Detections Digest #20260112
The issue highlights key updates from 5 repos, including 27 new and 229 🔥 modified Elastic, Splunk, Sublime Security and Fibratus detection rules.
This week’s update highlights the most significant changes to detection rules from 5 of the 50+ monitored GitHub repositories. Between Jan 5 and Jan 12, 2026, contributors added 27 new rules and updated 229 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Elastic published a major update for Linux detections, with a strong focus on reducing false positives in existing rules. Modifications for persistence, privilege escalation, and defense evasion add exclusions for common administrative and container tools. New rules cover techniques such as system discovery with ‘dmidecode’, data collection via audio-recording utilities, and persistence using the ‘trap’ command. (elastic/detection-rules)
Email security rules were added to detect phishing attempts targeting legitimate services such as GoDaddy and SendGrid. Other new rules identify specific evasion tactics, including Unicode-based link obfuscation and suspicious PDFs generated by HeadlessChrome. Existing detections for brand impersonation, BEC, and the GoPhish framework were also refined. (sublime-security/sublime-rules)
Coverage for advanced Windows evasion and persistence techniques was broadened. New rules detect Process Doppelganging via NTFS transaction events and AppDomain Manager hijacking by spotting related artifact creation. Detections for malicious and vulnerable driver loading (BYOVD) were updated with new file hashes and names. (splunk/security_content, magicsword-io/LOLDrivers, rabbitstack/fibratus)
New higher-order rules correlate security alerts to find evidence of larger attacks. The logic links alerts across different hosts to identify potential lateral movement. Other rules flag hosts that generate multiple distinct EDR alerts or trigger a high-risk behavior alert for the first time. (elastic/detection-rules)
🚀 Make updates from this digest operational →
All detection rules from this digest are available in CTIChef’s MISP and STIX/TAXII feeds, ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+4, ✎7)
elastic/detection-rules (+21, ✎213)
splunk/security_content (+1, ✎4)
magicsword-io/LOLDrivers (✎5)
rabbitstack/fibratus (+1)
Corporate repositories (4)
sublime-security/sublime-rules (+4, ✎7)
+ New rules
New rules target the abuse of legitimate email infrastructure for malicious campaigns. One rule detects phishing and extortion emails sent from authenticated GoDaddy services by analyzing link text and content. Another identifies potential SendGrid abuse by flagging emails from free providers routed through its infrastructure. (Service Abuse: GoDaddy infrastructure, Service abuse: Free provider with SendGrid routing)
Two new rules detect specific phishing and evasion tactics. One rule identifies link text obfuscation that uses Unicode right-to-left mark characters. The other rule detects potentially malicious PDFs created by HeadlessChrome by inspecting file metadata for indicative titles like ‘about:blank’ or MD5-like strings. (Link: Display text with excessive right-to-left mark characters, Attachment: PDF with suspicious HeadlessChrome metadata)
✎ Modified rules
Detection of brand-impersonation phishing was improved across multiple rules. Coverage now includes Adobe lures with embedded images, SharePoint notifications that threaten file deletion, and Twilio/SendGrid impersonation via service capacity warnings. Sender prevalence logic for SendGrid impersonation was also refined to reduce false negatives. (Service abuse: SendGrid impersonation via Sendgrid from new sender, Attachment: Adobe image lure in body or attachment with suspicious link, Brand impersonation: SendGrid, Brand impersonation: Sharepoint)
Two rules targeting Business Email Compromise (BEC) were updated for accuracy. The rule for fake email threads now excludes Mimecast secure messages, reducing false positives. The thread-hijacking rule was modified to more reliably identify new malicious participants by using structured header data rather than regular expressions. (Fake thread with suspicious indicators, Vendor impersonation: Thread hijacking with typosquat domain)
Detection for the GoPhish phishing framework was broadened. The rule now identifies tracking links using the ‘mid’ query parameter, a variant found in the evilgophish tool, in addition to the standard ‘rid’ parameter. (Link: GoPhish query param values)
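The two link checks above (right-to-left mark padding in display text, and GoPhish-style tracking parameters) can be reproduced outside Sublime as a small link inspector. The code below is an added example written for this digest; it is not a Sublime rule and does not use MQL. The RTL threshold, the extra bidi controls beyond U+200F, the 7-character alphanumeric shape assumed for ‘rid’/‘mid’ values, and the sample links are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Bidi control characters that change how link text is rendered. U+200F is the
# right-to-left mark the Sublime rule is named for; the other three are an
# extension of this example (assumed to be equally suspicious in link text).
RTL_CONTROLS = ("\u200f", "\u202b", "\u202e", "\u2067")
RTL_THRESHOLD = 3  # assumed cut-off for "excessive"; not Sublime's value

# Assumed GoPhish tracker shape: 'rid' (stock GoPhish) or 'mid' (evilgophish)
# carrying a short alphanumeric value.
GOPHISH_PARAMS = ("rid", "mid")
GOPHISH_VALUE = re.compile(r"^[A-Za-z0-9]{7}$")


def rtl_mark_count(display_text: str) -> int:
    """Number of bidi control characters in the visible link text."""
    return sum(display_text.count(c) for c in RTL_CONTROLS)


def has_excessive_rtl_marks(display_text: str) -> bool:
    return rtl_mark_count(display_text) >= RTL_THRESHOLD


def gophish_param(url: str):
    """Return (param, value) when the URL carries a GoPhish-style tracking id, else None."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name in GOPHISH_PARAMS:
        for value in query.get(name, []):
            if GOPHISH_VALUE.match(value):
                return name, value
    return None


def inspect_links(links):
    """links: iterable of (display_text, href). Returns [(href, [finding, ...]), ...]."""
    results = []
    for text, href in links:
        findings = []
        if has_excessive_rtl_marks(text):
            findings.append(f"rtl_marks={rtl_mark_count(text)}")
        hit = gophish_param(href)
        if hit is not None:
            findings.append(f"gophish_{hit[0]}={hit[1]}")
        if findings:
            results.append((href, findings))
    return results


# Constructed sample links for illustration (not real campaign data).
SAMPLE_LINKS = [
    ("Review document", "https://example.test/docs/1"),
    # display text padded with right-to-left marks
    ("\u200f\u200f\u200fpdf.xcod\u200f", "https://example.test/open"),
    ("Track shipment", "https://track.example.test/?rid=Ab3dEf9"),
    ("Unsubscribe", "https://mail.example.test/u?mid=Zz9Yy8X&ref=1"),
    ("Login", "https://example.test/?rid=toolongvalue123"),  # wrong shape, not flagged
]

if __name__ == "__main__":
    for href, findings in inspect_links(SAMPLE_LINKS):
        print(href, ", ".join(findings))
```

The value-shape check matters more than the parameter name: plenty of legitimate mailers use ‘rid’ or ‘mid’ for other purposes, so matching only on the name would be noisy.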
elastic/detection-rules (+21, ✎213)
+ New rules
A set of new rules monitors GitHub audit logs for anomalous and malicious activities. Detections cover potential credential compromise via activity from new IP addresses, data exfiltration through mass repository cloning or by changing private repositories to public, persistence via new Personal Access Token creation, and disruptive or evasive actions such as disabling secret scanning, mass-closing of pull requests, and force pushes to protected branches. (High Number of Closed Pull Requests by User, Github Activity on a Private Repository from an Unusual IP, GitHub Exfiltration via High Number of Repository Clones by User, GitHub Private Repository Turned Public, New GitHub Personal Access Token (PAT) Added, High Number of Protected Branch Force Pushes by User, GitHub Secret Scanning Disabled, Several Failed Protected Branch Force Pushes by User)
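Most of the GitHub rules above are threshold rules: count one audit-log action per actor inside a time window and alert when the count is high, plus a simple field match for the visibility change. The following is an added example written for this digest, not Elastic's rule logic or query language. The audit-log action strings (‘git.clone’, ‘pull_request.close’, ‘repo.access’), the thresholds, the windows, and the events themselves are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events shaped like GitHub audit-log export rows (not real data).
# Field names follow the export (action, actor, repo, @timestamp); the action
# strings are assumed to be the ones the Elastic rules key on.
EVENTS = (
    [{"@timestamp": ts(f"2026-01-08T10:0{i}:00"), "action": "git.clone",
      "actor": "mallory", "repo": f"acme/repo-{i}"} for i in range(6)]
    + [{"@timestamp": ts("2026-01-08T10:00:00"), "action": "git.clone",
        "actor": "alice", "repo": "acme/repo-0"},
       {"@timestamp": ts("2026-01-08T11:00:00"), "action": "git.clone",
        "actor": "alice", "repo": "acme/repo-1"}]
    + [{"@timestamp": ts(f"2026-01-08T12:00:{10 * i:02d}"), "action": "pull_request.close",
        "actor": "bob", "repo": "acme/repo-2"} for i in range(4)]
    + [{"@timestamp": ts("2026-01-08T13:00:00"), "action": "repo.access",
        "actor": "mallory", "repo": "acme/secret", "visibility": "public"}]
)


def burst_by_actor(events, action, window, threshold):
    """Sliding-window count of `action` per actor; returns {actor: peak_count}
    for actors whose count within any `window` reaches `threshold`."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["action"] == action:
            per_actor[e["actor"]].append(e["@timestamp"])
    hits = {}
    for actor, times in per_actor.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            n = end - start + 1
            if n >= threshold:
                hits[actor] = max(hits.get(actor, 0), n)
    return hits


def private_repos_turned_public(events):
    """repo.access rows whose new visibility is public."""
    return [e for e in events
            if e["action"] == "repo.access" and e.get("visibility") == "public"]


def run(events):
    # Thresholds and windows are assumptions for this example, not the rules' values.
    return {
        "mass_clone": burst_by_actor(events, "git.clone", timedelta(minutes=10), 5),
        "mass_pr_close": burst_by_actor(events, "pull_request.close", timedelta(minutes=5), 3),
        "turned_public": [e["repo"] for e in private_repos_turned_public(events)],
    }


if __name__ == "__main__":
    for name, result in run(EVENTS).items():
        print(name, result)
```

The same burst_by_actor() call serves the force-push rules by swapping the action string; when tuning, baseline each actor's normal clone and PR volume first, since CI service accounts will otherwise dominate the alerts.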
New detections target adversary tactics on Linux and macOS systems. These rules identify system discovery using ‘dmidecode’, data collection via audio or video recording utilities launched by uncommon processes, persistence using the ‘trap’ command, exfiltration with ‘wget’, credential access through SSH password spraying, and defense evasion by deleting user accounts. (Trap Signals Execution, Linux Video Recording or Screenshot Activity Detected, Linux Audio Recording Activity Detected, Potential Password Spraying Attack via SSH, Linux User or Group Deletion, System Information Discovery via dmidecode from Parent Shell, Potential Data Exfiltration Through Wget)
New higher-order rules correlate security alerts to identify significant threats. Detections include potential lateral movement by linking alerts across different hosts, identifying hosts with multiple distinct EDR alerts from sources like CrowdStrike or SentinelOne, and flagging high-risk SIEM or Elastic Defend behavior alerts that are observed for the first time. (Suspected Lateral Movement from Compromised Host, Newly Observed Elastic Defend Behavior Alert, Multiple External EDR Alerts by Host, Newly Observed High Severity Detection Alert)
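Higher-order rules run over alerts rather than raw events, so they can be sketched with a few passes over alert records. The code below is an added example written for this digest, not Elastic's correlation logic. The alert records, the connection events, the distinct-alert threshold, the time window, and in particular the lateral-movement linkage (alert on host A, then a connection A to B, then an alert on B) are assumptions chosen for illustration; Elastic's actual rule may link hosts differently.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


EDR_SOURCES = {"crowdstrike", "sentinelone", "elastic_defend"}

# Constructed alert records (not real data). Field names are a flattened stand-in
# for the ECS fields Elastic alerts carry (host.name, event.module, rule.name).
ALERTS = [
    {"ts": ts("2026-01-08T09:00:00"), "host": "ws01", "source": "crowdstrike", "rule": "Credential Theft", "severity": "high"},
    {"ts": ts("2026-01-08T09:05:00"), "host": "ws01", "source": "sentinelone", "rule": "LSASS Access", "severity": "high"},
    {"ts": ts("2026-01-08T09:07:00"), "host": "ws01", "source": "crowdstrike", "rule": "Credential Theft", "severity": "high"},
    {"ts": ts("2026-01-08T09:10:00"), "host": "ws01", "source": "elastic_defend", "rule": "Suspicious PowerShell", "severity": "medium"},
    {"ts": ts("2026-01-08T09:30:00"), "host": "srv02", "source": "crowdstrike", "rule": "Remote Service Creation", "severity": "high"},
    {"ts": ts("2026-01-08T11:00:00"), "host": "ws03", "source": "siem", "rule": "Kerberoasting Attempt", "severity": "high"},
]

# Constructed network-connection events: (timestamp, source host, destination host).
CONNECTIONS = [
    (ts("2026-01-08T09:20:00"), "ws01", "srv02"),
    (ts("2026-01-08T10:00:00"), "ws03", "srv02"),
]


def hosts_with_distinct_edr_alerts(alerts, min_distinct=3):
    """Hosts that raised >= min_distinct different EDR rules (threshold assumed)."""
    distinct = defaultdict(set)
    for a in alerts:
        if a["source"] in EDR_SOURCES:
            distinct[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in distinct.items() if len(r) >= min_distinct}


def newly_observed_high_severity(alerts, baseline):
    """High-severity rule names firing for the first time relative to a baseline set."""
    seen = set(baseline)
    new = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["severity"] == "high" and a["rule"] not in seen:
            new.append(a["rule"])
            seen.add(a["rule"])
    return new


def suspected_lateral_movement(alerts, connections, window=timedelta(hours=1)):
    """Assumed correlation: an alert on host A, then a connection A -> B, then an
    alert on B, with both alerts within `window` of the connection."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a["ts"])
    pairs = set()
    for conn_ts, src, dst in connections:
        src_before = any(conn_ts - window <= t <= conn_ts for t in by_host.get(src, []))
        dst_after = any(conn_ts <= t <= conn_ts + window for t in by_host.get(dst, []))
        if src_before and dst_after:
            pairs.add((src, dst))
    return sorted(pairs)


if __name__ == "__main__":
    print(hosts_with_distinct_edr_alerts(ALERTS))
    print(newly_observed_high_severity(ALERTS, {"Credential Theft"}))
    print(suspected_lateral_movement(ALERTS, CONNECTIONS))
```

The "newly observed" check is only as good as its baseline: seed it from a long enough history (weeks, not hours) or every rule fires once on day one.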
Two new rules detect adversary techniques for stealth and persistence. One rule identifies process execution with trailing spaces in filenames, a method used to disguise malicious executables on Linux and macOS. The other detects modifications to Windows mandatory user profile hives (NTUSER.MAN) made by non-SYSTEM processes to establish persistence. (Processes with Trailing Spaces, Potential Persistence via Mandatory User Profile)
✎ Modified rules
Multiple rules targeting Linux persistence mechanisms were updated, primarily to reduce false positives. These updates add extensive exclusions for legitimate processes related to package managers (apt, dpkg, rpm), container runtimes (docker, podman), configuration management (puppet, ansible), and system services. The changes refine detections for techniques such as cron job modification, service and boot script manipulation, user account backdooring via authorized_keys, and malicious use of package manager hooks. Some rules also had risk scores adjusted or data source support expanded. (Cron Job Created or Modified, Chkconfig Service Add, System V Init Script Created, GRUB Configuration Generation through Built-in Utilities, GRUB Configuration File Creation, rc.local/rc.common File Creation, Suspicious rc.local Error Message, etc)
Detections for various privilege escalation paths on Linux were refined. Updates address SUID/SGID binary abuse, sudoers file modification, and privilege escalation through Linux capabilities manipulation (setcap). Several rules targeting container escape and abuse, such as using nsenter, mounting from within a container, and running privileged containers, were tuned with new exclusions to improve accuracy. Risk scores for some of these high-impact activities were increased. (SUID/SGID Bit Set, Privilege Escalation via SUID/SGID, Potential Privilege Escalation via SUID/SGID Proxy Execution, Potential Privilege Escalation via Python cap_setuid, Sudoers File Activity, Process Capability Set via setcap Utility, etc)
A group of rules for network tunneling and traffic redirection on Linux was updated. Detections for tools like ProxyChains, EarthWorm, and Chisel, along with techniques such as SSH tunneling and IP forwarding, were improved. Changes focused on increasing risk scores to better reflect the threat and adding exclusions for legitimate administrative tools like Proxmox and Ansible to reduce false positives. (ProxyChains Activity, Suspicious Utility Launched via ProxyChains, Potential Linux Tunneling and/or Port Forwarding via SSH Option, Potential Protocol Tunneling via EarthWorm, Potential Protocol Tunneling via Chisel Client, IPv4/IPv6 Forwarding Activity)
Coverage for defense evasion on Linux and macOS was improved through numerous rule updates. Detections for disabling security services like syslog, auditd, firewalls, AppArmor, and SELinux were broadened. Rules targeting evidence removal, such as clearing shell history or the dmesg buffer, were tuned. Other updates focused on file manipulation techniques including timestomping with ‘touch’, setting file immutability with ‘chattr’, and payload obfuscation. The risk scores for many of these rules were raised. (Attempt to Disable Syslog Service, Attempt to Disable Auditd Service, Attempt to Disable IPTables or Firewall, Potential Disabling of AppArmor, Potential Disabling of SELinux, etc)
Detections for credential access, reconnaissance, and brute-force attacks saw significant updates. This includes improved detection for memory dumping tools, searching for credentials (SSH, AWS, Kubernetes secrets) within containers, and reconnaissance of system services. Brute-force rules for SSH, local user accounts (‘su’), and Microsoft Entra ID were tuned by adjusting thresholds and time windows to improve accuracy. The severity and risk scores of many of these rules were increased to reflect a higher impact. (Potential Linux Credential Dumping via Unshadow, Potential Linux Credential Dumping via Proc Filesystem, Manual Memory Dumping via Proc Filesystem, Linux init (PID 1) Secret Dump via GDB, Potential Shadow File Read via Command Line Utilities, etc)
splunk/security_content (+1, ✎4)
+ New rules
A new rule detects AppDomain Manager hijacking. The detection identifies the creation of an executable, a configuration file, and a DLL in the same directory, particularly in temporary or public folders. It uses Sysmon file creation events (EventID 11) to find this pattern, which indicates an attempt to load a malicious assembly into a trusted application’s domain. (Windows Potential AppDomainManager Hijack Artifacts Creation)
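The artifact pattern is easy to state and to test: within one directory, an .exe, a `<name>.exe.config` for that same .exe, and a .dll written close together in time, scoped to locations where a legitimate installer is unlikely to be working. The code below is an added example written for this digest, not the Splunk SPL search. The Sysmon fields are modelled after Event ID 11 (Image, TargetFilename, UtcTime), while the suspicious-directory list, the time window, and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Directory markers treated as "temporary or public" and the time window are
# assumptions for this example, not the values in the Splunk detection.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\appdata\\local\\temp\\")
WINDOW = timedelta(minutes=5)


def ev(t, image, target):
    """Constructed Sysmon Event ID 11 (FileCreate) record; only the needed fields."""
    return {"EventID": 11, "UtcTime": datetime.fromisoformat(t),
            "Image": image, "TargetFilename": target}


# Constructed telemetry (not real data).
EVENTS = [
    ev("2026-01-08T10:00:00", "C:\\Users\\u\\Downloads\\inv.exe", "C:\\Users\\Public\\upd\\viewer.exe"),
    ev("2026-01-08T10:00:01", "C:\\Users\\u\\Downloads\\inv.exe", "C:\\Users\\Public\\upd\\viewer.exe.config"),
    ev("2026-01-08T10:00:02", "C:\\Users\\u\\Downloads\\inv.exe", "C:\\Users\\Public\\upd\\mgr.dll"),
    # an installer writing the same trio under Program Files: out of scope
    ev("2026-01-08T10:10:00", "C:\\Windows\\Temp\\setup.exe", "C:\\Program Files\\App\\app.exe"),
    ev("2026-01-08T10:10:01", "C:\\Windows\\Temp\\setup.exe", "C:\\Program Files\\App\\app.exe.config"),
    ev("2026-01-08T10:10:02", "C:\\Windows\\Temp\\setup.exe", "C:\\Program Files\\App\\core.dll"),
    # temp drop without a .config: incomplete pattern
    ev("2026-01-08T10:20:00", "C:\\Users\\u\\Downloads\\x.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\t\\run.exe"),
    ev("2026-01-08T10:20:01", "C:\\Users\\u\\Downloads\\x.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\t\\run.dll"),
]


def in_suspicious_dir(path):
    low = path.lower()
    return any(marker in low for marker in SUSPICIOUS_DIRS)


def appdomain_hijack_candidates(events, window=WINDOW):
    """Directories in suspicious locations that received an .exe, its matching
    <exe>.config and a .dll within `window` of each other."""
    by_dir = defaultdict(list)
    for e in events:
        if e["EventID"] == 11 and in_suspicious_dir(e["TargetFilename"]):
            by_dir[ntpath.dirname(e["TargetFilename"]).lower()].append(e)
    hits = []
    for d, recs in by_dir.items():
        names = {ntpath.basename(r["TargetFilename"]).lower(): r["UtcTime"] for r in recs}
        for exe, t_exe in names.items():
            if not exe.endswith(".exe"):
                continue
            cfg = exe + ".config"
            if cfg not in names:
                continue
            for dll, t_dll in names.items():
                if not dll.endswith(".dll"):
                    continue
                times = [t_exe, names[cfg], t_dll]
                if max(times) - min(times) <= window:
                    hits.append({"dir": d, "exe": exe, "config": cfg, "dll": dll,
                                 "writers": sorted({r["Image"] for r in recs})})
    return hits


if __name__ == "__main__":
    for h in appdomain_hijack_candidates(EVENTS):
        print(h)
```

Requiring the .config to be named after the .exe is what separates this from a generic "three files in a temp folder" match; the AppDomainManager redirection lives in that application config file.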
✎ Modified rules
Detection of malicious Windows driver activity has been improved across three rules. Updates include monitoring a wider range of critical system directories for dropped extensionless files, broadening command-line checks for kernel driver installation via sc.exe, and refining logic to focus on drivers loaded from suspicious paths. (Windows File Without Extension In Critical Folder, Windows Service Create Kernel Mode Driver, Windows Suspicious Driver Loaded Path)
A rule detecting DNS queries to AI platform domains was updated to include api.openai.com. The logic was also refined to use a lookup to exclude queries from known browser processes, improving its accuracy. (Windows AI Platform DNS Query)
magicsword-io/LOLDrivers (✎5)
✎ Modified rules
Detection coverage for malicious and vulnerable driver loading was expanded across multiple rules. The updates synchronize lists of known bad driver filenames and file hashes with threat intelligence from the LOLDrivers project. This improves detection of privilege escalation techniques, such as Bring Your Own Vulnerable Driver (BYOVD). (Malicious Driver Load By Name, Vulnerable Driver Load By Name, Malicious Driver Load Despite HVCI, Malicious Driver Load, Vulnerable Driver Load Despite HVCI)
Personal repositories (1)
rabbitstack/fibratus (+1)
+ New rules
A new rule detects the Process Doppelganging technique. It identifies a sequence of events starting with a file creation within an NTFS transaction, followed by a process spawn in which the process name differs from its executable file’s base name. This targets adversary use of TxF APIs for evasion. (Process creation via NTFS transaction)
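The sequence can be expressed as a small stateful check over process and file events: remember the latest transacted file creation per process, then compare the name of any process that process subsequently spawns against the base name of its executable path. The code below is an added example written for this digest, not the Fibratus rule or its filter language. The event shape (a `transacted` flag on CreateFile, `name` and `exe` on CreateProcess), the time window, and the sample events are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Constructed events loosely modelled on kernel telemetry (not real captures and
# not Fibratus's field names): CreateFile carries a `transacted` flag, and
# CreateProcess carries the creating pid plus the new process's name and path.
EVENTS = [
    {"ts": ts("2026-01-08T10:00:00"), "type": "CreateFile", "pid": 4100,
     "file": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe", "transacted": True},
    {"ts": ts("2026-01-08T10:00:01"), "type": "CreateProcess", "pid": 4100,
     "child_pid": 4188, "name": "svchost.exe", "exe": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.exe"},
    # ordinary, non-transacted write followed by a normal spawn: not flagged
    {"ts": ts("2026-01-08T10:05:00"), "type": "CreateFile", "pid": 5200,
     "file": "C:\\Users\\u\\Downloads\\tool.exe", "transacted": False},
    {"ts": ts("2026-01-08T10:05:01"), "type": "CreateProcess", "pid": 5200,
     "child_pid": 5230, "name": "tool.exe", "exe": "C:\\Users\\u\\Downloads\\tool.exe"},
    # transacted file, but the spawn is consistent and well outside the window: not flagged
    {"ts": ts("2026-01-08T10:10:00"), "type": "CreateFile", "pid": 6000,
     "file": "C:\\ProgramData\\x\\a.exe", "transacted": True},
    {"ts": ts("2026-01-08T10:30:00"), "type": "CreateProcess", "pid": 6000,
     "child_pid": 6010, "name": "a.exe", "exe": "C:\\ProgramData\\x\\a.exe"},
]


def doppelganging_sequences(events, window=timedelta(seconds=30)):
    """Transacted file creation by pid P, followed within `window` (assumed) by a
    process P spawns whose name differs from its executable's base name."""
    pending = {}  # pid -> (timestamp, file) of the most recent transacted create
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "CreateFile" and e.get("transacted"):
            pending[e["pid"]] = (e["ts"], e["file"])
        elif e["type"] == "CreateProcess":
            tx = pending.get(e["pid"])
            if tx is None:
                continue
            tx_ts, tx_file = tx
            name_mismatch = e["name"].lower() != ntpath.basename(e["exe"]).lower()
            if e["ts"] - tx_ts <= window and name_mismatch:
                hits.append({"parent_pid": e["pid"], "child_pid": e["child_pid"],
                             "transacted_file": tx_file, "name": e["name"], "exe": e["exe"]})
    return hits


if __name__ == "__main__":
    for h in doppelganging_sequences(EVENTS):
        print(h)
```

Both conditions are needed: transacted file writes alone are legitimate (TxF is still used by some installers), and a name/path mismatch alone also occurs with some hollowing-style techniques that never touch a transaction.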
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.


Great consolidated overview of the recent detection rule changes. The Elastic updates around reducing false positives with container tool exclusions are something I've been dealing with in our environment where legitimate Ansible and Docker operations kept triggering persistence alerts. The new correlation rules for lateral movement detection across hosts look promising because right now tracking attack paths manually across different EDR alerts is tedious and error-prone.