Detections Digest #20260119
The issue highlights key updates from 9 repos, including 30 new and 38 modified YARA, KQL, Splunk, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 9 of the 50+ monitored GitHub repositories. Between Jan 12 and Jan 19, 2026, contributors added 30 new rules and updated 38 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections target identity attacks in cloud environments, focusing on OAuth phishing in Microsoft Entra ID and M365. The rules identify suspicious authorization flows common in ConsentFix attacks. Other rules correlate Entra ID risk events with high-privilege actions like PIM elevation and device code authentication. (elastic/detection-rules, HybridBrothers/Hunting-Queries-Detection-Rules, benscha/KQLAdvancedHunting)
Windows endpoint coverage is growing with rules for defense evasion and persistence. New detections identify manipulation of Chrome security features, such as disabling updates or bypassing extension policies. Other rules target persistence via scheduled tasks created by unsigned executables and privilege escalation using known vulnerable drivers. (splunk/security_content, HybridBrothers/Hunting-Queries-Detection-Rules, elastic/detection-rules)
YARA rules were updated for specific malware families including Agent Tesla, MintsLoader, and ModeloRAT. Concurrently, behavioral rules for Cobalt Strike TTPs were refined. These rules now detect system processes like dllhost.exe or rundll32.exe executing without command-line arguments followed by a network connection. (kevoreilly/CAPEv2, RussianPanda95/Yara-Rules, splunk/security_content)
Email threat detection is shifting to include content analysis and post-delivery activity. New rules detect callback scam language, brand impersonation, and suspicious recipient patterns in RFQ scams. Another rule correlates a user clicking a phishing link with a subsequent suspicious sign-in from a new IP address. (sublime-security/sublime-rules, benscha/KQLAdvancedHunting, Sergio-Albea-Git/Threat-Hunting-KQL-Queries)
🤖 Make updates from this digest operational →
All detection rules from this digest are available in CTIChef’s MISP, STIX/TAXII and RSS feeds, ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
splunk/security_content (+4, ✎6)
elastic/detection-rules (+5, ✎22)
sublime-security/sublime-rules (+5, ✎2)
Corporate repositories (3)
splunk/security_content (+4, ✎6)
+ New rules
A new set of rules detects manipulation of Google Chrome security features on Windows. Three rules identify attempts to bypass extension policies by monitoring for command-line flags, such as ‘--load-extension’, or modifications to the ‘ExtensionInstallAllowlist’ registry key. A fourth rule detects the disabling of automatic browser updates via registry changes, a defense evasion technique. (Windows Chrome Enable Extension Loading via Command-Line, Windows Chromium Process Loaded Extension via Command-Line, Windows Chrome Extension Allowed Registry Modification, Windows Chrome Auto-Update Disabled via Registry)
✎ Modified rules
Detection for Cobalt Strike-related TTPs was improved across three rules targeting anomalous behavior of system processes. The rules for searchprotocolhost.exe, dllhost.exe, and rundll32.exe were updated to detect executions without command-line arguments followed by network connections. The Splunk queries now check both process_name and original_file_name fields and use more direct IN clauses instead of regex, improving query performance and detection reliability. (SearchProtocolHost with no Command Line with Network, DLLHost with no Command Line Arguments with Network, Rundll32 with no Command Line Arguments with Network)
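To show the updated Cobalt Strike TTP logic in runnable form, here is an added Python example (not from splunk/security_content, whose rules are SPL) that correlates constructed process-start and network events: a watched binary, matched on either process_name or original_file_name, that starts with no command-line arguments and then opens a connection within an assumed 60-second window.

```python
import re
from datetime import datetime, timedelta

# System binaries covered by the Splunk rules; matched against both name fields.
WATCHED = {"searchprotocolhost.exe", "dllhost.exe", "rundll32.exe"}
WINDOW = timedelta(seconds=60)  # assumed correlation window (not taken from the rules)

# Constructed sample telemetry, not real data: process starts and connections.
PROCESS_EVENTS = [
    {"ts": "2026-01-14T10:00:01", "host": "ws01", "pid": 4120, "process_name": "dllhost.exe",
     "original_file_name": "dllhost.exe", "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{CONSTRUCTED-GUID}"},
    {"ts": "2026-01-14T10:02:10", "host": "ws01", "pid": 5208, "process_name": "rundll32.exe",
     "original_file_name": "RUNDLL32.EXE", "cmdline": r'"C:\Windows\System32\rundll32.exe"'},
    # renamed copy: process_name misses, but original_file_name still matches
    {"ts": "2026-01-14T10:05:00", "host": "ws02", "pid": 6104, "process_name": "svc.exe",
     "original_file_name": "dllhost.exe", "cmdline": r"C:\Users\Public\svc.exe"},
    {"ts": "2026-01-14T10:07:00", "host": "ws02", "pid": 7000, "process_name": "searchprotocolhost.exe",
     "original_file_name": "SearchProtocolHost.exe", "cmdline": r'"C:\Windows\System32\SearchProtocolHost.exe"'},
]
NETWORK_EVENTS = [
    {"ts": "2026-01-14T10:00:05", "host": "ws01", "pid": 4120, "dest": "10.0.0.5:135"},
    {"ts": "2026-01-14T10:02:14", "host": "ws01", "pid": 5208, "dest": "203.0.113.10:443"},
    {"ts": "2026-01-14T10:05:09", "host": "ws02", "pid": 6104, "dest": "203.0.113.10:443"},
    {"ts": "2026-01-14T10:20:00", "host": "ws02", "pid": 7000, "dest": "198.51.100.7:80"},  # outside window
]

# First token is the image path (quoted or bare); anything after it is an argument.
_IMAGE_THEN_ARGS = re.compile(r'^\s*("[^"]*"|\S+)\s*(.*)$', re.S)

def has_no_arguments(cmdline):
    """True when the command line holds nothing beyond the image path."""
    m = _IMAGE_THEN_ARGS.match(cmdline or "")
    return m is not None and m.group(2).strip() == ""

def is_watched(ev):
    return ev["process_name"].lower() in WATCHED or ev["original_file_name"].lower() in WATCHED

def find_suspicious(process_events, network_events, window=WINDOW):
    """(host, pid, process_name, dest) for argument-less watched processes that connect within `window`."""
    hits = []
    for p in process_events:
        if not (is_watched(p) and has_no_arguments(p["cmdline"])):
            continue
        start = datetime.fromisoformat(p["ts"])
        for n in network_events:
            if (n["host"], n["pid"]) != (p["host"], p["pid"]):
                continue
            if start <= datetime.fromisoformat(n["ts"]) <= start + window:
                hits.append((p["host"], p["pid"], p["process_name"], n["dest"]))
    return hits
```

The pid 4120 start is ignored because dllhost.exe carries its usual /Processid argument, and pid 7000 is ignored because its connection falls outside the window.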
Rules detecting defense evasion via path and process name manipulation were updated. A rule for LOLBAS execution from non-standard paths now has an expanded exclusion list to reduce false positives. Detection for single-character executables now uses a predefined list for better query performance and coverage. A hunting query for path traversal in command lines, related to CVE-2022-30190, is now optimized to filter events earlier in the search. (Windows LOLBAS Executed Outside Expected Path, Single Letter Process On Endpoint, Windows Command and Scripting Interpreter Hunting Path Traversal)
elastic/detection-rules (+5, ✎22)
+ New rules
Three new rules detect OAuth phishing attacks, such as ConsentFix. They target suspicious authorization flows in Microsoft Entra ID and Microsoft 365 where trusted first-party applications or developer tools access Microsoft Graph and legacy Azure AD resources. This pattern is a known tactic for stealing authorization codes to gain access. (Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource, M365 Identity OAuth Phishing via First-Party Microsoft Application, Entra ID OAuth Phishing via First-Party Microsoft Application)
A new rule detects external network connections to Ollama LLM servers. The detection logic flags connections from non-private IP addresses to the default ‘ollama’ process port, 11434. This identifies instances exposed to unauthorized access, as Ollama has no built-in authentication. (Ollama API Accessed from External Network)
A new correlation rule identifies hosts with multiple security alerts sharing the same ATT&CK tactic. It groups alerts by tactic on a single host within a set time, helping to prioritize hosts that show signs of active intrusion. (Multiple Alerts in Same ATT&CK Tactic by Host)
✎ Modified rules
Eight stateful Windows endpoint detections had their lookback windows shortened, mostly from 14 to 5 days. This change makes the rules more sensitive to recent, novel behaviors for techniques like reconnaissance, persistence via scheduled tasks, and defense evasion with MSBuild or unexpected PowerShell engine loading. (Unusual Discovery Signal Alert with Unusual Process Executable, Microsoft Build Engine Started an Unusual Process, Microsoft Build Engine Started by a Script Process, Unusual Scheduled Task Update, Unusual Discovery Signal Alert with Unusual Process Command Line, Suspicious PowerShell Engine ImageLoad, Svchost spawning Cmd, Enumeration of Privileged Local Groups Membership)
Detections for identity attacks in cloud environments were improved. A rule for Okta was changed to a new_terms type to find previously unseen third-party Identity Providers. Rules for Microsoft Graph and Azure AD were refined to better detect potential OAuth token theft by shortening lookback windows and expanding application coverage. (Microsoft Graph Request Email Access by Unusual User and Client, M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs, Okta Sign-In Events via Third-Party IdP, Microsoft Graph Request User Impersonation by Unusual Client)
Multiple rules covering GitHub threats (bulk clones, force pushes, disabled secret scanning), SSH password spraying, and Linux account deletion were updated with detailed investigation guides. These guides provide structured steps for triage, analysis, and remediation. (GitHub Secret Scanning Disabled, GitHub Exfiltration via High Number of Repository Clones by User, Several Failed Protected Branch Force Pushes by User, High Number of Protected Branch Force Pushes by User, Potential Password Spraying Attack via SSH, Linux User or Group Deletion)
The logic for two detections was improved for accuracy. The rule for Alternate Data Stream (ADS) creation was rebuilt to target script interpreters, increasing its risk score from low to high. The internal port scanning rule was corrected to accurately count distinct sensitive ports. (Unusual File Creation - Alternate Data Stream, Potential Network Scan Detected)
The rule for Print Spooler vulnerabilities, including CVE-2020-1048, was updated. Alert suppression now uses file.name instead of file.path and the suppression window was shortened to 5 days. This alters how repeat alerts are generated for the same malicious filename in different locations. (Suspicious PrintSpooler Service Executable File Creation)
sublime-security/sublime-rules (+5, ✎2)
+ New rules
New rules detect various phishing and spam lures in inbound emails. Detection logic targets specific bracketed subject line patterns from automated systems, giveaway spam indicators like certain domains and keywords, and URL shorteners such as ‘breely.com’ disguised as PDF documents. (Subject: Suspicious bracketed reference, Spam: Commonly observed formatting of unauthorized free giveaways, Link: Breely link masquerading as PDF)
Detection is added for threats that abuse or impersonate legitimate business services. One rule uses an NLU classifier to identify callback scam language in emails sent from the GetAccept platform. Another detects Xodo Sign impersonation for credential phishing by checking body content combined with sender authentication status. (Service abuse: GetAccept callback scam content, Brand impersonation: Xodo Sign)
✎ Modified rules
Email threat detection is improved with updates to two rules. One rule now better detects credential phishing links by checking for URL fragments in /.well-known/ paths. Another rule adds logic to identify RFQ/RFP scams that use specific recipient patterns, such as an empty ‘To’ field and a single ‘CC’ recipient who is also the sender, to hide the mailing list. (Link: Common hidden directory observed, Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern)
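The recipient pattern described above, reimplemented as an added Python example (it is not the sublime-rules MQL itself): no To recipients and a single Cc address equal to the sender, combined with an RFQ/RFP subject. The sample headers are constructed, and the subject regex is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail); headers only, bodies omitted.
RFQ_HIDDEN_LIST = """\
From: "Procurement" <buyer@example-supplier.test>
To:
Cc: buyer@example-supplier.test
Subject: Request for Quotation - Urgent RFQ #CONSTRUCTED
"""
RFQ_NORMAL = """\
From: "Procurement" <buyer@example-supplier.test>
To: sales@example-vendor.test
Cc: manager@example-supplier.test
Subject: RFQ for replacement parts
"""
NOT_RFQ = """\
From: newsletter@example.test
To:
Cc: newsletter@example.test
Subject: Weekly update
"""

# Assumed subject keywords; the rule's own RFQ/RFP matching is not reproduced here.
RFQ_SUBJECT = re.compile(r"\b(RFQ|RFP|request for (quot(e|ation)|proposal))\b", re.I)

def _addrs(msg, header):
    """Lower-cased address list for a header; empty list if absent or blank."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]

def hidden_recipient_pattern(raw):
    """True for the recipient pattern the rule flags: no To recipients and
    exactly one Cc address that is the sender (the real list is hidden in Bcc)."""
    msg = message_from_string(raw)
    to, cc, sender = _addrs(msg, "To"), _addrs(msg, "Cc"), _addrs(msg, "From")
    return not to and len(cc) == 1 and bool(sender) and cc[0] == sender[0]

def is_rfq_scam_candidate(raw):
    """RFQ/RFP subject combined with the hidden-recipient pattern."""
    msg = message_from_string(raw)
    return bool(RFQ_SUBJECT.search(msg.get("Subject", ""))) and hidden_recipient_pattern(raw)
```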
Personal repositories (6)
HybridBrothers/Hunting-Queries-Detection-Rules (+9)
+ New rules
New detections correlate Microsoft Entra ID risk events with high-privilege actions. The rules identify device code authentications and Privileged Identity Management (PIM) escalations performed by accounts already flagged as risky, indicating potential account compromise. (Detect device code login with user risk, Detect PIM elevation with user risk (Defender XDR))
Two new rules detect persistence via Windows scheduled tasks using different methods. One identifies tasks created by unsigned, low-prevalence executables. The other establishes a baseline of normal schtasks creation to detect anomalous activity. (Detect Unsigned executable launch from scheduled task, Detect Rare scheduled task created)
New KQL rules detect lateral movement using low-prevalence process analysis. One rule monitors for uncommon processes making outbound connections over SMB or WinRM. Another rule detects rare processes executed by the WinRM service host (wsmprovhost.exe). (Detect Unknown process using SMB or WinRM, Detect Unknown process launched via WinRM)
A new rule detects the loading or creation of known vulnerable drivers. It uses a dynamic list of driver hashes from the LOLDrivers project and alerts when a matching driver is handled by an unsigned or low-prevalence process, indicating a potential privilege escalation attempt. (Detect LolDriver drop or load from unknown or unsigned process)
A new KQL rule detects system binary proxy execution using msiexec.exe. The detection identifies network connections originating from msiexec.exe when used with DLL registration flags (/y or /z), a technique for running malicious payloads. (Detect Msiexec executing DLL network connections)
benscha/KQLAdvancedHunting (+3, ✎2)
+ New rules
New rules target credential access on Windows systems. One rule detects suspicious process access to credential stores like the CloudAPCache for AzureAD. Another identifies certificate issuance to privileged Active Directory accounts by monitoring Windows Event ID 4886. (Suspicious Access to Credential Stores, Certificate Issued to Privileged User)
A new detection correlates email click events with subsequent sign-in logs. The rule identifies suspicious sign-ins from new or infrequent IP addresses that occur after a user interacts with a phishing email. (Suspicious Sign-in After Phishing Link Click)
✎ Modified rules
A KQL rule that detects certificate issuance to privileged Active Directory users was updated for Microsoft Sentinel. The query now enriches alerts with the requester’s machine name and other device context from the DeviceInfo table. More fields are also retained in the output for investigation. (Certificate Issued to Privileged User)
jkerai1/KQL-Queries (✎1)
✎ Modified rules
A KQL threat hunting query monitoring DLL loads was updated to include events for files without certificate data. The join logic was changed from inner to leftouter, providing a more complete dataset that includes potentially malicious, unsigned DLLs. (Monitor DLLs by Signer)
kevoreilly/CAPEv2 (✎5)
✎ Modified rules
Multiple YARA rules were added or modified to improve detection of the Agent Tesla infostealer. The rules identify different artifacts of the malware, including PE payloads for V2 and V3, a specific packed variant, and exfiltrated data logs. Detections are based on characteristic strings, function names, unique configuration blobs, specific byte sequences, and HTML formatting in log files. One rule was updated to detect configuration blobs in any file type, adding coverage for memory dumps and unpacked payloads. (agent_tesla, AgentTeslaV4)
RussianPanda95/Yara-Rules (+2)
+ New rules
New YARA rules were added to detect specific malware: one rule targets MintsLoader scripts by identifying PowerShell command fragments and C2 URI patterns, while another rule detects the ModeloRAT Python RAT by matching unique class and function names related to system discovery. (MintsLoader, ModeloRAT)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+2)
+ New rules
Two new KQL queries for Microsoft Defender XDR measure the value of public threat intelligence feeds. One query correlates file hash IOCs from sources like Bazaar Abuse.ch against email attachments, while the other correlates URL IOCs from feeds like Phishunt and Botvrij against email data. ([IA] - Threat Intelligence Feed Evaluation based on FileHashes IOCs, [IA] - Threat Intelligence Feed Evaluation based on URL IOCs)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.
Outstanding curation of detection updates across such a wide range of repos. The categorization by corporate vs personal repos and the consistent enumeration format makes it way easier to scan for relevant changes than going through commit logs directly. The OAuth phishing detection additions from Elastic are particularly timely given how ConsentFix-style attacks have been evolving. This digest format should be the standard for tracking detection engineering changes.