Description:
The feed offers a continuous stream of newly published detection rules, sourced from 50+ public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Use cases:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
Rules:
- anvilogic: 75
- elastic-edr: 198
- elastic-siem: 179
- fibratus: 12
- kql: 131
- osquery: 6
- sentinel: 1
- sigma: 233
- splunk: 239
- sublime: 3
- sublime-security: 150
- yara: 68
Entities:
- Identity: 52
- Indicator: 1295
MISP feed:
STIX/TAXII feed:
Content preview:

Latest 10 entities:
This rule detects unsolicited inbound emails that claim to have identified errors on a recipient's website. It analyzes email content for keywords like 'error', 'report', 'issues', and 'screenshot' in the subject and body, in conjunction with common salutations. The detection logic is structured to handle single-thread messages (with or without an unsubscribe link) and multi-thread conversations by evaluating message length, link/attachment counts, and specific keyword combinations.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566

name: "Spam: Website errors solicitation"
description: "This rule detects messages claiming to have identified errors on a website. The messages typically offer to send pricing or information upon request."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    sender.email.email not in $recipient_emails
    or not profile.by_sender().solicited
  )
  and 1 of (
    // Single thread message groups
    (
      length(attachments) == 0
      and length(body.links) == 0
      and length(body.previous_threads) == 0
      and 20 < length(body.current_thread.text) < 500
      and regex.icontains(body.current_thread.text, "screenshot")
      and regex.icontains(body.current_thread.text, '.*(hi|hello|hey)')
      and regex.icontains(body.current_thread.text, ".*(error|report|issues)")
      and regex.icontains(subject.subject, ".*(proposal|cost|report|error|audit|screenshot)")
    ),
    // Single thread message groups but with 1 unsubscribe link
    (
      length(attachments) == ...

This rule detects inbound emails that use social engineering to deceive recipients about an attachment. The detection logic identifies messages that reference an attachment (e.g., 'see attached') but contain none. It specifically looks for links pointing to the 'fliphtml5.com' domain and leverages a Natural Language Understanding (NLU) classifier to confirm the presence of high-confidence credential theft language.
Relevant MITRE ATT&CK tactics: TA0001, TA0006
Relevant MITRE ATT&CK techniques: T1566.002

name: "Service abuse: FlipHTML5 with attachment deception and credential theft language"
description: "Detects messages that reference attachments without including any, contain links to FlipHTML5 services, and exhibit high-confidence credential theft language patterns."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // messages contain wording to "see attached" but contains no attachments
  and (
    regex.icontains(body.current_thread.text,
                    "attached|see.*attached|find.*attached|please{0,10}attached"
    )
    and length(attachments) == 0
  )
  // and the link goes to fliphtml5 and contains suspect "click me" language
  and any(body.links, .href_url.domain.root_domain == "fliphtml5.com")
  // and we have confidence its cred theft
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence != "low"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"...

Tags: malicious-activity, credential-access, TA0001, TA0006, T1566.002
License: MIT License
This KQL query detects modifications to the Windows Security Audit Policy by monitoring for registry value data that begins with 'auditpol'. This activity can indicate an attacker's attempt to alter security logging configurations to evade detection prior to executing further malicious actions, such as ransomware deployment. The detection focuses on the `DeviceRegistryEvents` table, looking for evidence of `auditpol.exe` usage.
Relevant MITRE ATT&CK tactics: TA0005
Relevant MITRE ATT&CK techniques: T1562

DeviceRegistryEvents
| where RegistryValueData startswith "auditpol"

This rule detects inbound emails that contain command and control information related to SMTP and SOCKS5 proxies within the message body. The detection logic specifically targets emails with no attachments, a low link count (between 2 and 4), and body text matching patterns like ':socks5:' or references to localhost proxy configurations on port 1080. This is indicative of spam or malicious campaigns attempting to deliver C2 instructions.
Relevant MITRE ATT&CK tactics: TA0001, TA0011
Relevant MITRE ATT&CK techniques: T1566, T1071

name: "Spam: SMTP & Proxy Communications in Email Body"
description: |
  An email containing SMTP and Proxy (socks5) command and control information within the body of the message.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and 1 < length(body.links) < 5
  and regex.icontains(body.current_thread.text,
                      ":socks5:|::127.0.0.1:1080|:0:127.0.0.1:1080"
  )
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
detection_methods:
  - "Content analysis"
id: "2bdc6a3b-1239-5644-b4bc-d31666ded22e"

Tags: malicious-activity, command-and-control, TA0001, TA0011, T1566, T1071
License: MIT License
This rule detects the creation of any child process by the Windows Speech Runtime executable, `SpeechRuntime.exe`. Such behavior is suspicious and could indicate an adversary is hijacking COM and DCOM to execute arbitrary code for lateral movement, as `SpeechRuntime.exe` is not expected to spawn child processes during normal operation.
Relevant MITRE ATT&CK tactics: TA0005, TA0008, TA0004
Relevant MITRE ATT&CK techniques: T1021.003, T1218, T1548.002

title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.defense-evasion
    - attack.lateral-movement
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high

Tags: endpoint-security, defense-evasion, lateral-movement, TA0005, TA0008, TA0004, T1021.003, T1218, T1548.002
License: Detection Rule License (DRL) 1.1
This rule detects the execution of TruffleHog, an open-source tool for scanning for secrets and sensitive information, within an AWS environment. The detection is based on the presence of 'TruffleHog' in the user agent string of AWS CloudTrail logs. While it can be used legitimately by security teams, its presence may indicate unauthorized credential harvesting activities by threat actors.
Relevant MITRE ATT&CK tactics: TA0006, TA0007
Relevant MITRE ATT&CK techniques: T1555, T1003, T1552

title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting.
    All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate use of TruffleHog by securi...

Tags: credential-access, cloud-security, TA0006, TA0007, T1555, T1003, T1552
License: Detection Rule License (DRL) 1.1
This rule detects the creation of Personal Information Exchange (.pfx) files. Since PFX files bundle private keys and certificates, they are valuable targets for attackers looking to exfiltrate credentials for impersonation, code signing, or establishing certificate-based persistence. The detection logic identifies file creation events where the target filename ends with '.pfx' and excludes common legitimate sources like Microsoft OneDrive, Visual Studio, and CMake to reduce false positives.
Relevant MITRE ATT&CK tactics: TA0006, TA0005
Relevant MITRE ATT&CK techniques: T1552.004, T1555

title: PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: |
    Detects the creation of PFX files (Personal Information Exchange format).
    PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
    - Exfiltrate digital certificates for impersonation or signing malicious code
    - Establish persistent access through certificate-based authentication
    - Bypass security controls that rely on certificate validation
    Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/14
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-43...

Tags: credential-access, endpoint-security, TA0006, TA0005, T1552.004, T1555
License: Detection Rule License (DRL) 1.1
This rule detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement. The detection triggers on explicit local connections (e.g., to localhost or 127.0.0.1) or when remote connection parameters are omitted, which defaults to local execution.
Relevant MITRE ATT&CK tactics: TA0008, TA0005, TA0002
Relevant MITRE ATT&CK techniques: T1021.006, T1218, T1202

title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
    Detects the execution of Winrs.exe where it is used to execute commands locally.
    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.defense-evasion
    - attack.t1021.006
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
        - Image|endswith: '\winrs.exe'
        - OriginalFileName: 'winrs.exe'
    ...

Tags: defense-evasion, execution, lateral-movement, endpoint-security, TA0008, TA0005, TA0002, T1021.006, T1218, T1202
License: Detection Rule License (DRL) 1.1
This rule detects the creation of a child process by 'winrshost.exe', the host process for the Windows Remote Shell (WinRs) service. This activity suggests that a command has been executed remotely on the machine via WinRM. While this can be legitimate administrative activity, it is also a common technique used by attackers for lateral movement and remote code execution.
Relevant MITRE ATT&CK tactics: TA0008, TA0002
Relevant MITRE ATT&CK techniques: T1021.006, T1059

title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
        ParentImage|endswith: '\winrshost.exe'
    filter_main_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter_main_*
fal...

Tags: lateral-movement, execution, endpoint-security, TA0008, TA0002, T1021.006, T1059
License: Detection Rule License (DRL) 1.1
This rule detects the execution of Python's built-in web server modules, such as `http.server` or `SimpleHTTPServer`, from the command line on Linux systems. Adversaries often use this technique for post-exploitation activities, like file exfiltration or staging tools, because it allows them to quickly establish an HTTP server without installing additional software. The detection logic identifies process creation events where the image path indicates a Python executable and the command line contains the specific web server module names.
Relevant MITRE ATT&CK tactics: TA0010, TA0011
Relevant MITRE ATT&CK techniques: T1048.003, T1105, T1071.001

title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endsw...

Tags: malicious-activity, exfiltration, endpoint-security, TA0010, TA0011, T1048.003, T1105, T1071.001
License: Detection Rule License (DRL) 1.1