Detections Digest #20260126
The issue highlights key updates from 5 repos, including 33 new and 26 modified Sigma, Splunk, YARA, Elastic, and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 5 of the 50+ monitored GitHub repositories. Between Jan 19 and Jan 26, 2026, contributors added 33 new rules and updated 26 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
Cloud identity threat detections were refined for Azure and AWS. The Entra ID device code phishing rule now specifically finds concurrent sign-ins from multiple user agents in one session. A separate rule better detects unauthorized MFA device registration in O365 by monitoring additional audit properties. (elastic/detection-rules, splunk/security_content)
A new detection strategy surfaces novel threats by identifying previously unobserved alerts from network security products. These ESQL rules find high-severity alerts from Palo Alto, FortiGate, and Suricata that have not occurred in the last five days. The logic prioritizes low-frequency events for threat discovery. (elastic/detection-rules)
Coverage was added for specific exploits, tools, and malware. New rules detect post-exploitation activity on SAP NetWeaver systems, including web shell creation and execution. Detections were also added for OpenCanary honeypot reconnaissance, while new YARA rules identify OrcaC2 and the Pulsar RAT. (elastic/detection-rules, SigmaHQ/sigma, bartblaze/Yara-rules)
All detection rules from this digest are available in CTIChef’s MISP, STIX/TAXII and RSS feeds, ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
elastic/detection-rules (+5, ✎8)
splunk/security_content (✎2)
sublime-security/sublime-rules (+10, ✎11)
SigmaHQ/sigma (+15, ✎5)
bartblaze/Yara-rules (+3)
Corporate repositories (4)
elastic/detection-rules (+5, ✎8)
+ New rules
Two new rules detect post-exploitation activity on SAP NetWeaver systems, related to CVE-2025-31324. One rule identifies suspicious Java file creation in IRJ directories, indicative of a web shell. The other detects command interpreter execution from the SAP application context, signaling command execution via a deployed webshell. (Potential SAP NetWeaver WebShell Creation, Potential SAP NetWeaver Exploitation)
A set of three ESQL rules identifies novel, high-severity alerts from network security products. The rules detect Palo Alto PAN-OS, FortiGate, and Suricata alerts that have not been observed in the last five days. The logic prioritizes low-frequency events to surface previously unknown threats. (Newly Observed Palo Alto Network Alert, Newly Observed FortiGate Alert, Newly Observed High Severity Suricata Alert)
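The "newly observed" logic described above, as an added example in Python rather than ES|QL (this is not Elastic's rule code). The alert records, their field names, and the split into a 24-hour recent window compared against the five days before it are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry); field names are assumptions.
ALERTS = [
    {"ts": "2026-01-23T10:00:00", "product": "panos", "severity": "high", "signature": "SMB: Lateral Movement"},
    {"ts": "2026-01-22T11:30:00", "product": "fortigate", "severity": "high", "signature": "Web.Shell.Upload"},
    {"ts": "2026-01-25T09:15:00", "product": "suricata", "severity": "low", "signature": "ET INFO DNS Query"},
    {"ts": "2026-01-26T08:00:00", "product": "panos", "severity": "high", "signature": "SMB: Lateral Movement"},
    {"ts": "2026-01-26T08:05:00", "product": "suricata", "severity": "high", "signature": "ET EXPLOIT Possible Webshell Access"},
    {"ts": "2026-01-26T08:06:00", "product": "suricata", "severity": "high", "signature": "ET EXPLOIT Possible Webshell Access"},
    {"ts": "2026-01-26T08:10:00", "product": "fortigate", "severity": "high", "signature": "Web.Shell.Upload"},
    {"ts": "2026-01-26T09:00:00", "product": "panos", "severity": "high", "signature": "Unknown C2 Beacon"},
]


def newly_observed(alerts, now, baseline_days=5, recent_hours=24):
    """Return high-severity (product, signature) pairs seen in the recent
    window but absent from the baseline window, rarest first."""
    now = datetime.fromisoformat(now)
    recent_start = now - timedelta(hours=recent_hours)
    baseline_start = recent_start - timedelta(days=baseline_days)

    baseline = set()
    recent = Counter()
    for a in alerts:
        ts = datetime.fromisoformat(a["ts"])
        key = (a["product"], a["signature"])
        if baseline_start <= ts < recent_start:
            baseline.add(key)  # any severity counts as "seen before"
        elif ts >= recent_start and a["severity"] == "high":
            recent[key] += 1

    novel = {k: n for k, n in recent.items() if k not in baseline}
    # Low-frequency events first: a single new alert is the best hunting lead.
    return sorted(novel.items(), key=lambda kv: (kv[1], kv[0]))


if __name__ == "__main__":
    for (product, signature), count in newly_observed(ALERTS, "2026-01-26T12:00:00"):
        print(f"{count:>3}  {product:<10} {signature}")
```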
✎ Modified rules
Two rules detecting AWS IAM privilege escalation were updated for a data schema change, replacing target.entity.id with entity.target.id. The rules identify suspicious updates to IAM role trust policies and the attachment of customer-managed policies to roles. (AWS IAM Assume Role Policy Update, AWS IAM Customer-Managed Policy Attached to Role by Rare User)
Detection for Microsoft Entra ID device code phishing was rewritten. The new logic specifically identifies a single authentication session containing multiple distinct user agents, a common pattern where an attacker’s script and a victim’s browser are active simultaneously. (Entra ID OAuth Device Code Flow with Concurrent Sign-ins)
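The session-level check described above, as an added Python example (not Elastic's rule). The sign-in records, their field names, and the five-minute concurrency window are constructed assumptions; the point is that one device-code session carrying two different user agents close together is what gets flagged, while repeated sign-ins from the same browser do not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real Entra ID logs); field names are assumptions.
SIGNINS = [
    {"ts": "2026-01-26T09:00:00", "user": "alice", "session": "S1", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "proto": "deviceCode"},
    {"ts": "2026-01-26T09:00:40", "user": "alice", "session": "S1", "ua": "python-requests/2.31", "proto": "deviceCode"},
    {"ts": "2026-01-26T10:00:00", "user": "bob", "session": "S2", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "proto": "deviceCode"},
    {"ts": "2026-01-26T10:00:30", "user": "bob", "session": "S2", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "proto": "deviceCode"},
    {"ts": "2026-01-26T11:00:00", "user": "carol", "session": "S3", "ua": "Mozilla/5.0 (Macintosh) Safari/17", "proto": "browser"},
    {"ts": "2026-01-26T11:00:05", "user": "carol", "session": "S3", "ua": "curl/8.4", "proto": "browser"},
]


def concurrent_device_code_sessions(events, max_span_minutes=5):
    """Flag device-code sessions in which more than one distinct user agent
    signs in within max_span_minutes of each other."""
    by_session = defaultdict(list)
    for e in events:
        if e["proto"] == "deviceCode":  # only the device code flow is in scope
            by_session[(e["user"], e["session"])].append(e)

    hits = []
    for (user, session), evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])  # ISO timestamps sort lexically
        agents = {e["ua"] for e in evs}
        first = datetime.fromisoformat(evs[0]["ts"])
        last = datetime.fromisoformat(evs[-1]["ts"])
        if len(agents) > 1 and last - first <= timedelta(minutes=max_span_minutes):
            hits.append({"user": user, "session": session, "user_agents": sorted(agents)})
    return hits


if __name__ == "__main__":
    for hit in concurrent_device_code_sessions(SIGNINS):
        print(hit)
```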
A rule correlating Suricata network alerts with Elastic Defend endpoint events was tuned to reduce false positives. The maximum time span for correlation was shortened to 5 seconds, and exclusions were added for vulnerability scanners like Nessus and SCCM. (Suricata and Elastic Defend Network Correlation)
Detection for AppArmor defense evasion on Linux was refined to reduce false positives. The query now requires apparmor or apparmor.service as a process argument, preventing alerts from generic service management commands. (Potential Disabling of AppArmor)
The rule for detecting potential NTLM credential leakage via rare WebDAV connections was improved. The ESQL query’s grok pattern was updated for more reliable extraction of the destination server from the command line, and more domain exclusions were added. (Rare Connection to WebDAV Target)
splunk/security_content (✎2)
✎ Modified rules
Detection for a persistence technique in Office 365 was improved. The rule now monitors for changes to both ‘StrongAuthenticationMethod’ and ‘StrongAuthenticationPhoneAppDetail’ properties in Azure AD audit logs, providing better coverage for the registration of unauthorized MFA devices. (O365 New MFA Method Registered)
The detection for DNS tunneling via long queries has been updated. The core logic now aggregates by source (‘src’) instead of ‘host’ to better identify the origin of the anomalous activity. The update also excludes ‘SOA’ and ‘SRV’ record types to reduce noise. (DNS Query Length With High Standard Deviation)
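The per-source standard deviation logic described above, as an added Python example (not the Splunk search itself). The DNS records, the field names src/record_type/query, the minimum query count and the deviation threshold are constructed assumptions; the tunnelling-style host names are made up for the example.

```python
import statistics
from collections import defaultdict

# Constructed DNS log records (not real Splunk events); field names are assumptions.
DNS_LOG = [
    {"src": "10.0.0.5", "record_type": "A", "query": "www.example.com"},
    {"src": "10.0.0.5", "record_type": "A", "query": "mail.example.com"},
    {"src": "10.0.0.5", "record_type": "AAAA", "query": "cdn.example.net"},
    {"src": "10.0.0.5", "record_type": "SRV", "query": "_ldap._tcp.dc._msdcs.corp.example.com"},
    {"src": "10.0.0.9", "record_type": "A", "query": "www.example.com"},
    {"src": "10.0.0.9", "record_type": "TXT", "query": "a3f9c2e1b7d4" * 4 + ".t.example-tunnel.test"},
    {"src": "10.0.0.9", "record_type": "TXT", "query": "9e8d7c6b5a4f" * 4 + ".t.example-tunnel.test"},
    {"src": "10.0.0.9", "record_type": "A", "query": "x.t.example-tunnel.test"},
]

# SOA and SRV names are legitimately long and variable, so they are dropped
# before the statistics are computed, as the updated rule does.
EXCLUDED_TYPES = {"SOA", "SRV"}


def dns_length_stddev_by_src(events, min_queries=3, stdev_threshold=20.0):
    """Return {src: stddev} for sources whose query-length spread exceeds
    stdev_threshold across at least min_queries non-excluded queries."""
    lengths = defaultdict(list)
    for e in events:
        if e["record_type"] in EXCLUDED_TYPES:
            continue
        lengths[e["src"]].append(len(e["query"]))

    findings = {}
    for src, ls in lengths.items():
        if len(ls) < min_queries:
            continue  # too few samples for a meaningful deviation
        sd = statistics.pstdev(ls)
        if sd >= stdev_threshold:
            findings[src] = round(sd, 1)
    return findings


if __name__ == "__main__":
    print(dns_length_stddev_by_src(DNS_LOG))
```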
sublime-security/sublime-rules (+10, ✎11)
+ New rules
New rules detect impersonation and credential phishing attacks. These rules identify spoofing of services like AuthentiSign and file sharing platforms by analyzing sender data, HTML template artifacts, and logos. They also find phishing links in self-addressed emails and personal SharePoint sites. (Brand impersonation: AuthentiSign, Link: Self-sent message with quarterly document review request, Link: Personal SharePoint with invalid recipients and credential theft language, Brand impersonation: File sharing notification with template artifacts)
Several rules were added to detect malicious email attachments. Detection logic targets QR codes in attachments leading to phishing sites, specific combinations of invoice and W-9 PDFs used in Business Email Compromise, and password-protected PDFs matched by EXIF metadata and a YARA rule. (Attachment: QR code with recipient targeting and special characters, Attachment: Invoice and W-9 PDFs with suspicious creators, Attachment: Password-protected PDF with fake document indicators)
New detection for financial scams was added. One rule identifies job scams by searching for weekly salary patterns. Another detects callback scams distributed via the Microsoft Power BI service using a Natural Language Understanding classifier for intent. (Job scam with specific salary pattern, Service abuse: Microsoft Power BI callback scam)
A new rule detects an email delivery evasion tactic. It identifies messages masquerading as replies to non-existent conversations where the sender’s address contains multiple asterisks, a method used to bypass sender reputation filters. (Headers: Fake in-reply-to with wildcard sender and missing thread context)
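The header checks described above, as an added Python example using the standard library email parser (this is not Sublime's rule). Both messages are constructed; treating a missing References header and the absence of quoted text as "missing thread context", and two or more asterisks in the sender local-part as the wildcard pattern, are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages (not real samples).
FAKE_REPLY = """From: "Billing" <inv**oice**@mail.example-sender.test>
To: user@example.com
Subject: Re: Document review
In-Reply-To: <20260119.9f2c@example.com>
Message-ID: <a1b2c3@mail.example-sender.test>
Content-Type: text/plain

Your quarterly document is ready for review.
"""

REAL_REPLY = """From: "Dana" <dana@partner.example>
To: user@example.com
Subject: Re: Document review
In-Reply-To: <20260119.9f2c@example.com>
References: <20260119.9f2c@example.com>
Message-ID: <d4e5f6@partner.example>
Content-Type: text/plain

Thanks, attached.

> On Jan 19, user@example.com wrote:
> Can you review the document?
"""


def looks_like_fake_reply(raw, min_asterisks=2):
    """True when a message claims to be a reply (In-Reply-To or 'Re:') but
    carries no thread context and the sender local-part contains asterisks."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    local_part = sender.split("@", 1)[0]
    claims_reply = bool(msg.get("In-Reply-To")) or msg.get("Subject", "").lower().startswith("re:")
    has_references = bool(msg.get("References"))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    # Quoted lines or a "wrote:" attribution line are what a genuine reply carries.
    quoted = any(l.startswith(">") or l.rstrip().endswith("wrote:") for l in body.splitlines())
    wildcard_sender = local_part.count("*") >= min_asterisks
    return claims_reply and not has_references and not quoted and wildcard_sender


if __name__ == "__main__":
    print("fake:", looks_like_fake_reply(FAKE_REPLY), "real:", looks_like_fake_reply(REAL_REPLY))
```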
✎ Modified rules
Detection for brand and service impersonation phishing was updated across several rules. Improvements target emails mimicking USPS, Blockchain.com, Dropbox, and generic voicemail or fax services. Changes include refined sender checks, new HTML attribute analysis for fake buttons, and expanded keyword lists. False positives are reduced through improved exclusion logic, including DMARC-aware checks and expanded legitimate domain lists. (Brand impersonation: USPS, Brand impersonation: Blockchain[.]com, Brand impersonation: Fake Fax, Fake voicemail notification (untrusted sender), Brand impersonation: Dropbox)
Rules targeting personalized and obfuscated phishing techniques were broadened. Detection now includes checks for the recipient’s email local-part in PDF attachment names, in addition to the domain. The scope for identifying malicious URLs containing the recipient’s email address was also expanded to cover the entire email body. A rule that finds Unicode obfuscation in links was updated to use a more standard HTML parsing method. (Link: Display text with excessive right-to-left mark characters, Attachment: PDF with recipient email in link, Link: Suspicious URL with recipient targeting and special characters)
Detection for the Impact Solutions Phishing-as-a-Service (PhaaS) kit was significantly expanded. The rule now recursively inspects nested EML attachments and uses a broader regular expression to match more JavaScript variables common to the kit. The URL pattern check was also made more specific to reduce false positives. (PhaaS: Impact Solutions (Impact Vector Suite))
The rule for detecting romance scams was updated with an additional detection path. The new logic helps identify simple scam attempts characterized by short messages from free email providers using ‘Firstname Lastname’ display names, broadening coverage against multiple scam variations. (BEC/Fraud: Romance scam)
The rule for detecting image-based spam has been disabled. This rule analyzed HTML content and sender reputation to find lures that use images to hide malicious content. (Spam: Image as content with hidden HTML element)
SigmaHQ/sigma (+15, ✎5)
+ New rules
A new set of rules detects network reconnaissance and RDP connection attempts targeting OpenCanary honeypots. These rules identify various NMAP scans—including SYN, OS, FIN, NULL, and Xmas—and RDP connections by monitoring for specific OpenCanary log type identifiers. This provides direct visibility into actors probing honeypot assets. (OpenCanary - Host Port Scan (SYN Scan), OpenCanary - NMAP OS Scan, OpenCanary - NMAP FIN Scan, OpenCanary - NMAP NULL Scan, OpenCanary - NMAP XMAS Scan, OpenCanary - RDP New Connection Attempt)
New detections target malicious MSIX/AppX package activity on Windows. The rules monitor AppXDeployment-Server event logs to identify unsigned package installations (Event ID 603), installations with full trust privileges (Event ID 400), and all successful installations (Event ID 854) for threat hunting. A separate rule detects the execution of suspicious Advanced Installer support stubs, a known application control bypass method. (Windows AppX Deployment Unsigned Package Installation, Successful MSIX/AppX Package Installation, Windows AppX Deployment Full Trust Package Installation, Windows MSIX Package Support Framework AI_STUBS Execution)
Multiple rules were added to detect persistence and UAC bypass techniques through registry modification. These rules identify phantom DLL hijacking via MSDTC service keys, protocol handler hijacking by altering ‘ms-settings’ commands, and file association abuse where ‘shell\open\command’ keys are pointed to executables in unusual locations. (Registry Modification for OCI DLL Redirection, Registry Modification of MS-settings Protocol Handler, Suspicious Shell Open Command Registry Modification)
New rules detect tools used for defense evasion and privilege escalation. One rule flags the use of devcon.exe to disable the VMware VMCI device, a behavior linked to ESXi exploits. Another detects the Kernel Driver Utility (KDU), which is used to bypass driver signature enforcement and load malicious kernel drivers. (Devcon Execution Disabling VMware VMCI Device, PUA - Kernel Driver Utility (KDU) Execution)
✎ Modified rules
Two rules for detecting Phantom DLL Hijacking were updated to cover five new DLL filenames: ‘axeonoffhelper.dll’, ‘cdpsgshims.dll’, ‘oci.dll’, ‘offdmpsvc.dll’, and ‘shellchromeapi.dll’. One rule detects the creation of these files, while the other detects them being loaded by a process. (Creation Of Non-Existent System DLL, Potential DLL Sideloading Of Non-Existent DLLs From System Folders)
Detection for malicious wmic.exe usage to execute XSL scripts was improved. The updates add new IMPHASH values to identify wmic.exe variants and expand command-line detection to better identify remote script execution (SquiblyTwo) from various protocols and UNC paths. (XSL Script Execution Via WMIC.EXE, Potential Remote SquiblyTwo Technique Execution)
Detection for DNS queries to Out-of-Band Application Security Testing (OAST) services was refined. The logic was changed from contains to endswith for greater precision. New domains, including .digimg.store and .instances.httpworkbench.com, were added to the watchlist. (DNS Query to External Service Interaction Domains)
Personal repositories (1)
bartblaze/Yara-rules (+3)
+ New rules
New YARA rules were added to detect the OrcaC2 C2 framework and the Pulsar Remote Access Trojan. Detection for OrcaC2 components is based on unique development paths and User-Agent strings. The Pulsar RAT rule identifies specific internal strings like ‘costura.pulsar’ and ‘Pulsar.Client’. (Orca_Puppet, Orca_Stub, Pulsar_RAT)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.