Detections Digest #20250623
The issue covers key changes from 9 GitHub repos between Jun 16 to Jun 23, 2025, including 29 new and 93 modified detection rules.
This week's update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Jun 16 and Jun 23, 2025, contributors added 29 new rules and updated 93 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections target cloud services and infrastructure. Rules for Kubernetes identify reconnaissance via kubectl permission checks and persistence through kubeconfig file modification. For Microsoft Entra ID, new rules find credential stuffing and persistence using OAuth token abuse. An AWS rule detects CloudTrail logging evasion, and a KQL query identifies unauthorized Cloudflare Tunnel execution. (elastic/detection-rules, lawndoc/AdvancedHuntingQueries)
Coverage for Windows defense evasion is expanded with a focus on in-memory threats. New behavior rules detect process hollowing by monitoring memory permission changes and identify call stack tampering. A large set of existing rules for shellcode injection, direct syscalls, and execution from RWX memory were tuned. The updates add exceptions for legitimate software hashes and module paths to reduce false positives. (elastic/protections-artifacts)
Detections for Windows credential access attacks were added and refined. New rules target Kerberos coercion and NTLM relay attacks by monitoring for suspicious DNS queries and specific SMB access patterns. Other rules flag browser execution with security-disabled command-line flags, a technique for credential theft. Existing detections for ntds.dit access were also tuned. (elastic/detection-rules, splunk/security_content, elastic/protections-artifacts)
Coverage for specific malware families and TTPs was updated. The Cobalt Strike named pipe detection was broadened with new patterns from Artifact Kit and Malleable C2 profiles. New YARA rules detect the Arechclient2 Trojan and several disk wiper families on Windows and Linux. The GPulse malware also received new detection patterns. (splunk/security_content, Neo23x0/signature-base, elastic/protections-artifacts)
Phishing detections now identify more complex delivery methods. One rule inspects PDF metadata for signs of creation by 'Soda PDF', a tool used in phishing campaigns. Another rule uses OCR to find impersonated brand names inside images to detect callback phishing. A new query hunts for phishing attempts that use Microsoft Teams messages from external senders. (sublime-security/sublime-rules, SlimKQL/Hunting-Queries-Detection-Rules)
💡 All rule changes mentioned in this issue are available in CTI feeds by CTIChef.com:
Integrate the feeds into your SIEM, TIP, or SOAR solution for ready-to-use detections and to connect them directly to the threats you're already tracking.
Table Of Contents
elastic/protections-artifacts (+5, ✎62)
sublime-security/sublime-rules (+1, ✎3)
elastic/detection-rules (+12, ✎12)
SigmaHQ/sigma (✎1)
splunk/security_content (+4, ✎11)
Neo23x0/signature-base (+3, ✎1)
Corporate repositories (6)
elastic/protections-artifacts (+5, ✎62)
+ New rules
Three new rules detect Windows defense evasion techniques. One rule identifies process hollowing by monitoring memory permission changes from untrusted modules. Another detects call stack tampering by analyzing anomalous library loads. A third rule targets attempts to disable Windows Defender by registering a rogue anti-virus product. (Hollow Image Behavior via Native API, Library Loaded From a Potentially Altered Call Stack, Suspicious Antivirus Registration)
A new YARA rule detects the Arechclient2 Trojan on Windows systems. The rule identifies the malware's file and memory artifacts, which are associated with stealing credentials from cryptocurrency wallets, VPN clients, and Steam accounts. (Windows_Trojan_Arechclient2_b6ea1c83)
A new detection rule targets post-exploitation activity related to CVE-2025-33053. The rule monitors the Internet Explorer Diagnostics Utility for suspicious behavior, such as its execution from a network share or spawning system utilities like route.exe or netsh.exe. (Potential CVE-2025-33053 Exploitation)
✎ Modified rules
Multiple rules detecting code injection and in-memory execution were tuned. Techniques covered include direct syscalls, execution from unbacked or RWX memory, process hollowing, API hooking, and remote process memory writes. The updates primarily add exceptions for legitimate software hashes, call stack patterns, and known module paths to reduce false positives. (Unbacked Shellcode from Unsigned Module, Suspicious Memory Page Protection, Network Module Loaded from Suspicious Unbacked Memory, Potential Shellcode Injection via CLR, Direct Syscall from Unsigned Module, Potential Suspended Process Code Injection, Remote Memory Write to Trusted Target Process, Process Creation from Backed RWX Memory, Shellcode Execution from Low Reputation Module, Shellcode Injection from Mounted Device, Evasion via Sleep API Hooking, Shellcode Injection with Parent as Provenance, Network Connect API from Unbacked Memory, Potential Process Creation via Direct Syscall)
Detections for credential and data theft were refined through new exclusions. These rules monitor for unauthorized access to browser credential stores, RDCMan settings files, and the ntds.dit database. They also detect keylogging behavior via Windows hooks and input capture API calls. Updates primarily add allowlists for legitimate processes and trusted code signers. (Access to Browser Credentials from Suspicious Memory, Failed Attempts to Access Sensitive Files, Keystroke Messages Hooking via SetWindowsHookEx, Keystrokes Input Capture from Unsigned DLL, Chrome Browser Spawned from an Unusual Parent, Sensitive File Access - Remote Desktop Connection Manager, Suspicious Access to Active Directory Database File, Potential Browser Information Discovery)
Detections for adversary abuse of legitimate Windows binaries were refined. These rules target proxy execution using tools like rundll32.exe, regsvr32.exe, and msiexec.exe, as well as masquerading or tampering with system recovery utilities. Most updates add exclusions for benign software installation or administrative actions to improve accuracy. (Binary Masquerading via Untrusted Path, Suspicious API call via a Windows Installer Module, RunDLL32/Regsvr32 Loads Dropped Executable, Library Load of a File Written by a Signed Binary Proxy, Control Panel Process with Unusual Arguments, Execution via Windows Installer Transforms, Execution via Renamed Signed Binary Proxy, Rundll32 or Regsvr32 Loaded a DLL from Unbacked Memory, Suspicious MsiExec Child Process, Inhibit System Recovery via Untrusted Parent Process, Inhibit System Recovery via Renamed Utilities)
Multiple rules targeting persistence and privilege escalation were tuned. These detections identify techniques like writing to registry run keys and startup folders, scheduled task creation, and IFEO abuse. Privilege escalation techniques covered include PPID spoofing, access token manipulation, and exploitation of CVE-2024-21338. Updates add exclusions for legitimate software and administrative tools. (Parent Process PID Spoofing, Startup Persistence from Backed RWX Memory, Potential NetNTLMv1 Downgrade Attack, Potential Execution via Token Theft, Process Explorer Device Access by Unusual Process, Access Token Manipulation via Child Process, Potential CVE-2024-21338 Exploitation, Script Interpreter Process Writing to Commonly Abused Persistence Locations, Scheduled Task from a Removable or Mounted ISO Device, Suspicious Image File Execution Options Modification, Untrusted Process Writing to Commonly Abused Persistence Locations, Startup Persistence by a Low Reputation Process)
A broad set of rules targeting various adversary tactics were updated. This includes detection of C2 activity via suspicious DNS queries, initial access through web shells or Office macros, and defense evasion via binary padding or security product enumeration. Several rules for WMI abuse were tuned to reduce false positives from legitimate administrative and software management tools. A specific update adds patterns for GPulse malware. (Process Creation from an Unusual WMI Client, Execution from Suspicious Stack Trailing Bytes, DNS Query to Suspicious Top Level Domain, Suspicious Security Product Enumeration, Suspicious Windows Script Base64 Encoding, Suspicious PHP Script Execution, Suspicious Cmd Execution via WMI, Connection to Dynamic DNS Provider by an Unsigned Binary, Connection to WebService by an Unsigned Binary, Potential Evasion via Oversized Image Load, Suspicious Execution from an Oversized Executable, Potential Command and Control via Windows Scripts, Suspicious Windows Script Process Execution, Suspicious WMI Library Load, Execution via a Suspicious WMI Client, Suspicious File Dropped by a Macro Enabled Document, Suspicious Microsoft IIS Worker Descendant)
sublime-security/sublime-rules (+1, ✎3)
+ New rules
A new rule detects credential phishing emails with PDF attachments created by "Soda PDF". The detection logic inspects the PDF's OCR output for phrases related to encryption, a tactic used to direct users to malicious links. (Attachment: Soda PDF Producer with Encryption Themes)
✎ Modified rules
Phishing detection was improved through multiple rule updates. One change adds detection for password-protected PDFs hosted on Adobe Acrobat by inspecting file EXIF data. Another update uses Optical Character Recognition (OCR) to find impersonated brand names within images, targeting callback phishing. Logic for invoice-themed phishing was also refined to reduce false positives by trusting emails from specific domains that pass DMARC. (Link: Multistage Landing - Abuse Adobe Acrobat Hosted PDF, Suspicious invoice reference with missing or image-only attachments, Callback Phishing solicitation in message body)
elastic/detection-rules (+12, ✎12)
+ New rules
New detections for Kubernetes threats were added. These rules identify reconnaissance through kubectl permission checks and kubeconfig file discovery. They also detect access and persistence attempts via modification of kubeconfig files and monitor for denied API requests from unrecognized user agents. (Kubectl Permission Discovery, Kubeconfig File Discovery, Kubeconfig File Creation or Modification, Forbidden Request from Unusual User Agent in Kubernetes)
A set of rules now targets Microsoft Entra ID account compromise. Detections identify initial access attempts like password spraying and credential stuffing. They also find OAuth token abuse and anomalous device sign-ins, which are tactics used to acquire a Primary Refresh Token (PRT) for persistence. (Suspicious Microsoft OAuth Flow via Auth Broker to DRS, Suspicious ADRS Token Request by Microsoft Auth Broker, Entra ID User Signed In from Unusual Device, Microsoft Entra ID Sign-In Brute Force Activity)
New rules detect Kerberos coercion and NTLM relay attacks on Windows systems. Detections monitor for malicious DNS queries and record creation used for SPN spoofing. Another rule identifies network share access patterns consistent with a successful coerced authentication and credential relay. (Potential Machine Account Relay Attack via SMB, Potential Kerberos SPN Spoofing via Suspicious DNS Query, Potential Kerberos Coercion via DNS-Based SPN Spoofing)
A new rule detects an AWS CloudTrail logging evasion technique. It identifies successful IAM events where the policy details were omitted from logs because the request was too large, a method used to obscure malicious policy changes. (AWS CloudTrail Log Evasion)
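The CloudTrail evasion described above is easy to miss because the event itself looks healthy: it is a successful IAM call, only the policy document is absent. The following Python is an added example written for this digest, not the Elastic rule's own query, showing what such a detection checks over a handful of constructed CloudTrail records. It assumes CloudTrail marks an oversized request body as `"requestParameters": {"omitted": "true"}` (or a boolean `true`); verify that shape against your own logs before relying on the field name.

```python
import json

# IAM API calls whose request body carries a policy document. Constructed for
# this example; extend it to whatever policy-writing calls matter in your account.
POLICY_WRITE_EVENTS = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy",
}


def request_parameters_omitted(event):
    """True when CloudTrail replaced requestParameters with an 'omitted' marker.

    Assumption: oversized requests are logged as {"omitted": "true"} (string) or
    {"omitted": true} (bool); both spellings are accepted here.
    """
    params = event.get("requestParameters")
    if not isinstance(params, dict):
        return False
    return str(params.get("omitted", "")).lower() == "true"


def is_log_evasion(event):
    """Successful IAM policy write whose policy document never reached the log."""
    return (
        event.get("eventSource") == "iam.amazonaws.com"
        and event.get("eventName") in POLICY_WRITE_EVENTS
        and not event.get("errorCode")          # absent or empty errorCode means success
        and request_parameters_omitted(event)
    )


def find_log_evasion(records):
    return [e for e in records if is_log_evasion(e)]


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(text).get("Records", [])


# Constructed sample records (not real CloudTrail output; account id is a placeholder).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "app-role", "policyName": "inline",
                           "policyDocument": "{\"Version\":\"2012-10-17\"}"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mallory"},
     "requestParameters": {"omitted": "true"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutUserPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"omitted": "true"}, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"omitted": "true"}},
]})

if __name__ == "__main__":
    for hit in find_log_evasion(load_records(SAMPLE_LOG)):
        print("possible log evasion:", hit["eventName"], hit["userIdentity"]["arn"])
```

Only the second record is reported: the first carries its full policy, the third failed with AccessDenied, and the fourth is an S3 call where an omitted body is normal. When a hit fires, the policy content has to be recovered from the IAM API itself (the current inline policy on the role or user), since the log will never contain it.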
✎ Modified rules
A suite of five rules for detecting PowerShell obfuscation was updated to reduce false positives. The changes refine detection of techniques like string manipulation, character-based encoding, and invalid escape sequences by adding exclusions for common tools like Icinga and VSCode, normalizing script content, and adjusting numeric thresholds. One rule's risk score was also increased from low to medium. (Potential PowerShell Obfuscation via String Concatenation, Potential PowerShell Obfuscation via String Reordering, Potential PowerShell Obfuscation via Special Character Overuse, Potential PowerShell Obfuscation via Invalid Escape Sequences, Potential PowerShell Obfuscation via High Numeric Character Proportion)
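To make the tuning above concrete, here is an added Python example (written for this digest, not Elastic's rule logic) that scores a PowerShell script the way the numeric-proportion and special-character rules do: normalize the content by stripping comments and whitespace, compute the share of digits and of punctuation, apply a minimum length and numeric thresholds, and skip scripts launched by excluded parents. The thresholds, the special-character set and the Icinga/VSCode parent substrings are this example's own choices, not values from the rules.

```python
import re

MIN_LENGTH = 50                  # shorter snippets give unstable proportions
NUMERIC_RATIO_THRESHOLD = 0.30   # share of digits in the normalized script
SPECIAL_RATIO_THRESHOLD = 0.40   # share of punctuation typical of obfuscators
SPECIAL_CHARS = set("$()[]{}+,;`'\"|")

# Parent processes excluded because they legitimately generate dense scripts.
# Substrings are constructed for this example (the real rules carry their own lists).
EXCLUDED_PARENTS = ("icinga", "code.exe")


def normalize(script):
    """Drop block comments, line comments and whitespace so only code is scored.

    Heuristic: a '#' inside a string literal is also treated as a comment start.
    """
    script = re.sub(r"<#.*?#>", "", script, flags=re.S)
    script = re.sub(r"#[^\n]*", "", script)
    return re.sub(r"\s+", "", script)


def numeric_ratio(text):
    return sum(c.isdigit() for c in text) / len(text) if text else 0.0


def special_ratio(text):
    return sum(c in SPECIAL_CHARS for c in text) / len(text) if text else 0.0


def assess(script, parent_process=""):
    """Return the computed ratios and the list of triggered flags for one script."""
    if any(x in parent_process.lower() for x in EXCLUDED_PARENTS):
        return {"excluded": True, "flags": []}
    text = normalize(script)
    result = {"excluded": False, "length": len(text),
              "numeric_ratio": round(numeric_ratio(text), 3),
              "special_ratio": round(special_ratio(text), 3), "flags": []}
    if len(text) < MIN_LENGTH:
        return result                      # too short to judge, never flagged
    if result["numeric_ratio"] >= NUMERIC_RATIO_THRESHOLD:
        result["flags"].append("high_numeric_proportion")
    if result["special_ratio"] >= SPECIAL_RATIO_THRESHOLD:
        result["flags"].append("special_character_overuse")
    return result


# Constructed samples: a char-code encoded string and an ordinary admin one-liner.
OBFUSCATED = ("$x=[char[]](72,101,108,108,111,44,32,111,98,102,117,115,99,97,116,"
              "105,111,110,32,115,97,109,112,108,101);")
BENIGN = ("Get-ChildItem -Path C:\\Logs -Filter *.log |\n"
          "  Where-Object { $_.Length -gt 1048576 } |  # larger than 1 MiB\n"
          "  Sort-Object Length -Descending")

if __name__ == "__main__":
    for name, script in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, assess(script))
```

The encoded sample normalizes to 105 characters of which 67 are digits (ratio about 0.64), so it trips the numeric flag while its punctuation share stays under the special-character threshold; the admin one-liner sits far below both. The parent exclusion is the same trade-off the rule updates make: a monitoring agent that emits dense scripts is silenced at the cost of never scoring anything it launches.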
Three rules for AWS were updated to improve detection of reconnaissance and policy modification. The changes refine CloudTrail queries for identifying searches for deprecated AMIs, EC2 user data retrieval, and IAM role trust policy updates (T1078.004). Updates focus on using more specific user and resource fields to increase accuracy and reduce noise. (AWS EC2 Deprecated AMI Discovery, AWS IAM Assume Role Policy Update, AWS EC2 User Data Retrieval for EC2 Instance)
Two rules targeting Windows privilege escalation via service creation were updated for better precision. The changes focus on identifying services configured to run as LocalSystem and detecting patterns indicative of Kerberos relay attacks, such as logons with elevated tokens followed by immediate service creation. (Windows Service Installed via an Unusual Client, Service Creation via Local Kerberos Authentication)
Detection for Microsoft 365 brute-force attacks was updated by rewriting the query logic. The rule now analyzes Entra ID sign-in failures over a longer time window, uses an expanded set of error codes, and applies more specific thresholds to better distinguish between password spraying, credential stuffing, and guessing attempts. (Microsoft 365 Brute Force via Entra ID Sign-Ins)
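The three labels in that rule come from the same raw material, failed sign-ins grouped by source, so the interesting part is the split. The Python below is an added example for this digest, not the Elastic query, classifying constructed Entra ID sign-in events per source IP inside a tumbling window. The thresholds and the heuristic itself (one account with many failures is guessing; many accounts with no success is spraying; many accounts with a success among them is treated as replayed breached pairs, i.e. stuffing) are this example's own simplifications. The error codes 50126 (invalid credentials) and 50053 (account locked) are real Entra ID codes; add others from the rule's expanded list as needed.

```python
from collections import defaultdict

# Tumbling window and thresholds, chosen for this example only.
WINDOW_SECONDS = 3600
MIN_FAILURES = 10
MIN_DISTINCT_USERS = 5

# Entra ID sign-in error codes treated as a credential failure; 0 means success.
FAILURE_CODES = {50126, 50053}


def classify_window(events):
    """Label one source's sign-ins inside one window, or return None if benign."""
    fails = [e for e in events if e["error_code"] in FAILURE_CODES]
    if len(fails) < MIN_FAILURES:
        return None
    failed_users = {e["user"] for e in fails}
    if len(failed_users) < MIN_DISTINCT_USERS:
        # one or a few accounts hammered from a single source
        return "password_guessing"
    succeeded_users = {e["user"] for e in events if e["error_code"] == 0}
    if failed_users & succeeded_users:
        # many accounts tried and one of them worked: consistent with breached pairs
        return "credential_stuffing"
    # many accounts, few attempts each, nothing succeeded: one password tried everywhere
    return "password_spraying"


def classify_signins(events):
    """Group events by (source IP, window start) and return {(ip, start): label}."""
    buckets = defaultdict(list)
    for e in events:
        window_start = e["ts"] - (e["ts"] % WINDOW_SECONDS)
        buckets[(e["ip"], window_start)].append(e)
    results = {}
    for key, evs in buckets.items():
        label = classify_window(evs)
        if label:
            results[key] = label
    return results


def _event(ts, ip, user, code):
    return {"ts": ts, "ip": ip, "user": user, "error_code": code}


# Constructed sample telemetry: three attacking sources and one benign typo, same hour.
SAMPLE_EVENTS = (
    [_event(1000 + i, "203.0.113.10", f"user{i:02d}@example.com", 50126) for i in range(12)]
    + [_event(1000 + i * 30, "203.0.113.20", "admin@example.com", 50126) for i in range(15)]
    + [_event(2000 + i, "203.0.113.30", f"user{i:02d}@example.com", 50126) for i in range(10)]
    + [_event(2500, "203.0.113.30", "user03@example.com", 0)]
    + [_event(3000, "198.51.100.5", "carol@example.com", 50126),
       _event(3100, "198.51.100.5", "carol@example.com", 0)]
)

if __name__ == "__main__":
    for (ip, start), label in sorted(classify_signins(SAMPLE_EVENTS).items()):
        print(f"{ip} window@{start}: {label}")
```

Running it labels 203.0.113.10 as spraying, 203.0.113.20 as guessing and 203.0.113.30 as stuffing, and stays silent on 198.51.100.5. A tumbling window is the simplest choice and can split a campaign across two buckets; the rule's longer window reduces that effect, and a sliding window removes it at higher cost.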
The rule for detecting container management utility execution on Linux was refined to reduce false positives. The query now targets only interactive processes and excludes events spawned by legitimate container daemons, focusing alerts on suspicious interactive activity within a container. (Container Management Utility Run Inside A Container)
SigmaHQ/sigma (✎1)
✎ Modified rules
The rule for detecting Windows Registry persistence modifications was refined. It now includes a new filter for the 64-bit 'integrator.exe' process, reducing false positives from legitimate Microsoft Office installations. (Common Autorun Keys Modification)
splunk/security_content (+4, ✎11)
+ New rules
A set of new rules detects suspicious browser executions. The detections identify the use of command-line flags to disable security features, such as '--no-sandbox' in Chromium browsers and '-extoff' in Internet Explorer. Another rule flags the '--user-data-dir' argument, a technique for stealth and credential theft. (Windows Chromium Browser No Security Sandbox Process, Windows Disable Internet Explorer Addons, Windows Chromium Browser with Custom User Data Directory)
A new rule detects potential command-and-control activity by monitoring Sysmon DNS events. It specifically targets DNS queries to 'tinyurl.com' originating from processes running in suspicious directories like AppData or Temp, which is a common malware technique. (Windows DNS Query Request To TinyUrl)
✎ Modified rules
Detection for file and directory permission modification on Windows using icacls, cacls, and xcacls is improved across five rules. Updates broaden coverage by adding more command-line variations for granting and denying permissions, fix a syntax error, and optimize query performance. These changes strengthen detection of defense evasion technique T1222. (ICACLS Grant Command, Excessive Usage Of Cacls App, Icacls Deny Command, Modify ACL permission To Files Or Folder, Windows Files and Dirs Access Rights Modification Via Icacls)
Three rules targeting various Windows defense evasion techniques were updated. The rule for detecting renamed WinRAR binaries was corrected to fix a logic flaw causing false positives. The rule for identifying suspicious file copies from system directories was refactored for performance. The rule for finding hidden scheduled tasks now uses a more reliable string search method. (Detect Renamed WinRAR, Suspicious Copy on System32, Windows Hidden Schedule Task Settings)
Coverage for Cobalt Strike is improved by expanding the list of monitored malicious named pipes. The rule now detects additional indicators associated with Artifact Kit and Malleable C2 profiles, such as those starting with interprocess_, lsarpc_, mojo_, netlogon_, samr_, and wkssvc_. (Cobalt Strike Named Pipes)
Two rules for Google Workspace were updated. They detect potential data exfiltration via cross-domain file sharing and phishing attempts using suspicious filenames. Both rules were moved to an experimental state and had their log sourcetypes updated from gsuite:drive:json to gws:reports:drive. (Gsuite Drive Share In External Email, Gsuite Suspicious Shared File Name)
chainguard-dev/osquery-defense-kit (✎1)
✎ Modified rules
The OSQuery rule for detecting unexpected setuid files on POSIX systems was tuned to reduce false positives. The allowlist was expanded to include ssh-keysign and certain binaries with group ID 8, improving the accuracy of this privilege escalation detection. (Find unexpected setuid binaries on disk)
Personal repositories (3)
SlimKQL/Hunting-Queries-Detection-Rules (+3, ✎2)
+ New rules
New KQL queries detect tactics used by threat actors TA4557 and UNC3944. One rule identifies malicious shell link (.lnk) file creation associated with the More_Eggs backdoor by monitoring DeviceEvents. Another rule hunts for potential phishing via Microsoft Teams from external senders using social engineering keywords. (TA4557 drops More_Eggs, Spidey Senses Tingling: Sniffing Out UNC3944 on Teams)
A new KQL query helps map the external attack surface. It finds internet-facing devices by checking the ExposureGraphNodes table and correlates them with listening connections from DeviceNetworkEvents to identify exposed ports. (External Attack Surface Monitoring (EASM) KQL)
✎ Modified rules
A KQL query that detects a mail bomb attack followed by an outbound RMM connection was updated. The change restricts the mail bombing event search to the last hour, which improves query performance and focuses on immediate, correlated activities. (Social Engineering Attack (Mail Bomb followed by Social Engineered Call - Initial access via RMM Tool))
The KQL query for identifying internet-exposed devices with listening ports was updated to use the Timestamp field. This change corrects the query's function following a data schema update. (External Attack Surface Monitoring (EASM) KQL)
Neo23x0/signature-base (+3, ✎1)
+ New rules
New YARA rules were added to detect disk wiper malware across Windows and Linux. The rules identify specific PE files, Linux shell scripts, and Python-based executables by targeting unique strings, file headers, and size constraints, adding coverage for destructive malware. (MAL_WIPER_Unknown_Jun25, SUSP_LNX_SH_Disk_Wiper_Script_Jun25, SUSP_PY_PYInstaller_Swiper_Jun25)
✎ Modified rules
The MAL_WIPER_Unknown_Jun25 rule, listed above as new, was also modified in this period. It identifies the executable based on file size, the MZ header, and the presence of unique strings, including a release path and error messages about disk geometry. (MAL_WIPER_Unknown_Jun25)
lawndoc/AdvancedHuntingQueries (+1)
+ New rules
A new KQL rule detects unauthorized Cloudflare Tunnel execution. It monitors process command lines for 'tunnel run' and a token, decodes the token to extract the Cloudflare Account ID, and alerts if the ID is not an approved corporate account. This identifies potential C2 or data exfiltration channels using a legitimate service. (CloudflaredTunnel)
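The decode-and-compare step is what turns this from a generic "cloudflared ran" alert into one that tolerates the company's own tunnels. As an added example for this digest (not the lawndoc query), the Python below pulls the token out of a process command line, decodes it, extracts the account identifier and compares it with an allowlist. It assumes the tunnel token is base64-encoded JSON whose `a` key is the account tag, `t` the tunnel id and `s` the secret; the approved account value and the sample tokens are constructed placeholders.

```python
import base64
import json

# Approved Cloudflare account tags. Placeholder value; put your own here.
APPROVED_ACCOUNT_IDS = {"0123456789abcdef0123456789abcdef"}


def extract_token(args):
    """Return the value passed as --token <value> or --token=<value>, else None."""
    for i, arg in enumerate(args):
        if arg == "--token" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--token="):
            return arg.split("=", 1)[1]
    return None


def decode_token(token):
    """Decode a tunnel token.

    Assumption: base64 JSON with keys a (account tag), t (tunnel id), s (secret).
    Returns None when the value does not decode, so callers can alert on garbage.
    """
    try:
        padded = token + "=" * (-len(token) % 4)     # tolerate stripped padding
        data = json.loads(base64.b64decode(padded, validate=True))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass it
        return None
    return data if isinstance(data, dict) else None


def analyze_command_line(cmdline, approved=APPROVED_ACCOUNT_IDS):
    """Return None for non-tunnel-run commands, else a verdict dict."""
    args = cmdline.split()
    lowered = [a.lower() for a in args]
    if "tunnel" not in lowered or "run" not in lowered:
        return None
    token = extract_token(args)
    if token is None:
        return None                       # named tunnels via credentials file are out of scope here
    data = decode_token(token)
    if data is None:
        return {"account_id": None, "tunnel_id": None,
                "verdict": "alert", "reason": "token did not decode"}
    account = data.get("a")
    verdict = "allow" if account in approved else "alert"
    return {"account_id": account, "tunnel_id": data.get("t"), "verdict": verdict,
            "reason": "approved account" if verdict == "allow" else "unknown account"}


def make_sample_token(account_id, tunnel_id="11111111-2222-3333-4444-555555555555"):
    """Build a constructed token in the assumed format; the secret is a dummy value."""
    payload = {"a": account_id, "t": tunnel_id, "s": "c2VjcmV0"}
    return base64.b64encode(json.dumps(payload).encode()).decode()


if __name__ == "__main__":
    approved = make_sample_token("0123456789abcdef0123456789abcdef")
    rogue = make_sample_token("ffffffffffffffffffffffffffffffff")
    print(analyze_command_line("cloudflared.exe tunnel run --token " + approved))
    print(analyze_command_line("/usr/bin/cloudflared tunnel --no-autoupdate run --token=" + rogue))
```

The first command is allowed and the second alerts with the unknown account id attached, which gives the analyst something to pivot on. Two caveats for production use: a token that fails to decode is treated as an alert rather than ignored, since a malformed token is itself unusual, and cloudflared can also read the token from the TUNNEL_TOKEN environment variable, which a command-line-only check cannot see.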
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM, based on the system and user prompts provided. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter?
We'd be happy to help — contact us.