Detections Digest #20250818
This issue highlights key updates from 8 repositories, including 19 new and 43 modified Sigma, YARA, Elastic, Hayabusa and SublimeSecurity detection rules.
This week's update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Aug 11 and Aug 18, 2025, contributors added 19 new rules and updated 43 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections for reagentc.exe abuse and jli.dll side-loading were added across multiple repositories. These rules target ransomware preparation and APT techniques like those used by APT41. Several existing Sigma rules for registry-based persistence were broadened by removing specific event type filters. This change expands detection from just value writes to any key modification. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Email security rules were updated for common phishing and impersonation tactics. New detections identify credential phishing via Box file-sharing and Wix brand impersonation. Rules for Microsoft phishing were modified to check WHOIS data for .ms domains, improving detection of adversary-owned sites. (sublime-security/sublime-rules)
New EDR behavioral rules for Linux were created to detect common adversary actions. The rules identify network traffic anonymization with 'torsocks' and defense evasion by copying system binaries. Execution from atypical directories like /boot and /proc is also now monitored. (elastic/protections-artifacts)
Coverage for Windows execution abuse and exploits was expanded. New rules detect UAC bypass attempts using consent.exe (CVE-2024-30051) and malicious child processes spawned by the WMI Provider Service. Detection for malicious drivers was also updated with numerous new file hashes and names. (anvilogic-forge/armory, magicsword-io/LOLDrivers)
YARA signatures were added for malware delivery and post-exploitation tools. One new rule detects Office documents with remote template injection, excluding common SharePoint and Office domains. Another rule targets path traversal exploits in archives aimed at Windows Startup folder persistence. (Neo23x0/signature-base)
🚀 Make updates from this digest operational: all detection rules from this digest are available in our MISP and STIX/TAXII feeds.
Subscribe to integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Corporate repositories (7)
anvilogic-forge/armory (+5)
+ New rules
Three new rules detect User Account Control (UAC) bypass attempts related to CVE-2024-30051. They monitor for suspicious child processes spawned by consent.exe using multiple telemetry sources, including generic process logs, Security Event ID 4688, and Sysmon Event ID 1. Each rule excludes WerFault.exe to reduce false positives. (Consent.exe Suspicious Child Process, Consent.exe Suspicious Child Process, Consent.exe Suspicious Child Process)
Two new rules identify malicious use of Windows Management Instrumentation (WMI). They detect the WMI Provider Service (WmiPrvSE.exe) spawning LOLBINs and scripting engines such as certutil.exe and mshta.exe. The logic excludes known legitimate processes and system accounts to focus on anomalous execution. (WmiPrvSE Suspicious Child Process, WmiPrvSE Suspicious Child Process)
elastic/protections-artifacts (+3, ✎4)
+ New rules
Three new rules add detection for common adversary tactics on Linux systems. The rules identify the use of 'torsocks' for anonymizing network traffic, the copying or moving of system binaries for defense evasion, and process execution from unusual directories like /boot or /proc. All three detections are based on Elastic EDR process execution events. (Torsocks Execution, System Binary Copied or Moved, Unusual Process Execution)
✎ Modified rules
Two Linux detection rules were tuned to reduce false positives. The rule for systemd-run abuse now excludes a new parent process and uses more flexible patterns for package listing commands. The rule for malicious use of the echo command was updated with additional process exclusions. (Potential Proxy Execution via Systemd-run, Suspicious Echo Execution)
Accuracy was improved for two Windows detection rules. The rule for suspicious PowerShell API calls now suppresses activity from Microsoft Defender for Endpoint processes. The rule detecting unusual chrome.exe parent processes was updated with a new trusted code signer to its allowlist. (Chrome Browser Spawned from an Unusual Parent, Suspicious API Call from a PowerShell Script)
sublime-security/sublime-rules (+2, ✎5)
+ New rules
Two new rules detect email-based attacks that abuse or impersonate popular web services. One rule identifies credential phishing using Box file-sharing by analyzing email content, links, and applying machine learning. The other rule detects Wix brand impersonation by inspecting sender display names and domains, with exclusions for legitimate, authenticated mail. (Service Abuse: Box File Sharing with Credential Phishing Intent, Brand impersonation: Wix)
✎ Modified rules
Two rules targeting Microsoft phishing were updated to reduce false negatives from adversary-owned '.ms' domains. The rules now perform a WHOIS lookup to verify that domains ending in '.ms' are registered to Microsoft, refining detection for both SharePoint brand impersonation and credential theft via Microsoft Forms. (Brand impersonation: Sharepoint, Link: Multistage landing - Microsoft Forms abuse)
Impersonation detection is improved for both internal VIPs and the external 'X' (formerly Twitter) brand. The VIP rule adds more precise sender profiling and a check for internal domain spoofing via DMARC failure. The 'X' rule adds new heuristic checks for sender domains and keywords like 'copyright' to supplement existing ML logo detection. (VIP local_part impersonation from unsolicited sender, Brand impersonation: Twitter)
Detection of Business Email Compromise (BEC) attempts requesting financial information was expanded. The rule now includes additional keywords and phrases, such as 'AP', 'AR & AP', and 'recent', to identify a wider range of requests for sensitive accounting reports. (Suspicious request for financial information)
elastic/detection-rules (✎4)
✎ Modified rules
Detections for identity-based attacks were improved. One rule targeting Entra ID session hijacking via OAuth phishing was refined for query performance. Another rule for Okta MFA deactivation was updated to more accurately track changes on a per-user basis, improving detection of authentication weakening. (Microsoft Entra ID Suspicious Session Reuse to Graph Access, MFA Deactivation with no Re-Activation for Okta User Account)
Two rules for Windows defense evasion techniques were tuned to reduce false positives. The rule for malicious root certificate installation now excludes more legitimate software processes but retains detection for LOLBins. The rule for disabling PowerShell Script Block Logging now excludes specific system processes operating under the LOCAL SYSTEM account. (Creation or Modification of Root Certificate, PowerShell Script Block Logging Disabled)
magicsword-io/LOLDrivers (✎4)
✎ Modified rules
Detection coverage for malicious and vulnerable Windows drivers was expanded across four rules. The updates refreshed indicator lists by adding numerous new driver filenames and file hashes (MD5, SHA1, SHA256, IMPHASH). These changes, some synchronized with the LOLDrivers project, improve detection of privilege escalation and defense evasion techniques that exploit compromised drivers. (Malicious Driver Load By Name, Vulnerable Driver Load By Name, Malicious Driver Load Despite HVCI, Vulnerable Driver Load Despite HVCI)
Yamato-Security/hayabusa-rules (+5, ✎10)
+ New rules
Two new rules detect attempts to disable the Windows Recovery Environment (WinRE). They monitor for the execution of reagentc.exe with the /disable command-line argument, a common preparatory action by ransomware groups to impede system recovery. (Windows Recovery Environment Disabled Via Reagentc, Windows Recovery Environment Disabled Via Reagentc)
New detection coverage was added for the SharePoint RCE vulnerability CVE-2025-53770. The rules identify suspicious child processes of the IIS worker process (w3wp.exe) whose command lines contain base64-encoded strings linked to post-exploitation webshells. (Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators, Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators)
A new rule detects DLL hijacking of the Java library jli.dll. The detection identifies when this DLL is loaded from non-standard file paths, a technique used by adversaries like APT41 and XWorm to execute payloads in a trusted process context. (Potential JLI.dll Side-Loading)
✎ Modified rules
Multiple detections for registry-based persistence and evasion techniques were broadened. By removing a specific OperationType filter from Windows Event ID 4657 checks, these rules now detect any modification to the target keys, not just value writes. This improves coverage for BgInfo abuse, persistence via Windows Error Reporting and Shell Open commands, and scheduling file operations at reboot. (New BgInfo.EXE Custom DB Path Registry Configuration, New BgInfo.EXE Custom VBScript Registry Configuration, New BgInfo.EXE Custom WMI Query Registry Configuration, Potential WerFault ReflectDebugger Registry Value Abuse, Potential PendingFileRenameOperations Tampering, Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace)
Rules detecting event log tampering through registry permission changes are now more accurate. Detections based on Windows Security Logs and Sysmon were updated to filter out legitimate activity from system processes like TrustedInstaller.exe and TiWorker.exe, reducing false positives. (Windows Event Log Access Tampering Via Registry, Windows Event Log Access Tampering Via Registry)
Detection coverage for adversaries hiding user accounts via the SpecialAccounts\UserList registry key was improved. A rule monitoring Windows Event Logs was broadened to catch more modification types, and a previously non-functional rule using Sysmon telemetry was corrected. (Hiding User Account Via SpecialAccounts Registry Key, Hiding User Account Via SpecialAccounts Registry Key)
SigmaHQ/sigma (+2, ✎6)
+ New rules
A new rule detects potential DLL side-loading using the legitimate Java component jli.dll. The detection identifies when jli.dll is loaded from a non-standard directory or has mismatched file properties, a technique associated with APT41 and XWorm for defense evasion. (Potential JLI.dll Side-Loading)
A new rule detects attempts to disable the Windows Recovery Environment (WinRE). The detection monitors for the execution of reagentc.exe with the /disable argument, an action intended to inhibit system recovery during impact-focused attacks. (Windows Recovery Environment Disabled Via Reagentc)
✎ Modified rules
Four rules detecting adversary persistence and defense evasion via the Windows Registry were updated to broaden their scope. The rules cover abuse of BgInfo, Windows Error Reporting hangs, hiding user accounts, and pending file rename operations. By removing the specific 'EventType: SetValue' condition, these detections now trigger on a wider range of registry modification events, improving coverage. (New BgInfo.EXE Custom VBScript Registry Configuration, Potential WerFault ReflectDebugger Registry Value Abuse, Hiding User Account Via SpecialAccounts Registry Key, Potential PendingFileRenameOperations Tampering)
MITRE ATT&CK mappings for two cloud security rules were corrected for better accuracy. The rule for suspicious inbox forwarding is now aligned with T1114.003 (Email Forwarding Rule). The rule for new federated domain creation is now mapped to T1484.002 (Domain Trust Modification). These changes improve the classification of the detected behaviors. (Suspicious Inbox Forwarding Identity Protection, New Federated Domain Added)
Personal repositories (1)
Neo23x0/signature-base (+2, ✎10)
+ New rules
A new YARA rule detects Microsoft Office template injection used for malware delivery. The rule identifies documents where the 'attachedTemplate' attribute points to an external HTTP or HTTPS URL. To reduce false positives, it excludes templates from '.sharepoint.com' and '.office.com' domains. (EXPL_Office_TemplateInjection_Aug19)
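The same check as the remote template injection rule above, written in Python for this digest (it is not the signature-base YARA rule, which matches raw bytes; this version opens the OOXML package and reads the relationship parts). The sample documents are constructed inline and the trusted-domain suffixes are taken from the rule summary.

```python
"""Flag a .docx whose attachedTemplate relationship points at an external http(s)
URL, mirroring the remote template injection rule summarised above. Example code
written for this digest, not the signature-base YARA rule; the YARA rule scans
raw bytes, this version opens the OOXML package and reads the .rels parts."""
import io
import re
import zipfile
from urllib.parse import urlparse

ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
TRUSTED_SUFFIXES = (".sharepoint.com", ".office.com")  # exclusions named in the rule summary
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def remote_template_targets(docx_bytes):
    """Return external http(s) attachedTemplate URLs that are not on a trusted domain."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in REL_RE.findall(z.read(part).decode("utf-8", "replace")):
                attrs = dict(ATTR_RE.findall(rel))
                target = attrs.get("Target", "")
                host = (urlparse(target).hostname or "").lower()
                if (attrs.get("Type") == ATTACHED_TEMPLATE
                        and target.lower().startswith(("http://", "https://"))
                        and not host.endswith(TRUSTED_SUFFIXES)):
                    found.append(target)
    return found

def build_docx(template_url):
    """Constructed minimal .docx containing only the parts the check inspects."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

# Constructed samples: one remote template on an untrusted host, one on SharePoint.
MALICIOUS_DOCX = build_docx("http://template.example.invalid/invoice.dotm")
BENIGN_DOCX = build_docx("https://contoso.sharepoint.com/sites/hr/corp.dotm")
```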
A new YARA rule detects malicious RAR and ZIP archives exploiting path traversal vulnerabilities, including CVE-2025-8088 and CVE-2025-6218. The detection logic targets attempts to write a file to the Windows Startup folder to establish persistence. (EXPL_RAR_Archive_with_Path_Traversal_Aug25)
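For the archive rule above, an added Python check (written for this digest, not the signature-base YARA rule, which matches the RAR/ZIP headers directly) that walks ZIP entry names and reports those that both climb out of the extraction directory and land in a Windows Startup folder. The archive and its entry names are constructed inline.

```python
"""Inspect ZIP entry names for the path traversal pattern the archive rule above
targets: names that climb out of the extraction directory and end in a Windows
Startup folder. Example code written for this digest, not the signature-base YARA
rule, which matches the RAR/ZIP headers directly; names here are constructed."""
import io
import posixpath
import zipfile

STARTUP_MARKER = "start menu/programs/startup/"

def normalize_entry(name):
    """Lower-case, forward-slash form with '.' and '..' collapsed (keeps leading '..')."""
    return posixpath.normpath(name.replace("\\", "/")).lower()

def escapes_extraction_dir(norm):
    # Absolute paths, drive letters and any leading '..' all leave the target directory.
    return norm.startswith(("../", "/")) or norm == ".." or (len(norm) > 1 and norm[1] == ":")

def traversal_to_startup(zip_bytes):
    """Return entry names that both escape the extraction directory and target Startup."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            norm = normalize_entry(info.filename)
            if escapes_extraction_dir(norm) and STARTUP_MARKER in norm:
                hits.append(info.filename)
    return hits

def build_zip(entries):
    """Constructed archive; zipfile stores names verbatim and only sanitises on extract."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"placeholder content")
    return buf.getvalue()

# Constructed entry names: the second and third should be reported, the others not.
SAMPLE_ZIP = build_zip([
    "report.pdf",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.exe",
    "../../etc/cron.d/job",          # escapes, but not a Startup folder
    "notes/../readme.txt",           # '..' that does not leave the directory
])
```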
✎ Modified rules
Five YARA rules provide detection for various components of Winnti APT malware. The rules identify specific artifacts including a signing certificate, rootkit driver paths, unique strings in known DLLs, a specific driver file (FWPKCLNT.SYS), and named event objects. One rule for detecting named event objects was tuned to reduce false positives. (Winnti_signing_cert, Winnti_malware_Nsiproxy, Winnti_malware_UpdateDLL, Winnti_malware_FWPK, APT_Winnti_MAL_Dec19_1)
A set of five YARA rules was added to detect C# based hacking tools. The detections target specific typelib GUIDs embedded in the PE files of tools including CSharpSetThreadContext, Ladon, and Certify. The rule for Certify was updated with an additional GUID to cover more variants. (HKTL_NET_GUID_CSharpSetThreadContext, HKTL_NET_GUID_DLL_Injection, HKTL_NET_GUID_LimeUSB_Csharp, HKTL_NET_GUID_Ladon, HKTL_NET_GUID_Certify)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.