Description:
Premium feed that extends the "Detection Rules Pro" feed with analysis and guidance. It adds rule change analysis with impact guidance, correlation of rules to active CVEs and threat campaigns, and a weekly detection engineering brief, all intended to support strategic decision-making, prioritization of effort, and a robust, proactive detection posture. It is best suited to mature security operations centers, threat intelligence teams, and detection engineers who need this additional context.
Use cases:
- Risk-based prioritization - focus your team's efforts on deploying and tuning detections that address the most current and impactful threats.
- Improved situational awareness - gain a deeper understanding of how community detections align with the evolving threat landscape, active vulnerabilities, and adversary TTPs.
- Proactive detection posture management - move beyond reactive alerting to strategically curating and maintaining your detection capabilities based on actionable intelligence.
- Reduced fatigue and improved resource allocation - maximize the impact of your detection engineering team with tactical and strategic decision support about the threat detection landscape.
Rules:
anvilogic: 75
elastic-edr: 732
elastic-siem: 941
fibratus: 82
kql: 216
osquery: 100
sentinel: 3
sigma: 1738
splunk: 1974
sublime: 3
sublime-security: 426
wazuh: 1
yara: 443
Entities:
Identity: 52
Indicator: 12853
Note: 10900
Report: 26
Directory: 6266
Domain-Name: 2124
Email-Addr: 40
File: 10819
Ipv4-Addr: 145
Ipv6-Addr: 65
Process: 11334
Relationship: 60252
Windows-Registry-Key: 1356
MISP feed:
STIX/TAXII feed:
Content preview:

Latest 10 entities:
- elastic-siem
This rule identifies attempts to masquerade as the legitimate Windows Service Host process, `svchost.exe`. It detects processes named `svchost.exe` that are executing from a location other than the standard system directories (`C:\Windows\System32` or `C:\Windows\SysWOW64`). Such behavior is a common defense evasion technique used by adversaries to blend in with normal system activity. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1036, T1036.005
[metadata]
creation_date = "2025/11/12"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/12/09"
min_stack_version = "9.1.0"
min_stack_comments = "The esql match operator was introduced in version 9.1.0"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
"""
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "Potential Masquerading as Svchost"
note = """
## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Masquerading as Svchost

svchost.exe is a legitimate Windows s...
Tags: defense-evasion malicious-activity endpoint-security TA0005 T1036 T1036.005 Elastic License 2.0
[Impact: medium][Scope: coverage] Update to "Potential Masquerading as Svchost" rule
The rule's query was updated to be case-insensitive by applying the `to_lower()` function to the `process.executable` field during comparison. This change prevents bypasses that use mixed-case path names (e.g., `C:\WINDOWS\...`). Additionally, the query output was expanded to include the `_id`, `_version`, and `_index` metadata fields.
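As an added illustration (not Elastic's rule code), the check below re-implements the masquerade logic in Python over a handful of constructed process events. The field names process.name and process.executable are assumed to follow ECS as the Elastic rule does; the sample events are made up. Running it with and without case folding shows both failure modes of a literal path comparison on Windows: a benign path written as C:\WINDOWS\system32 is flagged, and a process named SvcHost.exe outside the system directories slips through.

```python
# Added example, not Elastic's rule: the svchost masquerade check over
# constructed process events, with and without case folding.

# Legitimate svchost.exe locations, lower-cased once. Windows paths are
# case-insensitive, so the comparison has to be as well.
TRUSTED_SVCHOST_PATHS = (
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
)

# Constructed sample events; field names assume ECS (process.name,
# process.executable), as used by the Elastic rule.
SAMPLE_EVENTS = [
    {"process.name": "svchost.exe",
     "process.executable": r"C:\Windows\System32\svchost.exe"},   # benign
    {"process.name": "svchost.exe",
     "process.executable": r"C:\WINDOWS\system32\svchost.exe"},   # benign, mixed case
    {"process.name": "svchost.exe",
     "process.executable": r"C:\Users\Public\svchost.exe"},       # masquerade
    {"process.name": "SvcHost.exe",
     "process.executable": r"C:\ProgramData\SvcHost.exe"},        # masquerade, mixed-case name
    {"process.name": "explorer.exe",
     "process.executable": r"C:\Windows\explorer.exe"},           # unrelated process
]


def is_svchost_masquerade(event, case_insensitive=True):
    """True when a process carries the svchost.exe name but runs from elsewhere.

    case_insensitive=True mirrors the updated rule's to_lower() comparison
    (applied here to both fields); False mirrors a literal string compare.
    """
    name = event.get("process.name", "")
    exe = event.get("process.executable", "")
    if case_insensitive:
        return (name.lower() == "svchost.exe"
                and exe.lower() not in TRUSTED_SVCHOST_PATHS)
    literal_trusted = (r"C:\Windows\System32\svchost.exe",
                       r"C:\Windows\SysWOW64\svchost.exe")
    return name == "svchost.exe" and exe not in literal_trusted


def flagged_executables(events, case_insensitive=True):
    """Executable paths the check would alert on, in input order."""
    return [e["process.executable"] for e in events
            if is_svchost_masquerade(e, case_insensitive)]


if __name__ == "__main__":
    print("case-insensitive:", flagged_executables(SAMPLE_EVENTS))
    print("literal compare: ", flagged_executables(SAMPLE_EVENTS, case_insensitive=False))
```

With case folding only the two binaries outside System32/SysWOW64 are returned; the literal comparison instead returns the benign mixed-case path and misses the renamed-case masquerade.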
relationship--e2a94887-8341-49c9-9835-9b15b6375daa
relationship--d8cea947-9b25-4355-8fff-bdca7f3d97a3
- sublime-security
This rule detects emails that mimic a reply or forward to create a fake thread, a common tactic in Business Email Compromise (BEC) and phishing attacks. It identifies messages with reply/forward subjects or specific keywords (from, to, sent, etc.) in the body that are not actual replies. The detection triggers if the email is unsolicited and exhibits at least four other high-risk indicators, such as urgency, financial requests, credential theft language, suspicious links, or sender anomalies. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1598
name: "Fake thread with suspicious indicators"
description: "Fake thread contains suspicious indicators, which can lead to BEC, credential phishing, and other undesirable outcomes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // fake thread check
  and (length(headers.references) == 0 or headers.in_reply_to is null)
  and (
    subject.is_reply
    or subject.is_forward
    // fake thread, but no indication in the subject line
    // current_thread pulls the recent thread, but the full body contains the fake "original" email
    or (
      not (subject.is_reply or subject.is_forward)
      and any([body.current_thread.text, body.html.display_text, body.plain.raw],
              3 of (
                strings.icontains(., "from:"),
                strings.icontains(., "to:"),
                strings.icontains(., "sent:"),
                strings.icontains(., "date:"),
                strings.icontains(., "cc:"),
                strings.icontains(., "subject:")
  ...
Tags: malicious-activity credential-access impact TA0001 T1566 T1598 MIT License
[Impact: medium][Scope: coverage] Update to "Fake thread with suspicious indicators" rule
The rule's detection logic was updated to better handle emails lacking an HTML body. The `coalesce` function was introduced to use the raw plain text body (`body.plain.raw`) for length comparison if the HTML display text (`body.html.display_text`) is not available. This change expands the rule's applicability to plain-text emails, preventing potential false negatives.
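The following is an added example, not Sublime Security's rule code. It re-implements the fake-thread heuristic in Python over constructed messages: no References or In-Reply-To header, then either a reply/forward subject or at least three thread-header keywords in the body, then a count of high-risk indicators. The indicator patterns, the reply-to mismatch check and the unsolicited flag are stand-ins chosen for the example (the rule's actual indicator set is not shown on this page). Toggling use_coalesce shows the false negative the update removes: when only the HTML body is consulted, a plain-text-only message never reaches the body check.

```python
# Added example, not Sublime Security's rule: fake-thread detection with a
# coalesce()-style fallback from the HTML body to the raw plain-text body.
import re

# Keywords that betray a pasted "original" message inside the body.
THREAD_HEADER_KEYWORDS = ("from:", "to:", "sent:", "date:", "cc:", "subject:")

# Hypothetical high-risk indicator patterns; stand-ins, not the rule's own.
INDICATORS = {
    "urgency": re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I),
    "financial_request": re.compile(r"\b(wire|invoice|payment|gift card)\b", re.I),
    "credential_theft": re.compile(r"\b(password|verify your account|sign in)\b", re.I),
    "ip_literal_link": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", re.I),
}


def coalesce(*values):
    """First value that is not None, like the rule's coalesce()."""
    for v in values:
        if v is not None:
            return v
    return None


def message_body(msg, use_coalesce=True):
    """Body text to inspect; without coalesce, plain-text-only mail yields None."""
    if use_coalesce:
        return coalesce(msg.get("html_display_text"), msg.get("plain_raw"))
    return msg.get("html_display_text")


def is_fake_thread(msg, body):
    """Reply/forward appearance without the headers a real reply carries."""
    if msg["references"] or msg["in_reply_to"] is not None:
        return False
    if msg["subject"].strip().lower().startswith(("re:", "fw:", "fwd:")):
        return True
    if body is None:
        return False
    lowered = body.lower()
    return sum(kw in lowered for kw in THREAD_HEADER_KEYWORDS) >= 3


def risk_indicators(msg, body):
    hits = [name for name, rx in INDICATORS.items() if body and rx.search(body)]
    if msg.get("reply_to_domain") and msg["reply_to_domain"] != msg["from_domain"]:
        hits.append("reply_to_mismatch")
    return hits


def evaluate(msg, use_coalesce=True, min_indicators=4):
    body = message_body(msg, use_coalesce)
    if not msg["unsolicited"] or not is_fake_thread(msg, body):
        return False
    return len(risk_indicators(msg, body)) >= min_indicators


def alerting_message_ids(messages, use_coalesce=True):
    return [m["id"] for m in messages if evaluate(m, use_coalesce)]


# Constructed sample body: a lure followed by a pasted fake "original".
FAKE_QUOTED_THREAD = (
    "Please handle this urgent wire payment immediately and verify your account "
    "password at http://203.0.113.5/login\n\n"
    "From: CFO <cfo@example.com>\nSent: Monday\nTo: ap@example.com\nSubject: Invoice 4471\n"
)

# Constructed messages (reply_to_domain/unsolicited are assumed pre-computed fields).
SAMPLE_MESSAGES = [
    {"id": "html-fake-thread", "subject": "Invoice 4471", "references": [], "in_reply_to": None,
     "html_display_text": FAKE_QUOTED_THREAD, "plain_raw": FAKE_QUOTED_THREAD,
     "from_domain": "example.com", "reply_to_domain": "example.net", "unsolicited": True},
    {"id": "plain-only-fake-thread", "subject": "Invoice 4471", "references": [], "in_reply_to": None,
     "html_display_text": None, "plain_raw": FAKE_QUOTED_THREAD,
     "from_domain": "example.com", "reply_to_domain": "example.net", "unsolicited": True},
    {"id": "real-reply", "subject": "RE: Invoice 4471", "references": ["<abc@example.com>"],
     "in_reply_to": "<abc@example.com>", "html_display_text": FAKE_QUOTED_THREAD,
     "plain_raw": FAKE_QUOTED_THREAD, "from_domain": "example.com", "reply_to_domain": None,
     "unsolicited": False},
    {"id": "benign-forward", "subject": "FW: Weekly digest", "references": [], "in_reply_to": None,
     "html_display_text": "Sharing this week's digest.", "plain_raw": "Sharing this week's digest.",
     "from_domain": "example.com", "reply_to_domain": None, "unsolicited": True},
]

if __name__ == "__main__":
    print("with coalesce:   ", alerting_message_ids(SAMPLE_MESSAGES))
    print("HTML body only:  ", alerting_message_ids(SAMPLE_MESSAGES, use_coalesce=False))
```

The plain-text-only message carries exactly the same lure as the HTML one; it is only caught when the body lookup falls back to body.plain.raw.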
This YARA rule detects a specific variant of the Kaiji malware, known as Ares, which has been observed in connection with React2Shell exploitation. The rule identifies Linux ELF binaries by checking for the magic number 0x464c457f. Detection is confirmed by the presence of at least two out of three specific strings, including a hardcoded source code path "C:/src/client/linux/ares_tcp.go" and two distinct hex patterns. Relevant MITRE ATT&CK tactics: TA0040 Relevant MITRE ATT&CK techniques: T1498
rule Kaiji_Ares {
  meta:
    description = "Detects a Variant of Kaiji (Ares) observed during React2Shell exploitation"
    author = "RussianPanda"
    date = "2025-12-8"
    hash = "c79fcb6c433d8a613f25b9b4c81c1c2514ac97e9aaae7c7c84a432b2476b5e4e"
  strings:
    $s1 = "C:/src/client/linux/ares_tcp.go"
    $s2 = {E5 BC BA E5 88 B6 55 64 70}
    $s3 = {B0 81 E5 8C 85}
  condition:
    uint32(0) == 0x464c457f and 2 of them
}
file--42188e39-340c-5a58-9f1f-5f0424f6d7c7
relationship--fbd80c6a-19f9-4d93-841d-9bf14a1ebb36
This YARA rule detects the ZinFoq implant on Linux systems. It identifies the malware by searching for three specific strings: "_FlAg_UuId;;;;;;", "interactive_shell", and "explorer_download". The rule also confirms that the file is an ELF binary by checking for the corresponding magic bytes (0x7fELF) at the beginning of the file. Relevant MITRE ATT&CK tactics: TA0011, TA0005 Relevant MITRE ATT&CK techniques: T1059, T1105
rule ZinFoq {
  meta:
    description = "Detects ZinFoq implant"
    author = "RussianPanda"
    date = "2025-12-8"
    hash = "0f0f9c339fcc267ec3d560c7168c56f607232cbeb158cb02a0818720a54e72ce"
  strings:
    $s1 = "_FlAg_UuId;;;;;;"
    $s2 = "interactive_shell"
    $s3 = "explorer_download"
  condition:
    uint32(0) == 0x464c457f and all of them
}
Tags: malicious-activity endpoint-security TA0011 TA0005 T1059 T1105
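As an added example (not the feed's or the rule author's code), the Python below evaluates the conditions of both YARA rules above over constructed byte blobs. It makes two points concrete: uint32(0) == 0x464c457f is the little-endian reading of the four ELF magic bytes 7F 45 4C 46, so the same strings in a non-ELF file never fire; and "2 of them" versus "all of them" is a plain count over the rule's string set. The string sets and thresholds are transcribed from the rules; the sample blobs are made up and contain no real malware.

```python
# Added example, not the feed's or the rule author's code: a minimal evaluator
# for the Kaiji_Ares and ZinFoq conditions, run over constructed blobs.
import struct

ELF_MAGIC = b"\x7fELF"  # bytes 7F 45 4C 46; as a little-endian uint32 this is 0x464c457f

# String sets and thresholds transcribed from the two rules.
RULES = {
    "Kaiji_Ares": {
        "strings": [
            b"C:/src/client/linux/ares_tcp.go",
            bytes.fromhex("E5BCBAE588B6556470"),  # UTF-8 for "强制" followed by ASCII "Udp"
            bytes.fromhex("B081E58C85"),
        ],
        "required": 2,   # "2 of them"
    },
    "ZinFoq": {
        "strings": [b"_FlAg_UuId;;;;;;", b"interactive_shell", b"explorer_download"],
        "required": 3,   # "all of them"
    },
}


def uint32(data, offset=0):
    """YARA's uint32(offset): unsigned little-endian 32-bit read, None if the file is too short."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def is_elf(data):
    return uint32(data, 0) == 0x464C457F


def matched_strings(data, rule_name):
    """Identifiers ($s1, $s2, ...) of the rule's strings found anywhere in data."""
    return [f"$s{i}" for i, s in enumerate(RULES[rule_name]["strings"], start=1) if s in data]


def rule_matches(data, rule_name):
    rule = RULES[rule_name]
    return is_elf(data) and len(matched_strings(data, rule_name)) >= rule["required"]


def scan(data):
    """Sorted names of the rules that fire on data."""
    return sorted(name for name in RULES if rule_matches(data, name))


def fake_elf(*chunks):
    """Constructed sample: ELF magic plus padding, then the chunks NUL-separated."""
    return ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x00".join(chunks)


# Constructed test blobs; none of these is a real sample.
SAMPLES = {
    "ares_two_strings": fake_elf(b"C:/src/client/linux/ares_tcp.go", bytes.fromhex("B081E58C85")),
    "ares_one_string": fake_elf(b"C:/src/client/linux/ares_tcp.go"),
    "zinfoq_all": fake_elf(b"_FlAg_UuId;;;;;;", b"interactive_shell", b"explorer_download"),
    "zinfoq_two_of_three": fake_elf(b"_FlAg_UuId;;;;;;", b"interactive_shell"),
    # An MZ-headed blob carrying every ZinFoq string: the ELF gate rejects it.
    "pe_with_zinfoq_strings": b"MZ" + b"\x00" * 62
                              + b"_FlAg_UuId;;;;;;interactive_shellexplorer_download",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:24s} -> {scan(blob)}")
```

Only the ELF blob with two Ares strings and the ELF blob with all three ZinFoq strings fire; one Ares string, two of three ZinFoq strings, or the full ZinFoq string set inside an MZ-headed file all stay silent.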