Description:
A full collection of new rules and rule modifications. Rules are pre-processed and shipped with extracted key observables (IPs, hashes, etc.) for direct use in SIEM/TIP platforms. The feed is designed for SOC teams and detection engineers who need reliable, actionable data for SIEM/TIP ingestion and CTI correlation. The inclusion of rule updates also helps teams maintain and refine their own detection logic by observing community best practices.
Use cases:
- Informed detection engineering - reduces the significant manual effort of discovering, collecting, parsing, normalizing, and extracting value from public rule repositories.
- Direct SIEM/TIP/SOAR integration - the structured format with explicit observables (STIX 2.1 or MISP) allows straightforward ingestion into your existing security platforms.
- Improved threat hunting - leverage detection logic and extracted observables for proactive threat hunting exercises.
- Improved coverage and performance - information about new rules and details of rule modifications help your team maintain and tune existing rules more easily.
- CTI correlation - match observables against your other threat intelligence feeds, internal logs, and CTI databases to uncover related activity and inform your detection prioritisation.
Rules:
- anvilogic: 75
- elastic-edr: 684
- elastic-siem: 779
- fibratus: 82
- kql: 181
- osquery: 100
- sentinel: 3
- sigma: 1676
- splunk: 1939
- sublime: 3
- sublime-security: 363
- wazuh: 1
- yara: 417
Entities:
- Identity: 52
- Indicator: 12087
- Directory: 6101
- Domain-Name: 1992
- Email-Addr: 38
- File: 10339
- Ipv4-Addr: 145
- Ipv6-Addr: 65
- Process: 10931
- Relationship: 56780
- Windows-Registry-Key: 1279
MISP feed:
STIX/TAXII feed:
Content preview:

Latest 10 entities:
This rule detects unsolicited inbound emails that claim to have identified errors on a recipient's website. It analyzes email content for keywords like 'error', 'report', 'issues', and 'screenshot' in the subject and body, in conjunction with common salutations. The detection logic is structured to handle single-thread messages (with or without an unsubscribe link) and multi-thread conversations by evaluating message length, link/attachment counts, and specific keyword combinations. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566
name: "Spam: Website errors solicitation" description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request." type: "rule" severity: "low" source: | type.inbound and ( sender.email.email not in $recipient_emails or not profile.by_sender().solicited ) and 1 of ( // Single thread message groups ( length(attachments) == 0 and length(body.links) == 0 and length(body.previous_threads) == 0 and 20 < length(body.current_thread.text) < 500 and regex.icontains(body.current_thread.text, "screenshot") and regex.icontains(body.current_thread.text, '.*(hi|hello|hey)') and regex.icontains(body.current_thread.text, ".*(error|report|issues)") and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit|screenshot)") ), // Single thread message groups but with 1 unsubscribe link ( length(attachments) == ...
- sublime-security
This rule detects credential phishing emails that masquerade as voicemail notifications. The detection logic analyzes the subject, display name, and body for voicemail-related keywords and regular expressions. It correlates these findings with sender reputation data, such as first-time or unsolicited senders, and uses Natural Language Understanding (NLU) to identify a 'cred_theft' intent. The rule also inspects attachments and links for patterns commonly associated with this phishing vector. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566
name: "Fake voicemail notification (untrusted sender)" description: | This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve. The rule looks for voicemail verbiage in the display name, body, subject or a combination of those elements with emojis or a medium to high credential theft NLU Intent from first-time + unsolicited sender. type: "rule" severity: "medium" source: | type.inbound // contains links or attachments and ( (0 < length(body.links) <= 25 or 0 < length(distinct(attachments, .md5)) <= 3) and 0 <= length(distinct(attachments, .md5)) <= 8 ) // the subject or display_name need some keywords which are voicemail related and ( any([subject.subject, sender.display_name], regex.icontains(., // split phrases that occur within 3 words between or only punctuation between them '(?:v[nm](\b|[[:punct:]])?|\bv...
credential-access malicious-activity TA0001 T1566 MIT License
- sublime-security New rule
This rule detects inbound emails that use social engineering to deceive recipients about an attachment. The detection logic identifies messages that reference an attachment (e.g., 'see attached') but contain none. It specifically looks for links pointing to the 'fliphtml5.com' domain and leverages a Natural Language Understanding (NLU) classifier to confirm the presence of high-confidence credential theft language. Relevant MITRE ATT&CK tactics: TA0001, TA0006 Relevant MITRE ATT&CK techniques: T1566.002
name: "Service abuse: FlipHTML5 with attachment deception and credential theft language" description: "Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns." type: "rule" severity: "medium" source: | type.inbound // messages contain wording to "see attached" but contains no attachments and ( regex.icontains(body.current_thread.text, "attached|see.*attached|find.*attached|please{0,10}attached" ) and length(attachments) == 0 ) // and the link goes to fliphtml5 and contains suspect "click me" language and any(body.links, .href_url.domain.root_domain == "fliphtml5.com" ) // and we have confidence its cred theft and any(ml.nlu_classifier(body.current_thread.text).intents, .name == "cred_theft" and .confidence != "low" ) attack_types: - "Credential Phishing" tactics_and_techniques: - "Social engineering"...
malicious-activity credential-access TA0001 TA0006 T1566.002 MIT License
domain-name--b350dabc-e831-573a-b509-70bb4f6ddb8d
relationship--7c0605e0-b64a-4749-860d-2aa71744b51f
- sublime-security
This rule detects brand impersonation of Meta and its subsidiaries (Facebook, Instagram) by analyzing inbound email. It inspects sender display names for suspicious keywords using regex and Levenshtein distance, and examines email bodies for phishing indicators. The rule leverages machine learning for logo detection and Natural Language Understanding (NLU) to classify intent (e.g., credential theft) and topics (e.g., advertising), while also checking for deceptive links and excluding known legitimate domains. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566
name: "Brand impersonation: Meta and subsidiaries" description: | Impersonation of Meta or Meta's subsidiaries Facebook and Instagram. references: - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/" type: "rule" severity: "low" source: | type.inbound and ( // sender display name is a strong enough indicator // that it can be used without any other impersonation logic ( regex.icontains(sender.display_name, 'facebook ?ads', 'facebook ?business', 'meta ?account', 'meta ?help', 'meta ?support', 'meta ?business', 'meta ?for ?business', 'meta ?policy', 'page ?ads ?support', 'Instagram ?Not', 'Instagram ?Policies', 'Instagram ?Report', ...
malicious-activity credential-access TA0001 T1566 MIT License
domain-name--4bd288c1-69cc-5c70-bb3b-b17bfea7f093
relationship--9e7dab50-537b-4ca1-9175-b96d0279e0ca
- sublime-security
This rule detects email-based brand impersonation of TikTok. It identifies potential threats by checking for sender display names similar to 'TikTok', the presence of the TikTok logo in screenshots, or sender domains ending in '-tiktok.com'. The detection is strengthened by looking for verification-related keywords and analyzing the message content for security themes or credential theft intent using Natural Language Understanding (NLU), while excluding legitimate communications from authenticated TikTok domains. Relevant MITRE ATT&CK tactics: TA0001, TA0006 Relevant MITRE ATT&CK techniques: T1566, T1566.002
name: "Brand impersonation: TikTok" description: "Detects messages impersonating TikTok through similar display names or logo detection, combined with security-themed content and authentication failures. Excludes legitimate TikTok communications and trusted senders." type: "rule" severity: "medium" source: | type.inbound and ( // TikTok Brand Detection ( // display name contains tiktok strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*') // levenshtein distance similar to tiktok or strings.ilevenshtein(strings.replace_confusables(sender.display_name), 'tiktok' ) <= 1 or ( length(ml.logo_detect(file.message_screenshot()).brands) == 1 and any(ml.logo_detect(file.message_screenshot()).brands, .name == "TikTok" and .confidence == "high" ) ) // hyphenated sender domain contains tiktok or strings.iends_with(sender.email.domain.root_do...
malicious-activity credential-access TA0001 TA0006 T1566 T1566.002 MIT License
This KQL query detects modifications to the Windows Security Audit Policy by monitoring for registry value data that begins with 'auditpol'. This activity can indicate an attacker's attempt to alter security logging configurations to evade detection prior to executing further malicious actions, such as ransomware deployment. The detection focuses on the `DeviceRegistryEvents` table, looking for evidence of `auditpol.exe` usage. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562
DeviceRegistryEvents | where RegistryValueData startswith "auditpol"