Description:
The feed offers a continuous stream of newly published detection rules, sourced from 50+ public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Use cases:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
Rules:
- anvilogic: 75
- elastic-edr: 236
- elastic-siem: 264
- fibratus: 14
- kql: 167
- osquery: 6
- sentinel: 1
- sigma: 269
- splunk: 278
- sublime: 3
- sublime-security: 209
- yara: 95
Entities:
- Identity: 52
- Indicator: 1617
MISP feed:
STIX/TAXII feed:
Content preview:

Latest 10 entities:
This YARA rule identifies the OrcaC2 stub, a component of a multi-functional C2 framework. Detection is based on a unique User-Agent string ('orca/1.0'), specific PDB file paths from the development environment, and a collection of status and error messages related to its WinHTTP communication and file handling functions.
Relevant MITRE ATT&CK tactics: TA0011
Relevant MITRE ATT&CK techniques: T1071.001

rule Orca_Stub {
    meta:
        id = "27EhdBiud2OfMZ6utV5eGz"
        fingerprint = "v1_sha256_b331bc0db41c6a16677eb01ee24f59f44e2fd277c33422e16e1ab1ff38597667"
        version = "1.0"
        date = "2026-01-19"
        modified = "2026-01-19"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "BARTBLAZE"
        author = "@bartblaze"
        description = "Identifies OrcaC2, a multi-functional C&C framework based on WebSocket encrypted communication."
        category = "MALWARE"
        malware_type = "HACKTOOL"
        reference = "https://github.com/Ptkatz/OrcaC2"
        tool = "ORCAC2"
    strings:
        $ua = "orca/1.0" fullword
        $pdb_a = "C:\\Users\\blood\\Desktop\\C_Shot\\Release\\C_Shot.pdb"
        $pdb_b = "C:\\Users\\blood\\source\\repos\\Dll1\\Release\\Dll1.pdb"
        $msg_a = "[+] Read %d bytes"
        $msg_b = "[+] Current size: %d, To Read: %d"
        $msg_c = "[+] About to fill buffer"
        $msg_d = "[+] Finished reading file"
        $msg_e = "[-] Error %u in checking bytes left"
        $msg_f = "[-] Error %u in WinHttpReadData."
        $msg_g = "[-] Failed to connect to server"
        $msg_h = "[-...

malicious-activity command-and-control TA0011 T1071.001 MIT License
This YARA rule identifies the OrcaC2 Puppet component, a multi-functional C2 framework. The detection logic is based on the presence of hardcoded development paths and strings specific to the Puppet module, such as 'C:/Users/blood/Desktop/AAA/OrcaC2/', 'Orca_Puppet/pkg/', and 'OrcaC2_0H'.
Relevant MITRE ATT&CK tactics: TA0011
Relevant MITRE ATT&CK techniques: T1071

rule Orca_Puppet {
    meta:
        id = "s2PjsAb7LnZvcnL4CcpTL"
        fingerprint = "v1_sha256_f57fd21665cb3e75a5f56b3d3c5eb00d827bf5b5e96cb79f1cb775b300884837"
        version = "1.0"
        date = "2026-01-19"
        modified = "2026-01-19"
        status = "RELEASED"
        sharing = "TLP:CLEAR"
        source = "BARTBLAZE"
        author = "@bartblaze"
        description = "Identifies OrcaC2, a multi-functional C&C framework based on WebSocket encrypted communication."
        category = "MALWARE"
        malware_type = "HACKTOOL"
        reference = "https://github.com/Ptkatz/OrcaC2"
        tool = "ORCAC2"
    strings:
        $ = "C:/Users/blood/Desktop/AAA/OrcaC2/"
        $ = "Orca_Puppet/pkg/"
        $ = "Orca_Puppet/cli/"
        $ = "Orca_Puppet/stager"
        $ = "OrcaC2_0H" fullword
    condition:
        any of them
}

malicious-activity command-and-control TA0011 T1071 MIT License
This KQL query evaluates the effectiveness of multiple open-source URL-based threat intelligence feeds. It ingests and unifies IOCs from sources like Botvrij, Monty Security, Phishunt, C2IntelFeeds, and others. The query then correlates these IOCs against EmailUrlInfo and EmailEvents data from the last 30 days to identify matches, helping to measure the real-world value and hit rate of each intelligence feed within the environment.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566.002

//Sergio Albea 12-01-2026 TIFCE https://zenodo.org/records/18208974
let BotvrijRAW = externaldata(Url: string)[@'https://www.botvrij.eu/data/ioclist.domain']
| extend Url = substring(Url, 0, indexof(Url, '#'))
| where isnotempty(Url) or Url != ''
| project TIFeed = 'BotvrijRAW', IOC = Url, Reference = 'https://www.botvrij.eu/data/ioclist.domain';
let montysecurity = externaldata(URLS: string)[@'https://raw.githubusercontent.com/montysecurity/C2-Tracker/refs/heads/main/data/all.txt'] with (format='csv')
| project TIFeed = 'montysecurity', IOC = URLS, Reference = 'C2IntelFeeds';
let PhishuntURLs = externaldata(Url: string)['https://phishunt.io/feed.txt']
| where Url !in ('https://www.google.com/chrome/', 'https://www.microsoft.com/en-us/microsoft-teams/log-in')
| project TIFeed = 'PhishuntURLs', IOC = Url, Reference = 'https://hole.cert.pl/domains/v2/domains.txt';
let C2IntelFeeds = externaldata(URLS: string)[@'https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/refs/heads/master/feeds/domainC2swithURLw...

This KQL query evaluates the utility of threat intelligence feeds by correlating file hash IOCs with email attachments observed in the environment. It dynamically ingests SHA256 hashes from three public repositories: Bazaar Abuse.ch, botvrij.eu, and TweetFeed. The collected IOCs are then joined against EmailAttachmentInfo and EmailEvents tables in Microsoft Defender XDR to identify instances of known malicious files being delivered via email.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566.001

//Sergio Albea 12-01-2026 TIFCE https://zenodo.org/records/18208974
//TI Feeds Repositories
let MispHashes = externaldata(HashValue: string)['https://bazaar.abuse.ch/export/txt/sha256/recent/'] with (format = 'csv', ignoreFirstRecord = true)
| where HashValue !startswith '#'
| project TIFeed = 'bazaar.abuse.ch', IOC = HashValue, Reference = 'https://bazaar.abuse.ch/export/txt/sha256/recent/';
let botvrij = externaldata(HashValue: string)['https://www.botvrij.eu/data/ioclist.sha256'] with (format = 'csv', ignoreFirstRecord = true)
| where HashValue !startswith '#'
| extend Parts = split(HashValue, " ")
| extend SHA256 = tostring(Parts[0])
| project TIFeed = 'botvrij', IOC = SHA256, Reference = 'https://www.botvrij.eu/data/ioclist.sha256';
let FH_TweetFeedYear = externaldata(DateUTC: datetime, SourceUser: string, Type: string, Value: string, Tags: string, Tweet: string)['https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv'] with (format='csv')
| where Type has 'sha256'
| project TIFe...

malicious-activity endpoint-security Kill Chain Phase: delivery TA0001 T1566.001
This YARA rule detects the ModeloRAT Python RAT, reportedly used by the KongTuke threat actor. The detection logic is based on the presence of three specific strings within a file. These strings include a unique cryptographic class name, 'UnnecessarilyProlongedCryptographicMechanismImplementationClass', and two function names, '_enumerate_executing_processes' and '_enumerate_network_connections', which indicate discovery capabilities.
Relevant MITRE ATT&CK tactics: TA0007, TA0011
Relevant MITRE ATT&CK techniques: T1057, T1049

rule ModeloRAT {
    meta:
        author = "RussianPanda"
        description = "Detects ModeloRAT Python RAT used by KongTuke"
        date = "01/16/2026"
        hash = "c15f44d6abb3a2a882ffdc9b90f7bb5d1a233c0aa183eb765aa8bfba5832c8c6"
        reference = "KongTuke CrashFix Campaign"
    strings:
        $s1 = "UnnecessarilyProlongedCryptographicMechanismImplementationClass"
        $s2 = "_enumerate_executing_processes"
        $s3 = "_enumerate_network_connections"
    condition:
        all of them
}

malicious-activity endpoint-security TA0007 TA0011 T1057 T1049
This YARA rule detects MintsLoader scripts by identifying a combination of characteristic strings. The logic targets scripts containing patterns such as the PowerShell command fragment 'Get-Date).DayOfYear', a common C2 URI structure ending in '.php?id=$', the use of '.top' top-level domains, and the '$global' variable string. A match is triggered if at least three of these four indicators are present, indicating the likely presence of the MintsLoader malware.
Relevant MITRE ATT&CK tactics: TA0002, TA0011
Relevant MITRE ATT&CK techniques: T1059.001, T1071.001, T1105

rule MintsLoader {
    meta:
        author = "RussianPanda"
        description = "Detects MintsLoader scripts"
        date = "01/16/2026"
    strings:
        $s1 = "Get-Date).DayOfYear" ascii wide nocase
        $s2 = ".php?id=$" ascii wide nocase
        $s3 = ".top" ascii wide
        $s4 = "$global" ascii wide
    condition:
        3 of them
}

malicious-activity endpoint-security TA0002 TA0011 T1059.001 T1071.001 T1105
This rule detects inbound email messages containing exactly one link to the 'breely.com' URL shortening service. The detection specifically triggers when the link's display text contains '.pdf', indicating an attempt to disguise a potentially malicious redirect as a PDF document to entice a user to click.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566.002

name: "Link: Breely link masquerading as PDF"
description: "Detects messages containing a single Breely link that displays as a PDF file. Typically, redirects to a different destination for malicious purposes."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(filter(body.links, .href_url.domain.root_domain == "breely.com")) == 1
  and any(body.links,
          .href_url.domain.root_domain == "breely.com"
          and strings.icontains(.display_text, ".pdf")
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "4a498c21-2f8a-5b54-84f5-c3c4ad3ee8e9"

malicious-activity credential-access TA0001 T1566.002 MIT License
Detects inbound emails impersonating the Xodo Sign service. The rule triggers on messages containing the string 'processed by xodo sign' in the body, excluding only messages that both come from the legitimate 'eversign.com' root domain and pass DMARC authentication, to identify credential phishing attempts.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566

name: "Brand impersonation: Xodo Sign"
description: "Detects messages impersonating Xodo Sign with 'Processed by Xodo Sign' text from unauthorized senders that fail DMARC authentication."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and strings.icontains(body.current_thread.text, "processed by xodo sign")
  and not (
    sender.email.domain.root_domain == "eversign.com"
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "e6139052-6ec8-5d3c-91e1-13ab1ae2d536"

malicious-activity credential-access TA0001 T1566 MIT License
This rule detects callback scam language in inbound emails originating from the legitimate GetAccept service infrastructure. It leverages a Natural Language Understanding (NLU) classifier to identify intents associated with callback scams within the email body, flagging potential abuse of the GetAccept platform for fraudulent activities.
Relevant MITRE ATT&CK tactics: TA0001
Relevant MITRE ATT&CK techniques: T1566, T1566.003

name: "Service abuse: GetAccept callback scam content"
description: "Detects callback scam language in messages sent through legitimate GetAccept infrastructure, indicating potential abuse of the service for fraudulent solicitation."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Legitimate GetAccept sending infrastructure
  and sender.email.domain.root_domain == 'getaccept.com'
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "7ec2f70b-06e5-51bb-9ceb-a17cbe1e7ad5"

This query detects suspicious sign-in activity from a user who has recently clicked on a phishing link. It correlates email click events with sign-in logs, identifying sign-ins from new or infrequent IP addresses after a user has interacted with a suspicious email. The rule uses configurable parameters for sender email addresses, sender domains, and subject keywords to identify phishing emails.
Relevant MITRE ATT&CK tactics: TA0001, TA0006
Relevant MITRE ATT&CK techniques: T1566, T1078

// Parameter
let CampaignStartUtc = datetime(2026-01-13T00:00:00Z);
let LookbackHistory = 29d;
let HistoryStart = CampaignStartUtc - LookbackHistory;
// Filter options - populate these as needed
let SenderEmailAddresses = dynamic([]); // e.g., ["[email protected]", "[email protected]"]
let SenderDomains = dynamic([]); // e.g., ["evil.com", "badactor.net"]
let SubjectKeywords = dynamic([
    "bring me some beers",
    "craft beer please",
    "i prefer a juicy New England IPA ;-)"
]);
// Use and Logic for SenderEmailAddresses, SenderDomains and SubjectKeywords
let UseAndLogic = false; // true = ALL criteria must match, false = AT LEAST ONE must match
let ExcludedApps = dynamic(["TestAppTEST1", "TestAppTEST2"]);
// Affected Users
let PhishClicks = materialize(
    EmailEvents
    | where TimeGenerated >= CampaignStartUtc
    | extend
        // We check if a filter is active (not empty)
        EmailFilterActive = array_length(SenderEmailAddresses) > 0,
        Domai...

credential-access initial-access malicious-activity TA0001 TA0006 T1566 T1078