Detections Digest #20250922
The issue highlights key updates from 11 repos, including 52 new and 97 modified Elastic, YARA, KQL, SublimeSecurity and Anvilogic detection rules.
This week's update highlights the most significant changes to detection rules from 11 of the 40+ monitored GitHub repositories. Between Sep 15 and Sep 22, 2025, contributors added 52 new rules and updated 97 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Elastic introduced a large set of new behavior rules to detect advanced in-memory evasion techniques on Windows. The detections target process injection, shellcode execution from unbacked memory, and module stomping. Other rules identify bypassing EDR hooks by loading a second ntdll.dll, suspicious .NET assembly loading, and the use of indirect syscalls to hide memory modifications. (elastic/protections-artifacts)
Detections for Windows post-exploitation were added and tuned across multiple repositories. New rules identify lsass.exe or services.exe running from an anomalous parent process, a common sign of process injection or masquerading. Many existing rules for Active Directory attacks and LOLBin abuse were refined to reduce false positives. Notably, the response action for 19 behavior rules was modified to terminate the entire process tree for more complete remediation. (anvilogic-forge/armory, elastic/detection-rules, elastic/protections-artifacts)
Coverage for email-based threats was expanded with a focus on impersonation and malicious attachments. New rules detect brand impersonation campaigns and fraudulent Excel attachments by inspecting EXIF metadata. Other detections identify suspicious URLs pointing to Cloudflare services and open redirects, while new KQL queries check email URLs against external threat intelligence feeds. (sublime-security/sublime-rules, benscha/KQLAdvancedHunting)
New detections focus on Azure and Entra ID compromise and persistence. One rule correlates an Entra ID Protection alert with a subsequent device registration to find persistence attempts. New KQL queries hunt for multiple risk events, risky AD FS sign-ins, and abuse of Microsoft service principals for privilege escalation. An existing query for Entra ID actor token abuse was also refined to reduce false positives. (elastic/detection-rules, ep3p/Sentinel_KQL, Cyb3r-Monk/Threat-Hunting-and-Detection)
Detection coverage for Linux systems was improved across endpoint, network, and file signatures. New behavior rules identify suspicious mount commands, script execution from world-writable directories, and silent NPM package installations. A new KQL query hunts for high-volume SMB connection attempts related to a KSMBD DoS vulnerability, and a YARA rule for the Plague backdoor was broadened to detect more variants. (elastic/protections-artifacts, Sergio-Albea-Git/Threat-Hunting-KQL-Queries, Neo23x0/signature-base)
🚀 Make updates from this digest operational → all detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+7, ✎12)
elastic/detection-rules (+1, ✎23)
elastic/protections-artifacts (+27, ✎49)
Corporate repositories (4)
sublime-security/sublime-rules (+7, ✎12)
+ New rules
Several new rules detect email-based impersonation attacks. The detections target brand impersonation of Robert Half, fraudulent communications from UK government agencies, and VIP impersonation via malicious Trello board invitations. These rules analyze sender display names, body content, and specific campaign identifiers. (Brand impersonation: Robert Half, Brand impersonation: UK government Home Office, Service abuse: Trello board invitation with VIP impersonation)
Two new rules detect malicious Microsoft Excel attachments by inspecting EXIF metadata. One rule identifies a specific malicious template identifier, while the other flags suspicious worksheet naming patterns in the 'TitlesOfParts' field, a technique used in phishing documents. (Attachment: Excel file with suspicious template identifier, Attachment: XLSX file with suspicious print titles metadata)
Detection coverage for malicious URLs in email is expanded. One rule identifies an open redirect vulnerability in the 'asemailmgmteu.com' domain. Another rule detects suspicious links to Cloudflare services like R2, Pages, and Workers from unsolicited or unauthenticated senders. (Open Redirect: asemailmgmteu.com, Suspicious Links to Cloudflare R2 and Edge Services)
✎ Modified rules
Detection for brand and government impersonation phishing was refined across five rules targeting Wix, Robert Half, the Social Security Administration, Meta, and QuickBooks. Updates include more flexible regex for lures, broader keyword matching, and new exclusions for newsletters to reduce false positives. (Brand impersonation: Wix, Brand impersonation: Robert Half, Impersonation: Social Security Administration (SSA), Brand impersonation: Meta and subsidiaries, Service abuse: QuickBooks notification with suspicious comments)
Detection for malicious attachments was improved across several rules. A rule for macro-enabled documents now has broader keyword detection in OCR text and added length checks to reduce false positives. Rules for suspicious PDFs were updated to better identify compensation lures with QR codes and documents generated by automated tools with performance appraisal themes. (Attachment: Office file with document sharing and browser instruction lures, Attachment: Compensation review lure with QR code, Attachment: Suspicious PDF created with headless browser)
Rules targeting link-based phishing lures were updated. Voicemail-themed detection now uses regex for obfuscated subjects, a machine learning model for content analysis, and more precise sender profiling. A rule for SharePoint link abuse was updated with a new regex to cover additional malicious URL formats. (Sendgrid voicemail phish, Fake voicemail notification (untrusted sender), Sharepoint link likely unrelated to sender)
elastic/detection-rules (+1, ✎23)
+ New rules
A new detection identifies a compromised Azure account attempting to establish persistence. The rule correlates an Entra ID protection alert with a device registration from the same user within a five-minute window, using Azure audit and identity protection logs. (Microsoft Entra ID Protection Alert and Device Registration)
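The correlation described above, as an added example that is not Elastic's rule: a risk alert is paired with the first device registration by the same user that happens at or after the alert and no more than five minutes later. Both event lists are constructed, and the field names (user, time, risk, device) are assumptions rather than the real Azure audit or identity-protection schema; the risk event type values are the ones Entra ID Protection uses.

```python
"""Correlate an Entra ID Protection risk alert with a device registration
by the same user inside a five-minute window.

Added example, not Elastic's rule. Both event lists are constructed; the
field names (user, time, risk, device) are assumptions, not the real Azure
audit or identity-protection log schema.
"""
from __future__ import annotations
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)


def parse_ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z -> aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def correlate(alerts, registrations, window=WINDOW):
    """Return one hit per alert that is followed (not preceded) by a device
    registration from the same user no more than `window` later.

    Registrations are indexed per user and sorted, so each alert only looks
    at the first registration at or after its own timestamp. User names are
    compared case-insensitively because UPNs are not case-sensitive.
    """
    by_user: dict[str, list[tuple[datetime, dict]]] = defaultdict(list)
    for r in registrations:
        by_user[r["user"].lower()].append((parse_ts(r["time"]), r))
    for lst in by_user.values():
        lst.sort(key=lambda t: t[0])

    hits = []
    for a in alerts:
        t0 = parse_ts(a["time"])
        regs = by_user.get(a["user"].lower(), [])
        times = [t for t, _ in regs]
        i = bisect_left(times, t0)        # first registration at/after the alert
        if i < len(regs) and regs[i][0] - t0 <= window:
            t1, r = regs[i]
            hits.append({"user": a["user"], "alert": a, "registration": r,
                         "delta_seconds": (t1 - t0).total_seconds()})
    return hits


# Constructed sample events (not real log data)
ALERTS = [
    {"user": "alice@example.com", "time": "2025-09-18T10:00:00Z", "risk": "unfamiliarFeatures"},
    {"user": "bob@example.com",   "time": "2025-09-18T11:00:00Z", "risk": "anonymizedIPAddress"},
    {"user": "carol@example.com", "time": "2025-09-18T12:00:00Z", "risk": "passwordSpray"},
]
REGISTRATIONS = [
    {"user": "Alice@example.com", "time": "2025-09-18T09:59:00Z", "device": "old-laptop"},  # before the alert
    {"user": "Alice@example.com", "time": "2025-09-18T10:03:30Z", "device": "new-device"},  # 210 s after: hit
    {"user": "bob@example.com",   "time": "2025-09-18T11:07:00Z", "device": "bob-phone"},   # 7 min after: outside window
    {"user": "carol@example.com", "time": "2025-09-18T11:58:00Z", "device": "carol-pc"},    # 2 min before: no hit
]

if __name__ == "__main__":
    for h in correlate(ALERTS, REGISTRATIONS):
        print(f"{h['user']}: registration {h['delta_seconds']:.0f}s after {h['alert']['risk']} alert")
```

Only registrations that follow the alert count; a registration a minute before the alert (carol) is ignored, and one seven minutes after (bob) falls outside the window unless the window is widened.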
✎ Modified rules
Multiple Active Directory detection rules for DCSync, Kerberoasting setup, and reconnaissance were tuned. The changes primarily involve lowering risk scores and severity. The DCSync rule was also refactored to a stateful query to reduce alerts from legitimate replication activity. (Potential Credential Access via DCSync, User account exposed to Kerberoasting, Suspicious Access to LDAP Attributes)
Detection for defense evasion using legitimate Windows binaries was improved. Updates focus on msdt.exe abuse patterns, expanded process monitoring for wscript.exe children, and false positive reductions for attacks using Microsoft Common Console files, mmc.exe, and eventvwr.exe. (Unusual Execution via Microsoft Common Console File, Suspicious Microsoft Diagnostics Wizard Execution, Command and Scripting Interpreter via Windows Scripts, Microsoft Management Console File from Unusual Path, Bypass UAC via Event Viewer)
Detections for post-exploitation on server applications were refined. Rules targeting web shells via IIS and suspicious child processes from SQL Server were rewritten in Kuery with extensive exclusions. The rule for IIS logging disablement was modified to alert on every instance of the behavior. (IIS HTTP Logging Disabled, Web Shell Detection: Script Process Child of Common Web Processes, Execution via MSSQL xp_cmdshell Stored Procedure)
Two rules detecting post-exploitation of the Windows DNS Server, linked to CVE-2020-1350, were updated. Changes focus on improving accuracy by refactoring logic from EQL and adding more specific process and file path exclusions to reduce false positives. (Unusual File Operation by dns.exe, Unusual Child Process of dns.exe)
A broad set of rules was tuned across multiple adversary tactics. Updates include expanded coverage for data staging via compressed archives, false positive reductions for persistence and privilege escalation techniques (including CVE-2022-38028), and converting the LSASS access detection to Kuery. A ransomware note detection was made less sensitive, a Windows Defender rule gained an investigation guide, and a PDF exploit rule was deprecated. (Encrypting Files with WinRar or 7z, LSASS Memory Dump Handle Access, Potential Ransomware Behavior - High count of Readme files by System, Potential Remote Desktop Shadowing Activity, Suspicious Startup Shell Folder Modification, Suspicious Execution from INET Cache, Potential privilege escalation via CVE-2022-38028, Windows Service Installed via an Unusual Client, PowerShell Script with Windows Defender Tampering Capabilities, Deprecated - Execution of File Written or Modified by PDF Reader)
anvilogic-forge/armory (+3)
+ New rules
New rules detect the execution of lsass.exe or services.exe from a parent process other than the expected wininit.exe. This anomalous behavior can indicate process injection, hollowing, or masquerading for credential access. The detection is implemented across multiple log sources, including Sysmon, Windows Event ID 4688, and Splunk Enterprise Security data, to provide broad coverage. (Suspicious Parent Process for lsass.exe or services.exe, three rules of that name, one per log source)
elastic/protections-artifacts (+27, ✎49)
+ New rules
Multiple new rules detect advanced in-memory evasion techniques on Windows. These rules identify process injection, shellcode execution, and module stomping by monitoring for API calls from unbacked or unusually protected memory regions, the loading of a second ntdll.dll to bypass EDR hooks, suspicious CLR/.NET assembly loading, and indirect syscalls to conceal memory modifications. (API Call from Inaccessible Memory Page, Microsoft Common Language Runtime Loaded from Modified Memory, NTDLL library loaded for a second time, Shellcode Allocation from Free Memory, Suspicious Executable Heap Allocation via CLR, Shellcode Heap Allocation from Unbacked Memory, Shellcode Behavior from Unusual Memory, Suspicious Image Load from a Stomped Module, Suspicious Memory Mapping from a Windows Installer, VirtualProtect via Indirect Syscall, Suspicious System Module Image Hollowing, Potential Shellcode Injection by a Browser Process)
New detections target specific Windows persistence and privilege escalation methods. The rules monitor for modifications to the Outlook Home Page URL registry key, changes to the BootExecute key to run code before security services start, hijacking of the MSDTC service via a malicious DLL, and loading of untrusted DLLs by the dns.exe process. (Outlook Home Page Registry Modification, Suspicious BootExecute Registry Modification, Persistence via MSDTC Service Hijack, Unsigned DLL loaded by DNS Service)
A set of rules was added to detect initial access and execution by abusing legitimate Windows components. Detections cover suspicious child processes spawned from Microsoft Excel via DCOM, misuse of Windows Sandbox configurations for evasion, overwriting of shortcut files by archive utilities to bypass SmartScreen, and execution chains from remote shares (CVE-2025-33053). (Execution via DCOM Excel Application, Suspicious Windows Sandbox Execution, Potential Execution via LNK Stomping, Execution from a Remote Working Directory)
Several rules for Linux were introduced to detect defense evasion and malicious execution. These rules identify suspicious use of the mount command, execution of scripting interpreters from temporary or world-writable directories like /tmp, and silent package installations using Node.js package manager flags. (Silent NPM Package Install Command, Interpreter-Based Code Execution via Unusual Parent, World Writeable Directory Exec Remount)
New rules target post-exploitation activities, including command and control (C2) and data collection. These rules detect C2 channels established through VS Code remote tunnels or DNS over HTTPS from anomalous processes. Others identify PowerShell-based information gathering, such as keylogging via the SetWindowsHookEx API and screen captures using .NET System.Drawing classes. (Potential VScode Remote Tunnel Established, Keystrokes Input Capture via PowerShell, DNS Over HTTPS by an Unusual Process, PowerShell Script with Screen Capture Capability)
✎ Modified rules
The kill_process response action for 19 Windows rules was updated to terminate the entire process tree (tree=true). This change provides more complete remediation for threats including defense evasion via LOLBins, script hosts, process injection, and credential access by stopping all related malicious processes. (NetSupport Execution form unusual Path, Binary Proxy Execution via Windows OpenSSH, DNS Query to Suspicious Top Level Domain, Indirect Command Execution via Console Window Host, DLL Dropped by MSIEXEC followed by SideLoad, Potential Image Load via Transactional NTFS, Regsvr32 Scriptlet Execution, Renamed AutoIt Scripts Interpreter, Rundll32 or Regsvr32 Executing an OverSized File, RunDLL32 with Unusual Arguments, External IP Address Discovery via a Trusted Program, Execution of a File Written by Windows Script Host, Suspicious PowerShell Execution via Windows Scripts, Inhibit System Recovery via Windows Command Shell, Suspicious Execution via Compiled HTML File, Potential Obfuscated Script Execution, Suspicious Windows Script Interpreter Child Process, Suspicious Windows Command Shell Execution, External IP Address Discovery via Untrusted Program)
Multiple Linux detections were tuned to reduce false positives. Exceptions were added for legitimate activity from package managers like Nix, Portage, and APT, development tools, and container runtimes, improving accuracy for rules that detect suspicious shell execution, binary copying, and persistence. (Proxy Shell Execution via Busybox, System Binary Copied or Moved, Linux Powershell Suspicious Child Process, Interactive Shell Spawned via Hidden Process, APT Package Manager Command Execution, Suspicious Command Execution via Busybox Proxy, Systemd Execution Followed by Network Connection, Unusual Command Executed by Web Server)
Accuracy for multiple Windows rules detecting defense evasion and credential access was improved. Exclusions were added for legitimate code signers, module hashes, and process behaviors related to API hooking, memory modification, and browser credential theft, reducing noise from security products and legitimate applications. (Suspicious Vault Client Image Load, Access to Browser Credentials from Suspicious Memory, Chrome Browser Spawned from an Unusual Parent, Process Anti-Debug via Memory Patching, Shellcode API behavior from a signed module, Network Module Loaded from Suspicious Unbacked Memory, VirtualProtect API via Stack Truncation, Library Loaded From a Potentially Altered Call Stack, Potential NTDLL Memory Unhooking, Remote Memory Write to Trusted Target Process)
Detections for Windows persistence and execution techniques were refined to reduce false positives. Several rules, including those for PowerShell, WMI, and Startup folder modifications, were updated with new exceptions for legitimate activity from enterprise management tools like SCCM and Intune, system processes, and specific applications. (Execution via WMI followed by Network Connection, Execution from Unusual Directory, Unusual File Written or Modified in Startup Folder, UAC Bypass via DelegateExecute Registry Modification, Suspicious Impersonation as Trusted Installer, Startup Persistence by a Low Reputation Process, Suspicious PowerShell Base64 Decoding, Suspicious PowerShell Execution)
Several macOS rules were refined to reduce false positives. Updates include adding exclusions for legitimate code signatures, parent process paths, command lines, and URLs related to software management tools like Jamf and development environments, improving detection accuracy for malware and persistence techniques. (Potential WizardUpdate Malware Infection, Potential Data Exfiltration via Curl, Curl Download and Execution of JavaScript Payload, Persistence via Suspicious Launch Agent or Launch Daemon)
Personal repositories (7)
Neo23x0/signature-base (✎7)
✎ Modified rules
The YARA rule for the Plague backdoor on Linux was broadened to find more variants. Detection logic was updated with new strings and hex patterns tied to credential theft. The matching condition is now more flexible, moving from requiring all original strings to a more general threshold based on any of the new indicators. (MAL_LNX_PLAGUE_BACKDOOR_Jul25)
A YARA rule targeting supply chain attacks in NPM packages was updated to detect additional malicious activity. New signatures identify scripts downloading the 'trufflehog' credential scanner and exfiltrating data with curl. The rule also detects common JavaScript obfuscation patterns and adds exclusions for file types like HTML, XML, and JSON to reduce false positives. (MAL_JS_NPM_SupplyChain_Compromise_Sep25)
HybridBrothers/Hunting-Queries-Detection-Rules (+2)
+ New rules
Two new KQL queries for Microsoft Defender XDR identify high-risk device configurations. One query finds devices without an active TPM that are associated with critical user accounts by using the exposure graph. The second query hunts for internet-exposed devices with high-severity, remotely exploitable vulnerabilities. (Hunt for critical credentials on non-TPM enabled devices, Hunt for public remotly exploitable devices (with high EPSS))
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+2)
+ New rules
A new KQL query hunts for high-volume TCP port 445 connection attempts on Linux systems. This activity may indicate attempts to exploit the KSMBD denial-of-service vulnerability, CVE-2025-38501. (New KSMBD DoS (CVE-2025-38501) can exhaust SMB connections via half-open TCP handshakes)
A new KQL query identifies Windows 10 and 11 devices that are approaching their end-of-service dates. The query summarizes affected devices by OS version to aid in asset lifecycle management. (Detect Windows Versions reaching end of service on October&November 2025)
ep3p/Sentinel_KQL (+3, ✎5)
+ New rules
A new set of KQL rules and a function for Microsoft Sentinel were added to detect identity threats using Microsoft Entra ID Protection risk events. The rules identify users with multiple risk events and potential account compromises in hybrid AD FS environments by analyzing AADUserRiskEvents and SigninLogs. (Multiple-Entra ID Protection risk events, Multiple-Risky AD FS sign-in, EntraIDProtectionRiskEvents)
✎ Modified rules
Two KQL rules for detecting unfamiliar Azure AD sign-ins were updated for better accuracy. The changes focus on using AADUserRiskEvents as a primary data source, refining suppression with specific watchlists, and parsing additional fields to enrich alerts with detailed risk information. (Multiple-Unfamiliar sign-in properties, Multiple-Unfamiliar sign-in properties)
Detection for suspicious activity on domain controllers is refined in two KQL rules. The updates introduce watchlists to exclude known service creations and expected remote session accounts, reducing false positives. One rule now correlates privileged operations with logon events to add source IP addresses for better context. (SecurityEvent-Unusual service creation in a domain controller, SecurityEvent-Possible unusual remote session in a domain controller)
A KQL query for Entra ID was updated to detect the potential abuse of Microsoft service principals. The new logic identifies operations initiated by principals like 'Office 365 Exchange Online' which can be used to gain Global Administrator privileges. (AuditLogs-Entra ID unusual operation)
benscha/KQLAdvancedHunting (+2)
+ New rules
Two new KQL queries for Microsoft Sentinel detect malicious URLs in emails. The rules correlate URLs from the EmailUrlInfo table against external threat intelligence feeds from CERT.PL and Phishunt.io, joining the results with EmailEvents for contextual information. (Email_TI_CertPL_Feed, Email_TI_Phishuntio)
alexverboon/Hunting-Queries-Detection-Rules (+5)
+ New rules
Two new KQL queries help monitor Microsoft Defender for Endpoint device onboarding. One tracks the historical onboarding status for a single device, while the other provides a daily fleet-wide summary and calculates day-over-day changes. (Show visual timeline of Onboarding Status Changes, Defender for Endpoint- Onboarding Status Information)
Three new KQL queries aid in analyzing aggregated event data in Microsoft Defender for Endpoint. They allow for exploring aggregated event types, comparing data ingestion volumes between aggregated and standard events, and calculating the percentage of data volume attributed to aggregation for each device. These queries are useful for monitoring data usage and costs. (MDE Aggregated Event Examples, MDE Compare Aggregated vs. Non-Aggregated Event Data Volume, MDE Percentage of Aggregated Data Volume by Device)
Cyb3r-Monk/Threat-Hunting-and-Detection (✎1)
✎ Modified rules
Detection for Microsoft Entra ID actor token abuse (CVE-2025-55241) was improved. The KQL query, which flags service-to-service operations from non-Microsoft IP addresses, now also filters Microsoft's IPv6 ranges. This change reduces false positives. (Potential Actor Token Abuse In Entra ID)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we'd love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We'd be happy to help — contact us.