Detections Digest #20251201
The issue highlights key updates from 8 repos, including 61 new and 36 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 8 of the 50+ monitored GitHub repositories. Between Nov 24 and Dec 1, 2025, contributors added 61 new rules and updated 36 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Detections for AWS defense evasion were added and refined across multiple repositories. New rules from SigmaHQ and Elastic target the deletion or disabling of AWS GuardDuty detectors. Elastic also improved rules for detecting the deletion of CloudWatch components and added filters to reduce false positives from internal AWS user agents. (SigmaHQ/sigma, elastic/detection-rules)
Coverage for supply chain attacks was expanded, with a specific focus on the Shai-Hulud worm. Splunk added detections for malicious GitHub Actions workflow modifications and credential staging files. Concurrently, Neo23x0 introduced YARA rules for NPM supply chain attacks, including signatures for JavaScript worms and evasive preinstall scripts, with one also identifying ‘Sha1 Hulud’ artifacts. (splunk/security_content, Neo23x0/signature-base)
Elastic introduced a set of higher-order rules designed to correlate alerts from multiple security products. These rules link Elastic Defend endpoint events with network alerts from Palo Alto Networks, Fortinet, and Suricata. Other correlation rules aggregate distinct alerts on a single host or combine endpoint and email alerts to identify compromised systems with greater confidence. (elastic/detection-rules)
A large set of new behavioral rules for macOS was added to the protections-artifacts repository. These detections target a wide range of TTPs, including keychain exfiltration via curl, persistence through VSCode project file modification, and C2 communication using Google Calendar. Other rules identify payload execution using developer tools, osascript, and common interpreters like Perl and Node.js. (elastic/protections-artifacts)
Phishing detection capabilities were improved with new rules for multiple attack vectors. New Sublime rules identify abused SendGrid links, spam-related WordPress password resets, and evasive links that block analysis tools. Additional rules target payment-themed lures using encrypted zip file attachments to bypass content scanning. (sublime-security/sublime-rules)
💥 Promo: Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. They contain all new and updated rules from the digests, with update descriptions and extracted observables. The feeds are available through MISP and STIX/TAXII endpoints, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
sublime-security/sublime-rules (+4, ✎2)
SigmaHQ/sigma (+7, ✎7)
elastic/detection-rules (+15, ✎16)
splunk/security_content (+6, ✎2)
elastic/protections-artifacts (+23, ✎8)
Corporate repositories (5)
sublime-security/sublime-rules (+4, ✎2)
+ New rules
Three new rules detect malicious links in inbound emails. The rules identify abused SendGrid links with compressed data, suspicious WordPress password reset links, and links to spam sites that block automated analysis. (Service abuse: SendGrid-formatted link with actor-controlled fragment, Spam: Unsolicited WordPress account creation or password reset request, Link: Spam website with evasion indicators)
A new rule detects payment-themed phishing emails that use encrypted zip file attachments. This technique is used to evade automated content scanning. (Attachment: Encrypted zip file with payment-related lure)
✎ Modified rules
Detection for document-themed credential phishing is improved through two rule updates. One rule, focused on SharePoint impersonation, adds checks for link display text such as ‘view document’ or ‘review and sign file’. A second rule for generic document sharing expands subject line analysis to include ‘complete agreement’ and adds detection for links from bulk mailer services. (Brand impersonation: Sharepoint, Credential phishing: Generic document sharing)
SigmaHQ/sigma (+7, ✎7)
+ New rules
New rules detect Linux malware techniques, including those used by VShell. The detections target file creation with unusually long filenames and filenames that embed Base64-encoded bash payloads, both of which indicate command obfuscation and execution. (Potentially Suspicious Long Filename Pattern - Linux, Suspicious Filename with Embedded Base64 Commands)
Coverage for Windows threats is expanded. New rules detect C2 activity using finger.exe, persistence via renamed schtasks.exe binaries, and execution from social engineering attacks where browsers spawn suspicious child processes. (DNS Query by Finger Utility, Renamed Schtasks Execution, Suspicious FileFix Execution Pattern, Network Connection Initiated via Finger.EXE)
A new rule detects the deletion or disabling of an AWS GuardDuty detector. This addresses a defense evasion technique where an attacker attempts to stop security monitoring in a cloud environment. (AWS GuardDuty Detector Deleted Or Updated)
✎ Modified rules
Multiple rules targeting ClickFix and FileFix social engineering attacks were updated. The changes expand detection across process command lines, RunMRU registry keys, and browser TypedPaths history. Updates add more command-line utilities, social engineering keywords, and refine parent process logic to better identify these techniques. (Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix, FileFix - Command Evidence in TypedPaths, Potential ClickFix Execution Pattern - Registry)
Detection for defense evasion via LOLBIN copying was updated. Coverage now includes ie4uinit.exe. Logic for identifying system directories was also refined with more precise path matching to reduce false positives. (LOL-Binary Copied From System Directory, Suspicious Copy From or To System Directory)
The rule for detecting Linux container discovery via root directory inode checks was updated. Detection logic now uses regular expressions for command-line flags and the path argument, making it more flexible against variations of the ls command. (Potential Container Discovery Via Inodes Listing)
Detection for out-of-band RCE confirmation (CVE-2025-59287) was broadened. The rule adds more domains associated with external interaction services like Burp Collaborator. A filter for ‘polling.oastify.com’ was also added to lower false positives. (DNS Query to External Service Interaction Domains)
elastic/detection-rules (+15, ✎16)
+ New rules
New higher-order rules correlate events from multiple security products to identify compromised systems. These rules link Elastic Defend endpoint alerts with network events from Palo Alto Networks, Fortinet, and Suricata. Other rules correlate endpoint and email alerts by user, or aggregate multiple distinct alerts on a single host to prioritize threats. (PANW and Elastic Defend - Command and Control Correlation, Elastic Defend and Network Security Alerts Correlation, SOCKS Traffic from an Unusual Process, Elastic Defend and Email Alerts Correlation, Alerts in Different ATT&CK Tactics by Host, Multiple Elastic Defend Alerts by Agent)
A set of new rules targets web server reconnaissance and attack attempts. These detections identify high volumes of HTTP error codes (4xx, 5xx), command injection payloads in request URLs, and user-agent strings from common scanning tools like Nikto and sqlmap. This provides coverage for enumeration and fuzzing activities against various web servers. (Web Server Discovery or Fuzzing Activity, Potential Spike in Web Server Error Logs, Web Server Potential Spike in Error Response Codes, Web Server Potential Command Injection Request, Web Server Suspicious User Agent Requests)
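To make the web-server signals above concrete, here is a small added example (not code from elastic/detection-rules) that parses access-log lines in the Apache/Nginx "combined" format and flags two of the behaviours the rules look for: a client producing many 4xx/5xx responses, and a client whose user agent belongs to a known scanning tool. The error threshold, the scanner user-agent list and the sample log lines are assumptions constructed for illustration.

```python
"""
Added example, not code from elastic/detection-rules: a detector for error-code
spikes and scanner user agents, run over constructed access-log lines in the
combined log format. Threshold, user-agent list and sample lines are assumptions.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [time] "request" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed list of user-agent fragments left by common scanning tools.
SCANNER_UA_RE = re.compile(r"nikto|sqlmap|nmap|masscan|gobuster|dirbuster", re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def analyze(lines, error_threshold=5):
    """Flag clients with many 4xx/5xx responses and clients using scanner user agents."""
    error_counts = Counter()
    scanner_agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the whole batch
        if rec["status"] >= 400:
            error_counts[rec["ip"]] += 1
        if SCANNER_UA_RE.search(rec["ua"]):
            scanner_agents[rec["ip"]].add(rec["ua"])
    return {
        "error_spike": {ip: n for ip, n in error_counts.items() if n >= error_threshold},
        "scanner_agents": {ip: sorted(uas) for ip, uas in scanner_agents.items()},
    }


# Constructed sample: one normal client, one client with a single 404 that stays
# below the threshold, one unparseable line, and one client probing common paths
# with a scanner user agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Dec/2025:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
] + [
    f'203.0.113.9 - - [01/Dec/2025:10:00:0{i} +0000] "GET {path} HTTP/1.1" {status} 153 "-" "Mozilla/5.0 (Nikto/2.1.6)"'
    for i, (path, status) in enumerate(
        [("/admin/", 404), ("/phpmyadmin/", 404), ("/.git/config", 403),
         ("/backup.zip", 404), ("/cgi-bin/", 500), ("/wp-login.php", 404)],
        start=3,
    )
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In production the error count would be bucketed per time window rather than over the whole input, and the scanner list maintained alongside the rule; the structure of the check is the same.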
New detections target Linux living-off-the-land techniques. One rule identifies shell execution where Busybox is the parent process. Another detects the use of curl or wget as GTFOBins for file download and execution, a common method for retrieving payloads. (Proxy Shell Execution via Busybox, Curl or Wget Egress Network Connection via LoLBin)
A new rule detects exploitation of the Apache Struts path traversal vulnerability, CVE-2023-50164. The detection logic identifies a sequence of a malicious POST request followed by JSP file creation in a Tomcat webapps directory, indicating a successful web shell upload. (Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation)
A new rule was added to detect Okta device token theft. It triggers when a single device token hash is associated with multiple operating systems, a strong indicator that the token was stolen and is being used from an attacker’s machine. (Okta Multiple OS Names Detected for a Single DT Hash)
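The correlation behind that Okta rule is simple enough to show end to end. The following is an added example, not the Elastic rule itself: it groups Okta System Log events by device token hash and reports any hash seen from two or more operating systems. The field paths (debugContext.debugData.dtHash, client.userAgent.os, actor.alternateId) follow the Okta System Log schema as the author understands it, and the sample events are constructed.

```python
"""
Added example, not code from elastic/detection-rules: correlate Okta System Log
events by device token hash (dtHash) and flag hashes used from several OS names.
Field paths are assumed from the Okta System Log schema; events are constructed.
"""
from collections import defaultdict


def _get(d, *path):
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def group_by_device_token(events):
    """Map each dtHash to the set of OS names and actors it was seen with."""
    seen = defaultdict(lambda: {"os": set(), "actors": set()})
    for ev in events:
        dt_hash = _get(ev, "debugContext", "debugData", "dtHash")
        os_name = _get(ev, "client", "userAgent", "os")
        if not dt_hash or not os_name:
            continue  # events without a device token cannot be correlated
        seen[dt_hash]["os"].add(os_name)
        actor = _get(ev, "actor", "alternateId")
        if actor:
            seen[dt_hash]["actors"].add(actor)
    return seen


def find_shared_device_tokens(events, min_os_names=2):
    """Return dtHashes used from at least `min_os_names` distinct operating systems."""
    findings = {}
    for dt_hash, info in group_by_device_token(events).items():
        if len(info["os"]) >= min_os_names:
            findings[dt_hash] = {"os": sorted(info["os"]), "actors": sorted(info["actors"])}
    return findings


# Constructed sample: token "abc123" appears from Windows and macOS (suspicious),
# token "def456" only ever from Windows, and one event carries no token at all.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"os": "Windows 10"}},
     "debugContext": {"debugData": {"dtHash": "abc123"}}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "alice@example.com"},
     "client": {"userAgent": {"os": "Mac OS X"}},
     "debugContext": {"debugData": {"dtHash": "abc123"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"},
     "client": {"userAgent": {"os": "Windows 10"}},
     "debugContext": {"debugData": {"dtHash": "def456"}}},
    {"eventType": "user.session.start", "actor": {"alternateId": "bob@example.com"},
     "client": {"userAgent": {"os": "Windows 10"}},
     "debugContext": {"debugData": {"dtHash": "def456"}}},
    {"eventType": "system.api_token.create", "actor": {"alternateId": "svc@example.com"},
     "client": {"userAgent": {}}},  # no OS and no dtHash: ignored
]

if __name__ == "__main__":
    print(find_shared_device_tokens(SAMPLE_EVENTS))
```

Reporting the actors alongside the OS names is what makes the alert actionable: the hash alone identifies a device token, but the user whose sessions it was reused across is who needs their sessions revoked.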
✎ Modified rules
Multiple detections for AWS defense evasion were improved. These rules identify the deletion of GuardDuty detectors and various CloudWatch components, including alarms, log groups, and log streams. The updates refine detection logic by excluding internal AWS user agents to reduce false positives and add detailed investigation guides for analysts. (AWS GuardDuty Detector Deletion, AWS CloudWatch Alarm Deletion, AWS CloudWatch Log Group Deletion, AWS CloudWatch Log Stream Deletion)
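The GuardDuty rule in SigmaHQ (above) and these Elastic CloudWatch/GuardDuty rules detect the same family of CloudTrail events, so one added example (not code from either repository) covers both: it flags successful deletion or disabling of monitoring components and suppresses calls made by AWS services on the account's behalf. The eventSource/eventName values are real CloudTrail names; the user-agent allow-list and the sample records are assumptions for illustration.

```python
"""
Added example, not code from SigmaHQ or Elastic: detect AWS monitoring teardown
(GuardDuty detector deleted or disabled, CloudWatch alarm / log group / log stream
deleted) in constructed CloudTrail-style records, with an allow-list for internal
AWS user agents. Event names are real; allow-list and sample records are assumed.
"""
from collections import namedtuple

# (eventSource, eventName) pairs that remove or switch off monitoring.
MONITORING_TEARDOWN = {
    ("guardduty.amazonaws.com", "DeleteDetector"),
    ("guardduty.amazonaws.com", "UpdateDetector"),   # only when enable=false, checked below
    ("monitoring.amazonaws.com", "DeleteAlarms"),
    ("logs.amazonaws.com", "DeleteLogGroup"),
    ("logs.amazonaws.com", "DeleteLogStream"),
}

# Assumed allow-list of user agents AWS sets when a service acts on the account's
# behalf (e.g. a CloudFormation stack teardown). Match exact strings rather than
# "*.amazonaws.com": console-driven calls are logged with a user agent such as
# "console.amazonaws.com" and must not be suppressed by the filter.
INTERNAL_AWS_AGENTS = {"cloudformation.amazonaws.com", "AWS Internal"}

Finding = namedtuple("Finding", "event_name actor user_agent")


def detect_monitoring_teardown(events):
    """Return one Finding per successful, non-internal monitoring teardown event."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) not in MONITORING_TEARDOWN:
            continue
        if ev.get("errorCode"):
            continue  # a denied call did not actually disable anything
        if ev["eventName"] == "UpdateDetector":
            params = ev.get("requestParameters") or {}
            if params.get("enable", True):
                continue  # an update that keeps the detector enabled is benign
        agent = ev.get("userAgent", "")
        if agent in INTERNAL_AWS_AGENTS:
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        findings.append(Finding(ev["eventName"], actor, agent))
    return findings


# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
     "userAgent": "cloudformation.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/stack"}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "DeleteAlarms", "errorCode": "AccessDenied",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "requestParameters": {"enable": True}, "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "requestParameters": {"enable": False}, "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventSource": "logs.amazonaws.com", "eventName": "DescribeLogGroups",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for finding in detect_monitoring_teardown(SAMPLE_EVENTS):
        print(finding)
```

Of the six records only two fire: the CLI-driven DeleteDetector and the console UpdateDetector that sets enable=false. The CloudFormation-originated DeleteLogGroup is suppressed by the allow-list, the AccessDenied DeleteAlarms never succeeded, and the remaining records are benign.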
Coverage for AWS credential access and persistence techniques was improved. The changes target bulk secret retrieval from Secrets Manager, sensitive IAM operations with temporary credentials, and the creation of IAM Roles Anywhere trust anchors and profiles. Updates focus on improving detection accuracy and providing analysts with more detailed triage and response steps. (AWS Secrets Manager Rapid Secrets Retrieval, AWS IAM API Calls via Temporary Session Tokens, AWS IAM Roles Anywhere Profile Creation, AWS IAM Roles Anywhere Trust Anchor Created with External CA)
Four rules related to legacy Amazon RDS operations were marked as deprecated. These rules, which detect the creation and deletion of RDS instances, clusters, and security groups, are now designated for historical analysis. Their descriptions clarify that modern, VPC-based RDS environments should be monitored using standard EC2 security group rules. (Deprecated - AWS RDS Security Group Deletion, Deprecated - AWS RDS Cluster Creation, Deprecated - AWS RDS Instance Creation, Deprecated - AWS RDS Security Group Creation)
Several identity and endpoint detections were refined for better accuracy and utility. The Microsoft Entra ID brute-force rule was re-engineered for better performance. A Kerberos-based detection was tuned with new process exclusions to reduce false positives. Coverage for the TruffleHog secrets scanner was expanded, and a new investigation guide was added to the rule for SSH password grabbing on Linux. (Microsoft Entra ID Excessive Account Lockouts Detected, Potential SSH Password Grabbing via strace, Credential Access via TruffleHog Execution, Suspicious Kerberos Authentication Ticket Request)
splunk/security_content (+6, ✎2)
+ New rules
New hunting queries detect unauthorized local Large Language Model (LLM) usage on Windows endpoints. The rules monitor for DNS queries to LLM model repositories, creation of common model file formats like ‘.gguf’ and ‘.safetensors’, and execution of LLM framework processes such as Ollama and LM Studio. This helps identify shadow AI deployments and potential data exfiltration channels. (Local LLM Framework DNS Query, LLM Model File Creation, Windows Local LLM Framework Execution)
New rules detect the Shai-Hulud supply chain worm on Windows and Linux systems. Detection logic monitors for malicious modifications to GitHub Actions workflow files within .github/workflows directories. It also identifies the creation of specific JSON files used by the malware to stage stolen cloud and development credentials for exfiltration. (GitHub Workflow File Creation or Modification, Shai-Hulud 2 Exfiltration Artifact Files, Shai-Hulud Workflow File Creation or Modification)
✎ Modified rules
Two rules monitoring GitHub Enterprise audit logs for repository destruction and archival events were updated. The changes associate these actions with supply chain compromise tactics (T1195), adding context for analysts investigating potential intellectual property theft or operational disruption. (GitHub Enterprise Repository Deleted, GitHub Enterprise Repository Archived)
elastic/protections-artifacts (+23, ✎8)
+ New rules
A large set of new rules covers various macOS threat behaviors. Detections target data collection with rsync, credential theft by exfiltrating the keychain database with curl, and payload execution using piped curl and osascript commands. Other rules identify C2 communication using Google Calendar, persistence by modifying VSCode project files (a known XCSSET TTP), and code execution through developer tools like Cursor and VSCode. Additional detections identify malicious use of Perl and Node.js for payload execution. (Sensitive File Access via Rsync, Hidden AppleScript Download via Curl, Suspicious Curl to Raw IP via Perl, Osascript Payload Drop and Execute, Google Calendar C2 via Script, Abnormally Large Javascript Evaluation via Nodejs, Abnormally Large Shell Script Execution via Perl, Cursor Arbitrary Code Execution via PHP, Curl Output Piped to Osascript, VScode Project File Infection via Osascript, User Keychain Exfiltration via Curl, Nodejs Initial Access via VSCode Auto-run Task)
New detections for Linux focus on post-exploitation and privilege escalation. Two rules target specific CVEs: sandbox escape in Redis (CVE-2025-49844) and privilege escalation in sudo (CVE-2025-32463). Other rules detect the creation of reverse shells from Node.js processes and suspicious shell execution spawned by Java processes or through the Busybox utility. (Potential RediShell (CVE-2025-49844) Exploitation, Suspicious Command Execution via Busybox Proxy, Reverse Shell via Node.js Descendant, Potential CVE-2025-32463 Nsswitch File Creation, Shell Execution via Java Parent Process, Javascript Reverse Shell via Node.js)
A group of new rules detects advanced defense evasion and execution hijacking techniques on Windows. Detections target DANTE commercial spyware via a unique call stack signature, abuse of bindflt.dll for folder redirection, and execution flow hijacking using thread debug registers. Other rules identify attempts to bypass Protected Process Light (PPL) protections and suspicious use of the OpenThread API to manipulate remote threads. (Potential DANTE Spyware Execution, BindFltApi Loaded by an Unusual Process, Potential Hardware Breakpoints Evasion, Protected Process from Unusual Parent, Suspicious Remote Process Thread Access)
✎ Modified rules
Multiple rules for Linux and macOS were tuned to reduce false positives. The updates add or refine exceptions for common legitimate software, scripts, and development environments like PHP, the APT package manager, and various containerization tools. This improves the accuracy of detections for reconnaissance, persistence, and suspicious script execution. (File Downloaded from Suspicious Source by Web Server, APT Package Manager Command Execution, External IP address discovery via Curl, Interpreter-Based Code Execution via Unusual Parent)
Several Windows rules were updated to reduce false positives. Exclusions were added for known benign DLLs loaded from network shares, a third-party product that could trigger process masquerading alerts, and legitimate node.exe activity that spawns PowerShell. These changes increase alert fidelity. (Potential Masquerading as Windows Error Manager, Suspicious Image Load from SMB Shares, Suspicious PowerShell Execution via Windows Scripts)
Detection coverage for Windows process injection and evasion was increased. A rule that monitors for indirect memory API calls was updated with new logic. The change targets specific call stack patterns associated with proxy calls to APIs like VirtualProtect and VirtualAlloc, better identifying attempts to obscure malicious memory operations. (Windows API via a CallBack Function)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.
Personal repositories (3)
jkerai1/KQL-Queries (+2)
+ New rules
A new KQL query for Azure Resource Graph Explorer detects changes to virtual machine SKU sizes. This rule audits cloud configurations by monitoring the ‘resourcechanges’ table for modifications and identifying the user responsible. (Azure Resource VM sku sizes)
A new KQL query for Microsoft Defender for Endpoint detects process execution from the user’s appdata\roaming directory. This rule targets a common adversary persistence and defense evasion technique by searching for suspicious file extensions like .exe and .ps1. (Executables in AppData Local Roaming)
Neo23x0/signature-base (+4)
+ New rules
A set of new YARA rules targets various NPM supply chain attack techniques. The rules detect specific JavaScript worms, including one designed to steal cloud credentials and another identified by unique artifact strings (‘Sha1 Hulud’). Additional rules identify evasive setup scripts that perform environmental checks before execution and malicious preinstall hooks in package.json files used for initial code execution. (MAL_JS_NPM_SupplyChain_Attack_Nov25, SUSP_JS_NPM_Sha1_Hulud_Nov25, SUSP_JS_NPM_SetupScript_Nov25, MAL_NPM_SupplyChain_Attack_PreInstallScript_Nov25)
bartblaze/Yara-rules (✎1)
✎ Modified rules
The YARA rule for BroEx adware was tuned to reduce false positives. The detection logic now requires a generic byte sequence from a decoding function to be found with other specific indicators like mutexes or service names, improving the rule’s precision. (BroEx)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.