Detections Digest #20251222
The issue highlights key updates from 9 repos, including 19 new and 87 modified Sigma, Splunk, YARA, KQL, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 9 of the 50+ monitored GitHub repositories. Between Dec 15 and Dec 22, 2025, contributors added 19 new rules and updated 87 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Phishing detections were expanded to counter abuse of legitimate services like Monday.com and SendGrid. New rules identify obfuscation in calendar attachments and metadata from specific PDF generation tools. Existing rules for Microsoft Teams and Google Drive impersonation were broadened to include more attack vectors. (sublime-security/sublime-rules)
Detections for defense evasion using legitimate Windows processes were widely updated. Rules now better identify anomalous execution of .NET compilers, regsvcs, and DLLHost. Separately, the risk scores for several PowerShell obfuscation techniques, such as backtick escaping and string concatenation, were increased. (splunk/security_content, elastic/detection-rules)
Multiple AWS threat detection rules were tuned to be more sensitive to recent activity. Lookback windows for ‘new terms’ detections were shortened for IAM, STS, and S3 events. For Azure, new and modified rules target Primary Refresh Token abuse on unmanaged devices and anomalous sign-ins indicative of password spray attacks. (elastic/detection-rules, ep3p/Sentinel_KQL)
New higher-order rules correlate security alerts from multiple products to identify complex attacks. These rules pivot on common entities like user or IP address to link otherwise separate events. Another new rule connects Suricata network alerts directly to the responsible host process using endpoint data. (elastic/detection-rules)
New rules target specific exploits and backdoors. Detections were added for shell execution via the XZ backdoor (CVE-2024-3094) and post-exploitation on Esri ArcGIS servers. New YARA rules identify malware components like the GrimResource backdoor and a malicious Node.js package. (elastic/detection-rules, SigmaHQ/sigma, bartblaze/Yara-rules, Neo23x0/signature-base)
💥 Free access to CTIChef.com CTI feeds until 2026 💥
We’ve made our threat detection CTI feeds available to you for free for the rest of the year. All new and updated rules from the digests, with update descriptions and extracted observables, are available through MISP and STIX/TAXII endpoints, ready for direct integration into your SIEM, TIP, or SOAR solution.
Table Of Contents
sublime-security/sublime-rules (+5, ✎8)
elastic/detection-rules (+7, ✎44)
splunk/security_content (✎31)
SigmaHQ/sigma (+2)
Corporate repositories (4)
sublime-security/sublime-rules (+5, ✎8)
+ New rules
New rules detect phishing campaigns abusing legitimate services including Monday.com, SendGrid, and Formester. Detections identify suspicious links, sender impersonation, and other indicators of abuse from unauthenticated or new senders to find malicious activity that exploits the reputation of trusted platforms. (Service abuse: Monday.com infrastructure with phishing intent, Service abuse: SendGrid impersonation via Sendgrid from new sender, Service abuse: Formester with suspicious link behavior)
Two new rules target malicious email attachments. One detects the use of invisible Unicode characters for obfuscation in calendar (.ics) files. The other identifies PDFs created by the ‘wkhtmltopdf’ tool by inspecting file metadata, a common tactic in phishing campaigns. (Attachment: Calendar file with invisible Unicode characters, Attachment: PDF generated with wkhtmltopdf tool and default title)
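The calendar-attachment check described above, as an added example that is not Sublime Security's own rule logic: it unfolds an .ics file per RFC 5545 and reports every property whose value carries Unicode format characters (the class that contains zero-width spaces and joiners). The sample .ics is constructed for the demonstration.

```python
import unicodedata

# Constructed .ics attachment. The SUMMARY hides two ZERO WIDTH SPACE characters
# inside "Invoice" and the folded DESCRIPTION carries a ZERO WIDTH JOINER.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Inv\u200boice\u200b payment due\r\n"
    "DESCRIPTION:Please review the attached\r\n"
    " \u200d statement before Friday\r\n"
    "DTSTART;TZID=Europe/Berlin:20251222T090000\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics_text):
    """Undo RFC 5545 line folding: a line that starts with a space or tab
    continues the previous content line."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def invisible_chars(ics_text):
    """Return (property, count, sorted code point names) for each property
    whose value contains Unicode format characters (category Cf), the class
    that covers zero-width spaces/joiners, word joiners and soft hyphens."""
    findings = []
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        prop, value = line.split(":", 1)
        hits = [c for c in value if unicodedata.category(c) == "Cf"]
        if hits:
            names = sorted({unicodedata.name(c, "UNKNOWN") for c in hits})
            findings.append((prop.split(";")[0], len(hits), names))
    return findings
```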
✎ Modified rules
Detection of phishing emails impersonating popular services was broadened. Updates target Microsoft Teams and Google Drive invitation patterns, include callback scams from ‘invites@microsoft.com’, and remove previous exclusions for ‘sites.google.com’ links and solicited emails to cover more attack vectors. (Brand impersonation: Microsoft Teams invitation, Callback phishing via Microsoft comment, Service Abuse: Nifty.com with impersonation, Brand impersonation: Google Drive fake file share)
Coverage for specific credential phishing techniques was improved. This includes adding detection for ‘self-sender’ attacks in Dropbox-themed lures, broadening detection of fake PDF links by removing restrictive domain checks, and identifying the Mamba 2FA phishing kit through a new iCloud calendar invite vector. (Deceptive Dropbox mention, Self-sent fake PDF attachment with misleading link, Link: Mamba 2FA phishing kit)
The rule for detecting extortion and sextortion was refined to reduce false positives. New logic filters out legitimate bounce-back messages, email threads, and legal phrasing. Detection patterns for payment timeframes and cryptocurrency terms were also expanded. (Extortion / sextortion (untrusted sender))
elastic/detection-rules (+7, ✎44)
+ New rules
New higher-order rules correlate security alerts from distinct integrations to identify complex attacks. Detections pivot on common entities like user, source IP, and destination IP to surface multi-stage compromises. A separate rule links Suricata network alerts directly to the responsible host process using endpoint data, connecting network-level threats to process activity. (Alerts From Multiple Integrations by User Name, Alerts From Multiple Integrations by Destination Address, Alerts From Multiple Integrations by Source Address, Suricata and Elastic Defend Network Correlation)
Two new rules target network-based threats. One detects command-and-control tunneling on Linux systems by identifying command-line patterns with multiple IP address and port pairs. The other rule detects exploitation attempts of a remote code execution vulnerability (CVE-2025-55182) by aggregating alerts from Cisco, Fortinet, Palo Alto, and Suricata products. (Potential Linux Tunneling and/or Port Forwarding via Command Line, React2Shell Network Security Alert)
A new rule detects potential supply chain attacks within GitHub CI/CD environments. It identifies when the ‘github-actions[bot]’ user pushes code to a repository for the first time, a behavior that may indicate a compromised workflow is modifying repository content. (GitHub Actions Unusual Bot Push to Repository)
✎ Modified rules
Multiple AWS threat detection rules were tuned to be more sensitive to recent, novel activities. The lookback windows for ‘new terms’ detections were shortened for rules monitoring IAM, STS, S3, and secrets access. Additionally, coverage for defense evasion was improved, with updates to rules detecting deletion of WAF rules, Route 53 logs, and AWS Config resources. Several rules also received expanded investigation guides and more precise ATT&CK mappings. (AWS Systems Manager SecureString Parameter Request with Decryption Flag, AWS EC2 User Data Retrieval for EC2 Instance, First Time Seen AWS Secret Value Accessed in Secrets Manager, AWS S3 Unauthenticated Bucket Access by Rare Source, Unusual AWS S3 Object Encryption with SSE-C, AWS SNS Rare Protocol Subscription by User, AWS IAM Customer-Managed Policy Attached to Role by Rare User, etc.)
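Both the ‘github-actions[bot]’ first-push rule and the AWS ‘new terms’ tuning above rest on the same idea: a (scope, term) pair is novel when it has not been seen within a lookback window, so shortening the window fires on more recent activity. This added example (not Elastic's implementation) shows that mechanism over constructed push events; the same function applies to AWS pairs such as (user, API action).

```python
from datetime import datetime, timedelta

# Constructed events (timestamp, scope, term). For the GitHub rule the scope is
# the repository and the term the pushing actor; for an AWS rule it could be
# (user, API action). Not real telemetry.
PUSH_EVENTS = [
    ("2025-11-01T10:00:00", "acme/app", "github-actions[bot]"),
    ("2025-11-02T10:00:00", "acme/app", "alice"),
    ("2025-12-18T09:30:00", "acme/app", "github-actions[bot]"),
    ("2025-12-19T11:00:00", "acme/infra", "github-actions[bot]"),
]

def new_terms(events, lookback):
    """Yield events whose (scope, term) pair was not seen within the trailing
    lookback window. A pair is 'new' when there is no prior sighting, or the
    last sighting is older than the window, so a shorter window re-fires on
    activity that a longer window would treat as already known."""
    last_seen = {}
    for ts, scope, term in sorted(events):
        t = datetime.fromisoformat(ts)
        prev = last_seen.get((scope, term))
        if prev is None or t - prev > lookback:
            yield (ts, scope, term)
        last_seen[(scope, term)] = t

def bot_first_pushes(events, lookback_days):
    """Apply new_terms to pushes by github-actions[bot] only, which is the
    shape of the 'unusual bot push' detection."""
    bot_events = [e for e in events if e[2] == "github-actions[bot]"]
    return list(new_terms(bot_events, timedelta(days=lookback_days)))
```

With a 90-day window the December push to acme/app is suppressed by the November sighting; with a 30-day window it alerts again.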
The perceived threat of several PowerShell obfuscation techniques was re-evaluated, resulting in increased severity and risk scores for detections of backtick escaping, character arrays, and string concatenation. Other PowerShell rules were tuned for accuracy by adjusting detection thresholds for numeric character ratios and invalid escape patterns, and by adding exclusions for known benign software. (Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion, Potential PowerShell Obfuscation via Character Array Reconstruction, Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation, Potential PowerShell Obfuscation via High Numeric Character Proportion, Potential PowerShell Obfuscation via Invalid Escape Sequences)
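The three obfuscation heuristics named above (backtick escaping, string concatenation, numeric character proportion), as an added example that is not Elastic's rule logic: each is a small scoring function run over constructed PowerShell command lines, and the thresholds and weights are assumptions for the demonstration.

```python
import re

# Characters that may legitimately follow a backtick in PowerShell. A backtick
# before any other character is a no-op escape, which is exactly how obfuscated
# commands split keywords (I`E`X) to dodge string matching.
VALID_ESCAPES = set("0abefnrtuv`\"'$ \t\r\n")

# Constructed sample command lines (not from the Elastic rules or real telemetry).
BENIGN = "powershell.exe -NoProfile -Command Get-Process"
ESCAPED = "powershell -c \"I`E`X ('Ge'+'t-Da'+'te')\""
CHAR_ARRAY = "powershell -c \"-join [char[]](71,101,116,45,68,97,116,101)\""

def invalid_escapes(cmd: str) -> int:
    """Count backticks followed by a character that is not a valid escape."""
    return sum(1 for m in re.finditer(r"`(.)", cmd)
               if m.group(1) not in VALID_ESCAPES)

def concat_joins(cmd: str) -> int:
    """Count '+' operators that glue two string literals together."""
    return len(re.findall(r"""['"]\s*\+\s*['"]""", cmd))

def numeric_ratio(cmd: str) -> float:
    """Share of non-whitespace characters that are decimal digits."""
    chars = [c for c in cmd if not c.isspace()]
    return sum(c.isdigit() for c in chars) / len(chars) if chars else 0.0

def score(cmd: str) -> dict:
    """Apply the three heuristics and fold them into one illustrative risk
    score. Thresholds and weights are assumptions, not the Elastic values."""
    findings = {
        "invalid_escapes": invalid_escapes(cmd),
        "concat_joins": concat_joins(cmd),
        "numeric_ratio": round(numeric_ratio(cmd), 3),
    }
    risk = 0
    if findings["invalid_escapes"] >= 2:
        risk += 40
    if findings["concat_joins"] >= 2:
        risk += 30
    if findings["numeric_ratio"] > 0.30 and len(cmd) > 40:
        risk += 30
    findings["risk"] = risk
    return findings
```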
Detections for Linux threats were broadened. This includes a new rule to detect shell execution via compromised SSH daemons, targeting the XZ backdoor (CVE-2024-3094). Other rules were updated to better identify network tunneling tools, persistence via shell profile modification, creation of malicious shared objects, and suspicious egress network connections from web server processes. (Potential Linux Tunneling and/or Port Forwarding, Bash Shell Profile Modification, Potential Execution via XZBackdoor, Uncommon Destination Port Connection by Web Server, Shared Object Created or Changed by Previously Unknown Process)
Windows process-based detections were tuned to reduce false positives. Rules using the ‘ProblemChild’ machine learning model and a rule detecting suspicious commands from web servers received numerous new exceptions. These changes filter out legitimate activity from system accounts, common parent processes, and specific applications, improving the fidelity of these alerts. (Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score, Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score, Web Shell Detection: Script Process Child of Common Web Processes)
Detection logic for Azure Entra ID identity threats was refined. Updates focus on identifying Primary Refresh Token (PRT) abuse specifically on unmanaged devices and detecting rare non-interactive sign-ins by adding exclusions for common applications. These changes improve accuracy for spotting token-based attacks and malicious device registration. (Entra ID User Sign-in with Unusual Client, Entra ID OAuth PRT Issuance to Non-Managed Device Detected)
splunk/security_content (✎31)
✎ Modified rules
Detections for defense evasion techniques that abuse legitimate Windows processes were updated. The rules target anomalous executions, such as .NET compilers (csc.exe, microsoft.workflow.compiler.exe) for proxy execution and utilities like regsvcs.exe, regasm.exe, gpupdate.exe, and DLLHost.exe running without arguments. Other rules detect DiskShadow.exe scripting, verclsid.exe abuse, and system or .NET binaries running from non-standard file paths. (CSC Net On The Fly Compilation, Detect Regsvcs with No Command Line Arguments, Detect Regasm with no Command Line Arguments, Suspicious microsoft workflow compiler usage, Verclsid CLSID Execution, Suspicious DLLHost no Command Line Arguments, Suspicious GPUpdate no Command Line Arguments, Windows Diskshadow Proxy Execution, System Processes Run From Unexpected Locations, Windows DotNet Binary in Non Standard Path)
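Two of the checks above, a watched utility launched with no arguments and a system binary running from a non-standard path, as an added example that is not the Splunk rule logic: it parses a Windows command line (quoted or bare image path) and reports which check fires. The process events and the expected-directory list are constructed assumptions.

```python
import ntpath
import re

# Utilities that have no reason to start without arguments; a bare launch is
# the pattern the 'no Command Line Arguments' rules look for.
WATCHED = {"regsvcs.exe", "regasm.exe", "gpupdate.exe", "dllhost.exe"}
# Directories where the genuine copies of these binaries live (lower-case).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process events, not real Sysmon/EDR telemetry.
EVENTS = [
    {"CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{00000000-0000-0000-0000-000000000001}"},
    {"CommandLine": r'"C:\Windows\System32\regsvcs.exe"'},
    {"CommandLine": r"C:\Users\Public\gpupdate.exe"},
    {"CommandLine": r"C:\Windows\System32\gpupdate.exe /force"},
]

def split_command_line(cmdline):
    """Return (image, arguments), honouring a double-quoted image path."""
    m = (re.match(r'\s*"([^"]+)"\s*(.*)$', cmdline)
         or re.match(r"\s*(\S+)\s*(.*)$", cmdline))
    return (m.group(1), m.group(2).strip()) if m else ("", "")

def check_process(event):
    """Return the names of the checks that fire for one process event."""
    image, args = split_command_line(event["CommandLine"])
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    hits = []
    if name in WATCHED and args == "":
        hits.append("no_command_line_arguments")
    if name in WATCHED and directory not in EXPECTED_DIRS:
        hits.append("unexpected_location")
    return hits

def scan(events):
    """Pair each alerting command line with the checks it triggered."""
    return [(e["CommandLine"], check_process(e)) for e in events if check_process(e)]
```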
Rules for detecting credential dumping and privilege escalation were refined. Detections now identify procdump.exe targeting the LSASS process, esentutl.exe accessing ntds.dit or the SAM hive, and reg.exe or regedit.exe exporting sensitive registry hives. The updates also cover runas.exe used to execute commands as an administrator. (Dump LSASS via procdump, Esentutl SAM Copy, Windows Sensitive Registry Hive Dump Via CommandLine, Runas Execution in CommandLine)
Detection coverage for reconnaissance using native Windows utilities was updated. The rules identify the use of nltest.exe for domain controller and trust discovery, route.exe for mapping network tables, and dxdiag.exe for system information gathering. Detections for sqlcmd.exe reconnaissance and staging sensitive files with copy.exe or xcopy.exe were also improved. (Domain Controller Discovery with Nltest, NLTest Domain Trust Discovery, Network Discovery Using Route Windows App, System Info Gathering Using Dxdiag Application, Windows SQLCMD Execution, Windows File Collection Via Copy Utilities)
Several rules targeting persistence and impact tactics were updated. Detections for persistence now cover schtasks.exe creating tasks from XML or running as the SYSTEM user, and wbadmin.exe restoring files. Impact-focused rules detect wbadmin.exe deleting system backups, sdelete.exe for indicator removal, ransomware note creation, and PsExec.exe execution for lateral movement. (Common Ransomware Notes, Detect PsExec With accepteula Flag, Sdelete Application Execution, WBAdmin Delete System Backups, Windows Scheduled Task Created Via XML, Windows Schtasks Create Run As System, Windows WBAdmin File Recovery From Backup)
Detections for initial access and network-based threats were updated. One rule adds coverage for pwsh.exe as a suspicious child process of Microsoft Office applications, targeting malicious macro execution (CVE-2023-21716, CVE-2023-36884). Other rules were modified to use lookups for identifying suspicious email attachments, DNS queries to dynamic DNS providers for C2, and web requests to potential brand impersonation domains. (Detect hosts connecting to dynamic domain providers, Windows Office Product Spawned Uncommon Process, Suspicious Email Attachment Extensions, Monitor Web Traffic For Brand Abuse)
SigmaHQ/sigma (+2)
+ New rules
Two new rules detect post-exploitation activity on Esri ArcGIS Servers. The detection logic monitors the ArcSOC.exe process for suspicious file creation events, such as .exe or .aspx files, and for suspicious child processes like script interpreters. These rules help identify web shell deployment and remote code execution after a server compromise. (Suspicious File Created by ArcSOC.exe, Suspicious ArcSOC.exe Child Process)
Cyber OSINT Overview is a free weekly newsletter by CTIChef.com that summarizes updates from 80+ sources (government orgs, cybersecurity vendors, threat intel teams, security researchers, and cybersecurity communities) into one overview.
Personal repositories (5)
bartblaze/Yara-rules (+1)
+ New rules
A new YARA rule detects the GrimResource backdoor by identifying specific string combinations. The rule targets malicious Microsoft Management Console files using strings like “MMC_ConsoleFile” and “.loadXML(”, or scripted XML files containing “ActiveXObject” and “ms:script”. (GrimResource)
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects a malicious binary component from the ‘Etoroloro’ Node.js package. The rule identifies the Portable Executable file based on specific strings related to DLL sideloading or a unique x86 instruction sequence. (MAL_Etoroloro_Malicious_NodePackage_Dec25)
ep3p/Sentinel_KQL (+1)
+ New rules
A new rule detects an anomalous authentication pattern in Azure AD SigninLogs. The detection identifies when the CorrelationId matches a tenant ID field, a behavior reportedly used by attackers in password spray campaigns. (correlation id equals tenant id in peculiar password spray)
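The CorrelationId-equals-tenant-id pattern above, as an added example that is not the Sentinel_KQL query itself: it flags matching rows and then aggregates failed sign-ins by source IP to surface the many-accounts-from-one-address shape of a spray. The SigninLogs rows are constructed, and the tenant id column names used are assumptions.

```python
from collections import defaultdict

# SigninLogs columns that carry a tenant id; the query compares CorrelationId
# against such a column. Column names here are assumptions for the example.
TENANT_FIELDS = ("ResourceTenantId", "HomeTenantId")
TENANT = "11111111-2222-3333-4444-555555555555"  # constructed tenant id

# Constructed SigninLogs rows (not real data). ResultType "0" means success;
# any other value is treated as a failed sign-in.
ROWS = [
    {"CorrelationId": TENANT, "ResourceTenantId": TENANT, "HomeTenantId": TENANT,
     "IPAddress": "203.0.113.10", "UserPrincipalName": "ann@example.com", "ResultType": "50126"},
    {"CorrelationId": TENANT, "ResourceTenantId": TENANT, "HomeTenantId": TENANT,
     "IPAddress": "203.0.113.10", "UserPrincipalName": "bob@example.com", "ResultType": "50126"},
    {"CorrelationId": TENANT, "ResourceTenantId": TENANT, "HomeTenantId": TENANT,
     "IPAddress": "203.0.113.10", "UserPrincipalName": "Cara@example.com", "ResultType": "50126"},
    {"CorrelationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ResourceTenantId": TENANT,
     "HomeTenantId": TENANT, "IPAddress": "198.51.100.5",
     "UserPrincipalName": "dan@example.com", "ResultType": "0"},
]

def correlation_equals_tenant(row):
    """True when CorrelationId is identical to one of the tenant id columns,
    the peculiarity the digest reports as seen in password spray campaigns."""
    cid = row.get("CorrelationId")
    return any(bool(cid) and cid == row.get(f) for f in TENANT_FIELDS)

def spray_candidates(rows, min_users=3):
    """Group anomalous failed sign-ins by source IP and return the IPs that
    touched at least min_users distinct accounts (case-insensitive UPNs)."""
    users_by_ip = defaultdict(set)
    for r in rows:
        if correlation_equals_tenant(r) and r.get("ResultType") != "0":
            users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"].lower())
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}
```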
kevoreilly/CAPEv2 (✎2)
✎ Modified rules
YARA detection for Rhadamanthys malware was updated. One rule identifies the main payload via byte sequences for its RC4 implementation, config data, and anti-analysis checks. This rule was also tuned to exclude CAPE sandbox files, reducing false positives. Another rule targets the malware’s loader component by identifying its ntdll-related operations. (RhadamanthysLoader)
alexverboon/Hunting-Queries-Detection-Rules (+2, ✎2)
+ New rules
Two new KQL queries support Microsoft Defender for Endpoint device management. One query summarizes device onboarding status across machine groups, while the other identifies onboarded devices that have not been assigned to a specific group. These help administrators assess deployment health and find misconfigured endpoints. (Device group overview with count on OnboardingStatus, Detailed device information about unassigned onboarded devices)
✎ Modified rules
Two Microsoft Defender for Endpoint KQL queries for device inventory were updated. The change removes a filter that limited results to Windows 10 and 11, broadening the scope to include all operating systems. This results in more complete device inventory reports, one providing an aggregated count by machine group and the other a detailed device list. (Total Devices by OS per Device Group, Detailed list of devices and device groups.)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.