Detections Digest #20250616
The issue covers key changes from 7 GitHub repositories between Jun 9 to Jun 16, 2025, including 38 new and 22 modified detection rules.
This week's update highlights the most significant changes to detection rules from 7 of the 40+ monitored GitHub repositories. Between Jun 9 and Jun 16, 2025, contributors added 38 new rules and updated 22 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple new rules detect exploitation of the RCE vulnerability CVE-2025-33053. The detections cover process execution, image loading, and process access events where the executable originates from a WebDAV share. (Yamato-Security/hayabusa-rules, SigmaHQ/sigma)
Email security rules saw several updates for initial access. New rules detect specific payload delivery methods such as Python-generated PDFs, while existing rules for brand impersonation and links on legitimate platforms were tuned for accuracy. (sublime-security/sublime-rules)
Coverage for Windows defense evasion was broadened across multiple techniques. Rules for RegAsm.exe and mshta.exe abuse were added or improved, and detections for Windows Defender tampering now monitor additional registry keys. (Yamato-Security/hayabusa-rules, SigmaHQ/sigma)
Detections for post-compromise adversary activity were added and updated. This includes improved rules for the LaZagne credential dumper, new rules for the SharpSuccessor AD privilege escalation tool, and detections for destructive MSSQL database commands. (Yamato-Security/hayabusa-rules, SigmaHQ/sigma)
New KQL hunting queries were added for Microsoft security products. The queries identify Entra ID misconfigurations, NTLM reflection attacks (CVE-2025-33073), a Discord invite hijacking campaign, and endpoint posture weaknesses. (alexverboon/Hunting-Queries-Detection-Rules, SlimKQL/Hunting-Queries-Detection-Rules)
New YARA rules were created for static file detection of two Windows malware families: the Skuld infostealer and VanHelsing ransomware. (reversinglabs/reversinglabs-yara-rules)
🔔 All rule changes mentioned in this issue are available in CTI feeds by CTIChef.com. Integrate the feeds into your SIEM, TIP, or SOAR solution for ready-to-use detections and to connect them directly to the threats you're already tracking.
Corporate repositories (5)
elastic/detection-rules (✎1)
✎ Modified rules
Detection for anomalous Windows parent-child process relationships was improved. The rule now includes additional parent-child combinations in its EQL query, giving better coverage for identifying masquerading or other suspicious activity. (Unusual Parent-Child Relationship)
sublime-security/sublime-rules (+4, ✎5)
+ New rules
New rules detect specific attachment-based payload delivery techniques. One identifies Python-generated PDFs that contain URLs, a method used by PikaBot. Another finds macro-enabled Office documents with embedded MHT files, a known content obfuscation tactic. (Attachment: Python generated PDF with link, Attachment: Macro Files Containing MHT Content)
Detection for malicious links is improved with two new rules. One targets a specific link formatting pattern seen in tech support scams. The other identifies unscannable Vercel links when combined with suspicious subjects and poor sender reputation. (Link: /index.php Enclosed in Three Asterisks, Suspicious message with unscannable Vercel link)
✎ Modified rules
Detections for Adobe and TurboTax brand impersonation phishing were updated. The Adobe rule adds coverage with new keywords and lowers the required machine-learning confidence score. The TurboTax rule reduces false positives by adding exceptions for legitimate partner domains. (Brand impersonation: Adobe with suspicious language and link, Brand impersonation: TurboTax)
Rules targeting phishing links hosted on legitimate platforms were improved for accuracy. Detection of malicious SharePoint links from new senders was refined. Separately, the rule identifying phishing links on webflow.io now uses more precise sender email address profiling. (Link: Secure SharePoint file share from new or unusual sender, Link: Webflow Link from Unsolicited Sender)
Detection of credential theft within EML attachments was improved. The rule now uses Optical Character Recognition (OCR) to analyze text within attachments nested inside an EML file. It also has better logic to ignore legitimate bounce-back messages and emails from internal domains. (EML attachment with credential theft language (unknown sender))
reversinglabs/reversinglabs-yara-rules (+2)
+ New rules
New YARA rules add static detection for two Windows malware families. One rule targets the Skuld infostealer by matching byte patterns for its data theft functions. The other identifies VanHelsing ransomware by detecting code sequences for encryption, lateral movement, and shadow copy deletion. (Win64_Infostealer_Skuld, Win32_Ransomware_VanHelsing)
Yamato-Security/hayabusa-rules (+15, ✎8)
+ New rules
Multiple new rules detect exploitation of the remote code execution vulnerability CVE-2025-33053. Detections monitor for process creation, image loads, and process access events where executables originate from a WebDAV share. This addresses the technique of using legitimate utilities to run malicious code from a remote location. (Potential Exploitation of RCE Vulnerability CVE-2025-33053, Process Execution From WebDAV Share, Potential Exploitation of RCE Vulnerability CVE-2025-33053, Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access, Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load, Process Execution From WebDAV Share)
Two new rules identify the anomalous execution of RegAsm.exe without command-line arguments. RegAsm.exe normally requires an assembly path; starting it with no arguments is a known defense evasion pattern in which the legitimate binary serves only as a host process for injected code. (RegAsm.EXE Execution Without CommandLine Flags or Files, RegAsm.EXE Execution Without CommandLine Flags or Files)
New detections target the SharpSuccessor hacktool, which is used for privilege escalation in Active Directory. The rules identify the tool by its process name and specific command-line arguments associated with its operation. (HKTL - SharpSuccessor Privilege Escalation Tool Execution, HKTL - SharpSuccessor Privilege Escalation Tool Execution)
Two rules were added to detect system information discovery on Windows. These rules monitor for reg.exe and PowerShell usage to query specific registry keys containing OS, network, and software configuration details. (System Information Discovery via Registry Queries, System Information Discovery via Registry Queries)
New rules target distinct adversary tactics. One rule detects destructive MSSQL commands such as DROP TABLE. Another identifies DNS queries to suspicious URL shortener domains. A third rule flags the loading of BitsProxy.dll by non-standard processes to detect BITS abuse. (MSSQL Destructive Query, DNS Query To Common Malware Hosting and Shortener Services, BITS Client BitsProxy DLL Loaded By Uncommon Process)
✎ Modified rules
Detection for the LaZagne credential dumping utility is improved across two rules. The updates add detection based on specific IMPHASH values and expand the list of suspicious execution directories, increasing accuracy and coverage for this tool. (HackTool - LaZagne Execution, HackTool - LaZagne Execution)
Detection for suspicious mshta.exe execution (the polyglot file abuse associated with CVE-2020-1599) is expanded. The rules now identify a much broader list of non-standard file extensions in command lines and improve process identification to better detect this LOLBIN abuse technique. (MSHTA Execution with Suspicious File Extensions, MSHTA Execution with Suspicious File Extensions)
Four rules targeting Windows defense evasion via registry modification have broader coverage. The updates add more registry keys and values to detect the disabling of system tools like Command Prompt, as well as specific Windows Defender security features. (Disable Internal Tools or Feature in Registry, Disable Internal Tools or Feature in Registry, Suspicious Windows Defender Registry Key Tampering Via Reg.EXE, Suspicious Windows Defender Registry Key Tampering Via Reg.EXE)
SigmaHQ/sigma (+9, ✎3)
+ New rules
Three rules were added to detect remote code execution via WebDAV, targeting patterns associated with CVE-2025-33053. Detections identify general process execution from a WebDAV path and specific exploitation where iediagcmd.exe or CustomShellHost.exe accesses or spawns a process from a remote share. (Process Execution From WebDAV Share, Potential Exploitation of RCE Vulnerability CVE-2025-33053, Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access)
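The WebDAV rules summarised here and in the Yamato-Security/hayabusa-rules section above both key on the same observable: a process-creation event whose image, command line, or working directory points at a WebDAV UNC path. The script below is an added example, not code from either repository, that evaluates that logic over a handful of constructed Sysmon Event ID 1 records. The UNC markers (`\\host@SSL\`, `\\host@<port>\`, `\\host\DavWWWRoot\`) are the forms the Windows WebClient redirector produces; checking CurrentDirectory and the exact parent list (iediagcmd.exe, CustomShellHost.exe) are assumptions drawn from the rule names, not verified against the rule files.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
# Event 2 models the chain the page describes for CVE-2025-33053: a legitimate
# utility (iediagcmd.exe) resolves a tool name from a WebDAV UNC path.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\bob"},
    {"id": 2, "Image": r"\\203.0.113.10@SSL\DavWWWRoot\route.exe",
     "CommandLine": "route.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iediagcmd.exe",
     "CurrentDirectory": r"\\203.0.113.10@SSL\DavWWWRoot"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "\\files.example.net\DavWWWRoot\tools\run.bat"',
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\bob"},
    {"id": 4, "Image": r"\\fileserver\share\tool.exe",   # plain SMB share, not WebDAV
     "CommandLine": r"\\fileserver\share\tool.exe --check",
     "ParentImage": r"C:\Windows\explorer.exe", "CurrentDirectory": r"C:\Users\bob"},
]

WEBDAV_MARKERS = (
    # \\host@SSL\..., \\host@80\..., \\host@SSL@443\...
    re.compile(r"\\\\[^\\\s]+@(?:SSL|\d{1,5})(?:@\d{1,5})?\\", re.IGNORECASE),
    # \\host\DavWWWRoot\...
    re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\\", re.IGNORECASE),
)

# Parents the page's CVE-2025-33053 rules single out (assumed from the rule names).
EXPLOIT_PARENTS = ("\\iediagcmd.exe", "\\customshellhost.exe")


def from_webdav(text: str) -> bool:
    """True when a path or command line references a WebDAV UNC location."""
    return any(m.search(text) for m in WEBDAV_MARKERS)


def evaluate(event: dict) -> list:
    """Names of the (paraphrased) rules a process-creation event triggers."""
    hits = []
    webdav = any(from_webdav(event.get(f, ""))
                 for f in ("Image", "CommandLine", "CurrentDirectory"))
    if not webdav:
        return hits
    hits.append("Process Execution From WebDAV Share")
    if event.get("ParentImage", "").lower().endswith(EXPLOIT_PARENTS):
        hits.append("Potential Exploitation of RCE Vulnerability CVE-2025-33053")
    return hits


def scan(events) -> dict:
    """Map event id -> triggered rule names, omitting events with no hits."""
    return {e["id"]: evaluate(e) for e in events if evaluate(e)}


if __name__ == "__main__":
    for event_id, rules in scan(EVENTS).items():
        print(event_id, rules)
```

Event 4 is the deliberate negative: an ordinary SMB UNC path must not fire, or the generic rule drowns in login-script noise. Note that this covers only the process-creation leg; the digest's rule sets also watch image loads and process access from the same paths, and on some hosts the WebDAV location surfaces as a mapped drive letter rather than a UNC string, which this check would miss.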
New detections cover system discovery and evasion using legitimate Windows binaries. One rule flags anomalous execution of RegAsm.exe without parameters. Another identifies reconnaissance activity that uses reg.exe or PowerShell to query specific system and configuration registry keys. (RegAsm.EXE Execution Without CommandLine Flags or Files, System Information Discovery via Registry Queries)
Detection coverage for initial access and C2 is improved. One rule identifies potential Java webshell uploads to SAP NetWeaver servers, linked to CVE-2025-31324. Another rule detects DNS queries for domains frequently used for malware hosting and URL shortening. (Potential Java WebShell Upload in SAP NetWeaver Server, DNS Query To Common Malware Hosting and Shortener Services)
New rules detect high-impact post-compromise actions. One rule monitors MSSQL audit logs for destructive commands like 'DROP TABLE' or 'TRUNCATE TABLE'. Another identifies the execution of the SharpSuccessor tool, used for Active Directory privilege escalation. (MSSQL Destructive Query, HKTL - SharpSuccessor Privilege Escalation Tool Execution)
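The MSSQL Destructive Query rule appears in both the Yamato-Security/hayabusa-rules and SigmaHQ/sigma sections, and the digest describes it as a keyword match on audit-logged statements. The practitioner's worry with keyword rules is trivial evasion (`DROP/**/TABLE`) and the opposite false positive (a literal that merely mentions the words). The script below is an added example, not the rule itself, that normalises T-SQL before matching. The audit line format is constructed for the example; real SQL Server Audit records carry more fields. DROP DATABASE and an unfiltered DELETE are added here as obvious neighbours of the statements the digest names.

```python
import re

# Constructed audit lines: "<timestamp>|<login>|<client>|<statement>". Real SQL
# Server Audit output is richer; this format exists only for the example.
AUDIT_LINES = [
    "2025-06-11T09:14:02Z|app_svc|10.0.0.21|SELECT name FROM sys.tables",
    "2025-06-11T09:15:40Z|sa|10.0.0.99|DROP TABLE dbo.Orders",
    "2025-06-11T09:15:41Z|sa|10.0.0.99|TRUNCATE TABLE dbo.AuditTrail",
    "2025-06-11T09:15:43Z|sa|10.0.0.99|DROP/**/TABLE dbo.Customers -- cleanup",
    "2025-06-11T09:16:10Z|app_svc|10.0.0.21|INSERT INTO Notes(body) VALUES ('remember to DROP TABLE later')",
    "2025-06-11T09:16:30Z|app_svc|10.0.0.21|DELETE FROM dbo.Sessions WHERE expires < GETDATE()",
    "2025-06-11T09:17:05Z|sa|10.0.0.99|DELETE FROM dbo.Sessions",
]


def normalize_tsql(stmt: str) -> str:
    """Strip comments and string literals, collapse whitespace, upper-case.

    Enough to defeat 'DROP/**/TABLE' padding and to ignore keywords that only
    occur inside a quoted literal. Not a full T-SQL tokenizer.
    """
    stmt = re.sub(r"/\*.*?\*/", " ", stmt, flags=re.S)   # block comments
    stmt = re.sub(r"--[^\r\n]*", " ", stmt)               # line comments
    stmt = re.sub(r"'(?:[^']|'')*'", "''", stmt)          # string literals ('' escapes kept)
    return re.sub(r"\s+", " ", stmt).strip().upper()


# DROP TABLE / TRUNCATE TABLE are what the digest names; DROP DATABASE and a
# DELETE with no WHERE clause are added for this example.
DESTRUCTIVE = re.compile(
    r"\b(?:DROP (?:TABLE|DATABASE)|TRUNCATE TABLE|DELETE FROM [^\s;]+\s*(?:;|$))"
)


def is_destructive(stmt: str) -> bool:
    return DESTRUCTIVE.search(normalize_tsql(stmt)) is not None


def scan_audit(lines) -> list:
    """Return (login, client, statement) for each destructive statement."""
    hits = []
    for line in lines:
        _ts, login, client, stmt = line.split("|", 3)
        if is_destructive(stmt):
            hits.append((login, client, stmt))
    return hits


if __name__ == "__main__":
    for login, client, stmt in scan_audit(AUDIT_LINES):
        print(f"{login}@{client}: {stmt}")
```

Even normalised, this stays a statement-level check: it will not see a destructive action wrapped in `EXEC(@sql)` or `sp_executesql` with a concatenated string, so pair it with the rule's login and source-host context rather than treating a miss as a clean bill.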
✎ Modified rules
Detection for the LaZagne credential dumper is improved. The rule now detects specific variants by their IMPHASH and monitors a wider range of user and system directories for execution, providing more robust coverage. (HackTool - LaZagne Execution)
Windows Defender tampering detection is broadened. The rule now monitors for additional registry modifications via reg.exe that disable specific security features like cloud and network protection. (Suspicious Windows Defender Registry Key Tampering Via Reg.EXE)
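Both the Hayabusa and Sigma versions of the Windows Defender tampering rule look for `reg.exe add` against the Defender policy keys. The script below is an added example, not the rule from either repository, that parses a reg.exe command line and checks whether the value written actually switches a feature off, so that an administrator re-enabling a feature (`/d 0` on a Disable* value) is not flagged. The value table is a subset chosen for the example (the digest says the rules check more keys), and the command lines are constructed.

```python
import re
import shlex

# Constructed reg.exe command lines (not from real telemetry).
COMMAND_LINES = [
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f',
    r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v EnableNetworkProtection /t REG_DWORD /d 0x0 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0 /f',
    r'reg add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark /f',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware',
]

DEFENDER_KEY = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender(?:\\|$)",
    re.IGNORECASE,
)

# value name (lower-case) -> DWORD data that switches the feature off.
# Subset chosen for this example; the digest says the rules check more.
DISABLING_VALUES = {
    "disableantispyware": 1,
    "disablerealtimemonitoring": 1,
    "disablebehaviormonitoring": 1,
    "disableioavprotection": 1,
    "disableonaccessprotection": 1,
    "disablescriptscanning": 1,
    "disableblockatfirstseen": 1,
    "spynetreporting": 0,            # cloud-delivered protection off
    "submitsamplesconsent": 2,       # 2 = never send samples
    "enablenetworkprotection": 0,    # Exploit Guard Network Protection off
}


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a 'reg add' command line, else None."""
    try:
        # posix=False keeps Windows backslashes and returns quoted tokens intact.
        toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(toks) < 3:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    key, value, data = toks[2], None, None
    i = 3
    while i + 1 < len(toks):
        flag = toks[i].lower()
        if flag == "/v":
            value = toks[i + 1]
        elif flag == "/d":
            data = toks[i + 1]
        i += 1
    return key, value, data


def as_dword(data):
    try:
        return int(data, 0)          # accepts "1" and "0x1"
    except (TypeError, ValueError):
        return None


def is_defender_tampering(cmdline: str) -> bool:
    parsed = parse_reg_add(cmdline)
    if parsed is None:
        return False
    key, value, data = parsed
    if value is None or not DEFENDER_KEY.search(key):
        return False
    off_value = DISABLING_VALUES.get(value.lower())
    return off_value is not None and as_dword(data) == off_value


def flagged(cmdlines) -> list:
    return [c for c in cmdlines if is_defender_tampering(c)]


if __name__ == "__main__":
    for c in flagged(COMMAND_LINES):
        print(c)
```

The command-line view is deliberately narrow: the same values can be set through PowerShell (`Set-MpPreference`, `Set-ItemProperty`) or direct registry API calls, so the registry-event rules (Sysmon Event ID 13) remain the backstop; this check is the cheap first pass on process-creation telemetry.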
Detection for mshta.exe abuse is expanded. The rule identifies a larger set of suspicious file extensions used in polyglot attacks and improves process identification, helping find adversaries using mshta.exe as a LOLBIN. (MSHTA Execution with Suspicious File Extensions)
Personal repositories (2)
alexverboon/Hunting-Queries-Detection-Rules (+6, ✎5)
+ New rules
New KQL queries audit Microsoft Entra ID for high-risk activities and misconfigurations. The rules identify privileged identity management (PIM) role activations, detect disabled user accounts with assigned privileged roles, and report the deletion of Enterprise Applications by querying AuditLogs and IdentityInfo tables. (Entra ID - PIM Role Activations, Entra ID - Enterprise Applications - Deletions, Defender for Identity - Disabled Accounts with Privileged Roles)
A set of KQL queries identifies endpoint security posture weaknesses using Defender for Endpoint data. The rules report on Windows devices missing security updates, list Microsoft Office installations to check support status, and find endpoints where Microsoft Defender Antivirus is in passive mode. (Microsoft Office 365 - Version History Information, Defender for Endpoint - identify devices running in Passive mode, Windows Server & Client Missing Updates)
✎ Modified rules
A set of five KQL queries uses Microsoft Defender for Endpoint data to identify an organization's external attack surface. The queries detect internet-facing devices by analyzing the DeviceInfo table and identify high-risk exposed services like RDP and SMB. Another query identifies devices recently targeted by external scanners by checking DeviceNetworkEvents for inbound scan activity. (Microsoft Sentinel, Devices detected by an external scan, SMB, RDP, ExternalNetworkConnection (still testing....))
SlimKQL/Hunting-Queries-Detection-Rules (+2)
+ New rules
A new KQL rule detects potential NTLM reflection attacks linked to CVE-2025-33073. The detection logic monitors DNS events for queries to single-label domains that contain long, base64-encoded strings, which are indicative of this attack. (CVE-2025-33073 Detection)
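The observable the digest describes, a single-label DNS query whose name is a long base64 string, is easy to test for offline. The script below is an added example, not the KQL rule from the SlimKQL repository, that applies that shape check to constructed DNS query events. The 40-character minimum and the requirement that the label decode as base64 are assumptions chosen for this example; the sample marker is built from a mostly-zero byte blob to imitate the shape of the real name and is not the actual CVE-2025-33073 data structure.

```python
import base64
import binascii
import re

MIN_LABEL_LEN = 40                      # assumption: longer than ordinary hostnames
B64_CHARS = re.compile(r"[A-Za-z0-9+/]+")   # padding is dropped in DNS names


def is_reflection_marker(query_name: str) -> bool:
    """True for a single-label query name made entirely of base64 text."""
    label = query_name.rstrip(".")
    if "." in label or len(label) < MIN_LABEL_LEN:
        return False
    if not B64_CHARS.fullmatch(label):
        return False
    padded = label + "=" * (-len(label) % 4)
    try:
        base64.b64decode(padded)
    except binascii.Error:              # e.g. length == 1 mod 4 can never be base64
        return False
    return True


# Constructed marker: a short host prefix followed by base64 of a mostly-zero
# blob, mimicking the shape the digest describes. Illustrative data only.
_BLOB = b"\x01" + bytes(40) + b"\x18\x01"
MARKER_NAME = "srv1" + base64.b64encode(_BLOB).decode().rstrip("=")

# Constructed DNS query events (Sysmon Event ID 22 style field names).
DNS_EVENTS = [
    {"Computer": "ws01", "QueryName": "fileserver01"},
    {"Computer": "ws01", "QueryName": "a" * 50 + ".cdn.example.net"},
    {"Computer": "ws02", "QueryName": MARKER_NAME},
    {"Computer": "ws03", "QueryName": "desktop-7f3k2l9.corp.example.net"},
]


def find_reflection_markers(events) -> list:
    """Return (host, query name) for every event matching the marker shape."""
    return [(e["Computer"], e["QueryName"]) for e in events
            if is_reflection_marker(e["QueryName"])]


if __name__ == "__main__":
    for host, name in find_reflection_markers(DNS_EVENTS):
        print(host, name)
```

Two caveats when porting this to real data. A DNS label is capped at 63 octets, so the marker is always short enough to look like a hostname to casual review, which is why a shape rule is needed at all. And the victim only queries the name because an attacker registered it, so the higher-fidelity signal on a domain is the DNS server's own audit log showing a dynamic update that created a record with this shape; correlate the two where you have both.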
A new KQL query detects a Discord invite hijacking campaign. It identifies compromised devices by correlating network connections, first to legitimate Discord domains and then to a known malicious domain associated with an infostealer. (Discord Invite Hijacking Detection)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have suggestions for new data sources to include, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving this resource for the detection engineering community.
Disclaimer
The summaries in this brief are generated autonomously by an OpenAI language model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by BlackStork. This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.