Detections Digest #20250310
This week's issue highlights the most significant changes to detection rules from 12 of the 40+ monitored GitHub repositories. Between Mar 3 and Mar 10, 2025, contributors added 63 new rules and updated 91 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Cloud threat detection advanced — New rules target Office 365 mailbox tampering, AWS GuardDuty critical events, and Azure OpenAI abuse for tighter cloud alerts. (anvilogic-forge/armory, panther-labs/panther-analysis, elastic/detection-rules)
Container rule deprecation — Multiple container workload rules are marked as deprecated with guidance to use Linux-based alternatives, signaling a move away from deprecated integrations. (elastic/detection-rules)
Driver threat detection expanded — Extensive updates in driver detection add new MD5/SHA hashes and modify driver name lists to spot malicious and vulnerable drivers more accurately. (magicsword-io/LOLDrivers)
Enhanced PowerShell and script detection — Updates in several rules include extra references for Veeam-Get-Creds, additional malicious script paths, and adjusted conditions to improve detection of PowerShell attacks. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Refined email and header analysis — Rule modifications focus on external forwarding, header anomalies, and suspicious attachment patterns to reduce noise and catch genuine phishing attempts. (panther-labs/panther-analysis, sublime-security/sublime-rules)
Fortified network and process anomaly alerts — Numerous Elastic rules now include extra conditions and refined exclusions to detect unusual network connections, reverse shells, and atypical process behavior more precisely. (elastic/detection-rules, elastic/protections-artifacts)
OS and browser telemetry improvements — New OSQuery queries list browser extensions and refine autostart execution detections to improve system telemetry insights. (SophosRapidResponse/OSQuery, chainguard-dev/osquery-defense-kit)
KQL hunting queries updated for zero-day threats — New KQL rules now cover zero-day privilege escalation and command injection attempts, concentrating on vulnerable Windows and Hyper-V endpoints. (SlimKQL/Hunting-Queries-Detection-Rules)
Detection logic precision improved — Updates across several repositories adjust regex conditions, process exclusions, and file path matches to reduce false positives and increase alert accuracy. (splunk/security_content, sublime-security/sublime-rules, elastic/protections-artifacts)
Table Of Contents
panther-labs/panther-analysis (+2, ✎1)
sublime-security/sublime-rules (+5, ✎11)
elastic/detection-rules (+16)
SigmaHQ/sigma (+2, ✎7)
SophosRapidResponse/OSQuery (+3, ✎1)
elastic/protections-artifacts (+21, ✎41)
Yamato-Security/hayabusa-rules (+2, ✎9)
magicsword-io/LOLDrivers (+7, ✎4)
Corporate repositories (11)
anvilogic-forge/armory (+1)
https://github.com/anvilogic-forge/armory
+ New rules
O365 Mailbox Tampering
This rule has been added to detect multiple O365 events indicating potential mailbox tampering. It identifies when a user performs a specific combination of actions suggesting unauthorized access attempts.
splunk/security_content (✎3)
https://github.com/splunk/security_content
✎ Modified rules
Windows SQL Server Configuration Option Hunt
Updated data source to specify Event ID 15457 for more precise monitoring of SQL Server configuration changes, enhancing the detection accuracy.
Windows Process With NetExec Command Line Parameters
Modified the query to exclude Linux OS processes from the detection logic, improving the specificity of detection for Windows environments. This adjustment enhances alert accuracy by reducing false positives related to Linux processes.
Windows Command and Scripting Interpreter Path Traversal Exec
The search query now evaluates only processes that are not running on Linux, which refines the detection of path traversal attempts in Windows environments.
panther-labs/panther-analysis (+2, ✎1)
https://github.com/panther-labs/panther-analysis
+ New rules
AWS GuardDuty Critical Severity Finding
New detection rule added for AWS GuardDuty to identify critical severity findings related to potential credential compromises. The rule specifies the log types, tests, and summary attributes needed to triage these findings effectively.
AWS GuardDuty Critical Severity Findings
This rule has been added to detect AWS GuardDuty findings with a severity score between 9.0 and 10.0, filtering out sample data based on the additionalInfo field.
✎ Modified rules
Microsoft365: External Forwarding Created
Updated detection logic to include checks for suspicious email forwarding configurations, allowing better identification of potentially harmful forwarding practices. Additionally, improved the title function to handle multiple forwarding addresses more gracefully and include suspicious configuration details in alerts.
sublime-security/sublime-rules (+5, ✎11)
https://github.com/sublime-security/sublime-rules
+ New rules
Attachment: EML with Embedded Javascript in SVG File (unsolicited)
This rule detects incoming messages with EML attachments containing embedded SVG files that house malicious JavaScript. It targets specific patterns associated with potential phishing and malware attempts, enhancing alert capabilities for these types of threats.
Recruitee Infrastructure Abuse
A new detection rule has been implemented that identifies inbound messages from Recruitee domains with recruitment-related topics and application links, focusing on sender history and URL analysis.
Google Drive direct download link from unsolicited sender
This rule has been added to detect Google Drive links using a direct download URL pattern, which threat actors often exploit to disseminate malware. It utilizes multiple conditions to validate the sender and the structure of the URLs.
Impersonation: SharePoint Reply Header Anomaly
This rule was added to detect messages with SharePoint reply headers lacking standard reply characteristics, focusing on inconsistencies in thread elements and recipient patterns.
Brand Impersonation: Booking.com
This rule has been added to detect messages falsely claiming to be from Booking.com's support team, focusing on suspicious credential collection patterns and sender verification through DMARC authentication checks.
✎ Modified rules
Attachment: Embedded Javascript in SVG file (unsolicited)
The detection logic was enhanced by refining the conditions for identifying embedded JavaScript in SVG files, particularly improving the regex and file analysis mechanisms to catch more nuanced threats.
Fake voicemail notification (untrusted sender)
The detection logic was enhanced by adding a constraint on the attachment count, specifying a maximum of 8 distinct attachments. Additionally, the regex patterns used for matching voicemail-related keywords were made more precise. Specific regex expressions were adjusted to include the necessary boundaries, improving detection accuracy for phishing attempts involving voicemail messages.
Credential Phishing: Suspicious E-sign Agreement Document Notification
Added two new regex patterns for detecting additional suspicious document sharing phrases. Enhanced the logic for analyzing HTML content by including checks for high counts of mailto links and empty HTML elements. Minor adjustments to formatting in the condition for detecting legitimate documents.
Salesforce Infrastructure Abuse
The detection logic for credential theft related to Salesforce has been updated to include additional conditions and thresholds, enhancing specificity by incorporating subject match patterns and refining URL checks. Several new subject patterns were added to strengthen detection capabilities against phishing attempts.
Link to auto-download of a suspicious file type (unsolicited)
Enhanced detection logic by clearly defining the conditions for identifying direct Google Drive downloads alongside existing file types in the source. An additional comment was added for clarity on detecting suspicious links that utilize Google Drive for downloading archived files.
COVID-19 themed fraud with sender and reply-to mismatch or compensation award
The rule name was modified to include 'or compensation award'. The description was updated to emphasize detection of compensation or award-related language, enhancing the rule's clarity. Several regex adjustments were made for improved pattern matching in email content.
Brand Impersonation: QuickBooks Notification From Intuit Themed Company Name
Removed the condition checking if the subject contains 'Quickbooks' or 'Intuit', which may decrease false positives. Updated regex patterns for better matching of company names in the HTML body.
PayPal Invoice Abuse
Added a new detection condition to capture fraudulent messages containing 'Address Updated:' in the email body, enhancing detection of relevant phishing attempts.
Brand impersonation: Twitter
The detection logic was enhanced by restructuring the boolean conditions within the source. The check for the 'cred_theft' intent from multiple sources was clarified and consolidated for improved readability and functionality.
Suspicious invoice reference with missing or image-only attachments
The rule now wraps the exclusion logic for warning banners in additional parentheses for clarity and correctness, ensuring that false positives related to attachments are minimized.
Link: Multistage Landing - Abused Adobe frame.io
Updated the logic to limit the detection scope to only messages with the word 'shared' in the subject line, enhancing specificity in identifying relevant phishing attempts.
elastic/detection-rules (+16)
https://github.com/elastic/detection-rules
+ New rules
WDAC Policy File by an Unusual Process
This rule has been newly implemented to detect the creation of a Windows Defender Application Control (WDAC) policy file by unusual processes, addressing potential malicious use of crafted policies to restrict security functionality.
Decline in host-based traffic
This rule was added to identify sudden drops in host-based traffic using machine learning, which may indicate security issues such as compromise, service failure, or misconfiguration. The rule includes comprehensive guidelines for setup and response to potential alerts.
Potential Denial of Azure OpenAI ML Service
This rule was created to detect Denial-of-Service (DoS) attacks on machine learning models by analyzing patterns indicative of high volume and frequency of requests that could cause performance degradation or service disruption. Key metrics include the count of requests and their average size over a specified time window.
Unusual Process Spawned from Web Server Parent
This rule has been added to detect unusual processes spawned from web server parent processes based on low frequency counts of process spawning activity. It aims to identify potential persistence, command execution, or command and control activities.
Potential Azure OpenAI Model Theft
This rule was created to monitor for suspicious activities indicative of theft or unauthorized duplication of machine learning models through unauthorized API calls and unusual access patterns.
Unusual Command Execution from Web Server Parent
This rule was added to detect unusual command execution from web server parent processes on Linux hosts, identifying potential web shell attacks that could indicate compromised systems. The rule utilizes ESQL with a defined query structure to filter relevant events from the Elastic Defend integration.
Uncommon Destination Port Connection by Web Server
This rule has been added to identify unusual destination port network activity from a web server process, detecting potential web shell activity or unauthorized communication.
Potential Port Scanning Activity from Compromised Host
This new rule detects potential port scanning activity from a compromised host by monitoring network connection attempts to a large number of ports within a short time frame, using Elastic Security's ESQL language.
Docker Socket Enumeration
This rule has been added to detect potential Docker socket enumeration activities by monitoring specific process interactions with the Docker socket file.
Azure OpenAI Insecure Output Handling
New rule added to detect Azure OpenAI requests that result in zero response length, which may indicate potential security issues. The rule includes specific conditions for triggering alerts based on response integrity and API behavior.
Spike in host-based traffic
This detection rule utilizes a machine learning job to monitor for spikes in host-based traffic, which may indicate various security issues including DDoS attacks or data exfiltration. It incorporates an anomaly threshold of 75 and includes comprehensive setup instructions for integration with Elastic Defend.
Potential Subnet Scanning Activity from Compromised Host
This rule was added to detect potential subnet scanning activity from compromised hosts by monitoring network connections. It identifies a high volume of connection attempts to numerous hosts initiated by a single agent in a short timeframe, meeting the criteria for significant reconnaissance behavior.
Potential Cross Site Scripting (XSS)
This rule has been added to detect potential Cross-Site Scripting (XSS) attacks by identifying malicious scripts injected into trusted websites. It includes specific conditions for monitoring transaction processor names and script patterns in URL fragments.
Python Site or User Customize File Creation
This rule was introduced to detect the creation and modification of sitecustomize.py and usercustomize.py files, which can be exploited by attackers for persistence. It monitors various locations for unauthorized changes that may indicate backdooring attempts.
Python Path File (pth) Creation
This is a new rule that detects the creation of .pth files in Python package directories, which can indicate unauthorized persistence activities. The rule includes specific details about file paths, actions to monitor, and a robust query to identify potential threats.
Successful SSH Authentication from Unusual User
This rule has been added to detect successful SSH authentications by users who have not logged in within the last 10 days, indicating potential unauthorized access attempts. The rule employs the new_terms rule type and includes a history window for evaluation.
SigmaHQ/sigma (+2, ✎7)
https://github.com/SigmaHQ/sigma
+ New rules
HTTP Request to Low Reputation TLD or Suspicious File Extension
A new rule was introduced to detect HTTP requests targeting low reputation TLDs or using suspicious file extensions, enhancing detection of potential malicious activities.
Notepad Password Files Discovery
This rule was added to detect the execution of Notepad to open files containing the string 'password', which may indicate unauthorized access to credentials.
✎ Modified rules
Remote Access Tool - Anydesk Execution From Suspicious Folder
Updated detection logic by adding a new file extension to the 'Image|endswith' condition for AnyDesk execution. Additionally, the modified date was updated to reflect recent changes and a new reference was added to the metadata.
Malicious PowerShell Scripts - FileCreation
Updated the list of references by adding a new link to a known malicious PowerShell script for credential harvesting. Also included a new detection entry for the script within the PowerShell script detection logic, enhancing detection capabilities for related threats.
Anydesk Remote Access Software Service Installation
Updated detection logic to enhance accuracy by modifying the selection conditions to check for both ServiceName and ImagePath containing 'AnyDesk'. Metadata updated to include new authors and the modification date.
Suspicious Binary Writes Via AnyDesk
Updated detection logic to include both 'AnyDesk.exe' and 'AnyDeskMSI.exe' in the selection criteria. Added reference URL and updated the modification date.
Remote Access Tool - AnyDesk Execution
The rule was updated to include an additional file name 'AnyDeskMSI.exe' in the detection selection and added a new reference URL for further context. Additionally, the modified date was updated to reflect the latest changes.
Remote Access Tool - AnyDesk Incoming Connection
The detection rule was updated to include an additional image condition, now detecting both 'AnyDesk.exe' and 'AnyDeskMSI.exe'. Additionally, the modification date was updated for accuracy in rule versioning.
Nslookup PowerShell Download Cradle
Updated the modified date to 2025-02-25 and added condition to the detection logic that checks for '-type=txt http' in the payloads extracted from DNS records.
SophosRapidResponse/OSQuery (+3, ✎1)
https://github.com/SophosRapidResponse/OSQuery
+ New rules
Investigating Creds_4h (T1003.002) events
This is a new detection rule that captures instances of the use of the Impacket tool SecretsDump to extract credentials from remote hosts.
Internet Explorer browser extensions installed
This rule detects all Internet Explorer browser extensions installed on the host by querying the relevant database tables and joining necessary user data.
Firefox browser extensions installed
This rule was added to detect and list all Firefox extensions and add-ons installed on the host, capturing relevant details such as name, type, version, and active state.
✎ Modified rules
Autostart Execution
The query logic has been refined to standardize the usage of 'NULL' for missing values and to improve clarity. Specifically, all data sources now use a consistent naming convention with lowercase and a streamlined construction of fields for better readability.
chainguard-dev/osquery-defense-kit (✎14)
https://github.com/chainguard-dev/osquery-defense-kit
✎ Modified rules
Unexpected UID 0 Daemon Detection
Added additional checks for the presence of 'dovecot', 'glances', and 'ncdu' processes running as root to enhance the detection coverage for potential malicious activities.
Find unexpected hidden directories in operating-system folders
Updated exclusion paths by adding new entries for '.netrwhist', '.vim', and '.viminfo', while also ensuring '.ydotool_socket' is conditionally excluded in multiple instances to refine detection logic.
Catch programs that failed to run due to a launch constraint violation
Updated the condition to exclude additional command lines from triggering the alert, improving specificity in detection.
Touched Executables Detection on macOS
Added 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)' to the list of exception signatures to reduce false positives.
Suspicious parenting of fetch tools (state-based)
An exception for the fetch tool 'emacs' has been added to the detection logic, which may affect the rule's alerting behavior regarding processes that typically invoke fetch tools.
High Disk Bytes Written
Updated the exclusion list of processes that should not trigger alerts by adding '/usr/libexec/rtcreportingd' to the existing conditions.
Unexpected programs communicating over non-HTTPS protocols
The rule now includes 'librewolf' in its exception handling, allowing for a broader coverage of potential threats by excluding this application over specified network conditions and adding 'mbsync' to the monitored processes.
Unexpected programs communicating over HTTPS (state-based)
The rule was updated to improve its detection logic by adding exceptions for processes like 'packagekit-dnf-refresh-repo' and restoring exceptions for 'git' and 'argo'. Removing previously listed exceptions for 'librewolf' and 'zig' allows a more precise filtering of process communications.
Unusual Executable Name Detection for macOS
Added a condition to exclude process names that end with '.test' to enhance detection precision by avoiding false positives.
Unexpected long-running processes running as root
Updated the rule to include an additional developer ID for Slack Technologies (SLACK TECHNOLOGIES L.L.C.) to reduce false positives.
Unexpected programs communicating over HTTPS (state-based)
Added '500,cmd,cmd,500u,20g' to the alt_exception_key list, broadening the exceptions for processes considered benign, which may enhance alert accuracy by reducing false positives.
Unexpected programs listening on a TCP port
Added exceptions for the program 'OrbStack Helper' to the list of allowed TCP ports, enhancing specificity in detection logic.
YARA Exec Connect Process Linux
Modified the rule to exclude 'git-remote-htp' as a valid process name to enhance precision of detection for potentially malicious process connections.
Sketchy Mounted Disk Images
Added 'Developer ID Application: Geocomply USA, Inc. (6YPTSWJK4P)' to the ignored signatures list to enhance detection accuracy for malicious applications.
elastic/protections-artifacts (+21, ✎41)
https://github.com/elastic/protections-artifacts
+ New rules
Hidden Payload Executed via Scheduled Job
This rule detects hidden executables executed through cron and systemd, identifying potential malicious activity aimed at establishing persistence or escalating privileges.
Scheduled Job Executing Binary in Unusual Location
This rule has been added to detect unusual executions of binaries by systemd and cron processes, specifically targeting non-standard locations often used by malware to avoid detection.
Scheduled Task Unusual Command Execution
This rule has been newly created to detect suspicious command executions by system processes like systemd and cron, focusing on potential misuse for persistence or privilege escalation.
Curl to Suspicious Top Level Domain
This rule has been added to detect when Curl makes outbound network connections to suspicious top-level domains. It utilizes a sequence condition involving process execution and network events to ensure only relevant actions trigger an alert.
Pbpaste Execution via Unusual Parent
This rule detects execution of the Pbpaste binary by unusual parent processes such as Node or Python, aimed at identifying potential clipboard data theft linked to the OtterCookie malware. The rule includes actions to kill suspicious processes and references MITRE ATT&CK techniques and tactics for enhanced threat coverage.
Suspicious Curl File Download from Raw IP
This rule was created to detect outbound network connections made by Curl to raw IP addresses for downloading potentially harmful scripts or binaries. It combines network events and file modification conditions to identify suspicious activity involving Curl.
Crypto Wallet or Web Browser File Access via Nodejs
This rule has been newly created to detect when Node accesses crypto wallet or web browser files on macOS systems, targeting sensitive file paths associated with various wallet applications and cookies.
User Keychain Access in Unusual Location
This rule has been added to detect when the user keychain database is accessed outside its standard location, which may indicate malicious activity. The rule includes specific actions to kill the process associated with unauthorized access attempts.
Suspicious Curl to OAST Domain
A new detection rule has been introduced to identify outbound network connections made by curl to .oast domains, enhancing the ability to detect potential data exfiltration activities by threat actors.
Tccutil Reset via Suspicious Binary
This rule detects the use of 'tccutil' to reset TCC database decisions by monitoring specific process executions, with actions defined to kill the suspicious process.
Unusual Launch Service Creation via Unsigned or Untrusted Binary
This rule has been newly added to detect when an unsigned or untrusted binary creates a launch service with specific conditions, notably missing program arguments. The rule aims to enhance detection capabilities regarding persistence mechanisms used by modern threats.
Memory Allocation from a High Entropy Module
This rule identifies code injection attempts by monitoring the loading of signed DLLs followed by the VirtualAlloc API call. It features a sequence query detecting specific file and API behaviors indicative of potential threats.
Shellcode API behavior from a signed module
This rule identifies shellcode API behavior from a signed module, indicating potential code injection attempts exploiting valid code signing certificates. The rule includes various conditions for detecting suspicious API actions associated with reflective code loading and defense evasion tactics.
Shellcode behavior from suspicious RWX provenance
This rule identifies suspicious API calls involving shellcode allocation from unbacked RWX memory, indicating potential code injection attempts. It utilizes a comprehensive query to analyze various process and thread attributes related to shellcode execution.
System Module Unhooking via ROP Gadgets
New rule added to detect hollowing of system critical images via ROP gadgets, potentially indicating evasion of endpoint security.
MSI Rollback Script File by Unusual Process
This rule identifies the creation or modification of a Windows Installer rollback script by unusual processes, helping detect potential privilege escalation attempts. It leverages specific file activity patterns related to rbs files in the Windows environment.
Python Outbound Network Connection over FTP
This rule has been added to detect Python processes establishing outbound FTP connections. It includes a sequence query monitoring process execution with network connection attributes.
Suspicious Network Connection to Gmail via Nodejs
This rule identifies outbound network connections initiated by the Node binary to Gmail's SMTP servers, aiming to detect potential data exfiltration via malicious NPM packages.
Suspicious User Keychain Access via Nodejs
This rule detects access to the user Keychain database by the Node process followed by network connections to raw IP addresses, providing a sequence detection capability with specified conditions.
File Hidden via SetFile
This rule was newly created to detect the use of SetFile to modify file attributes on macOS, aiming to identify the evasion of visibility by malware. It includes a specific query targeting processes invoking SetFile with the intended arguments, alongside associated MITRE ATT&CK techniques for better context.
Potential PDF Adware Behavior
This rule identifies the download or execution of files associated with PDF Adware patterns using specific file creation and process start events.
✎ Modified rules
Timestomping Detected via Touch
Updated version from 1.0.7 to 1.0.8 and expanded detection conditions to include additional patterns in arguments for the 'touch' command, specifically including '/var/tmp/portage*'.
Suspicious Execution from Foomatic-rip or Cupsd Parent
Updated version from 1.0.4 to 1.0.5. Modified the query to include additional exclusion condition for process.parent.command_line to improve detection accuracy.
Potential Reverse Shell via Named Pipe
Updated version from 1.0.9 to 1.0.10. Added condition to the query to track processes with name 'node' invoking a specific pattern in args, and included an additional exclusion for 'language_server_linux_x64'.
Suspicious Named Pipe Creation
Updated version to 1.0.8 and modified the query to include an additional exclusion condition for '/var/tmp/portage/*'.
Socat Reverse Shell or Listener Activity
Updated the detection logic by replacing 'process.args' with 'process.command_line' for condition checks, enhancing accuracy in detecting potentially malicious usage of the socat command. The version has also been updated from 1.0.5 to 1.0.6.
Hexadecimal Payload Execution
Updated to version 1.0.12. Added '/usr/bin/xdg-email' to the list of executable patterns to enhance detection precision and included '/opt/multiscan/tools/testssl.sh/testssl.sh' in the arguments check for greater threat coverage.
Linux Powershell Egress Network Connection
Updated the version from 1.0.7 to 1.0.8. Added new conditions to the PowerShell command execution detection logic, specifically allowing detection of commands related to GitHub authentication and Azure CLI usage.
Potential Data Exfiltration Through Curl
Updated the version from 1.0.5 to 1.0.6 and refined the query by adding a condition to exclude process command lines that contain 'api.telegram.org'.
Egress Network Connection from Deleted Executable
The version was updated from 1.0.3 to 1.0.4. The query logic was enhanced by including the '/usr/local/bin/*' directory in process executable checks and adding '/usr/lib64/firefox/firefox' and '/usr/sbin/rhcd' to the process name conditions.
Network Connection through Shell Profile
Updated version number from 1.0.11 to 1.0.12 and added exclusion for process executable patterns in the detection logic.
Unusual Command Executed by Web Server
Updated to version 1.0.13 and added a new condition to detect the execution of 'ssh-keygen' command for potentially illicit key exposure.
Crypto Wallet File Access via CommandLine
Updated the version to 1.0.5 and modified the query to enhance detection logic by expanding the file paths being monitored for suspicious activity and correcting existing path references.
Crypto Wallet File Access by Unsigned or Untrusted Binary
Updated the version from 1.0.12 to 1.0.13 and modified the query to expand file path patterns for improved detection of crypto wallet access, enhancing accuracy and coverage.
User Keychain DB Access by Self-Signed Binary
Updated version from 1.0.9 to 1.0.10. Added additional exclusion pattern for 'MicrosoftSqlToolsServiceLayer-*' to the query for more precise filtering of legitimate processes.
Suspicious File Attribute Clearing
Updated query logic to improve detection accuracy by changing the process parent executable condition from an equality check to a like~ check. Also updated the version number from 1.0.5 to 1.0.6.
Dylib Injection via Process Environment Variables
The version was updated from 1.0.36 to 1.0.37 and the query condition for effective parent executable has been modified from an equality check to a like condition, improving the detection logic for parent processes.
Keystrokes Input Capture from Suspicious CallStack
Updated version from 1.0.14 to 1.0.15, modified the executable exclusion list to include additional software, enhancing detection capabilities against keylogging threats.
Unsigned or Untrusted Process Execution via Installer
Updated version number from 1.0.3 to 1.0.4. Enhanced the query logic to use a regex for matching the effective parent executable instead of a strict equality. Also updated the minimum endpoint version from 8.8.0 to 8.11.0.
Access to Browser Credentials from Suspicious Memory
Updated detection logic to refine the query for access attempts by including additional conditions related to call stack summaries and adding new exclusions for processes and their signatures. The version has been incremented to 1.0.36 and the reference links have been slightly changed.
DLL Control Panel Items Registry Modification
Updated version number from 1.0.23 to 1.0.24 and added a condition to exclude certain registry strings, enhancing the detection logic.
Failed Access Attempt to Web Browser Files
The rule version has been updated from 1.0.31 to 1.0.32. The query now includes additional conditions for excluding certain process signatures and enhanced criteria for analyzing the call stack, which increases the precision of detecting unauthorized access attempts to browser credential stores.
Network Module Loaded from Suspicious Unbacked Memory
Updated the version number from 1.0.46 to 1.0.47 and added new byte patterns to the detection logic to enhance detection capabilities.
Potential Library Load via ROP Gadgets
Updated the version from 1.0.22 to 1.0.23. Enhanced detection logic by adding additional symbols to the existing list for improved accuracy in detecting potential library loads via ROP gadgets.
Microsoft Common Language Runtime Loaded from Suspicious Memory
Updated version to 1.0.25 and modified the query to include additional exclusions for ManageEngine executables and SqlServerExtension.Service.exe, reducing false positives from those products while keeping coverage of potentially malicious CLR loads.
Remote Process Memory Write by Low Reputation Module
Updated the version from 1.0.1 to 1.0.2 and added several new SHA256 hashes to the exclusion list for final user modules. This enhances the rule's ability to filter out known good processes, improving detection accuracy.
Suspicious Memory Protection Change via VirtualProtect
Updated version from 1.0.4 to 1.0.5 and added additional hashes to the query conditions, enhancing the detection capabilities for process injections.
URL as Process Argument via Installer Package
Updated the version from 1.0.4 to 1.0.5 and broadened the match on the effective parent executable by replacing the equality check with a case-insensitive wildcard (like~) match.
Suspicious Memory Write to a Remote Process
Updated version to 1.0.23 and added new conditions to the query to enhance detection accuracy. Introduced new exclusions related to specific process executions and expanded whitelist for trusted processes.
Suspicious Memory Page Protection
Updated the rule version from 1.0.1 to 1.0.2, refined the query logic by modifying a condition to improve detection accuracy, and corrected formatting in the EQL query.
Unbacked Shellcode from Unsigned Module
Updated the version number from 1.0.4 to 1.0.5. Added an additional hash to the detection query for increased coverage against potential threats.
Web Browser Credential Access via Unusual Process
Updated the query to enforce stricter conditions on process.executable and added additional trusted code signatures. The minimum endpoint version was also raised from 8.1.0 to 8.7.0, so the updated rule only applies on endpoints that support the new conditions.
Execution via Obfuscated PowerShell Script
Updated the version number to 1.0.3 and added a condition that excludes one specific, known command-line pattern which would otherwise match the obfuscation heuristics.
Process Creation from an Unusual WMI Client
Updated version from 1.0.2 to 1.0.3, expanded the list of trusted code signatures and modified exclusion conditions in the detection logic to improve detection of unusual process creation scenarios.
Potential Windows Script Evasion via Sleep
Updated the rule version from 1.0.3 to 1.0.4 and added exclusion for the Imprivata OneSign Agent executable to enhance detection accuracy.
Suspicious PowerShell Base64 Decoding
Updated the rule to version 1.0.3, with additional exclusions added to the detection logic, specifically for 'C:\Program Files (x86)\CentraStage\CagService.exe' and further paths in 'D:\Octopus*' and 'F:\Clean-*'.
Suspicious PowerShell Execution
Updated the version number to 1.0.42 and expanded the command-line exclusions to include additional patterns and specific command-line conditions.
Potential Privilege Escalation via Token Impersonation
Updated version to 1.0.31. Added additional check for 'Remote Utilities LLC' and 'Bayside Computer Systems Inc' in the code signature validation logic, enhancing detection capabilities.
Unsigned File Execution via Network Logon
Updated version from 1.0.20 to 1.0.21, added additional hashes to the query for enhanced detection of potentially malicious unsigned files executed via network logon.
Privilege Escalation via SeImpersonatePrivilege
Updated the version from 1.0.15 to 1.0.16. Added a condition to the existing logic to check if the process code signature subject name is in a specified list and if it is trusted, enhancing the detection logic for privilege escalation attempts.
Privilege Escalation via EXTENDED STARTUPINFO
Updated the version from 1.0.36 to 1.0.37. Added additional exclusions for process parent executable conditions to enhance detection fidelity, including additions for 'PURSLANE', 'Remote Utilities LLC', and 'ZOHO Corporation Private Limited'.
Suspicious Impersonation as Trusted Installer
Updated the rule version from 1.0.28 to 1.0.29 and refined the query by adding an exclusion for event actions with specific values, as well as enhancing the conditions related to process signatures for improved detection logic.
Yamato-Security/hayabusa-rules (+2, ✎9)
https://github.com/Yamato-Security/hayabusa-rules
+ New rules
Notepad Password Files Discovery
This rule has been added to detect the execution of Notepad when opening files that contain the string 'password', indicating potential unauthorized access to credentials.
Notepad Password Files Discovery
This rule has been added to detect unauthorized access to credentials by monitoring the execution of Notepad with certain file types containing the string 'password'.
✎ Modified rules
Nslookup PowerShell Download Cradle
Updated the modified date and added a new detection logic for '-type=txt http' to the existing PowerShell cradle detection rule.
Malicious PowerShell Scripts - PoshModule
Updated references to include an additional malicious PowerShell script 'Veeam-Get-Creds.ps1' in both the references and detection sections. The modification date was also changed to reflect the latest update.
Remote Access Tool - AnyDesk Incoming Connection
The detection rule was updated to include an additional application selection for AnyDeskMSI.exe, enhancing its coverage for incoming connections to remote access tools. The modified date metadata was also updated accordingly.
Remote Access Tool - AnyDesk Execution
The rule was updated to include an additional process name 'AnyDeskMSI.exe' in the detection logic. The last modified date was also changed to reflect a newer date, and a new reference was added.
Remote Access Tool - Anydesk Execution From Suspicious Folder
Updated detection logic to include AnyDeskMSI.exe in addition to AnyDesk.exe as part of the NewProcessName detection criteria. The last modified date was updated to reflect recent changes and an additional reference URL was added for further context.
Anydesk Remote Access Software Service Installation
Updated detection logic by refining conditions and separating service selection criteria, improving specificity for AnyDesk installations. Additionally, metadata was modified to include a co-author and an updated modification date.
Remote Access Tool - AnyDesk Incoming Connection
Updated the selection criteria to include both AnyDesk and AnyDeskMSI executable names, enhancing detection accuracy for incoming connections while maintaining the original condition.
Remote Access Tool - AnyDesk Execution
Updated the detection logic to add support for AnyDeskMSI.exe in the selection criteria and included an additional reference link to the DFIR report on LockBit ransomware.
Remote Access Tool - Anydesk Execution From Suspicious Folder
The detection rule's selection criteria were enhanced to include AnyDeskMSI.exe alongside AnyDesk.exe. The modification date was updated to reflect recent changes. Additionally, a new reference link was added to enhance the contextual understanding of the rule.
magicsword-io/LOLDrivers (+7, ✎4)
https://github.com/magicsword-io/LOLDrivers
+ New rules
MAL_Driver_Crowdstrikeinc_Csagentsys_Crowdstrikefalconsensor_94B8
New rule added to detect the malicious driver idmtdi.sys using VersionInfo values from the PE header with specific conditions and strings. As with the other LOLDrivers rules, the rule name is built from the driver's VersionInfo fields (company, original filename, product name), so the CrowdStrike references in the name reflect the metadata the file carries, not its on-disk name.
MAL_Driver_Windowsrwinddkprovider_Netfiltersys_Windowsrwinddkdriver_2060
New rule added to detect malicious driver driver_206006a1.sys using VersionInfo values with detailed metadata and string checks.
MAL_Driver_Pinchinstechnologycoltd_Rwtkrlsys_Ransomwareterminator_1A74
New rule added to detect malicious driver driver_1a74c2bd.sys using VersionInfo values with detailed metadata and string checks.
MAL_Driver_Pinchinstechnologycoltd_Rwtkrlsys_Ransomwareterminator_930D
New rule added to detect malicious driver driver_930da474.sys using VersionInfo values with detailed metadata and string checks.
MAL_Driver_Pinchinstechnologycoltd_Rwtkrlsys_Ransomwareterminator_146B
New rule added to detect malicious driver driver_146b8f4f.sys using VersionInfo values with detailed metadata and string checks.
PUA_VULN_Driver_Microsoftcorporation_Afdsys_Microsoftwindowsoperatingsystem_EBF6
New detection rule added to detect vulnerable driver Afd.sys based on VersionInfo values.
PUA_VULN_Renamed_Driver_Microsoftcorporation_Afdsys_Microsoftwindowsoperatingsystem_EBF6
New rule created to detect the renamed vulnerable driver Afd.sys with its associated metadata and detection logic.
✎ Modified rules
Multiple rules were updated to add new hashes and remove old ones, keeping their hash lists aligned with the current driver set: Malicious Driver Load, Malicious Driver Load Despite HVCI, Vulnerable Driver Load, Vulnerable Driver Load Despite HVCI. Because hashes were removed as well as added, anyone merging these lists into their own rules should replace the list rather than append to it.
Personal repositories (1)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
CVE-2025-22224 (CVSS 9.3 CRITICAL) Internet facing VMware server discovery
This rule has been added to find internet-facing VMware systems exposed to the ongoing attacks on CVE-2025-22224. It identifies devices with public IP addresses that ran the 'vmtoolsd' process in the last 30 days. Note that vmtoolsd is the VMware Tools daemon inside a guest VM, so this is an exposure-discovery query for guests (the side from which the vulnerability is triggered), not a check of the hypervisor's patch level.
Detecting Zero-Day CVE-2025-21333 Privilege Escalation
This rule has been added to detect privilege escalation attempts related to the zero-day vulnerability CVE-2025-21333. It focuses on instances where a new executable is created and subsequently modified on Hyper-V-enabled endpoints, combined with known-vulnerability data.
CVE-2025-27607 (CVSS 8.8)
New detection rule created to identify the installation of the 'python-json-logger' package, which was exposed to remote code execution through a dependency name that had become claimable by third parties. The rule keys on installation rather than version, so the installed version still needs to be checked to confirm exposure.
Detecting psexecsvc.py
New rule added to detect the execution of PSEXECSVC through file creation events in the ADMIN$ share and service installations related to PSEXECSVC.
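The python-json-logger rule above fires on any installation of the package, which is the right hunting trigger but leaves the analyst to decide whether the installed or requested version actually falls in the affected range. The following example was written for this digest and is not code from the SlimKQL repository: it adds that version-aware step, normalising package names the way pip does and classifying both `pip freeze` output and pip command lines as a process-creation rule would see them. The affected range used (3.2.0 up to but excluding 3.3.0) is an assumption stated in the code; verify it against the current advisory before relying on it.

```python
"""Version-aware triage for the python-json-logger advisory (CVE-2025-27607).

Added example for this digest, not code from the SlimKQL repository. The
digest's rule fires on installation of the package; this adds the next step,
deciding whether the installed or requested version is in the affected range.
ASSUMPTION: affected range is >= 3.2.0 and < 3.3.0. Verify against the
current advisory before relying on it.
"""
import re

PACKAGE = "python-json-logger"
AFFECTED_MIN = (3, 2, 0)  # inclusive (assumed range, see module docstring)
FIXED = (3, 3, 0)         # exclusive

FREEZE_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$")
REQ_TOKEN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:(==|>=|<=|~=|!=|<|>)(.+))?$")
PIP_INSTALL = re.compile(r"\bpip3?(?:\.exe)?\b.*\binstall\b")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: python_json_logger, Python.JSON.Logger and
    python-json-logger all refer to the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Release segment of a PEP 440 version as a tuple of ints padded to three
    places. Pre/post/dev suffixes are ignored, which is fine for a final-release
    range comparison but would treat 3.3.0rc1 as 3.3.0."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED


def vulnerable_installs(freeze_text: str) -> list:
    """Scan `pip freeze`-style output; return (name, version) for pins of
    python-json-logger that fall in the affected range."""
    hits = []
    for line in freeze_text.splitlines():
        m = FREEZE_LINE.match(line.strip())
        if m and normalize_name(m.group(1)) == PACKAGE and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def classify_pip_command(cmdline: str) -> str:
    """Triage a process command line the way an install-detection rule sees it.
    Returns 'affected', 'not_affected', 'unknown_version' (no exact pin, so the
    resolver decides and the command line alone cannot tell) or 'other'
    (not a pip install of this package)."""
    if not PIP_INSTALL.search(cmdline):
        return "other"
    for token in cmdline.split():
        m = REQ_TOKEN.match(token.strip("\"'"))
        if not m or normalize_name(m.group(1)) != PACKAGE:
            continue
        if m.group(2) != "==":
            return "unknown_version"
        return "affected" if is_affected(m.group(3)) else "not_affected"
    return "other"


# Constructed inputs (not taken from real hosts).
SAMPLE_FREEZE = """\
certifi==2024.8.30
python-json-logger==3.2.1
Python_JSON_Logger==3.3.0
requests==2.32.3
"""
SAMPLE_COMMANDS = [
    "pip install python-json-logger==3.2.0",
    "pip3 install python-json-logger",
    'pip install "python-json-logger>=3.2"',
    "python -m pip install python_json_logger==3.3.0",
    "pip install requests==2.32.3",
]

if __name__ == "__main__":
    print("affected pins:", vulnerable_installs(SAMPLE_FREEZE))
    for cmd in SAMPLE_COMMANDS:
        print(f"{classify_pip_command(cmd):16} {cmd}")
```

The 'unknown_version' outcome is the practical caveat: an unpinned `pip install python-json-logger` seen in process telemetry is neither safe nor confirmed exposed, because the resolver picked the version at install time, so the host's installed package list (the `vulnerable_installs` path) is what settles it.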
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by an OpenAI LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.