Detections Digest #20250224
This week's update includes changes made to 13 of the 40+ monitored GitHub repositories between Feb 17 and Feb 24, 2025. 101 new rules were added and 439 were updated.
Summary
Recent detection rule updates expand coverage, focusing on cloud security, endpoint threats, and advanced evasion techniques. 46 new rules were added to the Chronicle detection rules repository targeting Microsoft Entra ID, Office 365, and Graph API to detect admin abuse, API enumeration, and audit log modifications. Elastic and Splunk enhanced OneDrive exfiltration monitoring, PowerShell-based credential theft detection, and EDR evasion techniques. Anvilogic Forge introduced a new rule for mega[.]nz C2 traffic detection, while Sigma and Yamato-Security addressed Kalambur backdoor activity and NimScan port scanning. Sublime Security improved phishing detection with rules for brand impersonation (MetaMask, Trust Wallet, Google Drive), SVG evasion, and Unicode Braille pattern abuse.
New detection techniques focus on exploits, cloud API abuse, and stealthy persistence mechanisms. Improvements include fileless execution monitoring, suspicious registry modifications, and audit policy changes to detect adversary techniques more effectively. ESET introduced indicators for DeceptiveDevelopment malware targeting freelancers, while Elastic’s new rule detects high-volume OAuth-based OneDrive exfiltration. Microsoft cloud environments received greater scrutiny, with multiple detections for Azure/Entra ID account abuse, OAuth token misuse, and API reconnaissance in Microsoft Graph.
Several rule updates refined filtering conditions, improved registry modification tracking, and optimized audit policy checks. Many detections were fine-tuned to improve real-world detection accuracy while reducing noise.
Table Of Contents
SigmaHQ/sigma (+4, ✎4)
falcosecurity/rules (✎1)
eset/malware-ioc (+1)
sublime-security/sublime-rules (+6, ✎6)
chainguard-dev/osquery-defense-kit (+1, ✎13)
Yamato-Security/hayabusa-rules (+5, ✎4)
splunk/security_content (+10, ✎6)
elastic/detection-rules (+2, ✎7)
elastic/protections-artifacts (+19, ✎269)
Corporate repositories (12)
anvilogic-forge/armory (+2)
https://github.com/anvilogic-forge/armory
The team at Anvilogic Forge added two high-impact detection rules: one detecting attempted remote code execution through SharePoint CVE-2019-0604 (+SharePoint CVE-2019-0604) and another targeting mega[.]nz traffic to spot potential Command and Control abuse (+mega.nz Traffic).
SigmaHQ/sigma (+4, ✎4)
https://github.com/SigmaHQ/sigma
4 new detection rules were added to the repo. They include one that flags the execution of curl.exe with SOCKS and .onion references, which may indicate Kalambur backdoor activity (+Kalambur Backdoor Curl TOR SOCKS Proxy Execution). Another rule watches for Clfs.sys loaded from a suspicious process location (+Clfs.SYS Loaded By Process Located In a Potential Suspicious Location). A rule targets NimScan based on process image name and known hash values (+PUA - NimScan Execution). There is also a rule that alerts on WDAC policy file creation by abnormal processes (+Potentially Suspicious WDAC Policy File Creation).
Several existing rules were updated. The Python inline command execution rule now checks for pip commands and has renamed filters (✎Python Inline Command Execution). Two AADInternals PowerShell detections received improvements; one for process creation now adds new command-line patterns (✎AADInternals PowerShell Cmdlets Execution - ProccessCreation) and another for PsScript now includes additional cmdlet options (✎AADInternals PowerShell Cmdlets Execution - PsScript). The registry rule for Windows event log access tampering now refines key selection and adds an attack tag (✎Windows Event Log Access Tampering Via Registry).
panther-labs/panther-analysis (✎1)
https://github.com/panther-labs/panther-analysis
The AWS Secrets Manager Retrieve Secrets Multi Region rule now accepts unique_regions as a JSON string (✎AWS Secrets Manager Retrieve Secrets Multi Region). This change improves event processing reliability for multi-region secret retrieval cases.
falcosecurity/rules (✎1)
https://github.com/falcosecurity/rules
The Fileless execution via memfd_create rule now checks process names and adjusts executable path conditions to better capture fileless execution behaviors (✎Fileless execution via memfd_create).
chronicle/detection-rules (+46)
https://github.com/chronicle/detection-rules
Office 365 logging controls saw significant updates. New rules detect both enabling (+Office 365 logging has been enabled) and disabling (+Office 365 logging is disabled) of the Unified Audit Log in Office 365.
Multiple Entra ID activities now have detection rules. Added rules cover cases of newly created users assigned admin roles (+Entra ID Recently Created User Assigned an Entra ID Role), deletion events for applications (+Entra ID Application Deletion), hard deletion (+Entra ID Application Hard Deletion), application restoration (+Entra ID Application Restore), permission changes (+Entra ID Excessive Permission Changes to Application), secret additions (+Client Secret Added to Entra ID Application), login activities outside expected channels (+Entra ID Admin Login Activity to Uncommon MS Cloud Apps) and additions of users outside PIM (+Entra ID Add User Outside PIM). Other new detections cover application creation (+Entra ID Application Creation), conditional access policy changes (+Entra ID conditional access policy modification) and expired token use (+Hunt for Expired Tokens Attempting to sign-in to Entra ID). A rule now also detects addition of users to admin roles (+Entra ID Add User To Admin Role) and successful group deletion (+Entra ID Successful Group Deletion).
New detections for Microsoft Graph activity have been added to cover a range of API calls and enumeration methods. These include API calls for authorization policies (+Hunt for authorization policy API calls in the Microsoft Graph), suspicious user agent strings (+Suspicious User Agent Strings associated withGraphRunner), delete method calls (+Hunt for the delete method in Microsoft Graph API calls), undocumented API calls (+Hunt for Undocumented API - Estimate Access called in Microsoft Graph API), and various enumeration activities (+Enumeration observed in the Microsoft Graph API using GraphRunner GraphRecon command, +Hunt for user API endpoint requests in the Microsoft Graph, +Hunt for application API calls in the Microsoft Graph). Additional rules target group actions (+Hunt for Groups endpoint requests in the Microsoft Graph API, +Hunt for successful group creation in the Microsoft Graph API) and search/query operations (+Hunt for search/query endpoint API requests in the Microsoft Graph).
Several Office 365 actions are now in focus. New rules detect mail access via unexpected apps (+Office 365 mail accessed via unexpected application), non-anonymous file downloads (+Hunt for Non-Anonymous Office 365 file downloads), and group events such as creation (+Hunt for Office 365 group creation success), modification (+Hunt for Office 365 group modification add member success, +Office 365 group modification add member success has exceeded a defined threshold, +Hunt for Office 365 group modification remove member success), creation failures (+Hunt for Office 365 group creation failures), and deletion events (+Office 365 group deletion success). A new rule also monitors Teams group membership changes (+Office 365 Teams member removed).
Multiple failed download attempts from OneDrive were targeted with two new rules: one for repeated file downloads (+Multiple failed file downloads from OneDrive observed in the Microsoft Graph API) and one for unique documents (+Multiple failed unique file downloads from OneDrive observed in the Microsoft Graph API). An additional rule detects bad request errors at the groups endpoint (+Hunt for Bad Request errors against the Groups endpoint in the Microsoft Graph API). A final update identifies enumeration of updatable groups (+Enumeration of updatable groups in the Microsoft Graph API) and application enumeration (+Entra ID application enumeration observed in the Microsoft Graph API).
A rule was also added to spot suspicious external sign-ins to Entra ID (+Hunt for suspicious sign-in to Entra ID Using Extrnal Call Method).
These updates from Chronicle's rule repository expand coverage for emerging threats and improve accuracy in detecting suspicious account activity, API misuse, file downloads, and group modifications across Office 365, Entra ID, and Microsoft Graph.
eset/malware-ioc (+1)
https://github.com/eset/malware-ioc
A new rule has been added that alerts for indicators linked to DeceptiveDevelopment targeting freelance developers. The rule looks for file patterns and network signals tied to this threat (+DeceptiveDevelopment targets freelance developers – Indicators of Compromise).
sublime-security/sublime-rules (+6, ✎6)
https://github.com/sublime-security/sublime-rules
The team at Sublime Security added several high-impact rules to spot new evasion and spoofing methods. They added rules to detect SVG files with evasion elements (+Attachment: SVG Files With Evasion Elements), attachments with hidden Unicode Braille patterns in filenames (+Attachment: Filename Containing Unicode Braille Pattern Blank Character), and QR code attachments with userinfo data (+Attachment: QR Code With Userinfo Portion). They also added brand impersonation rules for MetaMask (+Brand Impersonation: MetaMask), Trust Wallet (+Brand Impersonation: Trust Wallet), and Google Drive fake file shares (+Brand impersonation: Google Drive fake file share).
Modifications were made to improve detection accuracy. The sender email domain logic for Wise was updated (✎Brand impersonation: Wise). The rule for SharePoint fake file shares now adds conditions for shared documents and subject line checks (✎Brand impersonation: Sharepoint fake file share). Updates in the DocuSign rule now ignore envelope variations in OCR for better attachment checks (✎Brand impersonation: DocuSign branded attachment lure with no DocuSign links). Logic in the Capital One impersonation rule was refined with updated topic filters (✎Brand Impersonation: Capital One). Changes to the scam Piano Giveaway rule replaced string matching with regex for improved detection (✎Scam: Piano Giveaway), while the PayPal Invoice Abuse rule now uses refined regex and keywords for better filtering (✎PayPal Invoice Abuse).
chainguard-dev/osquery-defense-kit (+1, ✎13)
https://github.com/chainguard-dev/osquery-defense-kit
A new rule was added to detect unexpected UPX executable processes using YARA signatures (+Currently running UPX executable).
Several rules were updated to reduce false positives and improve accuracy. The disk activity rule now uses an expanded process exclusion list for tighter filtering (✎High Disk Bytes Written). The rule for programs listening on TCP ports was modified to filter Docker container processes and specific DHCP client addresses (✎Unexpected programs listening on a TCP port (state-based)). The HTTPS detection rule was updated with adjustments to process exception lists (✎Unexpected programs communicating over HTTPS (state-based)) and the DNS rule removed redundant conditions (✎Catch unexpected DNS traffic).
Additional modifications target improved detection accuracy and reduced false alerts. Changes include revised time thresholds and added path exclusions for recently created executables (✎Recently Created Executables - Long Lived Linux), updated exclusion lists for disk images and webmail downloads on macOS (✎Unexpected Disk Image Source on macOS, ✎Unexpected Webmail Downloads), refined conditions for hidden executables and files in /var (✎Hidden Executable Detection, ✎Unexpected Executables in /var), updated exceptions for programs accessing /dev (✎Detects unexpected programs opening files in /dev on Linux), and improved detection logic for unexpected device paths and Chrome extensions (✎Unexpected Device Linux Detection, ✎Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist).
Yamato-Security/hayabusa-rules (+5, ✎4)
https://github.com/Yamato-Security/hayabusa-rules
The team at Yamato Security added rules to detect emerging malware activity. New detections cover Kalambur backdoor activity when curl.exe is run with SOCKS and .onion references (+Kalambur Backdoor Curl TOR SOCKS Proxy Execution, +Kalambur Backdoor Curl TOR SOCKS Proxy Execution). A rule was added to catch abnormal WDAC policy file creation events (+Potentially Suspicious WDAC Policy File Creation), and two rules were added that monitor for NimScan portscanner execution, triggered by process creation activities and hash values (+PUA - NimScan Execution, +PUA - NimScan Execution).
Updated rules improve detection detail and cut false positives. Changes expand PowerShell command detection for AADInternals cmdlets and add a contributor (+AADInternals PowerShell Cmdlets Execution - PsScript, ✎AADInternals PowerShell Cmdlets Execution - ProccessCreation). Other updates adjust registry object conditions for Windows Event Log tampering (+Windows Event Log Access Tampering Via Registry, ✎Windows Event Log Access Tampering Via Registry).
splunk/security_content (+10, ✎6)
https://github.com/splunk/security_content
10 new detection rules were added to spot defense evasion tactics via EDR data. They target suspicious use of auditpol commands, covering disabled, cleared, restored, or altered audit policy settings and global object access audits. A new rule also monitors potential Telegram API use via the command line and another detects Windows Event Log service shutdown. (+Potential Telegram API Request Via CommandLine, +Windows Audit Policy Disabled via Legacy Auditpol, +Windows Audit Policy Auditing Option Disabled via Auditpol, +Windows Event Logging Service Has Shutdown, +Windows Important Audit Policy Disabled, +Windows Audit Policy Cleared Via Auditpol, +Windows Audit Policy Disabled Via Auditpol, +Windows Audit Policy Restored Via Auditpol, +Windows Global Object Access Audit List Cleared Via Auditpol, +Windows Audit Policy Excluded Category Via Auditpol).
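Two of the command-line detections described in this issue, the Kalambur curl.exe/SOCKS/.onion check from the SigmaHQ and Yamato-Security sections and the auditpol audit-policy tampering checks from the Splunk section, can be illustrated with one small rule runner over process-creation events. The code below is an added example written for this digest; it is not the Sigma, Hayabusa or Splunk rule logic, and the event field names, host names, the .onion address and the sample command lines are all constructed. The auditpol subcommand patterns (/clear, /remove, /restore, /set ... /success:disable, /resourceSACL ... /clear) are assumed from the documented auditpol syntax.

```python
"""Two command-line detections run over constructed process-creation events.
Example code written for this digest; not the Sigma, Hayabusa or Splunk rules."""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str          # full path of the created process (assumed field)
    command_line: str   # assumed field


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    host: str
    command_line: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path; accepts / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- Rule 1: curl.exe pointed at a SOCKS proxy together with an .onion host ---
SOCKS_RE = re.compile(r"--socks(?:4a?|5(?:-hostname)?)\b|-x\s+socks[45]a?h?://", re.I)
ONION_RE = re.compile(r"\.onion\b", re.I)


def curl_tor_socks(ev: ProcessEvent) -> Optional[str]:
    if image_name(ev.image) != "curl.exe":
        return None
    if SOCKS_RE.search(ev.command_line) and ONION_RE.search(ev.command_line):
        return "curl.exe with SOCKS proxy and .onion reference"
    return None


# --- Rule 2: auditpol.exe weakening the local audit policy ---
# More specific patterns come first; /get, /list and /backup are read-only and not flagged.
AUDITPOL_PATTERNS = [
    (re.compile(r"/resourceSACL\b.*?/clear\b", re.I), "global object access audit list cleared"),
    (re.compile(r"/clear\b", re.I), "audit policy cleared"),
    (re.compile(r"/remove\b", re.I), "per-user audit policy removed"),
    (re.compile(r"/restore\b", re.I), "audit policy restored from file"),
    (re.compile(r"/set\b.*?/(?:success|failure):disable\b", re.I), "audit setting disabled"),
]


def auditpol_tamper(ev: ProcessEvent) -> Optional[str]:
    if image_name(ev.image) != "auditpol.exe":
        return None
    for pattern, detail in AUDITPOL_PATTERNS:
        if pattern.search(ev.command_line):
            return detail
    return None


RULES: List[Tuple[str, Callable[[ProcessEvent], Optional[str]]]] = [
    ("Curl TOR SOCKS Proxy Execution", curl_tor_socks),
    ("Audit Policy Tampering Via Auditpol", auditpol_tamper),
]


def run_rules(events: Iterable[ProcessEvent]) -> List[Finding]:
    """Apply every rule to every event and collect the matches in event order."""
    findings: List[Finding] = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(name, detail, ev.host, ev.command_line))
    return findings


# Constructed sample telemetry: hosts, addresses and the onion name are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\curl.exe",
                 "curl.exe -x socks5h://127.0.0.1:9050 http://exampleexampleexample.onion/c"),
    ProcessEvent("ws01", r"C:\Windows\System32\curl.exe",
                 "curl.exe -sL https://example.com/index.html"),
    ProcessEvent("ws02", r"C:\Windows\System32\auditpol.exe", "auditpol /clear /y"),
    ProcessEvent("ws02", r"C:\Windows\System32\auditpol.exe",
                 'auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable'),
    ProcessEvent("ws03", r"C:\Windows\System32\auditpol.exe", "auditpol /get /category:*"),
    ProcessEvent("ws03", r"C:\Windows\System32\auditpol.exe",
                 "auditpol /resourceSACL /type:File /clear"),
    ProcessEvent("ws04", r"C:\Windows\System32\auditpol.exe",
                 r"auditpol /restore /file:C:\Temp\policy.csv"),
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail} :: {f.command_line}")
```

Run as a script, the sample set yields five findings: the curl.exe call through the local SOCKS proxy to an .onion host, and the four auditpol invocations that clear, disable, wipe the resource SACL list, or restore the policy; the plain HTTPS curl and the read-only auditpol /get query produce nothing. Keying each rule on the image name first keeps the regex work off the bulk of process-creation volume.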
Search logic updates were made to refine queries and data sources. The Windows Process Execution in Temp Dir rule fixed a formatting issue, the Exchange PowerShell Abuse via SSRF rule updated its version and source, and the Windows Compatibility Telemetry Tampering Through Registry rule now targets a single Sysmon event. Two Cisco Secure Endpoint rules were updated for field normalization, date, and search query tuning to improve accuracy and limit false positives. (✎Windows Process Execution in Temp Dir, ✎Exchange PowerShell Abuse via SSRF, ✎Windows Compatibility Telemetry Tampering Through Registry, ✎Windows Cisco Secure Endpoint Related Service Stopped, ✎Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc, ✎Windows Cisco Secure Endpoint Unblock File Via Sfc).
elastic/detection-rules (+2, ✎7)
https://github.com/elastic/detection-rules
Two high-impact rules were added to catch new phishing and data exfiltration tactics. A rule detects high volume file downloads from OneDrive using OAuth tokens (+M365 OneDrive Excessive File Downloads with OAuth Token), and another flags SNS topic creation by rare users in AWS (+AWS SNS Topic Created by Rare User).
Multiple Windows rules were updated to improve log coverage and detection accuracy. The update includes tracking suspicious file renames via SMB (✎Suspicious File Renamed via SMB), monitoring registry hive dumps for credential access (✎Credential Acquisition via Registry Hive Dumping), flagging suspicious remote registry access (✎Suspicious Remote Registry Access via SeBackupPrivilege), tracking execution in Windows Subsystem for Linux (✎Execution via Windows Subsystem for Linux), detecting potential Foxmail exploitation (✎Potential Foxmail Exploitation), capturing new ActiveSync device additions via PowerShell (✎New ActiveSyncAllowedDeviceID Added via PowerShell), and tracking accounts set with never-expiring passwords (✎Account Configured with Never-Expiring Password).
elastic/protections-artifacts (+19, ✎269)
https://github.com/elastic/protections-artifacts
New detection rules have been added to catch suspicious Windows script behavior and evasive activities. These include rules for PowerShell scripts that take screenshots (+PowerShell Script with Screen Capture Capability), remote process memory writes by low reputation modules (+Remote Process Memory Write by Low Reputation Module), and several rules that flag obfuscated script executions and credential access attempts (+Execution via Obfuscated Windows Script, +PowerShell Script with Passwords Vault Access Capability).
Modifications span multiple operating systems and focus on improving detection response. Many rules now add actions to terminate parent processes and adjust query conditions to tighten filtering and reduce false positives. For example, updates to file deletion, network connection, and privilege escalation detections include new kill process actions (✎Suspicious Recursive File Deletion via Built-In Utilities, ✎File Downloaded via Curl or Wget to Hidden Directory, ✎Privilege Escalation Enumeration via LinPEAS). Similar improvements are applied across Linux, macOS, and Windows rules.
Other enhancements include refined query logic, adjusted exclusion lists, and version upgrades that increase detection accuracy for emerging threats such as reverse shells, tunneling, and suspicious memory modifications (✎Potential Reverse Shell via Powershell, ✎Potential Protocol Tunneling via Legit Utilities). These updates improve the rules’ ability to catch tactics used by adversaries while cutting down on noise.
Personal repositories (1)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
4 new KQL rules were introduced by SlimKQL. The rules include a rule to detect a new variant of Snake Keylogger using several IOCs (+Hunting New Variant of Snake Keylogger) and a rule that flags potential EDR evasion through shellcode injection via MSSQL CLR Assembly (+EDR Evasion - Inject Shellcode via MSSQL CLR Assembly Detection). The update also adds a weekly scan rule for OSINT indicators over the past 30 days (+DefenderXDR Weekly OSINT Indicators Scan) and a rule to detect exploits targeting Palo Alto firewalls with GreyNoise IPs from the last 10 days (+Detecting Palo Alto Firewall Exploits).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.