Detections Digest #20251103 + Free access to CTI feeds 💥
The issue highlights key updates from 6 repos, including 26 new and 11 modified Sublime Security, Splunk, Sigma, YARA and KQL detection rules.
This week’s update highlights the most significant changes to detection rules from 6 of the 50+ monitored GitHub repositories. Between Oct 27 and Nov 3, 2025, contributors added 26 new rules and updated 11 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New email security rules target BEC and phishing attacks that use file hosting services like SendThisFile and FlipHTML5. Detections for HR-themed lures, such as compensation reviews, were updated with new keywords and file type checks. Brand impersonation logic for ShareFile, TikTok, and Meta was also improved. (sublime-security/sublime-rules)
Multiple rules were added to detect Windows post-exploitation and lateral movement. The detections cover remote execution using Winrs/WinRM and unauthorized modification of ‘Default.rdp’ files. New rules also identify COM hijacking via SpeechRuntime.exe and the use of sacrificial processes for code injection. (SigmaHQ/sigma, splunk/security_content, benscha/KQLAdvancedHunting)
Coverage for defense evasion tactics on Windows and Linux systems was expanded. New detections identify attempts to disable security tools by directly modifying Windows Filtering Platform filters in the registry or altering the audit policy with auditpol.exe. For Linux, rules now spot the deletion of audit rules via auditctl and the disabling of the Kaspersky agent. (SigmaHQ/sigma, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
New cloud security rules target suspicious activities in AWS and GitHub. Detections identify potential ransomware preparation through AWS KMS key material imports and credential scanning via TruffleHog execution. For GitHub, rules now monitor for unauthorized repository archiving and the public exposure of Pages sites. (SigmaHQ/sigma)
New detections target specific emerging threats and obfuscation techniques. Two rules detect exploitation of a WSUS RCE vulnerability, CVE-2025-59287, via logs and child processes. Other rules identify command line obfuscation using non-ASCII characters and Bi-Directional control codes in URLs. (SigmaHQ/sigma, benscha/KQLAdvancedHunting)
💥 The Morris Worm Promo: Free access to CTIChef.com feeds until 2026
On November 2, 1988, the Morris Worm showed the world what automated, network-aware threats looked like. To mark the anniversary, we’re making our CTIChef Feeds available to you for free for the rest of the year.
The feeds contain all detection rules from the digests and are available as MISP and STIX/TAXII feeds, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
sublime-security/sublime-rules (+5, ✎6)
SigmaHQ/sigma (+15, ✎5)
Corporate repositories (3)
sublime-security/sublime-rules (+5, ✎6)
+ New rules
New rules detect Business Email Compromise (BEC) and credential phishing attacks. The rules target social engineering lures in inbound emails that involve file hosting services, including sendthisfile.com and fliphtml5.com. Detection logic combines Natural Language Understanding (NLU) classifiers, analysis of links to low-reputation domains, and suspicious sender patterns. (Service abuse: SendThisFile with credential theft and financial language, Service abuse: FlipHTML5 with attachment deception and credential theft language, Link: File sharing impersonation with suspicious language and sending patterns)
A new rule detects command and control (C2) information delivered in email bodies. The detection logic searches for text patterns indicating SMTP and SOCKS5 proxy configurations, targeting a specific malware delivery vector. (Spam: SMTP & Proxy Communications in Email Body)
A new rule detects a social engineering campaign pretext. It identifies unsolicited inbound emails that falsely claim to have found errors on the recipient’s website, using keyword analysis in the subject and body to spot the lure. (Spam: Website errors solicitation)
✎ Modified rules
Detection for phishing emails with compensation and HR-themed lures was improved. Two rules were updated with new keywords like ‘salary increment’, ‘earnings’, and ‘notification’ in subject lines and attachment names. One rule was also modified to identify PDF attachments by file type, improving detection of mislabeled malicious files. (Attachment: Compensation review lure with QR code, Attachment: Suspicious employee policy update document lure)
Brand impersonation detection was updated for ShareFile, TikTok, and Meta. Changes include identifying single PDF attachments in ShareFile lures, new sender domain patterns for TikTok impersonation, and specific link analysis for a Meta/Coursera phishing campaign. Two rules also replaced a beta NLU function with its production version. (Brand Impersonation: ShareFile, Brand impersonation: TikTok, Brand impersonation: Meta and subsidiaries)
A rule detecting voicemail-themed credential phishing was updated. It now includes a new regular expression to match more lure variations in the subject and display name. It also adds a condition to check for blank or null sender email addresses. (Fake voicemail notification (untrusted sender))
splunk/security_content (+1)
+ New rules
A new rule detects the creation or modification of the ‘Default.rdp’ file by processes other than ‘mstsc.exe’. Since this file stores RDP session settings, its unauthorized alteration can indicate attacker-controlled remote sessions or lateral movement. (Windows Default RDP File Creation By Non MSTSC Process)
SigmaHQ/sigma (+15, ✎5)
+ New rules
Two rules detect exploitation of WSUS RCE vulnerability CVE-2025-59287. One identifies specific deserialization exception messages in application logs, while the other detects shell processes spawned by WSUS services, indicating successful post-exploitation. (Exploitation Activity of CVE-2025-59287 - WSUS Deserialization, Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process)
New detections monitor for suspicious activities in AWS and GitHub environments. The rules identify potential ransomware actions via AWS KMS key modifications, credential scanning with TruffleHog, unauthorized GitHub repository archiving, and public exposure of GitHub Pages sites. (GitHub Repository Archive Status Changed, AWS KMS Imported Key Material Usage, GitHub Repository Pages Site Changed to Public, PUA - AWS TruffleHog Execution)
Multiple rules target Windows post-exploitation and defense evasion. Detections identify adversary use of Winrs/WinRM for execution, creation of sacrificial processes for code injection, COM hijacking via SpeechRuntime.exe, and direct registry modification of WFP filters to disable security tools. (WFP Filter Added via Registry, Potential Executable Run Itself As Sacrificial Process, Suspicious Speech Runtime Binary Child Process, Potential Lateral Movement via Windows Remote Shell, Winrs Local Command Execution)
Detection coverage for Linux systems is expanded. New rules detect defense evasion via deletion of audit rules with ‘auditctl’ or by stopping the Kaspersky agent. Another rule identifies the use of Python’s built-in web server modules for data staging or exfiltration. (Audit Rules Deleted Via Auditctl, Kaspersky Endpoint Security Stopped Via CommandLine - Linux, Python WebServer Execution - Linux)
A new rule detects the creation of Personal Information Exchange (.pfx) files. This action is monitored because attackers target these files to exfiltrate bundled private keys and certificates for impersonation or persistence. (PFX File Creation)
✎ Modified rules
Detection for command-line activity associated with Turla, Dtrack RAT, and general network discovery was made more robust. Several rules were updated to use regular expressions instead of simple string matching, which better handles variations in command whitespace and reduces evasion possibilities. (Turla Group Commands May 2020, Potential Dtrack RAT Activity, Suspicious Network Command)
Detection for Linux syslog clearing techniques was expanded. The rule now identifies a wider range of methods, including the use of tools like ‘shred’ and ‘journalctl’, and various shell redirection patterns used to erase or overwrite log files. The logic targets specific process images and arguments for better accuracy. (Syslog Clearing or Removal Via System Utilities)
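As an added illustration of the Linux command-line patterns summarised in the two paragraphs above (audit rule deletion via auditctl, Python's built-in web server, and syslog clearing through shred, journalctl and shell redirection), here is a small Python matcher run over constructed process-creation events. This is example code written for this digest, not a rule from SigmaHQ/sigma; the event field names, the shell list, the log-path pattern and the sample events are all assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    image: str      # full path of the executed binary, e.g. "/usr/sbin/auditctl"
    cmdline: str    # full command line as recorded by the audit/EDR sensor


# Assumptions for this example: which binaries count as shells and which
# paths count as log files. Adjust to the host's actual logging layout.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
LOG_PATH = re.compile(r"/var/log/\S+")
REDIRECT_TO_LOG = re.compile(r">{1,2}\s*/var/log/\S+")        # "> /var/log/x" or ">> /var/log/x"
AUDITCTL_DELETE = re.compile(r"(^|\s)-[Dd](\s|$)")              # -D drops all rules, -d drops one
PY_WEBSERVER = re.compile(r"-m\s+(http\.server|SimpleHTTPServer)(\s|$)")


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a short tag for the first matching pattern, or None."""
    name = basename(ev.image)
    args = ev.cmdline
    if name == "auditctl" and AUDITCTL_DELETE.search(args):
        return "audit_rules_deleted"
    if name.startswith("python") and PY_WEBSERVER.search(args):
        return "python_webserver"
    # Syslog clearing: a destructive utility aimed at a log file, journal
    # vacuuming, or a shell redirect that truncates/overwrites a log file.
    if name == "shred" and LOG_PATH.search(args):
        return "syslog_cleared"
    if name == "journalctl" and "--vacuum" in args:
        return "syslog_cleared"
    if name in SHELLS and REDIRECT_TO_LOG.search(args):
        return "syslog_cleared"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (cmdline, tag) for every event that matches a pattern."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag:
            hits.append((ev.cmdline, tag))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("/usr/sbin/auditctl", "auditctl -D"),
    ProcEvent("/usr/sbin/auditctl", "auditctl -l"),
    ProcEvent("/usr/bin/python3", "python3 -m http.server 8080"),
    ProcEvent("/usr/bin/python3", "python3 backup.py"),
    ProcEvent("/usr/bin/shred", "shred -u /var/log/auth.log"),
    ProcEvent("/bin/bash", 'bash -c "cat /dev/null > /var/log/syslog"'),
    ProcEvent("/usr/bin/journalctl", "journalctl --vacuum-time=1s"),
    ProcEvent("/usr/bin/journalctl", "journalctl -u sshd"),
    ProcEvent("/bin/bash", 'bash -c "ls /var/log"'),
]

if __name__ == "__main__":
    for cmdline, tag in scan(SAMPLE_EVENTS):
        print(f"{tag:22s} {cmdline}")
```

The matcher keys on the image name first and only then on arguments, which is what keeps a benign `ls /var/log` or `journalctl -u sshd` from firing; a `-D` appearing in some other program's arguments is likewise ignored because the auditctl check is gated on the binary name.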
The rule for detecting potential Kerberoasting activity was tuned to reduce false positives. A new filter was added to exclude Kerberos service ticket requests (Event ID 4769) that originate from machine accounts, improving the accuracy of the detection. (Kerberoasting Activity - Initial Query)
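To show what the machine-account exclusion described above does in practice, here is an added Python example (written for this digest, not the SigmaHQ rule itself) that filters Windows Security Event ID 4769 records. Field names follow the 4769 event schema; the RC4 encryption-type and ticket-options checks are the usual Kerberoasting heuristics and are assumptions of this example rather than text quoted from the rule. The sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event4769:
    target_user_name: str        # account that requested the ticket, e.g. "jdoe@CORP.LOCAL"
    service_name: str            # account owning the requested SPN
    ticket_encryption_type: str  # "0x17" = RC4-HMAC, "0x12" = AES256-CTS-HMAC-SHA1-96
    ticket_options: str          # "0x40810000" is the value commonly seen from roasting tooling
    status: str                  # "0x0" = ticket issued


RC4_HMAC = "0x17"              # assumption: only RC4 tickets are worth cracking offline
TYPICAL_OPTIONS = "0x40810000"  # assumption: ticket options typical of roasting requests


def is_machine_account(name: str) -> bool:
    """Computer accounts end with '$'; strip a 'user@REALM' suffix first."""
    return name.split("@", 1)[0].endswith("$")


def is_roasting_candidate(ev: Event4769) -> bool:
    if ev.status.lower() != "0x0":
        return False                                   # failed requests yield no ticket
    if ev.ticket_encryption_type.lower() != RC4_HMAC:
        return False
    if ev.ticket_options.lower() != TYPICAL_OPTIONS:
        return False
    svc = ev.service_name.lower()
    if svc == "krbtgt" or is_machine_account(svc):
        return False                                   # TGT renewals and computer SPNs are noise
    if is_machine_account(ev.target_user_name):
        return False                                   # the new filter: requests from machine accounts
    return True


def candidates(events: List[Event4769]) -> List[Event4769]:
    return [ev for ev in events if is_roasting_candidate(ev)]


def requesters(events: List[Event4769]) -> Dict[str, int]:
    """Candidate requests per requesting user. One user asking for many SPNs
    in a short window is the classic Kerberoasting signal."""
    return dict(Counter(ev.target_user_name for ev in candidates(events)))


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event4769("jdoe@CORP.LOCAL", "svc_sql", "0x17", "0x40810000", "0x0"),      # candidate
    Event4769("WS01$@CORP.LOCAL", "svc_sql", "0x17", "0x40810000", "0x0"),     # machine account requester
    Event4769("jdoe@CORP.LOCAL", "krbtgt", "0x17", "0x40810000", "0x0"),       # TGT, not an SPN
    Event4769("jdoe@CORP.LOCAL", "svc_web", "0x12", "0x40810000", "0x0"),      # AES ticket
    Event4769("jdoe@CORP.LOCAL", "FS01$", "0x17", "0x40810000", "0x0"),        # computer SPN
    Event4769("jdoe@CORP.LOCAL", "svc_backup", "0x17", "0x40810000", "0x0"),   # candidate
    Event4769("asmith@CORP.LOCAL", "svc_sql", "0x17", "0x40810000", "0x1f"),   # failed request
]

if __name__ == "__main__":
    for ev in candidates(SAMPLE_EVENTS):
        print(f"{ev.target_user_name} -> {ev.service_name}")
    print(requesters(SAMPLE_EVENTS))
```

Without the `is_machine_account(ev.target_user_name)` line, the second sample event (a workstation requesting a ticket for `svc_sql` during normal operation) would be reported alongside the genuine candidates, which is exactly the false-positive class the tuning removes.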
Personal repositories (3)
benscha/KQLAdvancedHunting (+3)
+ New rules
New rules detect obfuscation techniques. One rule identifies non-ASCII characters in script interpreter command lines, while another finds percent-encoded Bi-Directional control characters in URLs to uncover hidden malicious activity. (Script Interpreter Executing Commands with Non-ASCII Characters, BiDi Swap URL in DeviceNetworkEvents)
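The two checks above translate naturally into a pair of small functions. The following Python is an added example written for this digest, not code from benscha/KQLAdvancedHunting: one function reports non-ASCII characters in a script interpreter's command line, the other reports Unicode bidirectional control characters that appear percent-encoded in a URL. The interpreter list is an assumption, and the sample events and URLs are constructed.

```python
from typing import List
from urllib.parse import quote

# Assumption: process names treated as script interpreters.
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "python.exe"}

# Unicode bidirectional embedding/override/isolate characters (U+202A-U+202E,
# U+2066-U+2069) plus the LRM/RLM marks. U+202E (RIGHT-TO-LEFT OVERRIDE) is the
# one behind the "reversed file extension" display trick.
BIDI_CONTROLS = ([chr(c) for c in range(0x202A, 0x202F)]
                 + [chr(c) for c in range(0x2066, 0x206A)]
                 + ["\u200e", "\u200f"])

# UTF-8 percent-encoded form of each control, e.g. U+202E -> "%E2%80%AE".
BIDI_ENCODED = {quote(c, safe=""): f"U+{ord(c):04X}" for c in BIDI_CONTROLS}


def image_name(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def non_ascii_in_script_cmdline(image: str, cmdline: str) -> List[str]:
    """Distinct non-ASCII characters (as U+XXXX labels) in the command line,
    but only when the process is a script interpreter; otherwise []."""
    if image_name(image) not in SCRIPT_INTERPRETERS:
        return []
    return sorted({f"U+{ord(ch):04X}" for ch in cmdline if ord(ch) > 0x7F})


def bidi_in_url(url: str) -> List[str]:
    """BiDi controls present in percent-encoded form; the hex digits are
    matched case-insensitively so %e2%80%ae is caught as well as %E2%80%AE."""
    upper = url.upper()
    return [label for enc, label in BIDI_ENCODED.items() if enc in upper]


# Constructed sample telemetry (not real events).
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -c "Invoke-Expression (Get-Content .\\скрипт.ps1)"'),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Program Files\Editor\notepad.exe", "notepad.exe résumé.txt"),
]
SAMPLE_URLS = [
    "https://example.com/download/invoice%e2%80%aefdp.exe",
    "https://example.com/report.pdf",
    "https://example.com/%E2%81%A6/login",
]

if __name__ == "__main__":
    for image, cmdline in SAMPLE_PROCESSES:
        print(image_name(image), non_ascii_in_script_cmdline(image, cmdline))
    for url in SAMPLE_URLS:
        print(url, bidi_in_url(url))
```

Gating the first check on the interpreter name is what keeps ordinary non-English file names (the `notepad.exe résumé.txt` sample) out of the results, while the second check deliberately inspects the raw URL rather than its decoded form, since the encoded sequence is the artefact the rule is after.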
A new rule detects COM CLSID hijacking, a persistence and privilege escalation technique related to CVE-2025-2783. It monitors for registry modifications where the InProcServer32 key points to a DLL in a non-standard directory. (CLSID override)
bartblaze/Yara-rules (+1)
+ New rules
A new YARA rule detects the Earth Estries loader. The detection targets a specific hexadecimal byte pattern associated with code that loads a resource named ‘RES.RC’, a known malware indicator. (EE_Loader)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL rule detects modifications to the Windows Security Audit Policy. The detection monitors the DeviceRegistryEvents table for registry values indicating auditpol.exe usage, a common defense evasion tactic to alter security logging. (Detecting Modification of Windows Security Audit Policy (Auditpol.exe))
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.

