suspicious web server activity (✎Suspicious Download and Redirect by Web Server, ✎Unusual Command Executed by Web Server). Windows rule updates span improvements in unsigned binary web service connections (✎Connection to WebService by an Unsigned Binary), signed binary proxy connections (✎Connection to WebService by a Signed Binary Proxy), and advanced shellcode injection checks (✎Shellcode Injection via PowerShell, ✎Shellcode Execution from Low Reputation Module). macOS updates improve external IP discovery conditions (✎External IP address discovery via Package or Script, ✎External IP address discovery via Curl) and initial access via Google Drive (✎Python Initial Access via Google Drive). Other updates refine query logic for command and control, persistence, and injection events by updating version numbers and adding new exclusion criteria.
splunk/security_content (✎4)
https://github.com/splunk/security_content
Detect Remote Access Software Usage Process rule version was upgraded to version 6, adding drill-down searches plus risk-based alerting improvements (✎Detect Remote Access Software Usage Process). Detect Remote Access Software Usage DNS now uses a new search format to query the Network_Resolution data model (✎Detect Remote Access Software Usage DNS).
Windows System Remote Discovery With Query now excludes certain process paths from query.exe events to cut false alerts (✎Windows System Remote Discovery With Query). System User Discovery With Query upgraded from version 4 to 5 and now checks both process_name and original_file_name for query.exe detection (✎System User Discovery With Query).
elastic/detection-rules (+4, ✎61)
https://github.com/elastic/detection-rules
New rules have been added to catch emerging evasion and command-execution tactics. The team now detects command execution via ForFiles (+Command Execution via ForFiles), execution of downloaded Windows scripts (+Execution of a Downloaded Windows Script), file transfer via Curl for Windows (+Potential File Transfer via Curl for Windows), and backgrounded processes via unusual parent in Linux (+Process Backgrounded by Unusual Parent).
Many endpoint detection rules now use shorter time windows and intervals to produce alerts faster. The detection periods have been tightened from now-10m to now-2m and the check interval reduced from 5m to 1m in rules like Ransomware - Detected - Elastic Defend (✎Ransomware - Detected - Elastic Defend), Behavior - Detected - Elastic Defend (✎Behavior - Detected - Elastic Defend), Memory Threat - Detected - Elastic Defend (✎Memory Threat - Detected - Elastic Defend), Behavior - Prevented - Elastic Defend (✎Behavior - Prevented - Elastic Defend), Memory Threat - Prevented- Elastic Defend (✎Memory Threat - Prevented- Elastic Defend), Ransomware - Prevented - Elastic Defend (✎Ransomware - Prevented - Elastic Defend), and Malicious File - Detected - Elastic Defend (✎Malicious File - Detected - Elastic Defend).
Several rules have refined their query logic and index patterns. Many detection rules now pinpoint process and network events with more specificity. Updates include changes in index fields or conditions in rules such as Suspicious Execution from Foomatic-rip or Cupsd Parent (✎Suspicious Execution from Foomatic-rip or Cupsd Parent), BPF filter applied using TC (✎BPF filter applied using TC), Unusual Instance Metadata Service (IMDS) API Request (✎Unusual Instance Metadata Service (IMDS) API Request), Kernel Unpacking Activity (✎Kernel Unpacking Activity), several reverse shell detections such as Potential Reverse Shell via Java (✎Potential Reverse Shell via Java) and Potential Reverse Shell via Child (✎Potential Reverse Shell via Child), as well as many persistence and escalation rules that now target process or network events more narrowly (for example, ✎Network Connections Initiated Through XDG Autostart Entry, ✎Access to Keychain Credentials Directories, and ✎Suspicious APT Package Manager Execution). Additional refinements in Windows and cross-platform scripts also update process name filters and exclude benign conditions (✎Command and Scripting Interpreter via Windows Scripts, ✎Potential JAVA/JNDI Exploitation Attempt, ✎Suspicious .NET Reflection via PowerShell).
Personal repositories (1)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
New rules have been added that strengthen detection of various threats. A rule now flags exploitation of HTTP client tools in account takeover attempts by checking user agent and ISP data (+HTTP Client Tools Exploitation for ATO Detection). Another rule monitors AWS CloudTrail logs for NoSuchBucket errors (+AWS NoSuchBucket Check). A further addition examines Sysinternals tools use by reviewing device events and file loads to spot zero day vulnerabilities (+Sysinternals Tools Zero Day Vulnerability Detection). Finally, a rule detects admin changes to the QR code sign-in process (+Entra QR Code Sign-In KQL Detection).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork. Looking for a customized version of this newsletter? We'd be happy to help — contact us.