Detections Digest #20250407
This issue describes updates to detection rules in 10 GitHub repositories for the week of Mar 31 - Apr 7, 2025, including 41 new rules and 31 modified ones.
This week's update highlights the most significant changes to detection rules from 10 of the 40+ monitored GitHub repositories. Between Mar 31 and Apr 7, 2025, contributors added 41 new rules and updated 31 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Detection enhancements for homoglyph attacks — 4 new rules added to detect homoglyph attacks in Windows process command lines, using Splunk logic with emphasis on PowerShell and Sysmon logs. These rules employ regex to catch Unicode-based obfuscation (anvilogic-forge/armory).
Increased focus on network anomaly detection — Several new rules were introduced to detect unusual network activities, such as connections to suspicious domains on macOS, unexpected system processes engaging in network activity, and potential covert command and control links (elastic/detection-rules, anvilogic-forge/armory).
Phishing tactics and brand impersonation defenses — Multiple rules added to detect phishing emails leveraging third-party platforms (e.g., DocuSign, TikTok) and infrastructure abuse like Squarespace and Canva. These rules employ ML and regex methods to identify spoofing and evasion in email headers and contents (sublime-security/sublime-rules).
Malware detection improvements with YARA — New YARA rules introduced to identify specific Windows Trojans such as ShelbyLoader, ShelbyC2, and Rhadamanthys, focusing on string and byte pattern detection in x86 architectures (elastic/protections-artifacts).
Enhancements to cloud service monitoring — Detection logic updated for AWS, Google Workspace, GCP, and Slack, refining rules for multi-instance connections, mass downloads, and permission scope changes. Improvements include deduplication and caching for better alert accuracy and sensitivity (panther-labs/panther-analysis).
Refinement of driver vulnerability detection — Sigma rules for detecting vulnerable and malicious driver loads updated with new hash values and driver names. These changes broaden the scope to include current vulnerabilities and reduce false positives by aligning with recent data from loldrivers.io (magicsword-io/LOLDrivers).
Updates to Windows intrusion techniques detection — New and revised rules to improve the detection of techniques like LNK exploitation, process hollowing exclusions, and suspicious LSASS activities (rabbitstack/fibratus, splunk/security_content).
Focus on Unix and Linux threat vectors — New rules for detecting suspicious activities on Unix systems, including high-frequency nft executions and system binary movements, aim to highlight potential privilege escalation attempts (anvilogic-forge/armory).
Improved security for Office 365 environments — New KQL queries detect non-RFC compliant emails, service accounts, and malicious portable apps, aiming to identify security risks and improve compliance within Microsoft environments (alexverboon/Hunting-Queries-Detection-Rules).
Table Of Contents
elastic/detection-rules (+2, ✎1)
anvilogic-forge/armory (+12)
elastic/protections-artifacts (+3, ✎1)
sublime-security/sublime-rules (+10, ✎6)
panther-labs/panther-analysis (+2, ✎9)
rabbitstack/fibratus (+5, ✎1)
🔔 We’ve introduced a new format for detection rules: all new rules are now also published as a STIX2 bundle, packaged as indicators.
These bundles can be ingested into threat intelligence platforms like OpenCTI, making managing detection coverage together with threat intel easier.
You can download the STIX2 bundle from GitHub or preview it with CTIChef.
Corporate repositories (7)
elastic/detection-rules (+2, ✎1)
https://github.com/elastic/detection-rules
+ New rules
Two new macOS rules focus on spotting unusual network connections. The first rule detects outbound connections to suspicious top-level domains using network logs. The second identifies connections to domains associated with file sharing, which could signal data exfiltration, raising alerts for potential Command and Control activities (Unusual Network Connection to Suspicious Top Level Domain, Unusual Network Connection to Suspicious Web Service).
✎ Modified rules
The detection rule for Microsoft Windows Defender Tampering was improved by correcting the detection logic error: the registry path was replaced with the correct registry value, increasing accuracy in monitoring tampering activities (Microsoft Windows Defender Tampering).
anvilogic-forge/armory (+12)
https://github.com/anvilogic-forge/armory
+ New rules
New detection rules were developed to identify high-frequency 'nft' executions by unprivileged users that may signal exploitation of CVE-2024-1086. These rules utilize Splunk to track more than five 'nft' executions within 10 seconds and recognize specific execution patterns to identify privilege escalation attempts (High-Frequency nft Executions by Unprivileged User - Splunk Unix, High-Frequency nft Executions by Unprivileged User - Splunk EDR).
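The threshold described above (more than five nft executions within ten seconds by a non-root user) can be modelled as a sliding window over process-start events. The following is an added example written for this digest, not code from the anvilogic-forge/armory repository or its Splunk rules; the event fields (ts, user, uid, process) and the sample events are constructed assumptions rather than a real log schema.

```python
"""Burst detector for 'nft' executions by unprivileged users (added example).

Models the digest's threshold: alert when one non-root user starts 'nft'
more than THRESHOLD times inside a WINDOW. Field names and sample events are
constructed for illustration, not taken from any real data source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)
THRESHOLD = 5  # alert once the count inside WINDOW exceeds this


def is_unprivileged(event):
    """Treat anything other than uid 0 as an unprivileged user (assumption)."""
    return event["uid"] != 0


def detect_nft_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one (user, window_start, count) alert per burst.

    Events are processed in timestamp order; a deque per user holds the
    timestamps still inside the window. After an alert fires, further hits
    inside the same window are suppressed so a burst produces a single alert.
    """
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)
    last_alert = {}
    alerts = []
    for ev in events:
        if ev["process"] != "nft" or not is_unprivileged(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop executions that fell out of the window
        if len(q) > threshold:
            prev = last_alert.get(ev["user"])
            if prev is None or ev["ts"] - prev > window:
                alerts.append((ev["user"], q[0], len(q)))
                last_alert[ev["user"]] = ev["ts"]
    return alerts


# Constructed sample events: 'bob' runs nft seven times in seven seconds,
# root runs it ten times (ignored), 'alice' runs it slowly (below threshold).
_BASE = datetime(2025, 4, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    [{"ts": _BASE + timedelta(seconds=i), "user": "bob", "uid": 1000, "process": "nft"}
     for i in range(7)]
    + [{"ts": _BASE + timedelta(seconds=i), "user": "root", "uid": 0, "process": "nft"}
       for i in range(10)]
    + [{"ts": _BASE + timedelta(seconds=20 * i), "user": "alice", "uid": 1001, "process": "nft"}
       for i in range(3)]
    + [{"ts": _BASE, "user": "bob", "uid": 1000, "process": "ls"}]
)

if __name__ == "__main__":
    for user, start, count in detect_nft_bursts(SAMPLE_EVENTS):
        print(f"ALERT user={user} window_start={start.isoformat()} count={count}")
```

The per-user suppression is the part worth keeping when porting this to a SIEM: without it, every execution after the sixth re-fires the alert for as long as the burst lasts.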
A suite of new rules identifies homoglyph attacks in Windows command lines using Unicode characters. These rules apply Splunk to monitor PowerShell, EDR, Windows event, and Sysmon logs for suspicious character usage, helping spot command obfuscation and impersonation tactics (Command Line Homoglyphs - Windows Splunk PowerShell, Command Line Homoglyphs - Windows Splunk EDR, Command Line Homoglyphs - Windows Splunk Windows Event, Command Line Homoglyphs - Windows Splunk Sysmon).
Rules introduced for Unix-based systems detect the copying of system binaries from the /bin directory as a potential evasion tactic. These use Splunk to note when binaries are moved or renamed, analyzing endpoint and EDR data sources for evasive activities (System Binary Copied - *nix Splunk Unix, System Binary Copied - *nix Splunk EDR).
New rules detect processes spawned by explorer.exe with suspicious command line padding on Windows. The rules look for whitespace or non-printable character padding, a stealth technique used in LNK-based attacks, and employ Splunk to check Sysmon and EDR logs for such anomalies (Explorer Child Process with Suspicious Command Line Padding Splunk Sysmon, Explorer Child Process with Suspicious Command Line Padding Splunk EDR).
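Both the homoglyph rules and the padding rules above reduce to pattern checks over the process command line, so one added example serves both. This is illustrative code written for this digest, not the armory project's Splunk logic: it flags characters from Unicode blocks that mimic Latin glyphs in any command line, and long whitespace or control-character runs only when the parent process is explorer.exe. The event fields (id, parent, cmdline), the chosen Unicode ranges and run lengths, and the sample events are all assumptions.

```python
"""Command-line anomaly checks: homoglyphs and padding (added example).

Not code from anvilogic-forge/armory. Unicode ranges and thresholds below are
illustrative choices; tune them against your own baseline before deploying.
"""
import re
import unicodedata

# Unicode blocks whose letters visually mimic Latin letters or digits.
HOMOGLYPH_RE = re.compile(
    r"[\u0370-\u03FF"   # Greek and Coptic
    r"\u0400-\u04FF"    # Cyrillic
    r"\u0500-\u052F"    # Cyrillic Supplement
    r"\u1D00-\u1DBF"    # Phonetic Extensions (small capitals etc.)
    r"\u2100-\u214F"    # Letterlike Symbols
    r"\uFF01-\uFF5E]"   # Fullwidth ASCII variants
)

# Runs of padding that push the real arguments out of view in a shortcut's
# target field: long plain whitespace, exotic space/format characters, or
# control characters that should never appear in a command line.
PADDING_RE = re.compile(
    r"[ \t]{20,}"
    r"|[\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u3000\uFEFF]{4,}"
    r"|[\x00-\x08\x0B\x0C\x0E-\x1F]+"
)


def find_homoglyphs(cmdline):
    """Return [(char, 'U+XXXX', unicode name)] for each homoglyph candidate."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in HOMOGLYPH_RE.findall(cmdline)]


def find_padding(cmdline):
    """Return the longest padding run in cmdline, or '' if none."""
    runs = PADDING_RE.findall(cmdline)
    return max(runs, key=len) if runs else ""


def check_event(ev):
    """Return a list of findings for one process-start event."""
    findings = []
    homoglyphs = find_homoglyphs(ev["cmdline"])
    if homoglyphs:
        findings.append(("homoglyph", homoglyphs))
    if ev["parent"].lower() == "explorer.exe":  # padding check scoped to explorer children
        pad = find_padding(ev["cmdline"])
        if pad:
            findings.append(("padding", len(pad)))
    return findings


def scan(events):
    """Map event id -> findings for every event that produced at least one."""
    results = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            results[ev["id"]] = findings
    return results


# Constructed sample events. Event 1 uses a Cyrillic 'е' (U+0435) in place of
# the Latin 'e' in "Get-Process"; event 2 hides its trailing argument behind
# 40 spaces; events 3 and 4 are benign (4 has padding but a non-explorer parent).
SAMPLE_EVENTS = [
    {"id": 1, "parent": "cmd.exe", "cmdline": "powershell.exe -c Get-Proc\u0435ss"},
    {"id": 2, "parent": "explorer.exe",
     "cmdline": "cmd.exe /c echo test" + " " * 40 + "& notepad.exe"},
    {"id": 3, "parent": "explorer.exe", "cmdline": r"notepad.exe C:\Users\x\notes.txt"},
    {"id": 4, "parent": "cmd.exe", "cmdline": "echo" + " " * 40 + "done"},
]

if __name__ == "__main__":
    for event_id, findings in scan(SAMPLE_EVENTS).items():
        print(event_id, findings)
```

Reporting the code point and Unicode name alongside the character matters for triage: a Cyrillic 'е' and a Latin 'e' are indistinguishable in most alert consoles, and the name is what lets an analyst confirm the finding without copying the string into a hex viewer.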
New detection rules track network activity from typically offline system processes, intended to spot process injection or covert C2 actions. These rules leverage Splunk to monitor processes like conhost.exe and lsass.exe through Windows Event and Sysmon logs (Unexpected Network Connection from System Process Splunk Windows Event, Unexpected Network Connection from System Process Splunk Sysmon).
elastic/protections-artifacts (+3, ✎1)
https://github.com/elastic/protections-artifacts
+ New rules
New YARA rules were added to detect specific Windows Trojans. The ShelbyLoader rule identifies peculiar strings, byte patterns, process alerts, and API call sequences. The ShelbyC2 rule targets x86 Windows systems with string and byte pattern detections. The Rhadamanthys rule focuses on byte sequences in files and memory characteristic of the threat (Windows_Trojan_ShelbyLoader_ca4d5de6, Windows_Trojan_ShelbyC2_dae5bc1d, Windows_Trojan_Rhadamanthys_baba80fb).
✎ Modified rules
The rule 'Windows_Generic_Threat_baba80fb' was deprecated, indicating its removal from active detection due to irrelevance or replacement by better logic (Windows_Generic_Threat_baba80fb).
sublime-security/sublime-rules (+10, ✎6)
https://github.com/sublime-security/sublime-rules
+ New rules
Two new rules were added for detecting links and URLs used in phishing campaigns. One targets suspicious CloudHQ links impersonating DocuSign, utilizing header, URL, content, and sender analysis. Another detects open redirects in whitefox.pl URLs in emails, indicating credential phishing or malware threats (DocuSign Impersonation via CloudHQ Links, Open Redirect: whitefox.pl).
Four new rules address brand impersonation threats. Rules detecting emails impersonating Vanguard and Navan make use of NLP, header analysis, heuristics, and machine learning to identify spoofed communications. A separate rule targets impersonation related to TikTok, using machine learning for logo detection and NLP to filter out trusted domains (Brand Impersonation: Vanguard, Brand Impersonation: Navan, Brand Impersonation: TikTok).
The new Canva and Squarespace rules aim to detect abuse of their infrastructures. The Canva rule finds fraudulent emails using design-sharing features and specific text markers, while the Squarespace rule checks for tracking links in emails without legitimate Squarespace sender patterns (Canva Infrastructure Abuse, Link: Squarespace Infrastructure Abuse).
Two new rules address HTML and email attachment-based phishing efforts. One detects suspicious HTML files with obfuscated text using regex. Another identifies emails featuring compensation reviews with QR codes in EML attachments, applying OCR and other analyses (Attachment: HTML With Suspicious Comments, Compensation Review With QR Code in Attached EML).
A new detection rule identifies emails suggesting employee policy updates, which might deliver credential phishing content through QR codes in Word documents. This targets malicious emails utilizing these social engineering tactics (Attachment: Suspicious Employee Policy Update Document Lure).
✎ Modified rules
The rule for Business Email Compromise (BEC) was improved by updating the regex match to include 'current' for identifying mobile solicitation and adding sender's display name conditions for BEC classification (Business Email Compromise (BEC) with request for mobile number).
The Credential Phishing rule updated sender profile criteria from "new" or "outlier" to not "common", broadening its detection range for suspicious senders (Credential phishing: Engaging language and other indicators (untrusted sender)).
The HTML Smuggling rule was corrected by changing 'not profile.by_sender().solicited' to 'not profile.by_sender_email().solicited', fixing the logic for evaluating unsolicited emails (HTML smuggling containing recipient email address).
The rule for Request for Quote or Purchase (RFQ|RFP) expanded regex patterns to include 'Request for Proposal' and added checks for 'cred_theft' intents in email links, improving detection scope (Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern).
Corporate Services Impersonation Phishing rule was refined by adding checks for email content and headers, adjusting regex for subject lines, detecting QR codes in attachments, and reducing false positives (Corporate Services Impersonation Phishing).
Improvements to Quickbooks Brand Impersonation rule enhanced the detection of email content, phone numbers, and trademark references related to Quickbooks, consolidating detection logic in social engineering contexts and adjusting formatting for readability (Brand impersonation: Quickbooks).
splunk/security_content (✎6)
https://github.com/splunk/security_content
✎ Modified rules
Several rules were updated to include additional fields for improved detection precision and context. The "Windows Explorer LNK Exploit Process Launch With Padding" and "Windows SSH Proxy Command" rules incorporated fields such as process_exec, process_hash, process_integrity_level, and others, enhancing the detail and accuracy of process execution tracking (Windows Explorer LNK Exploit Process Launch With Padding, Windows SSH Proxy Command).
The "Common Ransomware Extensions" rule was updated to refine search logic by including file_extension and Name values, while correcting the field reference for RBA message, thus improving detection logic clarity (Common Ransomware Extensions).
The "SchCache Change By App Connect And Create ADSI Object" and "Spoolsv Suspicious Loaded Modules" rules were modified to capture additional event data, incorporating the 'Image' field to enhance detection and analysis precision (SchCache Change By App Connect And Create ADSI Object, Spoolsv Suspicious Loaded Modules).
The "Detect Large ICMP Traffic" rule now includes fields related to application, byte counts, protocols, and user attributes, allowing a more detailed analysis of ICMP traffic patterns (Detect Large ICMP Traffic).
panther-labs/panther-analysis (+2, ✎9)
https://github.com/panther-labs/panther-analysis
+ New rules
Introduced a new detection rule for Google Workspace to identify users downloading many documents quickly from Google Drive. The rule captures document and actor details for additional context and implements a threshold of 20 documents in 5 minutes. The rule maps to MITRE ATT&CK technique T1567 (google_workspace_many_docs_downloaded, Google Workspace Many Docs Downloaded).
✎ Modified rules
The AWS rules for modifying cloud compute infrastructure were updated. The Python rule now disqualifies readOnly events and includes deduplication for instance IDs. The YAML rule format changed from YAML to JSON and increased the deduplication period from 60 to 120 minutes (AWS Modify Cloud Compute Infrastructure - Python, AWS Modify Cloud Compute Infrastructure - YAML).
The AWS EC2 Multi Instance Connect rules saw significant updates. The Python rule now uses caching for instance IDs linked with SSH keys to improve detection efficacy. The YAML rule altered the alert threshold for SSH public key pushes and updated test cases for better differentiation in scenarios (AWS EC2 Multi Instance Connect - Python, AWS EC2 Multi Instance Connect - YAML).
GCP and Slack rules have been improved. The GCP firewall rule replaced regex with a direct method lookup and added deduplication using the acting principal’s email. The Slack rules were updated for better scope change detection, with added tests and functions to track scope differences (GCP Firewall Rule Deleted, Slack App Access Expanded - Python, Slack App Access Expanded - YAML).
The Azure RiskLevel Passthrough rule increased deduplication time from 10 to 40 minutes and updated the reference URL. The AWS Lambda code overwrite rule now disables alert generation for reduced noise (Azure RiskLevel Passthrough, Lambda Update Function Code).
magicsword-io/LOLDrivers (✎6)
https://github.com/magicsword-io/LOLDrivers
✎ Modified rules
Several Sigma rules related to driver loads were updated with new hash values. This includes changes in hashes for potentially vulnerable (Vulnerable Driver Load, Vulnerable Driver Load Despite HVCI) and malicious drivers (Malicious Driver Load, Malicious Driver Load Despite HVCI) on Windows systems. These updates align with the latest threat data and aim to improve detection coverage.
In other modifications, Sigma rules focusing on driver names were updated. The rules for loading both vulnerable (Vulnerable Driver Load By Name) and malicious drivers (Malicious Driver Load By Name) by name were updated, adding new driver names and removing outdated ones, aiming to refine detection accuracy and broaden the scope based on recent findings.
Personal repositories (3)
RussianPanda95/Yara-Rules (+1)
https://github.com/RussianPanda95/Yara-Rules
+ New rules
New YARA rule introduced to detect AMOS Stealer malware. This rule identifies malicious binaries through specific string patterns and PE header checks (AMOS_Stealer).
rabbitstack/fibratus (+5, ✎1)
https://github.com/rabbitstack/fibratus
+ New rules
A new fibratus rule detects symbolic link creations by untrusted or unsigned processes, which may indicate defense evasion attempts. Additionally, a macro was introduced to identify successful symbolic link object creation, enhancing detection of bypass or manipulation efforts (Suspicious object symbolic link creation, create_symbolic_link_object).
A rule targets attempts to dump LSASS memory using the MiniDumpWriteDump function, matching specific process and call stack behaviors of potential attacks (LSASS memory dump via MiniDumpWriteDump).
A new rule detects unsigned DLLs used by a svchost process to drop executable files, focusing on unauthorized persistence activities (Executable file dropped by an unsigned service DLL).
Detection of a potential ClickFix infection chain via the Run window has been introduced, aimed at identifying possible phishing-related process executions. This rule can terminate suspicious processes (Potential ClickFix infection chain via Run window).
✎ Modified rules
The "Potential Process Hollowing" rule in fibratus now excludes the path '?:\Users\*\AppData\Local\Programs\Common\OneDriveCloud\taskhostw.exe' from detection, improving the accuracy of process exclusions (Potential Process Hollowing).
alexverboon/Hunting-Queries-Detection-Rules (+5, ✎1)
https://github.com/alexverboon/Hunting-Queries-Detection-Rules
+ New rules
New rules were added for Microsoft Defender for Office 365. One identifies non-RFC compliant emails by detecting P2Sender addresses not matching standard RFC patterns. Another rule tracks domains of blocked URLs by filtering URL click events and email interactions based on action types and detection methods (Defender for Office 365 - Identify Non-RFC Compliant Emails, Defender for Office 365 - Blocked URLs).
A new rule was introduced in Microsoft Defender for Identity to detect Active Directory Service Accounts, focusing on accounts like gMSA and sMSA. It identifies accounts with specific configurations (Defender for Identity - Service Accounts).
Defender for Endpoint now includes a rule to identify portable applications. Using various KQL queries, it detects executable files marked as portable, differentiating between regular and portable applications (Defender for Endpoint - Identify Portable Apps).
Two new queries focus on detecting and reporting affected Windows 11 devices. One uses Log Analytics to find devices based on specific OS build revisions, enhancing visibility with Intune logs. The other generates a report for Windows Update for Business, targeting devices with known problematic OS revisions to support update management (MDE - Windows 11 - Issues might occur with media which installs the October or November update).
✎ Modified rules
The rule "MDE - Windows 11 - Issues with OS Build 26100 and Revisions" has been updated by adding multiple OS build revisions (2033, 2161, 2314, 2454, 863, 1742) to broaden detection coverage. New queries have been added to locate affected devices using Log Analytics and Windows Update for Business Report (MDE - Windows 11 - Issues with OS Build 26100 and Revisions).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.