Detections Digest #20251013
The issue highlights key updates from 8 repos, including 20 new and 83 modified Splunk, Sigma, KQL, Elastic and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 8 of the 40+ monitored GitHub repositories. Between Oct 6 and Oct 13, 2025, contributors added 20 new rules and updated 83 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New email threat rules target credential phishing and brand impersonation, using service abuse from platforms like AppSheet and Salesforce as a vector. Detections now use link analysis, NLU for intent, and ML for logo identification. Existing rules for BEC and common lures were updated to counter obfuscation and improve sender profiling by checking DMARC or SPF failures. (sublime-security/sublime-rules)
Coverage for Microsoft Azure is growing with new rules for privileged RBAC role assignments, public storage access, and Entra ID token abuse. KQL queries for Entra ID risk events were improved by parsing additional data for better alert context. Other KQL queries identify high-risk sign-ins by checking IP addresses against known malicious Autonomous System Numbers. (elastic/detection-rules, ep3p/Sentinel_KQL, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
Multiple repositories added detections for defense evasion on Windows. New rules target IIS log deletion and the use of short name file paths for obfuscation. A large set of Sigma rules were tuned to reduce false positives in detections for DLL sideloading, shadow copy deletion, and LOLBIN abuse, adding filters for legitimate software. (SigmaHQ/sigma, Yamato-Security/hayabusa-rules, splunk/security_content)
New KQL queries detect Windows persistence and credential access techniques. One rule finds services pointing to executables in unusual paths, a pattern seen in BYOVD attacks. Others identify scheduled tasks running unsigned binaries with low prevalence, and rundll32.exe invoking the MiniDump export of comsvcs.dll to dump LSASS memory. (benscha/KQLAdvancedHunting)
New Linux detections target log clearing with journalctl and a VMware Tools LPE vulnerability exploit. Several existing Linux rules for persistence and defense evasion were tuned to lower false positives. The updates add specific exceptions for common activity from container runtimes like runc and podman, as well as configuration tools like Ansible. (elastic/detection-rules)
🚀 Make updates from this digest operational → All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
Corporate repositories (5)
sublime-security/sublime-rules (+5, ✎13)
elastic/detection-rules (+5, ✎13)
Yamato-Security/hayabusa-rules (+2)
SigmaHQ/sigma (+2, ✎48)
splunk/security_content (+1, ✎1)
Personal repositories (3)
ep3p/Sentinel_KQL (✎8)
benscha/KQLAdvancedHunting (+4)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
Corporate repositories (5)
sublime-security/sublime-rules (+5, ✎13)
+ New rules
Two new rules target credential phishing. One detects attacks from noreply@appsheet.com using link analysis for suspicious domains and NLU for credential theft intent. The other identifies phishing with a file sharing pretext by analyzing links pointing to self-service creation platforms where the link text matches the subject. (Service abuse: AppSheet infrastructure with suspicious indicators, Link: File sharing pretext with suspicious body and link)
Three new rules detect brand impersonation and abuse of legitimate services. Detections cover impersonation of AWS and Aquent by inspecting sender display names and email content. Another rule identifies suspicious recruiting messages sent from trusted platforms like Salesforce, LADesk, and AWS by analyzing sender address length and message topics. (Service abuse: Recruiting with suspicious language patterns from legitimate platforms, Brand impersonation: Aquent, Brand impersonation: Amazon Web Services (AWS))
✎ Modified rules
Detection for brand and government impersonation was updated across four rules targeting Meta, PNC, United Healthcare, and the Social Security Administration. The changes add multiple detection layers, including machine learning for logo identification, checks for homoglyphs in sender names, and new body text patterns. Accuracy is improved by adding exclusions for email forwards, replies, and known legitimate domains. (Brand impersonation: United Healthcare, Impersonation: Social Security Administration (SSA), Brand impersonation: Meta and subsidiaries, Brand impersonation: PNC)
Several rules targeting common phishing lures were updated to counter attacker evasion. Detection for e-signature phishing now checks for the recipient’s name in the body and URL. Voicemail phishing detection handles character obfuscation in keywords. Password expiration phishing detection now identifies links that use an IP address. (Credential phishing: Suspicious e-sign agreement document notification, Credential phishing: Fake password expiration from new and unsolicited sender, Fake voicemail notification (untrusted sender))
Detection for Business Email Compromise and extortion attempts was improved. One rule now uses a machine learning classifier to identify malicious intent. Another rule targeting extortion was updated with an NLU model for topic detection and expanded regular expressions to find Unicode confusables and evasive keywords. (Suspicious request for financial information, Extortion / sextortion (untrusted sender))
Sender profiling logic was refined in two rules to better identify high-risk messages. The rules now flag emails from senders with a mixed history of benign and malicious activity, provided the current message also fails DMARC or SPF authentication. This change applies to rules detecting corporate service impersonation and suspicious financial requests. (Credential phishing: Suspicious subject with urgent financial request and link, Impersonation: Internal corporate services)
Rules targeting specialized phishing threats were tuned for accuracy. The rule for detecting personalized phishing links in PDF attachments now inspects multiple attachments and adds exclusions for URLs in PDF metadata. The rule for academic journal phishing was updated to ignore Microsoft quarantine notifications. (Predatory Academic Journal Solicitation, Attachment: PDF with recipient email in link)
elastic/detection-rules (+5, ✎13)
+ New rules
Three new rules detect high-risk activities in Microsoft Azure. Detections cover the assignment of privileged Azure RBAC roles, the enabling of public access on storage blobs, and the potential abuse of actor tokens in Entra ID related to CVE-2025-55241. These rules monitor Azure activity and audit logs for signs of privilege escalation and data exposure. (Entra ID Actor Token User Impersonation Abuse, Azure Storage Account Blob Public Access Enabled, Azure RBAC Built-In Administrator Roles Assigned)
Two new rules target threats on Linux systems. One rule detects attempts to exploit a privilege escalation vulnerability in VMware Tools (CVE-2025-41244) by monitoring for unexpected child processes of vmtoolsd. The other identifies defense evasion by detecting journalctl commands used to clear system logs. (Attempt to Clear Logs via Journalctl, Potential CVE-2025-41244 vmtoolsd LPE Exploitation Attempt)
✎ Modified rules
Three AWS detection rules for S3 and STS were rewritten, migrating logic from ES|QL to Kuery or EQL. The changes refine detection for S3 object enumeration, S3 ransomware note uploads (T1486), and STS role chaining. The updates also include new investigation guides and more accurate ATT&CK mappings. (AWS S3 Bucket Enumeration or Brute Force, Potential AWS S3 Bucket Ransomware Note Uploaded, AWS STS Role Chaining)
Seven Linux detection rules for persistence and defense evasion were updated to reduce false positives. New exceptions filter legitimate activity from container runtimes like runc and podman, configuration management tools like Ansible, and various package managers. Techniques covered include modifying dynamic linker files, stopping logging services, and unusual command executions. (Unusual Remote File Creation, Attempt to Disable Syslog Service, Dynamic Linker Creation or Modification, Kill Command Execution, Suspicious Path Invocation from Command Line, Dynamic Linker (ld.so) Creation, Initramfs Extraction via CPIO)
Detections for cloud credential access were tuned for accuracy. A rule for rare Azure Entra ID application usage, which can indicate MFA bypass, now excludes 16 common applications to lower noise. Another rule for IMDS API access was updated to target specific high-risk endpoints and add granular exclusions for legitimate cloud-init and agent processes. (Azure Entra ID Rare App ID for Principal Authentication, Unusual Instance Metadata Service (IMDS) API Request)
The detection rule for TruffleHog, a credential scanning tool, was updated with a comprehensive investigation guide. The new note provides structured steps for triage, analysis, and remediation for analysts responding to alerts. (Credential Access via TruffleHog Execution)
Yamato-Security/hayabusa-rules (+2)
+ New rules
Two new rules detect the deletion of Internet Information Services (IIS) log files, a common defense evasion technique. They monitor for command-line shells executing file deletion commands targeting the \inetpub\logs\ directory. The two rules share a title and differ only in telemetry source: one uses Sysmon process creation events (Event ID 1) and the other uses Windows Security process creation events (Event ID 4688). (IIS WebServer Log Deletion via CommandLine Utilities, IIS WebServer Log Deletion via CommandLine Utilities)
SigmaHQ/sigma (+2, ✎48)
+ New rules
A new rule detects attempts to delete Internet Information Services (IIS) log files. It monitors command line activity for file deletion commands like ‘del’ or ‘remove-item’ targeting the default ‘\inetpub\logs’ directory, a common defense evasion tactic. (IIS WebServer Log Deletion via CommandLine Utilities)
A new rule identifies the use of short name file paths, such as ‘PROGRA~1’, in command-line arguments. This detection targets a path obfuscation technique used by adversaries to bypass security controls, while filtering for common legitimate processes. (Use Short Name Path in Command Line)
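The two command-line detections above (the IIS log deletion rules from hayabusa-rules and SigmaHQ, and the short name path rule from SigmaHQ) are shown here as an added example in Python, not as code from either repository. It assumes events are dicts modelled on Sysmon Event ID 1 (`Image`, `CommandLine`) and Security Event ID 4688 (`NewProcessName`, `CommandLine`); the sample events and the allow-list of benign images are constructed for illustration, and the regexes are this example's own approximation of the rules' logic.

```python
"""Added example: evaluate IIS log deletion and 8.3 short-name path
detections over constructed Sysmon EID 1 / Security EID 4688 events."""
import re

# Sysmon EID 1 and Security EID 4688 name the same fields differently;
# normalise both to one schema so a single rule body serves both sources.
FIELD_MAP = {
    1:    {"image": "Image",          "cmd": "CommandLine"},
    4688: {"image": "NewProcessName", "cmd": "CommandLine"},
}

def normalize(event):
    m = FIELD_MAP[event["EventID"]]
    return {"image": event.get(m["image"], ""), "cmd": event.get(m["cmd"], "")}

# Rule 1: a deletion verb (cmd built-ins or PowerShell cmdlet/aliases)
# anywhere in the command line, aimed at the default IIS log directory.
DELETE_VERBS = re.compile(
    r"""(?i)(?:^|[\s&|;("'])(?:del|erase|rd|rmdir|remove-item|ri|rm)\b""")
IIS_LOG_PATH = re.compile(r"(?i)\\inetpub\\logs\\")

def iis_log_deletion(ev):
    cmd = ev["cmd"]
    return bool(DELETE_VERBS.search(cmd) and IIS_LOG_PATH.search(cmd))

# Rule 2: an 8.3 short-name component such as \PROGRA~1\ in the command
# line (up to six chars, a tilde, a number, then a separator or end).
SHORT_NAME = re.compile(r"""\\[A-Za-z0-9_]{1,6}~\d+(?=[\\\s"']|$)""")
# Illustrative filter for a process that legitimately emits short names.
BENIGN_IMAGES = {r"c:\windows\system32\msiexec.exe"}

def short_name_path(ev):
    if ev["image"].lower() in BENIGN_IMAGES:
        return False
    return bool(SHORT_NAME.search(ev["cmd"]))

RULES = {
    "IIS WebServer Log Deletion via CommandLine Utilities": iis_log_deletion,
    "Use Short Name Path in Command Line": short_name_path,
}

def evaluate(event):
    """Return the names of all rules that fire on one raw event."""
    ev = normalize(event)
    return [name for name, fn in RULES.items() if fn(ev)]

# Constructed events: two log deletions (one per telemetry source), one
# short-name path, one benign short-name use, one benign listing.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /q /s C:\inetpub\logs\LogFiles\W3SVC1\*.log"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Remove-Item C:\inetpub\logs\LogFiles\* -Recurse"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\PROGRA~1\Common~1\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\PROGRA~2\vendor\setup.msi /qn"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\inetpub\logs\LogFiles"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["EventID"], evaluate(e), e["CommandLine"])
```

The normalisation step is the point the two hayabusa variants make: the rule body is identical, only the field names differ by telemetry source. The allow-list on the short-name rule stands in for the legitimate-process filters the Sigma rule carries; in production that list is where most of the tuning effort goes.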
✎ Modified rules
A broad set of rules for defense evasion and LOLBIN abuse were tuned to reduce false positives. Updates improve detections for DLL sideloading, shadow copy deletion, and masquerading system binaries. Other changes refine detection for disabling security features like AMSI, ETW, and Defender components by filtering legitimate system activity. (Amsi.DLL Loaded Via LOLBIN Process, Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load, Suspicious Volume Shadow Copy Vssapi.dll Load, Potential Goopdate.DLL Sideloading, Potential Antivirus Software DLL Sideloading, Potential JLI.dll Side-Loading, Windows Binaries Write Suspicious Extensions, Unsigned DLL Loaded by Windows Utility, Filter Driver Unloaded Via Fltmc.EXE, Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE, Files With System Process Name In Unsuspected Locations, etc)
Detection for persistence techniques was refined across numerous rules targeting registry modifications and scheduled tasks. Updates focus on adding filters for legitimate software installers and updaters, such as Avira and various Office components. This improves accuracy for detections targeting ASEP registry keys, service creation, and Office add-in installations. (Uncommon New Firewall Rule Added In Windows Firewall Exception List, Potential Privileged System Service Operation - SeLoadDriverPrivilege, New Kernel Driver Via SC.EXE, Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE, Direct Autorun Keys Modification, Service Binary in Suspicious Folder, Office Autorun Keys Modification, etc)
Multiple rules detecting malicious PowerShell activity were tuned to reduce false positives. Updates add specific filters for legitimate scripts, module loading, and alternate hosts like PowerShell Preview. This improves the reliability of detections for persistence, defense evasion, and execution techniques. (PSScriptPolicyTest Creation By Uncommon Process, Powershell Create Scheduled Task, PowerShell Deleted Mounted Share, Suspicious Eventlog Clear, PowerShell Core DLL Loaded By Non PowerShell Process, Alternate PowerShell Hosts Pipe, Change PowerShell Policies to an Insecure Level)
Detections for specific adversary tools and tactics were improved. The rule for the LaZagne credential dumper was hardened by requiring spaces around command-line arguments. Other rules covering discovery via findstr, initial access via phishing links, and execution via headless browsers or Python were tuned with new filters to reduce noise. (File Download with Headless Browser, Recon Command Output Piped To Findstr.EXE, Python Inline Command Execution, HackTool - LaZagne Execution, Potential Suspicious Browser Launch From Document Reader Process)
splunk/security_content (+1, ✎1)
+ New rules
A new rule detects DNS queries from the Visual Basic Command Line Compiler (vbc.exe) using Sysmon Event ID 22. Since vbc.exe is a local compiler and rarely needs network access, such queries are highly suspect. This activity may indicate a malicious process masquerading as vbc.exe for command and control or data exfiltration. (Windows Visual Basic Commandline Compiler DNSQuery)
✎ Modified rules
Detection for executable modules loaded via Sysmon EventID 7 is now more accurate. The logic was changed from targeting ‘*.exe’ files to any unsigned file that is not a DLL. This modification broadens detection of malware like NjRAT and Lokibot while reducing false positives. (Windows Executable in Loaded Modules)
Personal repositories (3)
ep3p/Sentinel_KQL (✎8)
✎ Modified rules
Eight KQL queries for Microsoft Entra ID risk events were updated to improve alert enrichment. The rules, which detect threats like password sprays, leaked credentials, and sign-ins from malicious IPs, now parse the AdditionalInfo field from AADUserRiskEvents. This change dynamically extracts MITRE ATT&CK techniques and creates fallback fields for alert details. The use of coalesce makes contextual information present even when a corresponding SecurityAlert is not found, resulting in more consistently detailed alerts. (Multiple-Leaked credentials, Multiple-Anonymous IP address, Multiple-Malicious IP address, Multiple-Atypical travel, Multiple-Suspicious API Traffic, Multiple-Verified threat actor IP, Multiple-Microsoft Entra threat intelligence, Multiple-Password Spray)
benscha/KQLAdvancedHunting (+4)
+ New rules
New rules target Windows persistence techniques. One rule detects malicious services pointing to executables in unusual locations like temp directories, a method seen in ‘Bring Your Own Vulnerable Driver’ attacks. Another identifies scheduled tasks that run unsigned binaries with low global prevalence. (ValleyRAT Exploiting BYOVD, Scheduled Tasks with unsigned Binaries)
A new rule detects a malware execution chain involving obfuscated PowerShell commands. The logic identifies PowerShell processes with obfuscation patterns that follow the creation of a .LNK file within a five-minute window. (Pure malware family Behavior Detection)
A fourth rule detects suspicious rundll32.exe activity. It finds rundll32.exe invocations that load comsvcs.dll and call its MiniDump export, including calls that use obfuscated ordinal numbers instead of the export name, to write a memory dump of the LSASS process and steal credentials. (LSASS Dump via comsvcs.dll)
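The two behaviours described in the preceding paragraphs (the .LNK-then-obfuscated-PowerShell chain and the comsvcs.dll MiniDump call with an obfuscated ordinal) are shown below as an added Python example, not as the repository's KQL. It assumes Defender-style events as dicts with Timestamp, DeviceName, ActionType, FileName and ProcessCommandLine; the obfuscation markers are this example's own short list, ordinal 24 is taken to be comsvcs.dll's MiniDump export, and the assumption that rundll32 tolerates a leading plus sign and zeros in the ordinal is what the "obfuscated ordinal" handling rests on. All sample events are constructed.

```python
"""Added example: temporal correlation (LNK creation -> obfuscated
PowerShell within 5 minutes) and comsvcs.dll MiniDump ordinal resolution
over constructed endpoint events."""
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=5)

# Common PowerShell obfuscation markers: encoded command, hidden window,
# runs of caret/backtick escapes, char-code building, -join assembly.
OBFUSCATION = [
    re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"),
    re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    re.compile(r"[`^]{2,}"),
    re.compile(r"(?i)\[char\]\s*\d+|-join"),
]

def is_obfuscated(cmd):
    return any(p.search(cmd) for p in OBFUSCATION)

def lnk_then_powershell(events):
    """Flag obfuscated PowerShell launches that follow a .LNK file creation
    on the same device within WINDOW. Events may arrive unsorted."""
    events = sorted(events, key=lambda e: e["Timestamp"])
    last_lnk = {}            # DeviceName -> time of the most recent .lnk
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["Timestamp"])
        name = e.get("FileName", "").lower()
        if e["ActionType"] == "FileCreated" and name.endswith(".lnk"):
            last_lnk[e["DeviceName"]] = ts
        elif (e["ActionType"] == "ProcessCreated"
              and name in ("powershell.exe", "pwsh.exe")):
            seen = last_lnk.get(e["DeviceName"])
            if (seen is not None and timedelta(0) <= ts - seen <= WINDOW
                    and is_obfuscated(e["ProcessCommandLine"])):
                hits.append((e["DeviceName"], e["Timestamp"]))
    return hits

# Assumed ordinal -> export mapping for comsvcs.dll (24 = MiniDump).
COMSVCS_EXPORTS = {24: "MiniDump"}
# comsvcs[.dll], then either "#<ordinal>" (tolerating "+" and leading
# zeros, an assumed rundll32 parsing quirk) or the export name itself.
COMSVCS_CALL = re.compile(
    r"(?i)comsvcs(?:\.dll)?\s*,\s*(?:#\s*\+?0*(\d+)|(minidump))")

def lsass_dump_via_comsvcs(e):
    """True when rundll32 loads comsvcs.dll and reaches MiniDump, whether
    the caller wrote the export name or an (obfuscated) ordinal."""
    if (e["ActionType"] != "ProcessCreated"
            or e.get("FileName", "").lower() != "rundll32.exe"):
        return False
    m = COMSVCS_CALL.search(e["ProcessCommandLine"])
    if not m:
        return False
    export = COMSVCS_EXPORTS.get(int(m.group(1))) if m.group(1) else "MiniDump"
    return export == "MiniDump"

# Constructed events (deliberately out of order to exercise the sort).
EVENTS = [
    {"Timestamp": "2025-10-08T09:02:30", "DeviceName": "ws01",
     "ActionType": "ProcessCreated", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc "
                           "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": "2025-10-08T09:00:00", "DeviceName": "ws01",
     "ActionType": "FileCreated", "FileName": "invoice.pdf.lnk",
     "ProcessCommandLine": ""},
    {"Timestamp": "2025-10-08T09:20:00", "DeviceName": "ws01",      # outside window
     "ActionType": "ProcessCreated", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc "
                           "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": "2025-10-08T09:01:00", "DeviceName": "ws02",      # no LNK, not obfuscated
     "ActionType": "ProcessCreated", "FileName": "powershell.exe",
     "ProcessCommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Timestamp": "2025-10-08T10:00:00", "DeviceName": "ws01",
     "ActionType": "ProcessCreated", "FileName": "rundll32.exe",
     "ProcessCommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, "
                           r"#+0024 652 C:\Users\Public\out.dmp full"},
    {"Timestamp": "2025-10-08T10:01:00", "DeviceName": "ws01",
     "ActionType": "ProcessCreated", "FileName": "rundll32.exe",
     "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print("LNK -> PowerShell chains:", lnk_then_powershell(EVENTS))
    print("comsvcs MiniDump:", [lsass_dump_via_comsvcs(e) for e in EVENTS])
```

Resolving the ordinal back to an export name is what makes the dump detection robust to `#+0024`-style spellings; matching the literal string `#24` would miss them, and matching only `MiniDump` would miss every ordinal call.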
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query for Microsoft Defender XDR detects user sign-in attempts from IP addresses associated with known malicious Autonomous System Numbers. The rule joins identity logon events with external threat intelligence from SpamHaus's asndrop list to flag high-risk logins. (Identities Bad Reputation ASN activities)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.