Description:
The feed offers a continuous stream of newly published detection rules, sourced from over 40 public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Contents:
Identity objects: 39; Indicator objects: 540
Application:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
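The feed ships its rules as STIX 2 objects: the Contents line above counts 39 Identity objects (presumably the upstream repositories) and 540 Indicator objects (the rules themselves), and every row in the preview below is tagged STIX2. As an added example, not code from the feed provider, the following Python unpacks a constructed STIX 2.1 bundle of that shape: it resolves each indicator's created_by_ref to a source identity, pulls MITRE ATT&CK IDs out of external_references, and decides which detection engine each pattern_type should be routed to. The bundle contents, object IDs, the mitre-attack reference convention and the ENGINES table are assumptions for this example; the provider's actual encoding may differ.

```python
import json
import re
from collections import Counter

# Constructed STIX 2.1 bundle standing in for one page pulled from the feed.
# IDs, names and the way ATT&CK IDs are carried are assumptions, not the
# provider's actual encoding.
_ELASTIC = "identity--a1b2c3d4-0000-4000-8000-000000000001"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--5b3d1e8a-2c4f-4a6e-9d7b-1f2e3a4b5c6d",
    "objects": [
        {"type": "identity", "spec_version": "2.1", "id": _ELASTIC,
         "created": "2024-05-01T00:00:00.000Z", "modified": "2024-05-01T00:00:00.000Z",
         "name": "Elastic-Edr", "identity_class": "organization"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-0000-4000-8000-000000000010",
         "created_by_ref": _ELASTIC,
         "created": "2024-05-02T00:00:00.000Z", "modified": "2024-05-02T00:00:00.000Z",
         "valid_from": "2024-05-02T00:00:00.000Z",
         "name": "Unusual SSH Child Network Connection",
         "pattern_type": "eql",  # assumed; pattern_type is an open vocabulary
         "pattern": "sequence by process.entity_id [process where true] [network where true]",
         "labels": ["persistence", "lateral-movement"],
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "TA0003"},
             {"source_name": "mitre-attack", "external_id": "T1554"},
             {"source_name": "mitre-attack", "external_id": "T1021.004"}]},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-0000-4000-8000-000000000011",
         # Dangling reference: the identity is not in this bundle.
         "created_by_ref": "identity--a1b2c3d4-0000-4000-8000-000000000099",
         "created": "2024-05-03T00:00:00.000Z", "modified": "2024-05-03T00:00:00.000Z",
         "valid_from": "2024-05-03T00:00:00.000Z",
         "name": "System Info Discovery via Sysinfo Syscall",
         "pattern_type": "sigma",
         "pattern": "detection:\n  selection:\n    syscall: sysinfo\n  condition: selection",
         "external_references": [
             {"source_name": "mitre-attack", "external_id": "T1082",
              "url": "https://attack.mitre.org/techniques/T1082"},
             {"source_name": "sigma", "external_id": "not-an-attack-id"}]},  # must be ignored
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--a1b2c3d4-0000-4000-8000-000000000012",
         "created_by_ref": _ELASTIC,
         "created": "2024-05-04T00:00:00.000Z", "modified": "2024-05-04T00:00:00.000Z",
         "valid_from": "2024-05-04T00:00:00.000Z",
         "name": "SimpleHelp Remote Access Tool Service Installation",
         "pattern_type": "spl",  # assumed custom value with no configured engine
         "pattern": "index=wineventlog EventCode IN (4697, 7045)"},
    ],
})

ATTACK_ID = re.compile(r"^(?:TA\d{4}|T\d{4}(?:\.\d{3})?)$")

# Where a consumer routes each pattern language. Anything not listed is
# reported, not silently dropped.
ENGINES = {"sigma": "sigma-cli", "eql": "elastic", "kql": "sentinel",
           "stix": "stix-pattern-matcher"}


def summarise_feed(bundle_json):
    objects = json.loads(bundle_json).get("objects", [])
    identities = {o["id"]: o["name"] for o in objects if o["type"] == "identity"}
    rules, unknown_engines, technique_counts = [], [], Counter()
    for obj in objects:
        if obj["type"] != "indicator":
            continue
        # Keep only well-formed ATT&CK tactic/technique IDs from the ATT&CK source.
        attack_ids = sorted({
            ref["external_id"] for ref in obj.get("external_references", [])
            if ref.get("source_name") == "mitre-attack"
            and ATTACK_ID.match(ref.get("external_id", ""))})
        technique_counts.update(i for i in attack_ids if not i.startswith("TA"))
        # pattern_type is required in STIX 2.1; a 2.0 indicator has none and
        # is always a STIX pattern.
        ptype = obj.get("pattern_type", "stix")
        if ptype not in ENGINES:
            unknown_engines.append((obj["name"], ptype))
        rules.append({"name": obj["name"],
                      "source": identities.get(obj.get("created_by_ref"), "unknown"),
                      "pattern_type": ptype, "engine": ENGINES.get(ptype),
                      "attack": attack_ids})
    return {"rules": rules, "technique_counts": dict(technique_counts),
            "unknown_engines": unknown_engines}


if __name__ == "__main__":
    print(json.dumps(summarise_feed(SAMPLE_BUNDLE), indent=2))
```

Two checks are worth keeping when pointing this at the real feed: a created_by_ref that does not resolve within the page you fetched is normal with TAXII paging (the identity may live in an earlier page), so resolve against everything collected so far before labelling a source "unknown"; and since pattern_type is an open vocabulary, treat an unrecognised value as work to triage rather than discarding the rule.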
STIX/TAXII endpoints:
Content preview:

Latest 10 entities:
Rule | Source | Status | Format | Description | Labels
---|---|---|---|---|---
Credential phishing: Email delivery failure impersonation | Sublime-Security | New rule | STIX2 | This rule detects phishing emails that impersonate email system notifications about delivery failures or other mail system issues. It identifies messages that ask users to take action to "fix" or "recover" their email, which typically leads to a credential harvesting portal. The rule analyzes email content, sender information, and links to identify potential phishing attempts. Relevant MITRE ATT&CK tactics: TA0001, TA0006. Relevant techniques: T1566, T1566.002, T1598, T1598.007. | credential-access, phishing
Open Redirect: bananaguide.com | Sublime-Security | New rule | STIX2 | This rule detects use of the bananaguide.com redirect with a URL parameter in messages, which has been exploited in the wild. It checks inbound messages containing links whose domain is bananaguide.com, whose path is /thru.php, and whose URL parameter is present and does not redirect back to bananaguide.com. It excludes trusted sender domains unless they fail DMARC authentication, and excludes messages sent from bananaguide.com itself. Relevant MITRE ATT&CK tactics: TA0001, TA0009. Relevant techniques: T1598, T1189, T1204, T1566. | credential-access, malicious-activity
ANY.RUN Obfuscated BAT Dropper Delivers NetSupport RAT post | Kql | New rule | STIX2 | This KQL query detects execution of an obfuscated BAT dropper that delivers the NetSupport RAT. It identifies cmd.exe launching a .bat file, which in turn runs PowerShell with a hidden window style and Invoke-WebRequest, followed by registry modifications that add client32.exe to the Run key. Relevant MITRE ATT&CK tactics: TA0005, TA0003. Relevant techniques: T1059.003, T1566.001, T1547.001. | malicious-activity
Native API Call from Unsigned Module | Elastic-Edr | New rule | STIX2 | Identifies suspicious calls to Windows Native APIs from an unsigned module. This may indicate an attempt to bypass hooks placed on Kernelbase APIs. Relevant MITRE ATT&CK tactics: TA0002, TA0005, TA0004. Relevant techniques: T1106, T1620, T1027, T1027.001. | defense-evasion
LSASS Memory Read via PPL Bypass | Elastic-Edr | New rule | STIX2 | Identifies attempts to access the Local Security Authority Subsystem Service (LSASS) while it runs as a protected process (PPL), from a process that is not itself protected. Adversaries may exploit vulnerabilities or leverage vulnerable drivers to bypass LSA protection. Relevant MITRE ATT&CK tactics: TA0005, TA0006. Relevant techniques: T1211, T1003, T1003.001. | 
Unusual SSH Child Network Connection | Elastic-Edr | New rule | STIX2 | This rule detects unusual network connections initiated by a child process of SSH. Attackers may backdoor SSH sessions, shell profiles or PAM configurations to establish persistence or exfiltrate data. The rule identifies processes spawned by ssh or sshd that execute from suspicious directories (such as /tmp or /dev/shm) and initiate network connections to destinations outside the common private address ranges. Relevant MITRE ATT&CK tactics: TA0003, TA0006, TA0008. Relevant techniques: T1037, T1554, T1556, T1021, T1021.004, T1563, T1563.001. | persistence, network-security, endpoint-security, credential-access, lateral-movement
Unusual SSH Parent/Child Execution | Elastic-Edr | New rule | STIX2 | This rule detects execution of a process from an unusual location immediately after an SSH process starts. This could indicate an attacker executing a malicious process in the context of an SSH session, or a successfully planted backdoor in a user's shell configuration. Relevant MITRE ATT&CK tactics: TA0003, TA0006, TA0008. Relevant techniques: T1037, T1554, T1556, T1021, T1021.004, T1563, T1563.001. | persistence, credential-access, lateral-movement
Background Task Execution via a Hidden Process | Elastic-Edr | New rule | STIX2 | This rule detects execution of a background task via a hidden process on Linux systems. Attackers may use hidden processes to evade detection and establish persistence or execute post-exploitation commands on a target system. The rule matches process starts, regardless of parent or process name, whose arguments match '&', indicating background execution. Relevant MITRE ATT&CK tactics: TA0002, TA0005, TA0011. Relevant techniques: T1059, T1059.004, T1564, T1564.001, T1071. | execution, persistence, defense-evasion
SimpleHelp Remote Access Tool Service Installation | Anvilogic | New rule | STIX2 | Detects installation of Windows services associated with the SimpleHelp or JWrapper remote access tools, which threat actors often abuse for persistent remote access. The rule identifies service installation events (Security event ID 4697 or System event ID 7045) where the service binary path matches patterns indicative of SimpleHelp or JWrapper installations, potentially revealing unauthorized remote access setup. It covers Windows 7/Server 2008 R2, Windows 8.1/Server 2012 R2, and Windows 10/Server 2016. The rule references the LOLRMM project. Relevant MITRE ATT&CK tactics: TA0005, TA0003, TA0011. Relevant techniques: T1569.002, T1543, T1219, T1543.003, T1059.001. | remote-access, persistence, endpoint-security
System Info Discovery via Sysinfo Syscall | Sigma | New rule | STIX2 | Detects use of the sysinfo system call on Linux, which returns a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools may use sysinfo to fingerprint the system and decide whether it is a viable target. Relevant MITRE ATT&CK tactics: TA0007, TA0009. Relevant techniques: T1057, T1082. | 
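The Unusual SSH Child Network Connection entry above describes its logic precisely enough to reproduce: a child of ssh or sshd, executing from /tmp or /dev/shm, that connects to a destination outside the private ranges. As an added example, not the Elastic rule itself, the following Python runs that logic over constructed process-start and network-connect events joined on PID. The event shapes, the sample telemetry, the addition of /var/tmp to the suspicious directories, and the use of is_global (which also excludes loopback, link-local and other special-use ranges, a stricter filter than "private ranges" alone) are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Directories the rule text names (/tmp, /dev/shm); /var/tmp is an addition
# made for this example.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SSH_PARENTS = {"ssh", "sshd"}


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    parent_name: str
    executable: str


@dataclass(frozen=True)
class NetworkConnect:
    pid: int
    dest_ip: str
    dest_port: int


def is_external(ip_text):
    """True for a globally routable destination. Private (RFC 1918, fc00::/7),
    loopback, link-local and other special-use ranges return False."""
    return ipaddress.ip_address(ip_text).is_global


def detect_ssh_child_connections(process_starts, connects):
    # Stage 1: children of ssh/sshd whose binary lives in a suspicious directory.
    suspects = {
        p.pid: p for p in process_starts
        if p.parent_name in SSH_PARENTS and p.executable.startswith(SUSPICIOUS_DIRS)
    }
    # Stage 2: join on PID with outbound connections to external destinations.
    alerts = []
    for c in connects:
        proc = suspects.get(c.pid)
        if proc is not None and is_external(c.dest_ip):
            alerts.append({"pid": c.pid, "executable": proc.executable,
                           "dest_ip": c.dest_ip, "dest_port": c.dest_port})
    return alerts


# Constructed sample telemetry: one true positive per address family, plus
# three cases that must not fire.
SAMPLE_PROCESSES = [
    ProcessStart(4101, "sshd", "/tmp/.cache/agent"),   # suspicious dir, external dest
    ProcessStart(4102, "sshd", "/usr/bin/git"),        # normal location
    ProcessStart(4103, "sshd", "/dev/shm/sync"),       # suspicious dir, private dest
    ProcessStart(4104, "bash", "/tmp/build/test"),     # parent is not ssh/sshd
    ProcessStart(4105, "ssh", "/dev/shm/.x"),          # suspicious dir, external IPv6
]
SAMPLE_CONNECTS = [
    NetworkConnect(4101, "8.8.8.8", 443),
    NetworkConnect(4102, "8.8.8.8", 443),
    NetworkConnect(4103, "10.0.0.5", 8080),
    NetworkConnect(4104, "1.1.1.1", 53),
    NetworkConnect(4105, "2606:4700:4700::1111", 443),
]


def run_sample():
    return detect_ssh_child_connections(SAMPLE_PROCESSES, SAMPLE_CONNECTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production telemetry the join key should be a unique process entity ID rather than the raw PID, which the kernel recycles; correlating on PID across a long window will eventually pair an old sshd child with an unrelated later process.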