Detections Digest #20250331
The issue covers key updates from 12 out of 40+ monitored GitHub repos between Mar 24 and Mar 31, 2025, with 55 new rules and 104 modified ones.
This week's update highlights the most significant changes to detection rules from 12 of the 40+ monitored GitHub repositories. Between Mar 24 and Mar 31, 2025, contributors added 55 new rules and updated 104 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Summary
New rules were added to detect unauthorized AWS VPC endpoint activities and the enabling of additional AWS regions via CloudTrail (panther-labs/panther-analysis).
Multiple rules now target suspicious Windows activities, including NirCmd.exe execution, unauthorized network scanning with FScan.exe, remote browser debugging, and fsutil/fsinfo execution (anvilogic-forge/armory).
New phishing kit rules were also introduced for PagoPA, Rakuten, and Discord platforms (phish-report/IOK).
Detection rules for vulnerable and malicious driver loads have been updated with new MD5 hash lists and revised driver name checks (magicsword-io/LOLDrivers).
MacOS, Windows, and cross-platform behavior detections have been expanded. New rules address anomalous binary execution, large script executions, API call patterns, and potential exploit activities. Modifications include updated alert generation intervals and refined query logic (elastic/protections-artifacts, elastic/detection-rules).
Personal repository updates include two new YARA rules for detecting the h4ntu shell and improvements to VMware exploit detection, a new KQL rule for Internet-facing devices, and updates to Fibratus detection rules for process injection. (Neo23x0/signature-base, SlimKQL/Hunting-Queries-Detection-Rules, rabbitstack/fibratus)
Table Of Contents
panther-labs/panther-analysis (+10, ✎2)
anvilogic-forge/armory (+18)
sublime-security/sublime-rules (+2, ✎9)
splunk/security_content (+1, ✎1)
phish-report/IOK (+3)
elastic/protections-artifacts (+13, ✎57)
elastic/detection-rules (+3, ✎26)
Corporate repositories (9)
panther-labs/panther-analysis (+10, ✎2)
https://github.com/panther-labs/panther-analysis
+ New rules
New rules were added to monitor VPC Endpoint activities in AWS. These include detecting specific sensitive API calls, access denied events, S3 data access from external IPs, and unauthorized access by external principals through VPC Endpoint network activity. Each rule is designed to identify potential threats or unusual activity and includes scenarios for effective detection (Sensitive AWS API calls via VPC Endpoint, VPC Endpoint Access Denied, S3 Access via VPC Endpoint from External IP, External Principal Accessing Resources in Account).
Additional rules covering the same VPC Endpoint features were introduced in YAML format. These rules aim to detect unauthorized access, sensitive API calls, and potential data exfiltration through public IPs using VPC Endpoints, and they come with thorough test cases and response guidance (Sensitive API Calls Via VPC Endpoint, VPC Endpoint Access Denied, S3 Access Via VPC Endpoint From External IP, External Principal Accessing AWS Resources Via VPC Endpoint).
A new rule was created to detect the enabling of additional AWS regions via CloudTrail, which involves monitoring the 'EnableRegion' action. This rule provides context about the action performer and the affected region, helping to identify any unnecessary region activations. (AWS CloudTrail region enabled, AWS Cloudtrail Region Enabled)
✎ Modified rules
The "EC2 Launch Unusual EC2 Instances" rule logic was updated to use a dedicated function for retrieving instance types, improving maintainability. Additionally, a new test case named 'Successful Unusual EC2 (Dictionary)' was added, providing detailed logs and expected results to improve alert accuracy for unusual EC2 launches (EC2 Launch Unusual EC2 Instances, AWS EC2 Launch Unusual EC2 Instances).
anvilogic-forge/armory (+18)
https://github.com/anvilogic-forge/armory
+ New rules
Multiple rules for detecting NirCmd.exe execution have been introduced. These rules identify execution patterns associated with malicious activity using telemetry from sources such as Sysmon, EDR, Windows event logs, and PowerShell logs. The logic includes capturing command-line parameters, event codes, and regex matching to highlight potentially abusive execution behaviors (NirCmd Execution - Splunk Sysmon, NirCmd Execution - Splunk Windows Event, NirCmd Execution - Splunk EDR, NirCmd Execution - Splunk PowerShell).
New rules were created to detect unauthorized network scanning using FScan.exe. These rules analyze ICMP ping requests to private IP ranges to identify potential reconnaissance efforts by monitoring for excessive network activity, leveraging logs from various sources such as EDR, Sysmon, and Windows Event logs (FScan.exe Network Scan - Splunk EDR, FScan.exe Network Scan - Splunk Sysmon, FScan.exe Network Scan - Splunk Windows Event).
Detection rules have been introduced to identify security software discovery activities via findstr.exe or find.exe. These rules look for attempts to search for security software using different logging methods such as Sysmon, EDR, Windows event logs, and PowerShell logs. The logic includes matching known security software process names (Security Software Discovery via Findstr.exe - Splunk PowerShell, Security Software Discovery via Findstr.exe - Splunk EDR, Security Software Discovery via Findstr.exe - Splunk Sysmon, Security Software Discovery via Findstr.exe - Splunk Windows Event).
A new series of rules has been added to detect browsers starting in remote debugging mode, which threat actors could exploit. The logic considers both process creation and specific event codes, with coverage across PowerShell, Sysmon, EDR, and Windows event logs (Browser Started with Remote Debugging - Windows - Splunk PowerShell, Browser Started with Remote Debugging - Windows - Splunk Sysmon, Browser Started with Remote Debugging - Windows - Splunk EDR, Browser Started with Remote Debugging - Windows - Splunk Windows Event).
Detection rules for fsutil fsinfo execution were added to identify potential discovery of peripheral devices by adversaries. These rules use EDR and Windows event logs to capture process command-line activity and event data (Fsutil fsinfo execution - Splunk EDR, Fsutil fsinfo execution - Splunk Windows Event).
A new rule was introduced for monitoring AWS DescribeImages API requests that do not include an owner parameter, to detect potential name confusion attacks. This rule uses AWS CloudTrail logs to track and flag suspicious API activity (AWS DescribeImages without owner parameter).
sublime-security/sublime-rules (+2, ✎9)
https://github.com/sublime-security/sublime-rules
+ New rules
Two new rules were added aimed at detecting email-related threats. The first rule targets emails spoofing DocuSign by pretending to be from Intuit domains, focusing on failed authentication and DocuSign branding. The second rule spots phishing attempts via mindmixer[.]com by analyzing link redirects and checking for DMARC failures in trusted domains (DocuSign Impersonation via Spoofed Intuit Sender, Open Redirect: mindmixer.com).
✎ Modified rules
Regex and detection logic improvements were made to enhance the detection of phishing attempts, particularly related to credential phishing with payroll themes and disguised 'DocuSign' variations, as well as improved email domain checks to streamline brand impersonation detection for Meta (Credential phishing: Engaging language and other indicators, Brand Impersonation: Meta and Subsidiaries, Brand impersonation: DocuSign).
Detection logic involving QR code data processing was refined by specifying format parameters as 'url', improving the accuracy of detecting phishing attempts within attachment and link QR codes (Brand impersonation: Adobe (QR code), Link: QR Code with suspicious language, Attachment: QR Code Link With Base64-Encoded Recipient Address).
Unsolicited email detection was enhanced by refining source logic, ensuring encoding consistency, and improving email solicitation checks. The update also includes revised text parsing functions for SVG files, removal of specific file extension conditions, and restructured sender email checks for callback phishing with PDFs (Attachment: Embedded Javascript in SVG file, Attachment: Callback Phishing solicitation via PDF file, Attachment: EML file with HTML attachment).
reversinglabs/reversinglabs-yara-rules (+2)
https://github.com/reversinglabs/reversinglabs-yara-rules/
+ New rules
Two new YARA rules have been added to detect specific Linux backdoors. The first rule identifies the GobRAT backdoor by analyzing local addresses, MAC addresses, TCP communications, and telnet tasks. The second rule targets the Sshdinjector backdoor through specific string patterns related to its operation. (Linux_Backdoor_GobRAT, Linux_Backdoor_Sshdinjector)
splunk/security_content (+1, ✎1)
https://github.com/splunk/security_content
+ New rules
A new Splunk rule detects large ICMP traffic aimed at external IPs, focusing on packets over 1000 bytes that aren't blocked. It uses the Network_Traffic data model to spot potential covert communications or data exfiltration (Detect Large ICMP Traffic).
✎ Modified rules
The "Windows Service Created with Suspicious Service Name" rule underwent modifications that improved detection accuracy. The logic now checks for 'tool_name' not being null, instead of not being 'false'. This refines service detection by focusing on valid entries. (Windows Service Created with Suspicious Service Name).
phish-report/IOK (+3)
https://github.com/phish-report/IOK
+ New rules
New detection rules were introduced to identify phishing attempts on various platforms. For the PagoPA platform, the rule detects phishing by monitoring specific request patterns and domains, with conditions on PHP files and exclusion of legitimate PagoPA domains (PagoPA Phishing Kit 197bb96bc).
A separate rule targets Rakuten phishing kits aimed at Japanese users by checking for JavaScript inclusions and hidden input fields (Rakuten Phishing Kit 1f160470).
Additionally, a new rule identifies Discord phishing kits by detecting HTML content and titles linked to fake 404 and login pages (Discord Fake Error 43143a94).
magicsword-io/LOLDrivers (✎6)
https://github.com/magicsword-io/LOLDrivers
✎ Modified rules
The latest rule updates in the LOLDrivers GitHub repository primarily address enhanced detection of vulnerable and malicious drivers on Windows systems.
The detection logic for multiple Sigma rules related to loading both vulnerable and malicious drivers was updated. Several rules now contain updated MD5 hash lists, with old hashes removed and new ones added. This aims to better detect and target both vulnerable and malicious driver loads, potentially reducing false positives and covering more threats (Vulnerable Driver Load, Malicious Driver Load, Malicious Driver Load Despite HVCI, Vulnerable Driver Load Despite HVCI).
Two rules saw changes in detected driver names. The "Vulnerable Driver Load By Name" and "Malicious Driver Load By Name" rules had their list of driver names updated. Known vulnerable or malicious driver names were added, and some were removed, aiming to improve the rules' detection scope (Vulnerable Driver Load By Name, Malicious Driver Load By Name).
elastic/protections-artifacts (+13, ✎57)
https://github.com/elastic/protections-artifacts
+ New rules
Multiple rules were introduced targeting macOS behavior detections, including rules for detecting suspicious execution of binaries from volume mounts lacking a typical application structure, large script executions via shell commands, and unusual bundle executions via shell interpreters. Other detections focus on unsigned or untrusted binaries execution via zshrc and identifying crypto wallet or web browser file access via Python and Osascript. Additionally, there is a detection for arbitrary Python code execution using Nodejs. Each rule includes specific conditions and actions to terminate identified processes, adding to threat coverage (Lone Binary Execution from Volume Mount, Unusual Bundle Execution via Shell, Suspicious Large Script Execution via Shell Command, Unsigned or Untrusted Binary Execution via Zshrc, Crypto Wallet or Web Browser File Access via Python, Arbitrary Python Code Execution via Nodejs, Crypto Wallet or Web Browser File Access via Osascript).
Several Windows behavior detection rules were introduced. These include detecting API calls via unusual ROP gadgets and timer callback events, potential Elastic tampering via PendingFileRename operations, and suspicious command executions via the Windows Run window. Additionally, potential exploits using library loading via thread fiber callbacks and ComDotNet exploits targeting specific services were added to enhance threat insight. (API Call via Jump ROP Gadget, API Call via Timer Callback Event, Potential Elastic Tampering via PendingFileRename, Suspicious Command Shell Execution via Windows Run, Library Loaded via Thread Fiber CallBack, Potential Exploitation via ComDotNet Exploit)
✎ Modified rules
Linux rules received updates, including improved exclusions and query logic refinements to increase detection accuracy and reduce false positives. Changes included version increments and conditions for potential proxy execution, hidden process executions, shared object injection, amended paths, command pattern adjustments, and new logic checks. These updates span rules related to PHP proxy execution, network connections, shared object injections, deleted executable egress, and others (Potential Proxy Execution via PHP, Hidden Process Execution followed by Network Connection, Shared Object Injection via Process Environment Variable, amongst others).
Cross-platform and macOS rules received query updates to improve detection. These changes included process exclusions and query refinements for crontab modifications, unusual command executions, and execution patterns. Rules addressed persistence techniques and various suspicious activities (Potential Persistence via Direct Crontab Modification, Pebble Reverse Shell Activity via Terminal, Curl to Suspicious Top Level Domain).
Windows rule updates included detection improvements through expanded exclusion lists, enhanced query logic, and added conditions for suspicious activities and evasion techniques. Notable changes involved updated DNS queries, stack pattern checks, and refined detection logic for API spoofing, PowerShell executions, and other defense evasion tactics (Connection to WebService by a Signed Binary Proxy, Execution from Suspicious Stack Trailing Bytes, Potential Pentesting PowerShell Script).
elastic/detection-rules (+3, ✎26)
https://github.com/elastic/detection-rules
+ New rules
New rules have been introduced to detect illicit consent grant requests for Microsoft platforms. The first rule catches suspicious consent grant requests in Microsoft Entra ID applications by monitoring risky actions in Azure audit logs. The second rule targets unauthorized consent grants in Microsoft 365, focusing on phishing attacks aiming to gain user access permissions (Microsoft Entra ID Illicit Consent Grant via Registered Application, Microsoft 365 Illicit Consent Grant via Registered Application).
A new rule detects modifications to Microsoft Entra ID Conditional Access Policies (CAP), tracking changes in Azure audit logs. The aim is to prevent potential security gaps by identifying successful updates. The rule offers triage and investigation guidance for alerts (Microsoft Entra ID Conditional Access Policy (CAP) Modified).
✎ Modified rules
Several detection rules were updated by shortening the alert generation interval from 10 minutes to 1 minute, reducing the max signals from 10,000 to 1,000, and narrowing the detection time window from 'now-15m' to 'now-2m'. These changes aim to improve responsiveness and alert accuracy while staying within alerting limits; they may have operational and performance impacts. Updates were made across various rule types, including promotions to production readiness status (Permission Theft - Detected - Elastic Endgame, Process Injection - Detected - Elastic Endgame, Credential Dumping - Detected - Elastic Endgame, Adversary Behavior - Detected - Elastic Endgame, Malware - Detected - Elastic Endgame, Ransomware - Detected - Elastic Endgame, Malware - Prevented - Elastic Endgame, Ransomware - Prevented - Elastic Endgame, Exploit - Detected - Elastic Endgame, Credential Manipulation - Detected - Elastic Endgame, Exploit - Prevented - Elastic Endgame, Credential Manipulation - Prevented - Elastic Endgame, Credential Dumping - Prevented - Elastic Endgame, Process Injection - Prevented - Elastic Endgame, Permission Theft - Prevented - Elastic Endgame).
Several rules focusing on endpoint security were updated to align with alerting limits by reducing max signals from 10,000 to 1,000, and updating the 'updated_date' to reflect the latest version (Endpoint Security (Elastic Defend), Behavior - Detected - Elastic Defend, Memory Threat - Prevented - Elastic Defend, Malicious File - Detected - Elastic Defend, Memory Threat - Detected - Elastic Defend, Ransomware - Detected - Elastic Defend, Ransomware - Prevented - Elastic Defend, Malicious File - Prevented - Elastic Defend).
Two rules aimed at remote file download detection have been updated with new investigation queries. These queries provide more context for alerts on user and host activity over the past 48 hours, centering on process network events, which widens the rules' investigative scope (Remote File Download via Desktopimgdownldr Utility, Remote File Download via MpCmdRun).
Personal repositories (3)
Neo23x0/signature-base (+2, ✎1)
https://github.com/Neo23x0/signature-base
+ New rules
Two YARA rules were added to detect the h4ntu shell, targeting the h4ntu shell powered by tsoi and version details via metadata and string patterns (WEBSHELL_H4ntu_Shell_Powered_Tsoi_3, WEBSHELL_H4ntu_Shell_Powered_Tsoi).
✎ Modified rules
The YARA rule detecting VMware Workspace ONE CVE-2022-22954 exploits was updated with additional strings to improve detection. Also, the condition logic was adjusted (SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22).
SlimKQL/Hunting-Queries-Detection-Rules (+1)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
A new KQL detection rule was introduced to identify Internet-facing devices with the 'nginx-ingress' process, using device information and process events to track potentially vulnerable systems (Hunting IngressNightmare (CVSS 9.8)).
rabbitstack/fibratus (✎2)
https://github.com/rabbitstack/fibratus
✎ Modified rules
Two Fibratus rules were updated to version 1.0.1. The "Macro execution via script interpreter" rule removed redundant checks for actions like spawn_process and create_file, focusing the detection logic. Meanwhile, the "Potential process injection via tainted memory section" rule was improved by including more checks for executable paths to refine its detection of process injection attempts (Macro execution via script interpreter, Potential process injection via tainted memory section).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.