Description:

A full collection of new rules and rule modifications. Rules are pre-processed and shipped with extracted key observables (IPs, hashes, etc.) for direct use in SIEM/TIP platforms. The feed is designed for SOC teams and detection engineers who need reliable, actionable data for SIEM/TIP ingestion and for CTI correlation. The inclusion of rule updates also helps teams maintain and refine their own detection logic by observing community best practices.

Use cases:

  • Informed detection engineering - reduce the significant manual effort of discovering, collecting, parsing, normalizing, and extracting value from public rule repositories.
  • Direct SIEM/TIP/SOAR integration - the structured format with explicit observables (STIX 2.1 or MISP) allows straightforward ingestion and use in your existing security platforms.
  • Improved threat hunting - leverage detection logic and extracted observables for proactive threat hunting exercises.
  • Improved coverage and performance - information about new rules and details of rule modifications help your team maintain and tune its existing rules more easily.
  • CTI correlation - match observables against your other threat intelligence feeds, internal logs, and CTI databases to uncover related activity and inform your detection prioritisation.

Rules:

  • anvilogic: 75
  • elastic-edr: 732
  • elastic-siem: 941
  • fibratus: 82
  • kql: 216
  • osquery: 100
  • sentinel: 3
  • sigma: 1738
  • splunk: 1974
  • sublime: 3
  • sublime-security: 426
  • wazuh: 1
  • yara: 443

Entities:

  • Identity: 52
  • Indicator: 12853
  • Directory: 6266
  • Domain-Name: 2124
  • Email-Addr: 40
  • File: 10819
  • Ipv4-Addr: 145
  • Ipv6-Addr: 65
  • Process: 11334
  • Relationship: 60252
  • Windows-Registry-Key: 1356

MISP feed:

https://dispatch.ctichef.com/misp/4a305f4c-f4dc-4319-b858-4eefceb12ec8

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

Content preview:

Latest 10 entities:

  • This rule identifies attempts to masquerade as the legitimate Windows Service Host process, `svchost.exe`. It detects processes named `svchost.exe` that are executing from a location other than the standard system directories (`C:\Windows\System32` or `C:\Windows\SysWOW64`). Such behavior is a common defense evasion technique used by adversaries to blend in with normal system activity. Relevant MITRE ATT&CK tactics: TA0005. Relevant MITRE ATT&CK techniques: T1036, T1036.005.

    [metadata]
    creation_date = "2025/11/12"
    integration = ["endpoint", "windows", "system"]
    maturity = "production"
    updated_date = "2025/12/09"
    min_stack_version = "9.1.0"
    min_stack_comments = "The esql match operator was introduced in version 9.1.0"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
    """
    from = "now-9m"
    interval = "8m"
    language = "esql"
    license = "Elastic License v2"
    name = "Potential Masquerading as Svchost"
    note = """
    ## Triage and analysis

    > **Disclaimer**:
    > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

    ### Investigating Potential Masquerading as Svchost

    svchost.exe is a legitimate Windows s...

    defense-evasion malicious-activity endpoint-security TA0005 T1036 T1036.005 Elastic License 2.0

  • relationship--e2a94887-8341-49c9-9835-9b15b6375daa
  • relationship--d8cea947-9b25-4355-8fff-bdca7f3d97a3
  • This rule detects emails that mimic a reply or forward to create a fake thread, a common tactic in Business Email Compromise (BEC) and phishing attacks. It identifies messages with reply/forward subjects or specific keywords (from, to, sent, etc.) in the body that are not actual replies. The detection triggers if the email is unsolicited and exhibits at least four other high-risk indicators, such as urgency, financial requests, credential theft language, suspicious links, or sender anomalies. Relevant MITRE ATT&CK tactics: TA0001. Relevant MITRE ATT&CK techniques: T1566, T1598.

    name: "Fake thread with suspicious indicators"
    description: "Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes."
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      // fake thread check
      and (length(headers.references) == 0 or headers.in_reply_to is null)
      and (
        subject.is_reply
        or subject.is_forward
        // fake thread, but no indication in the subject line
        // current_thread pulls the recent thread, but the full body contains the fake "original" email
        or (
          not (subject.is_reply or subject.is_forward)
          and any([body.current_thread.text, body.html.display_text, body.plain.raw],
                  3 of (
                    strings.icontains(., "from:"),
                    strings.icontains(., "to:"),
                    strings.icontains(., "sent:"),
                    strings.icontains(., "date:"),
                    strings.icontains(., "cc:"),
                    strings.icontains(., "subject:")
                    ...

    malicious-activity credential-access impact TA0001 T1566 T1598 MIT License

  • yara New rule

    This YARA rule detects a specific variant of the Kaiji malware, known as Ares, which has been observed in connection with React2Shell exploitation. The rule identifies Linux ELF binaries by checking for the magic number 0x464c457f. Detection is confirmed by the presence of at least two out of three specific strings, including a hardcoded source code path "C:/src/client/linux/ares_tcp.go" and two distinct hex patterns. Relevant MITRE ATT&CK tactics: TA0040. Relevant MITRE ATT&CK techniques: T1498.

    rule Kaiji_Ares {
        meta:
            description = "Detects a Variant of Kaiji (Ares) observed during React2Shell exploitation"
            author = "RussianPanda"
            date = "2025-12-8"
            hash = "c79fcb6c433d8a613f25b9b4c81c1c2514ac97e9aaae7c7c84a432b2476b5e4e"
        strings:
            $s1 = "C:/src/client/linux/ares_tcp.go"
            $s2 = {E5 BC BA E5 88 B6 55 64 70}
            $s3 = {B0 81 E5 8C 85}
        condition:
            uint32(0) == 0x464c457f and 2 of them
    }

    malicious-activity endpoint-security TA0040 T1498

  • file--42188e39-340c-5a58-9f1f-5f0424f6d7c7
  • relationship--fbd80c6a-19f9-4d93-841d-9bf14a1ebb36
  • yara New rule

    This YARA rule detects the ZinFoq implant on Linux systems. It identifies the malware by searching for three specific strings: "_FlAg_UuId;;;;;;", "interactive_shell", and "explorer_download". The rule also confirms that the file is an ELF binary by checking for the corresponding magic bytes (0x7fELF) at the beginning of the file. Relevant MITRE ATT&CK tactics: TA0011, TA0005. Relevant MITRE ATT&CK techniques: T1059, T1105.

    rule ZinFoq {
        meta:
            description = "Detects ZinFoq implant"
            author = "RussianPanda"
            date = "2025-12-8"
            hash = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce"
        strings:
            $s1 = "_FlAg_UuId;;;;;;"
            $s2 = "interactive_shell"
            $s3 = "explorer_download"
        condition:
            uint32(0) == 0x464c457f and all of them
    }

    malicious-activity endpoint-security TA0011 TA0005 T1059 T1105

  • This rule detects PowerShell processes initiated by a LOLBAS binary that subsequently establish an outbound network connection to a public IP address. It leverages an external LOLBAS JSON data source to identify suspicious parent processes. This behavior could indicate an adversary using a Living Off The Land Binary or Script (LOLBAS) to execute PowerShell for malicious purposes, such as command and control or data exfiltration. Relevant MITRE ATT&CK tactics: TA0002, TA0005. Relevant MITRE ATT&CK techniques: T1059.001, T1218.

    let timeWindow = 2m;
    // Load LOLBAS JSON from external source
    let lolbas = externaldata(Name:string, Category:string, Description:string, Commands:string)
        [@"https://lolbas-project.github.io/api/lolbas.json"]
        with(format="multijson");
    // Join DeviceProcessEvents with LOLBAS list
    let suspiciousProcesses = DeviceProcessEvents
        | where FileName in ("powershell.exe","pwsh.exe","pwsh.dll")
        | join kind=inner (lolbas) on $left.InitiatingProcessFileName == $right.Name
        | project Timestamp, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName,
            LOLBAS_Category = Category, LOLBAS_Description = Description,
            TimeWindowStart = Timestamp - timeWindow, TimeWindowEnd = Timestamp + timeWindow, SHA1;
    suspiciousProcesses
    | join kind=inner (
        DeviceNetworkEvents
        | project NetworkTimestamp = Timestamp, DeviceId, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl, Protocol, ActionType, LocalIP, LocalPort, RemoteIPType, R...

    defense-evasion execution command-and-control TA0002 TA0005 T1059.001 T1218

  • domain-name--36c7961b-48bb-5f93-893c-950dd6fdaf32