Detections Digest #20250217
This digest covers detection rule updates in eight GitHub repositories. It lists 42 new rules and 78 updates made from Feb 10 to Feb 17, 2025.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Feb 10 and Feb 17, 2025, contributors added 42 new rules and updated 78 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections improve coverage for endpoint, cloud, and identity threats. Rules now track rundll32.exe and regini.exe abuse for privilege escalation (anvilogic-forge/armory) and detect Sliver C2 implant activity via PowerShell.
Phishing defenses expand with new detections for Capital One impersonation and open redirect exploits (sublime-security/sublime-rules). Refinements reduce false positives in Charles Schwab impersonation and callback phishing detections.
Cloud security updates catch MFA disablement, external invites, and policy changes in Azure, along with SSH traffic monitoring in AWS (panther-labs/panther-analysis). These changes improve detection of identity misconfigurations and cloud exposure.
Process monitoring rules now filter benign system activity on Linux and macOS to reduce noise in detections (chainguard-dev/osquery-defense-kit).
Table Of Contents
anvilogic-forge/armory (+10)
sublime-security/sublime-rules (+4, ✎4)
panther-labs/panther-analysis (+10, ✎2)
Corporate repositories (5)
anvilogic-forge/armory (+10)
https://github.com/anvilogic-forge/armory
Multiple new rules were added to detect misuse of rundll32.exe calling Control_RunDLL via the command line, which may indicate an attempt to run malicious DLLs (+Control_RunDLL Call from Command Line, +Control_RunDLL Call from Command Line, +Control_RunDLL Call from Command Line).
New detection rules were also added to recognize regini.exe execution, which can signal attempts at registry modification for privilege escalation or persistence (+Regini.exe Execution, +Regini.exe Execution, +Regini.exe Execution).
Multiple rules target activity patterns related to Sliver C2 implants during PowerShell use, tracking process behaviors across various telemetry sources (+Sliver C2 Implant Activity Pattern, +Sliver C2 Implant Activity Pattern, +Sliver C2 Implant Activity Pattern, +Sliver C2 Implant Activity Pattern).
sublime-security/sublime-rules (+4, ✎4)
https://github.com/sublime-security/sublime-rules
Sublime Security added new rules to catch brand impersonation and open redirects along with XSS in email subjects. The Capital One impersonation rule detects inbound messages with Capital One branding while filtering out trusted senders (+Brand Impersonation: Capital One). Two new rules target open redirect exploits at listing.ca and vconfex.com (+Open Redirect: listing.ca, +Open Redirect: vconfex.com). A new rule flags XSS attempts in email subjects (+Suspected Cross-Site Scripting (XSS) found in subject).
The team also refined several existing rules to reduce false positives. The Charles Schwab impersonation rule now excludes the schwab-marketing.com domain (✎Brand impersonation: Charles Schwab). The Human Resources impersonation rule saw cleanup in spacing and adjusted conditions for urgency and suspicion (✎Impersonation: Human Resources with link or attachment and engaging language). The Fake Password Expiration rule has refined attachment criteria and keyword handling to improve match precision (✎Credential Phishing: Fake Password Expiration from New and Unsolicited sender). Also, the Intuit callback phishing detection now ignores text about selling on eBay as a vendor (✎Callback phishing via Intuit service abuse).
chainguard-dev/osquery-defense-kit (✎16)
https://github.com/chainguard-dev/osquery-defense-kit
Process detection rules were updated to cut down false positives. The missing-from-disk rule now checks if a process started over an hour ago (✎Processes that do not exist on disk, running in osquery's namespace) and the parent missing-from-disk rule excludes Docker cgroup paths (✎Parent Missing from Disk (Linux)).
Detection for suspicious communications was adjusted. The unexpected DNS rule filters out 'eksctl' and 'limactl' endpoints (✎Unexpected DNS Traffic Detection). Rules tracking unexpected non-HTTPS communications on macOS (✎Unexpected programs communicating over non-HTTPS running from weird locations) and Linux (✎Unexpected programs communicating over non-HTTPS protocols (state-based)) now use refined exception lists.
Persistence rules received several tweaks. The unexpected long-running processes running as root rule was improved across multiple updates: it refines the NOT IN clause to drop a zfs process (✎Unexpected long-running processes running as root), adds two previously excluded UIDs, and updates the regex and expected-path conditions. The unexpected crontab entries rule now checks for a systemd service restart, widening its coverage of cron anomalies (✎Unexpected crontab entries). The unexpected programs listening on a TCP port rule now excludes 'OBSBOT_Center' and 'OBSBOT_Main' and fixes metadata for 'postgres' (✎Unexpected programs listening on a TCP port). The unexpected Chrome extensions rule refines its permissions checks (✎Unexpected Chrome Extensions Detection).
Other modifications include: the suspicious URL fetcher rule now skips the 172.17.% IP range (✎Suspicious URL requests by built-in fetching tools); the rule for non-standard executable directories on macOS now ignores '~/chainguard-dev/' and allows 'sh' or 'make' as parent process names (✎Unexpected Execution from Non-standard Directories on macOS); the macOS file access rule no longer alerts when Java opens files under /dev (✎Unexpected Programs Opening Files in /dev on macOS); and the executable permissions rule now checks against a list of known applications (✎Unexpected Executable Permissions). Finally, hidden system path detection gains extra checks for Gradle directories and an updated exclusion list (✎Unexpected Hidden System Paths Detection).
panther-labs/panther-analysis (+10, ✎2)
https://github.com/panther-labs/panther-analysis
New rules boost detection on Azure. Alerts now fire when MFA is turned off in conditional policies (+Azure MFA Disabled, +MFA disabled). Rules also flag invitations sent to external domains (+Azure Invite External Users, +Azure Invite External Users), monitor changes in Privileged Identity Management roles (+Azure Role Changed in PIM, +Azure Role Changed PIM) and track policy alterations in audit logs (+Azure Policy Changed, +Azure Policy Changed).
AWS rules now monitor SSH traffic on non-private IPs in VPC flow logs (+AWS VPC SSH Allowed Signal, +Signal - VPC Flow Logs Allowed SSH).
In addition, updates to AWS rules change the login detection criteria from failures to successes (+Logins Without SAML) and add filtering to reduce false alerts when EC2 instance user data is accessed via the PantherAuditRole (✎EC2 Instance User Data accessed in bulk).
splunk/security_content (+1)
https://github.com/splunk/security_content
A new Suspicious Process File Path rule has been added to replace the deprecated version. It retains the same detection logic while updating the version number and date (+Suspicious Process File Path).
Personal repositories (3)
Neo23x0/signature-base (+5)
https://github.com/Neo23x0/signature-base
New rules now detect high-risk payloads and phishing trends. A new YARA rule spots the BACKORDER loader, written in Go, that downloads a second-stage payload (+MAL_BACKORDER_LOADER_WIN_Go_Jan23). Multiple rules address phishing threats: one inspects byte sequences for shellcode in unknown phishing malware (+MAL_PHISH_ShellCode_Enc_Payload_Feb25); another identifies the final payload that decrypts and executes on user input (+MAL_PHISH_Final_Payload_Feb25). Additional rules target anomalies, including one that flags odd behavior in Sysinternals Desktops binaries (+SUSP_Sysinternals_Desktops_Anomaly_Feb25) and one that checks for PE files signed with a compromised certificate linked to phishing attacks (+SUSP_PE_Compromised_Certificate_Feb25).
SlimKQL/Hunting-Queries-Detection-Rules (+6)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
SlimKQL added six new rules. Two target Microsoft Graph threats, one using GraphPreConsentExplorer data (+Using GraphPreConsentExplorer data for Microsoft Graph Threat Hunting) and one monitoring Copilot data exfiltration via the Graph API (+Monitoring Copilot Data Exfiltration via Graph API). Two more detect code obfuscation behaviors: one flags WafflesExploits shellcode in image files (+Detecting WafflesExploits Shellcode in Image Files), while the other spots ArgFuscator obfuscation in DeviceEvents (+KQLObfusGuard - Detecting ArgFuscator Obfuscation). Finally, two rules focus on AI-related detections: one monitors LLM model usage in an MDE environment (+LLM Hunting in a MDE Environment) and the other watches file events for the top self-hosted AI models (+The Hunt for Top 10 Self Hosted AI).
RussianPanda95/Yara-Rules (+6)
https://github.com/RussianPanda95/Yara-Rules
RussianPanda95 added several new YARA rules that improve detection of malware plugins and backdoors. New rules detect PreGrabber (+win_mal_PreGrabber), Formgrabber (+win_mal_Formgrabber) and mmgrabber (+Detects mmgrabber Plugin).
Additional rules focus on detecting active threats. These include detection of the GhostWeaver backdoor (+Detects GhostWeaver backdoor) and Juniper Stealer malware (+Detects Juniper Stealer).
One more rule targets potential key decryption behavior in Chromium apps (+Detects Potential Chromium app_bound_encryption key Decrypter).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.