Detections Digest #20250908
This issue highlights key updates from 7 repositories, including 29 new and 49 modified Splunk, YARA, Elastic and SublimeSecurity detection rules.
This week's update highlights the most significant changes to detection rules from 7 of the 40+ monitored GitHub repositories. Between Sep 1 and Sep 8, 2025, contributors added 29 new rules and updated 49 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections target defense evasion and execution using trusted Windows binaries like ssh.exe, conhost.exe, and mshta.exe. Rules that monitor LOLBAS network activity were tuned to reduce false positives by excluding legitimate software. Several existing LOLBAS rules were updated to add support for Elastic Defend, CrowdStrike, and SentinelOne data sources. (elastic/detection-rules)
New email detections identify complex phishing campaigns, including callback phishing in Yammer comments and brand impersonation of services like Gemini and Procore. These rules apply NLU, OCR, and ML to analyze content. Existing rules were modified to counter phone number obfuscation and find malicious links hidden in QR codes. (sublime-security/sublime-rules)
Coverage for Active Directory credential access was expanded. New rules correlate coerced authentication events with network logons from a different source to find potential NTLM and Kerberos relay attacks. Other detections identify AD reconnaissance with AdExplorer and attempts to steal browser credentials from unusual parent processes. (elastic/detection-rules)
Detections using DNS telemetry are expanding to cover data exfiltration and C2. New rules identify DNS queries to LLM domains, suspicious TLDs, and public IP lookup services originating from system utilities. A Splunk rule for Hugging Face DNS lookups was updated to include queries from cmd.exe and powershell.exe. (elastic/detection-rules, splunk/security_content)
Several repositories modified rules for improved compatibility and reliability across data sources. Many Elastic rules were updated to correctly parse NT Object paths from CrowdStrike logs by changing wildcard usage. Splunk's Azure Automation rules now use non-localized operation names, making them language-independent. (elastic/detection-rules, splunk/security_content)
🚀 Make updates from this digest operational: all detection rules from this digest are available in our MISP and STIX/TAXII feeds.
Subscribe and integrate directly into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
elastic/detection-rules (+20, ✎24)
sublime-security/sublime-rules (+8, ✎15)
Corporate repositories (3)
elastic/detection-rules (+20, ✎24)
+ New rules
New rules target defense evasion and execution techniques that use trusted Windows binaries. Detections monitor for command execution proxied through ssh.exe and conhost.exe, remote package installation via msiexec.exe, suspicious child processes spawned by mshta.exe, script execution from archive temporary paths via wscript.exe, and command execution from WebDAV shares. (Proxy Execution via Windows OpenSSH, Proxy Execution via Console Window Host, Potential Remote Install via MsiExec, Suspicious Microsoft HTML Application Child Process, Suspicious Execution from a WebDav Share, Windows Script Execution from Archive)
A set of new rules identifies command-and-control and discovery activity through DNS monitoring. Detections target queries to Large Language Model (LLM) domains, suspicious Top-Level Domains (TLDs), and public IP address lookup services. The rules focus on queries originating from unsigned processes, common scripting utilities, and LOLBINs. (Connection to Common Large Language Model Endpoints, Network Activity to a Suspicious Top Level Domain, System Public IP Discovery via DNS Query)
Coverage for credential access and Active Directory attacks is improved. Two rules detect NTLM and Kerberos relay attacks by correlating coerced authentication events with subsequent network logons from a mismatched source IP. Other rules detect ADExplorer execution for reconnaissance and attempts to steal browser credentials by spotting unusual parent processes launching Chrome or Edge in headless or debug mode. (Browser Process Spawned from an Unusual Parent, Potential Kerberos Relay Attack against a Computer Account, Potential NTLM Relay Attack against a Computer Account, Active Directory Discovery using AdExplorer)
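The correlation described for the two relay rules, as an added Python example rather than Elastic's query logic: it pairs each computer-account network logon with a preceding authentication event for the same account inside a short window and flags the pair when the source addresses differ. The event shape, field names and 30-second window are assumptions, and the telemetry is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "auth": authentication event for the computer account, recorded
                     #         with the host's own address (assumed shape)
                     # "logon": subsequent network logon using that computer account
    account: str     # computer accounts end with "$"
    source_ip: str


# Constructed sample telemetry, not real logs.
EVENTS = [
    Event(datetime(2025, 9, 3, 10, 0, 0), "auth", "FILESRV01$", "10.0.0.21"),
    Event(datetime(2025, 9, 3, 10, 0, 2), "logon", "FILESRV01$", "10.0.0.99"),  # other source: candidate
    Event(datetime(2025, 9, 3, 10, 5, 0), "auth", "WKS07$", "10.0.0.42"),
    Event(datetime(2025, 9, 3, 10, 5, 1), "logon", "WKS07$", "10.0.0.42"),      # same host: benign
    Event(datetime(2025, 9, 3, 11, 0, 0), "logon", "FILESRV01$", "10.0.0.99"),  # no auth inside window
    Event(datetime(2025, 9, 3, 11, 0, 1), "logon", "jdoe", "10.0.0.99"),        # user account: out of scope
]


def find_relay_candidates(events, window=timedelta(seconds=30)):
    """Pair each computer-account network logon with a preceding auth event for the
    same account inside `window`; report it when the source addresses differ."""
    auths = [e for e in events if e.kind == "auth" and e.account.endswith("$")]
    alerts = []
    for logon in events:
        if logon.kind != "logon" or not logon.account.endswith("$"):
            continue
        for auth in auths:
            if (auth.account == logon.account
                    and timedelta(0) <= logon.ts - auth.ts <= window
                    and auth.source_ip != logon.source_ip):
                alerts.append({"account": logon.account, "auth_source": auth.source_ip,
                               "logon_source": logon.source_ip, "ts": logon.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_relay_candidates(EVENTS):
        print(alert)
```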
Two new rules address social engineering attacks that trick users into executing malicious commands. The detections identify phishing techniques like Fake CAPTCHA and FileFix/ClickFix by monitoring for browser-spawned processes with suspicious command-line arguments or executables running from the Downloads folder. (Potential Execution via FileFix Phishing Attack, Potential Fake CAPTCHA Phishing Attack)
New rules detect specific malware, remote access tools, and system integrity attacks. Detections include file and registry artifacts for the Remcos RAT, execution of NetSupport Manager from non-standard paths, and suspicious NodeJS interpreter usage. System integrity is covered by rules that find attempts to modify permissions on system files or delete critical Windows boot files. (NetSupport Manager Execution from an Unusual Path, Potential REMCOS Trojan Execution, System File Ownership Change, Suspicious Execution with NodeJS, Potential System Tampering via File Modification)
✎ Modified rules
Numerous rules were updated to improve compatibility with CrowdStrike logs and other data sources that use the NT Object path format. The changes primarily involve replacing single-character wildcards with multi-character wildcards in \Device\HarddiskVolume paths, ensuring correct filtering and detection on systems with multiple volumes. (Program Files Directory Masquerading, PowerShell Script Block Logging Disabled, Execution via Windows Command Debugging Utility, Signed Proxy Execution via MS Work Folders, Attempt to Install Kali Linux via WSL, Microsoft Management Console File from Unusual Path, Execution via local SxS Shared Module, Suspicious Windows Command Shell Arguments, UAC Bypass via DiskCleanup Scheduled Task Hijack, Registry Persistence via AppInit DLL, Unusual Print Spooler Child Process)
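To show why the wildcard change matters, here is an added Python example (not Elastic's code) that uses glob-style matching via fnmatch as a stand-in for the rule engine's wildcards and runs the single-character and multi-character patterns over constructed NT Object paths with one- and two-digit volume indices. It also shows a trade-off the digest does not discuss: an unbounded wildcard matches across path separators, so a digit-bounded regex is included as a stricter, hypothetical alternative.

```python
import fnmatch
import re

# Constructed sample process paths in NT Object format; volume indices are
# not always a single digit on multi-volume hosts.
SAMPLE_PATHS = [
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe",
    r"\Device\HarddiskVolume12\Windows\System32\cmd.exe",      # two-digit volume
    r"\Device\HarddiskVolume1\Users\Public\cmd.exe",           # wrong directory
    r"\Device\HarddiskVolume3\Temp\Windows\System32\cmd.exe",  # nested copy
]

# Before: '?' matches exactly one character, so HarddiskVolume12 is missed.
OLD_PATTERN = r"\Device\HarddiskVolume?\Windows\System32\cmd.exe"
# After: '*' matches any run of characters, covering every volume index.
NEW_PATTERN = r"\Device\HarddiskVolume*\Windows\System32\cmd.exe"

# Hypothetical stricter form (not from the digest): bound the wildcard to digits
# so it cannot swallow additional directory components.
STRICT_RE = re.compile(
    r"^\\Device\\HarddiskVolume\d+\\Windows\\System32\\cmd\.exe$", re.IGNORECASE
)


def glob_matches(pattern: str, paths: list[str]) -> list[str]:
    """Paths matched by a glob-style pattern (stand-in for rule wildcards)."""
    return [p for p in paths if fnmatch.fnmatchcase(p, pattern)]


def strict_matches(paths: list[str]) -> list[str]:
    """Paths matched by the digit-bounded regex."""
    return [p for p in paths if STRICT_RE.match(p)]


if __name__ == "__main__":
    print("old   ", glob_matches(OLD_PATTERN, SAMPLE_PATHS))
    print("new   ", glob_matches(NEW_PATTERN, SAMPLE_PATHS))
    print("strict", strict_matches(SAMPLE_PATHS))
```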
Three rules that detect network activity following process execution were tuned to reduce false positives. These rules target msiexec.exe, general LOLBAS binaries, and DNS queries to abused web services. Updates include adding specific exclusions for legitimate software publishers, common system tools, and trusted domains. (MsiExec Service Child Process With Network Connection, Unusual Network Activity from a Windows System Binary, Connection to Commonly Abused Web Services)
Detection for defense evasion techniques was expanded. Updates broaden coverage for computer account relay attacks beyond NTLM, add detection for renamed AutoHotkey and KIX32 interpreters, and improve identification of unsigned kernel driver loads. One rule's logic was corrected to properly detect file ownership changes via icacls.exe. (Potential Computer Account Relay Activity, Renamed Automation Script Interpreter, Untrusted Driver Loaded, System File Ownership Change)
Rules targeting persistence and privilege escalation received logic and data source updates. The rule for remote scheduled task creation now monitors all registry hives. Detection for a print spooler vulnerability, CVE-2020-1030, was refined for accuracy. Several rules in this group added support for SentinelOne and Microsoft Defender for Endpoint. (Remote Scheduled Task Creation, Suspicious Print Spooler Point and Print DLL)
Coverage was extended for several data sources across multiple rules targeting LOLBAS and scripting. New integrations include Elastic Defend, CrowdStrike, and SentinelOne for rules detecting suspicious PowerShell arguments, HTA file execution, and rundll32.exe network activity. In addition, an investigation guide was added to a rule for O365 Threat Intelligence alerts. (Script Execution via Microsoft HTML Application, Unusual Network Connection via RunDLL32, Suspicious Windows Powershell Arguments, M365 Threat Intelligence Signal)
sublime-security/sublime-rules (+8, ✎15)
+ New rules
Multiple new rules detect brand and service impersonation attacks. The detections identify callback phishing in Yammer comments using NLU, Google Classroom lures carrying WhatsApp contact information via keyword and OCR analysis, and impersonation of Gemini and Procore through checks on sender domains, email footers, and ML-based logo detection. (Callback phishing via Yammer comment, Google Classroom Spoofing With WhatsApp Contact Information, Brand Impersonation: Gemini Trust Company, Brand Impersonation: Procore)
Two rules target threats delivered via Microsoft Office documents. One rule detects macro-enabled files containing social engineering text by matching keywords and using OCR on images. The other identifies documents with embedded phishing links by applying machine learning analysis to URLs after filtering out legitimate schema links. (Attachment: Office file with document sharing and browser instruction lures, Attachment: Office file with credential phishing URLs)
New detections identify email reconnaissance and initial-stage phishing from free email providers. One rule detects simple probes with generic greetings used for email address validation. Another rule identifies potential email harvesting messages based on characteristics like short subjects, an email address in the body, and a single link. (Reconnaissance: Email address harvesting attempt, Reconnaissance: Short generic greeting message)
✎ Modified rules
Multiple rules for callback phishing were updated to counter phone number obfuscation. Regular expressions were changed to detect digits substituted with letters like 'i', 'l', and 'o' and to handle varied spacing. The updates target campaigns using student loan forgiveness, Payoneer, PayPal, and Intuit services as lures. (BEC/Fraud: Student loan callback phishing, Service abuse: Payoneer callback scam, PayPal invoice abuse, Callback phishing via Intuit service abuse)
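An added Python sketch (not Sublime Security's rule logic) of the digit-substitution handling described above: a regex that accepts letters in digit positions and arbitrary separators between them, followed by a normalization step and a minimum count of true digits so that ordinary runs of letters are not reported. The substitution map, separator set and sample message bodies are constructed.

```python
import re

# Letters that lures substitute for digits; the digest names i/l for 1 and o for 0.
SUBSTITUTIONS = {"o": "0", "O": "0", "i": "1", "I": "1", "l": "1", "L": "1"}
OBF_DIGIT = r"[0-9oOiIlL]"
# Separators tolerated between digit positions: spaces, dots, dashes, parentheses.
SEP = r"[\s.\-()]*"

# Ten digit positions with optional separators and an optional leading "1".
# The lookarounds stop a match from starting or ending inside a word.
PHONE_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:1" + SEP + r")?\(?" + SEP.join([OBF_DIGIT] * 10) + r"(?![0-9A-Za-z])"
)

# Constructed sample message bodies, not real campaign text.
SAMPLES = [
    "Your PayPal invoice is due. Call us at 1-8OO-555-O199 to cancel",  # o for 0
    "Loan support line: 8 0 0 . 5 5 5 . l 2 3 4",                        # spaced, l for 1
    "Our office opened in 2019 and serves over 500 clients",             # must not match
]


def normalize(candidate: str) -> str:
    """Drop separators and map substituted letters back to digits."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in candidate
                   if c.isdigit() or c in SUBSTITUTIONS)


def find_obfuscated_numbers(text: str, min_true_digits: int = 7) -> list[str]:
    """Return normalized phone numbers found in `text`.

    Requiring `min_true_digits` real digits tolerates a few letter substitutions
    while rejecting candidates made mostly of letters."""
    hits = []
    for match in PHONE_RE.finditer(text):
        raw = match.group(0)
        if sum(c.isdigit() for c in raw) >= min_true_digits:
            hits.append(normalize(raw))
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_obfuscated_numbers(sample), "<-", sample)
```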
Detection for financially motivated phishing and Business Email Compromise was broadened. Updates include new keywords for compensation-themed lures, expanded regular expressions for financial document requests, and a wider set of keywords and a lower machine learning confidence threshold for detecting extortion attempts. (Attachment: Suspicious employee policy update document lure, Suspicious request for financial information, Extortion / sextortion (untrusted sender))
Detection for evasion techniques was improved. Changes include identifying HTML files embedded in ICS invites, scanning QR codes for links hidden behind Cloudflare CAPTCHAs, and refining logic for malformed URLs to reduce false positives from Microsoft Safe Links. (Attachment: ICS with embedded document, Malformed URL prefix, Suspicious message with unscannable Cloudflare link)
Rules targeting brand impersonation and abuse of third-party platforms were improved. Coverage was added for Twilio impersonation in addition to SendGrid. PayPal impersonation detection was updated with a new string. Detection for phishing on disabled JotForm pages now scans more metadata fields for suspicious keywords. (Link: Multistage landing - JotForm abuse, Brand impersonation: SendGrid, Brand Impersonation: PayPal)
The rule for detecting suspicious SharePoint links was refined. Sender profiling logic was updated to use a more specific function, profile.by_sender_email(), which improves the accuracy of identifying new or unusual senders. (Link: Secure SharePoint file share from new or unusual sender)
splunk/security_content (✎4)
✎ Modified rules
Three rules for detecting suspicious Azure Automation activity were updated for improved reliability. These rules monitor Azure Audit logs for the creation of Automation accounts, runbooks, and webhooks. The detection logic in each now uses the non-localized programmatic operation name, making the rules independent of language settings. (Azure Automation Account Created, Azure Automation Runbook Created, Azure Runbook Webhook Created)
Detection for DNS queries to the Hugging Face AI platform was broadened. The rule now monitors for queries originating from command-line interpreters like cmd.exe and powershell.exe, in addition to python.exe. This change, which uses Sysmon Event ID 22, helps identify potential data exfiltration or unauthorized AI service use from a wider set of processes. (Windows AI Platform DNS Query)
Personal repositories (4)
Neo23x0/signature-base (✎4)
✎ Modified rules
New YARA rules detect the Sindoor dropper from APT36 on Linux. One rule identifies a custom UPX-packed ELF payload by its null magic byte and 'UPX!' signature. A second rule detects a malicious Desktop Entry file by identifying shell commands used to reconstruct the ELF binary for execution. (SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25, SUSP_LNX_Sindoor_DesktopFile_Aug25)
kevoreilly/CAPEv2 (+1)
+ New rules
A new YARA rule detects the AuraStealer payload. The rule identifies specific byte patterns related to the malware's configuration data, key generation routines, and anti-virtualization checks, requiring three matches to trigger. (AuraStealer)
benscha/KQLAdvancedHunting (✎1)
✎ Modified rules
A KQL query that detects account compromise by correlating a malicious URL click alert with a subsequent Azure AD sign-in from a new IP has been updated. The change standardizes output fields like AccountName and AccountUpn to improve analyst workflow. (Phishing_LoginfromNewIP_after_potentially_maliciousurlclick)
alexverboon/Hunting-Queries-Detection-Rules (✎1)
✎ Modified rules
A new Kusto query for Microsoft Sentinel parses Microsoft Entra Connect Sync audit logs. It extracts administrative actions from Windows Security Events, processing XML and nested JSON to make configuration changes auditable. (Entra ID - Microsoft Entra Connect Sync Audit Events)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.