Detections Digest #20250825
This issue highlights key updates from 7 repositories, including 46 new and 47 modified Sigma, YARA, KQL, Elastic, Splunk and SublimeSecurity rules.
This week's update highlights the most significant changes to detection rules from 7 of the 40+ monitored GitHub repositories. Between Aug 18 and Aug 25, 2025, contributors added 46 new rules and updated 47 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New behavioral rules target advanced in-memory threats on Windows and macOS. Detections for Windows focus on module stomping, image hollowing, AMSI bypass, and call stack manipulation. New macOS rules identify malicious Python activity, reflective code loading, and abuse of automation tools for payload delivery. A cross-platform rule also detects command-line obfuscation via whitespace padding. (elastic/protections-artifacts, elastic/detection-rules)
New email security rules target phishing campaigns that abuse legitimate cloud services like Trello, Freshdesk, and ActiveCampaign. Detections identify suspicious links, open redirects, and display text spoofing. Additional rules were added for brand impersonation of Google Careers and callback scams using TimeTrade infrastructure. Existing brand impersonation rules for Adobe and DocuSign were refined to lower false positives. (sublime-security/sublime-rules)
New detections cover exploitation of Cisco and Commvault vulnerabilities. A suite of rules detects Static Tundra TTPs against Cisco Smart Install, from initial access to post-compromise actions like account creation and data exfiltration. New YARA rules identify exploit artifacts and web shells from a Commvault authentication bypass vulnerability. (splunk/security_content, Neo23x0/signature-base)
Multiple repositories refined existing rules to reduce false positives from legitimate software. Numerous PowerShell obfuscation and Windows in-memory threat detections were updated with specific process and signer exclusions. Email security rules were also improved with stricter logic and exceptions for benign communications. (elastic/detection-rules, elastic/protections-artifacts, sublime-security/sublime-rules)
Detection coverage for macOS threats has grown with many new behavioral rules. The new rules detect malicious Python scripts dropping executables, using ROT encoding, and deleting themselves after execution. Other detections target abuse of osascript and Automator for payload delivery, trojanized Ledger Live software, and NPM-based reverse shells. (elastic/protections-artifacts)
🚀 Make updates from this digest operational! All detection rules from this digest are available in our free and commercial MISP and STIX feeds.
Subscribe to integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
splunk/security_content (+7, ✎3)
sublime-security/sublime-rules (+10, ✎11)
elastic/detection-rules (+1, ✎10)
elastic/protections-artifacts (+22, ✎21)
Corporate repositories (4)
splunk/security_content (+7, ✎3)
+ New rules
A new set of rules detects Static Tundra TTPs against Cisco devices, often related to CVE-2018-0171. Initial exploitation of the Cisco Smart Install protocol is found by identifying oversized messages and correlating multiple Snort signatures. Post-compromise actions are detected in Cisco IOS logs, including creating privileged accounts, modifying SNMP strings, configuring TFTP for data exfiltration, and altering network interfaces. A broad hunting query combines several of these post-compromise indicators. (Cisco IOS Suspicious Privileged Account Creation, Cisco SNMP Community String Configuration Changes, Cisco Configuration Archive Logging Analysis, Cisco Smart Install Oversized Packet Detection, Cisco Network Interface Modifications, Cisco TFTP Server Configuration for Data Exfiltration, Cisco Secure Firewall - Static Tundra Smart Install Abuse)
✎ Modified rules
Three rules for detecting potentially malicious MSIX or AppX package installations were updated to align with Splunk's CIM. The detections cover unsigned packages (Event ID 603), successful installations (Event ID 854), and packages with full trust privileges (Event ID 400). All updates standardize the host field to dest for data model consistency. (Windows AppX Deployment Unsigned Package Installation, Windows AppX Deployment Package Installation Success, Windows AppX Deployment Full Trust Package Installation)
sublime-security/sublime-rules (+10, ✎11)
+ New rules
Multiple new rules target phishing and malware campaigns that abuse legitimate cloud and file-hosting services. Detections identify suspicious single-link emails pointing to services like Limewire, Riddle, ActiveCampaign, Trello, and Freshdesk. The logic inspects for malicious indicators such as open redirects, specific URL paths, link display text spoofing PDF files with financial keywords, and analysis of hosted content, often combined with checks for poor sender reputation or failed DMARC authentication. (Link: Direct link to limewire hosted file, Link: Direct link to riddle.com hosted showcase, Link: MyActiveCampaign Link Abuse, Link: Multistage landing - Trello board abuse, Link: Multistage landing - FreshDesk knowledge base abuse, Link: PDF and financial display text to free file host)
New detection coverage for brand impersonation attacks was added. One rule identifies callback phone scams abusing TimeTrade infrastructure to impersonate tech and payment companies like McAfee and PayPal. A second rule detects phishing emails that impersonate Google Careers in multiple languages, filtering out legitimate communications from 'google.com' that pass DMARC. (Callback scam: Impersonation via TimeTrade infrastructure, Brand impersonation: Google Careers)
Two rules were added to detect specific phishing techniques within email content and headers. One rule identifies attacks using PDF attachments personalized with the recipient's domain in the filename and a hyperlink containing the recipient's full email address, possibly inside a QR code. The other rule detects suspicious messages by combining signals such as emojis in the sender's display name, financial symbols in the subject, and DMARC failures from non-reputable domains. (Display Name Emoji with Financial Symbols, Attachment: PDF with recipient email in link)
✎ Modified rules
Multiple rules for brand impersonation of Adobe, DocuSign, TikTok, Twitter/X, Vanguard, and Zoom were updated to improve accuracy. The changes add specific exclusions for legitimate content like meeting summaries and career development emails. Other refinements include more precise logo detection logic and updated machine learning classifiers to reduce false positives. (Brand impersonation: Vanguard, Brand impersonation: Adobe with suspicious language and link, Brand impersonation: DocuSign branded attachment lure with no DocuSign links, Brand impersonation: Twitter, Brand impersonation: Zoom, Brand impersonation: TikTok)
Detection for several phishing delivery techniques was improved. A rule for encrypted PDF lures now has expanded keyword matching. The rule for HTML smuggling in EML attachments has more detailed sender trust evaluation. The QR code phishing rule was made more strict by requiring that the sender has no history of benign messages. (Attachment: Encrypted PDF with credential theft body, Attachment: EML file with HTML attachment (unsolicited), QR Code with suspicious indicators)
Rules targeting specific business-related scams were updated. The rule for PayPal callback phishing was modified to use a current HTML parsing function. The rule detecting attendee list purchase scams now uses an NLU classifier and also searches previous email threads for keywords. (PayPal invoice abuse, Spam: Attendee list solicitation)
elastic/detection-rules (+1, ✎10)
+ New rules
A new rule detects command-line obfuscation where attackers use a sequence of 100 or more whitespace characters. This technique pads malicious commands to evade signature-based security tools. The detection monitors process execution events for this pattern on Windows, macOS, and Linux systems. (Command Line Obfuscation via Whitespace Padding)
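The padding pattern this rule looks for, as an added example that is not the Elastic rule itself: a Python check that flags command lines containing a run of 100 or more spaces or tabs (the whitespace classes it counts are an assumption) and collapses the padding so an analyst can read the hidden command. The sample command lines are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Threshold described in the rule summary: 100 or more whitespace characters.
PAD_THRESHOLD = 100
# Assumption: only spaces and tabs are treated as command-line padding.
PAD_RE = re.compile(r"[ \t]{%d,}" % PAD_THRESHOLD)


def find_whitespace_padding(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per command line that contains a padding run.

    Each finding records the longest run and a normalized command (all
    whitespace runs collapsed to one space) for triage.
    """
    findings = []
    for line in cmdlines:
        runs = [m.end() - m.start() for m in PAD_RE.finditer(line)]
        if not runs:
            continue
        findings.append({
            "longest_run": max(runs),
            "normalized": re.sub(r"[ \t]{2,}", " ", line).strip(),
        })
    return findings


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    # Ordinary invocation with single spaces: must not alert.
    "powershell.exe -NoProfile -Command Get-Process",
    # 150 spaces inserted between the binary and its arguments.
    "cmd.exe" + " " * 150 + "/c whoami",
    # Just under the threshold (99 spaces): must not alert.
    "rundll32.exe" + " " * 99 + "shell32.dll,Control_RunDLL",
    # Tab padding counts as well.
    "sh -c" + "\t" * 120 + "'id'",
]

if __name__ == "__main__":
    for f in find_whitespace_padding(SAMPLE_CMDLINES):
        print(f"{f['longest_run']:>4} pad chars -> {f['normalized']}")
```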
✎ Modified rules
Multiple rules targeting PowerShell obfuscation were updated to reduce false positives. Techniques covered include IEX reconstruction, invalid escape sequences, high numeric character counts, and string reordering. Updates added specific exclusions for legitimate software such as the Maester module, JAMS Agent, and Defender ATP. One rule's detection patterns were expanded, while risk scores for two others were adjusted. (Dynamic IEX Reconstruction via Method String Access, Potential Dynamic IEX Reconstruction via Environment Variables, Potential PowerShell Obfuscation via Invalid Escape Sequences, Potential PowerShell Obfuscation via High Numeric Character Proportion, Potential PowerShell Obfuscation via String Reordering, Suspicious Windows Powershell Arguments)
Two rules for Windows host threats were tuned for accuracy. The rule for Print Spooler DLL creation (CVE-2020-1048) had its path filters corrected. The rule for COM session hijacking was updated with broad exclusions for common processes like MsMpEng.exe and TeamViewer.exe, and its severity was lowered. (Potential RemoteMonologue Attack, Suspicious PrintSpooler Service Executable File Creation)
The rule that detects potential C2 activity by monitoring DNS queries to abused web services was refined. An exclusion was added for DNS queries to raw.githubusercontent.com from processes signed by 'JetBrains s.r.o.' to reduce alerts from developer tools. (Connection to Commonly Abused Web Services)
A rule detecting AWS role assumption with a new MFA device was updated for better operational use. The change modifies the query schedule and adds relevant fields for triage to the investigation guide, which helps analysts investigate alerts. (AWS STS AssumeRole with New MFA Device)
elastic/protections-artifacts (+22, ✎21)
+ New rules
A set of new rules targets advanced in-memory threats on Windows. Detections cover code injection techniques like module stomping and image hollowing, AMSI bypass, and defense evasion methods that manipulate the call stack, such as truncation, spoofing, and indirect API invocation via thread pool callbacks. (Network Connect API from Modified Memory, Network Activity from Modified Module, Library Load from a Truncated Stack, Potential Image Hollowing via Mapping, Potential AMSI Bypass via SetThreadContext, Windows API via Work Callback, VirtualProtect API via Stack Truncation, VirtualProtect API Call from Unusual Stack)
New detections target malicious Python activity on macOS. These rules identify scripts dropping Mach-O executables, using ROT encoding for obfuscation, forking untrusted binaries, and deleting themselves after execution to evade analysis. (ROT encoded Python Script Execution, Suspicious Executable File Creation via Python, Self-Deleting Python Script, Unsigned or Untrusted Binary Fork via Python)
Added rules to detect abuse of legitimate macOS automation tools for payload delivery. The detections identify sequences where osascript (AppleScript) or Automator are used to spawn a shell and execute curl to download and stage malicious files. (Curl Hidden Binary Modification via Osascript, Shell Command Curl Execution via Osascript, Suspicious Curl Execution via Automator Workflow)
New detections added for several distinct macOS threats. These rules identify trojanized cryptocurrency wallet software (Ledger Live), reflective code loading for in-memory execution, malicious NPM packages establishing reverse shells, and specific curl abuse patterns associated with threat actors or targeting of JAMF Pro endpoints. (Malicious Ledger Live Execution, Reflective Binary Load, Suspicious Curl User Agent, Suspicious Curl to Jamf Endpoint, Javascript Reverse Shell via Nodejs)
Two rules address post-exploitation on Windows. One detects persistence when a decompression utility writes to a Startup folder, indicating a path traversal exploit (CVE-2025-6218). The other identifies a UAC bypass technique involving service creation from a non-elevated loopback logon. (Potential Execution via Archive Exploit, UAC Bypass via Service Creation)
✎ Modified rules
Multiple macOS detections were refined to reduce false positives. These rules cover threats like the WizardUpdate trojan, unauthorized keychain access, Gatekeeper bypass using xattr, and suspicious processes spawned by PowerShell or code editors. The updates improve precision by adding or modifying exclusions based on code signatures, parent processes, and specific command-line arguments. (Suspicious File Attribute Clearing, User Keychain Access in Unusual Location, Code Editor Untrusted or Unsigned Child Process Execution, Potential WizardUpdate Malware Infection, Suspicious Powershell Child Process)
Coverage for Windows in-memory threats like process injection and shellcode was updated. A new call stack byte signature was added to one rule to detect more malware variants. Other rules targeting techniques such as mavinject.exe abuse, NTDLL hijacking, and suspicious API calls from PowerShell were refined to reduce false positives by adding specific software exclusions and improving query logic for better matching. (Shellcode API behavior from a signed module, Execution from Suspicious Stack Trailing Bytes, API Call via Timer Callback Event, Potential Injection from a LUA Script, Shellcode Injection via PowerShell, Suspicious API Call from a PowerShell Script, Evasion via LdrpKernel32 Overwrite, DLL Injection via MavInject Utility)
Rules for detecting Windows credential access and lateral movement were updated to reduce false positives. The changes refine detections for unauthorized browser credential store access, network tunneling via loopback connections, and remote payload execution over SMB. Updates primarily involve adding new exclusions for trusted software signers, system processes, and specific call stack patterns from benign applications. (Execution of a File Dropped from SMB, Failed Access Attempt to Web Browser Files, Potential Remote Desktop Protocol Tunneling, Potential Known TCP Port Traffic Tunneling)
Detections for Windows defense evasion and persistence were improved. The rule for fodhelper.exe UAC bypass now correlates events over a longer time window. Detection for obfuscated scripts was made more precise by raising the file entropy threshold. Other rules covering Windows Defender exclusions and shortcut modification were tuned with more specific exceptions to reduce false positives from legitimate software. (Potential Obfuscated Script Execution, Windows Defender Exclusions via WMI, Suspicious Shortcut Modification, UAC Bypass via FodHelper Execution Hijack)
Personal repositories (3)
kevoreilly/CAPEv2 (✎2)
✎ Modified rules
Detection for the Stealc infostealer was refined with updated YARA signatures. One signature was tightened to require a match on all specified byte sequences, reducing false positives. A second signature was added to identify Stealc v2 by matching at least two of six byte patterns in its 32-bit and 64-bit payloads. (StealcV2)
Neo23x0/signature-base (+5)
+ New rules
New YARA rules detect exploit artifacts for a Commvault authentication bypass vulnerability (CVE-2025-57791). The rules identify QCommand argument injection by searching for strings like _localadmin__ and -localadmin in both plain text and base64-encoded forms within files. (EXPL_JSP_CommVault_CVE_2025_57791_Aug25_2, SUSP_EXPL_CommVault_CVE_2025_57791_Artifact_Aug25)
New YARA rules target JSP web shells dropped after exploiting a post-authentication RCE vulnerability in Commvault (CVE-2025-57791). Detection identifies files containing both specific Commvault XML tags and Java code for command execution. (EXPL_JSP_CommVault_CVE_2025_57791_Aug25_2)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL rule was added to monitor for high-volume email sending from default 'onmicrosoft.com' domains. The rule identifies accounts that may be impacted by new Microsoft email throttling limits by counting the number of distinct external recipients daily. (Detecting Onmicrosoft domains impacted by email exchange restrictions with External Domains(June 2026))
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.