Description:

The feed offers a continuous stream of newly published detection rules, sourced from 50+ public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.

Use cases:

  • Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
  • Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
  • Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.

Rules:

  • anvilogic: 75
  • elastic-edr: 199
  • elastic-siem: 180
  • fibratus: 12
  • kql: 133
  • osquery: 6
  • sentinel: 1
  • sigma: 242
  • splunk: 242
  • sublime: 3
  • sublime-security: 156
  • yara: 72

Entities:

  • Identity: 52
  • Indicator: 1321

MISP feed:

https://dispatch.ctichef.com/misp/e97dd0b0-382d-453d-9782-719297394960

STIX/TAXII feed:

API root:
https://dispatch.ctichef.com/

Content preview:

Latest 10 entities:

STIX2 bundle
  • This detection identifies the spawning of a child process by `ComputerDefaults.exe`, a legitimate Windows binary. Attackers can abuse this process to bypass User Account Control (UAC) and execute arbitrary code with elevated privileges. The rule specifically monitors for process creation events where the parent process name is `ComputerDefaults.exe`, which is a strong indicator of the UAC bypass technique documented in MITRE ATT&CK T1548.002.
    Relevant MITRE ATT&CK tactics: TA0005, TA0004, TA0002
    Relevant MITRE ATT&CK techniques: T1548.002, T1059

    name: Windows ComputerDefaults Spawning a Process
    id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6
    version: 1
    date: '2025-10-31'
    author: Teoderick Contreras, Splunk
    status: production
    type: TTP
    description: The following analytic detects the spawning of ComputerDefaults.exe, a Windows system process used to manage default application associations. While normally legitimate, this process can be exploited by attackers to bypass User Account Control (UAC) and execute unauthorized code with elevated privileges. Detection focuses on abnormal execution patterns, unusual parent-child process relationships, or deviations from standard paths. Such behavior may indicate attempts to modify system defaults or run malicious scripts undetected. Monitoring ComputerDefaults.exe is critical to identify potential security threats, prevent privilege escalation, and maintain system integrity by distinguishing normal operations from suspicious activity.
    data_source:
    - Sysmon EventID 1
    search: '| tstats `security_c...

    Tags: privilege-escalation, defense-evasion, endpoint-security, TA0005, TA0004, TA0002, T1548.002, T1059. License: Apache License 2.0

  • This analytic detects the execution of common web browser processes (chrome.exe, msedge.exe, brave.exe, firefox.exe) with unusual command-line flags such as '--mute-audio' and '--do-not-elevate'. The detection logic specifically looks for instances where the parent process is not a standard browser or explorer.exe and does not originate from typical system directories like 'C:\Program Files' or 'C:\Windows'. Such behavior can indicate malicious automation, testing environments, or attempts to operate the browser silently or with modified privileges, as observed with malware like Castle RAT.
    Relevant MITRE ATT&CK tactics: TA0002, TA0005
    Relevant MITRE ATT&CK techniques: T1185, T1202, T1548

    name: Windows Browser Process Launched with Unusual Flags
    id: 841e2abc-0442-4e7f-b445-b22680632a08
    version: 1
    date: '2025-10-31'
    author: Teoderick Contreras, Splunk
    status: production
    type: Anomaly
    description: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
    data_source:
    - Sysmon EventID 1
    search...

    Tags: endpoint-security, execution, defense-evasion, TA0002, TA0005, T1185, T1202, T1548. License: Apache License 2.0

  • This Splunk analytic detects suspicious handle duplication activity targeting known Windows UAC-bypass utilities like ComputerDefaults.exe and eventvwr.exe. It leverages Sysmon Event ID 10 (ProcessAccess) to identify when a process from a non-standard location attempts to duplicate a handle into a trusted system binary, specifically checking for the PROCESS_DUP_HANDLE access right. This behavior is indicative of privilege escalation or UAC bypass techniques where an attacker injects an elevated token or handle to execute code with higher privileges.
    Relevant MITRE ATT&CK tactics: TA0004, TA0005
    Relevant MITRE ATT&CK techniques: T1134.001

    name: Windows Handle Duplication in Known UAC-Bypass Binaries
    id: d7369bf5-1315-4138-b927-2dd8bb8c1da7
    version: 1
    date: '2025-10-31'
    author: Teoderick Contreras, Splunk
    status: production
    type: Anomaly
    description: The following analytic detects suspicious handle duplication activity targeting known Windows utilities such as ComputerDefaults.exe, Eventvwr.exe, and others. This technique is commonly used to escalate privileges or bypass UAC by inheriting or injecting elevated tokens or handles. The detection focuses on non-standard use of DuplicateHandle or token duplication where process, thread, or token handles are copied into the context of trusted, signed utilities. Such behavior may indicate attempts to execute with elevated rights without user consent. Alerts enable rapid triage using process trees, handle data, token attributes, command-lines, and binary hashes.
    data_source:
    - Sysmon EventID 10
    search: '`sysmon` EventCode=10 TargetImage IN("*\\ComputerDefaults.exe", "*\\even...

    Tags: privilege-escalation, defense-evasion, endpoint-security, TA0004, TA0005, T1134.001. License: Apache License 2.0

  • This YARA rule detects the RoningLoader trojan on Windows systems. The detection is based on a specific x86 binary signature or the co-occurrence of three strings indicating the creation of a Protected Process Light (PPL), the use of the legitimate Windows utility `ClipUp.exe`, and the execution of `regsvr32.exe /S`. The rule is designed for scanning both files and memory.
    Relevant MITRE ATT&CK tactics: TA0005
    Relevant MITRE ATT&CK techniques: T1218.010, T1548.002

    rule Windows_Trojan_RoningLoader_a4e851ac {
        meta:
            author = "Elastic Security"
            id = "a4e851ac-7787-4f75-9aab-32c17c253c7a"
            fingerprint = "42d19ba97783f3807c096c1d1d5d17052530cc734d680c5baa8fc3c50cc10eee"
            creation_date = "2025-10-20"
            last_modified = "2025-11-03"
            threat_name = "Windows.Trojan.RoningLoader"
            reference_sample = "c84764a19543e9bdfe06263d3dd68bbf9df381bbe4d0c0da480bc4eddea293b6"
            severity = 100
            arch_context = "x86"
            scan_context = "file, memory"
            license = "Elastic License v2"
            os = "windows"
        strings:
            $binary0 = { 48 89 45 80 8B 05 C5 E8 0C 00 48 0F 47 4C 24 70 66 89 04 51 48 8D 44 24 70 66 44 89 6C 51 02 }
            $str0 = "Successfully created PPL process with PID: " wide fullword
            $str1 = "C:\\Windows\\System32\\ClipUp.exe" wide fullword
            $str2 = "regsvr32.exe /S"
        condition:
            $binary0 or all of ($str*)
    }

    Tags: malicious-activity, endpoint-security, TA0005, T1218.010, T1548.002. License: Elastic License 2.0

  • This rule detects potential brand impersonation of Paperless Post in inbound emails. It triggers on messages containing two or more images hosted on 'ppassets.com' but fewer than two legitimate Paperless Post links (from 'links.paperlesspost.com' or with a '/go/' path). The logic is designed to filter out legitimate forwards or replies and messages from authenticated 'paperlesspost.com' domains with a passing DMARC record, focusing on emails that misuse brand assets for phishing.
    Relevant MITRE ATT&CK tactics: TA0001, TA0007
    Relevant MITRE ATT&CK techniques: T1566, T1566.002, T1598.003

    name: "Brand impersonation: Paperless Post"
    description: "Detects messages containing multiple images hosted on ppassets.com (Paperless Post's asset domain) but with fewer than 3 legitimate Paperless Post links, while excluding authentic forwards/replies and messages from verified Paperless Post domains with valid DMARC authentication."
    type: "rule"
    severity: "high"
    source: |
      type.inbound
      and strings.contains(body.html.raw, 'ppassets.com')
      and length(filter(html.xpath(body.html, '//img/@src').nodes,
                        // calling parse_url allows url decoding to help us
                        strings.parse_url(.raw).domain.root_domain == 'ppassets.com'
                        )
                 ) >= 2
      and length(filter(body.links,
                        .href_url.domain.domain == "links.paperlesspost.com"
                        or (
                          .href_url.domain.root_domain == "paperlesspost.com"
                          and strings.istarts_with(.href_url.path, '/go/')
                        )
                 ) ...

    Tags: malicious-activity, defense-evasion, credential-access, TA0001, TA0007, T1566, T1566.002, T1598.003. License: MIT License

  • This rule detects the execution of the Windows utility `certreq.exe` with specific command-line flags (`-Post`, `-config`) and the presence of 'http' in the command line. This combination of parameters is indicative of an attacker abusing the legitimate `certreq` binary to download files, such as additional payloads or configuration files, from a remote server. The detection targets a known Living Off the Land Binaries and Scripts (LOLBAS) technique.
    Relevant MITRE ATT&CK tactics: TA0011, TA0005
    Relevant MITRE ATT&CK techniques: T1105, T1218

    title: Suspicious CertReq Command to Download
    id: 4480827a-9799-4232-b2c4-ccc6c4e9e12b
    status: experimental
    description: |
      Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files.
      Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
    references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
    author: Christian Burkard (Nextron Systems)
    date: 2021-11-24
    modified: 2025-10-29
    tags:
    - attack.command-and-control
    - attack.t1105
    logsource:
      category: process_creation
      product: windows
    detection:
      selection_img:
      - Image|endswith: '\certreq.exe'
      - OriginalFileName: 'CertReq.exe'
      selection_cli_flag_post:
        CommandLine|contains|windash: '-Post'
      selection_cli_flag_config:
        CommandLine|contain...

    Tags: command-and-control, malicious-activity, endpoint-security, Kill Chain Phase: command-and-control, TA0011, TA0005, T1105, T1218. License: Detection Rule License (DRL) 1.1

  • This rule detects inbound emails originating from the 'nifty.com' domain where the sender's local part (the part before the '@') matches either the local part of a recipient or a second-level domain (SLD) of the target organization. This pattern is indicative of credential phishing campaigns that abuse the nifty.com service for impersonation attacks. The rule further filters out legitimate emails by excluding messages classified as Japanese and those from senders with a history of benign or solicited communication.
    Relevant MITRE ATT&CK tactics: TA0001, TA0006
    Relevant MITRE ATT&CK techniques: T1566, T1036

    name: "Service Abuse: Nifty.com with impersonation"
    description: "Detects emails from nifty.com where the sender's local part matches a recipient's local part or organizational SLD, which has been observed in credential harvesting campaigns"
    type: "rule"
    severity: "medium"
    source: |
      type.inbound
      and sender.email.domain.root_domain == "nifty.com"
      and (
        sender.email.local_part in map(recipients.to, .email.local_part)
        or sender.email.local_part in $org_slds
      )
      and ml.nlu_classifier(body.current_thread.text).language != "japanese"
      // and no false positives and not solicited
      and not profile.by_sender_email().any_messages_benign
      and not profile.by_sender_email().solicited
    attack_types:
    - "Credential Phishing"
    tactics_and_techniques:
    - "Spoofing"
    detection_methods:
    - "Sender analysis"
    id: "370cfdac-4976-59a1-ae1f-7cd5594eb958"

    Tags: malicious-activity, credential-access, defense-evasion, TA0001, TA0006, T1566, T1036. License: MIT License

  • This rule detects email messages containing indicators of the Gophish phishing framework. Specifically, it identifies inbound emails with a hidden HTML image tag (style='display: none') that includes a URL with the tracking parameter '/track?rid='. This technique is used by Gophish to track when a recipient has opened a phishing email, confirming the address is active and the user is susceptible.
    Relevant MITRE ATT&CK tactics: TA0001
    Relevant MITRE ATT&CK techniques: T1566

    name: "Credential theft: Gophish abuse with hidden tracking image"
    description: "Detects messages containing hidden tracking images with display:none style and tracking parameters in the source URL, commonly used for user tracking and engagement monitoring."
    type: "rule"
    severity: "high"
    source: |
      type.inbound
      and (
        strings.icontains(body.html.raw, '<img alt='''' style=''display: none'' src=''')
        or strings.icontains(body.html.raw, 'img alt="" style="display: none" src="')
      )
      and strings.icontains(body.html.raw, '/track?rid=')
    attack_types:
    - "Spam"
    tactics_and_techniques:
    - "Evasion"
    - "Image as content"
    detection_methods:
    - "Content analysis"
    - "HTML analysis"
    id: "59915ceb-4d7c-56ba-a28e-ccda8d95b5e2"

    Tags: malicious-activity, credential-access, TA0001, T1566. License: MIT License

  • This rule detects the creation of RunMRU registry entries that contain an excessive number of various space characters. This technique, known as 'clickfix', is used in phishing attacks to obscure malicious commands within the Windows Run dialog, making them difficult for a user to identify visually before execution.
    Relevant MITRE ATT&CK tactics: TA0002, TA0005
    Relevant MITRE ATT&CK techniques: T1204.004, T1027.010, T1204, T1027

    title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
    id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
    related:
    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
      type: similar
    status: experimental
    description: |
      Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
    references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://github.com/JohnHammond/recaptcha-phish
    author: Swachchhanda Shrawan Poudel (Nextron Systems)
    date: 2025-11-04
    tags:
    - attack.execution
    - attack.t1204.004
    - attack.defense-evasion
    - attack.t1027.010
    logsource:
      category: registry_set
      product: windows
    detection:
      selection_key:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
        Details|contains: '#'
      selectio...

    Tags: malicious-activity, execution, defense-evasion, endpoint-security, TA0002, TA0005, T1204.004, T1027.010, T1204, T1027. License: Detection Rule License (DRL) 1.1

  • This rule detects the creation of an `explorer.exe` process where the command line contains extensive whitespace padding and a '#' character. This pattern is indicative of social engineering techniques like ClickFix or FileFix, where malicious commands are obscured from the user's view in the Windows Run dialog or File Explorer search bar by pushing them out of the visible area using various Unicode space characters.
    Relevant MITRE ATT&CK tactics: TA0002, TA0005
    Relevant MITRE ATT&CK techniques: T1204.004, T1027.010

    title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
    id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
    related:
    - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
      type: similar
    - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
      type: similar
    status: experimental
    description: |
      Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
      ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
    references:
    - https...

    Tags: malicious-activity, execution, defense-evasion, endpoint-security, TA0002, TA0005, T1204.004, T1027.010. License: Detection Rule License (DRL) 1.1