Detections Digest #20250324
Issue covers detection rule updates from 8 of 40+ GitHub repositories between Mar 17 and Mar 24, 2025, highlighting 77 new rules and 97 updated ones.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Mar 17 and Mar 24, 2025, contributors added 77 new rules and updated 97 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
TLDR
WolfsBane and wmRAT backdoor detection — New YARA rules added to detect Linux and Windows backdoors, including WolfsBane and wmRAT, focusing on embedded libraries, C2 communications, and file manipulations (reversinglabs/reversinglabs-yara-rules).
Open redirect and phishing detection — Multiple new rules have been added for detecting phishing attempts via open redirects in domains like cm[.]labcluster[.]com and tkqlhce[.]com. These rules analyze URL patterns and sender domains (sublime-security/sublime-rules).
AWS S3 object deletion detection — New Panther rules were created to detect AWS CloudTrail 'DeleteObject' events and unauthorized S3 data deletion, improving monitoring of potentially harmful actions (panther-labs/panther-analysis).
Linux process and file anomaly detection — Osquery rules updated to enhance detection of unexpected processes, large data writes, and environment variable anomalies. Adjustments include process exclusions and monitoring of shared memory (chainguard-dev/osquery-defense-kit).
Machine learning for privilege access detection — Elastic added several machine learning rules to detect anomalies in Okta and Windows environments, such as unusual IPs and high command line entropy, emphasizing potential privilege escalation or access misuse (elastic/detection-rules).
Misconfigured EXO transport rules and shortcut exploit detection — New KQL rules were introduced to identify misconfigured Exchange Online Transport rules and suspicious creation of ShellLink files, improving detection of abnormal email deliveries and command exploits (SlimKQL/Hunting-Queries-Detection-Rules).
YARA rule enhancements for suspicious payloads — Updates in YARA rules to detect suspicious JS payloads and reverse shell scripts in SVG files. Changes include metadata updates, new string patterns, and enhanced detection conditions (Neo23x0/signature-base).
Detection rule optimizations for AWS — Refinements across Splunk's AWS detection rules include field renaming, source focus updates, and aggregation adjustments, intended to improve clarity and accuracy in detecting unauthorized actions and privilege escalations (splunk/security_content).
Enhanced investigation guidance in detection rules — Comprehensive updates across Elastic detection rules, adding detailed notes for investigation steps, false positives, and response actions, ensuring operational effectiveness in addressing various threats (elastic/detection-rules).
Table Of Contents
sublime-security/sublime-rules (+14, ✎10)
splunk/security_content (✎58)
panther-labs/panther-analysis (+10, ✎7)
elastic/detection-rules (+44, ✎1)
Corporate repositories (6)
reversinglabs/reversinglabs-yara-rules (+2)
https://github.com/reversinglabs/reversinglabs-yara-rules/
+ New rules
Two new YARA rules were added to detect backdoor threats. The Linux rule identifies WolfsBane using embedded libraries and removal conditions to improve detection accuracy, while the Windows rule targets wmRAT by matching specific strings that check for command-and-control actions and file changes (Linux_Backdoor_WolfsBane, Win64_Backdoor_wmRAT).
sublime-security/sublime-rules (+14, ✎10)
https://github.com/sublime-security/sublime-rules
+ New rules
A new detection rule checks for a Windows library file (.library-ms) with a network path that can cause NTLM hash leakage. It inspects both direct file attachments and those within archives (Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability).
Multiple rules now target open redirect attacks used in phishing. They inspect URL patterns, sender domains, and URL-encoded variations across several domains including Shibboleth SSO, labcluster[.]com, tkqlhce[.]com, smore[.]com, Bitrix24, adnxs[.]com, agena-smile[.]com, buildingengines[.]com, amaterasu-for-website-5[.]com, eaoko[.]org, obunsha[.]co.jp, and shoppermeet[.]net (Open Redirect: Shibboleth SSO Logout Return Parameter, Open Redirect: labcluster.com, Open Redirect: tkqlhce.com, Open Redirect: smore.com, Open Redirect: Bitrix24 URL Path, Open Redirect: adnxs.com, Open Redirect: agena-smile.com, Open Redirect: buildingengines.com, Open Redirect: amaterasu-for-website-5.com, Open Redirect: eaoko.org, Open Redirect: obunsha.co.jp, Open Redirect: shoppermeet.net).
A new rule detects fraudulent messages impersonating SendGrid. It checks display names and domains against known security themes to spot fake SendGrid messages (Brand Impersonation: SendGrid).
✎ Modified rules
The detection rules "Open Redirect: Cartoon Network" and "Open Redirect: Samsung" were refined to improve detection accuracy. Changes include clearer subdomain checks, domain references, URL analysis, and sender analysis with specific conditions for redirection domains and query parameters. (Open Redirect: Cartoon Network, Open Redirect: Samsung)
Updates to rule logic were made to improve recognition of brand impersonation and human resources spoofing, enhancing detection capabilities through refined regex checks and additions like natural language understanding conditions for sender display names. There were also corrections such as references from 'profile.by_sender()' to 'profile.by_sender_email()'. (Brand impersonation: Google Drive fake file share, Impersonation: Human Resources)
The "Credential phishing: Engaging language and other indicators" rule saw improvements in regex patterns and added sender display names to boost detection of suspicious login attempts and improve specificity for credential phishing attacks. The update also included criteria for email greetings aligned with recipient email parts. (Credential phishing: Engaging language)
Adjustments in rule logic for "Attachment: QR code with credential phishing indicators" increased the coverage for malicious attachments. This involved expanded filename checks and finer specifications on QR code patterns. (Attachment: QR code)
The "Inbound Message from Popular Service" rule changed its sender domain source check mechanism from $majestic_million to $tranco_50k and refined logic associated with Sender Rewrite Scheme handling. This included improvements to conditions concerning return path headers and SPF designators. (Inbound Message from Popular Service)
Improved regex logic was applied to the "Callback phishing via Intuit service abuse" rule to better capture variations of the 'payment' keyword related to fraudulent email identification. (Callback phishing via Intuit)
The "Suspicious Attachment: Duplicate decoy PDF files" rule now requires that every PDF attachment be free of URLs or links, rather than accepting any attachment, which tightens the conditions for identifying decoy PDFs. (Suspicious Attachment: Duplicate PDF files)
chainguard-dev/osquery-defense-kit (✎13)
https://github.com/chainguard-dev/osquery-defense-kit
✎ Modified rules
The rule "Unexpected programs communicating over HTTPS (state-based)" now checks for the 'codebook-lsp' process to spot potential command and control actions using HTTPS. In addition, exceptions were made for 'wolfi-vm' and 'main' while removing 'Keybase' to refine detection (Unexpected programs communicating over HTTPS (state-based)).
The rule for detecting programs writing an unusually large amount of data was updated to exclude 'lxd' and 'Autodesk Fusion 360' from detections, improving accuracy by reducing false positives. The rule was also updated to raise the bytes_read_rate threshold and broaden tags, while adding exclusions for processes and paths (Programs which are writing an unusually large amount of data).
The chrome extensions rule added exceptions for 'Privacy Badger', 'CSP Evaluator', and improved details for 'Better History', to improve monitoring specificity (Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist).
The '/dev' files rule now includes paths matching '/dev/shm/lsp-catalog-%.lock' to better detect evasive file behaviors (Find unexpected files in /dev).
Exception paths were added to the unexpected device Linux rule, excluding '/dev/nvme-fabrics,character' and '/dev/shm/lsp-catalog-%.shm,regular' (Finds unexpected device names, sometimes used for communication to a rootkit).
The root processes rule added 'lxcfs' and 'lxd' and adjusted 'pcscd' inclusion, while removing 'iotop', adding 'cupsd', and clarifying 'dovecot', to improve monitoring of unauthorized activities (Unexpected long-running processes running as root).
Added exclusions for 'drkonqi-coredump-processor' and 'launcher' in DNS traffic to refine anomaly detection (Catch DNS traffic going to machines other than the host-configured DNS server (event-based)).
The libcurl process monitoring rule excludes 'virt-manager', 'xdg-desktop-por', and 'dnf' to improve process monitoring (Find programs processes which link against libcurl, common among cross-platform malware).
The ld.so.conf files rule now includes '/etc/ld.so.conf.d/llvm19-x86_64.conf' for added file scope (Find unexpected ld.so.conf files).
The launch constraint rule updated SQL with an exclusion for Elastic Endpoint's path, maintaining its detection efficacy (Catch programs that failed to run due to a launch constraint violation, such as a signing issue.).
The macOS environment variable rule added a condition excluding '%/libR.dylib', to enhance specificity (Applications setting environment variables to bypass security protections).
The chmod detection for Linux included mode '0775' with '0755', broadening its detection scope (Things that call chmod to set executable permissions).
Setuid binaries detection rule expanded its monitoring paths to include several new system paths (Find unexpected setuid binaries on disk).
splunk/security_content (✎58)
https://github.com/splunk/security_content
✎ Modified rules
Several AWS detection rules were updated by refining field renaming and removing unnecessary evaluations. These changes aim to improve clarity, simplify statistics aggregation, and enhance query performance. Rules affected include AWS Create Policy Version to Allow All Resources, AWS Credential Access Failed Login, AWS CreateAccessKey, AWS Console Login Failed During MFA Challenge, AWS AMI Attribute Modification for Exfiltration, AWS Credential Access RDS Password Reset, and AWS Credential Access GetPasswordData, among others. These updates keep the logic effective in detecting unauthorized access while making search queries leaner and focusing on distinct data metrics such as 'signature'.
The AWS SAML Update Identity Provider rule received multiple updates to refine the detection logic by adjusting the parameter references and improving the specificity of the monitored parameters. The updates include replacing 'eventName' with 'requestParameters.sAMLProviderArn' for improved accuracy and aligning aggregation metrics with other rules for consistency. (AWS SAML Update Identity Provider)
Updates to several AWS rules focused on streamlining search logic and enhancing clarity by renaming multiple fields, including 'eventName' to 'action' and 'eventSource' to 'dest'. These changes aim to make the detection terms more consistent and ensure clear mappings for fields while focusing on relevant data analytics. The rules like AWS IAM AccessDenied Discovery Events, AWS Successful Console Authentication From Multiple IPs, AWS Successful Single-Factor Authentication, and AWS Defense Evasion Delete CloudTrail received simplifications and improved granularity in stats calculations.
Changes in rules like AWS Exfiltration via EC2 Snapshot and AWS Exfiltration via DataSync Task were aimed at improving the accuracy of data extraction and reporting. These updates involved refining renaming strategies and incorporating additional fields in the statistics aggregation to deliver a better contextual understanding of activities related to data leaks and snapshots sharing. (AWS EC2 Snapshot Shared Externally, AWS Exfiltration via DataSync Task, AWS Exfiltration via EC2 Snapshot)
The rule "AWS Unusual Number of Failed Authentications From IP" was updated to correct variable names in the stats calculation, aiming to improve the detection accuracy of authentication anomalies from distinct IP addresses. The change from 'src_ip' to 'src' ensures clear and consistent recognition of source IPs. Additionally, this update included refining the granularity of data collection. (AWS Unusual Number of Failed Authentications From IP)
Some rules saw improvements in their alert messaging and qualitative reporting, with updates including adjusting the risk-based alert messages to better align with new field naming conventions and ensuring more precise mappings. Examples include the AWS SetDefaultPolicyVersion rule, which saw changes to the RBA message format to reflect more accurate data interpretation. (AWS SetDefaultPolicyVersion)
panther-labs/panther-analysis (+10, ✎7)
https://github.com/panther-labs/panther-analysis
+ New rules
New rules detect excessive access to AWS SSM parameters with decryption enabled. They count parameter accesses and trigger an alert when counts exceed a threshold of 10. (Excessive SSM parameter decryption by [{actor}] in [{account_name}], AWS Decrypt SSM Parameters)
A group of rules monitors S3 deletion events, as reported by AWS CloudTrail. They check for individual and bulk deletes, providing detailed conditions, runbooks, and test cases to track potentially harmful deletions. (aws_s3_delete_object, AWS S3 Delete Objects, AWS S3 Delete Objects Detection, AWS S3 Delete Object Detection)
Two rules were added to flag S3 copy events that use client-side encryption. They check CloudTrail logs for client-side encryption details in copy requests to spot potential unauthorized data access. (AWS S3 Copy Object with Client Side Encryption, AWS S3 Copy Object with Client-Side Encryption)
New rules detect use of AWS Systems Manager for sending commands across multiple EC2 instances. They track the number of targeted instances using caching to spot cases where commands are sent to a large set of machines. (AWS SSM Distributed Command, AWS.SSM.DistributedCommand)
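The count-and-threshold pattern behind the SSM decryption and distributed command rules above, written out as an added example (not panther-analysis code): a Panther-style rule()/title() pair that counts decrypted SSM parameter reads per actor and fires once the count passes the threshold of 10. The CloudTrail field names (eventSource, eventName, requestParameters.withDecryption, userIdentity.arn, recipientAccountId) and the in-memory dict standing in for Panther's cache are assumptions of this example.

```python
"""Threshold rule over CloudTrail SSM decryption events (Panther-style).

Constructed example, not panther-analysis code. Counts GetParameter(s)
calls made with WithDecryption enabled per actor and alerts once the
count exceeds THRESHOLD. A module-level dict stands in for Panther's
shared key/value cache; the CloudTrail field names below are assumed.
"""
from collections import defaultdict
from typing import Dict, List

THRESHOLD = 10  # alert once an actor exceeds this many decrypted reads
DECRYPT_CALLS = {"GetParameter", "GetParameters", "GetParametersByPath"}

# Stand-in for the platform cache (in production this would be a
# TTL'd store shared across rule invocations, not process memory).
_counter: Dict[str, int] = defaultdict(int)


def _is_decrypt_read(event: dict) -> bool:
    """True for SSM parameter reads that asked for plaintext values."""
    if event.get("eventSource") != "ssm.amazonaws.com":
        return False
    if event.get("eventName") not in DECRYPT_CALLS:
        return False
    params = event.get("requestParameters") or {}
    return bool(params.get("withDecryption"))


def _actor_key(event: dict) -> str:
    """Scope the counter per account and per calling identity."""
    identity = event.get("userIdentity") or {}
    return f"{event.get('recipientAccountId', 'unknown')}:{identity.get('arn', 'unknown')}"


def rule(event: dict) -> bool:
    """Increment the per-actor counter; alert once it passes THRESHOLD."""
    if not _is_decrypt_read(event):
        return False
    key = _actor_key(event)
    _counter[key] += 1
    return _counter[key] > THRESHOLD


def title(event: dict) -> str:
    """Alert title in the shape used by the digest entry above."""
    identity = event.get("userIdentity") or {}
    return (f"Excessive SSM parameter decryption by [{identity.get('arn')}] "
            f"in [{event.get('recipientAccountId')}]")


def make_event(actor: str, name: str = "GetParameter", decrypt: bool = True) -> dict:
    """Build a minimal constructed CloudTrail record for local testing."""
    return {
        "eventSource": "ssm.amazonaws.com",
        "eventName": name,
        "requestParameters": {"name": "/app/db/password", "withDecryption": decrypt},
        "userIdentity": {"arn": actor},
        "recipientAccountId": "123456789012",
    }


def replay(events: List[dict]) -> List[int]:
    """Reset the counter, run rule() over a sequence, return alerting indexes."""
    _counter.clear()
    return [i for i, ev in enumerate(events) if rule(ev)]
```

The same counter-in-cache structure, keyed on SSM SendCommand targets instead of decrypt calls, is how a distributed-command threshold would be expressed.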
✎ Modified rules
The Azure Role Changed PIM rule in both Python and YAML formats was updated. A unique row ID is used for every event to be treated separately, improving the alert mechanism. Deduplication logic was revised by adjusting the DedupPeriodMinutes to 5 and adding a p_row_id field for better event correlation. (Azure Role Changed PIM, Azure Role Changed PIM)
The Snowflake query rules have been revised. The 'snowflake_stream_file_downloaded' rule improved regex patterns for path and stage extraction, converting 'stage' to lowercase for consistency. 'Snowflake Table Copied Into Stage' has a more detailed query test for specific data destinations, while Snowflake File Downloaded was updated to check downloads from a specific directory. 'Snowflake Temporary Stage Created' was refined by changing the query text, enhancing detection logic accuracy. (snowflake_stream_file_downloaded, Snowflake Table Copied Into Stage, Snowflake File Downloaded, Snowflake Temporary Stage Created)
The Unusual 1Password client detection rule now includes '1Password for Linux' in the client_allowlist, improving the detection of unusual 1Password clients. (Unusual 1Password client - detected)
elastic/detection-rules (+44, ✎1)
https://github.com/elastic/detection-rules
+ New rules
New Okta rules use machine learning to find spikes in group events and user lifecycle changes, and to flag unusual source IPs, host names, region names, and session counts in privileged operations. (Spike in Group Membership Events, Spike in Group Lifecycle Change Events, Spike in Group Privilege Change Events, Spike in Group Application Assignment Change Events, Spike in User Lifecycle Management Change Events, Unusual Source IP for Okta Privileged Operations Detected, Unusual Host Name for Okta Privileged Operations Detected, Unusual Region Name for Okta Privileged Operations Detected, Unusual Spike in Concurrent Active Sessions by a User)
New Windows rules use machine learning to monitor privileged operations by checking for unusual group names, hostnames, source IPs, region names, and privilege types. They also detect spikes in groups, user accounts, special privilege use, and special logon events that may signal unauthorized activity. (Unusual Group Name Accessed by a User, Unusual Host Name for Windows Privileged Operations Detected, Unusual Source IP for Windows Privileged Operations Detected, Spike in Group Management Events, Spike in User Account Management Events, Spike in Special Privilege Use Events, Spike in Special Logon Events, Unusual Region Name for Windows Privileged Operations Detected, Unusual Privilege Type assigned to a User)
New Linux rules run machine learning jobs to detect spikes in privileged command execution, high median command line entropy, and unusual process executions. Such detections can help identify potential unauthorized access by tracking anomalies in user command patterns. (Spike in Privileged Command Execution by a User, High Command Line Entropy Detected for Privileged Commands, Unusual Process Detected for Privileged Commands by a User)
New AWS rules now monitor DynamoDB activity by tracking scan and export operations performed by users who do not typically engage in these actions. Logs from CloudTrail help detect first-time or anomalous user behavior. (AWS DynamoDB Scan by Unusual User, AWS DynamoDB Table Exported to S3)
✎ Modified rules
The detection rule for identifying suspicious .NET reflection via PowerShell was improved by removing redundant condition checks for 'System.Reflection' within the PowerShell script block text. (Suspicious .NET Reflection via PowerShell).
Personal repositories (2)
Neo23x0/signature-base (+5, ✎8)
https://github.com/Neo23x0/signature-base
+ New rules
Two rules target Octowave loader files. One rule detects supporting files with hardcoded values using unique key identifiers and size checks, while the other inspects loader DLLs and WAV steganography for opcode patterns. (Octowave_Loader_Supporting_File_03_2025, Octowave_Loader_03_2025)
Two rules detect suspicious payload activity. One rule flags SVG files that include JavaScript payloads with file hash, size, and string checks (with a warning for potential false positives), while another detects Bash-based reverse shells using a unique identifier and updated metadata. (SUSP_SVG_JS_Payload_Mar25, SUSP_shellpop_Bash)
A rule identifies padded LNK files used for exploiting the ZDI-CAN-25373 vulnerability. It matches specific patterns and assigns an impact score of 80. (EXT_EXPL_ZTH_LNK_EXPLOIT_A)
✎ Modified rules
The rule "SUSP_Double_Base64_Encoded_Executable" was modified with additional hashes and strings related to file paths, improving detection logic. Similarly, "APT_APT29_NOBELIUM_BoomBox_May21_1" had author updates, hash updates, and additional checks related to PE files. Both changes aim to improve detection capabilities. (SUSP_Double_Base64_Encoded_Executable, APT_APT29_NOBELIUM_BoomBox_May21_1)
"SUSP_LNX_Base64_Exec_Apr24" and "SUSP_SVG_JS_Payload_Mar25" rules were refined for better specificity. The former now explicitly excludes certain patterns, while the latter added clear condition boundaries, improving precision. (SUSP_LNX_Base64_Exec_Apr24, SUSP_SVG_JS_Payload_Mar25)
The "Octowave_Loader_03_2025" rule was expanded with new opcode definitions, values, patterns, and refined conditions. This strengthened detection logic and improved coverage of specific obfuscation methods, and reduced false positives. (Octowave_Loader_03_2025)
The "Suspicious_Size_spoolsv_exe" rule updated the file size threshold from 1000KB to 1500KB to allow more variance and increased sensitivity in detecting suspicious activities. (Suspicious_Size_spoolsv_exe)
SlimKQL/Hunting-Queries-Detection-Rules (+2)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
Two new rules were added to track exploitation and misconfiguration. One rule tracks the creation of ShellLink files with abnormal command line arguments, while the other inspects inbound email events to flag misconfigured Exchange Online transport rules by counting non-spam deliveries (Windows Shortcut Exploit Abused Detection, Detecting Misconfigured EXO Transport Rules).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.