Detections Digest #20251215
The issue highlights key updates from 11 repos, including 32 new and 77 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 11 of the 50+ monitored GitHub repositories. Between Dec 8 and Dec 15, 2025, contributors added 31 new rules and updated 77 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New Sigma rules detect the ‘EDR-Freeze’ technique, which abuses debugging libraries like dbgcore.dll to suspend security processes. The detections monitor for WerFaultSecure.exe loading these DLLs or accessing EDR processes. This set also covers LSASS credential dumping that uses the same libraries. (SigmaHQ/sigma)
Detection for server-side application exploits was expanded. New rules detect suspicious child processes spawned from Node.js, React, or Next.js servers on both Windows and Linux. Other rules target Java template injection by identifying XSLT file creation followed by shell execution. (splunk/security_content, elastic/protections-artifacts)
A new set of detections targets malicious named pipe activity using Sysmon events 17 and 18. The rules identify pipes associated with Remote Management and Monitoring tools, C2 channels, and other unwanted applications. This provides coverage for a common persistence and lateral movement vector. (splunk/security_content)
Multiple repositories added or refined detections for Linux threats. New YARA rules identify ELF binaries for malware like ZinFoq, Kaiji, and CowTunnel. Concurrently, many behavioral rules for reverse shells, web server command injection, and script execution were tuned to reduce false positives in container and development environments. (RussianPanda95/Yara-Rules, Neo23x0/signature-base, elastic/protections-artifacts, SigmaHQ/sigma)
Email security rules were added to detect specific phishing campaigns and service abuse. Detections now identify the ‘Impact Solutions’ Phishing-as-a-Service platform via unique URL and attachment patterns. Other rules target callback phishing schemes that use Microsoft Teams invites and brand impersonation of services like Adobe Sign. (sublime-security/sublime-rules)
Table Of Contents
SigmaHQ/sigma (+4, ✎20)
elastic/detection-rules (+1, ✎33)
sublime-security/sublime-rules (+6, ✎7)
elastic/protections-artifacts (+3, ✎15)
💥 Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. They contain all new and updated rules from the digests, with update descriptions and extracted observables. The feeds are available through MISP and STIX/TAXII endpoints, ready for direct integration into your SIEM, TIP, or SOAR solution.
Corporate repositories (5)
SigmaHQ/sigma (+4, ✎20)
+ New rules
A set of new rules detects the abuse of debugging libraries, dbgcore.dll and dbghelp.dll, for both EDR evasion and credential dumping. The rules identify the ‘EDR-Freeze’ technique by monitoring WerFaultSecure.exe as it loads these DLLs to suspend security processes like MsMpEng.exe. Other rules in this set target LSASS credential dumping by detecting suspicious access originating from uncommon locations or when these specific DLLs are present in the call trace. (WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze, Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location, Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs, Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze)
✎ Modified rules
Five rules were updated to detect the ‘Invoke-DNSExfiltrator’ PowerShell cmdlet and script. This adds coverage for DNS-based data exfiltration techniques across process creation, command line arguments, and script block logging telemetry. (Malicious PowerShell Commandlets - ProcessCreation, Malicious PowerShell Commandlets - PoshModule, Malicious PowerShell Commandlets - ScriptBlock, Malicious PowerShell Scripts - PoshModule, Malicious PowerShell Scripts - FileCreation)
Multiple Windows defense evasion rules were tuned to reduce false positives. Updates include adding exclusions for Windows Update components (TiWorker.exe, wuaucltcore.exe), the Recovery Environment, and refining path matching logic. The changes impact detections for DLL sideloading, process masquerading, persistence, and raw disk access. (Uncommon AppX Package Locations, Startup Folder File Write, Load Of RstrtMgr.DLL By An Uncommon Process, Rare Remote Thread Creation By Uncommon Source Image, Potential Defense Evasion Via Raw Disk Access By Uncommon Tools, Renamed Office Binary Execution, Files With System Process Name In Unsuspected Locations, Potential System DLL Sideloading From Non System Locations)
Two Linux Auditd rules for detecting audio capture and ASLR disabling were corrected. The logic was updated to use the ‘SYSCALL’ field name instead of ‘syscall’, aligning with the auditd schema and restoring detection function. (Audio Capture, ASLR Disabled Via Sysctl or Direct Syscall - Linux)
Detection coverage was expanded for several distinct threats. The AWS SSM rule now identifies successful command execution by checking the ‘errorCode’ field. The EDR-Freeze hacktool rule was updated with a new executable name and IMPHASH values. The Windows log query rule now detects searches for RDP-related event IDs. (Potential Malicious Usage of CloudTrail System Manager, Potentially Suspicious EventLog Recon Activity Using Log Query Utilities, Hacktool - EDR-Freeze Execution)
Two rules detecting network connections from suspicious Windows directories were updated. One rule expanded detection by adding ‘github.com’ to its monitored domain list. The other added ‘github.com’ as an exclusion and expanded the list of suspicious source directories to improve accuracy. (Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder, Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location)
splunk/security_content (+7)
+ New rules
A new set of rules uses Sysmon events 17 (Pipe Created) and 18 (Pipe Connected) to detect suspicious named pipe activity. Coverage includes pipes associated with RMM tools, Potentially Unwanted Applications (PUAs), C2 channels, and other malicious software often used for persistence and lateral movement. (Windows RMM Named Pipe, Windows Suspicious C2 Named Pipe, Windows PUA Named Pipe, Windows Suspicious Named Pipe)
New rules provide multi-layered detection for vulnerabilities in React and Next.js applications, such as CVE-2025-55182. One rule identifies network exploitation attempts via a specific Cisco firewall Snort signature. Two other rules detect post-exploitation behavior by identifying suspicious child processes spawned from Node.js servers on both Windows and Linux systems. (Linux Suspicious React or Next.js Child Process, Cisco Secure Firewall - React Server Components RCE Attempt, Windows Suspicious React or Next.js Child Process)
elastic/detection-rules (+1, ✎33)
+ New rules
A new rule detects potential AWS reconnaissance. It monitors CloudTrail logs for a single identity making more than five distinct read-only discovery API calls, such as Describe*, List*, or Get*, within a 10-second window. This pattern can indicate an adversary mapping a compromised cloud environment. (AWS Discovery API Calls via CLI from a Single Resource)
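The window-and-distinct-count logic summarized above, written out as an added Python illustration (it is not Elastic's rule; the CloudTrail records, ARNs and API names below are constructed, and the thresholds of more than five distinct Describe*/List*/Get* calls within ten seconds are taken from the rule summary):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DISCOVERY_PREFIXES = ("Describe", "List", "Get")   # read-only enumeration verbs
DISTINCT_CALLS = 5                                  # alert when strictly more than this
WINDOW = timedelta(seconds=10)


def is_discovery_call(event_name: str) -> bool:
    """Read-only discovery APIs share these verb prefixes."""
    return event_name.startswith(DISCOVERY_PREFIXES)


def find_discovery_bursts(events):
    """Return (identity_arn, window_start, sorted distinct calls) per burst.

    Events are processed in time order. Each identity keeps a deque of
    (timestamp, eventName) pairs inside the trailing 10-second window;
    an alert fires when the distinct call names in that window exceed 5.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        if not is_discovery_call(name):
            continue                                # writes are not discovery
        arn = ev["userIdentity"]["arn"]
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        window = recent[arn]
        window.append((ts, name))
        while ts - window[0][0] > WINDOW:           # evict calls older than 10 s
            window.popleft()
        distinct = {n for _, n in window}
        if len(distinct) > DISTINCT_CALLS:
            alerts.append((arn, window[0][0].isoformat(), sorted(distinct)))
            window.clear()                          # one alert per burst
    return alerts


def _ev(arn, name, offset_s):
    """Minimal constructed CloudTrail record, offset_s seconds after a fixed base."""
    base = datetime(2025, 12, 10, 12, 0, 0)
    return {"eventTime": (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventName": name, "userIdentity": {"arn": arn}}


RECON = "arn:aws:iam::123456789012:user/recon-sim"   # constructed identity
ADMIN = "arn:aws:iam::123456789012:user/ops-admin"   # constructed identity
SAMPLE_EVENTS = (
    # six distinct discovery calls within six seconds: should alert
    [_ev(RECON, n, i) for i, n in enumerate(["DescribeInstances", "ListBuckets",
     "GetCallerIdentity", "DescribeSecurityGroups", "ListUsers", "GetAccountSummary"])]
    # the same call repeated rapidly: distinct count stays at 1, no alert
    + [_ev(ADMIN, "DescribeInstances", 0.5 * i) for i in range(10)]
    # six distinct calls spaced 12 s apart: never more than one per window, no alert
    + [_ev(ADMIN, n, 100 + 12 * i) for i, n in enumerate(["ListRoles", "GetUser",
       "DescribeVpcs", "ListPolicies", "GetPolicy", "DescribeSubnets"])]
    # a write call interleaved in the burst is ignored by the prefix filter
    + [_ev(RECON, "RunInstances", 4)]
)

if __name__ == "__main__":
    for arn, start, calls in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{arn} issued {len(calls)} distinct discovery calls from {start}: {calls}")
```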
✎ Modified rules
Several rules detecting web server exploits, anomalous Azure activity, and suspicious container commands received new investigation guides. These guides provide structured steps for triage, analysis, and response, improving their operational value for security analysts. (Initial Access via File Upload Followed by GET Request, Spike in Azure Activity Logs Failed Messages, Web Server Potential Remote File Inclusion Activity, Web Server Local File Inclusion Activity, Unusual Country for an Azure Activity Logs Event, Unusual City for an Azure Activity Logs Event, AWS RDS DB Snapshot Shared with Another Account, Pod or Container Creation with Suspicious Command-Line)
Cloud threat detection was broadened and refined across multiple platforms. For AWS, rules for S3 data exfiltration, KMS key deletion, and Secrets Manager access were tuned for accuracy. Coverage now includes alerts from Wiz Defend. For GitHub, detection of self-hosted runners was expanded to repository and organization scopes. For Entra-ID, correlation of malicious IPs with sign-ins was made more reliable. (AWS S3 Bucket Policy Added to Share with External Account, AWS S3 Bucket Replicated to Another Account, AWS KMS Customer Managed Key Disabled or Scheduled for Deletion, First Time Seen AWS Secret Value Accessed in Secrets Manager, External Alerts, M365 or Entra ID Identity Sign-in from a Suspicious Source, New GitHub Self Hosted Action Runner)
Detections for Linux persistence and evasion techniques were improved. Rules for PAM modification, hosts file changes, systemd-spawned reverse shells, and shell breakouts received new exceptions to reduce false positives. A rule for unusual command execution by web servers was refined to target specific PHP processes and also received an investigation guide. (Creation or Modification of Pluggable Authentication Module or Configuration, Hosts File Modified, Suspicious Network Connection via systemd, Linux Restricted Shell Breakout via Linux Binary(s), Unusual Web Server Command Execution)
Multiple Windows endpoint rules for detecting credential access and defense evasion were tuned. The NTLM relay attack detection risk score was raised. The svchost.exe masquerading rule was made case-insensitive and its data sources were expanded. LSASS access detection was migrated to ESQL using statistical rarity instead of static blocklists. Other rules had exclusions added for system accounts and legitimate software. (Potential Computer Account NTLM Relay Activity, Potential Masquerading as Svchost, LSASS Process Access via Windows API, Suspicious Service was Installed in the System, Suspicious Execution via Scheduled Task, Command Execution via ForFiles, Remote File Copy to a Hidden Share, Suspicious Kerberos Authentication Ticket Request, Renamed Utility Executed with Short Program Name)
Two rules for detecting Windows brute-force attacks were migrated from EQL to ESQL. The detection logic was changed from a sequence-based approach to a more scalable statistical aggregation. The rules now trigger on a higher volume of failures over a 60-second window and include additional noisy failure codes in their exclusion lists for better accuracy. (Privileged Account Brute Force, Multiple Logon Failure from the same Source Address)
sublime-security/sublime-rules (+6, ✎7)
+ New rules
Two rules were added to detect credential phishing attacks where emails are sent from and to the same address. One rule identifies general indicators like a new external sender and credential theft language. The other targets a specific variant using a fake PDF icon hosted on a CDN and links with deceptive display text. (Link: Self-sender with sender org in subject and credential theft indicator, Self-sent fake PDF attachment with misleading link)
New rules detect phishing that abuses trusted services. One identifies Adobe Sign impersonation by checking for brand elements in emails from unofficial domains. Another targets callback phishing schemes that use legitimate Microsoft Teams invites as a delivery mechanism, searching for phone numbers and impersonated brand names in the email body. (Brand impersonation: Adobe Sign with suspicious indicators, Service abuse: Callback phishing via Microsoft Teams invite)
Two rules were added to detect distinct phishing methods. One rule targets the “Impact Solutions” Phishing-as-a-Service platform by identifying unique patterns in HTML attachments and URLs. The second rule detects a technique involving a shared alphanumeric string between the email subject and a URL, which also contains a Base64-encoded version of the recipient’s address. (PhaaS: Impact Solutions (Impact Vector Suite), Link: Base64 encoded recipient address in URL fragment with subject hash)
✎ Modified rules
Detections for multiple brand impersonation attacks were improved. The Dropbox rule now identifies obfuscated file sharing phrases and links to free hosting services. The LinkedIn rule uses a more precise regular expression for Message-ID headers to better exclude legitimate mail. The Adobe rule was updated for an API change and adds recipient validity checks to reduce false positives. (Brand impersonation: Dropbox, Brand impersonation: LinkedIn, Attachment: Adobe image lure in body or attachment with suspicious link)
Several rules targeting general phishing and scam tactics received coverage updates. Detections for document-sharing credential phishing and website error solicitation spam were updated with new regular expressions and keywords. The rule for giveaway scams now has an increased body length limit and new attacker phrases. Fake thread detection was modified to process plain-text emails, expanding its scope. (Credential phishing: Generic document sharing, Spam: Website errors solicitation, Scam: Piano giveaway, Fake thread with suspicious indicators)
elastic/protections-artifacts (+3, ✎15)
+ New rules
Two new rules detect command execution from server-side application runtimes on Linux. One rule identifies shell processes spawned from Node.js. The other detects a pattern indicative of Java template injection (CVE-2025-61882), where a Java process creates an XSL/XSLT file and subsequently spawns a shell. (Suspicious Shell Command Execution via Node.js Parent, Java XSL Template Creation Followed by Shell Execution)
A new rule detects a malware technique on Windows involving memory manipulation. It identifies attempts to use the ‘VirtualProtect’ API to change a read-only memory region to be executable, a common method for running injected or unpacked code within a legitimate process. (Memory Protection from Read to Execute)
✎ Modified rules
Multiple rules for Linux post-exploitation and defense evasion were tuned to reduce false positives. Updates apply to detections for reverse shells (socat, /dev/tcp), suspicious scripting (Python, Perl), web server command injection (curl/wget to shell), masquerading of system binaries, and execution via the dynamic linker (ld.so). New exceptions filter legitimate activity from containers, development tools, and system services. (Potential Reverse Shell Activity via Terminal, System Binary Proxy Execution via ld.so, System Binary Copied or Moved, Suspicious Perl Command Execution, Suspicious Python Command Execution, Socat Reverse Shell or Listener Activity, File Downloaded and Piped to Interpreter by Web Server, Reverse Shell Executed via Web Server, Suspicious Download and Redirect by Web Server)
Detections for Windows defense evasion techniques were refined. Updates reduce false positives for parent process spoofing, WMI enumeration by scripting hosts, and new logon session creation from suspicious processes. Exceptions were added for legitimate software vendors, system tools like msiexec.exe, and common administrative scripts. (NewCredential Logon by a Suspicious Process, Suspicious WMI Enumeration via Windows Scripts, Parent Process PID Spoofing)
Coverage for DLL search order hijacking on Windows was expanded. The rule now monitors for the creation of well_known_domains.dll and domain_actions.dll in application dependency folders, broadening detection of this persistence technique. (Potential Initial Access via DLL Search Order Hijacking)
The rule for suspicious shell execution from Java processes was tuned for Oracle environments. The update adds exceptions to ignore legitimate Oracle scheduler agent and WebLogic Server commands, lowering false positives in specific application contexts. (Shell Execution via Java Parent Process)
Detection for malicious AppleScript execution on macOS was tuned. An exception was added to the osascript monitoring rule to ignore legitimate commands related to asset checking, improving its accuracy. (Unusually Large Script Executed by Osascript)
Personal repositories (6)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query for Microsoft Defender XDR aids in threat hunting for phishing. It analyzes email event data to trace URL redirection chains, grouping them by a common ID. The query identifies suspicious patterns such as redirections across different countries or an excessive number of hops. ([IC] - KQL Techniques for Email URL Redirect Hunting)
alexverboon/Hunting-Queries-Detection-Rules (+4)
+ New rules
Four new KQL queries improve asset visibility in Microsoft Defender for Endpoint. The queries identify device inventory details, group assignments, and logged-on users. They also report on device activity, distinguishing between active and inactive endpoints to help with configuration audits and asset management. (Total Devices by OS per Device Group, Detailed list of devices and device groups., Defender for Endpoint - Inactive Devices, Defender for Endpoint - Active and Inactive Devices with State)
RussianPanda95/Yara-Rules (+2)
+ New rules
Two new YARA rules add detection for Linux malware. One rule targets the Ares variant of the Kaiji malware and the other detects the ZinFoq implant. Both rules identify ELF binaries and then match on unique hardcoded strings. (Kaiji_Ares, ZinFoq)
benscha/KQLAdvancedHunting (✎1)
✎ Modified rules
Detection for PowerShell launched by a LOLBAS binary is now more precise. The KQL query was changed to use an inner join, requiring a confirmed outbound network connection to a public IP for an alert to be generated. This refinement reduces noise by filtering out processes without corresponding network events. (PowerShell LOLBAS Execution with Public Network Connection)
Cloud-Architekt/AzureSentinel (✎1)
✎ Modified rules
The Microsoft Defender XDR identity parser now includes an ‘AccountStatus’ field. This change provides context on whether user and workload identities are enabled or disabled, which is useful during investigations. (UnifiedIdentityInfoXdr)
Neo23x0/signature-base (+3)
+ New rules
New YARA rules add detection for three distinct Linux threats: the ZinFoq implant, the CowTunnel reverse-proxy, and the PeerBlight backdoor. All three rules target ELF binaries and identify the malware by matching unique strings related to functionality, persistence, or debug messages. (MAL_ZinFoq_Dec25, HKTL_CowTunnel_Dec25, MAL_PeerBlight_Dec25)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.