Detections Digest #20251208
The issue highlights key updates from 10 repos, including 58 new and 62 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 10 of the 50+ monitored GitHub repositories. Between Dec 1 and Dec 8, 2025, contributors added 58 new rules and updated 62 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Multiple repositories added detections for the React Server RCE (CVE-2025-55182, CVE-2025-66478). Coverage includes network-based exploitation attempts and suspicious child processes spawned by React servers. YARA rules were also added to detect exploit PoCs, payloads using ‘child_process’, and related error logs. (elastic/detection-rules, Neo23x0/signature-base)
New detections target the abuse of GitHub Actions self-hosted runners for supply chain attacks. The rules identify unauthorized runner registration, tampering with environment variables, and command execution by the runner process. SigmaHQ linked this activity to the Shai-Hulud npm worm. (elastic/detection-rules, SigmaHQ/sigma)
Phishing detections now identify more complex evasion and service abuse tactics. New rules detect URL obfuscation via split HTML anchors and callback phishing using Google Meet invites. Other detections target the use of legitimate services like SharePoint, OneNote, and Sendgrid to deliver malicious links. (sublime-security/sublime-rules)
Linux file integrity monitoring and persistence detection was improved. Splunk rules were updated to correlate Linux Auditd PATH and CWD events, which gives a reliable full path for modified files like /etc/sudoers. Elastic rules expanded coverage for persistence via ‘at’ jobs and shell command aliases. (splunk/security_content, elastic/detection-rules)
New rules focus on threats to emerging technology stacks. Detections now identify malicious use of Generative AI tools for data exfiltration, C2, and credential access. Other rules detect container escape attempts and privilege escalation through the creation of privileged containers mounting host directories. (elastic/detection-rules)
💥 Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. They contain all new and updated detection rules, with update descriptions and extracted observables. The feeds are available through MISP and STIX/TAXII endpoints, ready for direct integration into your SIEM, TIP, or SOAR.
Table Of Contents
Corporate repositories (4)
sublime-security/sublime-rules (+17, ✎13)
elastic/detection-rules (+24, ✎32)
splunk/security_content (✎8)
SigmaHQ/sigma (+2)
Personal repositories (6)
jkerai1/KQL-Queries (+5)
alexverboon/Hunting-Queries-Detection-Rules (+3, ✎2)
ep3p/Sentinel_KQL (✎1)
benscha/KQLAdvancedHunting (✎1)
Neo23x0/signature-base (+7, ✎4)
RussianPanda95/Yara-Rules (✎1)
Corporate repositories (4)
sublime-security/sublime-rules (+17, ✎13)
+ New rules
New rules detect brand and department impersonation phishing. Detections target emails spoofing AARP, Zoom, Purdue ePlanroom, Google Workspace, and HR departments. The logic analyzes sender display names, body keywords, and suspicious link destinations to identify credential phishing attempts. (Brand impersonation: AARP, Fake Zoom meeting invite with suspicious link, Brand impersonation: Purdue ePlanroom with suspicious links, Brand impersonation: Google Workspace alert notification, Link: HR impersonation with suspicious domain indicators and credential theft)
Multiple rules were added to detect abuse of legitimate cloud and communication services. These rules identify callback phishing via Google Meet, malicious links in SharePoint and OneNote URLs, fraudulent Firebase password resets, and phishing emails sent through Sendgrid, Roomsy.com, and Alibaba Cloud. Detections use sender patterns, service-specific URL paths, and sender reputation. (Service abuse: Roomsy with unrelated body content, Spam: Firebase password reset from suspicious sender, Fraudulent order confirmation/shipping notification from Chinese sender domain, Callback phishing via Google Meet, Attachment: PDF with personal Microsoft OneNote URL, Service abuse: Sendgrid credential theft with personalized request targeting single recipient)
Two new rules target email security control evasion techniques. One rule detects email headers embedded within the message’s plain text body. The other identifies URLs where the ‘http’ scheme is split across two separate HTML anchor tags to bypass URL scanners. (Body: Embedded email headers indicative of thread hijacking/abuse, Link: URL scheme obfuscation via split HTML anchors)
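The split-anchor evasion above is worth seeing as concrete detection logic. The following Python is an added example written for this digest, not a Sublime Security rule or its MQL: it parses an HTML body, records anchor text in document order, and flags two adjacent anchors whose text only forms an ‘http’/‘https’ scheme once concatenated. The sample HTML is constructed, and the `.invalid` and `example.com` hosts are placeholders.

```python
import re
from html.parser import HTMLParser


class AnchorTextCollector(HTMLParser):
    """Records anchor text in document order; non-whitespace text between anchors is kept
    as a separator so that only truly adjacent anchors are later considered together."""

    def __init__(self):
        super().__init__()
        self.segments = []      # list of (kind, text) with kind in {"a", "text"}
        self._in_anchor = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self._in_anchor = False
            self.segments.append(("a", "".join(self._buf)))

    def handle_data(self, data):
        if self._in_anchor:
            self._buf.append(data)
        elif data.strip():
            self.segments.append(("text", data))


# A complete scheme at the start of a text run: this is what URL scanners key on.
URL_SCHEME_RE = re.compile(r"^\s*https?://", re.IGNORECASE)


def find_split_scheme_urls(html):
    """Return the reassembled URLs of adjacent anchor pairs whose text forms an
    http(s) scheme only when joined, i.e. neither half is a URL on its own."""
    parser = AnchorTextCollector()
    parser.feed(html)
    parser.close()
    segments = parser.segments
    findings = []
    for (kind_a, text_a), (kind_b, text_b) in zip(segments, segments[1:]):
        if kind_a != "a" or kind_b != "a":
            continue                      # a text run separates them: not the evasion pattern
        joined = text_a + text_b
        if (URL_SCHEME_RE.match(joined)
                and not URL_SCHEME_RE.match(text_a)
                and not URL_SCHEME_RE.match(text_b)):
            findings.append(joined.strip())
    return findings


# Constructed samples (not from the page). The first splits the scheme across two anchors;
# the second has a normal link plus an unrelated anchor separated by prose.
SAMPLE_SPLIT = (
    '<p>Your document is ready: <a href="#">http</a>'
    '<a href="#">s://docs-review.invalid/open</a></p>'
)
SAMPLE_BENIGN = (
    '<p>Read more at <a href="https://www.example.com/blog">https://www.example.com/blog</a>'
    ' and <a href="#">http</a> is a protocol.</p>'
)

if __name__ == "__main__":
    print(find_split_scheme_urls(SAMPLE_SPLIT))    # ['https://docs-review.invalid/open']
    print(find_split_scheme_urls(SAMPLE_BENIGN))   # []
```

The check deliberately ignores `href` values: the evasion works on the visible text, and a scanner that only inspects each anchor in isolation never sees a scheme. Pairing it with a normal href-based URL check covers both views of the message.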
Detection capabilities were added for the Tycoon2FA phishing kit and cryptocurrency scams. The Tycoon2FA rule identifies the kit’s specific DOM structure and CDN patterns. The cryptocurrency rule detects financial lures with links pointing to fraudulent or newly registered domains. (Link: Cryptocurrency fraud with suspicious links, Link: Tycoon2FA phishing kit (non-exhaustive))
New heuristic detections identify phishing through suspicious email structure and sender behavior. One rule targets messages from new freemail senders using abnormal recipient patterns and all-caps link text. Another rule detects emails with short bodies and PDF attachments from suspicious creators that contain malicious links. (Attachment: Legal themed message or PDF with suspicious indicators, Link abuse: Self-service creation platform link with suspicious recipient behavior)
✎ Modified rules
Detection for brand and government impersonation attacks was improved across multiple rules. Updates target Social Security Administration phishing by inspecting document attachments and HTML titles. DHL impersonation detection now uses a machine learning topic model and expanded subject line checks. United Healthcare lures are identified by specific body content and sender local-part analysis. Google Drive phishing detection was updated to find more notification keywords and obfuscated text. (Impersonation: Social Security Administration (SSA), Brand impersonation: DHL, Brand impersonation: United Healthcare, Brand impersonation: Google Drive fake file share)
Several rules were updated to better detect common phishing themes. Detection for invoice-related phishing now covers more subject line variations and specific link text patterns. A rule targeting fake email threads was improved to identify malicious links disguised as files. Another rule now finds a wider variety of password delivery phrases for encrypted PDF attachments. (Suspicious invoice reference with missing or image-only attachments, Fake thread with suspicious indicators, Attachment: Encrypted PDF with credential theft body)
Detection logic was added for attacker evasion techniques. A rule for HTML smuggling now inspects SVG files and identifies more ROT13 obfuscation patterns, including encoded URL prefixes. QR code phishing detection was updated to spot links leading to anti-bot pages used to block analysis. A rule for JotForm abuse was updated with a more accurate regex for parsing form data. (Attachment: HTML smuggling with ROT13, Link: QR code in EML attachment with credential phishing indicators, Link: Multistage landing - JotForm abuse)
Two rules targeting reconnaissance emails received updates. The detection logic now incorporates a machine learning model to identify Business Email Compromise intent in short messages. Adjustments were made to body and subject length limits, and new exclusions were added for existing email threads and common signatures to reduce false positives. (Reconnaissance: Short generic greeting message, Reconnaissance: All recipients cc/bcc’d or undisclosed)
elastic/detection-rules (+24, ✎32)
+ New rules
A new set of rules targets malicious use of Generative AI tools. Detections identify adversary actions such as modifying AI tool configurations for persistence, exfiltrating data through encoding and network connections, communicating with suspicious domains, accessing sensitive files like credentials, and using local AI models to compile malicious code. (Unusual Process Modifying GenAI Configuration File, GenAI Process Performing Encoding/Chunking Prior to Network Activity, GenAI Process Connection to Unusual Domain, GenAI Process Connection to Suspicious Top Level Domain, GenAI Process Accessing Sensitive Files, GenAI Process Compiling or Generating Executables)
New detections focus on adversaries abusing GitHub Actions self-hosted runners for supply chain attacks. These rules identify the initial setup of unauthorized runners, tampering with runner tracking environment variables for defense evasion, and the execution of dangerous commands spawned by the runner process on the host system. (New GitHub Self Hosted Action Runner, Remote GitHub Actions Runner Registration, Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners, Execution via GitHub Actions Runner)
Several new rules detect web application and server exploitation. Detections identify web shell uploads by correlating network and file events, Remote File Inclusion attempts, and HTTP downgrade attacks. Specific coverage is added for React server vulnerabilities, including CVE-2025-55182 and CVE-2025-66478, by detecting prototype pollution patterns and suspicious child processes. (Unusual Web Server Command Execution, Potential HTTP Downgrade Attack, Initial Access via File Upload Followed by GET Request, Suspicious React Server Child Process, Web Server Potential Remote File Inclusion Activity, React2Shell (CVE-2025-55182) Exploitation Attempt)
Detection coverage for cloud-native threats is expanded across AWS and Azure. This includes identifying AWS IAM role enumeration, data destruction through AWS EFS deletion, and remote execution using LOLBins via AWS SSM. Other rules detect multi-cloud secret harvesting and Entra ID session hijacking through OAuth phishing. (AWS EFS File System Deleted, Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode, AWS IAM Principal Enumeration via UpdateAssumeRolePolicy, Multiple Cloud Secrets Accessed by Source Address, AWS EC2 LOLBin Execution via SSM SendCommand)
New rules address container security and local discovery techniques. Detections identify container escape and privilege escalation attempts through the creation of privileged containers that mount host directories. Another rule detects persistence attempts within containers via suspicious command execution. Coverage also includes the use of the Gitleaks tool to scan for secrets in code repositories. (Potential Secret Scanning via Gitleaks, Privileged Container Creation with Host Directory Mount, Pod or Container Creation with Suspicious Command-Line)
✎ Modified rules
Multiple AWS detection rules, mainly for RDS and S3, received metadata updates including detailed investigation guides and ATT&CK mappings. These rules cover data exfiltration, destruction, persistence, and privilege escalation. Another rule for detecting mass file downloads from OneDrive was updated with more precise aggregation logic to better identify data exfiltration. (AWS RDS Snapshot Export, AWS RDS DB Instance or Cluster Deletion Protection Disabled, AWS RDS DB Instance or Cluster Deleted, etc.)
Detection for PowerShell-based attacks was improved. Coverage was expanded to identify additional obfuscated arguments and new functions from offensive tooling. Other rules were tuned to reduce false positives by excluding legitimate processes like the Docker installer and filtering activity from common module directories. (Suspicious Windows Powershell Arguments, Suspicious PowerShell Engine ImageLoad, Potential PowerShell HackTool Script by Function Names, Potential PowerShell Obfuscated Script)
Several Windows detection rules for persistence and privilege escalation were tuned to reduce false positives. Updates added exclusions for legitimate system processes like tiworker.exe, common software installers, and popular Firefox browser extensions. These changes improve signal quality for detections covering boot file modification, SeDebugPrivilege abuse, application shimming, and persistence via msiexec. (Potential System Tampering via File Modification, SeDebugPrivilege Enabled by a Suspicious Process, Browser Extension Install, Persistence via a Windows Installer, Potential Application Shimming via Sdbinst)
Detection coverage for Linux systems was expanded. One rule now monitors an additional directory for persistence using at jobs. Another rule was updated to detect persistence through shell and AWS CLI command aliases. Detection for the shred command was also broadened to identify more argument variations used for defense evasion. (At Job Created or Modified, File Deletion via Shred, Potential Persistence via File Modification)
A rule for React server RCE post-exploitation (CVE-2025-55182, CVE-2025-66478) was greatly expanded to detect more reverse shell and interactive session techniques. The rule detecting the TruffleHog secrets scanner now has broader data source coverage and a higher risk score. A host compromise correlation rule was refined to require an endpoint alert, improving its accuracy. (Suspicious React Server Child Process, Credential Access via TruffleHog Execution, Elastic Defend and Network Security Alerts Correlation)
splunk/security_content (✎8)
✎ Modified rules
A group of rules detecting tampering with critical Linux configuration files was updated for greater accuracy. These rules cover modifications to files like /etc/sudoers, cronjobs, shell profiles, ld.so.preload, and others often targeted for persistence or privilege escalation. The detection logic in each was rewritten to correlate Linux Auditd PATH and CWD events via audit_id, allowing reliable reconstruction of full file paths from relative path usage. (Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File, Linux Auditd Possible Access To Sudoers File, Linux Auditd Unix Shell Configuration Modification, Linux Auditd Doas Conf File Creation, Linux Auditd Possible Access Or Modification Of Sshd Config File, Linux Magic SysRq Key Abuse, Linux Auditd Preload Hijack Via Preload File)
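The PATH/CWD correlation described above is the part of these rules that makes them reliable, and it is easy to get wrong. The following Python is an added example written for this digest, not the Splunk content or its SPL: it parses raw auditd records, joins the SYSCALL, CWD and PATH records of one syscall on their shared audit id, resolves the PATH `name` against `cwd` (collapsing `../` traversal), and reports hits against a watch list. The audit lines, the watch list and the process names are constructed for the example.

```python
import os
import re
from collections import defaultdict

# Constructed auditd records (not from the page). All records of one syscall carry the same
# audit id, the "<seconds>.<millis>:<serial>" inside msg=audit(...), which is the join key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1733011200.101:4521): arch=c000003e syscall=257 success=yes exit=3 comm="vi" exe="/usr/bin/vi" uid=0
type=CWD msg=audit(1733011200.101:4521): cwd="/etc"
type=PATH msg=audit(1733011200.101:4521): item=0 name="sudoers" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1733011200.250:4522): arch=c000003e syscall=257 success=yes exit=4 comm="bash" exe="/usr/bin/bash" uid=1000
type=CWD msg=audit(1733011200.250:4522): cwd="/home/alice"
type=PATH msg=audit(1733011200.250:4522): item=0 name=".bashrc" inode=5678 nametype=NORMAL
type=SYSCALL msg=audit(1733011200.400:4523): arch=c000003e syscall=257 success=yes exit=5 comm="sh" exe="/usr/bin/dash" uid=1000
type=CWD msg=audit(1733011200.400:4523): cwd="/tmp/build"
type=PATH msg=audit(1733011200.400:4523): item=0 name="../../etc/ld.so.preload" inode=91 nametype=CREATE
type=SYSCALL msg=audit(1733011200.600:4524): arch=c000003e syscall=257 success=yes exit=6 comm="cat" exe="/usr/bin/cat" uid=1000
type=CWD msg=audit(1733011200.600:4524): cwd="/var/log"
type=PATH msg=audit(1733011200.600:4524): item=0 name="/etc/sudoers.d/README" inode=77 nametype=NORMAL
"""

# Assumed watch list for the example: exact files, or directories (trailing slash) whose contents are watched.
WATCHED_PATHS = ("/etc/sudoers", "/etc/sudoers.d/", "/etc/ld.so.preload",
                 "/etc/crontab", "/etc/cron.d/", "/etc/profile")

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<audit_id>[\d.]+:\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value optionally double-quoted


def parse_record(line):
    """Split one auditd line into (record type, audit id, {field: value})."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return m.group("type"), m.group("audit_id"), fields


def correlate(log_text):
    """Group SYSCALL, CWD and PATH records by audit id (the SPL equivalent of a stats by audit_id)."""
    events = defaultdict(lambda: {"names": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, audit_id, f = rec
        ev = events[audit_id]
        if rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "PATH":
            ev["names"].append((f.get("name"), f.get("nametype")))
        elif rtype == "SYSCALL":
            ev.update(process=f.get("comm"), exe=f.get("exe"), uid=f.get("uid"))
    return events


def resolve_full_path(cwd, name):
    """Absolute names are used as-is; relative names are joined with the CWD and normalised,
    so "../../etc/ld.so.preload" issued from /tmp/build resolves to /etc/ld.so.preload."""
    if name.startswith("/"):
        return os.path.normpath(name)
    return os.path.normpath(os.path.join(cwd, name))


def is_watched(full_path, watched=WATCHED_PATHS):
    for w in watched:
        if w.endswith("/"):
            if full_path.startswith(w):
                return True
        elif full_path == w:
            return True
    return False


def detect(log_text, watched=WATCHED_PATHS):
    """Return one hit per PATH record whose resolved full path is on the watch list."""
    hits = []
    for audit_id, ev in correlate(log_text).items():
        cwd = ev.get("cwd")
        if cwd is None:
            continue                        # no CWD record: a relative name cannot be resolved safely
        for name, nametype in ev["names"]:
            if not name:
                continue
            full_path = resolve_full_path(cwd, name)
            if is_watched(full_path, watched):
                hits.append({"audit_id": audit_id, "path": full_path, "nametype": nametype,
                             "process": ev.get("process"), "exe": ev.get("exe"), "uid": ev.get("uid")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(hit)
```

Matching on the raw PATH `name` alone would miss the second hit entirely (the file is named only through `../../`) and would mis-attribute the first, since `sudoers` says nothing about the directory; the CWD join is what turns a relative name into a path you can alert on.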
The rule for detecting internal horizontal port scanning was updated for performance and alerting fidelity. The Splunk query was refactored by consolidating aggregation logic. Its Risk Based Alerting configuration was modified to set the src_ip as the primary risk object, providing better attribution for scanning activity. (Internal Horizontal Port Scan NMAP Top 20)
SigmaHQ/sigma (+2)
+ New rules
A new rule detects the execution of GitHub self-hosted runner components, Runner.Worker.exe and Runner.Listener.exe. This activity is linked to abuse of CI/CD infrastructure for persistence and code execution, as observed with the Shai-Hulud npm supply chain worm. The detection targets process creation events with specific command-line arguments. (Github Self-Hosted Runner Execution)
A new rule identifies a common phishing technique where a web browser opens an HTML file from the user’s Downloads folder. This detection targets command lines of browser processes that point to .htm files in the Downloads directory, indicating a user may have opened a malicious attachment. (HTML File Opened From Download Folder)
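Both Sigma rules above reduce to field matches on process-creation events combined by a condition. The following Python is an added example written for this digest, not SigmaHQ’s rules or the Sigma tooling: it implements a minimal evaluator for Sigma-style selections (`contains`, `endswith`, `startswith`, list values as any-of, case-insensitive) and `and`/`or`/`not` conditions, then runs two rules modelled on the descriptions above over constructed events. The rule titles are taken from the page; the exact selections (runner binary names, browser image names, `\Downloads\` plus `.htm`/`.html` in the command line) are assumptions for the example, as are the event values.

```python
import re

# Constructed process-creation events (not from the page); field names follow the Sigma
# process_creation log source, paths and users are invented.
EVENTS = [
    {"Image": r"C:\actions-runner\bin\Runner.Listener.exe",
     "CommandLine": r"C:\actions-runner\bin\Runner.Listener.exe run --startuptype service",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\alice\Downloads\Invoice_4421.htm',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example/wiki',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Downloads\notes.htm",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Sigma-style rules (assumed selections; titles from the page).
RULES = [
    {"title": "Github Self-Hosted Runner Execution",
     "detection": {"selection": {"Image|endswith": [r"\Runner.Worker.exe", r"\Runner.Listener.exe"]},
                   "condition": "selection"}},
    {"title": "HTML File Opened From Download Folder",
     "detection": {"selection_browser": {"Image|endswith": [r"\chrome.exe", r"\msedge.exe", r"\firefox.exe"]},
                   "selection_file": {"CommandLine|contains": r"\Downloads\ ".strip(),
                                      "CommandLine|endswith": [".htm", ".html"]},
                   "condition": "selection_browser and selection_file"}},
]


def _match_value(modifier, actual, expected):
    a, e = actual.lower(), expected.lower()          # Sigma string matching is case-insensitive
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier {modifier!r}")


def match_selection(selection, event):
    """Every field in a selection must match (AND); a list value matches if any entry does (OR)."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, actual, v) for v in values):
            return False
    return True


def eval_condition(condition, names):
    """Recursive-descent evaluation of 'a and not (b or c)' over selection results."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|[()]", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        val = parse_and()
        while peek() == "or":
            take(); rhs = parse_and(); val = val or rhs
        return val

    def parse_and():
        val = parse_not()
        while peek() == "and":
            take(); rhs = parse_not(); val = val and rhs
        return val

    def parse_not():
        if peek() == "not":
            take(); return not parse_not()
        tok = take()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return val
        if tok not in names:
            raise ValueError(f"unknown selection {tok!r}")
        return names[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def run_rules(events, rules):
    """Return [{'rule': title, 'event_index': i}] for every event/rule pair that matches."""
    alerts = []
    for i, event in enumerate(events):
        for rule in rules:
            det = rule["detection"]
            names = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
            if eval_condition(det["condition"], names):
                alerts.append({"rule": rule["title"], "event_index": i})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS, RULES):
        print(alert)
```

Note the third and fourth events: a browser launched with a normal URL, and a non-browser opening an `.htm` file from Downloads, both fail one of the two selections, which is exactly the false-positive boundary the condition is meant to draw.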
Personal repositories (6)
jkerai1/KQL-Queries (+5)
+ New rules
Four new KQL queries monitor Microsoft Entra ID AuditLogs for key account and group management events. The detections cover user deletion, account disablement, password changes or resets, and modifications to group membership and ownership. This group of rules provides visibility into the identity lifecycle to spot potentially malicious administrative actions. (Entra Account Disabled, Entra Group Changes, Entra Password Resets, User Deleted from Entra)
A new KQL query scans the Azure Resource Graph to find Azure API Management instances with basic authentication enabled on their developer portals. This detection identifies an insecure default configuration that may expose the service to account-related vulnerabilities. (Azure Resource Graph - APIM with basic auth enabled)
alexverboon/Hunting-Queries-Detection-Rules (+3, ✎2)
+ New rules
New KQL queries detect changes to the email auto-forwarding policy in Microsoft Defender for Office 365. The detection targets modifications to the AutoForwardingMode setting, a tactic used for data collection. Coverage is provided by querying both OfficeActivity and CloudAppEvents logs. (M365 Outbound Anti-Spam AutoForwardingMode Policy Change (CloudAppEvents))
A new KQL snippet assesses password age across an environment. It categorizes accounts by the time since their last password change and renders the data as a column chart for security posture review. (Password Age Visualization)
✎ Modified rules
Two KQL queries for assessing Active Directory password security in Microsoft Defender XDR were updated. Both queries were optimized with a 30-day time filter to improve performance and now include the account Type in their output for better context. The query targeting high-risk accounts was also broadened to detect ‘ADSync’ service accounts. (Active Directory - Password Security Posture Assessment, High-Risk Account Password Posture Assessment)
ep3p/Sentinel_KQL (✎1)
✎ Modified rules
A KQL rule detecting high-volume access to sensitive Active Directory attributes is now more sensitive to reconnaissance techniques like DCSync. The update adds access masks for directory replication (0x10, %%7684) and reduces the default access threshold from 10 objects to 5. (Suspicious AD attributes accessed from unexpected source)
benscha/KQLAdvancedHunting (✎1)
✎ Modified rules
A rule detecting suspicious scheduled tasks executing from the AppData\Local directory was updated. Its whitelist of legitimate application paths was reduced, removing exclusions for common software like OneDrive, Dropbox, and various web browsers. This change increases the rule’s sensitivity to persistence techniques using this folder. (Suspicious Scheduled Tasks from %LOCALAPPDATA%)
Neo23x0/signature-base (+7, ✎4)
+ New rules
A set of new YARA rules provides detection coverage for the React Server RCE vulnerability, CVE-2025-55182. The rules identify various attack indicators including PoC exploit code, in-the-wild payloads executing commands via ‘child_process’, specific scanner tool artifacts, and exploitation-related error tracebacks in Next.js applications, which are also tracked as CVE-2025-66478. (EXPL_React_Server_CVE_2025_55182_POC_Dec25, EXPL_RCE_React_Server_Next_JS_CVE_2025_66478_Errors_Dec25, EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25, EXPL_SUSP_JS_Exploitation_Payloads_Dec25)
A new YARA rule detects generic webshell activity by searching logs for common reconnaissance commands such as ‘ls’ or ‘whoami’ within web request URIs. (SUSP_WEBSHELL_LOG_Signatures_Dec25)
✎ Modified rules
Multiple rules were updated to add detection for webshells and remote code execution, focusing on the React Server RCE vulnerability (CVE-2025-55182). Detections identify in-memory webshell indicators, JavaScript PoC code using ‘child_process’, and generic webshell access patterns in logs. (EXPL_React_Server_CVE_2025_55182_POC_Dec25, SUSP_WEBSHELL_LOG_Signatures_Dec25, EXPL_SUSP_JS_POC_Dec25)
A new rule detects supply chain compromises within NPM packages. It finds code fragments that download external tools from GitHub or exfiltrate data using curl commands to webhook services and base64 encoding. (MAL_JS_NPM_SupplyChain_Compromise_Sep25)
RussianPanda95/Yara-Rules (✎1)
✎ Modified rules
The YARA rule for the PeerBlight Linux backdoor was updated to detect a newer variant by changing a string identifier to “softirq”. The condition was also broadened, now requiring 5 of 6 strings to match, making the detection more resilient to minor malware changes. (PeerBlight)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.