Detections Digest #20250728
This issue highlights key updates to 9 repositories, covering 20 new and 43 modified detection rules.
This week's update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Jul 21 and Jul 28, 2025, contributors added 20 new rules and updated 43 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple repositories added layered detection for the SharePoint RCE CVE-2025-53770. Rules from Sigma and Splunk detect initial exploit attempts in IIS logs, webshell file creation, and post-exploitation process activity; YARA rules from Neo23x0 identify the dropped webshells, their compiled variants, and forensic artifacts from the exploit chain. (SigmaHQ/sigma, splunk/security_content, Neo23x0/signature-base)
Phishing detection logic was broadly updated, with a focus on callback scams and multistage attacks. New rules target e-signature and financial lures, many existing rules now detect redirection through social media and legitimate hosting services, and the logic for finding obfuscated phone numbers in callback phish was improved. (sublime-security/sublime-rules)
New YARA rules were added for multiple malware families and offensive security tools. Coverage now includes Amadey malware, Warlock ransomware, and the StormDNS C2 framework; other rules detect .NET reconnaissance tools such as SharpHostInfo and SharpAdidnsdump by matching unique strings and assembly GUIDs. (Neo23x0/signature-base, bartblaze/Yara-rules)
New endpoint detections target initial access and defense evasion. One rule identifies browsers spawning shell or script interpreters, common in drive-by attacks; another detects the unloading of Windows Defender kernel drivers; a third identifies the delivery of WinRAR path traversal exploits via email. (anvilogic-forge/armory, rabbitstack/fibratus, delivr-to/detections)
Cloud security rules were added for Kubernetes and Azure. A new rule detects potential impersonation via kubectl commands that use alternate authentication arguments, and the rule for unusual access to Azure Key Vault secrets was migrated to KQL to find potential credential theft. (elastic/detection-rules)
🚀 Make updates from this digest operational:
All detection rules from this digest are available in our MISP and STIX/TAXII feeds.
Subscribe to integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
SigmaHQ/sigma (+3)
anvilogic-forge/armory (+1)
sublime-security/sublime-rules (+4, ✎22)
elastic/detection-rules (+1, ✎1)
splunk/security_content (+3, ✎1)
delivr-to/detections (+1)
Neo23x0/signature-base (+1, ✎19)
bartblaze/Yara-rules (+5)
rabbitstack/fibratus (+1)
Corporate repositories (6)
SigmaHQ/sigma (+3)
+ New rules
New rules provide layered detection for the SharePoint RCE vulnerability CVE-2025-53770. Coverage includes identifying initial exploit attempts in IIS logs, post-exploitation command execution by the SharePoint worker process, and the creation of the malicious spinstall0.aspx file on disk. (SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS, Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators, Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create)
anvilogic-forge/armory (+1)
+ New rules
A new rule detects web browsers on Windows spawning common LOLBAS binaries or script interpreters. It monitors for browsers such as Chrome, Edge, and Firefox launching powershell.exe, cmd.exe, or rundll32.exe, activity that can indicate code execution from drive-by downloads or malicious browser extensions. (Suspicious Browser Child Process - Windows)
sublime-security/sublime-rules (+4, ✎22)
+ New rules
Two new rules detect callback phishing emails that use e-signature themes. The detection logic identifies a phone number, financial keywords, and impersonated brand names in the email body or in images via OCR. One rule specifically targets abuse of the signfree.io service, while the other is a broader catch for e-signature lures where the reply-to address is from a free email provider. (Callback Phishing via SignFree E-Signature Request, Callback Phishing Via E-Signature Service)
New rules add detection for two types of financial phishing. One rule targets suspicious Xero invoice emails, identifying brand impersonation through confusable characters in the sender name. A second rule detects cryptocurrency phishing lures, such as airdrop scams, by matching keywords and platform names while excluding legitimate, DMARC-verified communications. (Xero Invoice Abuse, Spam: Cryptocurrency Airdrop/Giveaway)
✎ Modified rules
Numerous rules were updated to detect phishing links that point to social media landing pages. This change applies to rules targeting the abuse of services, such as Google, Adobe, and Microsoft, as well as general phishing. It improves coverage for multistage attacks that use these platforms for redirection or hosting. (Vendor Compromise: GovDelivery Message With Suspicious Link, Attachment: QR code with credential phishing indicators, Brand Impersonation: Microsoft Planner With Suspicious Link, Link: Multistage Landing - Published Google Doc, Google Presentation Open Redirect Phishing, Link: Multistage Landing - Abused Adobe frame.io, Brand Impersonation: Coinbase with suspicious links, Link: Multistage Landing - Abused Docusign, Link: Multistage Landing - Abused Google Drive, Brand impersonation: Microsoft with low reputation links, Credential phishing: Engaging language and other indicators (untrusted sender), Link: Abused Adobe Express, Spam: URL shortener with short body content and emojis, Link: QuickBooks image lure with suspicious link)
Detection for callback phishing is improved in two rules. The logic now uses more comprehensive regular expressions to identify obfuscated phone numbers in email bodies and attachments. This change addresses evasion techniques such as varied separators and character substitutions. (Callback Phishing via DocuSign comment, Attachment: Callback Phishing solicitation via text-based file)
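As an added example (not Sublime's own rule logic, and not code from the digest), the following shows the kind of phone-number normalisation the updated callback rules rely on: a candidate regex that tolerates varied separators, parentheses and digit look-alikes, a pass that turns spelled-out digits into numerals, NANP validation of the cleaned result, and a combination with financial-lure keywords, which is what distinguishes a callback phish from any message that happens to contain a phone number. The look-alike table, keyword list and sample bodies are assumptions constructed for the example.

```python
import re

# Digit look-alikes used to defeat naive phone regexes (assumed set, not
# Sublime's own table): O/o for 0, I/l for 1.
LOOKALIKES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})

WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
               "four": "4", "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
WORD_RE = re.compile(r"\b(" + "|".join(WORD_DIGITS) + r")\b", re.I)

# One "digit" is a real digit or a look-alike; separators may be anything in SEP.
DIGIT = r"[0-9OoIl]"
SEP = r"[\s.\-_/*•·()\[\]]*"
PHONE_RE = re.compile(
    rf"(?<![A-Za-z0-9-])"                    # not glued to a word or an id like INV-2025...
    rf"(?:1{SEP})?"                          # optional leading country code 1
    rf"\(?\s*{DIGIT}(?:{SEP}{DIGIT}){{9}}"   # ten digit-like characters, any separators
    rf"(?![A-Za-z0-9])"
)
ISO_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}")   # timestamps are a classic false positive

# Assumed financial-lure vocabulary (the real rules use far larger lists).
FINANCIAL_RE = re.compile(
    r"\b(?:invoice|renew(?:al|ed)?|subscription|charged?|refund|payment|purchase)\b|\$\s?\d",
    re.I)


def despell(text):
    """'eight zero zero' -> '8 0 0' so spelled-out numbers reach the main regex."""
    return WORD_RE.sub(lambda m: WORD_DIGITS[m.group(1).lower()], text)


def normalize(span):
    """Strip separators, map look-alikes and validate as a 10-digit NANP number."""
    digits = re.sub(r"[^0-9OoIl]", "", span).translate(LOOKALIKES)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    # NANP: area code and exchange both start with 2-9.
    if len(digits) != 10 or digits[0] not in "23456789" or digits[3] not in "23456789":
        return None
    return "+1" + digits


def extract_phone_numbers(text):
    """Unique, normalised phone numbers found in an email body or attachment text."""
    found = []
    for m in PHONE_RE.finditer(despell(text)):
        span = m.group(0)
        if ISO_DATE_RE.match(span):
            continue
        number = normalize(span)
        if number and number not in found:
            found.append(number)
    return found


def callback_phish_indicators(text):
    """A phone number plus a financial lure is the combination the rules look for."""
    phones = extract_phone_numbers(text)
    lure = bool(FINANCIAL_RE.search(text))
    return {"phones": phones, "financial_lure": lure, "suspicious": bool(phones) and lure}


# Constructed sample bodies (not real messages).
SAMPLES = {
    "lookalikes": "Your subscription renewed for $349.99. To cancel call (8OO) 555-O199 within 24 hrs.",
    "plain":      "Reach us at 1-800-555-0199 to dispute the charge.",
    "spelled":    "Call: eight zero zero five five five zero one nine nine",
    "benign":     "Invoice INV-2025071234 attached. Sent 2025-07-28 10:00 by finance.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, callback_phish_indicators(body))
```

The benign sample is the important one: a ten-digit invoice number and an ISO timestamp both look like phone numbers to a separator-tolerant regex, which is why the example rejects runs glued to an identifier and drops date-shaped spans, and why the rules pair the phone match with lure keywords rather than alerting on a number alone.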
Four brand impersonation rules were refined with varied logic. Detections for SendGrid and Amazon now use machine learning for logo identification and intent analysis. Chase impersonation detection is broadened with new keyword logic, and the Zoom Docs rule uses a more flexible display name match. (Brand Impersonation: SendGrid, Service Abuse: Suspicious Zoom Docs Link, Brand impersonation: Amazon, Brand impersonation: Chase Bank)
Detection for abuse of specific legitimate services was expanded. The rule for gamma.app now identifies malicious content hosted with the 'mode=doc' parameter. The Constant Contact abuse rule was updated to monitor for suspicious links from 'constantcontactpages.com'. (Link: Direct Link to gamma.app Document With Mode Parameter, Constant Contact link infrastructure abuse)
elastic/detection-rules (+1, ✎1)
+ New rules
A new rule detects potential impersonation in Kubernetes by monitoring for kubectl commands with specific arguments. The detection triggers on the use of --kubeconfig, --token, --as, or --as-group, which may indicate an adversary using alternate authentication material for unauthorized access or privilege escalation. (Potential Impersonation Attempt via Kubectl)
✎ Modified rules
The rule for detecting first-time user access to an Azure Key Vault was migrated from ES|QL to KQL. The detection logic identifies when a user principal retrieves a secret, key, or certificate from a vault they have not accessed in the prior 14 days, which can indicate unauthorized access. (Azure Key Vault Secret Key Usage by Unusual Identity)
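The Key Vault rule is a first-seen baseline rather than a signature, so an added example (not elastic's rule, and not code from the digest) is useful to show what "not accessed in the prior 14 days" means in practice. Events are replayed in time order, the last access per (principal, vault) pair is tracked, and an alert fires when a read operation arrives for a pair with no access inside the window. The learning period parameter handles the cold-start problem: without it, every pair alerts on the first run over history. The operation names are the usual Key Vault diagnostic values for reads, and the events and tenant names are constructed.

```python
from datetime import datetime, timedelta

# Key Vault diagnostic operation names that retrieve material (assumption: the
# common read operations; check your own logs for the full set you want covered).
READ_OPERATIONS = {"SecretGet", "KeyGet", "CertificateGet"}
WINDOW = timedelta(days=14)


def unusual_identity_alerts(events, window=WINDOW, learning_until=None):
    """Flag (principal, vault) pairs with no read access in the preceding `window`.

    Events before `learning_until` only seed the baseline, which avoids alerting
    on every pair the first time the rule is run over historical data.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["operation"] not in READ_OPERATIONS:
            continue
        key = (ev["principal"].lower(), ev["vault"].lower())
        prev = last_seen.get(key)
        is_new = prev is None or ev["time"] - prev > window
        in_learning = learning_until is not None and ev["time"] < learning_until
        if is_new and not in_learning:
            alerts.append({"time": ev["time"], "principal": ev["principal"],
                           "vault": ev["vault"], "operation": ev["operation"],
                           "last_seen": prev})
        last_seen[key] = ev["time"]
    return alerts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events (not real tenant data).
EVENTS = [
    {"time": ts("2025-07-01T09:00:00"), "principal": "app-billing",       "vault": "kv-prod-a", "operation": "SecretGet"},
    {"time": ts("2025-07-10T09:00:00"), "principal": "alice@contoso.com", "vault": "kv-prod-b", "operation": "KeyGet"},
    {"time": ts("2025-07-12T09:00:00"), "principal": "app-billing",       "vault": "kv-prod-a", "operation": "SecretGet"},
    {"time": ts("2025-07-20T09:00:00"), "principal": "app-billing",       "vault": "kv-prod-a", "operation": "SecretGet"},
    {"time": ts("2025-07-21T03:12:00"), "principal": "alice@contoso.com", "vault": "kv-prod-a", "operation": "SecretGet"},
    {"time": ts("2025-07-21T03:13:00"), "principal": "alice@contoso.com", "vault": "kv-prod-a", "operation": "VaultGet"},
    {"time": ts("2025-08-05T09:00:00"), "principal": "alice@contoso.com", "vault": "kv-prod-b", "operation": "KeyGet"},
]
LEARNING_UNTIL = ts("2025-07-15T00:00:00")

if __name__ == "__main__":
    for a in unusual_identity_alerts(EVENTS, learning_until=LEARNING_UNTIL):
        print(a)
```

Two alerts result: alice reading a secret from kv-prod-a for the first time at 03:12, and alice returning to kv-prod-b after 26 days of silence. The VaultGet metadata call is ignored because it retrieves nothing, and the billing app's regular reads never fire.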
splunk/security_content (+3, ✎1)
+ New rules
Three new rules provide layered detection for the SharePoint vulnerability CVE-2025-53770 (ToolShell). The coverage includes initial exploit attempts via HTTP POST requests to ToolPane.aspx, webshell deployment by detecting the creation of spinstall0.aspx, and post-exploitation access by monitoring GET requests to the same webshell file. (Windows SharePoint Spinstall0 Webshell File Creation, Windows SharePoint ToolPane Endpoint Exploitation Attempt, Windows SharePoint Spinstall0 GET Request)
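The Sigma and Splunk entries above both key on the same two IIS-log indicators, so here is one added example (not a rule from either project, and not code from the digest) that runs them over a few constructed W3C log lines: a POST to ToolPane.aspx is flagged as an exploit attempt, any request for spinstall0.aspx as webshell access, and a client address that does both is surfaced as a probable full chain. The field order follows the default IIS layout, the sample addresses are invented, and the `spinstall\d*` generalisation (mirroring the broadened YARA path regexes mentioned for Neo23x0) is an assumption.

```python
import re

# Assumed default IIS W3C field layout. Always read the '#Fields:' directive of
# real logs; the order is configurable per site.
IIS_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
    "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample log: a normal user request, an exploit-style POST to
# ToolPane.aspx, a follow-up GET for the dropped webshell, and a benign GET to
# ToolPane.aspx by an authenticated user (which must not fire).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:00:01 10.0.0.5 GET /sites/hr/Forms/AllItems.aspx - 443 CONTOSO\\alice 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 10:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 530
2025-07-19 10:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 python-requests/2.32 - 200 0 0 15
2025-07-19 10:01:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 CONTOSO\\bob 10.0.0.21 Mozilla/5.0 - 200 0 0 80
"""

# ToolPane.aspx under any /_layouts/<version>/ path; the exploit uses a POST.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
# spinstall0.aspx is the name the digest reports; the \d* is an assumed generalisation.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)

RULE_POST = "SharePoint ToolPane POST exploit attempt"
RULE_SHELL = "SharePoint spinstall0 webshell request"


def parse_iis(log_text):
    """Yield one dict per request line; '#' directive lines are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(IIS_FIELDS):
            continue  # malformed line: count these in a real pipeline
        yield dict(zip(IIS_FIELDS, parts))


def classify(rec):
    """Return the rule a record matches, or None."""
    stem = rec["cs-uri-stem"]
    if rec["cs-method"].upper() == "POST" and TOOLPANE_RE.search(stem):
        return RULE_POST
    if WEBSHELL_RE.search(stem):
        return RULE_SHELL
    return None


def detect(log_text):
    """Per-request hits, each carrying the client IP for later correlation."""
    hits = []
    for rec in parse_iis(log_text):
        rule = classify(rec)
        if rule:
            hits.append({"rule": rule, "client": rec["c-ip"],
                         "when": f"{rec['date']} {rec['time']}",
                         "stem": rec["cs-uri-stem"]})
    return hits


def correlate(hits):
    """Clients that both POSTed to ToolPane.aspx and requested the webshell."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["rule"])
    return sorted(c for c, rules in seen.items() if {RULE_POST, RULE_SHELL} <= rules)


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(h)
    print("probable full chain from:", correlate(detect(SAMPLE_LOG)))
```

A GET to ToolPane.aspx by an authenticated user is ordinary SharePoint editing and is deliberately not flagged; the method check is what keeps the exploit-attempt rule quiet on a busy farm. The correlation step is where the file-creation telemetry from Sigma and Splunk would also plug in, since a webshell write followed by a request for the same name from the POSTing client leaves little room for a benign explanation.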
✎ Modified rules
Detection coverage for IP address reconnaissance via DNS queries is expanded. The update adds twelve new domains used for IP checking services. This rule monitors Sysmon Event ID 22 to identify activity associated with malware like Trickbot and Quasar RAT. (Windows Gather Victim Network Info Through Ip Check Web Services)
delivr-to/detections (+1)
+ New rules
A new rule detects unsolicited emails attempting to exploit the WinRAR path traversal vulnerability, CVE-2025-6218. The detection identifies inbound emails with RAR or ZIP attachments that contain directory traversal patterns or match a specific YARA rule for this exploit. (Attachment: Archive with Directory Traversal CVE-2025-6218 (Unsolicited))
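The delivr-to rule looks for directory traversal patterns inside archive attachments. As an added example (not delivr-to's rule, and not code from the digest), the following inspects ZIP entry names the way an email pipeline would: it normalises separators, rejects absolute and drive-letter paths, and resolves `..` segments to decide whether an entry would land outside the extraction directory. A `strict` mode flags any `..` component at all, which is closer to what a pattern-based rule does. Only ZIP is handled because the standard library has no RAR parser; the archives are constructed in memory and are not the real exploit sample.

```python
import io
import posixpath
import re
import zipfile

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def escapes_extraction_root(name):
    """True if an archive entry name would resolve outside the extraction directory."""
    n = name.replace("\\", "/")            # tools on Windows emit backslashes too
    if n.startswith("/") or DRIVE_RE.match(n):
        return True                         # absolute POSIX path or drive-letter path
    norm = posixpath.normpath(n)
    return norm == ".." or norm.startswith("../")


def has_dotdot(name):
    """Stricter pattern check: any '..' segment, even one that resolves inside the root."""
    return ".." in name.replace("\\", "/").split("/")


def scan_zip(data, strict=False):
    """Entry names in a ZIP that escape the extraction root (or, if strict, contain '..')."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []                           # not a ZIP; RAR needs a separate parser
    check = (lambda n: has_dotdot(n) or escapes_extraction_root(n)) if strict else escapes_extraction_root
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if check(info.filename)]


def build_zip(entries):
    """Constructed helper: make an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not the real exploit archive).
BENIGN_ZIP = build_zip({
    "docs/readme.txt": b"hello",
    "docs/sub/../notes.txt": b"resolves to docs/notes.txt, inside the root",
})
TRAVERSAL_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4 decoy",
    "../../evil.exe": b"MZ",                         # classic dot-dot escape
    "/etc/cron.d/job": b"* * * * * root id",         # absolute path
    "C:/Users/Public/Desktop/update.lnk": b"L",      # drive-letter path
})

if __name__ == "__main__":
    print("benign:", scan_zip(BENIGN_ZIP))
    print("benign, strict:", scan_zip(BENIGN_ZIP, strict=True))
    print("traversal:", scan_zip(TRAVERSAL_ZIP))
```

Whether to run strict mode is a tuning choice: a `..` that resolves inside the root is harmless to a correct extractor, but the extractors attacked by these exploits are by definition not correct, and legitimate archives almost never contain `..` at all, so the stricter check costs little.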
Personal repositories (3)
Neo23x0/signature-base (+1, ✎19)
+ New rules
A new YARA rule detects Amadey malware, version 5.34. The rule identifies the malware's PE file signature combined with unique byte sequences from its RC4 algorithm, PE section processing, and string decryption routines. (MAL_Win_Amadey_Jun25)
✎ Modified rules
Multiple YARA rules for SharePoint RCE CVE-2025-53770 were added and updated. One rule set detects the dropped payload, identifying both source ASPX webshells and their compiled PE variants through code snippets and embedded strings. Another rule set detects forensic artifacts of the exploit, including URI patterns in logs, encoded PowerShell commands, and dropper file paths. Updates broadened detection by generalizing regular expressions for paths, adding file hashes, and including new indicators. (WEBSHELL_ASPX_Compiled_Sharepoint_Drop_CVE_2025_53770_Jul25_2, APT_EXPL_Sharepoint_CVE_2025_53770_ForensicArtefact_Jul25_2)
New YARA rules provide layered detection for PHP webshells. The rules identify webshells through several methods: finding common execution functions, detecting indirect execution via callback functions, identifying base64-decoded payloads, and matching a specific pattern of obfuscated code. This approach covers generic, obfuscated, and structurally distinct webshells. (WEBSHELL_PHP_Generic_Callback, WEBSHELL_PHP_Base64_Encoded_Payloads, WEBSHELL_PHP_Unknown_1)
bartblaze/Yara-rules (+5)
+ New rules
New YARA rules detect multiple .NET-based tools used for reconnaissance and data theft. The rules identify SharpHostInfo and SharpAdidnsdump for network and Active Directory enumeration, and a webshell that extracts MachineKey configuration from SharePoint servers. Detections rely on string artifacts, specific .NET class names, and assembly GUIDs. (SharpHostInfo, SharpAdidnsdump, Extract_MachineKey_SharePoint)
Detection coverage was added for two distinct malware families. A new YARA rule identifies Warlock ransomware, a Lockbit Black derivative, using ransom note text and PDB paths. Another rule finds the StormDNS C2 shell by matching operational strings and its unique PDB path. (Warlock, StormDNS)
rabbitstack/fibratus (+1)
+ New rules
A new fibratus rule detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys. This action indicates a defense evasion attempt to disable antivirus capabilities, as legitimate unloads of these drivers are uncommon. (Windows Defender driver unloading)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.