Detections Digest #20251117
This issue highlights key updates from 7 repositories, including 12 new and 70 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week's update covers the most significant changes to detection rules from 7 of the 50+ monitored GitHub repositories. Between Nov 10 and Nov 17, 2025, contributors added 12 new rules and updated 70 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Cloud threat detection was updated for AWS and Azure. New rules detect Azure disk snapshot deletion to spot evidence destruction and AWS EC2 instance export for data exfiltration. Numerous existing AWS detections were updated with better investigation guides and structured fields. An Azure rule for diagnostic settings deletion was converted to a stateful query to lower false positives. (elastic/detection-rules)
Linux coverage expanded with new detections and a wider data source integration. One new rule identifies SSH password grabbing by monitoring strace execution after an sshd process terminates. A large set of existing Linux rules was updated to ingest CrowdStrike Falcon Data Replicator logs, extending detection for C2, persistence, and container escapes. (elastic/detection-rules)
Multiple repositories refined detections for Windows persistence and LOLBAS abuse. Sigma rules for persistence via registry keys and scheduled tasks were tuned to filter legitimate system activity. Detections for wmic, robocopy, and rpcping were also updated to reduce false positives and improve logic. A new KQL query identifies unsigned executables running from user-writable locations. (SigmaHQ/sigma, benscha/KQLAdvancedHunting, splunk/security_content)
Phishing detections were updated to counter impersonation and deceptive links. New rules identify Microsoft Purview impersonation in PDF attachments and track the GoPhish framework via URL parameters. Existing rules for brand impersonation were refined with more specific sender and content checks, including regex and ML conditions. Logic to find Punycode links was simplified to flag the xn-- prefix directly. (sublime-security/sublime-rules)
New rules target initial access and payload delivery methods. One cross-platform rule detects first-time use of USB storage devices by tracking unique serial numbers per host. A YARA ruleset identifies malicious LNK files by finding embedded scripts, executables, or archives. A new KQL query hunts for exposed credentials on devices where Credential Guard is disabled. (elastic/detection-rules, bartblaze/Yara-rules, HybridBrothers/Hunting-Queries-Detection-Rules)
💥 Promo: Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. They contain all new and updated rules from the digests, with update descriptions and extracted observables. The feeds are available as MISP and STIX/TAXII feeds, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
elastic/detection-rules (+8, ✎45)
sublime-security/sublime-rules (+2, ✎6)
SigmaHQ/sigma (✎14)
Corporate repositories (4)
elastic/detection-rules (+8, ✎45)
+ New rules
Two rules detect the deletion of Azure disk snapshots, a technique to inhibit system recovery or destroy evidence. One rule identifies a single identity deleting multiple snapshots. The other flags a user deleting a snapshot within a resource group where they have not previously performed this action. (Azure Compute Snapshot Deletions by User, Azure Compute Snapshot Deletion by Unusual User and Resource Group)
New detections for Linux and macOS focus on credential access and code execution. One rule identifies SSH password grabbing by spotting strace execution immediately after an sshd process terminates. Another detects exploitation of CVE-2025-48384 in Git by monitoring for a git clone command that spawns a shell. (Potential SSH Password Grabbing via strace, Potential Git CVE-2025-48384 Exploitation)
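The strace-after-sshd sequence described above can be expressed as a small temporal correlation. The following Python is an added illustration written for this digest, not the Elastic rule's own query: it groups process lifecycle events per host and flags an strace start that follows an sshd termination within a short window. The event schema, the 5-second window, and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample process events (not real telemetry). Each record is a
# process start or end with a UTC ISO-8601 timestamp; the schema is assumed.
SAMPLE_EVENTS = [
    {"host": "bastion01", "ts": "2025-11-12T09:59:30", "action": "start",
     "name": "sshd", "pid": 4101, "args": "sshd: alice [priv]"},
    {"host": "bastion01", "ts": "2025-11-12T10:00:00", "action": "end",
     "name": "sshd", "pid": 4101, "args": ""},
    # strace attached right after the sshd process went away: the pattern of interest
    {"host": "bastion01", "ts": "2025-11-12T10:00:01", "action": "start",
     "name": "strace", "pid": 4102, "args": "strace -f -p 1200 -e trace=read -o /tmp/.s"},
    # strace on a developer box with no sshd exit nearby: routine debugging
    {"host": "dev02", "ts": "2025-11-12T11:00:00", "action": "start",
     "name": "strace", "pid": 810, "args": "strace -f ./app"},
    # sshd exit followed by strace five minutes later: outside the window
    {"host": "bastion01", "ts": "2025-11-12T12:00:00", "action": "end",
     "name": "sshd", "pid": 5000, "args": ""},
    {"host": "bastion01", "ts": "2025-11-12T12:05:00", "action": "start",
     "name": "strace", "pid": 5001, "args": "strace ls"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_strace_after_sshd_exit(events, window_s=5):
    """Return the strace start events that occur on the same host within
    window_s seconds after an sshd process terminated (window is an assumption)."""
    by_host = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_host[event["host"]].append(event)

    hits = []
    for host_events in by_host.values():
        sshd_exits = []  # timestamps of sshd terminations seen so far on this host
        for event in host_events:
            if event["action"] == "end" and event["name"] == "sshd":
                sshd_exits.append(_ts(event))
            elif event["action"] == "start" and event["name"] == "strace":
                started = _ts(event)
                if any(0 <= (started - exit_t).total_seconds() <= window_s
                       for exit_t in sshd_exits):
                    hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_strace_after_sshd_exit(SAMPLE_EVENTS):
        print(f"{hit['host']}: pid {hit['pid']} ran '{hit['args']}' shortly after sshd exit")
```

Only the bastion01 event at 10:00:01 is returned; the developer-box strace has no preceding sshd exit, and the 12:05 strace falls outside the window. Tuning the window is where most false positives live in practice: too wide and routine debugging after any SSH session ends will fire.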
Coverage for Windows post-exploitation is improved. One rule detects suspicious child processes spawned from the Windows Server Update Service (WSUS), indicating potential webshell activity. Another rule identifies command-line evasion by detecting Unicode modifier letters used to obfuscate arguments. (Windows Server Update Service Spawning Suspicious Processes, Command Obfuscation via Unicode Modifier Letters)
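To show what "Unicode modifier letters" means in a command line, here is an added Python example (not the Elastic rule's own logic): it flags any character whose Unicode general category is Lm, and applies NFKC normalization to recover the ASCII argument those characters stand in for. The sample command lines are constructed; how a given Windows binary actually folds these characters is outside this example, which only reports what is present.

```python
import unicodedata

# Constructed sample command lines. The first spells "whoami" entirely with
# modifier letters: U+02B7 U+02B0 U+1D52 U+1D43 U+1D50 U+2071 renders as ʷʰᵒᵃᵐⁱ.
OBFUSCATED = "cmd.exe /c \u02b7\u02b0\u1d52\u1d43\u1d50\u2071"
SAMPLE_COMMAND_LINES = [
    OBFUSCATED,
    "powershell.exe -nop -c whoami",                        # plain ASCII
    'notepad.exe "C:\\Users\\alice\\r\u00e9sum\u00e9.txt"', # accented letters are Ll, not Lm
]


def modifier_letters(cmdline):
    """Return (offset, char, name) for every character of category Lm."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(cmdline)
            if unicodedata.category(ch) == "Lm"]


def normalize_command(cmdline):
    """NFKC maps compatibility characters such as superscript and modifier
    letters onto their base letters, revealing the intended argument."""
    return unicodedata.normalize("NFKC", cmdline)


def is_suspicious(cmdline, min_hits=1):
    """Threshold on the number of Lm characters; min_hits is a tuning assumption."""
    return len(modifier_letters(cmdline)) >= min_hits


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        hits = modifier_letters(line)
        if hits:
            print(f"suspicious: {line!r}")
            print(f"  normalized: {normalize_command(line)!r}")
            for offset, ch, name in hits:
                print(f"  offset {offset}: U+{ord(ch):04X} {name}")
```

Pairing the raw and NFKC-normalized forms in an alert lets an analyst see both the evasion attempt and the command it was meant to run. Note that accented Latin letters in legitimate file names are category Ll and do not trigger this check.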
A new rule detects potential data exfiltration from AWS by monitoring CloudTrail logs. It identifies successful API calls, such as CreateInstanceExportTask, used to export entire EC2 virtual machine instances or images to an off-account location. (AWS EC2 Export Task)
A rule was added to detect initial access or data exfiltration attempts using removable media on Windows and macOS. The detection logic identifies the first-time use of a device by tracking unique serial number and host ID combinations from mount events. (New USB Storage Device Mounted)
✎ Modified rules
A large set of Linux threat detection rules now ingests CrowdStrike Falcon Data Replicator (FDR) logs, expanding coverage without requiring new logic. This update affects rules detecting techniques such as C2 via Telegram, Node.js payload execution, persistence via Git hooks, container escapes, and exploitation of CUPS vulnerabilities including CVE-2024-47176. (AWS CLI Command with Custom Endpoint URL, Curl or Wget Spawned via Node.js, IPv4/IPv6 Forwarding Activity, Suspicious Kernel Feature Activity, GitHub Authentication Token Access via Node.js, Kubectl Permission Discovery, Potential Hex Payload Execution via Command-Line, Printer User (lp) Shell Execution, Linux Telegram API Request, Virtual Machine Fingerprinting, Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments, Interactive Terminal Spawned via Perl, among others)
Numerous AWS threat detection rules for CloudTrail and IAM were updated to improve analyst workflow. Changes include rewritten investigation guides, the addition of structured investigation fields, and refined query logic. The rules detect defense evasion like manipulating CloudTrail logs, data collection via EC2 traffic mirroring, and exfiltration through public EBS snapshot sharing. (AWS EC2 Encryption Disabled, AWS S3 Bucket Server Access Logging Disabled, AWS EC2 Full Network Packet Capture Detected, AWS S3 Bucket Expiration Lifecycle Configuration Added, AWS EC2 EBS Snapshot Shared or Made Public, AWS EC2 EBS Snapshot Access Removed, AWS CloudTrail Log Created, AWS CloudTrail Log Deleted, AWS IAM User Addition to Group, AWS CloudTrail Log Suspended, AWS IAM Group Creation, AWS IAM Group Deletion, AWS CloudTrail Log Updated)
Detection logic for Microsoft cloud services was updated. The rule for M365 ‘Global Administrator’ role assignment was broadened to cover all target types. The rule for Azure diagnostic setting deletion was converted to a stateful query to reduce false positives from routine administration. (Microsoft 365 Global Administrator Role Assigned, Azure Diagnostic Settings Deletion)
Detection logic for ransomware and agent activity was tuned. An ES|QL-based rule for potential ransom note creation via SMB was updated to add more user and host context to alerts. A separate rule for agent ID mismatches was updated to exclude agentless hostnames to reduce false positives. (Agent Spoofing - Mismatched Agent ID, Potential Ransomware Behavior - Note Files by System)
sublime-security/sublime-rules (+2, ✎6)
+ New rules
Two new rules detect phishing attacks. One rule identifies Microsoft Purview impersonation by using OCR and NLU to analyze PDF attachments for secure message notifications. The second rule detects links from the GoPhish framework by matching a specific 7-character ‘rid’ query parameter. (Attachment: PDF with Microsoft Purview message impersonation, Link: GoPhish default rid value)
✎ Modified rules
Detection for brand impersonation phishing was updated across four rules. The changes improve identification of Twitter/X, Quickbooks, Proofpoint, and fax service impersonation by adding more specific checks on sender display names, domains, and email body content. The updates include new regex patterns, analysis of sender email local-parts, and additional machine learning conditions. (Brand impersonation: Twitter, Brand impersonation: Fake Fax, Brand impersonation: Proofpoint secure messaging without legitimate indicators, Brand impersonation: Quickbooks)
Two rules were updated to better detect deceptive phishing links. One rule now directly flags any link domain containing a label with the xn-- Punycode prefix, simplifying its logic. Another rule was changed to detect phishing links hosted on domains associated with self-service site creation platforms. (Link to a domain with punycode characters, Link: Display text matches subject line)
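The two link checks mentioned in this section (the GoPhish rid parameter from the new-rules entry above, and the xn-- Punycode prefix here) are both simple URL-level tests. The Python below is an added example for this digest, not Sublime's MQL: it parses each link, checks the rid query parameter for a 7-character alphanumeric value (the alphanumeric alphabet is assumed from GoPhish's default generator), flags any host label starting with xn--, and additionally decodes the host through IDNA so an analyst sees the Unicode form. The sample links are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample links; none are taken from the digest or a real campaign.
SAMPLE_LINKS = [
    "https://portal.example.net/track?rid=Ab3xY9q",   # GoPhish-style 7-char rid
    "https://xn--pple-43d.com/login",                 # Punycode host: Cyrillic a + "pple"
    "https://www.example.com/docs?id=1234567",        # benign
    "http://mail.example.org/?rid=toolongvalue",      # rid present, wrong length
]

# Assumed GoPhish default: 7 characters from [A-Za-z0-9].
GOPHISH_RID = re.compile(r"^[A-Za-z0-9]{7}$")


def has_gophish_rid(url):
    """True if any 'rid' query value matches the assumed 7-char alphanumeric form."""
    values = parse_qs(urlsplit(url).query).get("rid", [])
    return any(GOPHISH_RID.match(v) for v in values)


def punycode_labels(url):
    """Return the host labels that carry the xn-- (Punycode) prefix."""
    host = urlsplit(url).hostname or ""
    return [label for label in host.split(".") if label.startswith("xn--")]


def decode_host(url):
    """IDNA-decode the host so the Unicode form is visible; this goes beyond
    the prefix check the rule itself performs."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def classify(url):
    """Return a list of finding strings for one link (empty means no finding)."""
    findings = []
    if has_gophish_rid(url):
        findings.append("gophish_rid")
    labels = punycode_labels(url)
    if labels:
        findings.append(f"punycode_host:{decode_host(url)}")
    return findings


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link} -> {classify(link) or 'clean'}")
```

The Punycode check stays a plain prefix test, as the updated rule does; the decoded form is attached only as investigation context, since a flagged link that decodes to a look-alike brand name is the case an analyst most wants to see immediately.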
SigmaHQ/sigma (✎14)
✎ Modified rules
Multiple rules for detecting persistence via registry modifications and scheduled tasks were updated. These changes primarily reduce false positives by adding filters for legitimate system processes, application updaters, and null registry values. Techniques covered include modifications to ASEP, Application Shim, and Task Scheduler cache keys. Coverage for COM hijacking was also broadened by adding a new CLSID to monitor. (Modification of IE Registry Settings, Classes Autorun Keys Modification, Potential Persistence Via Shim Database Modification, COM Object Hijacking Via Modification Of Default System CLSID Default Value, Scheduled TaskCache Change by Uncommon Program, Scheduled Task Creation Via Schtasks.EXE)
Detections for abuse of native Windows binaries for reconnaissance and lateral movement were improved. Updates refine command-line matching for remote wmic.exe execution and robocopy/xcopy operations to administrative shares. False positives are reduced in wmic.exe software discovery by filtering legitimate install/uninstall commands. The detection logic for Rpcping.exe credential capture was also refactored for clarity. (Potential Product Reconnaissance Via Wmic.EXE, WMIC Remote Command Execution, Capture Credentials with Rpcping.exe, Copy From Or To Admin Share Or Sysvol Folder)
Two rules targeting defense evasion techniques were refined for better precision. Detection of 8.3 short name path obfuscation now filters legitimate activity from the .NET C# compiler. The rule for detecting command execution via explorer.exe to break the process tree was refactored for improved logic clarity. (Use Short Name Path in Command Line, Explorer Process Tree Break)
Targeted updates were made to a rule for an initial access technique and another for a specific malware family. The severity for detecting newly created macro-enabled Office files was lowered. Detection for the Dtrack RAT was made more precise by refining the regular expression that identifies its unique ping command-line pattern. (Office Macro File Download, Potential Dtrack RAT Activity)
splunk/security_content (✎1)
✎ Modified rules
A rule detecting anomalous svchost.exe parent processes was updated to account for a failing unit test. The failure is caused by a Sysmon parsing issue in a recent version of the Windows Technology Add-on, not by a defect in the detection logic. The change adds a manual test tag for operational awareness. (Windows Svchost.exe Parent Process Anomaly)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.
Personal repositories (3)
HybridBrothers/Hunting-Queries-Detection-Rules (+1)
+ New rules
A new KQL query for Microsoft Defender XDR identifies devices where Credential Guard is disabled and critical user credentials are present. The detection uses ExposureGraph tables to map vulnerable devices to specific high-value accounts, exposing credential access risks. (Hunt for critical credentials on non Credential Guard enabled devices)
benscha/KQLAdvancedHunting (+1)
+ New rules
A new KQL rule detects the execution of unsigned or invalidly signed executables from user-writable locations like \Users\ or \ProgramData. The detection logic identifies processes with an invalid signature status, low global prevalence, and an unsigned state to find potentially malicious software. (Suspicious unsigned File executed in User writeable Folder)
bartblaze/Yara-rules (✎4)
✎ Modified rules
A set of YARA rules detects malicious Windows Shortcut (LNK) files. The rules identify embedded scripting artifacts such as PowerShell, JScript, and VBScript, as well as signs of embedded executables and archive files used for payload delivery. In this update the PowerShell detection logic was refined to require at least two indicators, reducing potential false positives. (PS_in_LNK, Script_in_LNK, EXE_in_LNK, Archive_in_LNK)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.


