Detections Digest #20251124
The issue highlights key updates from 9 repos, including 53 new and 37 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 9 of the 50+ monitored GitHub repositories. Between Nov 17 and Nov 24, 2025, contributors added 53 new rules and updated 37 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple repositories added coverage for Windows defense evasion and credential access. Both elastic/detection-rules and SigmaHQ/sigma introduced rules to detect svchost.exe process masquerading. Kerberoasting detection was added or tuned in SigmaHQ/sigma and elastic/protections-artifacts, keyed either on use of a specific .NET class or on LDAP-then-Kerberos network correlation. Other rules target GPO manipulation and registry modification via VBScript. (elastic/detection-rules, SigmaHQ/sigma, elastic/protections-artifacts, splunk/security_content)
New and modified rules improve phishing detection, covering both specific campaigns and generic TTPs. New logic identifies the Mamba 2FA phishing kit via URL redirects and Facebook business impersonation lures. A new BEC rule flags reply-to domain mismatches from low-prevalence senders, and the financial BEC rule now matches more sender display names such as ‘Coordinator’. Brand impersonation rules now run OCR on image attachments to catch fake Google Drive notifications. (sublime-security/sublime-rules)
Detections for Cisco ASA devices were added in response to recent vulnerabilities and adversary techniques. Sigma added a rule for exploitation attempts against CVE-2025-20333 and CVE-2025-20362. Splunk added a broad set of rules that monitor ASA syslog events for reconnaissance, configuration exfiltration, log tampering, and user account manipulation. (SigmaHQ/sigma, splunk/security_content)
Detection logic was created for several recently disclosed vulnerabilities. Splunk added four rules for DNS-based Kerberos coercion (CVE-2025-33073) using AD, network, and endpoint telemetry. The elastic/protections-artifacts repo added a rule for a sudo privilege escalation vulnerability (CVE-2025-32463). Another rule targets potential WSUS exploitation related to CVE-2025-59287. (splunk/security_content, elastic/protections-artifacts)
Cloud identity and access management is a focus of recent rule updates. Elastic tuned multiple AWS IAM rules to better find persistence and privilege escalation via anomalous MFA device activity and SAML provider changes. In parallel, new KQL queries were published to audit OAuth application permissions in Entra ID and to detect suspicious MFA registrations from new IP addresses. (elastic/detection-rules, benscha/KQLAdvancedHunting, alexverboon/Hunting-Queries-Detection-Rules)
💥 Promo: Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. They contain all new and updated rules from the digests, with update descriptions and extracted observables. The feeds are available through MISP and STIX/TAXII endpoints, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
sublime-security/sublime-rules (+5, ✎10)
elastic/detection-rules (+1, ✎8)
SigmaHQ/sigma (+10, ✎4)
splunk/security_content (+18, ✎2)
elastic/protections-artifacts (+13, ✎11)
Corporate repositories (5)
sublime-security/sublime-rules (+5, ✎10)
+ New rules
New rules target specific credential phishing campaigns. One identifies Facebook business impersonation emails by looking for social engineering phrases combined with suspicious links. Another detects the Mamba 2FA phishing kit by inspecting URL redirects for known Base64-encoded indicators. (Service abuse: Facebook business with action required subject, Link: Mamba 2FA phishing kit)
New detections for social engineering and Business Email Compromise (BEC) are added. One rule flags fraudulent credit card offers that use attachments to harvest personal data via WhatsApp. Another identifies potential BEC attacks by detecting reply-to domain mismatches from low-prevalence senders. (Attachment: Credit card application with WhatsApp contact, Headers: Invalid recipient domain with mismatched reply-to from new sender)
A new rule detects HTML attachments used to hide malicious files. The logic finds base64-encoded ZIP or Office files alongside JavaScript decoding functions intended to reconstruct the payload on the client side. (Attachment: HTML smuggling with base64 encoded ZIP file)
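The HTML smuggling logic described above, as an added example that is not part of the Sublime rule or this digest: it scans an HTML attachment for long base64 runs, decodes only a 4-aligned prefix of each run to check the file signature (ZIP/OOXML or legacy OLE2), and requires client-side decoding idioms to be present before calling it smuggling. The 64-character run threshold, the decoder-hint list and both sample attachments are constructed assumptions for the example.

```python
import base64
import io
import re
import zipfile

# Base64 runs long enough to carry a file rather than a token; 64 chars is an assumed threshold.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# JavaScript idioms used to turn an inline string back into a file on the client (assumed indicator list).
DECODER_HINTS = ("atob(", "Uint8Array", "new Blob(", "createObjectURL(")
# File signatures the decoded prefix is checked against.
MAGIC = {
    b"PK\x03\x04": "zip (also docx/xlsx/pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy doc/xls/ppt)",
}


def decoded_prefix(b64_text, nchars=12):
    """Decode a 4-aligned prefix only: enough bytes for a magic check, no full decode of the blob."""
    return base64.b64decode(b64_text[:nchars])


def embedded_file_types(html):
    """Return the archive/document types found base64-embedded anywhere in the HTML."""
    types = []
    for m in B64_RUN.finditer(html):
        head = decoded_prefix(m.group(0))
        for magic, label in MAGIC.items():
            if head.startswith(magic):
                types.append(label)
    return types


def detect_html_smuggling(html):
    """Verdict plus evidence: an embedded file payload AND client-side decoding logic must both be present."""
    payloads = embedded_file_types(html)
    decoders = [h for h in DECODER_HINTS if h in html]
    return {"smuggling": bool(payloads) and bool(decoders), "payloads": payloads, "decoders": decoders}


def _build_sample_zip():
    # Constructed harmless archive standing in for a smuggled payload.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// placeholder content for the example")
    return buf.getvalue()


# Constructed attachment: base64 ZIP rebuilt in the browser and auto-downloaded.
SMUGGLING_HTML = (
    "<html><body><script>"
    "var p='" + base64.b64encode(_build_sample_zip()).decode() + "';"
    "var b=atob(p);var u=new Uint8Array(b.length);"
    "for(var i=0;i<b.length;i++){u[i]=b.charCodeAt(i);}"
    "var f=new Blob([u],{type:'application/zip'});"
    "var a=document.createElement('a');a.href=URL.createObjectURL(f);"
    "a.download='Invoice.zip';a.click();"
    "</script></body></html>"
)

# Constructed benign attachment: an inline image is also a long base64 run, but no archive and no decoder.
BENIGN_HTML = (
    "<html><body><img src='data:image/png;base64,"
    + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 90).decode()
    + "'></body></html>"
)
```

The benign sample matters: inline images are base64 too, so matching on "long base64 string" alone would fire on every HTML newsletter; the signature check plus the decoder requirement is what keeps the rule specific.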
✎ Modified rules
Detection for brand impersonation phishing was updated across several rules. Improvements include better validation of Proofpoint secure message redirect chains, new logic for Social Security Administration ‘Digital Statement’ lures, and OCR on image attachments for fake Google Drive notifications. Rules targeting DocuSign and generic e-signature phishing were updated to find obfuscated link text and keywords. (Brand impersonation: Proofpoint secure messaging without legitimate indicators, Impersonation: Social Security Administration (SSA), Credential phishing: DocuSign embedded image lure with no DocuSign domains in links, Brand impersonation: Google Drive fake file share, Credential phishing: Suspicious e-sign agreement document notification)
Rules targeting Business Email Compromise (BEC) and related scams were refined. The rule for financial BEC now matches more sender display names, including roles like ‘Coordinator’ and ‘Manager’. The callback phishing rule detects shorter lure messages and more phone number formats. Another rule now checks for invisible Unicode characters used to hide malicious links in fake email threads. (Suspicious request for financial information, Fake thread with suspicious indicators, Callback phishing in body or attachment (untrusted sender))
Coverage for job scams and spam solicitations was improved. The job scam rule has new logic to identify fraudulent indicators from email content and sender behavior. The rule for unsolicited website error reports was updated with broader keyword matching and a requirement that the body mentions ‘site’ or ‘website’ to refine its focus. (BEC/Fraud: Job scam fake thread or plaintext pivot to freemail, Spam: Website errors solicitation)
elastic/detection-rules (+1, ✎8)
+ New rules
A new rule detects process masquerading where adversaries use the svchost.exe name. The logic identifies svchost.exe process executions originating from file paths outside the standard C:\Windows\System32 and C:\Windows\SysWOW64 directories, a common defense evasion technique. (Potential Masquerading as Svchost)
✎ Modified rules
Multiple rules targeting AWS Identity and Access Management (IAM) were updated to better detect persistence and privilege escalation. The changes focus on anomalous MFA device activity, abuse of EC2 instance credentials for console login, and unauthorized SAML provider modifications. Updates include query logic refinements, improved filtering to reduce false positives, and expanded analyst investigation guides. (AWS IAM Virtual MFA Device Registration Attempt with Session Token, AWS IAM Deactivation of MFA Device, AWS EC2 Instance Console Login via Assumed Role, AWS IAM SAML Provider Updated)
A rule detecting lateral movement on Windows via PowerShell and the Task Scheduler COM DLL was tuned. The update improves accuracy by using a CIDR-based exclusion for all loopback network traffic, reducing false positives from local RPC activity. (Outbound Scheduled Task Activity via PowerShell)
The rule for detecting malicious file staging in world-writable Linux directories was updated. An exception was added for temporary files created by Ansible to reduce alerts from legitimate automation. (Remote File Creation in World Writeable Directory)
Two rules related to AWS ElastiCache security groups were marked as deprecated. These rules are now intended for historical analysis of legacy CloudTrail logs following the retirement of EC2-Classic services. (Deprecated - AWS ElastiCache Security Group Created, Deprecated - AWS ElastiCache Security Group Modified or Deleted)
SigmaHQ/sigma (+10, ✎4)
+ New rules
Three new rules detect registry modifications performed by scripting engines. The detections identify the use of VBScript objects like Wscript.shell within PowerShell or via command-line execution, and direct registry changes by processes like wscript.exe and cscript.exe. This targets adversary techniques for persistence and defense evasion that avoid standard registry utilities. (Registry Modification Attempt Via VBScript - PowerShell, Registry Modification Attempt Via VBScript, Registry Tampering by Potentially Suspicious Processes)
Two rules now detect modifications to the Default Domain and Default Domain Controllers Group Policy Objects. Detection is based on monitoring process command-line arguments for mmc.exe containing the policy GUIDs, and on Windows Security Event ID 5136, providing coverage across different telemetry for this high-impact adversary technique. (Windows Default Domain GPO Modification via GPME, Windows Default Domain GPO Modification)
New detections target adversary use of PowerShell for credential access and remote access preparation. One rule identifies Kerberos ticket requests for Kerberoasting attacks by spotting the use of the KerberosRequestorSecurityToken .NET class. Another rule detects the enabling of RDP via WMI or PowerShell commands. (RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class, Suspicious Kerberos Ticket Request via CLI)
A new rule detects exploitation attempts against Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362. The detection identifies suspicious GET requests to known malicious WebVPN URI paths in proxy logs. (Cisco ASA Exploitation Activity - Proxy)
Coverage for Windows execution and defense evasion is expanded. A new rule identifies svchost.exe process masquerading by flagging uncommon command-line parameters. Another rule detects ClickFix and FileFix social engineering attacks by monitoring for suspicious commands containing a ‘#’ character spawned from explorer.exe. (Uncommon Svchost Command Line Parameter, Suspicious ClickFix/FileFix Execution Pattern)
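The two svchost.exe masquerading checks summarized in this issue (elastic/detection-rules: image path outside System32/SysWOW64; SigmaHQ/sigma: uncommon command-line parameters) combined in one added example. This is not the code of either rule; the allowed directories, the set of accepted switches (-k, -p, -s) and the sample events are assumptions made for the example.

```python
import ntpath
import shlex
from dataclasses import dataclass

# Directories a genuine service host runs from (assumption for this example; compared case-insensitively).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Switches svchost.exe accepts on a normal service-host command line (assumption; anything else is flagged).
KNOWN_SWITCHES = {"-k", "-p", "-s"}


@dataclass
class ProcessEvent:
    image: str          # full executable path (Sysmon Image / 4688 NewProcessName)
    command_line: str   # Sysmon CommandLine / 4688 Process Command Line


def split_cmdline(cmdline):
    # posix=False keeps backslashes literal, which Windows paths need; quotes are then stripped per token.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def check_svchost(ev):
    """Return the reasons this process looks like svchost masquerading; an empty list means clean."""
    directory, name = ntpath.split(ev.image)
    if name.lower() != "svchost.exe":
        return []
    reasons = []
    if directory.lower().rstrip("\\") not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"image outside system directories: {ev.image}")
    args = split_cmdline(ev.command_line)[1:]
    switches = [a.lower() for a in args if a.startswith("-")]
    if "-k" not in switches:
        reasons.append("no -k <service group> argument")
    unknown = sorted(set(switches) - KNOWN_SWITCHES)
    if unknown:
        reasons.append("uncommon parameter(s): " + ", ".join(unknown))
    return reasons


def scan(events):
    """Map each flagged command line to its reasons."""
    return {ev.command_line: r for ev in events if (r := check_svchost(ev))}


# Constructed sample events.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(r"C:\Windows\SysWOW64\svchost.exe",
                 r"C:\Windows\SysWOW64\svchost.exe -k wsappx -p"),
    # Real name, wrong directory: the elastic-style check fires.
    ProcessEvent(r"C:\Users\Public\svchost.exe",
                 r'"C:\Users\Public\svchost.exe" -k netsvcs'),
    # Right directory, but a service host does not take these arguments: the Sigma-style check fires.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"svchost.exe -c 192.0.2.10 -port 4444"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
]
```

The two checks are complementary: a renamed binary in a user directory still carries a plausible -k argument, and an injected or hollowed real svchost.exe sits in the right directory but shows arguments a service host never receives.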
✎ Modified rules
Detection for RDP configuration tampering was improved across two rules. Both now monitor modifications to the SecurityLayer registry key, a common defense evasion technique. A filter was also added to both rules to ignore legitimate changes that set the security layer to use TLS, reducing false positives. (Potential Tampering With RDP Related Registry Keys Via Reg.EXE, RDP Sensitive Settings Changed)
A rule detecting malicious NTFS symbolic link modification via ‘fsutil.exe’ was updated. Detection now covers proxy execution through ‘cmd.exe’ and ‘powershell.exe’. The logic was also made more specific by targeting commands that enable remote-to-local and remote-to-remote link evaluation, a technique used by ransomware. (Potentially Suspicious NTFS Symlink Behavior Modification)
The rule for detecting PowerShell-based Kerberoasting was refined for higher accuracy. The logic now requires both the .NET class ‘System.IdentityModel.Tokens.KerberosRequestorSecurityToken’ and the ‘.GetRequest()’ method to be present, making the detection more specific to the attack technique. (Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock)
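The two-token test above (the KerberosRequestorSecurityToken class plus a .GetRequest() call) run over constructed Event ID 4104 script block records, as an added example that is not the Sigma rule's own code. It also handles a caveat the summary does not mention: PowerShell logs long scripts as several 4104 fragments sharing one ScriptBlockId, so a per-event match can miss a script whose class reference and method call land in different fragments. The fragment field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) follow the 4104 event; the sample scripts are constructed.

```python
import re
from collections import defaultdict

CLASS_TOKEN = "system.identitymodel.tokens.kerberosrequestorsecuritytoken"
# Allow whitespace inside the call so "GetRequest( )" and "GetRequest()" both match.
METHOD_RE = re.compile(r"\.getrequest\s*\(\s*\)")


def matches_kerberoast(script_text):
    """Rule logic from the digest: both the .NET class and the .GetRequest() call must appear."""
    t = script_text.lower()
    return CLASS_TOKEN in t and METHOD_RE.search(t) is not None


def reassemble_script_blocks(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order."""
    parts = defaultdict(dict)
    for ev in events:
        parts[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(chunks[n] for n in sorted(chunks)) for sbid, chunks in parts.items()}


def find_kerberoast_blocks(events, reassemble=True):
    """ScriptBlockIds that match, evaluated per whole script (reassemble=True) or per fragment."""
    if reassemble:
        texts = reassemble_script_blocks(events)
    else:
        texts = {f'{ev["ScriptBlockId"]}#{ev["MessageNumber"]}': ev["ScriptBlockText"] for ev in events}
    return {key.split("#")[0] for key, text in texts.items() if matches_kerberoast(text)}


# Constructed 4104 records.
SAMPLE_4104 = [
    # Single-fragment script that requests a ticket for one SPN.
    {"ScriptBlockId": "sb-1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Add-Type -AssemblyName System.IdentityModel\n"
                        "$t = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
                        "-ArgumentList 'MSSQLSvc/db01.corp.example:1433'\n"
                        "$t.GetRequest()"},
    # References the class but never requests a ticket: must not match.
    {"ScriptBlockId": "sb-2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[System.IdentityModel.Tokens.KerberosRequestorSecurityToken].FullName"},
    # Longer script split into two fragments; class name and call land in different events.
    {"ScriptBlockId": "sb-3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$spns = Get-ADUser -Filter {ServicePrincipalName -ne '$null'} "
                        "-Properties ServicePrincipalName\n"
                        "foreach ($s in $spns) { $tok = New-Object "
                        "System.IdentityModel.Tokens.KerberosRequestorSecurityToken $s.ServicePrincipalName[0]\n"},
    {"ScriptBlockId": "sb-3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "  $tok.GetRequest( ) | Set-Content \"$env:TEMP\\$($s.SamAccountName).kirbi\" }"},
]
```

Whether a SIEM evaluates the rule per event or per reassembled script depends on the backend; when it is per event, a fragment-level AND of two tokens trades a lower false-positive rate for exactly the gap sb-3 shows.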
splunk/security_content (+18, ✎2)
+ New rules
Four new rules provide detection for DNS-based Kerberos coercion attacks (CVE-2025-33073). Detection methods include monitoring for rapid DNS object creation and deletion in Active Directory, searching for credential structures in DNS queries from Suricata or Sysmon logs, and inspecting Sysmon process command lines and AD object events for specific Base64-encoded patterns. (Windows Short Lived DNS Record, DNS Kerberos Coercion, Windows Kerberos Coercion via DNS, Windows Credential Target Information Structure in Commandline)
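The "rapid DNS object creation and deletion in Active Directory" idea behind the short-lived DNS record rule, as an added example that is not Splunk's own search: it pairs a Windows Security 5137 (directory service object created) with a later 5141 (object deleted) for the same dnsNode distinguished name and flags pairs whose lifetime is under a threshold. The assumption that AD-integrated DNS records surface as dnsNode objects in these two events, the 5-minute threshold, and all events are constructed for the example; the Base64-pattern checks of the other three rules are not reproduced here.

```python
from datetime import datetime

DNS_NODE_CLASS = "dnsnode"
CREATED, DELETED = 5137, 5141   # Windows Security: directory service object created / deleted


def record_name(dn):
    """First RDN value of a dnsNode DN, e.g. 'DC=host01,DC=corp.example,...' -> 'host01'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def short_lived_dns_records(events, max_lifetime_seconds=300):
    """Pair each dnsNode 5137 with the next 5141 for the same DN; report pairs closer than the threshold."""
    pending = {}   # lowercased DN -> (created_at, creator)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):   # ISO timestamps sort lexically
        if ev.get("ObjectClass", "").lower() != DNS_NODE_CLASS:
            continue
        key = ev["ObjectDN"].lower()
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == CREATED:
            pending[key] = (when, ev["SubjectUserName"])
        elif ev["EventID"] == DELETED and key in pending:   # deletions without a seen create are ignored
            created_at, creator = pending.pop(key)
            lifetime = (when - created_at).total_seconds()
            if lifetime <= max_lifetime_seconds:
                hits.append({"record": record_name(ev["ObjectDN"]), "creator": creator,
                             "deleter": ev["SubjectUserName"], "lifetime_seconds": lifetime})
    return hits


ZONE = "DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"

# Constructed events, deliberately out of order to exercise the sort.
SAMPLE_EVENTS = [
    {"EventID": 5141, "Time": "2025-11-20T10:00:42", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=tmp-a1b2c3," + ZONE, "SubjectUserName": "jdoe"},
    {"EventID": 5137, "Time": "2025-11-20T10:00:00", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=tmp-a1b2c3," + ZONE, "SubjectUserName": "jdoe"},
    # Normal record lifecycle: six hours between create and delete.
    {"EventID": 5137, "Time": "2025-11-20T08:00:00", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=printsrv02," + ZONE, "SubjectUserName": "svc-dhcp"},
    {"EventID": 5141, "Time": "2025-11-20T14:00:00", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=printsrv02," + ZONE, "SubjectUserName": "svc-dhcp"},
    # Deletion whose creation predates the log window.
    {"EventID": 5141, "Time": "2025-11-20T09:30:00", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=laptop-17," + ZONE, "SubjectUserName": "svc-dhcp"},
    # Quick create/delete of a non-DNS object: out of scope for this rule.
    {"EventID": 5137, "Time": "2025-11-20T10:05:00", "ObjectClass": "user",
     "ObjectDN": "CN=tempuser,OU=Staff,DC=corp,DC=example", "SubjectUserName": "jdoe"},
    {"EventID": 5141, "Time": "2025-11-20T10:05:10", "ObjectClass": "user",
     "ObjectDN": "CN=tempuser,OU=Staff,DC=corp,DC=example", "SubjectUserName": "jdoe"},
]
```

Tune the threshold against DHCP-driven dynamic updates in your domain before alerting on it; the creator field is there so that service accounts that legitimately churn records can be excluded rather than raising the threshold for everyone.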
A new set of rules monitors Cisco ASA syslog events to detect adversary activity on network devices. Detections target reconnaissance through packet captures and bulk ‘show’ commands, exfiltration of configuration files, and defense evasion via log tampering. (Cisco ASA - Packet Capture Activity, Cisco ASA - Device File Copy to Remote Location, Cisco ASA - Device File Copy Activity, Cisco ASA - Logging Filters Configuration Tampering, Cisco ASA - Logging Message Suppression, Cisco ASA - Reconnaissance Command Activity)
New rules were added to detect account and policy manipulation on Cisco ASA devices. The rules monitor specific syslog events for the creation, deletion, or privilege escalation of local user accounts, modifications to AAA security policies, and account lockouts indicative of brute-force attempts. (Cisco ASA - AAA Policy Tampering, Cisco ASA - New Local User Account Created, Cisco ASA - User Account Lockout Threshold Exceeded, Cisco ASA - User Account Deleted From Local Database, Cisco ASA - User Privilege Level Change)
Two rules were added to detect Windows defense evasion techniques using Sysmon data. One identifies executables masquerading as benign file types by monitoring File Block events (EventID 29). The other detects the clearing of command execution history by monitoring for the deletion of RunMRU registry keys. (Windows Executable Masquerading as Benign File Types, Windows RunMRU Registry Key or Value Deleted)
A new rule detects the misuse of NetSupport Remote Manager software as a Remote Access Trojan (RAT). The detection identifies the loading of specific NetSupport DLLs from non-standard file paths, a common indicator of malicious use of the legitimate tool. (Windows NetSupport RMM DLL Loaded By Uncommon Process)
✎ Modified rules
Two rules targeting defense evasion on Cisco ASA devices were refined. The rule that detects explicit logging-disable commands now uses pre-parsed fields instead of regex for better performance. The rule that flags potential log suppression by monitoring for a drop in syslog volume, mapped to CVE-2025-20333 and CVE-2025-20362, had its Splunk query optimized. (Cisco ASA - Core Syslog Message Volume Drop, Cisco ASA - Logging Disabled via CLI)
elastic/protections-artifacts (+13, ✎11)
+ New rules
New macOS rules detect suspicious scripting activity: Python processes accessing multiple files, a pattern consistent with stealer malware; Python loading non-standard libraries from user directories; and untrusted processes creating Perl scripts in temporary locations. (Potential Python Stealer, Perl Script File Creation or Modification, Unusual Library Load via Python)
Two new rules cover Linux privilege escalation and command and control. One rule detects attempts to exploit a sudo vulnerability (CVE-2025-32463) by monitoring for specific command-line options. The other identifies the creation of an OpenSSL reverse shell that uses named pipes for C2 communication. (Potential CVE-2025-32463 Sudo Chroot Execution Attempt, OpenSSL Reverse Shell Activity via Named Pipe)
Coverage for Windows post-exploitation is extended. New rules detect suspicious child processes from IIS (w3wp.exe) and WSUS, with the latter possibly related to CVE-2025-59287. Another rule identifies shells spawned by processes with command-line arguments typical of Netcat listeners. (Potential Shell Execution via NetCat, Suspicious Microsoft IIS Child Process, Suspicious Windows Server Update Service Child Process)
Added detections for Windows credential access techniques. One rule identifies potential Kerberoasting by flagging LDAP searches followed by Kerberos traffic from unusual processes. Another rule detects common scripting engines accessing credential store files of Chrome and Edge browsers. (LDAP Search followed by Kerberos Connection, Web Browser Credential Access via Scripting Utility)
New rules focus on Windows defense evasion tactics. They detect activity concealment by identifying processes running in unusual or hidden desktops. Another rule detects attempts to bypass AMSI by monitoring for memory modification API calls targeting amsi.dll from unsigned modules. (Browser Process Started in a Hidden Desktop, Process Started in a Hidden Desktop, AMSI Bypass from Suspicious Module)
✎ Modified rules
macOS detections were refined. Coverage for curl-based external IP discovery was broadened by relaxing command argument checks. Concurrently, rules for curl-based data exfiltration and unauthorized Telegram data access were updated with new process and code-signing exclusions to reduce false positives. (Telegram Data Accessed by Unsigned or Untrusted Process, Potential Data Exfiltration via Curl, External IP address discovery via Curl)
Detection coverage for in-memory threats on Windows was expanded. One rule adds new byte patterns to identify shellcode from tools like DANTE and AdC2. Another rule improves module stomping detection by matching on Read-Write-Execute memory protection in the call stack. (Potential Module Stomping with Network Activity, Execution from Suspicious Stack Trailing Bytes)
Rules for common Windows adversary techniques were tuned. Coverage for malicious PowerShell was extended to include execution from node.exe. Detections for process suspension, msiexec abuse, and hiding executables in the registry received new exceptions for Nessus, SCCM, and WerFault.exe to lower false positives. (Potential Executable Stored in the Registry, Remote File Execution via MSIEXEC, Suspicious PowerShell Execution via Windows Scripts, Suspicious Remote Process Suspend Activity)
Two rules targeting common Linux adversary techniques were tuned to reduce false positives. The rule for reverse shells via device files now excludes activity from Splunk, Oracle, and Consul agents. The rule for delayed execution using the sleep command now ignores patterns associated with Ansible playbooks. (Sleep Execution from Suspicious Process Path, Potential Reverse Shell Activity via Terminal)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.
Personal repositories (4)
benscha/KQLAdvancedHunting (+1, ✎1)
+ New rules
A new KQL rule detects a macOS persistence technique. It monitors for the creation or modification of .plist files within Launch Agent and Launch Daemon directories, and excludes file modifications made by legitimate system installers to reduce false positives. (macOS Launch Agent/Daemon .plist File Creation or Modification)
✎ Modified rules
A KQL query that detects suspicious Multi-Factor Authentication registrations from new IP addresses was updated. A hardcoded corporate IP range was replaced with a placeholder, making the rule a template. Users must now add their own network information to filter legitimate activity and reduce false positives. (Suspicious_MFA_Registration)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query detects network connections to known Tor exit nodes. The rule analyzes Microsoft Defender XDR DeviceNetworkEvents against a dynamic list of Tor IP addresses to identify potential anonymization or command-and-control activity. ([IC] -Tor Exit Browser hunting based on Device Events)
bartblaze/Yara-rules (+2)
+ New rules
New YARA rules detect specific malware artifacts. One rule identifies a backdoor loader used by a China-nexus APT group by matching two distinct PDB path strings. A second rule detects the Adaptix hacking tool’s beacon through its unique function names and internal strings. (Autumn_Backdoor_Loader, Adaptix_Beacon)
alexverboon/Hunting-Queries-Detection-Rules (+2, ✎1)
+ New rules
A new KQL query lists external OAuth applications by filtering the OAuthAppInfo table. This is for auditing third-party application permissions and origins within Microsoft Entra ID. (External OAuth Apps and their external Tenant ID information)
A new KQL query detects modifications to Windows audit policies by monitoring ‘AuditPolicyModification’ actions in DeviceEvents. The query decodes policy GUIDs to detail changes, which helps track Defender for Identity sensor configurations. (Defender for Identity - Automatic Windows auditing configuration)
✎ Modified rules
The KQL query that audits OAuth applications in Microsoft Entra ID was updated. It identifies potentially over-privileged applications by analyzing and categorizing their permissions, prioritizing those with high-privilege access. (List relevant information from the OAutahAppInfo Table and count the permissions by Permission Level)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM from the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.