Detections Digest #20251006
The issue highlights key updates from 9 repos, including 47 new and 81 modified YARA, Sigma, KQL, Elastic and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 9 of the 40+ monitored GitHub repositories. Between Sep 29 and Oct 6, 2025, contributors added 47 new rules and updated 81 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple repositories added detections for Windows defense evasion and persistence techniques. New rules identify attempts to disable the Event Log service by creating the ‘MiniNt’ registry key. Other additions target malicious scheduled tasks that use curl and PowerShell or masquerade as system processes. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
Detection coverage for Azure and Microsoft 365 environments was significantly updated. Numerous rules were refined to find defense evasion, such as deleting firewall policies or disabling cloud logs. Other changes improve detection of persistence via privileged role assignments and illicit OAuth consent grants. (elastic/detection-rules, HybridBrothers/Hunting-Queries-Detection-Rules)
Email security rules now use more advanced analysis to find image-based threats. Detections for Google and DocuSign impersonation were updated to apply OCR, logo detection, and NLU topic analysis on attachments. Phishing rules were also tuned to reduce false positives by excluding verified security education platform emails. (sublime-security/sublime-rules)
New rules were added to detect emerging threats and vulnerabilities. Detections now cover a privilege escalation exploit chain on Linux (CVE-2025-32463) and post-exploitation activity on SAP NetWeaver (CVE-2025-31324). Additional rules target the Amos infostealer on macOS and the EDR-Freeze hacktool. (elastic/detection-rules, SigmaHQ/sigma, Yamato-Security/hayabusa-rules, Neo23x0/signature-base)
Malicious use of the Node.js binary is a new focus area for endpoint detection. One rule identifies a persistence technique involving Node.js install scripts, as seen with the Shai-Hulud worm. Other rules detect the execution of malicious JavaScript files or inline scripts via node.exe. (elastic/detection-rules, SigmaHQ/sigma, Yamato-Security/hayabusa-rules)
🚀 Make updates from this digest operational → All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+3, ✎12)
elastic/detection-rules (+4, ✎48)
SigmaHQ/sigma (+16, ✎7)
Yamato-Security/hayabusa-rules (+21, ✎11)
Corporate repositories (4)
sublime-security/sublime-rules (+3, ✎12)
+ New rules
New rules were added to detect specific types of malicious or unwanted inbound emails. One rule identifies unsolicited ‘new job’ congratulatory spam. Another detects impersonation of system accounts like ‘mailer-daemon’ by checking for an empty sender address with a deceptive display name. A third rule targets abuse of the Cisco secure email service, focusing on messages with financial themes and header anomalies. (Spam: New job cold outreach from unsolicited sender, Headers: System account impersonation with empty sender address, Service abuse: Cisco secure email service with financial request)
✎ Modified rules
Multiple rules for detecting various phishing vectors, including EML attachments, storage alerts, QR codes, and corporate impersonation, were updated. They now exclude legitimate security education emails from a Proofpoint platform by verifying the sender, domain, and successful DMARC/SPF authentication to reduce false positives. (EML attachment with credential theft language (unknown sender), Credential phishing: Fake storage alerts (unsolicited), Compensation review with QR code in attached EML, Impersonation: Internal corporate services)
Detection for brand impersonation phishing is improved in rules targeting Google and DocuSign. Updates add OCR and logo detection for Google Careers lures in screenshots, inspect attached screenshots for Google Classroom spoofing, and apply NLU topic analysis to OCR’d text from attachments in DocuSign phishing attempts. These changes better identify image-based threats. (Service abuse: Google classroom solicitation, Brand impersonation: DocuSign branded attachment lure with no DocuSign links, Brand impersonation: Google Careers)
Several phishing detection rules received logic updates for improved accuracy. Changes include ignoring tracking pixels in voicemail lures, adding sender trust conditions for photo-sharing spam and forged calendar invites, inspecting exploded attachments for malicious links in Canva designs, and refining sender address length checks for potential BEC from ExactTarget/Salesforce infrastructure. (Fake voicemail notification (untrusted sender), Canva design with suspicious embedded link, Service Abuse: ExactTarget with suspicious sender domain, Spam: Fake photo share, Non-RFC compliant calendar files from unsolicited sender)
elastic/detection-rules (+4, ✎48)
+ New rules
Two new rules detect privilege escalation on Linux systems by targeting the exploit chain for CVE-2025-32463. One rule identifies the specific sudo --chroot command usage, while the other detects the creation of a malicious nsswitch.conf file outside the standard /etc directory. (Potential CVE-2025-32463 Sudo Chroot Execution Attempt, Potential CVE-2025-32463 Nsswitch File Creation)
A new rule detects a persistence technique on Linux hosts where adversaries abuse Node.js pre or post-install scripts. The logic identifies a node install command that spawns a subsequent child process, a behavior observed in the Shai-Hulud worm. (Node.js Pre or Post-Install Script Execution)
A new rule detects a privilege escalation technique on Windows by monitoring for the use of SeIncreaseBasePriorityPrivilege. The detection uses Windows Security Event ID 4674 and filters out common system account SIDs to reduce false positives. (Suspicious SeIncreaseBasePriorityPrivilege Use)
✎ Modified rules
Detections for Azure and Microsoft 365 defense evasion were refined. Updates improve the identification of deleted firewall policies (T1562.007), disabled cloud logs (T1562.008), and removed M365 security features like DLP, malware filters, and mailbox audit bypass. Most of these rules also had their query windows shortened and index targets specified for better performance. (Azure Frontdoor Web Application Firewall (WAF) Policy Deleted, Azure Firewall Policy Deletion, Azure Diagnostic Settings Deletion, Azure Event Hub Deletion, Azure Alert Suppression Rule Created or Modified, Microsoft 365 Exchange DLP Policy Removed, Microsoft 365 Exchange Malware Filter Rule Modification, O365 Mailbox Audit Logging Bypass, Microsoft 365 Exchange Safe Attachment Rule Disabled, Microsoft 365 Exchange Transport Rule Modification)
Coverage for account compromise and persistence in Azure AD/Entra ID was improved. Numerous rules targeting the assignment of privileged roles like Global Administrator, illicit OAuth consent grants, and suspicious sign-in activities were updated. Many rules received more specific ATT&CK mappings, such as T1098.003 (Additional Cloud Roles) and T1078.004 (Cloud Accounts). (Entra ID Global Administrator Role Assigned, Azure Global Administrator Role Addition to PIM User, Azure Privilege Identity Management Role Modified, etc.)
Multiple rules for detecting adversary activity in Azure infrastructure were updated. These changes improve detection of command execution on VMs (T1651), Kubernetes privilege escalation through role binding creation, and persistence using Azure Automation accounts and webhooks. The rules were also tuned for performance by reducing query time windows and refining data source indices. (Azure Full Network Packet Capture Detected, Azure Kubernetes Events Deleted, Azure Command Execution on Virtual Machine, Azure Blob Container Access Level Modification, Azure Kubernetes Pods Deleted, Azure Kubernetes Rolebindings Created, Azure Automation Runbook Deleted, Azure Automation Account Created, Azure Automation Webhook Created)
Detections for credential access attempts and email-based threats in Microsoft 365 were updated. This includes improved ATT&CK mapping for password spraying and guessing (T1110 sub-techniques) and better identification of post-compromise actions like creating email forwarding rules. Rules for malware uploaded to SharePoint and OneDrive also received expanded ATT&CK mappings. (Multiple Microsoft 365 User Account Lockouts in Short Time Window, O365 Excessive Single Sign-On Logon Errors, Microsoft 365 User Restricted from Sending Email, O365 Email Reported by User as Malware or Phish, SharePoint Malware File Upload, OneDrive Malware File Upload, Microsoft 365 Inbox Forwarding Rule Created, Microsoft 365 Exchange Transport Rule Creation, Microsoft 365 Potential ransomware activity, Microsoft 365 Exchange Management Group Role Assignment, Microsoft 365 Teams Guest Access Enabled, New or Modified Federation Domain)
Two endpoint rules received significant logic changes. The Linux port scan detection now uses a more precise ESQL query targeting only egress traffic. A ransomware rule was rewritten in ESQL, moving from keyword search to a behavioral model that identifies multiple files with the same name created via SMB across different paths. (Potential Port Scanning Activity from Compromised Host, Potential Ransomware Behavior - Note Files by System)
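The behavioral model described for the ransomware note rule (the same file name created by the SMB server process across many directories in a short window) can be illustrated with a small correlation routine. This is an added example, not Elastic's ESQL rule: the events, the "System" process attribution for SMB writes, the threshold and the window are all assumptions chosen here.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, host, proc, path):
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": proc, "path": path}


# Constructed Windows file-creation events. On a Windows file server, files written
# by remote SMB clients are attributed to the System process, which the behavioral
# rule keys on; the note name and share layout below are made up for the example.
SAMPLE_EVENTS = [
    _ev("2025-10-01T10:00:%02d" % s, "fs01", "System",
        ntpath.join(r"C:\Shares", d, "README_TO_RESTORE.txt"))
    for s, d in enumerate(["Finance", "HR", "Legal", "Sales", "Eng", "Public"])
] + [
    # Same name, but created locally by a user: not SMB activity, must be ignored.
    _ev("2025-10-01T10:00:30", "fs01", "explorer.exe", r"C:\Users\bob\Desktop\README_TO_RESTORE.txt"),
    # A benign name that recurs across shares, but too slowly and in too few places.
    _ev("2025-10-01T10:01:00", "fs01", "System", r"C:\Shares\Finance\desktop.ini"),
    _ev("2025-10-01T10:01:05", "fs01", "System", r"C:\Shares\HR\desktop.ini"),
    _ev("2025-10-01T10:45:00", "fs01", "System", r"C:\Shares\Legal\desktop.ini"),
]


def note_file_spray(events, min_dirs=4, window=timedelta(minutes=10), proc="System"):
    """Group SMB-attributed file creations by (host, file name) and report each name that
    appeared in at least `min_dirs` distinct directories inside a sliding `window`.
    Returns {(host, name): max_distinct_dirs} for the names that crossed the threshold."""
    groups = defaultdict(list)
    for e in events:
        if e["process"].lower() != proc.lower():
            continue  # only writes attributed to the SMB server process count
        name = ntpath.basename(e["path"]).lower()
        groups[(e["host"], name)].append((e["ts"], ntpath.dirname(e["path"]).lower()))

    hits = {}
    for key, items in groups.items():
        items.sort()  # by timestamp, so a two-pointer sweep bounds the window
        best, j = 0, 0
        for i in range(len(items)):
            while j < len(items) and items[j][0] - items[i][0] <= window:
                j += 1
            best = max(best, len({d for _, d in items[i:j]}))
        if best >= min_dirs:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (host, name), n in note_file_spray(SAMPLE_EVENTS).items():
        print(f"{host}: '{name}' created via SMB in {n} directories within the window")
```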
SigmaHQ/sigma (+16, ✎7)
+ New rules
Four new rules detect post-exploitation activity on SAP NetWeaver systems, likely following exploitation of CVE-2025-31324. Detections target the creation of webshells in specific application directories and the subsequent execution of suspicious child processes on both Windows and Linux platforms. (Potential SAP NetWeaver Webshell Creation, Potential SAP NetWeaver Webshell Creation - Linux, Suspicious Child Process of SAP NetWeaver - Linux, Suspicious Child Process of SAP NetWeaver)
Detection for defense evasion on Windows is improved with rules that identify abuse of trusted system processes. These include mmc.exe loading scripting DLLs or using Right-to-Left Override (RLO) filenames, and conhost.exe anomalously spawning shells to break typical process ancestry. (MMC Loading Script Engines DLLs, Potentially Suspicious Child Processes Spawned by ConHost, MMC Executing Files with Reversed Extensions Using RTLO Abuse)
New rules detect attempts to disable Windows security features. Two rules identify the creation of the MiniNt registry key, a technique to stop the Event Log service. Another rule detects the use of PowerShell to uninstall the Windows Defender feature. (Security Event Logging Disabled via MiniNt Registry Key - Process, Security Event Logging Disabled via MiniNt Registry Key - Registry Set, Suspicious Uninstall of Windows Defender Feature via PowerShell)
Two rules were added to detect persistence via malicious scheduled tasks. One identifies tasks combining curl and powershell for remote payload execution, while the other detects tasks that masquerade as common Windows system processes. (Scheduled Task Creation with Curl and PowerShell Execution Combo, Scheduled Task Creation Masquerading as System Processes)
Coverage was added for several distinct threats. These include a scraper botnet identified by its ‘Hello-World/1.0’ user-agent, the Amos infostealer via its ‘FileGrabber’ binary on macOS, and the abuse of Node.js (node.exe) to run malicious JavaScript payloads. (Potential Hello-World Scraper Botnet Activity, MacOS FileGrabber Infostealer, NodeJS Execution of JavaScript File, Potentially Suspicious Inline JavaScript Execution via NodeJS Binary)
✎ Modified rules
Two rules for detecting local group enumeration via PowerShell were improved. The updates add coverage for more WMI and CIM cmdlet aliases, including ‘gwmi’, ‘gcim’, and ‘get-ciminstance’, and refine keyword matching to reduce false positives. (Suspicious Get Local Groups Information, Suspicious Get Local Groups Information - PowerShell)
Detection of Right-to-Left Override (RTLO) character abuse is broadened. Rules for identifying RTLO in filenames and command lines were updated to detect an alternative character format. The filename rule also now checks for a larger set of reversed file extensions. (Potential File Extension Spoofing Using Right-to-Left Override, Potential Defense Evasion Via Right-to-Left Override)
Rules targeting threats involving Python components were refined to reduce false positives. The Python DLL sideloading detection now excludes legitimate Anaconda and PyInstaller paths. The rule for detecting bundled Python executables was also tuned by adding a new false positive condition and lowering its severity. (Potential Python DLL SideLoading, Python Image Load By Non-Python Process)
Detection logic for the LaZagne credential retrieval tool was made more resilient. The rule no longer uses static IMPHASH values and instead focuses on behavioral indicators such as process name, execution path, and command-line arguments to identify multiple versions of the tool. (HackTool - LaZagne Execution)
Yamato-Security/hayabusa-rules (+21, ✎11)
+ New rules
A set of rules detects the creation of the MiniNt registry key to disable the Windows Event Log service. This defense evasion technique is monitored through various telemetry, including process execution of reg.exe or PowerShell, and direct registry modification events. (Security Event Logging Disabled via MiniNt Registry Key - Registry Set, Security Event Logging Disabled via MiniNt Registry Key - Process, Security Event Logging Disabled via MiniNt Registry Key - Process, Security Event Logging Disabled via MiniNt Registry Key - Registry Set)
Multiple rules target malicious scheduled task creation using schtasks.exe. One pattern identifies tasks that combine curl for payload download with powershell for execution. Another pattern detects tasks that masquerade as common system processes like svchost or rundll32. (Scheduled Task Creation with Curl and PowerShell Execution Combo, Scheduled Task Creation Masquerading as System Processes, Scheduled Task Creation with Curl and PowerShell Execution Combo, Scheduled Task Creation Masquerading as System Processes)
New detections cover the malicious use of the Node.js binary (node.exe). The rules identify both the general execution of .js files and specific inline execution patterns indicated by command-line keywords such as http, execSync, and spawn. (NodeJS Execution of JavaScript File, Potentially Suspicious Inline JavaScript Execution via NodeJS Binary, Potentially Suspicious Inline JavaScript Execution via NodeJS Binary, NodeJS Execution of JavaScript File)
Several rules address abuse of the Microsoft Management Console (mmc.exe). Detections identify the use of the Right-to-Left Override (RLO) character to disguise .msc files as documents, and the loading of scripting engines like vbscript.dll by the mmc.exe process. (MMC Executing Files with Reversed Extensions Using RTLO Abuse, MMC Loading Script Engines DLLs, MMC Executing Files with Reversed Extensions Using RTLO Abuse)
Two rules detect post-exploitation activity on SAP NetWeaver, potentially related to vulnerabilities like CVE-2025-31324. One rule finds webshell deployment by monitoring suspicious file creations (.jsp, .java) in SAP directories, while the other detects command execution via suspicious child processes. (Suspicious Child Process of SAP NetWeaver, Potential SAP NetWeaver Webshell Creation)
✎ Modified rules
Three rules targeting filename masquerading with the Right-to-Left Override (RTLO) character were updated. Detection is now broader, covering more reversed file extensions and additional string representations of the RTLO character, such as ‘\u202e’ and ‘[U+202E]’, in both command-line arguments and file creation events. (Potential Defense Evasion Via Right-to-Left Override, Potential File Extension Spoofing Using Right-to-Left Override, Potential Defense Evasion Via Right-to-Left Override)
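The RTLO updates summarized here and in the SigmaHQ section above (alternative string representations such as ‘\u202e’ and ‘[U+202E]’, plus a larger set of reversed extensions, including .msc lures handed to mmc.exe) come down to two steps: normalize every spelling of U+202E to the real code point, then compare the file's true extension with the one a bidi-aware UI would display. The following is an added example of that logic over constructed command lines; it is not a Sigma or Hayabusa rule, and the escape list and extension sets are assumptions.

```python
import re

RTLO = "\u202e"  # the Right-to-Left Override code point itself
# Escaped spellings of U+202E that log pipelines may emit instead of the raw character
# (the digest names '\u202e' and '[U+202E]'); the list is an assumption for this example.
RTLO_ESCAPES = (r"\u202e", "[U+202E]")
# Real extensions an attacker hides behind a reversed name, and the harmless-looking
# extensions the name is made to display; both sets are illustrative, not a rule's list.
EXEC_EXTS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "lnk", "msc"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def normalize(text: str) -> str:
    """Rewrite every escaped spelling of the override into the real code point."""
    for esc in RTLO_ESCAPES:
        text = re.sub(re.escape(esc), RTLO, text, flags=re.IGNORECASE)
    return text


def as_displayed(name: str) -> str:
    """Render a name the way a bidi-aware UI shows it: text after U+202E appears reversed."""
    i = name.find(RTLO)
    return name if i < 0 else name[:i] + name[i + 1:][::-1]


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze(cmdline: str) -> dict:
    """Classify one command line: does it carry an RTLO, and if so is the real extension
    an executable type while the displayed extension looks like a document?"""
    text = normalize(cmdline)
    verdict = {"has_rtlo": RTLO in text, "spoofed": False, "real_ext": None, "shown_ext": None}
    if not verdict["has_rtlo"]:
        return verdict
    token = next(t for t in text.split() if RTLO in t).strip("\"'")
    real, shown = _ext(token), _ext(as_displayed(token))
    verdict.update(real_ext=real, shown_ext=shown, spoofed=real in EXEC_EXTS and shown in DOC_EXTS)
    return verdict


# Constructed process-creation command lines: the first carries the raw code point, the
# second and third carry the escaped spellings a log source might produce instead.
SAMPLE_CMDLINES = [
    'explorer.exe "C:\\Users\\a\\Downloads\\annex' + RTLO + 'fdp.exe"',
    r"cmd.exe /c start report\u202ecod.scr",
    r"notepad.exe C:\temp\readme[U+202E]txt.txt",
    r"powershell.exe -File C:\scripts\backup.ps1",
]


def scan(cmdlines):
    """Return the command lines whose file name hides an executable extension."""
    return [c for c in cmdlines if analyze(c)["spoofed"]]
```

The third sample shows why presence of the character alone is a weaker signal: it contains an RTLO but the real and displayed extensions agree, so only the first two lines are returned by scan().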
Two rules for detecting Tor network activity were updated. The logic was expanded from just checking for ‘.onion’ to a comprehensive list of over 40 suffixes associated with Tor proxies and gateways, using an ‘endswith’ condition for precision. This applies to both Windows DNS Client logs and Sysmon DNS query events. (Query Tor Onion Address - DNS Client, DNS Query Tor .Onion Address - Sysmon)
Two rules detecting PowerShell-based local group enumeration were updated for better accuracy. The logic now includes modern CIM cmdlets like ‘get-ciminstance’ and aliases such as ‘gwmi’, and command checks require a trailing space to reduce false positives. (Suspicious Get Local Groups Information, Suspicious Get Local Groups Information - PowerShell)
Detection for Python-based threats was refined across two rules. The rule for Python DLL side-loading added filters for Anaconda and PyInstaller paths to reduce false positives. The rule for detecting bundled Python executables had its severity lowered to reflect its potential for noise. (Python Image Load By Non-Python Process, Potential Python DLL SideLoading)
Two rules for detecting the LaZagne credential dumping tool were modified. The logic was generalized by removing specific IMPHASH values, shifting the detection to focus on process names and command-line arguments for wider coverage. (HackTool - LaZagne Execution, HackTool - LaZagne Execution)
Personal repositories (5)
bartblaze/Yara-rules (✎1)
✎ Modified rules
The YARA rule for XiaoBa ransomware was tuned for higher fidelity. Its detection now requires finding at least two characteristic ransom note strings, instead of just one, to reduce false positives. (XiaoBa)
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects the EDR-Freeze hacktool, a utility for EDR evasion. The rule identifies specific strings within PE files, such as the tool’s PDB path and usage instructions, to find this defense evasion tool. (HKTL_EDR_Freeze_Sep25_2)
jkerai1/KQL-Queries (+1)
+ New rules
A new KQL query summarizes Microsoft Defender for Cloud Apps events by IP address category. It groups and counts access events from sources like ‘corporate’ or ‘anonymous proxy’ to help identify unusual access patterns. (MDA - IP Address Type)
Cyb3r-Monk/Threat-Hunting-and-Detection (+1)
+ New rules
A new KQL query detects lateral movement through remote MSI package installation using DCOM. The logic identifies msiexec.exe spawned by services.exe and correlates it with inbound network connections and image load events to detect this remote execution method. (Potential Lateral Movement via MSI ODBC Driver Install over DCOM)
HybridBrothers/Hunting-Queries-Detection-Rules (✎2)
✎ Modified rules
Detection for credential addition to the Entra ID Connect Sync application is improved. The rule now monitors a broader set of operations, including ‘Add service principal’ and ‘Update application’, to better detect this persistence technique. (Detect credential add to Connect Sync Application (Sentinel))
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.