Detections Digest #20250714
The issue covers key changes from 6 GitHub repos between July 7 and July 14, 2025, including 30 new and 72 modified detection rules.
This week's update highlights the most significant changes to detection rules from 6 of the 40+ monitored GitHub repositories. Between Jul 7 and Jul 14, 2025, contributors added 30 new rules and updated 72 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections for Kerberos coercion attacks, some linked to CVE-2025-33073, were added across multiple repositories. The rules use a layered approach, identifying a specific base64-encoded pattern associated with SPN spoofing. Coverage spans multiple telemetry sources, including process command lines, Active Directory DNS object modifications, and both Windows and Zeek DNS query logs. This strategy provides broad detection for the credential access technique. (
SigmaHQ/sigma
,Yamato-Security/hayabusa-rules
)A large set of new detections was added based on Cisco Network Visibility Module (NVM) telemetry. These rules correlate process execution with network activity to identify abuse of scripting engines, payload downloads, and data exfiltration. Coverage includes mshta.exe execution, curl with insecure flags, and anomalous connections from system processes without arguments. This introduces a new angle for detecting TTPs by combining process and network data. (
splunk/security_content
)A general tuning effort focused on reducing false positives in Windows endpoint detections for process injection, persistence, and PowerShell. Rules for remote thread creation were updated with more specific filters for legitimate inter-process activity from Microsoft Office and system components. Detections for persistence via registry and scheduled tasks now exclude known good processes like RuntimeBroker.exe. PowerShell rules were also refined to ignore legitimate Defender for Endpoint activity. (
Yamato-Security/hayabusa-rules
,SigmaHQ/sigma
,elastic/detection-rules
)New email security rules target phishing that uses newly registered domains or abuses legitimate services like catbox.moe and JotForm. Existing brand impersonation detections for Booking.com, Meta, and AMEX were refined with new keywords and URL patterns. Service abuse coverage for Zoom Docs and SharePoint was also expanded. Business Email Compromise rules are now more accurate, using DMARC status to identify spoofing. (
sublime-security/sublime-rules
)New rules target threats specific to Azure and Microsoft 365 environments. One detection identifies the TeamFiltration tool by its user-agent string during enumeration or password spraying attacks. Another rule detects suspicious OAuth grants in Entra ID, looking for 'user_impersonation' scope grants in unbound sessions after single-factor authentication. (
elastic/detection-rules
)
🤖 Make updates from this digest operational!
All detection rules from this digest (and more) are available as intel feeds: MISP or STIX/TAXII. Subscribe and integrate directly into your SIEM, TIP, or SOAR to automate threat detection and enrich your existing security data.
No sales talk, just clear value, transparent pricing, and fast integration.
Table Of Contents
sublime-security/sublime-rules (+3, ✎12)
Yamato-Security/hayabusa-rules (+6, ✎15)
splunk/security_content (+15, ✎5)
elastic/detection-rules (+2, ✎24)
SigmaHQ/sigma (+4, ✎12)
Corporate repositories (5)
sublime-security/sublime-rules (+3, ✎12)
+ New rules
Three new rules detect inbound email threats. One rule identifies phishing attempts using newly registered domains for both the sender and linked content by checking domain age. Two other rules target abuse of legitimate online services: one detects malicious links to the catbox.moe file host, and another identifies credential phishing via JotForm by inspecting landing page content. (Newly Registered Sender or Reply-To Domain with Newly Registered Linked Domain, Catbox.moe Link From Untrusted Source, Link: Multistage Landing - JotForm Abuse)
✎ Modified rules
Detection for brand impersonation attacks targeting Booking.com, Meta, and American Express was improved. Updates include adding new keywords and URL patterns like '/redir' and 'rebrand.ly', refining regex for display names to better match variations, and lowering an ML topic model's confidence threshold to identify a wider range of phishing attempts. (Brand Impersonation: Booking.com, Brand Impersonation: Meta and Subsidiaries, Brand impersonation: American Express (AMEX))
Coverage for phishing attacks using legitimate services was broadened. Updates add logic to inspect for suspicious link redirections from Zoom Docs, identify additional Microsoft protected message URL paths, and detect social engineering keywords like 'kindly' in attacks that use SharePoint. (Service Abuse: Suspicious Zoom Docs Link, Link: Microsoft Protected Message with Matching Sender and Recipient Addresses, Link: Secure SharePoint file share from new or unusual sender)
Two rules targeting Business Email Compromise were refined for accuracy. One now incorporates DMARC authentication status to detect sophisticated spoofing of trusted domains. The other reduces false positives by excluding alerts where a VIP is the sole recipient of an email impersonating them. (Employee impersonation with urgent request (untrusted sender), VIP / Executive impersonation in subject (untrusted))
Rules targeting specific phishing lures were refined. Detection for voicemail-themed attacks now includes the term 'voice note'. Spam detection for photo-sharing pretexts is more focused on link-based threats by requiring zero attachments. A rule for encrypted PDFs now uses a more specific sender profiling method. (Fake voicemail notification (untrusted sender), Spam: Fake photo share, Attachment: Encrypted PDF With Credential Theft Body)
Yamato-Security/hayabusa-rules (+6, ✎15)
+ New rules
New rules provide layered detection for Kerberos coercion attacks related to CVE-2025-33073. They identify a specific base64-encoded pattern associated with SPN spoofing across different telemetry, including process command lines, Active Directory DNS object modifications, and Sysmon DNS queries. This approach gives broad coverage for this credential access technique. (Attempts of Kerberos Coercion Via DNS SPN Spoofing, Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation, Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing, Attempts of Kerberos Coercion Via DNS SPN Spoofing)
Two new rules detect the 'FileFix' social engineering technique. They monitor for web browsers writing to the 'TypedPaths' registry key, specifically looking for values that contain a '#' character and names of command-line utilities. This pattern indicates a user was likely tricked into executing commands through a file dialog box. (FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse, FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse)
✎ Modified rules
Multiple rules detecting persistence through registry and scheduled task modifications were refined. Updates focus on reducing false positives by adding filter exclusions for legitimate processes like RuntimeBroker.exe across various detections for ASEPs, internet settings, and task cache changes. (Modification of IE Registry Settings, Scheduled TaskCache Change by Uncommon Program, CurrentVersion NT Autorun Keys Modification, CurrentVersion NT Autorun Keys Modification, Modification of IE Registry Settings, Scheduled TaskCache Change by Uncommon Program)
Four rules that detect process injection using Sysmon remote thread creation events (EID 8) were updated. The changes introduce more specific filter conditions to reduce false positives by excluding known legitimate inter-process activity from Microsoft Office applications, installers, and standard Windows shells. (Rare Remote Thread Creation By Uncommon Source Image, Remote Thread Creation By Uncommon Source Image, Remote Thread Creation In Uncommon Target Image, Remote Thread Created In Shell Application)
Two rules targeting potential exploitation of a Sysmon privilege escalation vulnerability, CVE-2022-41120, were improved. Both rules now use more precise filters to exclude legitimate Sysmon process creations originating from user temporary directories, reducing noise while maintaining detection of anomalous parent-child relationships. (Suspicious Sysmon as Execution Parent, Suspicious Sysmon as Execution Parent)
The rule for detecting AS-REP Roasting attacks was corrected. A fix to an event field name (PreAuthType
) ensures the rule properly identifies Kerberos TGT requests with disabled pre-authentication, improving its ability to detect this credential access technique. (Potential AS-REP Roasting via Kerberos TGT Requests)
Detections for suspicious execution patterns were tuned. A rule for PowerShell creating files now covers powershell_ise.exe
and filters legitimate module installations. A separate rule for anomalous userinit.exe
child processes now excludes events with null image paths to reduce noise. (Potential Binary Or Script Dropper Via PowerShell, Suspicious Userinit Child Process)
splunk/security_content (+15, ✎5)
+ New rules
Multiple new rules detect the abuse of Windows scripting engines and utilities for code execution. Detections target mshta.exe and rundll32.exe executing obfuscated HTML applications, scripts spawned from archive utilities, and msxsl.exe making outbound network connections. These rules use Cisco NVM data to correlate process execution with network activity. (Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI, Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download, Cisco NVM - Susp Script From Archive Triggering Network Activity, Cisco NVM - Suspicious Network Connection Initiated via MsXsl)
Detection coverage is added for various payload acquisition techniques. New rules identify downloads using curl.exe with disabled certificate validation, LOLBins connecting to file-sharing sites, headless browsers, compromised web servers, and pip installing known typosquatted packages. All analytics are based on Cisco NVM flow data. (Cisco NVM - Curl Execution With Insecure Flags, Cisco NVM - Suspicious Download From File Sharing Website, Cisco NVM - Suspicious File Download via Headless Browser, Cisco NVM - Webserver Download From File Sharing Website, Cisco NVM - Installation of Typosquatted Python Package)
Two rules target anomalous network activity from legitimate Windows processes. One detects outbound connections from binaries not typically associated with networking, like notepad.exe. The other flags system processes like svchost.exe making network connections without command-line arguments, a common sign of process injection for C2. (Cisco NVM - Non-Network Binary Making Network Connection, Cisco NVM - Suspicious Network Connection From Process With No Args)
New analytics identify network patterns related to C2, data exfiltration, and reconnaissance. Coverage includes outbound connections to non-standard ports used by C2 frameworks, rclone.exe activity indicative of exfiltration to cloud services, and reconnaissance via IP lookup services by non-browser processes. (Cisco NVM - Outbound Connection to Suspicious Port, Cisco NVM - Rclone Execution With Network Activity, Cisco NVM - Suspicious Network Connection to IP Lookup Service API)
A new rule processes, normalizes, and enriches CrowdStrike Falcon alerts within Splunk. It focuses on DetectionSummaryEvent and IdpDetectionSummaryEvent types to standardize data and create investigative drilldowns, improving alert triage from this source. (CrowdStrike Falcon Stream Alerts)
✎ Modified rules
Three rules that monitor Cisco Secure Firewall logs were updated to cover more log variations. The changes add 'Trust', 'allowed', and 'Block with reset' as monitored connection actions. This improves detection of outbound connections from curl or wget, traffic to known malicious file-sharing sites, and blocked network attempts. (Cisco Secure Firewall - Blocked Connection, Cisco Secure Firewall - Wget or Curl Download, Cisco Secure Firewall - Connection to File Sharing Domain)
Detections using Cisco Network Visibility Module (NVM) data were improved. The rule for identifying known attacker tools now supports NVM as a data source. The rule that finds typosquatted Python package installations was modified to prevent incorrect alert grouping, giving more precise details for each package. (Attacker Tools On Endpoint, Cisco NVM - Installation of Typosquatted Python Package)
elastic/detection-rules (+2, ✎24)
+ New rules
A new rule detects anomalous OAuth grants in Entra ID. It identifies when a user, after single-factor authentication, grants 'user_impersonation' scope in an unbound session, a pattern indicative of token abuse for unauthorized access. (Suspicious Entra ID OAuth User Impersonation Scope Detected)
A new detection identifies the TeamFiltration tool targeting Microsoft Azure and M365. The rule inspects sign-in and audit logs for user-agent strings characteristic of the tool to spot enumeration or password spraying attacks. (TeamFiltration User-Agents Detected)
✎ Modified rules
A set of rules for Kubernetes security were updated, primarily with investigation guides. Detections cover forbidden API requests, deletion of audit events, network configuration changes via kubectl, direct API access with tools like curl, remote configuration application using kubectl apply
, and unauthorized kubeconfig file modification. (Forbidden Request from Unusual User Agent in Kubernetes, Kubernetes Events Deleted, Kubectl Network Configuration Modification, Kubernetes Direct API Request via Curl or Wget, Kubectl Apply Pod from URL, Kubeconfig File Creation or Modification)
Multiple Linux detections were updated with investigation guides. These rules identify various adversary techniques, including SSH tunneling, process memory dumping, command-line obfuscation, kernel parameter manipulation, LD_PRELOAD
hijacking, cgroup release_agent abuse (CVE-2022-0492), data exfiltration with curl, and suspicious child processes of the kernel thread daemon. (Potential Linux Tunneling and/or Port Forwarding via SSH Option, Manual Memory Dumping via Proc Filesystem, Potential Hex Payload Execution via Command-Line, Suspicious Kernel Feature Activity, Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments, Docker Release File Creation, Potential Data Exfiltration Through Curl, Unusual Execution from Kernel Thread (kthreadd) Parent)
Detections for malicious PowerShell activity were improved. Four rules targeting obfuscation via high numeric content, IEX reconstruction, character arrays, and string concatenation received investigation guides. Two other rules for in-memory PE loading and process injection were tuned to reduce false positives by excluding Microsoft Defender for Endpoint activity. (Potential PowerShell Obfuscation via High Numeric Character Proportion, Potential Dynamic IEX Reconstruction via Environment Variables, Potential PowerShell Obfuscation via Character Array Reconstruction, Potential PowerShell Obfuscation via String Concatenation, Suspicious .NET Reflection via PowerShell, Potential Process Injection via PowerShell)
Three machine learning rules for detecting anomalous activity were updated. Two rules for Okta, which identify privileged operations from uncommon devices and spikes in group changes, received new investigation guides. A rule detecting unusual volumes of Windows user account management events was updated for wider compatibility. (Unusual Host Name for Okta Privileged Operations Detected, Spike in Group Lifecycle Change Events, Spike in User Account Management Events)
The rule that detects the first-time modification of a scheduled task by a user on a host received a new investigation guide. This detection helps identify a common persistence technique by flagging novel update events while excluding routine system account activity. (Unusual Scheduled Task Update)
SigmaHQ/sigma (+4, ✎12)
+ New rules
Four new rules detect Kerberos coercion attacks, some linked to CVE-2025-33073. All rules search for a specific base64 pattern ('UWhRCA...BAAAA') indicating a marshaled CREDENTIAL_TARGET_INFORMATION structure. This provides defense-in-depth by monitoring Zeek DNS logs, Windows Active Directory modifications, Windows DNS queries, and process command lines for this malicious activity. (Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network, Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation, Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing, Attempts of Kerberos Coercion Via DNS SPN Spoofing)
✎ Modified rules
Four rules that detect process injection via remote thread creation were updated to reduce false positives. The changes add numerous filters for legitimate behaviors, such as thread creation by system components like winlogon.exe, msiexec.exe, and explorer.exe, improving the accuracy of these detections. (Remote Thread Created In Shell Application, Rare Remote Thread Creation By Uncommon Source Image, Remote Thread Creation In Uncommon Target Image, Remote Thread Creation By Uncommon Source Image)
Three rules targeting persistence via Windows Registry modifications were updated for better accuracy. New filters were added to exclude legitimate changes made by common processes like RuntimeBroker.exe, svchost.exe, and MicrosoftEdgeUpdate.exe to autorun, scheduled task, and internet settings keys. (Modification of IE Registry Settings, Scheduled TaskCache Change by Uncommon Program, CurrentVersion NT Autorun Keys Modification)
Detection of malicious PowerShell activity is improved. One rule now identifies the 'Invoke-PowerDPAPI.ps1' script. Another rule now monitors 'powershell_ise.exe' for suspicious file creation and adds filters to ignore benign writes during module and package installations. (Malicious PowerShell Scripts - FileCreation, Potential Binary Or Script Dropper Via PowerShell)
Two rules detecting anomalous child processes of trusted parents, 'Sysmon.exe' and 'userinit.exe', were tuned to reduce noise. The updates add more specific filters for processes running from temporary directories or events with null image paths, improving detection of potential exploitation like CVE-2022-41120. (Suspicious Sysmon as Execution Parent, Suspicious Userinit Child Process)
The rule for detecting Active Directory reconnaissance, commonly used by tools like BloodHound, was tuned to reduce false positives. A noisy LDAP search filter for computer objects was disabled to improve the rule's signal quality in production environments. (Potential Active Directory Reconnaissance/Enumeration Via LDAP)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities.
Personal repositories (1)
Neo23x0/signature-base (✎4)
✎ Modified rules
New YARA rules provide detection for multiple PHP webshells. The rules identify specific tools like Weevely and 'h4ntu shell', along with a webshell designed for MySQL database interaction. Detections are based on file content analysis, targeting code obfuscation patterns, static UI strings, command execution functions, and specific file size attributes. (Weevely_Webshell, WEBSHELL_H4ntu_Shell_Powered_Tsoi, webshell_PHP_sql)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.