This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between May 5 and May 12, 2025, contributors added 80 new rules and updated 19 existing ones.

Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.

Key Takeaways

Remote .msi installation detection — An extensive set of new rules was added to identify remote .msi installations, enhancing detection of msiexec.exe abuse for executing malicious payloads (anvilogic-forge/armory).

Data exfiltration via AWS CLI — New rules detect data exfiltration using AWS CLI on both *nix and Windows systems, focusing on suspicious use of commands for recursive copying to custom S3 endpoints (anvilogic-forge/armory).

PowerShell obfuscation techniques — Numerous rules were added focusing on detecting PowerShell obfuscation via various methods like special character overuse, string concatenation, and reverse keywords, presenting a strong strategic emphasis on identifying PowerShell-based threats (elastic/detection-rules).

Linux-focused threat detection — Enhanced Linux detection rules focus on identifying unusual activities such as suspicious child processes from kernel threads, use of LD_PRELOAD and LD_LIBRARY_PATH, and potential data exfiltration through curl or hex payload execution (elastic/detection-rules).

Exchange Online and Graph API accesses — Focused detection of suspicious mailbox delegation and email access via Graph API in Exchange Online, aimed at recognizing unauthorized content access and potential security breaches (elastic/detection-rules).

Golden Chickens malware detection — Introduction of detection rules specifically targeting Golden Chickens malware such as TerraLogger and TerraStealerV2 activities, highlighting an initiative to combat noted malicious toolkits (SlimKQL/Hunting-Queries-Detection-Rules).

Table Of Contents

• Corporate repositories (6)

  • anvilogic-forge/armory (+10)

  • elastic/protections-artifacts (+7, ✎2)

  • panther-labs/panther-analysis (✎1)

  • chainguard-dev/osquery-defense-kit (+1)

  • sublime-security/sublime-rules (+10, ✎7)

  • elastic/detection-rules (+36, ✎1)

• Personal repositories (2)

  • SlimKQL/Hunting-Queries-Detection-Rules (+8, ✎1)

  • alexverboon/Hunting-Queries-Detection-Rules (+8)

• Feedback

• Disclaimer

• Powered by

🔔 All new rules in this issue are available for download as a STIX2 bundle:

Corporate repositories (8)

anvilogic-forge/armory (+10)

https://github.com/anvilogic-forge/armory

+ New rules

Several rules have been added or improved for detecting remote .msi installations via msiexec.exe, a technique often used by adversaries. These rules focus on identifying the installation of .msi packages from remote locations, using various data sources such as Splunk, Sysmon, EDR, and PowerShell. They identify command-line executions, process monitoring, and event logs indicative of remote payload execution, enhancing detection coverage for the System Binary Proxy Execution technique (T1218.007). (Remote .msi Installation - Splunk Sysmon, Remote .msi Installation - Snowflake Crowdstrike FDR Process, Remote .msi Installation - Splunk EDR, Remote .msi Installation - Splunk Winevent, Remote .msi Installation - Splunk PowerShell)

New rules have been added to detect data exfiltration attempts using the AWS CLI on both *nix and Windows systems. The rules specifically identify the use of 's3 cp' command with the recursive, region, and custom endpoint URL flags indicative of transferring data to unauthorized S3-compatible storage. Multiple data sources such as EDR, Unix, and Winevent logs are utilized for monitoring these suspicious activities. (Data Exfiltration via AWS CLI - *nix Splunk EDR, Data Exfiltration via AWS CLI - Windows Splunk EDR, Data Exfiltration via AWS CLI - *nix Splunk Unix, Data Exfiltration via AWS CLI - Windows Splunk Sysmon, Data Exfiltration via AWS CLI - Windows Splunk Winevent)

elastic/protections-artifacts (+7, ✎2)

https://github.com/elastic/protections-artifacts

+ New rules

New rules in the 'elastic-edr' language have been added to detect various attack techniques. The "Asynchronous Procedure Call from Unusual Module" rule identifies attempts to queue an APC to a remote process, indicating possible remote code injection, while excluding trusted sources. The "Evasion via Sleep API Hooking" rule detects hooking of the Sleep function, a technique used by malware for evasion, by monitoring specific API calls targeting kernel32.dll!Sleep. Both rules introduce new detection capabilities for defense evasion tactics, (Asynchronous Procedure Call from Unusual Module, Evasion via Sleep API Hooking).

A rule was added to detect potential NetNTLMv1 downgrade attacks through registry modifications, specifically targeting the LmCompatibilityLevel value. This rule helps identify systems being forced into weaker authentication modes, (Potential NetNTLMv1 Downgrade Attack).

The new "NTDLL Memory Protection Change via Unsigned DLL" rule catches attempts to modify memory protection of NTDLL with unsigned DLLs, a common evasion strategy used by malware. This rule responds to the threat of unsigned code tampering with critical system libraries, (NTDLL Memory Protection Change via Unsigned DLL).

Improved detection of PowerShell-based attacks is achieved with two new rules monitoring execution of code from the PowerShell Empire tool. The "PowerShell Empire Script Execution" focuses on known patterns in AmsiScanBuffer API calls, while "Potential PowerShell Empire Execution" targets suspicious command line arguments related to Empire, (PowerShell Empire Script Execution, Potential PowerShell Empire Execution).

A detection rule for suspicious PHP script executions has also been included, focusing on scripts that might create network activity or child processes, signaling possible command and control behavior. This aims to identify potentially malicious scripts executing unwanted actions post-deployment, (Suspicious PHP Script Execution).

✎ Modified rules

The "Suspicious Remote Registry Modification" rule was updated by adding an exception for svchost.exe when running as localService and incorporating more registry paths to the exceptions. This helps in reducing false positives for registry modifications. (Suspicious Remote Registry Modification)

The "Suspicious Windows Core Module Change" rule was refined by adding new SHA256 hashes and subject names, improving its accuracy by filtering out legitimate software and system processes, thereby reducing false positives for suspicious memory protection changes. (Suspicious Windows Core Module Change)

📰 Cybersec Overview newsletter consolidates updates from 80+ sources: government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals.

Read the latest issue

panther-labs/panther-analysis (✎1)

https://github.com/panther-labs/panther-analysis

✎ Modified rules

The AWS EC2 multi-instance connect rule logic was improved by incorporating a time-based offset in the cache key. This change aims to improve detection accuracy and reduce false positives by grouping connections within the same hour. A datetime import was added to support this functionality, enhancing the rule's precision in identifying rapid connections while avoiding repeated alerts for legitimate repeated usage over extended periods. (aws_ec2_multi_instance_connect)

chainguard-dev/osquery-defense-kit (+1)

https://github.com/chainguard-dev/osquery-defense-kit

+ New rules

A new osquery rule detects unexpected hidden files in the Application Support directory. It identifies files with a leading dot and filters out known false positives by analyzing directory, file path, magic data, and file mode/size. (Find unexpected hidden files in a users Application Support directory)

sublime-security/sublime-rules (+10, ✎7)

https://github.com/sublime-security/sublime-rules

+ New rules

Rules targeting phishing through suspicious links were added. They include mechanisms to detect compromised platforms like Canva, Figma, Issuu, and POWR.io by analyzing embedded links and phishing languages. These rules use techniques like URL analysis, OCR, and natural language understanding to find credential theft and other malicious intents. Additionally, they check metadata indicators such as sender analysis and suspicious domain use (Canva Design With Suspicious Embedded Link, Issuu Document With Suspicious Embedded Link, Link: Figma Design Deck With Credential Phishing Language, Link: Direct POWR.io Form Builder with Suspicious Patterns).

New rules were introduced for detecting brand impersonation attempts, particularly those involving Microsoft Teams and Mailchimp. The rules analyze email headers, sender domain authenticity, and visual spoofing indicators such as brand logos (Brand Impersonation: Microsoft Teams Invitation, Brand Impersonation: Mailchimp).

Detections focus on emails with suspicious characteristics within platforms like GovDelivery and Xero. These rules involve scrutiny of non-government domains, URL shorteners, and newly registered domains. They also assess external links and repetitive patterns to identify phishing (Vendor Compromise: GovDelivery Message With Suspicious Link, Xero Infrastructure Abuse).

A rule is in place to spot emails where the link's display text matches the subject line. This addresses potential BEC/Fraud and Credential Phishing threats by examining link characteristics and patterns in recipient behavior (Link: Display Text Matches Subject Line).

Detection of state-sponsored threats has been improved through a rule that identifies Apple's threat notifications. The rule flags specific emails signaling potential risks from mercenary activity (Apple State-Sponsored Attack Warning).

✎ Modified rules

Updates were made to the Salesforce and DocuSign impersonation detection rules. The Salesforce rule logic now checks for newly registered domains in email links and adds 'social media' to suspicious subjects. DocuSign rule enhancements involve expanded keyword matching, improved HTML analysis, additional negations to reduce false positives, and broader detection coverage against phishing with enhanced identification of malicious emails (Salesforce Infrastructure Abuse, Brand impersonation: DocuSign).

Two rules focusing on phishing detection were updated. The Intuit service abuse rule was modified to relocate the source code block ensuring proper beta feature application. The credential phishing rule added a base64 encoded email detection condition, corrected root domain matching logic, and optimized for sensitive accounts with no change to MITRE ATT&CK references, improving detection accuracy while minimizing false positives (Callback phishing via Intuit service abuse, Credential phishing: Engaging language and other indicators).

The HR DocuSign impersonation rule and the Google Drive multistage link rule both had changes in code arrangement. The DocuSign rule repositioned conditions related to beta features for better logic flow, and the Google Drive rule fixed formatting issues and included an additional link-path inspection block (HR Impersonation via E-sign Agreement Comment, Link: Multistage Landing - Abused Google Drive).

The Adobe image lure rule had its logic structure modified by separating Adobe logo matching into a distinct grouping for better organization without affecting functionality (Attachment: Adobe image lure in body or attachment with suspicious link).

elastic/detection-rules (+36, ✎1)

https://github.com/elastic/detection-rules

+ New rules

The Microsoft Entra ID rules detect suspicious session and sign-in activities, indicating potential session hijacking, credential access, or unauthorized Microsoft services access. They emphasize session reuse, suspicious IP addresses, and the use of OAuth tokens in unauthorized ways. These rules are now in production status, improving cloud environment threat detection capabilities. (Microsoft Entra ID Session Reuse with Suspicious Graph Access, Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties, Suspicious Activity via Auth Broker On-Behalf-of Principal User, Suspicious Email Access by First-Party Application via Microsoft Graph)

A range of rules target potential PowerShell obfuscation techniques, detecting unusual use of characters, strings, and command invocation to evade detection. These rules enhance the ability to identify obfuscated PowerShell scripts, indicating potential malicious activities. (Potential Dynamic IEX Reconstruction via Environment Variables, Potential PowerShell Obfuscation via Special Character Overuse, Potential PowerShell Obfuscation via High Numeric Character Proportion, Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion, Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation, PowerShell Obfuscation via Negative Index String Reversal, Potential PowerShell Obfuscation via Invalid Escape Sequences, Potential PowerShell Obfuscation via Character Array Reconstruction, Potential PowerShell Obfuscation via Reverse Keywords, Potential PowerShell Obfuscation via String Concatenation)

Linux endpoint rules focus on identifying suspicious activities, including unusual process executions, named pipe creations, and kernel feature modifications. These rules improve detection of persistence, defense evasion, and potential command-and-control activities. (Unusual Execution from Kernel Thread (kthreadd) Parent, Potential Data Exfiltration Through Curl, Unusual Exim4 Child Process, Linux Telegram API Request, Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments, System Binary Symlink to Suspicious Location, Potential Hex Payload Execution via Command-Line)

Rules have been added to detect suspicious activities on Microsoft 365 and Windows systems, focusing on unauthorized access attempts and abuse of platform features. These rules target potential initial access, defense evasion, and privilege escalation tactics. (Suspicious Microsoft 365 UserLoggedIn via OAuth Code, Suspicious Mailbox Permission Delegation in Exchange Online, Windows Sandbox with Sensitive Configuration, Potential Backdoor Execution Through PAM_EXEC, Rare Connection to WebDAV Target, Microsoft Azure or Mail Sign-in from a Suspicious Source, Suspicious Named Pipe Creation)

Additional Linux rules focus on potential system abuse, privilege escalation, and credential access. They monitor SSH tunneling, manual memory dumping, Docker file modifications, and suspicious file downloads, providing comprehensive threat coverage for Linux environments. (Potential Linux Tunneling and/or Port Forwarding via SSH Option, Suspicious Path Mounted, Manual Memory Dumping via Proc Filesystem, Docker Release File Creation, Manual Mount Discovery via /etc/exports or /etc/fstab, Git Repository or File Download to Suspicious Directory, Suspicious Kernel Feature Activity)

✎ Modified rules

The "Suspicious /proc/maps Discovery" rule was updated to include more data sources, now covering logs from Crowdstrike, SentinelOne, and Elastic endpoint data. Detection logic expanded with new event actions (exec_event, start, ProcessRollup2) and process names (tail, less, more, egrep, fgrep) to widen its detection capability for suspicious /proc/maps discovery attempts. (Suspicious /proc/maps Discovery)

Personal repositories (2)

SlimKQL/Hunting-Queries-Detection-Rules (+8, ✎1)

https://github.com/SlimKQL/Hunting-Queries-Detection-Rules

+ New rules

New detection rules were introduced to monitor specific malicious activities across various platforms. Key additions include a KQL rule for identifying Cisco Catalyst devices vulnerable to CVE-2025-20188 (CVE-2025-20188 CVSS 10 out of 10), and a rule for detecting SAP NetWeaver attacks by a Chinese threat actor using known malicious IPs (SAP NetWeaver Attack by Chinese Threat Actor Impact Assessment).

A rule for monitoring remote access tools through Microsoft Sentinel's Threat Intelligence Indicators table focuses on identifying MITRE ATT&CK technique T1219 (RMM Hunting with Sentinel TI).

Two new rules targeting Golden Chickens malware were added. One detects Golden Chickens TerraLogger by identifying specific file creation events (Golden Chickens TerraLogger Detection), while the other identifies TerraStealerV2 malware through 'HttpConnectionInspected' events (Golden Chickens TerraStealerV2 Malware Detection).

For Microsoft 365 Copilot, new rules include detecting potentially malicious activity by tracking blocked URL clicks (M365 Copilot Gone Rouge), and monitoring excessive prompts to Copilot Agent for SharePoint, which may indicate prompt testing or attempts at exploitation (Monitor Copilot Agent for SharePoint).

A rule was also introduced to detect personal OneDrive sync activities on corporate endpoints by tracking specific registry key creations (Detect Personal OneDrive Sync on corporate endpoints).

✎ Modified rules

The detection rule for "Golden Chickens TerraStealerV2 Malware" was updated. The query now uses the condition ActionType == "ConnectionSuccess" and RemoteUrl == "wetransfers.io", replacing the previous complex parsing logic. This change aims to improve accuracy and reduce false positives in network connection detections. (Golden Chickens TerraStealerV2 Malware Detection)

alexverboon/Hunting-Queries-Detection-Rules (+8)

https://github.com/alexverboon/Hunting-Queries-Detection-Rules

+ New rules

Two rules were updated to track Entra ID Administrative Units activities. One rule checks AuditLogs for operations like adding or removing members or roles within restricted units. The second rule examines CloudAppEvents for similar actions and notes a detail about ActionType format, (Entra ID - Administrative Units - AuditLogs, Entra ID - Administrative Units - CloudAppEvents).

Several new rules in Microsoft Purview DLP focus on detecting specific file movements: files copied to clipboard, uploaded to the cloud, printed, and copied to remote desktop sessions. These rules are based on the CloudAppEvents table and extract details such as ObjectId, file hashes, and policy names for a thorough review, (Microsoft Purview - DLP - File copied to clipboard, Microsoft Purview - DLP - File copied to Cloud, Microsoft Purview - DLP - File printed, Microsoft Purview - DLP - File copied to remote desktop session).

An additional update to the remote desktop session rule further enriches DLP events by correlating them with RDP connection events, focusing on those initiated by 'mstsc' within a 5-minute window. This step adds a detailed layer for spotting data leaks over remote desktop connections, (Microsoft Purview - DLP - File copied to remote desktop session).

A new rule for Defender for Office 365 detects Teams messages and embedded links. It uses the MessageEvents and MessageUrlInfo tables for information retrieval, (Defender for Office 365 - Teams Messages).

What SIEM are you using? Tell us!

Feedback

Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.

Disclaimer

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

Powered by

This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.

Looking for a customized version of this newsletter? We'd be happy to help — contact us.