Detections Digest #20250901
This issue highlights key updates from 12 repositories, including 28 new and 198 (💥) modified Splunk, Sigma, YARA, Elastic, Hayabusa and other detection rules.
This week's update highlights the most significant changes to detection rules from 12 of the 40+ monitored GitHub repositories. Between Aug 25 and Sep 1, 2025, contributors added 28 new rules and updated 198 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Detection coverage for cloud identity threats has expanded across multiple repositories. New rules target suspicious M365 and Azure logins using impossible travel and atypical travel analytics. Other rules focus on persistence techniques, such as new Azure service principal creation, and credential access in AWS via services like Secrets Manager. (elastic/detection-rules, anvilogic-forge/armory, HybridBrothers/Hunting-Queries-Detection-Rules)
The Elastic detection ruleset now integrates multiple third-party EDR data sources. A large number of Windows endpoint rules were updated to process logs from CrowdStrike Falcon, SentinelOne, and Elastic Endgame. This update extends existing detection logic for defense evasion, persistence, and execution to these new telemetry sources. (elastic/detection-rules)
Email threat detections are advancing to counter new phishing techniques. Rules for brand impersonation were updated to use OCR on image attachments and NLU models for callback scams. A new detection identifies potential AI prompt injection attacks in email bodies by looking for specific non-standard HTML tags. (sublime-security/sublime-rules)
Detections for Windows endpoint attacks saw widespread refinement. New rules identify COM hijacking via SpeechRuntime.exe and malicious DLL loads from temporary directories. A large number of Sigma rules targeting LOLBin abuse and persistence received syntax corrections, improving their operational reliability. (splunk/security_content, Yamato-Security/hayabusa-rules, SigmaHQ/sigma, elastic/detection-rules)
Coverage for specific malware families was expanded with new signatures and tuned rules. New YARA rules were created to detect the Linux rootkit Pumakit and the Windows trojans PathWiper and GodRAT. Additionally, Sigma rules for Raspberry Robin and Qakbot were corrected to better detect their known TTPs. (reversinglabs/reversinglabs-yara-rules, Neo23x0/signature-base, Yamato-Security/hayabusa-rules, SigmaHQ/sigma)
🚀 Make updates from this digest operational: all detection rules from this digest are available in our MISP and STIX/TAXII feeds.
Subscribe and integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Corporate repositories (9)
sublime-security/sublime-rules (+5, ✎9)
+ New rules
New rules improve detection of email-based impersonation and phishing. Two rules target brand and government agency impersonation by analyzing sender display names for variations of 'United Healthcare' and 'Social Security Administration'. Another rule identifies suspicious sender domains from ExactTarget infrastructure by flagging unusually long subdomains or those with UTF-8 characters. (Brand impersonation: United Healthcare, Impersonation: Social Security Administration with secure message language, Service Abuse: ExactTarget with suspicious sender domain)
A new rule detects potential AI prompt injection attacks in inbound emails. The detection searches the HTML body for non-standard tags containing references to major AI platforms like Gemini, Copilot, ChatGPT, or Claude. (Potential Prompt Injection Attack in Body HTML)
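The check described above can be reproduced with a few lines of Python. The block below is an added example, not Sublime's rule or code: it parses an email's HTML body, keeps only element names that are not standard HTML, and flags those whose name or attributes reference one of the AI platforms named in the digest. The set of standard tags and the exact matching of tag names and attributes are assumptions for this example; note that prose mentioning "Copilot" inside an ordinary paragraph is not flagged, and neither is Outlook's non-standard but harmless o:p element.

```python
from html.parser import HTMLParser

# Assumed (abridged) set of standard HTML element names; anything else is "non-standard".
STANDARD_TAGS = {
    "html", "head", "body", "title", "meta", "style", "link", "p", "a", "div", "span",
    "br", "hr", "img", "table", "thead", "tbody", "tr", "td", "th", "ul", "ol", "li",
    "b", "i", "u", "strong", "em", "font", "center", "h1", "h2", "h3", "h4", "h5", "h6",
}

# AI platforms named in the digest; matched case-insensitively against tag names and attributes.
AI_PLATFORM_TERMS = ("gemini", "copilot", "chatgpt", "claude")


class _NonStandardTagCollector(HTMLParser):
    """Collect every start tag whose element name is not standard HTML."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        name = tag.lower()
        if name not in STANDARD_TAGS:
            self.found.append((name, attrs))


def find_prompt_injection_tags(body_html):
    """Return [(tag_name, [matched_terms])] for non-standard tags that reference an AI platform."""
    parser = _NonStandardTagCollector()
    parser.feed(body_html)
    parser.close()
    findings = []
    for name, attrs in parser.found:
        # Inspect the element name and its attributes only, not the text between tags,
        # so ordinary prose that mentions an assistant by name does not trigger.
        haystack = " ".join([name] + [f"{k}={v or ''}" for k, v in attrs]).lower()
        matched = [term for term in AI_PLATFORM_TERMS if term in haystack]
        if matched:
            findings.append((name, matched))
    return findings


# Constructed samples: a normal mail (Outlook's o:p element is non-standard but harmless)
# and a mail hiding an instruction block inside an invented <chatgpt-prompt> element.
BENIGN_HTML = """<html><body>
<p>Hi team, our Copilot rollout webinar is on Thursday.<o:p></o:p></p>
<a href="https://example.com/invite">Register</a>
</body></html>"""

SUSPICIOUS_HTML = """<html><body>
<p>Please review the attached quarterly figures.</p>
<div style="display:none"><chatgpt-prompt data-target="assistant">
(hidden instruction text aimed at an email-summarising model)
</chatgpt-prompt></div>
</body></html>"""

if __name__ == "__main__":
    print(find_prompt_injection_tags(BENIGN_HTML))
    print(find_prompt_injection_tags(SUSPICIOUS_HTML))
```

Because the match is restricted to element names and attributes, the rule stays quiet on marketing mail that merely talks about AI assistants; a tag such as chatgpt-prompt, which no browser renders, is the signal.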
A new rule detects a fileless attack technique where a malicious payload is encoded into a filename, a method used by threats like VShell. The detection logic examines both direct attachments and files within archives. (Attachment: Base64 encoded bash command in filename)
✎ Modified rules
Detection for Stripe and Wix brand impersonation was improved. The Stripe rule now uses OCR on image attachments to find the 'stripe' keyword and an NLU model to identify callback scams. The Wix rule adds a condition to detect emails with 'wix' in the display name combined with specific domain expiration warning phrases in the body. (Brand Impersonation: Stripe, Brand impersonation: Wix)
Two rules targeting e-signature phishing were updated for broader coverage. One rule now detects malicious DocuSign share emails using 'rare' in addition to 'new' reply-to addresses. The other rule improves general e-signature phishing detection by adding the phrase 'action required' and increasing the HTML text character limit. (Service abuse: DocuSign share from an unsolicited reply-to address, Credential phishing: Suspicious e-sign agreement document notification)
Detection of evasive phishing techniques was updated. One rule targeting HTML smuggling refines sender validation with prevalence and DMARC checks. Another rule for obfuscated PHP links now correctly handles newline characters to prevent regex bypass. A third rule now identifies phishing links hosted on content creation platforms and URL shorteners. (HTML smuggling containing recipient email address, Link: /index.php enclosed in three asterisks, Link: Display text matches subject line)
Rules for financial-themed threats were updated. Invoice phishing detection now includes a new regular expression for suspicious subject line formats and identifies the phrase 'please see attached'. The cryptocurrency spam rule was expanded with keywords like 'trezor' and 'ledger' and updated to use a new NLU classifier. (Suspicious invoice reference with missing or image-only attachments, Spam: Cryptocurrency airdrop/giveaway)
elastic/detection-rules (+3, ✎57)
+ New rules
Three new rules improve detection of Microsoft 365 threats by analyzing audit logs. Two rules identify suspicious logins by flagging impossible travel and access from geographically uncommon locations for a user. A third rule detects threats surfaced by Microsoft Defender for Office 365's Threat Intelligence service, indicating potential account compromise. (M365 Portal Login (Impossible Travel), M365 Portal Login (Atypical Travel), M365 Threat Intelligence Signal)
✎ Modified rules
A large set of Windows endpoint rules were updated to include CrowdStrike Falcon as a data source. This expands detection coverage for numerous defense evasion, persistence, and execution techniques by processing CrowdStrike FDR logs. Updates include adding NT Object Path formats to queries to handle CrowdStrike's event structure. (Code Signing Policy Modification Through Registry, DNS-over-HTTPS Enabled via Registry, Microsoft Build Engine Using an Alternate Name, Executable File Creation with Multiple Extensions, Network-Level Authentication (NLA) Disabled, Potential DLL Side-Loading via Trusted Microsoft Programs, Potential DLL Side-Loading via Microsoft Antimalware Service Executable, etc.)
Multiple rules were updated to better detect Windows defense evasion and persistence through registry modifications. These changes target techniques such as disabling security features like UAC, Defender, and LSA Protection; enabling RDP; and establishing persistence via methods like AppCertDLLs, Office add-ins, Time Providers, and PowerShell profiles. (PowerShell Script Block Logging Disabled, Code Signing Policy Modification Through Registry, Network-Level Authentication (NLA) Disabled, RDP Enabled via Registry, Microsoft Windows Defender Tampering, Disabling Lsa Protection via Registry Modification, MS Office Macro Security Registry Modifications, Scheduled Tasks AT Command Enabled, etc.)
Detection for abuse of legitimate Windows binaries and masquerading was improved. Updates focus on renamed executables like MSBuild.exe and AutoIt.exe, and on system utilities such as cmd.exe, mshta.exe, and hh.exe making unexpected outbound network connections for payload download or C2 communication. (Microsoft Build Engine Using an Alternate Name, Renamed AutoIt Scripts Interpreter, Renamed Utility Executed with Short Program Name, Potential DLL Side-Loading via Trusted Microsoft Programs, Potential DLL Side-Loading via Microsoft Antimalware Service Executable, etc.)
Cloud identity threat detection is improved for AWS and Entra ID. AWS rules were refined to better detect credential discovery via GetCallerIdentity, exfiltration from Secrets Manager, and persistence using GetFederationToken. A separate rule was tuned to detect Entra ID session hijacking by identifying session token reuse from a new IP address. (AWS STS GetCallerIdentity API Called for the First Time, First Time Seen AWS Secret Value Accessed in Secrets Manager, AWS First Occurrence of STS GetFederationToken Request by User, Microsoft Entra ID Suspicious Session Reuse to Graph Access)
Detection coverage was broadened across multiple rules by adding support for SentinelOne and Elastic Endgame data sources. These updates allow for the identification of suspicious process executions, lateral movement via WinRM, and abuse of system utilities in environments monitored by these tools. (Suspicious Communication App Child Process, Potential Masquerading as Communication Apps, Mshta Making Network Connections, Network Connection via Signed Binary, Script Execution via Microsoft HTML Application, Command and Scripting Interpreter via Windows Scripts, Suspicious Microsoft Diagnostics Wizard Execution, Unusual Process Network Connection, Potential Evasion via Filter Manager, PsExec Network Connection, Network Connection via Compiled HTML File, Command Prompt Network Connection, Incoming Execution via WinRM Remote Shell)
anvilogic-forge/armory (+2)
+ New rules
Two new rules target identity-based threats in Microsoft Azure. One rule detects the creation of new service principals from Azure activity logs, a persistence technique used by groups like APT29. Another rule identifies impossible travel scenarios by analyzing user sign-in data, which can indicate compromised credentials. (Azure New Service Principal, Azure Impossible Travels Sign-in)
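Both the Elastic M365 rules above and the Anvilogic Azure rule rest on the same two analytics: impossible travel (the speed implied by two consecutive sign-ins is not physically achievable) and atypical travel (a sign-in from a location the user has no history with). The block below is an added example illustrating both, not code from either project: it computes the great-circle distance between consecutive sign-ins per user and flags pairs whose implied speed exceeds a threshold, and separately flags sign-ins from a country missing from a per-user baseline. The 900 km/h threshold, the constructed sign-in records (RFC 5737 documentation addresses, city-centre coordinates) and the baseline are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    country: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins per user whose implied ground speed exceeds max_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Two far-apart sign-ins with the same timestamp mean infinite speed, not a divide-by-zero.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                findings.append({"user": user, "from_ip": prev.ip, "to_ip": cur.ip,
                                 "km": round(km), "minutes": round(hours * 60), "kmh": kmh})
    return findings


def atypical_travel(events, baseline_countries):
    """Flag sign-ins from a country absent from the user's historical baseline."""
    return [ev for ev in events if ev.country not in baseline_countries.get(ev.user, set())]


UTC = timezone.utc
# Constructed sign-in records: Berlin -> Sydney in 90 minutes for alice, Berlin -> Munich in 4 h for bob.
SAMPLE_SIGNINS = [
    SignIn("alice", datetime(2025, 8, 28, 8, 0, tzinfo=UTC), "203.0.113.10", "DE", 52.520, 13.405),
    SignIn("alice", datetime(2025, 8, 28, 9, 30, tzinfo=UTC), "198.51.100.7", "AU", -33.869, 151.209),
    SignIn("bob", datetime(2025, 8, 28, 8, 0, tzinfo=UTC), "203.0.113.10", "DE", 52.520, 13.405),
    SignIn("bob", datetime(2025, 8, 28, 12, 0, tzinfo=UTC), "203.0.113.55", "DE", 48.137, 11.575),
]
# Constructed baseline: countries each user has signed in from over a prior look-back window.
BASELINE_COUNTRIES = {"alice": {"DE"}, "bob": {"DE"}}

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
    for ev in atypical_travel(SAMPLE_SIGNINS, BASELINE_COUNTRIES):
        print("atypical travel:", ev.user, ev.country, ev.ip)
```

In production the baseline would be built from the user's own sign-in history rather than a hard-coded dict, and geolocation of VPN and mobile-carrier egress addresses is the main source of false positives for the speed check, so the IP pair is kept in each finding for triage.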
splunk/security_content (+3)
+ New rules
Three new rules detect malicious DLL loading on Windows. One rule finds DLLs loaded from temporary directories using Sysmon Event ID 7. Two other rules target COM hijacking via SpeechRuntime.exe by detecting DLL loads from outside standard system directories and the spawning of suspicious child processes like cmd.exe or powershell.exe. (Windows DLL Module Loaded in Temp Dir, Windows SpeechRuntime COM Hijacking DLL Load, Windows SpeechRuntime Suspicious Child Process)
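The first of those rules is a straightforward filter over Sysmon Event ID 7 (Image loaded). As an added example, not Splunk's SPL or code, the block below parses Sysmon events in their Windows event XML form, keeps only Event ID 7, and reports loads whose ImageLoaded path has a temp or tmp directory component, carrying the process, signature flag and computer name along for triage. The definition of "temporary directory" and the constructed events are assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SYSMON_IMAGE_LOADED = 7  # Sysmon Event ID 7: "Image loaded"
# Assumed definition of a temporary directory: any path component named temp or tmp.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict: event_id, computer, plus every EventData field."""
    root = ET.fromstring(xml_text.strip())
    system = root.find(EVENT_NS + "System")
    record = {
        "event_id": int(system.findtext(EVENT_NS + "EventID")),
        "computer": system.findtext(EVENT_NS + "Computer"),
    }
    for data in root.iter(EVENT_NS + "Data"):
        record[data.get("Name")] = (data.text or "").strip()
    return record


def flag_temp_dir_dll_loads(xml_events):
    """Return Event ID 7 records whose ImageLoaded path sits under a temp directory."""
    hits = []
    for xml_text in xml_events:
        rec = parse_sysmon_event(xml_text)
        if rec["event_id"] != SYSMON_IMAGE_LOADED:
            continue  # process creation and other event types are out of scope here
        loaded = rec.get("ImageLoaded", "")
        if TEMP_DIR.search(loaded):
            hits.append({
                "computer": rec["computer"],
                "process": rec.get("Image", ""),
                "image_loaded": loaded,
                "signed": rec.get("Signed", "").lower(),
                "signature_status": rec.get("SignatureStatus", ""),
            })
    return hits


def _event(event_id, fields):
    """Build a constructed Sysmon event, trimmed to the fields the check needs."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Computer>ws01.example.internal</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(7, {"Image": r"C:\Program Files\Example\app.exe",
               "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
               "Signed": "true", "SignatureStatus": "Valid"}),
    _event(7, {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
               "Signed": "false", "SignatureStatus": "Unavailable"}),
    # Event ID 1 (process create) from the same temp directory: not an image load, so ignored.
    _event(1, {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
               "CommandLine": "setup.exe /silent"}),
]

if __name__ == "__main__":
    for hit in flag_temp_dir_dll_loads(SAMPLE_EVENTS):
        print(hit)
```

Installers legitimately load DLLs from temp directories, so the Signed and SignatureStatus fields are surfaced rather than used as a hard filter: an unsigned load is a stronger signal, but a signed one from a temp path is still worth a look when the parent process is unusual.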
reversinglabs/reversinglabs-yara-rules (+2)
+ New rules
Two new YARA rules detect malware on different platforms. One rule targets the Pumakit rootkit on Linux, identifying its syscall hooking patterns in ELF files. The other rule detects the PathWiper trojan on Windows by matching byte signatures for its file enumeration and data destruction functions. (Linux_Rootkit_Pumakit, Win32_Trojan_PathWiper)
Yamato-Security/hayabusa-rules (✎87)
✎ Modified rules
A large set of Sigma rules underwent syntax corrections, primarily reordering the windash and contains modifiers for command-line argument matching. This change improves rule parsing and compatibility with various detection engines, increasing operational reliability without altering the intended detection logic. (LSASS Process Reconnaissance Via Findstr.EXE, Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location, Exports Registry Key To a File, Remote File Download Via Findstr.EXE, Insensitive Subfolder Search Via Findstr.EXE, File Decoded From Base64/Hex Via Certutil.EXE, Loaded Module Enumeration Via Tasklist.EXE, System Information Discovery via Registry Queries, Windows Recovery Environment Disabled Via Reagentc, Qakbot Regsvr32 Calc Pattern, Raspberry Robin Subsequent Execution of Commands, etc.)
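To see why the modifier order is a syntax matter and not a logic change, it helps to run the two modifiers by hand. The block below is an added example, not code from hayabusa-rules, SigmaHQ or any Sigma backend: a toy evaluator that expands windash into its dash and slash permutations, applies contains (plus startswith/endswith) with Sigma's case-insensitive string matching, and then evaluates one certutil decode selection in both modifier orders against constructed process events. This example takes field|windash|contains as the spec-conformant order that the corrections move towards (an assumption here, since the digest does not state the direction), and the set of dash characters expanded is likewise assumed.

```python
import itertools
import re

# Dash characters the Sigma windash modifier substitutes for a switch-leading "-":
# ASCII hyphen, forward slash, en dash, em dash, horizontal bar (assumed set for this example).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")
# A "-" at the start of the value or right after whitespace, i.e. one that opens a switch.
_SWITCH_DASH = re.compile(r"(?<![^\s])-")


def windash(value):
    """Expand every switch-leading dash into all dash/slash permutations (5**n variants)."""
    positions = [m.start() for m in _SWITCH_DASH.finditer(value)]
    variants = []
    for combo in itertools.product(WINDASH_VARIANTS, repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.append("".join(chars))
    return variants


def compile_selection(selection):
    """Turn {"Field|mod|mod": value or [values]} into [(field, mode, lowercase values)]."""
    compiled = []
    for spec, values in selection.items():
        field, *modifiers = spec.split("|")
        values = list(values) if isinstance(values, list) else [values]
        mode = "equals"
        for mod in modifiers:
            if mod == "windash":
                values = [v for val in values for v in windash(val)]
            elif mod in ("contains", "startswith", "endswith"):
                mode = mod
            else:
                raise ValueError(f"modifier {mod!r} not supported by this toy evaluator")
        compiled.append((field, mode, [v.lower() for v in values]))
    return compiled


def matches(compiled, event):
    """Sigma semantics: every field must match (AND); any value in a list suffices (OR)."""
    for field, mode, values in compiled:
        actual = str(event.get(field, "")).lower()
        if mode == "contains":
            ok = any(v in actual for v in values)
        elif mode == "startswith":
            ok = any(actual.startswith(v) for v in values)
        elif mode == "endswith":
            ok = any(actual.endswith(v) for v in values)
        else:
            ok = actual in values
        if not ok:
            return False
    return True


def matching_indices(selection, events):
    compiled = compile_selection(selection)
    return [i for i, ev in enumerate(events) if matches(compiled, ev)]


# Spec-order selection and the legacy order it replaces; both must pick out the same events.
SELECTION_SPEC_ORDER = {"Image|endswith": "\\certutil.exe",
                        "CommandLine|windash|contains": [" -decode", " -decodehex"]}
SELECTION_LEGACY_ORDER = {"Image|endswith": "\\certutil.exe",
                          "CommandLine|contains|windash": [" -decode", " -decodehex"]}

# Constructed process-creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe -decode enc.txt out.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe /decode enc.txt out.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe \u2013decode enc.txt out.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "CommandLine": "certutil.exe -encode data.bin out.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe -decode.txt"},
]

if __name__ == "__main__":
    print(windash(" -decode"))
    print(matching_indices(SELECTION_SPEC_ORDER, SAMPLE_EVENTS))
    print(matching_indices(SELECTION_LEGACY_ORDER, SAMPLE_EVENTS))
```

The third event uses an en dash, which is why a plain contains on " -decode" would miss it and windash exists at all; the fifth event shows the AND across fields keeping a non-certutil process out. Since this evaluator simply collects modifiers before matching, both orders give identical results, which is the property the digest describes: the reordering fixes parsing on stricter engines without changing what the rules detect.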
Coverage for malware families like Raspberry Robin and Qakbot is updated. Detections target Raspberry Robin's execution chain, including UAC bypass via fodhelper.exe and payload download using msiexec.exe. Rules also detect Qakbot techniques, such as specific regsvr32.exe command lines and browser data theft with esentutl.exe. (Qakbot Regsvr32 Calc Pattern, Raspberry Robin Subsequent Execution of Commands, Raspberry Robin Initial Execution From External Drive, Esentutl Steals Browser Information)
Detection for signed binary proxy execution via msiexec.exe (T1218.007) is improved. The rules target quiet or silent installations, including from remote locations, and the registration or unregistration of DLLs using flags like /q, /y, and /z. This helps identify attackers using the legitimate Windows Installer to run malicious code. (Raspberry Robin Initial Execution From External Drive, Msiexec Quiet Installation, Suspicious Msiexec Quiet Install From Remote Location, Suspicious Msiexec Execute Arbitrary DLL, DllUnregisterServer Function Call Via Msiexec.EXE)
Multiple rules targeting credential access techniques were updated. Detections cover copying sensitive files like ntds.dit with esentutl.exe, process memory dumping with renamed ProcDump or tools like rdrleakdiag.exe, forcing NTLM hash capture with rpcping.exe, and exporting certificates with private keys using certutil.exe. (Esentutl Steals Browser Information, Copying Sensitive Files with Credential Data, Process Memory Dump via RdrLeakDiag.EXE, Capture Credentials with Rpcping.exe, Renamed ProcDump Execution, Certificate Exported Via Certutil.EXE)
Rules detecting various reconnaissance and defense evasion tactics were corrected. These include detecting system discovery with dir /s, reg query, and chcp. Coverage also includes process enumeration for lsass using findstr, and file deletion paired with a ping delay command to erase forensic evidence. (LSASS Process Reconnaissance Via Findstr.EXE, Insensitive Subfolder Search Via Findstr.EXE, Loaded Module Enumeration Via Tasklist.EXE, System Information Discovery via Registry Queries, File And SubFolder Enumeration Via Dir Command, Suspicious Ping/Del Command Combination, Console CodePage Lookup Via CHCP)
SigmaHQ/sigma (✎40)
✎ Modified rules
A broad set of rules for Living-Off-the-Land Binaries (LOLBins) received syntax corrections to their command-line matching logic. This improves the reliability of detecting techniques such as certutil for file encoding, msiexec for DLL proxy execution, findstr for discovery, esentutl for copying credential files, and msdt.exe use related to CVE-2022-30190. (File Encoded To Base64 Via Certutil.EXE, Suspicious File Encoded To Base64 Via Certutil.EXE, Certificate Exported Via Certutil.EXE, DllUnregisterServer Function Call Via Msiexec.EXE, Suspicious Msiexec Execute Arbitrary DLL, LSASS Process Reconnaissance Via Findstr.EXE, Remote File Download Via Findstr.EXE, Insensitive Subfolder Search Via Findstr.EXE, System Information Discovery via Registry Queries, etc.)
Detection for Sysinternals and other administrative tool abuse was improved. The PsLogList rule adds coverage for event log clearing (-c) and exporting (-g). Syntactic fixes were also applied across this group to solidify detection of PsExec for SYSTEM privilege escalation, Sysmon uninstallation, renamed ProcDump execution, and memory dumping with rdrleakdiag.exe. (Suspicious Use of PsLogList, PsExec/PAExec Escalation to LOCAL SYSTEM, Potential Privilege Escalation To LOCAL SYSTEM, Uninstall Sysinternals Sysmon, Renamed ProcDump Execution, Process Memory Dump via RdrLeakDiag.EXE, Potential Execution of Sysinternals Tools)
Two rules detecting Raspberry Robin malware received syntax corrections. The changes address command-line modifier logic to more reliably identify the malware's initial execution via msiexec.exe with a URL and its subsequent process chain involving fodhelper.exe and odbcconf.exe. (Raspberry Robin Subsequent Execution of Commands, Raspberry Robin Initial Execution From External Drive)
auth0/auth0-customer-detections (✎1)
✎ Modified rules
Detection for potential Cross-Site Scripting (XSS) in Auth0 LiquidJS error page templates is now more precise. The rule was updated to specifically identify unfiltered or insecurely filtered LiquidJS variables, which are direct indicators of XSS vulnerabilities. This change reduces false positives. (Loaded LiquidJS error page template contains XSS vulnerabilities)
magicsword-io/LOLDrivers (✎4)
✎ Modified rules
Detection coverage for malicious and vulnerable drivers on Windows is improved. Four rules were updated to synchronize their detection logic with the latest intelligence from the loldrivers.io project. These rules monitor for driver load events and match against refreshed lists of known malicious driver filenames and file hashes, including MD5, SHA1, SHA256, and IMPHASH. (Malicious Driver Load By Name, Vulnerable Driver Load By Name, Malicious Driver Load Despite HVCI, Vulnerable Driver Load Despite HVCI)
Personal repositories (3)
HybridBrothers/Hunting-Queries-Detection-Rules (+1)
+ New rules
A new KQL query identifies systems using Seamless SSO in Entra ID Connect by analyzing Kerberos events in Microsoft Defender for Identity logs. This helps administrators find and assess this potentially risky configuration for possible disablement. (Hunt domains with Seamless SSO enabled in Entra ID Connect)
alexverboon/Hunting-Queries-Detection-Rules (+11)
+ New rules
A set of four new KQL queries provides detection for malicious activity associated with abused Top-Level Domains (TLDs). These queries inspect telemetry from Defender for Endpoint and Defender for Office 365 to find outbound network connections, URLs in emails, and user clicks involving TLDs known for malicious use, including those on the Spamhaus list and the .zip and .mov TLDs. (Connections to Spamhaus Abused TLDs, Connections to .zip and .mov Domains, Abused TLDs in Email URLs, User Clicks on URLs with Abused TLDs)
New KQL queries improve identity and access monitoring across hybrid environments. The rules audit administrative changes in Microsoft Entra Connect Sync, identify inactive Active Directory user accounts, report sign-ins blocked by Purview Insider Risk policies, and track logon activity of the built-in Administrator account (SID -500). (Entra ID - Microsoft Entra Connect Sync Audit Events, Active Directory - User last logon, Microsoft Purview - Entra ID - Conditional Access - Block - Insider Risk, Use of Administrator Account)
Two new KQL queries detect anomalous endpoint network activity. One identifies network scanning techniques by searching for uncommon TCP flag combinations in Defender for Endpoint data. The other finds network connections from PowerShell processes spawned by the MDE Sense service, which may indicate misuse of live response features. (Defender for Endpoint - Potential suspicious TCP Flags, MDE - Sense triggers PowerShell with public IP network connection)
A new KQL query inventories Azure DevOps projects and repositories using Microsoft 365 Defender's exposure graph data. This provides visibility into the organization's DevOps assets for security posture management. (DevOps - Azure DevOps Inventory)
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects the GodRAT remote access trojan on Windows. The detection logic identifies specific import hashes, a common XOR decryption routine using SSE instructions, a C++/WinRT version string, and NT API function names used for process injection. (MAL_CRIME_RAT_WIN_PE_GodRat_Aug23)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.