Detections Digest #20250915
This issue highlights key updates from 10 repos, including 38 new and 55 modified Elastic, YARA, KQL and SublimeSecurity detection rules.
This week's update highlights the most significant changes to detection rules from 10 of the 40+ monitored GitHub repositories. Between Sep 8 and Sep 15, 2025, contributors added 38 new rules and updated 55 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Detection coverage for Linux and macOS was expanded considerably. New Linux rules identify malicious use of scripting interpreters, privilege escalation via SUID binaries and cgroups, and common defense evasion methods. For macOS, new detections target malware persistence, credential harvesting using ditto, and self-deleting payloads. (elastic/protections-artifacts)
Multiple cloud identity rules were tuned for higher fidelity. AWS anomaly detections now baseline user activity on both user and account ID, reducing noise from shared roles. Azure and Okta rules were refined for performance and to better detect MFA bombing and illicit consent grants. (elastic/detection-rules, benscha/KQLAdvancedHunting, jkerai1/KQL-Queries, ep3p/Sentinel_KQL)
Email security rules now use new methods to find phishing. One rule uses OCR to detect credential phishing text inside images. Other rules were modified to identify campaigns that hide recipients in the BCC field by checking if the sender is the only one in the 'To' field. (sublime-security/sublime-rules)
New detections focus on Windows defense evasion and specific malware. A new rule identifies PowerShell scripts using 'Set-MpPreference' to tamper with Windows Defender. New YARA rules were also added to detect GodRAT and VIPKeyLogger malware families based on unique strings and import hashes. (elastic/detection-rules, Neo23x0/signature-base, kevoreilly/CAPEv2)
Community KQL queries target specific, timely threats. A new rule detects downloads of known-compromised NPM packages, addressing a supply chain vector. Another identifies ValleyRAT persistence by monitoring for service ImagePath modifications pointing to temporary directories. (Cyb3r-Monk/Threat-Hunting-and-Detection, benscha/KQLAdvancedHunting, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
🚀 Make updates from this digest operational! All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+3, ✎9)
elastic/detection-rules (+1, ✎33)
elastic/protections-artifacts (+25, ✎10)
Corporate repositories (3)
sublime-security/sublime-rules (+3, ✎9)
+ New rules
Three new rules detect email-based brand impersonation of Salesforce, Squarespace, and Fastway Couriers. The detection logic identifies sender display names containing the brand name or a close string match, while confirming the email originates from a non-legitimate domain. The rules include methods to lower false positives, such as DMARC validation and exclusions for trusted senders. (Impersonation: Salesforce fake campaign failure notification, Brand impersonation: Squarespace, Brand impersonation: Fastway)
✎ Modified rules
Three rules were updated to detect a common email spoofing pattern where the sender's address is the sole recipient in the 'To' field. This addresses campaigns that hide true recipients in the BCC field. The change improves detection of fraudulent RFQ/RFP emails, malicious EML attachments, and messages containing links to free file hosting services. (EML attachment with credential theft language (unknown sender), Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern, Link: Free file hosting with undisclosed recipients)
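The 'sender is the sole To recipient' pattern is easy to check directly on message headers. The following Python is an added illustration of that check, not code from sublime-security/sublime-rules; the sample messages are constructed for this example, and the comparison is done case-insensitively on the address part only, ignoring display names.

```python
"""Check whether the From address is the only address listed in the To header.

Added illustration of the 'sender is sole To recipient' pattern described in the
digest; it is not Sublime Security's rule logic. Sample messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr


def sender_is_sole_to_recipient(msg: Message) -> bool:
    """True when From is the one and only address in To (case-insensitive).

    This is the shape of a campaign whose real targets are hidden in BCC:
    the visible To field just repeats the sender's own address.
    """
    sender = parseaddr(msg.get("From", ""))[1].lower()
    to_addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", [])) if addr]
    return bool(sender) and len(to_addrs) == 1 and to_addrs[0] == sender


def classify(raw_message: str) -> bool:
    """Parse a raw RFC 5322 message and apply the check."""
    return sender_is_sole_to_recipient(message_from_string(raw_message))


# Constructed sample messages (not real campaign data).
SAMPLE_SELF_ADDRESSED = """\
From: "Accounts Payable" <ap@example-vendor.test>
To: Accounts Payable <AP@Example-Vendor.test>
Subject: Request for Quote - Urgent

Please see the attached RFQ.
"""

SAMPLE_NORMAL = """\
From: alice@example.test
To: bob@example.test, carol@example.test
Subject: Lunch

Noon?
"""

# No To header at all (e.g. undisclosed-recipients): not the same pattern, so not flagged here.
SAMPLE_NO_TO = """\
From: alice@example.test
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in [("self-addressed", SAMPLE_SELF_ADDRESSED),
                      ("normal", SAMPLE_NORMAL), ("no-To", SAMPLE_NO_TO)]:
        print(f"{name}: sender is sole To recipient = {classify(raw)}")
```

In a production rule this condition is only one signal; the digest's rules combine it with content checks (RFQ language, EML attachments, free file hosting links) and sender-trust exclusions so that legitimate self-addressed mass mailings do not alert on their own.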
Detection for brand and government impersonation attacks was updated. For QuickBooks impersonation, a new content string was added and the NLU model was updated. For SSA impersonation, detection now includes checks for secure message NLU classifications and executable links. For Booking.com, a domain was added to the exclusion list and DMARC checks were tightened. (Brand impersonation: Booking.com, Brand impersonation: Quickbooks, Impersonation: Social Security Administration (SSA))
Several rules targeting phishing and Business Email Compromise (BEC) were updated. A new detection method inspects hyperlink display text for financial lures like 'Payment Batch'. Another rule now uses Optical Character Recognition (OCR) to find credential phishing text in images. A third rule improves BEC detection accuracy by using native email fields to better exclude legitimate replies and forwards. (Suspicious request for financial information, Business Email Compromise (BEC) attempt from untrusted sender, Credential phishing: Generic document sharing)
elastic/detection-rules (+1, ✎33)
+ New rules
A new rule identifies PowerShell scripts using the 'Set-MpPreference' cmdlet to disable or modify Windows Defender security settings. This is a common defense evasion technique used by attackers to weaken endpoint protection before executing malicious payloads. (PowerShell Script with Windows Defender Tampering Capabilities)
✎ Modified rules
A large set of AWS rules targeting anomalous activity were updated for greater precision. Many rules using 'new terms' logic were refined to baseline activity on a user and account ID combination, instead of only a user ARN. Other changes include shortening lookback windows for higher sensitivity and improving query logic for detecting IAM credential misuse. (AWS DynamoDB Scan by Unusual User, AWS DynamoDB Table Exported to S3, AWS SSM Session Started to EC2 Instance, AWS S3 Unauthenticated Bucket Access by Rare Source, AWS SNS Topic Message Publish by Rare User, AWS Access Token Used from Multiple Addresses, AWS SNS Topic Created by Rare User, AWS EC2 Route Table Created, AWS EC2 Route Table Modified or Deleted)
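To see why the baseline key matters, the following Python is an added example (not Elastic's 'new terms' implementation) of a first-seen detector run with two different keys over constructed CloudTrail-like events. It assumes that assumed-role ARNs carry a per-session name, so keying on the raw ARN treats every new session as a new term, while keying on (user name, account ID) only alerts when a user genuinely appears in a new account.

```python
"""'New terms' style first-seen detection, keyed on user ARN versus (user, account ID).

Added example for this digest, not Elastic's implementation. Events are constructed;
the session-name suffix on assumed-role ARNs is an assumption used for illustration.
"""
from typing import Callable, Hashable

# Constructed records: (timestamp, user_arn, user_name, account_id, event_name)
EVENTS = [
    (1, "arn:aws:sts::111122223333:assumed-role/DevRole/alice-s1", "alice", "111122223333", "Scan"),
    (2, "arn:aws:sts::111122223333:assumed-role/DevRole/bob-s1",   "bob",   "111122223333", "Scan"),
    (3, "arn:aws:sts::111122223333:assumed-role/DevRole/alice-s2", "alice", "111122223333", "Scan"),  # new session only
    (4, "arn:aws:sts::111122223333:assumed-role/DevRole/bob-s2",   "bob",   "111122223333", "Scan"),  # new session only
    (5, "arn:aws:sts::444455556666:assumed-role/DevRole/alice-s1", "alice", "444455556666", "Scan"),  # alice in a new account
]


def key_by_arn(event: tuple) -> Hashable:
    """Old approach: the full ARN, which changes with every role session."""
    return event[1]


def key_by_user_account(event: tuple) -> Hashable:
    """Tuned approach: user name plus account ID, stable across sessions."""
    return (event[2], event[3])


def new_terms(events: list, key_fn: Callable[[tuple], Hashable], baseline_until: int) -> list:
    """Return events after the baseline window whose key never appeared in it.

    Events with timestamp <= baseline_until only populate the baseline; later
    events alert the first time their key is seen, then join the baseline.
    """
    seen: set = set()
    alerts = []
    for event in sorted(events, key=lambda e: e[0]):
        key = key_fn(event)
        if event[0] <= baseline_until:
            seen.add(key)
        elif key not in seen:
            alerts.append(event)
            seen.add(key)  # alert once per new term
    return alerts


if __name__ == "__main__":
    print("by ARN:", [e[0] for e in new_terms(EVENTS, key_by_arn, baseline_until=2)])
    print("by user+account:", [e[0] for e in new_terms(EVENTS, key_by_user_account, baseline_until=2)])
```

With the ARN key, events 3, 4 and 5 all alert; with the user-plus-account key only event 5 does, which is the one case an analyst would actually want to look at. The `baseline_until` argument plays the role of the lookback window the digest mentions: shortening it makes older activity count as new again, trading noise for sensitivity.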
Multiple Windows endpoint rules were tuned for accuracy. Detections for suspicious DNS queries were improved by refining logic for unsigned processes. Several PowerShell script analysis rules received updates to reduce false positives and adjust risk scores. Detections for lateral movement and COM hijacking were also refined with better exception handling for trusted software. (Network Activity to a Suspicious Top Level Domain, Connection to Common Large Language Model Endpoints, System Public IP Discovery via DNS Query, Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score, Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score, Potential PowerShell HackTool Script by Author, PowerShell Suspicious Script with Audio Capture Capabilities, PowerShell Mailbox Collection Script, PowerShell Kerberos Ticket Request, Exchange Mailbox Export via PowerShell, PowerShell Share Enumeration Script, Remote Execution via File Shares, Component Object Model Hijacking)
Numerous rules for Azure, Entra ID, and Microsoft 365 were updated to improve query performance and accuracy. The changes remove the broad filebeat-* index, focusing each rule on its specific log source, such as logs-azure.graphactivitylogs-* or logs-o365.audit-*. This improves detections for illicit consent grants, suspicious sign-ins, and anomalous API usage. (Suspicious Email Access by First-Party Application via Microsoft Graph, Entra ID Protection - Risk Detection - Sign-in Risk, M365 Portal Login (Atypical Travel), M365 Portal Login (Impossible Travel), Entra ID Protection - Risk Detection - User Risk, Microsoft Graph First Occurrence of Client Request, Microsoft 365 Illicit Consent Grant via Registered Application, Microsoft 365 OAuth Phishing via Visual Studio Code Client)
Detection for Okta MFA bombing attacks was improved. The logic was updated to cover more denial scenarios and increase the event threshold before alerting. A third rule detecting MFA deactivation was tuned for better query performance by focusing on the specific Okta log index. (MFA Deactivation with no Re-Activation for Okta User Account, Potentially Successful Okta MFA Bombing via Push Notifications, Potential Okta MFA Bombing via Push Notifications)
elastic/protections-artifacts (+25, ✎10)
+ New rules
New rules detect malicious use of common scripting interpreters on Linux. They monitor command-line arguments for suspicious patterns in Lua, Perl, Ruby, and Python processes, identifying inline code execution, subprocess creation, and obfuscation techniques. (Suspicious Lua Command Execution, Suspicious Perl Command Execution, Suspicious Ruby Command Execution, Suspicious Python Shell Execution)
Coverage for Linux privilege escalation is expanded. New detections identify SUID/SGID binary abuse, exploitation of cgroups for container breakout, file creation by sudo in temporary directories (CVE-2022-0847), and sequences where a non-root process UID changes to root. (General Privilege Escalation Sequence Detected, Potential Privilege Escalation via SUID Binary, Potential Cgroup Privilege Escalation/Container Escape via Mount, Unusual Sudo File Creation)
Several rules target adversary tactics on Linux for payload delivery and defense evasion. Detections cover downloading files from hosting services, using hexadecimal IP obfuscation, creating PTYs for reverse shells, establishing netcat listeners, and self-deleting malware. This also includes detection for Langflow RCE (CVE-2025-3248). (Hexadecimal IP Command-Line Argument, File Download from or Upload to Hosting Service, Pseudoterminal (PTY) Creation from Suspicious Executable, Potential Netcat File Listener Established, Outbound Network Connection Followed by Process File Deletion, Potential Remote Code Execution via Langflow)
Detection capabilities for macOS malware are improved with rules targeting defense evasion. These rules identify multi-layered payload deobfuscation, execution of untrusted PyInstaller binaries, and self-deleting malware techniques involving Python scripts or dynamically loaded libraries. (Multi-Layered Deobfuscation via Unusual Parent, Unsigned or Untrusted PyInstaller Binary Execution, Python Library Load and Delete, Self-Deleted Python Script Outbound Network Connection)
New rules address post-exploitation, persistence, and data collection on macOS. Detections identify credential harvesting via 'ditto', reconnaissance using discovery commands, persistence through modified browser preferences or launchctl abuse, and C2 activity following an SSH session. Also covered is initial access via malicious VSCode extension installation. (Sensitive File Copy via Ditto, Shell Command Discovery Execution via Untrusted Binary, VScode Extension Install via URI Handler, Executable File Modification via SSH, Suspicious Browser Preference File Modification, Plist Loaded by Launchctl from Unusual Location, Suspicious Binary Execution via SSH)
✎ Modified rules
Detection for LD_PRELOAD hijacking on Linux was broadened. Two rules were updated to monitor for shared object creation and loading via the /proc/* path, improving coverage for this defense evasion and persistence technique. (Shared Object Injection via Process Environment Variable, Shared Object File Creation and Immediate Preload)
Multiple Linux rules were tuned to reduce false positives by adding exceptions for legitimate software and administrative activity. The updates affect detections for systemd-run and systemctl for execution and persistence, copying system binaries, suspicious commands run by web server users, and malicious use of the echo command. (Potential Proxy Execution via Systemd-run, Cron(d) Service Started by Unusual Parent, System Binary Copied or Moved, Unusual Command Executed by Web Server, Suspicious Echo Execution)
Several Windows rules were updated to improve accuracy by adding exclusions for trusted code signers and known legitimate application behavior. These changes reduce false alarms for detections covering suspicious network module loads, failed access to browser credential stores, and persistence via application shortcut modification. (Potential Evasion via Invalid Code Signature, Failed Access Attempt to Web Browser Files, Suspicious Shortcut Modification)
Personal repositories (7)
jkerai1/KQL-Queries (+3)
+ New rules
Two new rules improve monitoring of Microsoft Entra ID. One detects user sign-ins to Microsoft Edge from unmanaged devices, identifying potential BYOD risks. The other detects the creation of custom security attribute definitions, which can be used for privilege escalation or persistence. (Potential User Signed into Edge Browser From Unmanaged or Unregistered Device, Add custom security attribute definition in an attribute set)
A new query collects Windows Defender Application Control (WDAC) events from Microsoft Defender for Endpoint. The rule filters for code integrity actions, blocked scripts, and audited scripts to provide visibility into application control policy enforcement. (WDAC App Control Collect Data for App Control Manager)
benscha/KQLAdvancedHunting (+2, ✎1)
+ New rules
A new KQL query detects ValleyRAT persistence by monitoring for modifications to a Windows service's ImagePath registry value. The detection targets paths set to temporary locations like '%TEMP%', 'C:\Windows\Temp', or 'C:\ProgramData', a known behavior of this malware. (Valley RAT Detection)
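The check behind this query is a prefix comparison on the executable portion of the ImagePath value, which may be quoted and followed by arguments. The Python below is an added example for this digest, not the author's KQL; it uses only the three locations named above, the registry events are constructed in the shape of Defender for Endpoint DeviceRegistryEvents fields (an assumption about field names), and it includes an allowlist because C:\ProgramData is also a common home for legitimate agents.

```python
"""Flag service ImagePath values that point into temporary or world-writable directories.

Added example for this digest, not the author's KQL. Field names follow the
DeviceRegistryEvents layout as an assumption; all events below are constructed.
"""

# Locations named in the digest for this persistence pattern.
SUSPICIOUS_PREFIXES = (r"%TEMP%", r"C:\Windows\Temp", r"C:\ProgramData")


def image_path_executable(value: str) -> str:
    """Extract the executable from an ImagePath value such as '"C:\\x\\y.exe" -svc'."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0] if v else ""


def _has_prefix(path: str, prefix: str) -> bool:
    """Directory-aware prefix test: C:\\ProgramData matches C:\\ProgramData\\x but not C:\\ProgramDataX."""
    p = prefix.replace("/", "\\").lower()
    return path == p or path.startswith(p + "\\")


def is_suspicious_image_path(value: str, allowlist: tuple = ()) -> bool:
    """True when the service executable lives under a suspicious prefix and is not allowlisted."""
    exe = image_path_executable(value).replace("/", "\\").lower()
    if any(_has_prefix(exe, a) for a in allowlist):
        return False
    return any(_has_prefix(exe, p) for p in SUSPICIOUS_PREFIXES)


def find_suspicious_services(events: list, allowlist: tuple = ()) -> list:
    """Return service names whose ImagePath was set to a suspicious location."""
    hits = []
    for e in events:
        if e["RegistryValueName"].lower() != "imagepath":
            continue  # other value writes (Start, Type, ...) are not in scope
        if is_suspicious_image_path(e["RegistryValueData"], allowlist):
            hits.append(e["RegistryKey"].rsplit("\\", 1)[-1])
    return hits


# Constructed registry-write events (not from a real incident).
SAMPLE_EVENTS = [
    {"RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc",
     "RegistryValueName": "ImagePath", "RegistryValueData": r'"C:\Windows\Temp\upd.exe" -svc'},
    {"RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler",
     "RegistryValueName": "ImagePath", "RegistryValueData": r"C:\Windows\System32\spoolsv.exe"},
    {"RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Services\SyncHost",
     "RegistryValueName": "ImagePath", "RegistryValueData": r"%TEMP%\synchost.exe"},
    {"RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorAgent",
     "RegistryValueName": "ImagePath", "RegistryValueData": r"C:\ProgramData\VendorAgent\agent.exe"},
    {"RegistryKey": r"HKLM\SYSTEM\CurrentControlSet\Services\UpdSvc",
     "RegistryValueName": "Start", "RegistryValueData": "2"},
]

if __name__ == "__main__":
    print(find_suspicious_services(SAMPLE_EVENTS))
    print(find_suspicious_services(SAMPLE_EVENTS, allowlist=(r"C:\ProgramData\VendorAgent",)))
```

The VendorAgent entry shows the trade-off the ProgramData prefix introduces: it is flagged by default and needs an explicit allowlist entry, which is the kind of tuning a production query accumulates over time.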
A new KQL query identifies suspicious Multi-Factor Authentication (MFA) registration in Azure AD. It flags users who register or modify MFA settings from an IP address not seen in their sign-in history over the past 30 days, indicating a potential account takeover. (Suspicious_MFA_Registration)
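The same logic, written out in Python as an added example for this digest (not the author's query): for each MFA registration event, collect the user's sign-in source IPs over the preceding 30 days and alert when the registering IP is absent. The events are constructed; the one design point worth seeing is that a user with no sign-in history in the window cannot be baselined at all, so that case is reported separately rather than silently treated as 'new IP'.

```python
"""Flag MFA registrations from an IP not seen in the user's recent sign-in history.

Added example for this digest, not the author's KQL. All events are constructed.
"""
from datetime import datetime, timedelta


def find_suspicious_mfa_registrations(signins: list, registrations: list,
                                      lookback_days: int = 30) -> list:
    """Return (user, ip, reason) tuples for registrations that need a look.

    reason is 'ip_not_in_history' when the user has sign-ins in the window but
    none from this IP, or 'no_signin_history' when there is nothing to compare
    against (new or dormant account), which a rule may choose to route differently.
    """
    alerts = []
    for reg in registrations:
        window_start = reg["time"] - timedelta(days=lookback_days)
        history = [s for s in signins
                   if s["user"] == reg["user"] and window_start <= s["time"] < reg["time"]]
        if not history:
            alerts.append((reg["user"], reg["ip"], "no_signin_history"))
        elif reg["ip"] not in {s["ip"] for s in history}:
            alerts.append((reg["user"], reg["ip"], "ip_not_in_history"))
    return alerts


# Constructed sample data using documentation IP ranges.
T0 = datetime(2025, 9, 15, 12, 0)
SIGNINS = [
    {"user": "alice", "ip": "203.0.113.10", "time": T0 - timedelta(days=3)},
    {"user": "alice", "ip": "203.0.113.10", "time": T0 - timedelta(days=1)},
    {"user": "bob",   "ip": "198.51.100.7", "time": T0 - timedelta(days=45)},  # outside the 30-day window
    {"user": "carol", "ip": "192.0.2.25",   "time": T0 - timedelta(days=2)},
]
REGISTRATIONS = [
    {"user": "alice", "ip": "203.0.113.10", "time": T0},  # known IP: no alert
    {"user": "bob",   "ip": "198.51.100.7", "time": T0},  # same IP as before, but history too old
    {"user": "carol", "ip": "192.0.2.99",   "time": T0},  # never seen for carol
]

if __name__ == "__main__":
    for alert in find_suspicious_mfa_registrations(SIGNINS, REGISTRATIONS):
        print(alert)
```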
✎ Modified rules
The KQL query for detecting multiple unusual user activities in Sentinel was updated to reduce false positives. The logic now includes a check for devices uncommonly used among a user's peers. Additionally, accounts created within the last 60 days are excluded, as their activity is often benignly anomalous. The query output is also standardized. (Multiple_Unusual_User_Activities)
Cyb3r-Monk/Threat-Hunting-and-Detection (+1, ✎1)
+ New rules
A new KQL rule for Microsoft Sentinel detects network requests to download specific, known-compromised NPM packages. The rule queries web proxy logs for connections to the official NPM registry and identifies requests containing both a compromised package name and its malicious version, addressing a supply chain attack vector. (Compromised NPM Packages on 08-09-2025)
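Matching both name and version means parsing the registry tarball URL, whose layout is `/<name>/-/<basename>-<version>.tgz` (with scoped packages as `/@scope/name/-/name-<version>.tgz`). The Python below is an added example for this digest, not the author's KQL: the blocklist entries and proxy log lines are constructed placeholders, and the log line layout (timestamp, source IP, method, URL, status) is an assumption.

```python
"""Detect downloads of blocklisted (name, version) NPM packages from web proxy logs.

Added example for this digest, not the author's KQL. Blocklist entries and log
lines are constructed placeholders; the log format is an assumption.
"""
import re
from urllib.parse import unquote, urlparse

NPM_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Tarball path: /<name>/-/<basename>-<version>.tgz ; name may be scoped (@scope/name).
TARBALL_RE = re.compile(
    r"^/(?P<name>(?:@[^/]+/)?[^/]+)/-/(?P<base>[^/]+)-(?P<version>\d+\.\d+\.\d+[^/]*)\.tgz$"
)

# PLACEHOLDER blocklist; real entries come from the advisory you are acting on.
COMPROMISED = {("example-pkg", "1.2.3"), ("@example-scope/ui-kit", "4.0.1")}


def parse_npm_tarball(url: str):
    """Return (package name, version) for a registry tarball URL, else None."""
    u = urlparse(url)
    if u.hostname not in NPM_REGISTRY_HOSTS:
        return None
    m = TARBALL_RE.match(unquote(u.path))
    return (m["name"], m["version"]) if m else None


def find_compromised_downloads(log_text: str, blocklist=COMPROMISED) -> list:
    """Scan 'ts src_ip method url status' lines for blocklisted package downloads."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src_ip, _method, url = parts[:4]
        parsed = parse_npm_tarball(url)
        if parsed and parsed in blocklist:
            hits.append((ts, src_ip, parsed[0], parsed[1]))
    return hits


# Constructed proxy log: one clean version, one scoped hit, one mirror host, one metadata fetch.
PROXY_LOG = """\
2025-09-09T10:01:02Z 10.0.0.5 GET https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz 200
2025-09-09T10:01:03Z 10.0.0.5 GET https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.2.tgz 200
2025-09-09T10:02:10Z 10.0.0.9 GET https://registry.npmjs.org/@example-scope/ui-kit/-/ui-kit-4.0.1.tgz 200
2025-09-09T10:03:00Z 10.0.0.9 GET https://mirror.example.test/example-pkg/-/example-pkg-1.2.3.tgz 200
2025-09-09T10:04:00Z 10.0.0.7 GET https://registry.npmjs.org/example-pkg 200
"""

if __name__ == "__main__":
    for hit in find_compromised_downloads(PROXY_LOG):
        print(hit)
```

The fourth log line is the caveat: a download of the same compromised version through an internal mirror or a different registry host is not caught by a rule pinned to the official registry, so the host set should include any mirrors the organisation actually uses.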
✎ Modified rules
The KQL query that detects vulnerable driver loading based on Microsoft's blocklist was updated. The ingestion source for the driver hash list was changed from a markdown file to a structured JSON file, improving parsing reliability. The query now also performs case-insensitive hash matching. (Microsoft Recommended Driver Block List)
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects GodRAT malware on Windows. Detection is based on three conditions: a "C++/WinRT version" string combined with a specific import hash, a pattern matching an SSE-optimized XOR decryption routine using NT APIs, or a distinct import hash associated with an AES-encrypted variant. (MAL_CRIME_RAT_WIN_PE_GodRat_Aug25)
ep3p/Sentinel_KQL (✎1)
✎ Modified rules
The KQL query for detecting Microsoft Entra ID password spray attacks was tuned to reduce false positives. The logic now filters out risk events that were successfully remediated when a user passed an MFA challenge driven by a risk-based policy. (Multiple-Password Spray)
kevoreilly/CAPEv2 (+1)
+ New rules
A new YARA rule detects the VIPKeyLogger malware. The rule identifies Windows executables that contain specific wide strings, including '/ VIP Recovery \', 'Clipboard Logs ID', and 'Keylogger'. (VIPKeyLogger)
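A 'wide' string in YARA terms is the UTF-16LE encoding of the text, so each ASCII character is followed by a NUL byte and a plain ASCII search will not find it. The following Python is an added illustration of that encoding and of an all-strings match on a PE-like buffer; it is not the CAPEv2 rule, the sample buffers are constructed, and requiring all three strings is an assumption about the rule's condition.

```python
"""Search a binary for the UTF-16LE ('wide') strings named in the digest.

Added illustration for this digest, not the CAPEv2 YARA rule. Sample buffers are
constructed; requiring all three strings is an assumption.
"""

WIDE_STRINGS = ["/ VIP Recovery \\", "Clipboard Logs ID", "Keylogger"]


def wide(text: str) -> bytes:
    """Encode as YARA's 'wide' modifier does: UTF-16LE, one NUL after each ASCII char."""
    return text.encode("utf-16-le")


def looks_like_vipkeylogger(data: bytes) -> bool:
    """True for an MZ-prefixed buffer containing every wide string."""
    if data[:2] != b"MZ":
        return False
    return all(wide(s) in data for s in WIDE_STRINGS)


# Constructed sample buffers: a minimal MZ header followed by the strings.
SAMPLE_WIDE = (b"MZ" + b"\x00" * 62
               + wide("Clipboard Logs ID") + b"\x00\x00"
               + wide("Keylogger") + b"\x00\x00"
               + wide("/ VIP Recovery \\"))
# Same text as narrow ASCII: a wide-only rule does not match it.
SAMPLE_ASCII = b"MZ" + b"\x00" * 62 + b"Clipboard Logs ID\x00Keylogger\x00/ VIP Recovery \\"

if __name__ == "__main__":
    print(wide("Keylogger"))
    print(looks_like_vipkeylogger(SAMPLE_WIDE), looks_like_vipkeylogger(SAMPLE_ASCII))
```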
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query detects suspicious network connections originating from airport locations. It monitors DeviceNetworkEvents for activity from scripting tools such as powershell.exe, curl.exe, and wget.exe. The query correlates device IP addresses with known airport geolocations to identify potential compromises via spoofed Wi-Fi or click-fix attacks. (Hunting for Malicious ClickFix cases executed from Airports)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.