Detections Digest #20250505
This issue highlights changes to detection rules made between Apr 28 and May 5, 2025, from 8 key GitHub repositories, reporting on 46 new rules and 60 updates to existing ones.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Apr 28 and May 5, 2025, contributors added 46 new rules and updated 60 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Endpoint defense evasion and execution — Extensive updates enhance detection of advanced Windows and macOS TTPs, including direct syscalls, memory injection, AMSI/WLDP bypass, LSASS access techniques, Office-based execution vectors, macOS artifact manipulation, and script-based attacks (elastic/protections-artifacts, rabbitstack/fibratus).
Specific vulnerability exploitation response — Rules rapidly address emerging threats by targeting exploit activity for SAP NetWeaver (CVE-2025-31324), Commvault services in Azure, and Apache HTTP Server (CVE-2024-38475) (Neo23x0/signature-base, SlimKQL/Hunting-Queries-Detection-Rules).
Threat intelligence integration in hunting queries — KQL queries leverage TI feeds to proactively hunt for known TTPs such as Mshta execution (T1218.005), Fast Flux C2 infrastructure (T1568.001), and credential theft from web browsers (T1555.003) (SlimKQL/Hunting-Queries-Detection-Rules).
macOS behavioral detection expansion — Significant new coverage for macOS monitors suspicious screen captures, curl+execution combos, osascript activity, in-memory JXA, Python process killing, Launchpad hijacks, Finder cache modifications, and C2 patterns involving OAST domains or S3 connections (elastic/protections-artifacts).
Windows Defender tampering detection — New rules specifically target attempts to disable or weaken Windows Defender protections by modifying registry settings or adding suspicious exclusions (rabbitstack/fibratus).
Anomalous Linux/macOS network and process activity — Osquery rules identify unusual HTTPS communications from unexpected programs and monitor for anomalous long-running root processes, with refinements to exclude common developer and system utilities (chainguard-dev/osquery-defense-kit).
Table Of Contents
sublime-security/sublime-rules (+9, ✎6)
chainguard-dev/osquery-defense-kit (+1, ✎2)
elastic/protections-artifacts (+17, ✎43)
🔔 All new rules in this issue are available for download as a STIX2 bundle JSON file:
Corporate repositories (6)
elastic/detection-rules (+6)
https://github.com/elastic/detection-rules
+ New rules
New rules have been added to monitor Microsoft Entra ID and Microsoft 365 activities. "Microsoft Entra ID Protection Anonymized IP Risk Detection" identifies sign-ins from anonymized IPs using KQL in the azure.identity_protection dataset. "Multiple Microsoft Entra ID Protection Alerts by User Principal" finds multiple alerts for a user within ten minutes, suggesting possible account compromise. "Microsoft Graph First Occurrence of Client Request" detects new client app IDs requesting access to the Microsoft Graph API for a specific tenant and user, using elastic-siem, indicating potential unauthorized access. (Entra Anonymized IP, Entra Alerts, Graph First Occurrence)
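The two aggregation patterns behind these Entra rules (a per-user alert count inside a sliding ten-minute window, and a first-occurrence check keyed on tenant and user) are easy to reproduce outside the SIEM. The example below is added for this digest and is not code from elastic/detection-rules; the sample alerts and Graph requests are constructed, and the threshold of three alerts per window is an assumption of the example (the rule summary gives only the ten-minute window).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). Each alert mimics an Entra ID
# Protection risk detection: (timestamp, user principal name, risk event type).
SAMPLE_ALERTS = [
    ("2025-05-01T10:00:00", "alice@example.test", "anonymizedIPAddress"),
    ("2025-05-01T10:03:00", "alice@example.test", "unfamiliarFeatures"),
    ("2025-05-01T10:07:00", "alice@example.test", "passwordSpray"),
    ("2025-05-01T10:00:00", "bob@example.test", "unfamiliarFeatures"),
    ("2025-05-01T10:30:00", "bob@example.test", "anonymizedIPAddress"),
    ("2025-05-01T11:00:00", "bob@example.test", "passwordSpray"),
]

# Constructed Microsoft Graph access events: (timestamp, tenant id, user, client app id).
SAMPLE_GRAPH_REQUESTS = [
    ("2025-05-01T09:00:00", "tenant-a", "alice@example.test", "app-1111"),
    ("2025-05-01T09:05:00", "tenant-a", "alice@example.test", "app-1111"),
    ("2025-05-01T09:10:00", "tenant-a", "alice@example.test", "app-9999"),
    ("2025-05-01T09:12:00", "tenant-a", "bob@example.test", "app-1111"),
]


def users_with_alert_burst(alerts, window=timedelta(minutes=10), threshold=3):
    """Return the set of users that accumulate `threshold` or more alerts
    inside any sliding `window`. The 10-minute window comes from the rule
    description; the threshold of 3 is an assumption of this example."""
    recent = defaultdict(deque)  # user -> alert timestamps inside the current window
    flagged = set()
    for ts, user, _risk_type in sorted(alerts):
        t = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(t)
        while t - q[0] > window:  # evict alerts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return flagged


def first_seen_client_requests(events, baseline):
    """Return events whose (tenant, user, client app id) triple has not been
    seen before. `baseline` holds the triples learned during a look-back
    period; because the key includes the user, a known app used by a new
    user is still a first occurrence for that user."""
    seen = set(baseline)
    new_requests = []
    for ts, tenant, user, app_id in sorted(events):
        key = (tenant, user, app_id)
        if key not in seen:
            seen.add(key)
            new_requests.append((ts, tenant, user, app_id))
    return new_requests


if __name__ == "__main__":
    print("alert burst:", users_with_alert_burst(SAMPLE_ALERTS))
    known = {("tenant-a", "alice@example.test", "app-1111")}
    for hit in first_seen_client_requests(SAMPLE_GRAPH_REQUESTS, known):
        print("first-seen client:", hit)
```

With the constructed data only alice trips the burst rule (three alerts in seven minutes), and the first-seen check reports app-9999 for alice plus app-1111 for bob, because bob has never used that client even though alice has.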
A new rule detects phishing in Microsoft 365 OAuth flows. "Microsoft 365 OAuth Phishing via Visual Studio Code Client" spots suspicious OAuth phishing attempts using the Visual Studio Code client ID, aiming to misuse Microsoft Graph resources. (OAuth Phishing VS Code)
The "Microsoft 365 OAuth Redirect to Device Registration for User Principal" rule identifies new device registration attempts post OAuth authentication, which may indicate OAuth phishing. The rule is now in production. (OAuth Redirect Device Registration)
Finally, in AWS, "AWS S3 Static Site JavaScript File Uploaded" detects suspicious JavaScript file uploads to S3 static site directories, monitoring PutObject actions in static/js/ paths via CloudTrail logs, to spot unauthorized web content changes. (AWS S3 JS Upload)
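The CloudTrail filter that rule describes comes down to three checks on each record: the event is an S3 PutObject, the object key sits under static/js/, and the object is a .js file. The example below is added here and is not the elastic/detection-rules query; the records are constructed (account id, bucket, keys and identities are made up) and follow the CloudTrail S3 data-event layout, and the optional allowlist of expected writers is an assumption of the example for keeping the CI deploy role out of the results.

```python
import json

# Constructed CloudTrail S3 data-event records. Field names follow the CloudTrail
# record layout (eventSource, eventName, userIdentity.arn,
# requestParameters.bucketName/key); all values are made up for this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-05-01T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci-deploy"},
     "requestParameters": {"bucketName": "www-example-site",
                           "key": "static/js/app.bundle.js"}},
    {"eventTime": "2025-05-01T08:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/marketing"},
     "requestParameters": {"bucketName": "www-example-site",
                           "key": "static/img/hero.png"}},
    {"eventTime": "2025-05-01T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/marketing"},
     "requestParameters": {"bucketName": "www-example-site",
                           "key": "static/js/app.bundle.js"}},
    {"eventTime": "2025-05-01T23:41:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/marketing"},
     "requestParameters": {"bucketName": "www-example-site",
                           "key": "static/js/vendor.min.js"}},
]})

JS_PREFIX = "static/js/"  # directory convention named in the rule summary


def suspicious_js_uploads(cloudtrail_json, expected_writers=frozenset()):
    """Return (eventTime, arn, bucket, key) for every PutObject that lands a
    .js file under static/js/. `expected_writers` is an optional allowlist of
    principal ARNs (for example the CI deploy role) that normally publish."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") != "PutObject":
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key", "")
        # match the prefix anywhere in the key so site-level prefixes are covered
        if JS_PREFIX not in key or not key.lower().endswith(".js"):
            continue
        arn = (rec.get("userIdentity") or {}).get("arn", "")
        if arn in expected_writers:
            continue
        hits.append((rec.get("eventTime"), arn, params.get("bucketName"), key))
    return hits


if __name__ == "__main__":
    for hit in suspicious_js_uploads(SAMPLE_CLOUDTRAIL, {"arn:aws:iam::111111111111:role/ci-deploy"}):
        print("unexpected JS upload:", hit)
```

Without the allowlist both JavaScript writes are reported; with the deploy role allowlisted only the late-night vendor.min.js upload by the marketing user remains, which is the kind of out-of-band content change the rule is after.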
sublime-security/sublime-rules (+9, ✎6)
https://github.com/sublime-security/sublime-rules
+ New rules
New rules have been introduced to improve the detection of callback phishing attempts. These include analyses targeting AOL senders with suspicious HTML templates or PDFs and phishing using Xodo Sign comments by examining keywords, brand names, and phone numbers in messages. (Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment, Callback Phishing via Xodo Sign comment)
Several rules have been added to detect service abuses and email-based threats. These include detecting Adobe Sign notifications with unsolicited reply-to addresses and HelloSign messages from unknown senders, focusing on identifying new and suspicious email headers and addresses to prevent BEC/Fraud and credential phishing. (Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address, Service Abuse: HelloSign From an Unsolicited Sender Address)
New detection rules target URL-based threats, such as a rule for open redirects exploiting business.google.com URL parameters to counter phishing that misuses the 'f' parameter and detecting direct links to gamma.app presentations in present mode to protect against credential and malware attacks. (Open Redirect: business.google.com website_shared URL Param, Link: Direct Link to gamma.app Presentation in Present Mode)
A new rule identifies brand impersonation of AliExpress by scanning email content for specific footer text and social media links, which improves the detection of phishing attacks that use brand impersonation to deceive users. (Brand Impersonation: AliExpress)
Detection for ScreenConnect installers with suspicious relay domains has been added, using 'ml.link_analysis' to analyze URLs, files, and content. This seeks out potential malware or social engineering in remote access tool abuse. (Link: ScreenConnect Installer With Suspicious Relay Domain)
A rule that detects fake voicemail attempts through single-page PDFs with URLs or QR codes helps to identify credential phishing attacks masked as voicemail notifications. (Attachment: Fake Voicemail via PDF)
✎ Modified rules
The "Credential phishing link (unknown sender)" rule was updated to include a new check that filters out domains with a high number of links, potentially improving phishing detection accuracy by refining detection criteria to better isolate unknown sender threats (Credential phishing link (unknown sender)).
The "Brand impersonation: DocuSign branded attachment lure with no DocuSign links" rule underwent two updates: one on profile usage shifting from profile.by_sender() to profile.by_sender_email() to improve sender email-specific profiling, and another to refine legitimate document exclusion criteria by including Adobe Sign and adjusting conditions related to page count and string length, aiming to reduce false positives (Brand impersonation: DocuSign).
The "Suspicious message with unscannable Cloudflare link" rule was updated to detect links ending with '.exe' in email bodies, increasing detection rates for malicious emails distributing executable files (Suspicious message with unscannable Cloudflare link).
The "Open Redirect: adnxs.com" rule logic was enhanced to recognize a second form of open redirect via secure.adnxs.com domain using the 'redir=' parameter, and to target 'getuid' and 'redir' parameters specifically in different adnxs domains, preventing undesired redirects (Open Redirect: adnxs.com).
The "Salesforce Infrastructure Abuse" rule was updated for enhanced phishing detection by including logo detection for Facebook, Meta, and Instagram, checking for links with base64 encoded email addresses, and assessing for Cloudflare turnstile or phishing warning pages (Salesforce Infrastructure Abuse).
📰 Cybersec Feeds Overview newsletter consolidates updates from 80+ sources: government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals.
chainguard-dev/osquery-defense-kit (+1, ✎2)
https://github.com/chainguard-dev/osquery-defense-kit
+ New rules
A new osquery rule was added to detect unusual programs communicating over HTTPS. It uses process open sockets and process metadata to identify abnormal network connections while excluding common legitimate processes. This rule helps to uncover potential command and control or other malicious activity on Linux systems (Unexpected programs communicating over HTTPS (state-based)).
✎ Modified rules
The rule "Unexpected programs communicating over HTTPS (state-based)" had its exception list updated to eliminate false positives tied to common developer tools and system utilities. This includes the removal of specific alt_exception_key entries, refining the rule to reduce noise and better target genuine threats (Unexpected programs communicating over HTTPS (state-based)).
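The state-based HTTPS rule above, and the exception-key tuning described for it, both rest on one join: rows from osquery's process_open_sockets table matched to the processes table on pid, with port 443 connections kept and an allowlist keyed on process name and path filtered out. The example below is added for this digest and is not the osquery-defense-kit query; the table rows and the exception keys are constructed for the example (the kit's real exception_key and alt_exception_key lists are not reproduced here).

```python
# Constructed rows shaped like osquery's process_open_sockets and processes
# tables; pids, addresses and paths are made up for this example.
PROCESS_OPEN_SOCKETS = [
    {"pid": 4101, "remote_port": 443, "remote_address": "203.0.113.10", "state": "ESTABLISHED"},
    {"pid": 4102, "remote_port": 443, "remote_address": "198.51.100.20", "state": "ESTABLISHED"},
    {"pid": 4103, "remote_port": 443, "remote_address": "192.0.2.30", "state": "ESTABLISHED"},
    {"pid": 4104, "remote_port": 22, "remote_address": "192.0.2.40", "state": "ESTABLISHED"},
    {"pid": 4105, "remote_port": 443, "remote_address": "203.0.113.11", "state": "ESTABLISHED"},
]
PROCESSES = {
    4101: {"name": "firefox", "path": "/usr/lib/firefox/firefox", "cmdline": "/usr/lib/firefox/firefox"},
    4102: {"name": "curl", "path": "/usr/bin/curl", "cmdline": "curl https://example.test/"},
    4103: {"name": "updater", "path": "/tmp/.cache/updater", "cmdline": "/tmp/.cache/updater -s"},
    4104: {"name": "ssh", "path": "/usr/bin/ssh", "cmdline": "ssh host.example.test"},
    4105: {"name": "python3", "path": "/usr/bin/python3.12", "cmdline": "python3 /home/dev/.local/x.py"},
}

# Exception list keyed on "name,path", mirroring the idea of an exception_key
# column. These keys are constructed for the example, not copied from the kit.
EXPECTED_HTTPS_PROGRAMS = {
    "firefox,/usr/lib/firefox/firefox",
    "curl,/usr/bin/curl",
}


def unexpected_https_programs(sockets, processes, exceptions=EXPECTED_HTTPS_PROGRAMS):
    """Join open sockets to their owning process and return the established
    port-443 connections whose name,path key is not on the exception list."""
    findings = []
    for sock in sockets:
        if sock["remote_port"] != 443 or sock["state"] != "ESTABLISHED":
            continue
        proc = processes.get(sock["pid"])
        if proc is None:  # process exited between the two table reads
            continue
        exception_key = f"{proc['name']},{proc['path']}"
        if exception_key in exceptions:
            continue
        findings.append({
            "pid": sock["pid"],
            "name": proc["name"],
            "path": proc["path"],
            "cmdline": proc["cmdline"],
            "remote": sock["remote_address"],
            "exception_key": exception_key,  # what an analyst would add to tune the rule
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_https_programs(PROCESS_OPEN_SOCKETS, PROCESSES):
        print(f"{f['name']} ({f['path']}) -> {f['remote']}  key={f['exception_key']}")
```

Emitting the exception key alongside each finding is what makes the tuning loop described in the modified-rule entry cheap: a false positive is resolved by copying its key into the exception set rather than rewriting the query.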
The rule "Unexpected long-running processes running as root" was modified to exclude the executable path '/opt/finch/bin/socket_vmnet' from being flagged. This change addresses false positives by treating this service as expected when it runs for long durations (Unexpected long-running processes running as root).
elastic/protections-artifacts (+17, ✎43)
https://github.com/elastic/protections-artifacts
+ New rules
Several new rules were created to improve detection on macOS systems. These include rules for identifying suspicious image creation via ScreenCapture, payload delivery through Curl with immediate execution, and temporary binary execution via osascript. Rules also target defense evasion tactics such as in-memory JXA execution via ScriptingAdditions, killall execution via Python, Launchpad hijack, suspicious script-based deobfuscation, and Finder cache file modifications. Additional rules cover command and control actions such as detecting Curl local file operations via osascript and network connections to .oast domains, as well as suspicious binaries connecting to AWS S3 and executable downloads using Curl. (Suspicious Image Creation via ScreenCapture, Payload Delivery via Curl and Immediate Execution, Temporary Binary Execution via Osascript, In-Memory JXA Execution via ScriptingAdditions, Killall Execution via Python, Launchpad Hijack, Suspicious Deobfuscation via Shell Script, Suspicious Finder Cache File Modification, Curl Local File Read or Write via Osascript, Network Connection to Oast Domain via Package Service or Script, Suspicious Binary AWS S3 Connection, Suspicious Executable Download via Curl)
Windows rules focus on detecting attempts to access sensitive registry keys for credential theft, COM to .NET redirection, direct syscalls from unsigned modules, image load via synthetic stack spoofing, and suspicious changes to Windows Core Modules for defense evasion. These rules aim to improve detection capabilities on Windows systems against various evasion and credential access techniques. (Remote Access to Sensitive Registry Keys, COM to .NET Redirection via Registry, Direct Syscall from Unsigned Module, Image Load via Synthetic Stack Spoofing, Suspicious Windows Core Module Change)
✎ Modified rules
Several Linux rules received updates to improve exclusion logic and detection accuracy, relying on conditions like process.executable and fixing entity fields in actions. Updates add more executables and paths to exception lists. (Linux Base64 Descendant Egress Network Connection, Linux Powershell Suspicious Child Process, Suspicious Echo Execution)
Multiple Windows rules were modified to refine detection queries and exclusions, focusing on improving detection accuracy and reducing false positives. Changes include adjusting operators, adding API behaviors, and updating exclusion lists. (Potential Remote Desktop Protocol Tunneling, Potential Known TCP Port Traffic Tunneling, LSASS Access Attempt from an Unsigned Executable, LSASS Access Attempt via PPL Bypass, Potential Browser Debugging via Localhost, Attempt to Hide Files via Registry Modification, AMSI or WLDP Bypass via Memory Patching, Delayed Common Language Runtime Load, Direct Syscall via Assembly Bytes, Image Hollow from Unusual Stack)
MacOS rules were revised to improve detection capabilities and exclude non-suspicious activities. The update on Discovery Result Written to a Suspicious File via Discovery Process involved adding more paths to exceptions, especially for Jamf-managed environments. Suspicious File Attribute Clearing included a specific check for attribute removal actions. (Discovery Result Written to a Suspicious File via Discovery Process, Suspicious File Attribute Clearing)
Additional Windows security rules received targeted improvements focusing on API call detection, new exclusions, and false positive reduction. Notable updates include logic refinement and additional exclusions in Potential Injection via Asynchronous Procedure Call, Potential LogonUser API Hooking, and Potential NTDLL Memory Unhooking, among others. (Potential Injection via Asynchronous Procedure Call, Potential LogonUser API Hooking, Potential NTDLL Memory Unhooking)
Various Windows rules addressing shellcode and memory injection were updated. Changes focus on modifying condition operators, excluding benign software processes, and adding more indicators of suspicious behavior. Examples include Potential Shellcode Injection via Node.js, Potential Shellcode Fluctuation v1, and Shellcode Execution via Python Script. (Potential Shellcode Injection via Node.js, Potential Shellcode Fluctuation v1, Shellcode Execution via Python Script)
Rules detecting suspicious behaviors and system exploitation techniques on Windows were strengthened, updating logic and exclusion lists. Rules impacted include WriteProcessMemory to Suspicious Memory Location, Execution via Obfuscated Windows Script, and Remote Process Memory Write by Low Reputation Module, among others. (WriteProcessMemory to Suspicious Memory Location, Execution via Obfuscated Windows Script, Remote Process Memory Write by Low Reputation Module)
splunk/security_content (✎1)
https://github.com/splunk/security_content
✎ Modified rules
The detection query in the "Detect Remote Access Software Usage Process" rule was updated to improve accuracy by using the inputlookup command to filter processes. The rule version was changed from 8 to 9, and the date was updated. (Detect Remote Access Software Usage Process)
Personal repositories (3)
Neo23x0/signature-base (+3)
https://github.com/Neo23x0/signature-base
+ New rules
Two new YARA rules target SAP NetWeaver exploitation linked to CVE-2025-31324. 'APT_SAP_NetWeaver_Exploitation_Activity_Apr25_1' focuses on specific file paths and commands used in SAP NetWeaver attacks, while 'APT_SAP_NetWeaver_Exploitation_Activity_Apr25_2' detects MSBuild.exe execution from the c:\programdata\ directory. Both rules improve detection of SAP NetWeaver-related threats, adding layers of protection against exploitation attempts (APT_SAP_NetWeaver_Exploitation_Activity_Apr25_1, APT_SAP_NetWeaver_Exploitation_Activity_Apr25_2).
The YARA rule 'LOG_SUSP_WEBSHELL_Cmd_Indicator_Apr25' was introduced to detect patterns associated with web shell activity. It identifies suspicious 'cmd' parameters in ASP, ASPX, JSP, and PHP files using regex. This improves the detection of web shell command execution, thereby strengthening security measures (LOG_SUSP_WEBSHELL_Cmd_Indicator_Apr25).
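The LOG_ rule above is a log-scanning YARA rule: it looks for a cmd parameter in requests to script files rather than in file contents. The same indicator can be checked by any log pipeline, which is what the added example below does. It is not the signature-base rule and does not reproduce its regex; it parses Common Log Format lines with a regular expression, then inspects the query string properly so that a value that merely contains the word "cmd" does not match. The access-log lines are constructed, with addresses from documentation ranges.

```python
import re
from urllib.parse import parse_qs

# Constructed web-server access-log lines in Common Log Format. Addresses are
# documentation-range IPs and the requests are made up for this example.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [30/Apr/2025:10:01:02 +0000] "GET /uploads/img.aspx?cmd=whoami HTTP/1.1" 200 512
203.0.113.5 - - [30/Apr/2025:10:01:09 +0000] "GET /uploads/img.aspx?cmd=dir%20c%3A%5C HTTP/1.1" 200 2048
198.51.100.7 - - [30/Apr/2025:10:02:00 +0000] "GET /search.php?q=cmd+shortcuts HTTP/1.1" 200 8192
198.51.100.7 - - [30/Apr/2025:10:02:30 +0000] "GET /docs/cmd.html?cmd=print HTTP/1.1" 200 1024
192.0.2.9 - - [30/Apr/2025:10:03:00 +0000] "POST /tmp/x.jsp?CMD=id HTTP/1.1" 200 64
"""

# client ip, method and request target from a CLF line
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# server-side script extensions named in the rule summary
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".jsp", ".php")


def webshell_cmd_indicators(log_text):
    """Return (client, path, cmd value) for requests to a script file whose
    query string carries a 'cmd' parameter (parameter name matched
    case-insensitively, value URL-decoded)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        if "cmd" not in params:
            continue
        hits.append((m.group("client"), path, params["cmd"][0]))
    return hits


if __name__ == "__main__":
    for client, path, value in webshell_cmd_indicators(SAMPLE_ACCESS_LOG):
        print(f"{client} {path} cmd={value!r}")
```

Two of the constructed lines are deliberate near-misses: the search.php request has "cmd" only inside a value, and the .html request is not a script file; neither is reported. Note that access logs carry only the query string, so a cmd parameter sent in a POST body is invisible to this check and needs request-body logging or a WAF to see.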
rabbitstack/fibratus (+4, ✎6)
https://github.com/rabbitstack/fibratus
+ New rules
Two new rules for detecting defense evasion methods were introduced. "DLL Side-Loading via Microsoft Office dropped file" identifies when a Microsoft Office process creates a DLL or executable that is then loaded by another trusted binary, using a sequence of file creation and DLL loading events. "Microsoft Office file execution via script interpreter" detects the execution of executable files created by Office processes through Windows script interpreters, focusing on phishing attempts with malicious executables in Office documents, using a sequence of create_file and spawn_process events (DLL Side-Loading via Microsoft Office dropped file, Microsoft Office file execution via script interpreter).
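Both Fibratus rules above are two-stage sequences: remember the executable files an Office process writes, then alert when a later event consumes one of them, either an image load by a different process or a process spawned by a script interpreter. The example below reproduces that correlation in plain Python; it is added for this digest and is not Fibratus rule code or its event schema. The event stream is constructed (paths, pids and process names are made up), the 30-minute memory for dropped paths is an assumption, and mshta.exe is included among the interpreters as an assumption beyond the two named in the summary.

```python
from datetime import datetime, timedelta

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # mshta.exe: assumption
DROPPED_EXTENSIONS = (".dll", ".exe")

# Constructed event stream. Each dict mimics what an endpoint sensor records for
# file creation, image load and process spawn; all values are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T12:00:00", "type": "create_file", "pid": 500, "name": "winword.exe",
     "file": r"C:\Users\u\AppData\Local\Temp\version.dll"},
    {"ts": "2025-05-01T12:00:01", "type": "create_file", "pid": 500, "name": "winword.exe",
     "file": r"C:\Users\u\AppData\Local\Temp\report.docx"},
    {"ts": "2025-05-01T12:00:02", "type": "create_file", "pid": 500, "name": "winword.exe",
     "file": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"ts": "2025-05-01T12:00:06", "type": "load_image", "pid": 610, "name": "onedrive.exe",
     "file": r"C:\Users\u\AppData\Local\Temp\VERSION.DLL"},
    {"ts": "2025-05-01T12:00:09", "type": "spawn_process", "pid": 620, "name": "update.exe",
     "parent_name": "wscript.exe", "image": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"ts": "2025-05-01T12:00:12", "type": "spawn_process", "pid": 630, "name": "update.exe",
     "parent_name": "explorer.exe", "image": r"C:\Users\u\AppData\Local\Temp\update.exe"},
]


def correlate_office_drops(events, max_gap=timedelta(minutes=30)):
    """Return (rule, office process, dropped path, consumer) tuples.
    Stage 1 records .dll/.exe files written by Office; stage 2 fires when a
    different process loads one (side-loading) or a script interpreter
    spawns one. `max_gap` bounds how long a drop is remembered (assumption)."""
    dropped = {}  # normalized path -> (time, office pid, office process name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "create_file" and ev["name"] in OFFICE_PROCESSES:
            path = ev["file"].lower()  # Windows paths are case-insensitive
            if path.endswith(DROPPED_EXTENSIONS):
                dropped[path] = (t, ev["pid"], ev["name"])
            continue
        if ev["type"] == "load_image":
            hit = dropped.get(ev["file"].lower())
            if hit and ev["pid"] != hit[1] and t - hit[0] <= max_gap:
                alerts.append(("DLL side-loading via Office dropped file",
                               hit[2], ev["file"].lower(), ev["name"]))
        elif ev["type"] == "spawn_process" and ev.get("parent_name") in SCRIPT_INTERPRETERS:
            hit = dropped.get(ev["image"].lower())
            if hit and t - hit[0] <= max_gap:
                alerts.append(("Office file execution via script interpreter",
                               hit[2], ev["image"].lower(), ev["parent_name"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate_office_drops(SAMPLE_EVENTS):
        print(alert)
```

The .docx write is ignored by the extension filter, the DLL load matches despite the differing path case, and the last spawn (parent explorer.exe) stays silent because the second rule is scoped to script interpreters; the two remaining events produce one alert each.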
Two rules focusing on Windows Defender tampering were introduced. "Windows Defender protection tampering via registry" detects processes modifying Defender settings via registry to disable protection. "Suspicious Windows Defender exclusions registry modification" identifies suspicious changes to Defender exclusions in the registry, targeting defense evasion attempts (Windows Defender protection tampering via registry, Suspicious Windows Defender exclusions registry modification).
✎ Modified rules
Several rules were refined to reduce false positives. The "Suspicious Vault client DLL load" rule removed false positives related to svchost.exe and added exceptions for specific executables. Meanwhile, the "Potential SAM hive dumping" rule incorporated svchost.exe into allowed executables and expanded exclusions. The "Suspicious DLL loaded via memory section mapping" rule now excludes firefox.exe, minimizing noise from legitimate activities. Lastly, the "Suspicious object symbolic link creation" rule added spoolsv.exe and csrss.exe to allowed processes and excluded certain symbolic links, all to improve detection accuracy (Suspicious Vault client DLL load, Potential SAM hive dumping, Suspicious DLL loaded via memory section mapping, Suspicious object symbolic link creation).
Detection logic updates were added to several rules. The "Process execution from a self-deleting binary" modified detections by adjusting the list of relevant executables and removing the command line match section to improve coverage. The "Macro execution via script interpreter" rule fixed a process tree relationship, refocusing its sequence relationship (Process execution from a self-deleting binary, Macro execution via script interpreter).
SlimKQL/Hunting-Queries-Detection-Rules (+6)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
Detection rules for specific vulnerabilities and exploits have been introduced. A rule was added to spot potential Commvault exploitation in Azure by analyzing AzureActivity and SigninLogs for connections from known bad IPs. Another rule targets CVE-2025-31324 exploitation attempts on SAP NetWeaver servers by tracking processes on internet-facing devices. Additionally, a rule for the CVE-2024-38475 Apache HTTP Server improper output escaping vulnerability flags old server versions in DeviceProcessEvents. (Detecting Commvault Exploitation in Azure, Hunting CVE-2025-31324, CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability)
New rules apply threat intelligence (TI) feeds to several attacker techniques. A rule for Mshta threats correlates TI indicators across different event types and maps to MITRE ID T1218.005. Another rule spots the Fast Flux technique (T1568.001) by analyzing DNS connections for malicious activity matched against TI indicators. An additional rule detects web browser credential theft (T1555.003) using TI data to classify and sort threats for prioritization. (Threat Hunting Mshta with Sentinel TI, Uncovering Fast Flux with Sentinel Threat Intelligence, T1555.003 - Credentials from Web Browsers)
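The Fast Flux hunt combines two things a KQL query would do with a join: a per-domain cardinality check (many distinct resolved addresses with short TTLs) and a match of the observed domains and addresses against a TI indicator set. The example below is added for this digest and is not the SlimKQL query; the DNS events and the indicator set are constructed, and the thresholds of five distinct IPs and a 300-second TTL are assumptions of the example rather than values taken from the rule.

```python
from collections import defaultdict

# Constructed DNS resolution events: (queried domain, resolved ip, ttl seconds).
SAMPLE_DNS_EVENTS = [
    ("cdn-update.example.test", "203.0.113.11", 60),
    ("cdn-update.example.test", "203.0.113.12", 60),
    ("cdn-update.example.test", "198.51.100.21", 60),
    ("cdn-update.example.test", "198.51.100.22", 60),
    ("cdn-update.example.test", "192.0.2.31", 60),
    ("www.example.test", "203.0.113.50", 3600),
    ("www.example.test", "203.0.113.51", 3600),
    ("login-verify.example.test", "192.0.2.99", 300),
]

# Constructed threat-intelligence indicators, standing in for the domain and IP
# entries a TI indicator table would hold.
SAMPLE_TI = {
    "domains": {"login-verify.example.test"},
    "ips": {"192.0.2.31"},
}


def hunt_dns(events, ti, min_distinct_ips=5, max_ttl=300):
    """Return one finding per domain that either looks like fast flux (at least
    `min_distinct_ips` distinct answers, all with TTL <= `max_ttl`) or matches
    a TI domain or TI IP. Thresholds are assumptions of this example."""
    per_domain = defaultdict(lambda: {"ips": set(), "max_ttl": 0})
    for domain, ip, ttl in events:
        entry = per_domain[domain]
        entry["ips"].add(ip)
        entry["max_ttl"] = max(entry["max_ttl"], ttl)

    findings = []
    for domain, entry in sorted(per_domain.items()):
        fast_flux = len(entry["ips"]) >= min_distinct_ips and entry["max_ttl"] <= max_ttl
        ti_domain = domain in ti["domains"]
        ti_ips = sorted(entry["ips"] & ti["ips"])  # the join against TI IP indicators
        if fast_flux or ti_domain or ti_ips:
            findings.append({
                "domain": domain,
                "distinct_ips": len(entry["ips"]),
                "fast_flux": fast_flux,
                "ti_domain_match": ti_domain,
                "ti_ip_matches": ti_ips,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_dns(SAMPLE_DNS_EVENTS, SAMPLE_TI):
        print(finding)
```

On the constructed data the cdn-update domain is flagged on behaviour alone (five short-TTL answers) and additionally overlaps one TI IP, while login-verify is reported purely on the TI domain match; www.example.test, with two long-TTL answers, is left out. Carrying both signals in the finding is what lets a triage queue rank a behavioural hit that also has TI corroboration above one that has either alone.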
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.
The combined stix2 link doesn't work