Detections Digest #20250721
This issue highlights key updates to detection rules from 11 repositories, including 50 new (❗️) and 80 modified rules.
This week's update highlights the most significant changes to detection rules from 11 of the 40+ monitored GitHub repositories. Between Jul 14 and Jul 21, 2025, contributors added 50 new rules and updated 80 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Splunk introduced a large set of rules for VMware ESXi, targeting the full attack lifecycle. Detections cover defense evasion, like disabling the firewall or audit logging. Persistence techniques such as creating local accounts or enabling SSH are also monitored, along with execution of malicious VIBs and post-compromise actions like VM discovery and termination. (splunk/security_content)
Elastic added a suite of behavioral rules for advanced Windows defense evasion. The new detections identify process injection and concealment by inspecting process call stacks for manipulation. This includes module stomping, execution from unbacked memory, and network operations from a manipulated process context. (elastic/protections-artifacts)
New rules for cloud environments focus on identity and credential abuse. Detections for Azure identify anomalous Key Vault access and modification of Entra ID authentication policies used in BYOIDP attacks. Multiple AWS rules were also updated to refine detection of IAM policy changes, SSM secret access, and S3 data exfiltration. (elastic/detection-rules)
Detections for Active Directory reconnaissance using ADExplorer were added and refined. The rules now identify the creation of AD snapshot .dat files and use more resilient logic against process renaming. Rules targeting network transfer of credential files like ntds.dit and SAM were also tuned for precision with exact path matching. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Phishing and initial access detections received updates. Sublime Security rules now apply OCR to analyze screenshots within emails for indicators of credential theft. Separately, new YARA rules were added to detect malicious scripts and executables embedded within Windows shortcut (.LNK) files, a common email attachment vector. (sublime-security/sublime-rules, bartblaze/Yara-rules)
🤖 Make updates from this digest operational:
All new and updated detection rules from this digest are available in MISP and STIX/TAXII intel feeds.
Subscribe and integrate directly into your SIEM, TIP, or SOAR solution to automate threat detection and enrich your existing intel.
Table Of Contents
Yamato-Security/hayabusa-rules (+3, ✎7)
sublime-security/sublime-rules (+1, ✎8)
SigmaHQ/sigma (+1, ✎5)
elastic/protections-artifacts (+16, ✎38)
elastic/detection-rules (+5, ✎12)
splunk/security_content (+23)
Corporate repositories (6)
Yamato-Security/hayabusa-rules (+3, ✎7)
+ New rules
New rules detect the creation of scheduled tasks that establish persistent reverse SSH tunnels. The detection logic targets schtasks.exe command lines that execute ssh.exe or sshd.exe with specific flags, a common technique for C2 and maintaining access. (Potential SSH Tunnel Persistence Install Using A Scheduled Task, Potential SSH Tunnel Persistence Install Using A Scheduled Task)
A new rule detects Active Directory reconnaissance performed with ADExplorer. It monitors for the creation of .dat snapshot files by ADExplorer processes, which indicates an attacker is collecting domain information for offline analysis. (ADExplorer Writing Complete AD Snapshot Into .dat File)
✎ Modified rules
Detection coverage for Active Directory reconnaissance via ADExplorer snapshots is expanded across four rules. Updates include more executable name variants and additional file metadata checks, making detection more resilient. The associated MITRE ATT&CK techniques were reclassified as Discovery (T1087.002, T1069.002, T1482). (Active Directory Database Snapshot Via ADExplorer, Suspicious Active Directory Database Snapshot Via ADExplorer, Active Directory Database Snapshot Via ADExplorer, Suspicious Active Directory Database Snapshot Via ADExplorer)
Two rules for defense evasion were updated to reduce false positives. The rule for COM hijacking cleanup now filters activity from Microsoft Office and Edge updates. The rule for VSS abuse now excludes vssadmin.exe from its process checks. (Removal of Potential COM Hijacking Registry Keys, Suspicious Volume Shadow Copy VSS_PS.dll Load)
The rule detecting network transfer of credential files was modified for higher precision. It now uses exact path matches for ntds.dit, SAM, and other system hives, reducing false positives from broader filename searches. (Transferring Files with Credential Data via Network Shares)
sublime-security/sublime-rules (+1, ✎8)
+ New rules
A new rule detects credential phishing emails that spoof SharePoint file sharing notifications. The detection logic identifies specific SharePoint message IDs and correlates the file name in the HTML body with the sender's display name to find malicious patterns. (Link: Uncommon SharePoint Document Type With Sender's Display Name)
✎ Modified rules
Credential phishing detection was improved across multiple rules. Updates add Optical Character Recognition (OCR) analysis of message screenshots to find malicious intent hidden in images. Other changes refine image analysis to better identify lures and reduce false positives by excluding sites that use Google reCAPTCHA. (Credential phishing link (unknown sender), Credential Phishing: Fake Password Expiration from New and Unsolicited sender, Attachment: Encrypted PDF With Credential Theft Body)
Detection for brand impersonation attacks targeting Microsoft, SharePoint, and Chase Bank was refined. Updates include better exclusion of legitimate notifications to reduce false positives by checking for trusted link destinations and specific message headers. Coverage for Chase-related phishing was also expanded with more flexible pattern matching. (Brand impersonation: Microsoft, Brand impersonation: Chase Bank, Brand impersonation: Sharepoint)
Rules targeting business-related scams were updated. Detection for Request for Quote (RFQ) scams now includes NLU analysis for financial terms and identifies emails mentioning non-existent attachments. A second rule targeting scams that sell event attendee lists was modified to reduce potential false negatives. (Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern, Spam: Attendee List solicitation)
SigmaHQ/sigma (+1, ✎5)
+ New rules
A new rule detects the use of the Sysinternals ADExplorer tool to create Active Directory snapshot files. The detection monitors for file creation events with a '.dat' extension originating from 'ADExplorer.exe' or 'ADExp.exe'. This helps identify attempts to exfiltrate AD data for offline analysis and credential gathering. (ADExplorer Writing Complete AD Snapshot Into .dat File)
✎ Modified rules
Two rules detecting Active Directory database dumping via Sysinternals ADExplorer were updated for greater resilience. The detection logic now checks multiple executable names and process metadata fields, such as OriginalFileName and Product, to counter evasion by file renaming. This improves discovery threat coverage (T1087.002, T1069.002, T1482). (Suspicious Active Directory Database Snapshot Via ADExplorer, Active Directory Database Snapshot Via ADExplorer)
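The ADExplorer snapshot logic described here and in the Yamato-Security/hayabusa-rules section above, as an added example that is not code from either repository: a small detector over constructed Sysmon-style events (ID 1 process creation, ID 11 file creation) that matches on several executable names, falls back to OriginalFileName and Product metadata so a renamed copy still hits, and flags .dat files written by such a process. The Product string is an assumption for this example.

```python
# Added example (not code from SigmaHQ/sigma or Yamato-Security/hayabusa-rules):
# detector for ADExplorer AD snapshot creation over constructed Sysmon-style events.
from typing import Dict, List, Set

# Executable names named in the digest, lower-cased for comparison.
ADEXPLORER_NAMES = {"adexplorer.exe", "adexp.exe"}
# Assumed product substring for this example; a real rule carries the value
# read from the binary's version resource.
ADEXPLORER_PRODUCT = "adexplorer"


def is_adexplorer(event: Dict[str, object]) -> bool:
    """Match on image name, OriginalFileName or Product so a renamed copy still hits."""
    image = str(event.get("Image", "")).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    original = str(event.get("OriginalFileName", "")).lower()
    product = str(event.get("Product", "")).lower()
    return (image in ADEXPLORER_NAMES
            or original in ADEXPLORER_NAMES
            or ADEXPLORER_PRODUCT in product)


def detect_ad_snapshots(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one alert per ADExplorer process start and per .dat file it writes.

    File-creation events carry no PE metadata, so a renamed ADExplorer is caught
    by remembering the ProcessId flagged at process creation.
    """
    flagged: Set[int] = set()
    alerts: List[Dict[str, object]] = []
    for ev in events:
        pid = int(ev["ProcessId"])
        if ev["EventID"] == 1 and is_adexplorer(ev):
            flagged.add(pid)
            alerts.append({"rule": "ADExplorer process started", "pid": pid})
        elif ev["EventID"] == 11:
            target = str(ev.get("TargetFilename", "")).lower()
            if target.endswith(".dat") and (pid in flagged or is_adexplorer(ev)):
                alerts.append({"rule": "ADExplorer wrote AD snapshot .dat",
                               "pid": pid, "file": ev["TargetFilename"]})
    return alerts


# Constructed sample telemetry: a renamed ADExplorer (pid 4120), benign notepad
# writing a .dat (pid 5001), and an unrenamed ADExplorer (pid 6100).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": "C:\\Tools\\svchost.exe",
     "OriginalFileName": "AdExp.exe", "Product": "Sysinternals ADExplorer"},
    {"EventID": 11, "ProcessId": 4120, "Image": "C:\\Tools\\svchost.exe",
     "TargetFilename": "C:\\Users\\Public\\corp.dat"},
    {"EventID": 1, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "Product": "Microsoft Windows"},
    {"EventID": 11, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.dat"},
    {"EventID": 11, "ProcessId": 6100, "Image": "D:\\Tools\\ADExplorer.exe",
     "TargetFilename": "D:\\snap\\domain.dat"},
]

if __name__ == "__main__":
    for alert in detect_ad_snapshots(SAMPLE_EVENTS):
        print(alert)
```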
Detection for network transfer of credential stores is more precise. The rule targeting Event ID 5145 now uses specific file paths for ntds.dit and SAM instead of broad keywords to reduce false positives. Coverage was also extended to include the SYSTEM hive file. (Transferring Files with Credential Data via Network Shares)
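The precision change described here (and in the matching Yamato-Security/hayabusa-rules entry above), as an added example that is not the SigmaHQ/sigma rule itself: a broad keyword matcher beside an exact-path matcher, both run over constructed Windows Security Event ID 5145 records. The paths are the default on-disk locations of the three credential stores as they appear relative to an admin share.

```python
# Added example (not the SigmaHQ/sigma or hayabusa rule): broad keyword matching
# versus exact path matching over constructed Event ID 5145 share-access records.
from typing import Callable, Dict, List

# Broad keyword matching of the kind the rule moved away from.
BROAD_KEYWORDS = ("ntds", "sam", "system")

# Default locations of the credential stores, relative to the share root
# (e.g. C$) as they appear in RelativeTargetName.
EXACT_PATHS = (
    "\\windows\\ntds\\ntds.dit",
    "\\windows\\system32\\config\\sam",
    "\\windows\\system32\\config\\system",
)


def normalise(path: str) -> str:
    """Lower-case, unify separators and ensure a leading backslash."""
    p = path.replace("/", "\\").lower()
    return p if p.startswith("\\") else "\\" + p


def broad_match(event: Dict[str, object]) -> bool:
    """Old-style check: any keyword anywhere in the target name."""
    name = normalise(str(event["RelativeTargetName"]))
    return any(k in name for k in BROAD_KEYWORDS)


def precise_match(event: Dict[str, object]) -> bool:
    """New-style check: the target name must end with one of the exact paths."""
    name = normalise(str(event["RelativeTargetName"]))
    return any(name.endswith(p) for p in EXACT_PATHS)


def run(events: List[Dict[str, object]],
        matcher: Callable[[Dict[str, object]], bool]) -> List[str]:
    """Return the RelativeTargetName of every 5145 event the matcher flags."""
    return [str(e["RelativeTargetName"]) for e in events
            if e["EventID"] == 5145 and matcher(e)]


# Constructed sample records: three real credential stores, two benign names
# that only share a substring, one unrelated file, and one non-5145 event.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\config\\SAM"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\System32\\config\\SYSTEM"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\bob\\samples\\report.docx"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "ProgramData\\system_notes.txt"},
    {"EventID": 5145, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Users\\bob\\Documents\\budget.xlsx"},
    {"EventID": 5140, "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\NTDS\\ntds.dit"},
]

if __name__ == "__main__":
    print("broad:  ", run(SAMPLE_EVENTS, broad_match))
    print("precise:", run(SAMPLE_EVENTS, precise_match))
```

The exact-path form trades recall for precision: a hive copied out under another name would not match, which is the cost the rule accepts to drop the substring false positives.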
The rule detecting potential Volume Shadow Copy deletion attempts by monitoring vss_ps.dll loads is now more accurate. A filter was added for the legitimate vssadmin.exe process to decrease false positives. (Suspicious Volume Shadow Copy VSS_PS.dll Load)
A rule detecting removal of persistence traces by deleting COM hijacking registry keys was tuned. Additional filters for Microsoft Edge updates and 64-bit Office processes were added to reduce benign alerts. (Removal of Potential COM Hijacking Registry Keys)
elastic/protections-artifacts (+16, ✎38)
+ New rules
A set of seven rules targets advanced Windows defense evasion techniques. These rules detect process injection and concealment by inspecting process call stacks for manipulation, such as module stomping, spoofing, and execution from unbacked memory, during library loading, memory writing, and network operations. (Cross Process API Activity with Truncated Stack, Potential Module Stomping with Network Activity, Suspicious Network Library Load, Registry Modification from a Potentially Altered Call Stack, Suspicious Network Module LoadLibrary, Windows Socket Creation from Stomped Module, Windows Socket Creation from Unbacked Memory)
Four new rules target Linux post-exploitation techniques. Detections identify suspicious PHP command-line execution for webshells, script-based payload downloads using curl or wget, execution from world-writable directories like /tmp, and privilege escalation to root from processes in temporary paths. (Suspicious PHP Command Execution, Command Interpreter with IP Address Argument, World Writeable Directory File Creation and Outbound Connection, UID Change to 0 from Unusual Process Executable)
New detections for macOS cover multiple attack stages. The rules identify initial access via fake Homebrew installers, persistence through Dock plist modifications by scripting interpreters, and credential theft by SSH processes accessing wallet or browser files. (Malicious Homebrew Initial Access, Suspicious Dock Plist Configuration Modification, Crypto Wallet or Web Browser File Access via SSH)
Two new rules detect the abuse of legitimate Windows applications for malicious execution. One rule targets the Loki C2 framework by identifying Electron-based applications launched with suspicious user data directory arguments. The other detects browser processes spawning utilities from the Downloads folder, a common phishing outcome. (Execution via Loki Command and Control, Potential Execution via Clickfix Phishing)
✎ Modified rules
Multiple Linux rules for persistence and defense evasion were updated. These rules find malicious use of cron, systemd, chattr, and execution from temporary directories. The changes primarily reduce false positives by adding specific exclusions for package managers, system administration tools, and various benign processes. (Potential Persistence via Direct Crontab Modification, Chattr Execution with Unusual Target File, Linux Suspicious Child Process Execution via Interactive Shell, Potential Proxy Execution via Systemd-run, Decode Activity via Web Server, Script Executed Through Unusual Parent Process, Scheduled Task Unusual Command Execution, Hidden Payload Executed via Scheduled Job, System V Init (init.d) Egress Network Connection, Suspicious Echo Execution)
Several macOS rules targeting payload download, execution, and exfiltration were updated. Detections for curl abuse now require file output arguments, improving precision. Coverage was broadened for ruby script staging, interpreter connections to AWS, and execution from mounted devices, focusing on high-confidence malware behavior. (Curl Execution via Application Shell Script, Suspicious Binary AWS S3 Connection, Curl to Suspicious Top Level Domain, Suspicious Executable Download via Ruby, Curl Download and Execution of JavaScript Payload, Potential Data Exfiltration via Curl, Suspicious Script or Process Execution from Mounted Device)
A set of macOS rules for defense evasion and persistence was tuned. Detections for dylib injection and suspicious child processes from code editors were narrowed with an argument count condition. Other rules for JXA execution, credential store access, and StartupParameters.plist persistence received specific process exclusions to reduce false positives. (Dylib Injection via Process Environment Variables, In-Memory JXA Execution via ScriptingAdditions, Web Browser Credential Data Accessed by Unsigned or Untrusted Process, Embedded Payload Dropped and Executed, Code Editor Untrusted or Unsigned Child Process Execution, Suspicious Installer Remote Plugin Service Child Process, Suspicious StartupItem Plist Creation or Modification)
Detection for Windows memory and process manipulation was refined. Rules for direct system calls, writing to suspended processes, and shellcode in unbacked memory received exclusions for legitimate software to reduce noise. Coverage improved for malicious call stacks with new signatures and for Antimalware Scan Interface tampering by adding amsi.dll to the watchlist. (Library Loaded From a Potentially Altered Call Stack, Execution from Suspicious Stack Trailing Bytes, Shellcode from Unusual Microsoft Signed Module, Direct Syscall from Unsigned Module, Potential Suspended Process Code Injection, Suspicious API Call from a PowerShell Script, Potential Obfuscated PowerShell Script)
Multiple Windows rules for lateral movement and persistence were tuned to lower false positives. Detections for access token manipulation, suspicious processes from network logons, and RDP tunneling received many new exceptions for legitimate enterprise software. Rules for shortcut modification and script host abuse were also refined with new exclusions. (NetSupport Execution form unusual Path, Chrome Browser Spawned from an Unusual Parent, Potential Remote Desktop Protocol Tunneling, Suspicious Windows Script Interpreter Child Process, Suspicious Shortcut Modification, Access Token Manipulation via Child Process, Suspicious Process Execution via Network Logon)
elastic/detection-rules (+5, ✎12)
+ New rules
New rules detect anomalous Azure Key Vault activity. Detections identify first-time vault modifications or secret retrievals by a user, and high-volume retrieval operations that may indicate credential harvesting. The rules analyze Azure activity logs for specific API calls, using behavioral and volume-based conditions. (Azure Key Vault Modified, Excessive Secret or Key Retrieval from Azure Key Vault, Azure Key Vault Secret Key Usage by Unusual Identity)
Two rules were added to detect manipulation of Microsoft Entra ID authentication policies. They identify changes to External Authentication Methods and OpenID Connect discovery URLs, techniques used in bring-your-own identity provider (BYOIDP) attacks to bypass MFA and establish persistence. The rules analyze Microsoft Graph API and Azure Audit logs. (External Authentication Method Addition or Modification in Entra ID, OIDC Discovery URL Changed in Entra ID)
✎ Modified rules
Multiple AWS rules for detecting credential access and privilege escalation were updated. The changes refine anomaly detection for IAM policy attachments, role trust policy changes, sensitive API calls, and SSM secret access. Updates improve alert precision by keying on combinations of user and cloud account ID and standardizing on ECS fields. (AWS IAM API Calls via Temporary Session Tokens, AWS IAM Customer-Managed Policy Attached to Role by Rare User, AWS IAM Assume Role Policy Update, AWS Systems Manager SecureString Parameter Request with Decryption Flag)
Detection for AWS data exfiltration and ransomware techniques was updated. Rules targeting S3 object encryption with customer-provided keys were broadened, and thresholding logic was improved. A rule for DynamoDB data exfiltration to S3 was also updated to focus on successful events and refine its anomaly detection. (Unusual AWS S3 Object Encryption with SSE-C, Excessive AWS S3 Object Encryption with SSE-C, AWS DynamoDB Table Exported to S3)
Rules targeting AWS EC2 reconnaissance and insecure configurations were refined. Updates expand detection to cover more event types for security group modifications and broaden searches for deprecated AMIs. Alerting for insecure network rules and suspicious access to instance user data was updated to align with current data schemas. (AWS EC2 Deprecated AMI Discovery, AWS EC2 User Data Retrieval for EC2 Instance, Insecure AWS EC2 VPC Security Group Ingress Rule Added, AWS EC2 Security Group Configuration Change)
The rule detecting sudoers file modification on Linux and macOS was migrated to EQL. This update modernizes the query for identifying this common on-host privilege escalation technique. The core detection logic, which monitors for changes to /etc/sudoers, remains the same. (Sudoers File Modification)
splunk/security_content (+23)
+ New rules
A set of new rules detects defense evasion on VMware ESXi hosts by monitoring syslog data. These rules identify the disabling of security controls like the firewall, Lockdown Mode, and encryption settings. They also detect tampering with logging configurations and system clocks, which are common anti-forensic techniques. (ESXi Encryption Settings Modified, ESXi Lockdown Mode Disabled, ESXi Firewall Disabled, ESXi Audit Tampering, ESXi Loghost Config Tampering, ESXi Syslog Config Change, ESXi System Clock Manipulation)
New detections identify adversary persistence and privilege escalation on ESXi hosts. The rules monitor syslog for the creation of local user accounts, the enabling of remote access via SSH or the ESXi Shell, and the assignment of the Administrator role to a user, all common actions for maintaining access. (ESXi Account Modified, ESXi SSH Enabled, ESXi Shell Access Enabled, ESXi User Granted Admin Role)
Coverage for malicious code execution on ESXi is added. These rules detect the installation of unauthorized VMware Installation Bundles (VIBs) by bypassing signature validation, and identify command patterns typical of reverse shells. Also monitored are failed file downloads, which can be precursors to payload delivery. (ESXi Download Errors, ESXi Malicious VIB Forced Install, ESXi Reverse Shell Patterns, ESXi VIB Acceptance Level Tampering)
Several rules were added to detect credential access attempts and misuse on ESXi hosts. The logic identifies SSH brute-force attacks by monitoring high-volume authentication failures. It also flags risky account behavior, including root logins from external IP addresses and a single root account used from multiple IPs in a short time. (ESXi External Root Login Activity, ESXi Shared or Stolen Root Account, ESXi SSH Brute Force)
New detections target post-compromise adversary activity including reconnaissance, exfiltration, and destructive actions. The rules find the use of esxcli commands to discover VMs and system configurations, access to sensitive files, exfiltration of VM disks via NFC, and commands for bulk virtual machine termination. (ESXi Bulk VM Termination, ESXi VM Exported via Remote Tool, ESXi VM Discovery, ESXi Sensitive Files Accessed, ESXi System Information Discovery)
Personal repositories (5)
HybridBrothers/Hunting-Queries-Detection-Rules (✎2)
✎ Modified rules
Detection for phishing emails that use the Microsoft Exchange Direct Send feature was improved. The rule now checks if the sender's IP address country is anomalous compared to the user's sign-in history. This change reduces false positives for both the Defender XDR and Sentinel versions of the rule. (Detect Direct Send phishing emails)
Cloud-Architekt/AzureSentinel (✎1)
✎ Modified rules
Metadata for the KQL function EnrichedMicrosoftGraphActivity was updated. The function combines GraphAPIAuditEvents with asset criticality from Microsoft Defender and permission classifications to provide context for Graph API activity investigations. (Function to get enrichment for GraphAPIAuditEvents with critical assets from Exposure Management, EntraOps Graph API permissions and action classification.)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL rule detects attempts to remove Remote Desktop Protocol connection history. The rule monitors command-line processes for modifications to specific registry keys where RDP client connection history is stored, identifying adversary attempts to cover their tracks. (RDP Trace Removal Detection)
bartblaze/Yara-rules (✎4)
✎ Modified rules
A new set of YARA rules detects multiple malicious uses of Windows shortcut (.LNK) files. These rules identify embedded PowerShell, JScript, and VBScript commands; base64-encoded PE files; and references to compressed archives. This provides coverage against .LNK files used for payload delivery and execution. (PDF_in_LNK, Script_in_LNK, EXE_in_LNK, Archive_in_LNK)
Neo23x0/signature-base (✎3)
✎ Modified rules
New detections cover the SharePoint RCE vulnerability CVE-2025-53770. The rules identify multiple stages of the exploit chain, including the dropped ASPX web shell via file content, specific URI access patterns in web logs, and forensic artifacts like Base64-encoded PowerShell commands and specific User-Agent strings. (WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2, APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_2)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.