Detections Digest #20260202
The issue highlights key updates from 12 repos, including 115 new 💥 and 140 modified Sigma, Splunk, YARA, Fibratus, Elastic and Sublime Security detection rules.
This week’s update highlights the most significant changes to detection rules from 12 of the 50+ monitored GitHub repositories. Between Jan 26 and Feb 2, 2026, contributors added 115 new rules and updated 140 existing ones.
Stay informed about the latest changes in detection engineering to improve your threat detection coverage and operational efficiency.
Key Takeaways
New detections identify tampering with Windows virtualization-based security features like Credential Guard and HVCI through registry modifications. Additional rules target the disabling of AMSI and the Vulnerable Driver Blocklist. Concurrently, new behavioral rules detect advanced defense evasion techniques, including API call obfuscation using ROP gadgets, indirect callbacks, and process injection preparation. These provide layered coverage against adversaries weakening system defenses. (SigmaHQ/sigma, elastic/protections-artifacts)
A large set of new rules targets the attack lifecycle within Kubernetes environments. Detections cover discovery of services and environment variables inside containers. The rules also find credential access attempts on K8s service account tokens and subsequent execution via direct interaction with the Kubernetes API. This coverage uses a combination of container process events and Kubernetes audit logs. (elastic/detection-rules)
Multiple repositories added detections for Linux post-exploitation activities. New rules identify credential dumping using tools like Mimipenguin and direct access to the /proc filesystem. Other detections cover fileless execution with memfd, reverse shells from Java, and a telnet authentication bypass. YARA rules were also added for Linux backdoors like Tiny Shell and SLAPSTICK. (elastic/protections-artifacts, splunk/security_content, Neo23x0/signature-base)
🤖 All new and modified rules in your TIP / SIEM / SOAR →
All detection rules from this digest are available in CTIChef’s MISP, STIX/TAXII and RSS feeds, ready for direct integration into your SIEM, TIP, or SOAR solution, boosting your automated threat detection and enriching your existing intel.
Table Of Contents
sublime-security/sublime-rules (+14, ✎8)
SigmaHQ/sigma (+10, ✎4)
elastic/detection-rules (+27, ✎30)
elastic/protections-artifacts (+53, ✎49)
splunk/security_content (+1, ✎8)
Corporate repositories (6)
sublime-security/sublime-rules (+14, ✎8)
+ New rules
Multiple rules were added to detect credential phishing through specific URL structures. These rules identify evasive links by inspecting query parameters, URL fragments, and subdomains for patterns like personalized recipient data, repeating hexadecimal characters, unique binary strings, and indicators of the 9WOLF phishing-as-a-service platform. (Link: Recipient email address in ‘eta’ parameter, Link: HTML file with suspicious binary fragment ending pattern, Link: Base64 encoded recipient address in URL fragment with hex subdomain, Link: URL fragment with hexadecimal pattern obfuscation, Link: 9WOLF phishkit initial landing URI)
New rules target various Business Email Compromise and impersonation tactics. Detections cover a specific BEC campaign identified by attachment EXIF metadata, reconnaissance emails impersonating hotel inquiries, VIP impersonation for W-2 theft, and executive impersonation from free email accounts using common naming patterns. (Attachment: Fake lawyer & sports agent identities, Reconnaissance: Hotel booking reply-to redirect, VIP impersonation with w2 request, Impersonation: Executive using numbered local part)
Coverage for malicious email attachments is extended with three new rules. They detect a specific PowerPoint phishing lure, ICS calendar files containing embedded SVGs with suspicious JavaScript, and Excel macro files created with the Go Excelize library that use social engineering language. (Attachment: Employment contract update with suspicious file naming, Attachment: ICS with embedded Javascript in SVG file, Attachment: Excel file with document sharing lure created by Go Excelize)
Two new rules detect callback scams that abuse legitimate third-party notification services. The rules analyze emails from Monday.com and WeTransfer, using natural language understanding to identify content indicative of a callback scam. (Service abuse: Monday.com callback scam, Service abuse: WeTransfer callback scam)
✎ Modified rules
Detection of brand impersonation was improved for Netflix and Saudi Aramco. The Netflix rule adds NLU classifiers for credential theft, OCR analysis for logos combined with suspension keywords, and stronger DMARC validation. The Aramco rule now checks for newly registered sender domains and free email providers in reply-to headers to identify attacks. (Brand impersonation: Netflix, Brand impersonation: Aramco)
Coverage for credential phishing URLs was expanded. Detection for the Mamba 2FA phishing kit is now more flexible, using a regular expression for base64-encoded parameters instead of a static string. Another rule was updated to better identify targeted phishing by adding checks for new URL path terminators and specific alphanumeric patterns in both the subdomain and URL path. (Link: Mamba 2FA phishing kit, Link: Suspicious URL with recipient targeting and special characters)
Several rules were updated to better detect social engineering lures. One rule now identifies reconnaissance emails with bodies containing only digits. Another rule targeting gmail.com senders was refined to require specific display name keywords and no links or attachments. A third rule improves detection of macro-based threats by broadening its search for click instructions and adding more email disclaimer phrases to its OCR analysis. (Reconnaissance: Short generic greeting message, Suspicious display name: Gmail sender with engaging languages, Attachment: Office file with document sharing and browser instruction lures)
SigmaHQ/sigma (+10, ✎4)
+ New rules
Multiple new rules detect tampering with Windows virtualization-based security features, including Credential Guard and HVCI. Detections target defense evasion attempts via command-line tools altering registry keys or direct modification of registry values within DeviceGuard and LSA paths. (Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine, Windows Credential Guard Registry Tampering Via CommandLine, Windows Credential Guard Disabled - Registry, Windows Credential Guard Related Registry Value Deleted - Registry)
Two rules were added to detect the disabling of the Windows Vulnerable Driver Blocklist. One rule monitors command-line tools (reg.exe, PowerShell) modifying the setting, while the other detects the direct registry value change that deactivates the feature. (Windows Vulnerable Driver Blocklist Disabled, Vulnerable Driver Blocklist Registry Tampering Via CommandLine)
New coverage identifies attempts to disable the Anti-Malware Scan Interface (AMSI). Two rules work in concert: one detects command-line modification of the ‘AmsiEnable’ registry key, and the other detects when the key’s value is set to zero. (Windows AMSI Related Registry Tampering Via CommandLine, AMSI Disabled via Registry Modification)
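Added example (Python, not a SigmaHQ rule) of the logic the three groups of rules above share: the Credential Guard, HVCI, Vulnerable Driver Blocklist and AMSI registry values are watched on two channels, a registry event that sets the value to 0 or deletes it, and a process command line that names the key and value. Registry locations are taken from Microsoft documentation, event field names follow Sysmon (TargetObject, Details, EventType, CommandLine), and all sample events are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str        # security control that the registry value enables
    key_suffix: str  # trailing part of the key, lower-case, hive-independent
    value: str       # value name under that key


# Registry locations per Microsoft documentation for each control.
CONTROLS = (
    Control("Credential Guard", r"\control\lsa", "LsaCfgFlags"),
    Control("Credential Guard", r"\control\deviceguard", "EnableVirtualizationBasedSecurity"),
    Control("HVCI", r"\deviceguard\scenarios\hypervisorenforcedcodeintegrity", "Enabled"),
    Control("Vulnerable Driver Blocklist", r"\control\ci\config", "VulnerableDriverBlocklistEnable"),
    Control("AMSI", r"\windows script\settings", "AmsiEnable"),
)
_DWORD = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")  # Sysmon 'Details' format for REG_DWORD


def _control_for(key, value):
    key_l, value_l = key.lower(), value.lower()
    for c in CONTROLS:
        if key_l.endswith(c.key_suffix) and value_l == c.value.lower():
            return c
    return None


def check_registry_event(event):
    """Sysmon EventID 12/13: a watched value deleted, or set to DWORD 0."""
    key, _, value = event.get("TargetObject", "").rpartition("\\")
    c = _control_for(key, value)
    if c is None:
        return None
    if event.get("EventType") == "DeleteValue":
        return f"{c.name} registry value deleted"
    m = _DWORD.search(event.get("Details", ""))
    if m and int(m.group(1), 16) == 0:
        return f"{c.name} disabled via registry"
    return None  # re-enabling the control (non-zero) is not flagged


def check_process_event(event):
    """Sysmon EventID 1: reg.exe / PowerShell command line naming a watched key and value."""
    cmd = event.get("CommandLine", "").lower()
    for c in CONTROLS:
        if c.key_suffix in cmd and c.value.lower() in cmd:
            return f"{c.name} registry tampering via command line"
    return None


# Constructed Sysmon-like events: four tampering attempts, one benign re-enable,
# and one benign reg.exe query.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags"},
    {"EventID": 13, "EventType": "SetValue", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags"},
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity"},
    {"EventID": 13, "EventType": "SetValue", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" '
                    r'/v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet'
                    r'\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name Enabled -Value 0'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
]


def run(events):
    """Alerts raised for a sequence of events, in order; non-matching events are dropped."""
    alerts = []
    for ev in events:
        hit = check_process_event(ev) if ev.get("EventID") == 1 else check_registry_event(ev)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```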
A new rule detects when legitimate Windows applications and LOLBins, such as certutil.exe, write files to uncommon system locations. This rule monitors file creation events in user profile directories and temporary folders to spot payload download or drop activity. (Legitimate Application Writing Files In Uncommon Location)
A new rule detects a persistence technique using ‘User Shell Folders’ and ‘Shell Folders’ registry modifications. It monitors for command-line tools altering these keys to execute malicious programs at user logon. (User Shell Folders Registry Modification via CommandLine)
✎ Modified rules
Coverage for ingress tool transfer (T1105) using bitsadmin.exe is improved. One rule update adds more suspicious destination directories to its logic, while another adds ‘github.com’ to its list of monitored source domains for downloads. (File Download Via Bitsadmin To A Suspicious Target Folder, Suspicious Download From File-Sharing Website Via Bitsadmin)
Detections for registry-based persistence techniques are tuned. One rule refines its logic for reg.exe modifications by removing a high-volume autorun key to reduce false positives. Another rule, which targets startup folder path modifications, adds filters for legitimate paths and expands its scope to an additional registry key. (Direct Autorun Keys Modification, Modify User Shell Folders Startup Value)
elastic/detection-rules (+27, ✎30)
+ New rules
A large set of new rules detects adversary discovery, credential access, and execution within Linux containers and Kubernetes. Detections target reconnaissance via commands like env, which, and DNS enumeration of K8s services. The rules also identify access to K8s service account tokens, installation of networking tools, and direct interaction with the Kubernetes API, often by correlating process events with K8s audit logs. (Direct Interactive Kubernetes API Request by Common Utilities, Service Account Token or Certificate Read Detected via Defend for Containers, Direct Interactive Kubernetes API Request by Unusual Utilities, etc)
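Added example (Python, not an Elastic rule or ES|QL) of the correlation these rules rely on: a process inside a pod reading the projected service account token or certificate, followed within a window by a Kubernetes API request from that pod's address, authenticated as a service account and made with a generic HTTP client. Process field names follow ECS (process.args, orchestrator.namespace, orchestrator.resource.name/ip) and audit records follow the Kubernetes audit Event schema (user.username, sourceIPs, verb, objectRef, userAgent); the ten-minute window, the utility user-agent list and all records are constructed assumptions.

```python
from datetime import datetime, timedelta

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount/"  # token and ca.crt are projected here
UTILITY_AGENTS = ("curl/", "wget/", "python-requests/")     # generic clients, not kubectl/controllers
WINDOW = timedelta(minutes=10)                               # assumed correlation window


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def token_reads(process_events):
    """Container process events whose arguments reference the projected SA directory."""
    reads = []
    for ev in process_events:
        args = ev["process"]["args"]
        if any(SA_DIR in a for a in args):
            reads.append({"time": _ts(ev["@timestamp"]),
                          "namespace": ev["orchestrator"]["namespace"],
                          "pod": ev["orchestrator"]["resource"]["name"],
                          "pod_ip": ev["orchestrator"]["resource"]["ip"][0],
                          "command": " ".join(args)})
    return reads


def utility_api_requests(audit_events):
    """Audit records where a service account calls the API from a generic HTTP client."""
    requests = []
    for ev in audit_events:
        user = ev["user"]["username"]
        if not user.startswith("system:serviceaccount:"):
            continue
        if not ev.get("userAgent", "").startswith(UTILITY_AGENTS):
            continue
        _, _, namespace, sa_name = user.split(":", 3)  # system:serviceaccount:<ns>:<name>
        requests.append({"time": _ts(ev["requestReceivedTimestamp"]),
                         "namespace": namespace, "service_account": sa_name,
                         "source_ips": set(ev.get("sourceIPs", [])),
                         "verb": ev["verb"],
                         "resource": ev.get("objectRef", {}).get("resource", ""),
                         "user_agent": ev["userAgent"]})
    return requests


def correlate(process_events, audit_events):
    """A token read in a pod followed within WINDOW by an API call from that pod's IP."""
    alerts = []
    api_calls = utility_api_requests(audit_events)
    for read in token_reads(process_events):
        for call in api_calls:
            same_pod = read["pod_ip"] in call["source_ips"] and read["namespace"] == call["namespace"]
            if same_pod and timedelta(0) <= call["time"] - read["time"] <= WINDOW:
                alerts.append({"pod": read["pod"], "namespace": read["namespace"],
                               "service_account": call["service_account"],
                               "verb": call["verb"], "resource": call["resource"],
                               "command": read["command"], "user_agent": call["user_agent"]})
    return alerts


# Constructed sample data: one pod reads its token and lists secrets via curl 42 s later;
# coredns talks to the API from its own pod, and a curl call two hours later is outside WINDOW.
PROCESS_EVENTS = [
    {"@timestamp": "2026-01-28T12:00:00Z", "process": {"args": ["cat", SA_DIR + "token"]},
     "orchestrator": {"namespace": "shop", "resource": {"name": "web-7d9f", "ip": ["10.244.1.17"]}}},
    {"@timestamp": "2026-01-28T12:00:05Z", "process": {"args": ["ls", "/app"]},
     "orchestrator": {"namespace": "shop", "resource": {"name": "web-7d9f", "ip": ["10.244.1.17"]}}},
]
AUDIT_EVENTS = [
    {"requestReceivedTimestamp": "2026-01-28T12:00:42Z", "verb": "list", "userAgent": "curl/8.5.0",
     "user": {"username": "system:serviceaccount:shop:default"}, "sourceIPs": ["10.244.1.17"],
     "objectRef": {"resource": "secrets", "namespace": "shop"}},
    {"requestReceivedTimestamp": "2026-01-28T12:01:00Z", "verb": "watch", "userAgent": "coredns/v1.11.1",
     "user": {"username": "system:serviceaccount:kube-system:coredns"}, "sourceIPs": ["10.244.0.5"],
     "objectRef": {"resource": "endpointslices"}},
    {"requestReceivedTimestamp": "2026-01-28T14:00:00Z", "verb": "get", "userAgent": "curl/8.5.0",
     "user": {"username": "system:serviceaccount:shop:default"}, "sourceIPs": ["10.244.1.17"],
     "objectRef": {"resource": "pods", "namespace": "shop"}},
]

if __name__ == "__main__":
    for alert in correlate(PROCESS_EVENTS, AUDIT_EVENTS):
        print(alert)
```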
Multiple new rules target post-exploitation activity on FortiGate devices, with several specific to CVE-2026-24858. Detections identify persistence techniques like creating privileged administrator accounts, especially following a FortiCloud SSO login from a new source IP. Other rules find defense evasion, such as creating ‘allow all’ firewall policies, and reconnaissance actions like downloading the device configuration. (FortiGate Administrator Login from Multiple IP Addresses, First-Time FortiGate Administrator Login, FortiGate Super Admin Account Creation, FortiGate SSO Login Followed by Administrator Account Creation, etc)
New higher-order rules correlate disparate events to identify suspicious behavior. Several rules join security alerts with high process CPU utilization metrics to detect potential resource abuse like cryptomining. Other rules identify newly observed source IPs or Windows user accounts that trigger multiple distinct lateral movement detections, indicating a targeted attack. (Detection Alert on a Process Exhibiting CPU Spike, Lateral Movement Alerts from a Newly Observed Source Address, Lateral Movement Alerts from a Newly Observed User, Multiple Alerts on a Host Exhibiting CPU Spike, Newly Observed Process Exhibiting High CPU Usage)
A new rule uses Wiz data to identify assets with a poor security posture. It triggers on hosts with a high total count of vulnerabilities or multiple exploitable vulnerabilities of high or critical severity, helping to prioritize remediation efforts. (Multiple Vulnerabilities by Asset via Wiz)
✎ Modified rules
A large set of PowerShell rules for credential access, data collection, and surveillance were updated. These changes include expanded detection logic for keylogging and audio capture, new exceptions to reduce noise, and significant updates to investigation guides for techniques like Mimikatz, Kerberoasting, and AMSI bypass. (PowerShell Suspicious Script with Screenshot Capabilities, PowerShell Suspicious Script with Clipboard Retrieval Capabilities, PowerShell Keylogging Script, PowerShell Mailbox Collection Script, PowerShell Invoke-NinjaCopy script, Exchange Mailbox Export via PowerShell, PowerShell Kerberos Ticket Dump, etc)
Several rules monitoring for lateral movement, reconnaissance, and alert correlation were modified to improve alert usability. Their ES|QL queries now populate top-level ECS fields like host.id and source.ip from aggregated data. This standardizes alert formats, which simplifies analysis and the creation of exceptions. (Newly Observed Elastic Defend Behavior Alert, Elastic Defend and Network Security Alerts Correlation, Suspected Lateral Movement from Compromised Host, Potential Port Scanning Activity from Compromised Host, Potential Subnet Scanning Activity from Compromised Host)
Detection capabilities for Kubernetes and container environments were improved. A rule for Kubernetes pod access via ‘exec’ now has broader coverage by monitoring additional audit event stages. Other rules targeting reconnaissance inside containers, such as enumerating tools or credentials, received comprehensive investigation guides. (Kubernetes User Exec into Pod, Direct Interactive Kubernetes API Request by Unusual Utilities, Environment Variable Enumeration Detected via Defend for Containers, Tool Enumeration Detected via Defend for Containers)
Multiple rules were tuned for accuracy and performance. These changes include adding process exclusions to the hosts file modification rule, refining logic for detecting WebDAV NTLM credential leaks, narrowing scope in a ransomware note detection, and optimizing a multi-cloud secret access rule by targeting specific log sources. (Multiple Cloud Secrets Accessed by Source Address, Entra ID OAuth Phishing via First-Party Microsoft Application, External Alerts, Rare Connection to WebDAV Target, Potential Ransomware Behavior - Note Files by System, Hosts File Modified)
elastic/protections-artifacts (+53, ✎49)
+ New rules
A large set of new rules targets Windows defense evasion, persistence, and privilege escalation. Detections focus on API and call stack obfuscation using ROP or indirect callbacks, process injection preparation, and thread context manipulation. The rules also identify attempts to disable security tools via AppLocker or Firewall rules, establish persistence with services from unsigned processes, and escalate privileges by enabling SeDebugPrivilege from unexpected binaries. (Keystroke Capture by Unsigned Process, DLL Loaded via a CallBack Function, Endpoint Security Evasion via Malicious AppLocker Deny Rules, Command Obfuscation via Unicode Modifier Letters, Early Remote Memory Allocation, etc)
New rules detect threats within NodeJS environments, targeting supply chain compromises. Detections identify malicious packages downloading payloads with curl, scanning for credentials with tools like TruffleHog, exfiltrating data via npm scripts, and hijacking legitimate applications by modifying their JavaScript files. This covers activity on Windows, macOS, and Linux. (Suspicious Curl Execution via NodeJS, Suspicious TruffleHog Execution via NodeJS, Egress Network Connection from Node.js Descendant, etc)
Multiple rules improve detection of Linux-based credential dumping and evasion. This includes two rules for the Mimipenguin script (CVE-2018-20781), process memory dumping via the /proc filesystem, and fileless execution using memfd. The set also adds coverage for reverse shells from Java and xterm, download-and-execute sequences, and container escape using privileged Docker mounts. (Potential Linux Credential Dumping via Mimipenguin, Potential Linux Credential Dumping via Proc Filesystem, Potential Memory Dumping via dd, etc)
New rules target common adversary techniques on macOS for initial access and execution. This includes detecting the download of a DMG and its subsequent mounting via hdiutil, execution of payloads from newly mounted devices, and fileless execution by piping curl output to a script interpreter. Credential theft of the Keychain file via Osascript is also now detected. (Suspicious Curl File Download and Execution, User Keychain copied via Script Interpreter, Decoy file Open via Preview App, Suspicious Perl File Modification, File Download Piped to Script Interpreter, Disk Image Download and Mount via Hdiutil, Suspicious Script or Process Execution from Mounted Device)
New rules address threats in modern development tools. Several rules detect malicious activity from Generative AI utilities, including accessing credential files for cloud services and browsers, and modifying system persistence locations. Coverage is also added for CI/CD pipeline abuse by detecting attempts to disable GitHub Actions Runner telemetry and for exploitation of a Git RCE vulnerability (CVE-2025-48384) during clone operations. (Suspicious Credential Access via GenAI Tool, Credential Access via GenAI Tool Descendant, Persistence via GenAI Tool, GitHub Actions Runner with Disabled Telemetry, Potential Git CVE-2025-48384 Exploitation)
✎ Modified rules
Multiple rules detecting post-exploitation activity from web servers on Linux were updated. The changes improve identification of parent web server processes by adding names like php-fpm, checking for web root working directories like /var/www/*, and targeting Java processes in specific Oracle application paths. These refinements increase detection accuracy for techniques such as payload downloads, reverse shells, and command execution following a web compromise. (Java XSL Template Creation Followed by Shell Execution, File Downloaded and Piped to Interpreter by Web Server, Suspicious Python Shell Execution, etc)
Numerous rules for detecting in-memory threats on Windows were refined. Updates focus on process injection, shellcode execution, call stack spoofing, and Return-Oriented Programming (ROP) gadgets. Changes include adding new hexadecimal signatures for malicious call stacks, expanding logic to detect more API call variations, and adding exceptions for legitimate software behavior from tools like ConnectWise, Tenable, and various .NET components. These updates improve detection of advanced defense evasion techniques. (API Call via Jump ROP Gadget, Execution from Suspicious Stack Trailing Bytes, Internet Activity from Suspicious Unbacked Memory, Potential Library Load via ROP Gadgets, etc)
A large set of Linux detection rules for defense evasion and post-exploitation was updated to reduce false positives. These rules cover techniques such as disabling auditd, executing from memory, using LD_PRELOAD, creating reverse shells, and using hidden processes. The updates add exceptions for common administrative tools like Ansible and Podman, package managers, development environments, and other legitimate system activities to improve signal quality. (Kill Command Executed from a Hidden Process, Auditctl Disabled via Shell Process, Execution of In-Memory File via Interactive Session, Shared Object Injection via Process Environment Variable, Kill Command Executed from Binary in Unusual Location, etc)
Rules detecting common Windows execution and persistence techniques were tuned to reduce false positives. The updates address masquerading, DLL search order hijacking, and suspicious command-line or PowerShell arguments. Exceptions were added for legitimate software including Visual Studio, Toad, and JetBrains IDEs. The DLL hijacking rule was also expanded to monitor explorer.exe and other common processes. (Binary Masquerading via Untrusted Path, Potential Initial Access via DLL Search Order Hijacking, Suspicious Windows Command Shell Execution, Suspicious PowerShell Execution, Suspicious Windows Schedule Child Process)
Detections for suspicious Python activity on macOS were tuned for better accuracy. Updates focus on reducing false positives from legitimate network connections and development work. Changes include excluding private IP ranges from network connection alerts, ignoring connections to Elastic Cloud services, and adding path exclusions for Python libraries managed by pyenv. (Python Script Execution via Shell and Remote Network Connection, Unusual Library Load via Python, Suspicious Python Script Execution and Network Connection)
splunk/security_content (+1, ✎8)
+ New rules
A new rule detects a telnet authentication bypass vulnerability, CVE-2026-24061. The detection identifies when the telnetd process spawns a login process with command-line arguments containing both “-p” and “-f root”, indicating an attempt to gain root access. (Linux Telnet Authentication Bypass)
✎ Modified rules
Detection for payload staging on Windows was improved across multiple rules. These rules monitor for the creation of executables, scripts, and .lnk files in temporary, non-standard, or suspicious user profile locations. The updates refine accuracy by adding specific exclusions for legitimate files and narrowing the scope of monitored paths to reduce false positives. (Executables Or Script Creation In Temp Path, Process Creating LNK file in Suspicious Location, Executables Or Script Creation In Suspicious Path)
Two rules that detect malicious use of the curl utility were updated. Coverage was broadened to include curl.exe on Windows and wildcard matching for s3.amazonaws.com domains. For Linux, the query performance was improved for detecting downloads based on command-line switches. (Suspicious Curl Network Connection, Linux Ingress Tool Transfer with Curl)
Detection for scheduled task hiding, a technique used by malware like Tarrask, was made more specific. The rule now targets only the deletion of the ‘SD’ registry key or value, which reduces false positives and focuses on this specific defense evasion method. (Windows Registry Delete Task SD)
A rule detecting outlook.exe writing a .zip file to disk was refactored for accuracy. The query now joins process and file events using process_guid and specifically checks user profile and temporary directories, improving detection of potential email-based payload delivery or data exfiltration. (Detect Outlook exe writing a zip file)
The rule for detecting external exploitation attempts against PaperCut NG servers (CVE-2023-27350) was updated. The search query’s IP address filtering was improved with a more comprehensive list of private and reserved IP ranges to better isolate threats originating from public sources. (PaperCut NG Remote Web Access Attempt)
magicsword-io/LOLDrivers (✎4)
✎ Modified rules
Four rules that detect malicious and vulnerable driver loading on Windows were updated. These rules monitor for privilege escalation attempts by matching driver filenames, file hashes (MD5, SHA1, SHA256), and import hashes. The indicator lists were refreshed with current data, including additions from the LOLDrivers project. (Malicious Driver Load By Name, Vulnerable Driver Load By Name, Malicious Driver Load Despite HVCI, Malicious Driver Load)
Personal repositories (6)
kevoreilly/CAPEv2 (+1)
+ New rules
A new YARA rule detects the HijackLoader malware loader. The rule identifies the loader’s executable stub by searching for a combination of two specific byte sequences and the wide-character string ‘\app-’ within a file. (HijackLoaderStub)
HybridBrothers/Hunting-Queries-Detection-Rules (+1)
+ New rules
A new KQL query identifies user accounts with leaked credentials by querying the Microsoft Defender Exposure Management ExposureGraphNodes table. It specifically looks for accounts flagged with hasAdLeakedCredentials to surface compromised identities. (Hunt for accounts with leaked credentials)
Sergio-Albea-Git/Threat-Hunting-KQL-Queries (+1)
+ New rules
A new KQL query identifies devices vulnerable to the Microsoft Office security feature bypass, CVE-2026-21509. The query checks the DeviceTvmSoftwareInventory table for Microsoft Office 2016 and 2019 versions that are below the required patch level. (Microsoft Office Security Feature Bypass Vulnerability CVE-2026-21509)
rabbitstack/fibratus (✎37)
✎ Modified rules
Numerous rules detecting defense evasion via LOLBINs and script hosts received syntax corrections. The changes update the process executable field from pe.file.name to ps.pe.file.name, restoring detection logic for tools like rundll32, mshta, regsvr32, wmic, netsh, and VaultCmd. (Credentials access from backups via Rundll32, Suspicious HTML Application script execution, Credential discovery via VaultCmd tool, Regsvr32 scriptlet execution, Suspicious XSL script execution, System Binary Proxy Execution via Rundll32, Suspicious Netsh Helper DLL execution)
Detections for DLL side-loading, injection, and hijacking were refined. Several rules were updated to use more precise signature validation, such as checking the running process signature or the loaded module’s trusted status. Others were corrected to use proper dll.path or module.path fields, fixing logic for injection and phantom DLL hijacking techniques. (DLL Side-Loading via a copied binary, DLL Side-Loading via Microsoft Office dropped file, Unsigned DLL injection via remote thread, Potential privilege escalation via phantom DLL hijacking)
Rules targeting persistence and privilege escalation were updated to align with the current Fibratus schema. The primary change updates process signature checks from deprecated pe.* fields to ps.signature.* fields. This affects detections for registry key modification, startup folder abuse, LSASS injection, and symbolic link creation. (Suspicious object symbolic link creation, Suspicious Windows Defender exclusions registry modification, Suspicious persistence via registry modification, Script interpreter host or untrusted process persistence, Remote thread creation into LSASS, Network connection via startup folder executable or script)
Rules for in-memory threats and .NET abuse were updated for correctness. Detections for loading .NET assemblies into unmanaged processes and AppDomainManager hijacking were fixed by correcting field names (e.g., to ps.pe.is_dotnet). Other rules for process hollowing, self-deleting binaries, and module proxying were corrected to reference module or dll contexts instead of the generic image context. (.NET assembly loaded by unmanaged process, AppDomain Manager injection via CLR search order hijacking, Image load via NTFS transaction, DLL loaded via APC queue, Process execution from a self-deleting binary, Process execution from hollowed memory section, DLL loaded via a callback function)
A group of rules for system integrity threats received syntax updates. Detections for malicious driver loading, WMI abuse via Office applications, unsigned Office add-ins, and malicious DLLs loaded by svchost were corrected. The changes align field references for loaded modules from the generic image context to the more specific module or dll context. (Suspicious execution via WMI from a Microsoft Office process, Suspicious Vault client DLL load, Windows Defender driver unloading, Suspicious Microsoft Office add-in loaded, Vulnerable or malicious driver loaded, Executable file dropped by an unsigned service DLL)
bartblaze/Yara-rules (+4)
+ New rules
New YARA rules detect the Mythic C2 framework and its Apollo agent. The rules identify key strings related to C2 communication, agent-specific classes, built-in commands, and internal manager classes of the .NET version of the Apollo agent. (Mythic, Mythic_Apollo_Net)
Neo23x0/signature-base (+3)
+ New rules
New YARA rules detect malware targeting Linux and UNIX systems. Two definitions target the Tiny Shell backdoor, including a SPARC variant, by matching byte patterns, XOR sequences, and system call names in ELF files. Another rule detects SLAPSTICK malware from UNC2891 by identifying specific format string sequences within ELF executables. (EXT_HKTL_MAL_TinyShell_Backdoor_SPARC, EXT_APT_UNC2891_SLAPSTICK)
Feedback
Your input helps us improve! If you spot any issues, mistakes, or omissions in this digest issue, or have any other suggestions, we’d love to hear from you. Contact us at team@rulecheck.io - we value your feedback and are committed to improving the content we produce.
Disclaimer
The summaries in this brief are generated by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
Powered by
This digest is built with BlackStork.
Looking for a customized version of this newsletter? We’d be happy to help — contact us.


This article comes at the perfect time. Could you elaborate a bit more on how new rules detect API call obfuscation using ROP gadgets?
Solid curation, especially the K8s discovery/exec correlation rules. The fact that elastic is now layering in process events with audit logs for service account token access shows how container security matured past just auditing. I've seen similar gaps where behavioral rules cover advanced evasion (ROP, indirect callbacks) but miss deployment patterns where these same techniques are used differently in containerized workloads versus traditional hosts.