Detections Digest #20250421
This issue covers detection rule updates from 12 GitHub repositories between Apr 14 and Apr 21, 2025, including 48 new rules and 69 modified ones.
This week's update highlights the most significant changes to detection rules from 12 of the 40+ monitored GitHub repositories. Between Apr 14 and Apr 21, 2025, contributors added 48 new rules and updated 69 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
CrushFTP and CentreStack exploitation — Multiple repositories added rules to detect specific post-exploitation behaviors associated with recent vulnerabilities CVE-2025-31161 (CrushFTP) and CVE-2025-30406 (CentreStack), monitoring for suspicious child process execution (SigmaHQ/sigma
, Yamato-Security/hayabusa-rules
, splunk/security_content
).
Cloud identity and configuration risks — New detections focus on anomalous Azure/Entra ID and AWS activities, including rare Service Principal credential additions, AWS STS temporary token use from multiple IPs, rare authentication requirements, S3 object encryption using SSE-C, Azure MCP listeners, and overprivileged OAuth applications (elastic/detection-rules
, anvilogic-forge/armory
, SlimKQL/Hunting-Queries-Detection-Rules
, splunk/security_content
).
Windows endpoint threat detection expansion — Numerous rules were added across repositories to identify techniques like data exfiltration using curl.exe
, PowerShell CreateDecryptor
method usage for potential unpacking, suspicious script execution (XSL, HTA), LNK command-line padding, and loading of unusual DLLs by Office or Print Processors (anvilogic-forge/armory
, SigmaHQ/sigma
, Yamato-Security/hayabusa-rules
, rabbitstack/fibratus
).
Advanced phishing and service abuse tactics — Rules address evolving email threats, including callback phishing (via SumUp infrastructure or calendar invites), QR code usage, specific phishing kits (PagoPA), and the abuse of legitimate services like SurveyMonkey, Google Accounts, and Adobe Acrobat, often correlating with newly registered domains (phish-report/IOK
, sublime-security/sublime-rules
).
Ransomware family detection — Specific YARA rules were added for Akira and Megazord ransomware. Related endpoint rules were updated to detect tools like esentutl.exe
used by Akira for browser data theft (Neo23x0/signature-base
, SigmaHQ/sigma
, Yamato-Security/hayabusa-rules
).
Data exfiltration pathways — New rules target potential data movement channels, specifically focusing on HTTP POST uploads via curl.exe
on Windows systems and monitoring for large file downloads from Salesforce using osquery (anvilogic-forge/armory
, chainguard-dev/osquery-defense-kit
).
Rule tuning and telemetry adjustments — Existing rules saw refinements: PowerShell obfuscation detection logic was updated, WMI event subscription queries gained flexibility, event log clearing detection expanded, SSH key deletion switched from process to file telemetry, and Cisco Secure Firewall log fields were standardized (elastic/detection-rules
, SigmaHQ/sigma
, Yamato-Security/hayabusa-rules
, splunk/security_content
, sublime-security/sublime-rules
).
Table Of Contents
elastic/detection-rules (+2, ✎3)
chainguard-dev/osquery-defense-kit (+2, ✎1)
phish-report/IOK (+1)
sublime-security/sublime-rules (+6, ✎22)
SigmaHQ/sigma (+3, ✎5)
Yamato-Security/hayabusa-rules (+5, ✎11)
splunk/security_content (+3, ✎19)
Neo23x0/signature-base (+4, ✎3)
rabbitstack/fibratus (+6, ✎1)
☝🏻 Download STIX2 bundle with new rules mentioned in this issue from CTIChef.com:
Corporate repositories (9)
elastic/detection-rules (+2, ✎3)
https://github.com/elastic/detection-rules
+ New rules
Two new detection rules have been added. The first one tracks when new Service Principal credentials are added in Microsoft Entra ID by a user who hasn’t done this in the last 10 days. This suspicious activity uses Azure audit logs to detect potential credential abuse. (Microsoft Entra ID Service Principal Credentials Added by Rare User)
The second rule identifies when AWS STS temporary IAM session tokens are used from multiple IP addresses in a short time. This suggests potential credential theft. The rule uses CloudTrail logs to monitor source IP addresses related to IAM actions. (AWS STS Temporary IAM Session Token Used from Multiple Addresses)
✎ Modified rules
The rule for detecting suspicious WMI event subscriptions on Windows has been updated to include optional operators in the query, improving its flexibility and accuracy across various data structures. (Suspicious WMI Event Subscription Created)
The Azure-related detection rule was renamed to reflect Microsoft's branding update, and its query was refined with added conditions for authentication methods. It excludes multi-factor authentication requirements and now includes MITRE ATT&CK mappings for Brute Force tactics and Password Spraying techniques. (Microsoft Entra ID Rare Authentication Requirement for Principal User)
The SSH authorized keys file deletion rule on Linux was adjusted to switch the data source from process to file. This aligns the detection with the goal of capturing unauthorized key file deletions accurately. (SSH Authorized Keys File Deletion)
anvilogic-forge/armory (+9)
https://github.com/anvilogic-forge/armory
+ New rules
Multiple rules were added for detecting potential data exfiltration via curl.exe
on Windows systems. These rules monitor process creation events using distinct curl arguments that suggest HTTP POST data uploads, with sources including PowerShell, Sysmon, Windows event logs, and EDR logs. (Exfiltration via curl.exe - Windows - PowerShell, Exfiltration via curl.exe - Windows - Sysmon, Exfiltration via curl.exe - Windows - Windows event logs, Exfiltration via curl.exe - Windows - EDR)
Four new detection rules were implemented to track the use of the CreateDecryptor
method in PowerShell activities, which may indicate obfuscated or file-less attacks such as malware unpacking. These rules leverage different telemetry sources, including PowerShell logs, Sysmon, Windows event logs, and EDR data, to identify suspicious script activities. (PowerShell CreateDecryptor - PowerShell, PowerShell CreateDecryptor - Sysmon, PowerShell CreateDecryptor - Windows event logs, PowerShell CreateDecryptor - EDR)
A rule was introduced to detect AWS S3 object uploads that utilize server-side encryption with customer-provided keys (SSE-C). The aim is to identify data uploads that may lack forensic visibility by analyzing specific API call parameters. (AWS S3 Object Encryption with SSE-C)
Cybersec Feeds Overview newsletter consolidates updates from 80+ sources: government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals.
chainguard-dev/osquery-defense-kit (+2, ✎1)
https://github.com/chainguard-dev/osquery-defense-kit
+ New rules
Two new osquery rules have been added to monitor large file downloads from Salesforce, potentially indicating data exfiltration. The first rule targets files exceeding 500KB from Salesforce domains, while the second rule identifies files in Unix-like system Downloads directories that match specific naming patterns and sizes. (Surface Salesforce exports (possible data exfiltration), Salesforce Large Download Detection)
✎ Modified rules
A change was made to the detection rule for Salesforce exports indicating potential data exfiltration. The logic now excludes software downloads matching the path pattern "%/sfc/dist/version/download/%" and concentrates on files created within the last 24 hours, improving focus on more relevant activities. (Surface Salesforce exports (possible data exfiltration))
phish-report/IOK (+1)
https://github.com/phish-report/IOK
+ New rules
A new detection rule was created to spot phishing sites that mimic the PagoPA platform by identifying specific JavaScript libraries and characteristics in the DOM elements. (PagoPA Phishing Kit 019638cd)
sublime-security/sublime-rules (+6, ✎22)
https://github.com/sublime-security/sublime-rules
+ New rules
New rule targets SurveyMonkey surveys linked to newly registered reply-to domains, using beta features for domain age and email profiling. Testing for stability is advised (Service Abuse: SurveyMonkey Survey From Newly Registered Domain).
Introduced a rule for detecting service abuse from newly registered domains by tracking sender identity in the reply-to field. The rule uses beta features to monitor message history and domain age (Generic Service Abuse From Newly Registered Domain).
New rule detects callback phishing through SumUp infrastructure by analyzing email content with regex and text matching. Focus is on fraudulent content from specific sender domains (Callback Phishing: SumUp Infrastructure Abuse).
Added rule to detect phishing emails mimicking Google Account notifications that link to free file hosting services (Service Abuse: Google Account Notification with Links to Free File Host).
New rule to identify callback phishing through calendar invites by evaluating invite descriptions with natural language understanding and sender profile checks. Includes DMARC validation against trusted senders (Callback Phishing via Calendar Invite).
Rule introduced for detecting messages with Adobe Acrobat links that lead to potentially harmful PDFs. Uses computer vision and OCR to analyze document characteristics and content (Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF).
✎ Modified rules
Regex patterns in multiple rules were updated to improve detection logic. The "Spam: Attendee List solicitation" now includes patterns for past thread references to refine detection. The "Attachment: EML with Suspicious Indicators" rule added conditions for detecting EML attachments with HTML body references and sender checks. The "Impersonation: Amazon" rule consolidated evaluations into a regex for better performance. Finally, "Open redirect: Linkedin" now checks URLs for specific path parameters to cover more threats, (Spam: Attendee List Solicitation, Attachment: EML with Suspicious Indicators, Brand impersonation: Amazon, Open redirect: Linkedin).
Improvements in attachment and embedded code analysis were made. The rules for detecting embedded JavaScript in SVG files were refined by adjusting file inputs and script tag evaluations, focusing the logic solely on file content without unrelated sender checks. This applies to "Attachment: EML with Embedded Javascript," "Attachment: Embedded Javascript in SVG file," and "Fake voicemail notification," (Attachment: EML with Embedded Javascript in SVG File, Attachment: Embedded Javascript in SVG file, Fake voicemail notification (untrusted sender)).
Several brand impersonation rules were sharpened for phishing identification. Detection logic updates were made for "Brand Impersonation: Booking.com" by exploiting domain age and now include domain checks. "Brand Impersonation: Microsoft with embedded logo and credential theft language" expanded detection using broader pattern matching in IDs and headers. Additionally, "Brand Impersonation: Netflix" now uses regex for comprehensive checks of impersonations, while "Brand Impersonation: SendGrid" adds logic targeting email sender patterns, (Brand Impersonation: Booking.com, Brand impersonation: Microsoft with embedded logo and credential theft language, Brand impersonation: Netflix, Brand Impersonation: SendGrid).
Rules focusing on QR code detection and phishing were optimized. The "Link: QR Code with suspicious language" and "Link: QR code with phishing disposition" rules now incorporate DMARC checks and domain conditions for stronger sender validation. Meanwhile, detection logic for phishing links with captchas was augmented to tackle sophisticated scams, (Link: QR Code with suspicious language (untrusted sender), Link: QR code with phishing disposition in img or pdf, Credential phishing link (unknown sender)).
The rules concerning misleading notifications and credential theft were revised. The "Impersonation: Human Resources" rule now evaluates the urgency and intent in communications, incorporating content context. The "Fake Fax" rule shifts from link and logo conditions to emphasize fax-related language, and "Link: Multistage Landing - Microsoft Forms Abuse" implements regex-based detection adjustments for phishing indicators, (Impersonation: Human Resources with link or attachment and engaging language, Brand Impersonation: Fake Fax, Link: Multistage Landing - Microsoft Forms Abuse).
The rule "Spam: Fake photo share" was updated to capture a wider range of spam pretexts by including new keywords for better spam theme variation detection. Lastly, "Brand impersonation: Microsoft (QR code)" enhanced its detection logic by adding regex patterns and conditions to refine image and text lure identification, (Spam: Fake photo share, Brand impersonation: Microsoft (QR code)).
panther-labs/panther-analysis (+2)
https://github.com/panther-labs/panther-analysis
+ New rules
Two new detection rules named orca_passthrough.py
and Orca Passthrough
were added. The orca_passthrough.py
rule focuses on checking if the event state status is open, with functions for context creation and severity assessment. It uses deduplication based on severity and alert titles. The Orca Passthrough
rule is designed to re-raise alerts from Orca in Panther for centralized alert management, and it includes test cases for weak hash algorithms, network misconfigurations, and SSH issues. ( orca_passthrough.py, Orca Passthrough )
SigmaHQ/sigma (+3, ✎5)
https://github.com/SigmaHQ/sigma
+ New rules
Two new Sigma rules were introduced to detect exploits related to specific CVEs. One targets suspicious child processes spawned by the CrushFTP service, addressing CVE-2025-31161. The other detects command shell executions within CentreStack environments, potentially exploiting CVE-2025-30406. These rules aim to identify processes that may be used post-exploitation for malicious activity (Suspicious CrushFTP Child Process, Suspicious Process Spawned by CentreStack Portal AppPool).
A new Sigma rule was added to detect suspicious use of command-line padding with whitespace characters in LNK files. This rule focuses on identifying potential hidden payloads by catching discrepancies in command-line length (Suspicious LNK Command-Line Padding with Whitespace Characters).
✎ Modified rules
The detection logic for the "Obfuscated PowerShell OneLiner Execution" rule was updated to replace specific command line patterns with more generalized indicators, focusing on the 'Invoke' keyword, improving pattern recognition for obfuscated PowerShell commands. (Obfuscated PowerShell OneLiner Execution)
Rules regarding event log clearing were modified. "Suspicious Eventlog Clear" now includes checks for 'Eventing.Reader.EventLogSession' and 'Diagnostics.EventLog', with an expanded author list and additional references. "Suspicious Eventlog Clearing or Configuration Change Activity" was improved by modifying detection parameters, renaming SIGMA fields for clarity, and adding extra filtering logic, along with extra authors and references. (Suspicious Eventlog Clear, Suspicious Eventlog Clearing or Configuration Change Activity)
The "Potential Browser Data Stealing" rule was updated to include a reference to a CISA report and added detection for the esentutl.exe utility associated with Akira ransomware. The 'modified' date was also updated. (Potential Browser Data Stealing)
"Potential Binary Impersonating Sysinternals Tools" was improved by adding ARM64 binary paths for Sysinternals tools, updating tags for better alignment with MITRE ATT&CK, and expanding the description for clarity. (Potential Binary Impersonating Sysinternals Tools)
Yamato-Security/hayabusa-rules (+5, ✎11)
https://github.com/Yamato-Security/hayabusa-rules
+ New rules
New Sigma rules were added to detect potential exploitation activities. One monitors processes spawned by CentreStack Portal's 'w3wp.exe' involving 'cmd.exe' and 'portal.config', which may signal CVE-2025-30406 exploitation. Another targets suspicious child processes from CrushFTP, such as bash, cmd, and powershell, indicating possible CVE-2025-31161 exploitation. These are designed to capture signs of malicious behavior linked to specific applications. (Suspicious Process Spawned by CentreStack Portal AppPool, Suspicious CrushFTP Child Process, Suspicious CrushFTP Child Process)
A Sigma rule was introduced to detect suspicious LNK file executions using whitespace padding. It targets process creation logs to spot command-line padding intended to obscure malicious commands. This aims to catch evasion techniques that hide command lines beyond user interface visibility. (Suspicious LNK Command-Line Padding with Whitespace Characters, Suspicious LNK Command-Line Padding with Whitespace Characters)
✎ Modified rules
PowerShell and Event Log Detection Rules:
Several PowerShell and event log related rules were updated. The "Suspicious Eventlog Clear" rule and "Suspicious Eventlog Clearing or Configuration Change Activity" underwent changes to broaden detection criteria for PowerShell script blocks, included new references, and refined command line detection. Meanwhile, the "Obfuscated PowerShell OneLiner Execution" rules focused on improving accuracy by updating detection logic to use 'Invoke' instead of previous patterns. (Suspicious Eventlog Clear, Suspicious Eventlog Clearing or Configuration Change Activity, Obfuscated PowerShell OneLiner Execution, Obfuscated PowerShell OneLiner Execution)
Process Creation Detection Rules:
Rules targeting potential browser data theft and Sysinternals tools masquerading received updates. The "Potential Browser Data Stealing" rule included detection of esentutl.exe
exploitation by adding references and modifying logic for enhanced detection accuracy. The "Potential Binary Impersonating Sysinternals Tools" rule was extended by incorporating ARM64 filename detection and enriching rule descriptions and tags to better align with MITRE ATT&CK. (Potential Browser Data Stealing, Potential Browser Data Stealing, Potential Binary Impersonating Sysinternals Tools, Potential Binary Impersonating Sysinternals Tools)
WMIC and Reconnaissance Detection Updates:
The "Potential Product Class Reconnaissance Via Wmic.EXE" rule was broadened to include antispyware products in detection logic and received additional metadata updates for wider threat coverage. (Potential Product Class Reconnaissance Via Wmic.EXE)
splunk/security_content (+3, ✎19)
https://github.com/splunk/security_content
+ New rules
A new rule detects exploitation attempts on CrushFTP servers using CVE-2025-31161. It focuses on command executions, suspicious processes like mesch.exe, and post-exploitation tactics for unauthorized access. Another rule tracks shell processes initiated by CrushFTP scenarios tied to the same CVE, focusing on EDR process telemetry. These rules together help in identifying unauthorized access and suspicious activity originating from CrushFTP servers (CrushFTP Authentication Bypass Exploitation, Windows Shell Process from CrushFTP).
A new rule monitors and flags when CrushFTP denies access due to an IP exceeding maximum concurrent connections. This is intended to identify potential brute force or automated attacks, using log analysis and established thresholds (CrushFTP Max Simultaneous Users From IP).
✎ Modified rules
Windows Shell Process from CrushFTP rule was promoted to production and expanded with fields for process data to give more context. Description was clarified (Windows Shell Process from CrushFTP).
AWS Bedrock rules were updated to include 'vendor_product' and 'dest' fields in statistics aggregation, refining event context. References for Foundation Model Failures also gained relevant URLs (AWS Bedrock Delete GuardRails, AWS Bedrock High Number List Foundation Model Failures).
Multiple Cisco Secure Firewall rules were refined. Repeated Blocked Connections and High EVE Threat Confidence rules were improved with updated logic and risk field adjustments. Fields were standardized from 'InitiatorIP' and 'ResponderIP' to 'src_ip', 'dest', and 'dest_port'. Specificity and consistency in detection and alerts were the focus (Cisco Secure Firewall - Repeated Blocked Connections, Cisco Secure Firewall - High EVE Threat Confidence, Cisco Secure Firewall - Malware File Downloaded, Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint, Cisco Secure Firewall - Blocked Connection, Cisco Secure Firewall - Communication Over Suspicious Ports, Cisco Secure Firewall - Potential Data Exfiltration, Cisco Secure Firewall - Repeated Malware Downloads).
Connection to File Sharing Domain rule updated field names and conformed output fields for better Splunk integration (Cisco Secure Firewall - Connection to File Sharing Domain).
The Windows Registry Payload Injection rule has been streamlined by removing Sysmon Event IDs and improved with data model joining for improved process detection (Windows Registry Payload Injection).
Personal repositories (3)
Neo23x0/signature-base (+4, ✎3)
https://github.com/Neo23x0/signature-base
+ New rules
New YARA rules were introduced to detect specific ransomware threats. The 'MAL_WIN_Akira_Apr25' rule targets signature patterns linked to Akira ransomware. Meanwhile, 'MAL_WIN_Megazord_Apr25' focuses on identifying unique signatures of the Megazord Ransomware, with an emphasis on the win.akira family detection. (MAL_WIN_Akira_Apr25, MAL_WIN_Megazord_Apr25)
A new YARA rule was developed for Erlang/OTP SSH to identify vulnerabilities related to CVE-2025-32433. This rule outlines detection logic and includes metadata such as authors and references. (VULN_Erlang_OTP_SSH_CVE_2025_32433_Apr25)
A new rule variant addresses VMware Workspace ONE exploit detection (CVE-2022-22954) by logging specific patterns related to potential exploit attempts. Enhancements include strings designed to evade ModSecurity and detect HTTP 302 responses. (LOG_SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_)
✎ Modified rules
The rule "SUSP_shellpop_Bash" was updated for better detection. The detection logic was altered to match any $x* strings while ensuring none of the $fp* strings match. Additionally, the rule now covers base64 encoded reverse shell strings to improve its detection of obfuscated payloads (SUSP_shellpop_Bash).
The "SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_1" rule name saw a change with an extra identifier. The detection score was revised from 70 to 60, and an ASCII-encoded payload string was removed to refine detection and cut down on false positives (SUSP_EXPL_POC_VMWare_Workspace_ONE_CVE_2022_22954_Apr22_1).
rabbitstack/fibratus (+6, ✎1)
https://github.com/rabbitstack/fibratus
+ New rules
New fibratus rules were added to detect suspicious script execution activities. The "Suspicious XSL script execution" identifies execution using WMIC or MSXSL through process creation and DLL loading monitoring. "Suspicious HTML Application script execution" addresses potential malicious use of mshta.exe with command-line pattern recognition. "Potential process creation via shellcode" targets process creation suspicions involving shellcode and unbacked memory stack frames (Suspicious XSL script execution, Suspicious HTML Application script execution, Potential process creation via shellcode)
New fibratus rules were implemented focusing on persistence and credential access threats. "Suspicious Microsoft Office add-in loaded" and "Suspicious print processor loaded" rules detect unsigned modules or DLLs loaded by trusted Microsoft processes. The "Suspicious Vault client DLL load" rule tracks irregular Vault client DLL activity, including exceptions to minimize false alerts (Suspicious Microsoft Office add-in loaded, Suspicious print processor loaded, Suspicious Vault client DLL load).
✎ Modified rules
The detection rule for identifying suspicious port monitor loading was improved by refining the condition to detect only unsigned or untrusted DLL loads by the print spool service. Less specific image signature level checks were removed, streamlining the logic (Suspicious port monitor loaded).
SlimKQL/Hunting-Queries-Detection-Rules (+5)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
A new rule was introduced to detect Azure MCP listening connections on port 5008, monitoring for suspicious command-line activity concerning Azure MCP implementation (Mitigating security risks in MCP implementations).
A detection rule was implemented to identify CVE-2025-24054 NTLM exploit attempts by tracking the creation of '.library-ms' files and related network activity (CVE-2025-24054 NTLM Exploit in the Wild Detection).
A rule has been introduced to detect Chrome extensions with hidden tracking. The rule captures and verifies specific file events, such as creations, modifications, and renames of files ending in .crx, against IDs from SecureAnnex. It was further improved by removing the "FileRenamed" condition to boost performance and focus on relevant events. Query accuracy was maintained by summarizing actions by ExtensionID, reducing dataset processing (Hunting chrome extension with hidden tracking).
A new rule detects overprivileged admin-consented OAuth applications with unnecessary permissions, helping to enforce the principle of least privilege and tighten security (Overprivileged Admin-Consented OAuth Applications).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.