Detections Digest #20260105 + Happy New Year!
The issue highlights key updates from 5 repos, including 7 new and 23 modified YARA, KQL, Fibratus and Elastic detection rules.
This week’s update highlights the most significant changes to detection rules from 5 of the 50+ monitored GitHub repositories. Between Dec 29 and Jan 5, 2025, contributors added 7 new rules and updated 23 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New YARA rules were added for VMware ESXi exploit payloads and the CoralWave loader. The ESXi rules identify the Windows MAESTRO payload and the Linux VSOCKpuppet payload based on file headers and unique strings. A separate rule detects the CoralWave loader, which masquerades as a Lenovo DLL to drop Remcos RAT. (RussianPanda95/Yara-Rules, Neo23x0/signature-base)
A broad set of Fibratus rules targeting credential access, MS Office attack chains, and defense evasion was updated. The modifications correct process context and event correlation logic across multiple rules. This improves detection accuracy for techniques like LSASS dumping, malicious macro execution, and abuse of trusted system binaries. (rabbitstack/fibratus)
A new higher-order rule from Elastic correlates multiple distinct EDR alerts originating from the same process tree on one host. It triggers when two or more alert types involve at least three unique process IDs. This logic groups related malicious activities for analyst review. (elastic/detection-rules)
🚀 Make updates from this digest operational →
All detection rules from this digest are available in CTIChef’s MISP and STIX/TAXII feeds ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Corporate repositories (1)
elastic/detection-rules (+1, ✎1)
+ New rules
A new higher-order rule correlates multiple distinct Elastic Defend EDR alerts, such as ‘malicious_file’ or ‘shellcode_thread’, originating from the same process tree on a single host. It triggers when at least three unique process IDs are involved in two or more different alert types, identifying coordinated activity for analyst triage. (Multiple Elastic Defend Alerts from a Single Process Tree)
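The grouping logic described above, written out in Python as an added illustration (this is not Elastic's rule or its query language) over a constructed set of alert records; the field names `host`, `tree`, `pid` and `type` are assumptions, and the thresholds are the ones stated in the summary:

```python
from collections import defaultdict

# Constructed sample alerts (not real Elastic Defend data). `tree` stands for
# the process tree root the alerting process descends from.
SAMPLE_ALERTS = [
    {"host": "ws01", "tree": "root-a", "pid": 4412, "type": "malicious_file"},
    {"host": "ws01", "tree": "root-a", "pid": 4420, "type": "shellcode_thread"},
    {"host": "ws01", "tree": "root-a", "pid": 4433, "type": "malicious_file"},
    # Three PIDs but only one alert type: must not fire.
    {"host": "ws01", "tree": "root-b", "pid": 5001, "type": "malicious_file"},
    {"host": "ws01", "tree": "root-b", "pid": 5002, "type": "malicious_file"},
    {"host": "ws01", "tree": "root-b", "pid": 5003, "type": "malicious_file"},
    # Same tree id on another host: grouped separately, only two PIDs here.
    {"host": "ws02", "tree": "root-a", "pid": 7001, "type": "shellcode_thread"},
    {"host": "ws02", "tree": "root-a", "pid": 7002, "type": "malicious_file"},
]


def correlate_process_tree_alerts(alerts, min_types=2, min_pids=3):
    """Group alerts by (host, process tree) and return the groups with at
    least `min_types` distinct alert types and `min_pids` distinct PIDs."""
    groups = defaultdict(lambda: {"types": set(), "pids": set()})
    for a in alerts:
        g = groups[(a["host"], a["tree"])]   # host is part of the key
        g["types"].add(a["type"])
        g["pids"].add(a["pid"])
    hits = []
    for (host, tree), g in sorted(groups.items()):
        if len(g["types"]) >= min_types and len(g["pids"]) >= min_pids:
            hits.append({"host": host, "tree": tree,
                         "alert_types": sorted(g["types"]),
                         "pid_count": len(g["pids"])})
    return hits


if __name__ == "__main__":
    for hit in correlate_process_tree_alerts(SAMPLE_ALERTS):
        print(hit)
```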
✎ Modified rules
The web shell detection rule was updated to include ‘ArcSOC.exe’ as a parent process. This change extends coverage to identify command-line interpreters spawned from ESRI ArcGIS Server, a common indicator of web shell execution. (Web Shell Detection: Script Process Child of Common Web Processes)
Personal repositories (4)
benscha/KQLAdvancedHunting (+1)
+ New rules
A new KQL query adds human-readable descriptions for Azure AD sign-in error codes. It enriches events from the AADSignInEventsBeta table with an ‘ErrorDescription’ field from an external lookup, simplifying investigation of authentication failures. (Enrich AADSTS Error Code Description)
RussianPanda95/Yara-Rules (+3)
+ New rules
Three new YARA rules detect malware payloads used in VMware ESXi exploitation. The rules identify the Windows-based MAESTRO payload and ‘MyDriver.sys’ driver, along with the Linux-based VSOCKpuppet payload. Detection logic is based on file headers (PE and ELF) and unique strings within the binaries related to commands, system information, and error handling. (MAESTRO, VSOCKpuppet, MyDriverSys)
rabbitstack/fibratus (+1, ✎22)
+ New rules
A new rule detects when an unprivileged process spawns a child process with a protected integrity level. This is anomalous and often indicates malware attempting to tamper with or disable endpoint security products by creating a process that is difficult to terminate or inspect. (Suspicious protected process execution)
✎ Modified rules
Multiple rules for detecting credential access techniques were updated to correct process context logic. These rules target LSASS dumping via WerFault and process cloning, SAM hive access, and credential theft from the Windows Credential Manager. The modifications correct field references for parent, child, and current processes, improving detection accuracy. (Credential discovery via VaultCmd tool, Potential SAM hive dumping, Suspicious Vault client DLL load, Credentials access from backups via Rundll32, LSASS process clone creation via reflection, LSASS memory dump via Windows Error Reporting)
Detections for attack chains starting from Microsoft Office applications were improved. These rules identify malicious macro execution, payload dropping, and defense evasion using WMI. Updates focused on refining the parent-child process logic to correctly identify the Office application as the source of subsequent malicious activity. (Macro execution via script interpreter, Process spawned from macro-enabled Microsoft Office document, Suspicious execution via WMI from a Microsoft Office process, Microsoft Office file execution via WMI, Microsoft Office file execution via script interpreter, Execution via Microsoft Office process)
Rules targeting defense evasion via trusted Windows system binaries were updated. Detections cover malicious script execution using mshta.exe, regsvr32.exe, wmic.exe, and rundll32.exe, along with persistence via Netsh Helper DLLs. The changes align rule logic with event schema updates by correcting process attribute fields. (Regsvr32 scriptlet execution, Suspicious XSL script execution, Suspicious HTML Application script execution, System Binary Proxy Execution via Rundll32, Suspicious Netsh Helper DLL execution)
Detection logic for several advanced evasion and injection techniques was refined. This includes rules for Process Doppelganging (T1055.013), CLR-based code injection, and module proxying. The updates improve event correlation within sequences, for example, by more accurately linking file creation events to subsequent process spawns. (Suspicious access to the hosts file, DLL loaded via a callback function, Potential injection via .NET debugging, Potential Process Doppelganging, Potential ClickFix infection chain via Run window)
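The two-stage sequence logic behind the Office rules above (file written by an Office process, then executed by that same process) and the file-creation-to-process-spawn linking mentioned for the sequence updates, as an added Python example over a constructed event stream; this is not a Fibratus rule (Fibratus has its own filter language), and the `OFFICE_IMAGES` set, the 60-second window and the event field names are assumptions:

```python
from collections import defaultdict

# Assumed values (not taken from Fibratus): Office image names and the window.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOW_SECONDS = 60

# Constructed sample events; `ts` is seconds, `pid`/`image` describe the process
# that acted, `child_*` the process it spawned.
SAMPLE_EVENTS = [
    {"ts": 10, "kind": "file_create", "pid": 300, "image": "WINWORD.EXE",
     "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"ts": 20, "kind": "process_create", "pid": 300, "image": "WINWORD.EXE",
     "child_pid": 412, "child_image": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    # Same pattern from Explorer: not an Office actor, so it must not fire.
    {"ts": 30, "kind": "file_create", "pid": 500, "image": "explorer.exe",
     "path": r"C:\Users\u\Downloads\setup.exe"},
    {"ts": 35, "kind": "process_create", "pid": 500, "image": "explorer.exe",
     "child_pid": 611, "child_image": r"C:\Users\u\Downloads\setup.exe"},
    # Office drop executed far outside the window: no sequence.
    {"ts": 40, "kind": "file_create", "pid": 301, "image": "EXCEL.EXE",
     "path": r"C:\Users\u\AppData\Local\Temp\old.exe"},
    {"ts": 200, "kind": "process_create", "pid": 301, "image": "EXCEL.EXE",
     "child_pid": 700, "child_image": r"C:\Users\u\AppData\Local\Temp\old.exe"},
]


def office_drop_and_execute(events, window=WINDOW_SECONDS):
    """Stage 1: an Office process writes a file. Stage 2: the same process
    spawns a child whose image is that file within `window` seconds.
    The Office check is applied to the acting (parent) process in both
    stages, never to the child; mixing up those fields is the kind of
    process-context defect the rule updates correct."""
    pending = defaultdict(dict)          # pid -> {lowercased path: write ts}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"].lower() not in OFFICE_IMAGES:
            continue
        if ev["kind"] == "file_create":
            pending[ev["pid"]][ev["path"].lower()] = ev["ts"]
        elif ev["kind"] == "process_create":
            written = pending[ev["pid"]].get(ev["child_image"].lower())
            if written is not None and ev["ts"] - written <= window:
                hits.append({"office_pid": ev["pid"], "office_image": ev["image"],
                             "child_pid": ev["child_pid"],
                             "dropped": ev["child_image"]})
    return hits
```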
Neo23x0/signature-base (+1)
+ New rules
A new YARA rule detects the CoralWave loader. The rule identifies the malware through its masquerading as a Lenovo audio DLL, using hardcoded stub strings and fake export function names. It also detects artifacts of its payload, the Remcos RAT, including a specific mutex and filenames. (MAL_CoralWave_LenovoSPKVOL_RemcosMicDrop)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.


Really solid roundup of detection engineering updates across these repos. The KQL enrichment for AADSTS error codes is particularly clever since those raw codes are basically useless for triaging failed auth attempts without constantly looking them up. I've spent way too much time hunting down what ErrorCode 50126 actually means in the middle of an incident. Adding that lookup directly into the query saves like 10 steps and makes it way easier to spot patterns when authentication failures spike.