Detections Digest #20250707
This issue highlights key updates to detection rules from 9 GitHub repositories, including 29 new and 35 modified rules.
This week's update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Jun 30 and Jul 7, 2025, contributors added 29 new rules and updated 35 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections cover multiple stages of a Kubernetes attack. They identify reconnaissance using direct API queries, execution via remote kubectl commands, and persistence through sensitive file changes. The rules also spot defense evasions like kubectl process masquerading and the deletion of audit events. (elastic/detection-rules)
New rules focus on cloud identity and certificate-based attacks. One detects anomalous ROPC logins in Entra ID, a legacy flow that can bypass MFA, while others identify AD CS abuse through suspicious certificate authentication. Detections for risky Azure AD sign-ins from untrusted devices were also refined for accuracy. (elastic/detection-rules, anvilogic-forge/armory, SigmaHQ/sigma)
Multiple repositories added coverage for common Windows adversary tools. New Sigma rules detect the Doppelganger LSASS dumper, the HollowReaper process hollowing tool, and proxy execution with vshadow.exe. Both repositories also added rules for a Notepad++ LPE vulnerability, identifying path interception via regsvr32.exe. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Email security rules were updated to counter phishing and service abuse tactics. New detections identify misuse of Microsoft Protected Messages and SharePoint OTP notifications for credential theft. Existing rules were improved to better detect QuickBooks phishing, and OCR is now used to identify QR codes in images. (sublime-security/sublime-rules)
New and updated YARA rules add coverage for specific malware and APT groups. Rules now detect the .NET ResolverRAT and Linux ChaosRAT backdoors by matching unique bytecode and hex patterns. Signature sets for Winnti, Twisted Panda, APT28, and the Nighthawk RAT were expanded with new indicators. (reversinglabs/reversinglabs-yara-rules, Neo23x0/signature-base)
Table Of Contents
sublime-security/sublime-rules (+4, ✎7)
SigmaHQ/sigma (+4, ✎3)
Yamato-Security/hayabusa-rules (+8, ✎5)
🤖 Make updates from this digest operational:
All detection rules from this digest (and more) can be downloaded as structured, high-fidelity CTI feeds. Subscribe and integrate directly into your SIEM, TIP, or SOAR to automate threat detection and enrich your existing security data.
No sales talk, just transparent pricing, fast integration, and clear value.
Corporate repositories (7)
elastic/detection-rules (+7)
+ New rules
New rules improve the detection of adversary activity within Kubernetes environments. They identify reconnaissance via direct API queries with curl or wget, malicious execution through kubectl network commands and remote applies from URLs, persistence via sensitive configuration file modification, and defense evasion through kubectl masquerading and audit event deletion. (Kubectl Network Configuration Modification, Potential Kubectl Masquerading via Unexpected Process, Kubernetes Direct API Request via Curl or Wget, Kubernetes Sensitive Configuration File Activity, Kubernetes Events Deleted, Kubectl Apply Pod from URL)
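To make the four Kubernetes behaviours concrete, here is an added example (not Elastic's rule logic or query syntax) that runs simple process-event checks over constructed sample events. The indicators it keys on are assumptions chosen to illustrate the rule descriptions: curl/wget URLs pointing at the in-cluster API service name or port 6443, `kubectl apply -f` with an http(s) manifest, `kubectl delete` against the Events resource, and a kubectl binary executing from outside an assumed list of install directories.

```python
import re
from pathlib import PurePosixPath

# Indicators are assumptions for illustration, not Elastic's query logic.
# curl/wget URLs that address the API server: in-cluster service name or the default 6443 port.
API_URL_RE = re.compile(
    r"^https?://(?:kubernetes\.default(?:\.svc(?:\.cluster\.local)?)?|[^/\s:]+:6443)(?:[/?#]|$)",
    re.IGNORECASE,
)
# Directories where a legitimately installed kubectl is expected to live (assumed list).
EXPECTED_KUBECTL_DIRS = {"/usr/bin", "/usr/local/bin", "/bin", "/snap/bin"}
EVENT_RESOURCES = {"events", "event", "ev"}


def direct_api_request(ev):
    """Reconnaissance: curl or wget talking to the Kubernetes API directly."""
    return ev["name"] in {"curl", "wget"} and any(API_URL_RE.match(a) for a in ev["args"])


def kubectl_apply_from_url(ev):
    """Execution: kubectl apply with a remote manifest (-f/--filename pointing at http(s))."""
    args = ev["args"]
    if ev["name"] != "kubectl" or "apply" not in args:
        return False
    for i, a in enumerate(args):
        if a in ("-f", "--filename") and i + 1 < len(args):
            target = args[i + 1]
        elif a.startswith(("-f=", "--filename=")):
            target = a.split("=", 1)[1]
        else:
            continue
        if target.lower().startswith(("http://", "https://")):
            return True
    return False


def kubectl_events_deleted(ev):
    """Defense evasion: kubectl delete targeting the Events resource (audit trail removal)."""
    args = [a.lower() for a in ev["args"]]
    if ev["name"] != "kubectl" or "delete" not in args:
        return False
    return any(a in EVENT_RESOURCES or a.startswith("events.") for a in args)


def kubectl_masquerading(ev):
    """Defense evasion: a process named kubectl running from outside the expected install dirs."""
    if ev["name"] != "kubectl":
        return False
    return str(PurePosixPath(ev["exe"]).parent) not in EXPECTED_KUBECTL_DIRS


DETECTIONS = {
    "direct_api_request": direct_api_request,
    "kubectl_apply_from_url": kubectl_apply_from_url,
    "kubectl_events_deleted": kubectl_events_deleted,
    "kubectl_masquerading": kubectl_masquerading,
}


def scan(events):
    """Return (event index, detection name) for every check an event trips."""
    return [(i, name) for i, ev in enumerate(events)
            for name, check in DETECTIONS.items() if check(ev)]


# Constructed sample process-creation events (name, executable path, argv).
SAMPLE_EVENTS = [
    {"name": "curl", "exe": "/usr/bin/curl",
     "args": ["curl", "-sk", "-H", "Authorization: Bearer TOKEN",
              "https://kubernetes.default.svc/api/v1/secrets"]},
    {"name": "kubectl", "exe": "/usr/local/bin/kubectl",
     "args": ["kubectl", "apply", "-f", "https://example.invalid/pod.yaml"]},
    {"name": "kubectl", "exe": "/usr/local/bin/kubectl",
     "args": ["kubectl", "delete", "events", "--all", "-n", "kube-system"]},
    {"name": "kubectl", "exe": "/tmp/.x/kubectl", "args": ["kubectl", "get", "pods"]},
    {"name": "kubectl", "exe": "/usr/local/bin/kubectl", "args": ["kubectl", "get", "pods", "-A"]},
    {"name": "wget", "exe": "/usr/bin/wget", "args": ["wget", "https://example.invalid/file.tgz"]},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {' '.join(SAMPLE_EVENTS[idx]['args'])}")
```

The last two sample events (an ordinary `kubectl get pods -A` and a wget download from a non-API host) are there to show the checks stay quiet on routine activity; tune `EXPECTED_KUBECTL_DIRS` to where your images actually install kubectl before using the masquerading check.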
A new rule detects anomalous single-factor Resource Owner Password Credential (ROPC) logins in Microsoft Entra ID. It targets a legacy authentication flow that can bypass MFA, flagging first-time ROPC logins by a user in a 10-day period to spot potential password spraying or initial access. (Unusual ROPC Login Attempt by User Principal)
reversinglabs/reversinglabs-yara-rules (+2)
+ New rules
New YARA rules were added to detect two separate backdoors. One rule targets the .NET-based ResolverRAT on Windows by identifying specific bytecode patterns in PE files. The other rule detects the Linux variant of ChaosRAT by matching hexadecimal sequences related to its functions in ELF files. (ByteCode_MSIL_Backdoor_ResolverRAT, Linux_Backdoor_ChaosRAT)
sublime-security/sublime-rules (+4, ✎7)
+ New rules
New rules detect credential phishing attempts misusing Microsoft services. One rule targets emails with Microsoft Protected Message attachments where the sender and recipient are identical. Another identifies malicious SharePoint OTP notifications where the shared document name matches the sending organization's name. (Link: Microsoft Protected Message with Matching Sender and Recipient Addresses, SharePoint OTP for Filename Matching Org Name)
Two rules were added to detect specific phishing infrastructure. One identifies the use of a known open redirect vulnerability on a specific domain. The other detects a phishing kit used by the Iranian Educated Manticore actor by correlating low-reputation TLDs with specific strings in the destination page's content. (Open Redirect: queue.swytchbike.com, Suspicious Link to TLD with Iranian Manticore Signals)
✎ Modified rules
Multiple rules targeting abuse of legitimate services were updated. Detection for QuickBooks phishing was refactored to use precise XPath queries on HTML content. The Notion abuse rule now monitors the 'notion.site' domain. The Meta impersonation rule was simplified to focus on primary indicators like logos and sender details. (Service Abuse: QuickBooks Notification with Suspicious Comments, Notion suspicious file share, Brand Impersonation: Meta and Subsidiaries)
Detection for threats within images and documents was improved through Optical Character Recognition (OCR). One rule now uses OCR to find keywords related to QR codes in images. Another rule was updated to better identify malicious auto-generated PDFs by expanding pattern matching and adding OCR checks for specific phrases. (Attachment: Suspicious PDF Created With Headless Browser, QR Code with suspicious indicators)
Detection for specific social engineering pretexts was refined. The password-expiration phishing rule now better identifies spoofed internal senders by checking for SPF failures. The photo-sharing spam rule was updated to detect a new variant using specific link obfuscation from free email providers. (Credential Phishing: Fake Password Expiration from New and Unsolicited sender, Spam: Fake photo share)
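As an added example of the two Microsoft-service lures described under the new rules (this is not Sublime's MQL or the repository's own logic), the snippet below parses constructed raw MIME messages with Python's email module and applies two checks: a Protected Message whose sender and sole recipient are the same address, and a SharePoint notification whose shared filename, once normalised, equals the sending organisation's name. The `.rpmsg` attachment extension, the `sharepointonline.com` sender domain, the "X via ORG" display-name form and the `shared "file" with you` wording are all assumptions used to build the sample.

```python
import os
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumed indicators used to build this example; adjust to observed notification formats.
RPMSG_EXT = ".rpmsg"                              # assumed attachment type of a Protected Message
SHAREPOINT_SENDER_DOMAIN = "sharepointonline.com"  # assumed notification sender domain
SHARE_RE = re.compile(r'shared\s+"([^"]+)"\s+with you', re.IGNORECASE)  # assumed wording
OTP_RE = re.compile(r"verification code|one-time (?:pass)?code", re.IGNORECASE)


def _norm_name(s):
    """Lower-case and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def self_addressed_protected_message(msg):
    """From address equals the only To address, and an .rpmsg attachment is present."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if not sender or recipients != {sender}:
        return False
    return any((p.get_filename() or "").lower().endswith(RPMSG_EXT)
               for p in msg.iter_attachments())


def sharepoint_otp_filename_matches_org(msg):
    """SharePoint OTP notification whose shared filename is the sending org's name."""
    display, addr = parseaddr(msg.get("From", ""))
    if not addr.lower().endswith("@" + SHAREPOINT_SENDER_DOMAIN):
        return False
    org = display.split(" via ", 1)[-1].strip()  # "Pat Lee via Contoso Ltd" -> "Contoso Ltd"
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if not OTP_RE.search(text):
        return False
    return any(_norm_name(os.path.splitext(fname)[0]) == _norm_name(org)
               for fname in SHARE_RE.findall(text))


CHECKS = {
    "self_addressed_protected_message": self_addressed_protected_message,
    "sharepoint_otp_filename_matches_org": sharepoint_otp_filename_matches_org,
}


def classify(raw):
    """Parse a raw RFC 5322 message and return the names of the checks it trips."""
    msg = message_from_string(raw, policy=policy.default)
    return [name for name, check in CHECKS.items() if check(msg)]


# Constructed sample messages.
PROTECTED_SELF_SEND = """\
From: Pat Lee <pat.lee@example.com>
To: pat.lee@example.com
Subject: Pat Lee has sent you a protected message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attachment to read the protected message.
--b1
Content-Type: application/octet-stream; name="message.rpmsg"
Content-Disposition: attachment; filename="message.rpmsg"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

SHAREPOINT_OTP_LURE = """\
From: Pat Lee via Contoso Ltd <no-reply@sharepointonline.com>
To: sam@example.com
Subject: Pat Lee shared "Contoso Ltd.pdf" with you
Content-Type: text/plain; charset="utf-8"

To open the file, enter the verification code we will send to your mailbox.
"""

SHAREPOINT_BENIGN = SHAREPOINT_OTP_LURE.replace("Contoso Ltd.pdf", "Q3 Budget.xlsx")

if __name__ == "__main__":
    for label, raw in [("protected", PROTECTED_SELF_SEND), ("otp lure", SHAREPOINT_OTP_LURE),
                       ("benign share", SHAREPOINT_BENIGN)]:
        print(label, "->", classify(raw))
```

The normalisation step (strip the extension, then keep only letters and digits) is what lets "Contoso Ltd.pdf" match an organisation named "Contoso Ltd"; the benign sample with an ordinary filename passes through untouched.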
anvilogic-forge/armory (+3)
+ New rules
Two new rules detect Active Directory Certificate Services (AD CS) abuse. One rule identifies suspicious certificate-based Kerberos authentication, and another monitors for modifications to AD CS security settings and templates. Together, they target the creation and use of malicious certificates for unauthorized access. (Suspicious Certificate Authentication, Suspicious Certificate Modification)
A new rule detects when a guest user is invited to an Azure Active Directory tenant. It monitors Azure activity logs for external user invitations, which adversaries can use to establish persistence in a cloud environment. (Azure External Invite)
SigmaHQ/sigma (+4, ✎3)
+ New rules
New rules detect multiple adversary tools and techniques on Windows. Coverage now includes the Doppelganger hacktool for LSASS memory dumping, the HollowReaper tool for process hollowing, and the use of vshadow.exe for proxy execution as a LOLBAS. (Proxy Execution via Vshadow, HackTool - Doppelanger LSASS Dumper Execution, HackTool - HollowReaper Execution)
A new rule detects potential exploitation of a local privilege escalation vulnerability, CVE-2025-49144, in Notepad++ installers. The detection identifies regsvr32.exe running from an illegitimate directory, a sign of path interception. (Potential Notepad++ CVE-2025-49144 Exploitation)
✎ Modified rules
A new rule detects the use of the macOS hdiutil utility to mount disk images. This addresses a common adversary technique for payload delivery by monitoring process creation events for hdiutil with attach or mount arguments. (Disk Image Mounting Via Hdiutil - MacOS)
Detection for COM hijacking persistence on Windows was expanded. The rule now monitors three additional CLSIDs for malicious registry modifications, improving its ability to spot malware registering itself as a COM server in suspicious file locations. (COM Object Hijacking Via Modification Of Default System CLSID Default Value)
The rule for detecting risky Azure AD sign-ins from untrusted devices was refined. It now more accurately identifies non-registered devices by checking for both empty and null DeviceDetail.trusttype values, reducing gaps in spotting single-factor authentications. (Suspicious SignIns From A Non Registered Device)
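The two Entra ID sign-in detections in this issue, the Elastic ROPC new-term rule above and the Sigma non-registered-device refinement just described, both operate on the same sign-in log fields, so one added example covers both. This is illustrative code written for this digest, not either project's rule logic; it works on constructed records shaped like Microsoft Graph `signIn` objects (`authenticationProtocol`, `authenticationRequirement`, `deviceDetail.trustType`). The first function flags a single-factor ROPC sign-in when the user has no earlier ROPC sign-in within the preceding 10 days; the second shows the gap the Sigma update closes, by putting a check that tests only for an empty `trustType` next to one that also treats a null or missing value as non-registered.

```python
from datetime import datetime, timedelta

ROPC_NEW_TERM_WINDOW = timedelta(days=10)
SINGLE_FACTOR = "singleFactorAuthentication"


def _ts(ev):
    return datetime.fromisoformat(ev["createdDateTime"].replace("Z", "+00:00"))


def unusual_ropc_logins(events):
    """Single-factor ROPC sign-ins with no earlier ROPC sign-in by that user in the prior 10 days."""
    last_ropc = {}
    hits = []
    for ev in sorted(events, key=_ts):
        if (ev.get("authenticationProtocol") or "").lower() != "ropc":
            continue
        if ev.get("authenticationRequirement") != SINGLE_FACTOR:
            continue
        user = ev["userPrincipalName"].lower()
        now = _ts(ev)
        prev = last_ropc.get(user)
        if prev is None or now - prev > ROPC_NEW_TERM_WINDOW:
            hits.append((user, ev["createdDateTime"]))
        last_ropc[user] = now
    return hits


def _trust_type(ev):
    # deviceDetail itself may be missing; a missing or null trustType comes back as None.
    return (ev.get("deviceDetail") or {}).get("trustType")


def naive_non_registered_device_sign_ins(events):
    """The narrower check: only an empty-string trustType counts as non-registered."""
    return [ev["userPrincipalName"] for ev in events
            if ev.get("authenticationRequirement") == SINGLE_FACTOR and _trust_type(ev) == ""]


def non_registered_device_sign_ins(events):
    """The refined check: empty OR null/missing trustType counts as non-registered."""
    return [ev["userPrincipalName"] for ev in events
            if ev.get("authenticationRequirement") == SINGLE_FACTOR and not _trust_type(ev)]


# Constructed sample records (subset of Graph signIn fields).
SAMPLE_SIGN_INS = [
    {"createdDateTime": "2025-07-01T08:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "ropc", "authenticationRequirement": SINGLE_FACTOR,
     "deviceDetail": {"trustType": "Azure AD joined"}},
    {"createdDateTime": "2025-07-03T08:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "ropc", "authenticationRequirement": SINGLE_FACTOR,
     "deviceDetail": {"trustType": "Azure AD joined"}},   # 2 days later: not new
    {"createdDateTime": "2025-07-20T09:00:00Z", "userPrincipalName": "alice@example.com",
     "authenticationProtocol": "ropc", "authenticationRequirement": SINGLE_FACTOR,
     "deviceDetail": {"trustType": "Azure AD joined"}},   # 17 days later: new again
    {"createdDateTime": "2025-07-02T10:00:00Z", "userPrincipalName": "bob@example.com",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": "multiFactorAuthentication",
     "deviceDetail": {"trustType": None}},                # MFA: out of scope
    {"createdDateTime": "2025-07-02T11:00:00Z", "userPrincipalName": "carol@example.com",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": SINGLE_FACTOR,
     "deviceDetail": {}},                                 # trustType absent (null in the log)
    {"createdDateTime": "2025-07-02T12:00:00Z", "userPrincipalName": "dave@example.com",
     "authenticationProtocol": "oAuth2", "authenticationRequirement": SINGLE_FACTOR,
     "deviceDetail": {"trustType": ""}},                  # trustType present but empty
]

if __name__ == "__main__":
    print("unusual ROPC:", unusual_ropc_logins(SAMPLE_SIGN_INS))
    print("naive non-registered:", naive_non_registered_device_sign_ins(SAMPLE_SIGN_INS))
    print("refined non-registered:", non_registered_device_sign_ins(SAMPLE_SIGN_INS))
```

Carol's record is the case that matters: her `trustType` is simply not present, so the empty-string check misses her while the refined check reports her alongside Dave.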
Yamato-Security/hayabusa-rules (+8, ✎5)
+ New rules
Two new rules detect potential exploitation of the Notepad++ installer vulnerability, CVE-2025-49144. The detection logic identifies regsvr32.exe running from non-standard directories to register NppShell.dll, a specific behavior of this local privilege escalation exploit. (Potential Notepad++ CVE-2025-49144 Exploitation, Potential Notepad++ CVE-2025-49144 Exploitation)
New rules identify proxy execution via the VShadow tool. Detection is based on process creation events where vshadow.exe is run with the -exec parameter to execute a malicious command or script. (Proxy Execution via Vshadow, Proxy Execution via Vshadow)
New detection coverage was added for the HollowReaper hacktool, used for process hollowing. The rules identify the tool's execution by its process name, HollowReaper.exe, to spot malicious code running within another process. (HackTool - HollowReaper Execution, HackTool - HollowReaper Execution)
Two new rules detect the Doppelganger hacktool, used for LSASS memory dumping and credential theft. Detection identifies the tool's process name, Doppelganger.exe, or its known IMPHASH values. (HackTool - Doppelanger LSASS Dumper Execution, HackTool - Doppelanger LSASS Dumper Execution)
✎ Modified rules
Detection for persistence via COM hijacking is expanded in two rules. Both were updated to monitor for modifications to additional, known-abused system CLSIDs, improving coverage against this technique. (COM Object Hijacking Via Modification Of Default System CLSID Default Value, COM Object Hijacking Via Modification Of Default System CLSID Default Value)
Two rules for detecting malicious use of the native Windows ssh.exe client were made more accurate. The updates add checks for the 'OpenSSH for Windows' product name and known IMPHASH values, reducing false positives from unrelated executables named ssh.exe. (Program Executed Using Proxy/Local Command Via SSH.EXE, Program Executed Using Proxy/Local Command Via SSH.EXE)
Coverage for the 'FileFix' social engineering technique is extended. The rule now detects cmd.exe as a suspicious child process spawned from web browsers, a known pattern in this attack where users are tricked into executing malicious commands. (FileFix - Suspicious Child Process from Browser File Upload Abuse)
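The Windows process-creation rules summarised in the SigmaHQ and hayabusa-rules sections above (vshadow.exe with -exec, regsvr32.exe path interception for CVE-2025-49144, hacktool process names, the ssh.exe product-name refinement, and the FileFix browser-to-cmd.exe chain) all read the same few fields of a Sysmon-style event, so one added example covers them. This is illustrative Python written for this digest, not the Sigma or hayabusa rule bodies; the browser list, the legitimate regsvr32.exe directories and the sample events are constructed assumptions, and the IMPHASH values the rules carry are omitted because the digest does not list them.

```python
import ntpath
import re

# Assumed reference sets for illustration.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}   # where regsvr32.exe belongs
HACKTOOL_NAMES = {"doppelganger.exe", "hollowreaper.exe"}
SSH_PROXY_RE = re.compile(r"(?:proxy|local)command\s*=", re.IGNORECASE)
VSHADOW_EXEC_RE = re.compile(r"(?<!\S)-exec=", re.IGNORECASE)


def _image(ev):
    return ntpath.basename(ev["Image"]).lower()


def _parent(ev):
    return ntpath.basename(ev.get("ParentImage", "")).lower()


def vshadow_proxy_execution(ev):
    """vshadow.exe used as a LOLBAS: -exec= runs an arbitrary command."""
    return _image(ev) == "vshadow.exe" and VSHADOW_EXEC_RE.search(ev["CommandLine"]) is not None


def notepadpp_cve_2025_49144(ev):
    """regsvr32.exe outside System32/SysWOW64 registering NppShell.dll (path interception)."""
    if _image(ev) != "regsvr32.exe":
        return False
    outside_system = ntpath.dirname(ev["Image"]).lower() not in SYSTEM_DIRS
    return outside_system and "nppshell" in ev["CommandLine"].lower()


def hacktool_by_name(ev):
    """Known dumper / hollowing tool executed under its default filename."""
    return _image(ev) in HACKTOOL_NAMES


def ssh_proxy_command(ev):
    """ssh.exe with ProxyCommand/LocalCommand, only for the genuine OpenSSH for Windows binary."""
    if _image(ev) != "ssh.exe" or not SSH_PROXY_RE.search(ev["CommandLine"]):
        return False
    return ev.get("Product") == "OpenSSH for Windows"   # the false-positive fix from the digest


def filefix_browser_child(ev):
    """cmd.exe spawned directly by a web browser."""
    return _parent(ev) in BROWSERS and _image(ev) == "cmd.exe"


DETECTIONS = {
    "vshadow_proxy_execution": vshadow_proxy_execution,
    "notepadpp_cve_2025_49144": notepadpp_cve_2025_49144,
    "hacktool_by_name": hacktool_by_name,
    "ssh_proxy_command": ssh_proxy_command,
    "filefix_browser_child": filefix_browser_child,
}


def scan(events):
    """Return (event index, detection name) for every check an event trips."""
    return [(i, name) for i, ev in enumerate(events)
            for name, check in DETECTIONS.items() if check(ev)]


# Constructed sample events (Sysmon event ID 1 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\vshadow.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vshadow.exe -nw -exec=C:\Users\Public\run.cmd C:"},
    {"Image": r"C:\Users\pat\Downloads\regsvr32.exe", "ParentImage": r"C:\Users\pat\Downloads\npp.Installer.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Notepad++\NppShell.dll"'},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Users\pat\Downloads\npp.Installer.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Notepad++\NppShell.dll"'},   # legitimate
    {"Image": r"C:\Users\pat\AppData\Local\Temp\Doppelganger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "Doppelganger.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ssh.exe -o ProxyCommand=placeholder.exe host", "Product": "OpenSSH for Windows"},
    {"Image": r"C:\Users\pat\Tools\ssh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ssh.exe -o ProxyCommand=placeholder.exe host", "Product": "Unrelated Tool"},   # renamed binary
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": 'cmd.exe /c "placeholder command"'},
]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Events 2 and 5 are the deliberate negatives: regsvr32.exe from System32 with the same command line is normal installer behaviour, and an unrelated executable named ssh.exe no longer trips the proxy-command check once the product name is required.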
magicsword-io/LOLDrivers (✎3)
✎ Modified rules
Detection for malicious and vulnerable driver loading is improved through updates to multiple rules. These rules identify privilege escalation attempts by monitoring for Windows driver load events. The updates refresh detection signatures, including lists of known malicious driver filenames sourced from the LOLDrivers project, and add numerous new file hashes and IMPHASH values for known threats. (Malicious Driver Load By Name, Vulnerable Driver Load By Name, Malicious Driver Load Despite HVCI)
Personal repositories (2)
Neo23x0/signature-base (✎17)
✎ Modified rules
A set of YARA rules adds broad coverage for the Winnti APT group. Detections target various components, including rootkits, drivers, and DLLs. The rules identify malware through specific strings, such as fraudulent certificate subjects, driver filenames, and registry paths, as well as unique hexadecimal code patterns. One hex pattern was adjusted for better matching. (Winnti_signing_cert, Winnti_malware_Nsiproxy, Winnti_malware_UpdateDLL, Winnti_malware_FWPK, APT_Winnti_MAL_Dec19_3)
New and updated rules target malware from the Twisted Panda APT. Detections identify the group's droppers, loaders, and SPINNER backdoors. The logic relies on byte sequences from decryption routines, API call patterns, and characteristic stack strings. One rule's byte pattern was widened to cover more loader variants. (APT_CN_TwistedPanda_droppers, APT_CN_TwistedPanda_SPINNER_2)
Detection coverage for Russian APT malware is expanded. Multiple rules target variants of the APT28 'Downrage' implant by identifying specific hexadecimal byte patterns, including XOR loops and encoding routines. A related rule for the APT29 'Onion Duke' implant was refined to correctly validate PE file headers. (IMPLANT_9_v1)
Two YARA rules now detect the Nighthawk RAT. One identifies beacons using specific byte sequences, while the other uses a mix of byte patterns and PE section names like '.profile'. An update to one rule corrects its condition logic for compatibility with newer YARA versions. (EXT_HKTL_Nighthawk_RAT, HKTL_MAL_Nighthawk_Nov_2022_1)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL rule detects the deletion of Windows Prefetch files. It monitors command-line activity for the use of del targeting the C:\Windows\Prefetch directory and .pf files, aiming to spot a common defense evasion technique. (Detect the removal of evidence on executed programs)
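As an added example of the command-line logic this rule describes (written for this digest in Python rather than KQL, and not the repository's own query), the function below matches a deletion verb followed, before any `&` or `|` command separator, by a target inside a `\Prefetch\` directory or ending in `.pf`. The verb list (del, erase, Remove-Item and its rm/ri aliases), the separator handling and the sample command lines are constructed assumptions; the separator check is there so that a benign `del` chained with an unrelated reference to the Prefetch folder does not count.

```python
import re

# One deletion verb, then anything up to a command separator, then a Prefetch-directory or .pf target.
# Verb list and separator set are assumptions for illustration.
PREFETCH_DELETE_RE = re.compile(
    r"(?<![\w-])(?P<verb>del|erase|remove-item|rm|ri)\b[^&|]*?"
    r"(?P<target>\S*(?:prefetch\\|\.pf\b)\S*)",
    re.IGNORECASE,
)


def detect_prefetch_deletion(command_line):
    """Return {'verb', 'target'} when the command line deletes Prefetch evidence, else None."""
    m = PREFETCH_DELETE_RE.search(command_line)
    if not m:
        return None
    return {"verb": m.group("verb").lower(), "target": m.group("target").strip("'\"")}


def scan(command_lines):
    """Return (index, match) for every command line that trips the check."""
    return [(i, hit) for i, cl in enumerate(command_lines)
            if (hit := detect_prefetch_deletion(cl)) is not None]


# Constructed sample command lines.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c del /q /f C:\Windows\Prefetch\*.pf",
    r'''powershell.exe -nop -w hidden -c "Remove-Item -Path 'C:\Windows\Prefetch\*.pf' -Force"''',
    r"cmd.exe /c del /q %SystemRoot%\Prefetch\CMD.EXE-0BD30981.pf",
    r"cmd.exe /c del C:\Users\pat\Downloads\report.pdf",          # .pdf is not .pf
    r"cmd.exe /c dir C:\Windows\Prefetch",                         # no deletion verb
    r"cmd.exe /c del C:\temp\a.txt & type C:\Windows\Prefetch\x.pf",  # del target is unrelated
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {hit['verb']} -> {hit['target']}")
```

The `%SystemRoot%` sample shows why the match is anchored on `\Prefetch\` rather than the literal `C:\Windows` prefix: the directory can be reached through environment variables, junctions or a different system drive letter.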
Feedback
Your feedback helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.