Description:
The feed offers a continuous stream of newly published detection rules, sourced from over 40 public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Use cases:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
Rules:
anvilogic: 72, elastic-edr: 136, elastic-siem: 164, fibratus: 12, kql: 97, osquery: 6, sentinel: 1, sigma: 129, splunk: 204, sublime: 3, sublime-security: 117, yara: 54
Entities:
Identity: 52 Indicator: 995
MISP feed:
STIX/TAXII feed:
Content preview:

Latest 10 entities:
This rule detects brand impersonation of Fastway Couriers, a delivery services company. It triggers on inbound emails where the sender's display name contains 'fastway' or is a close Levenshtein distance match to 'fastway couriers'. To reduce false positives, the rule excludes emails from legitimate Fastway root domains, ignores messages from high-trust domains that pass DMARC, and filters out senders previously associated with benign or solicited correspondence. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1598
name: "Brand impersonation: Fastway"
description: |
  Impersonation of Fastway Couriers, a delivery services company in Ireland and South Africa.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*fastway*')
    or strings.ilevenshtein(sender.display_name, 'fastway couriers') <= 1
  )
  and sender.email.domain.root_domain not in~ ('fastway.co.za', 'fastway.com.au', 'fastway.ie')

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // and no false positives and not solicited
  and (
    not profile.by_sender().any_messages_benign
    and not profile.by_sender().solicited
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike dom...
credential-access malicious-activity TA0001 T1566 T1598 MIT License
This KQL query hunts for potentially malicious network activity originating from airport locations. It monitors `DeviceNetworkEvents` for HTTP/HTTPS connections (port 80 or 443, or URLs ending in `.png`, `.html`, `.htm`) initiated by `powershell.exe`, `curl.exe`, or `wget.exe`. The core detection logic geolocates the device's IP address and joins the resulting latitude/longitude against a list of airport bounding boxes, to surface behaviour that could indicate a user connected to a spoofed airport Wi-Fi hotspot or fell victim to a click-fix attack. Two caveats when adapting it: `geo_info_from_ip_address` only resolves public addresses, so a `LocalIP` from a private range yields no coordinates, and `Invoke-WebRequest` is a cmdlet rather than a process image name, so that term in the `InitiatingProcessFileName` filter never matches. Relevant MITRE ATT&CK tactics: TA0001, TA0002 Relevant MITRE ATT&CK techniques: T1557, T1204, T1059.001
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)
    [@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"]
    with (format="csv", ignoreFirstRecord=True);
DeviceNetworkEvents
| where InitiatingProcessFileName has_any("powershell.exe", "curl.exe", "wget.exe", "Invoke-WebRequest")
| where RemoteUrl has_any(".png", ".html", ".htm") or RemotePort == 443 or RemotePort == 80
| extend geo = geo_info_from_ip_address(LocalIP)
| extend Country = tostring(geo.country), Latitude = tostring(geo.latitude), Longitude = tostring(geo.longitude)
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
| where Latitude0 < minLatitude and Latitude0 < maxLatitude...
network-security malicious-activity execution TA0001 TA0002 T1557 T1204 T1059.001
This rule identifies PowerShell scripts that utilize the 'Set-MpPreference' cmdlet with specific parameters to disable or modify Windows Defender security features. Such actions are a common defense evasion technique used by attackers to weaken endpoint protection before executing malicious payloads, thereby avoiding detection. Relevant MITRE ATT&CK tactics: TA0005, TA0002 Relevant MITRE ATT&CK techniques: T1562, T1562.001, T1059, T1059.001
[metadata]
creation_date = "2024/09/11"
integration = ["windows"]
maturity = "production"
updated_date = "2025/09/03"

[rule]
author = ["Elastic"]
description = """
Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender
features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Windows Defender Tampering Capabilities"
risk_score = 21
rule_id = "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6"
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```

Steps to implement the logging policy via registry:
...
defense-evasion endpoint-security execution TA0005 TA0002 T1562 T1562.001 T1059 T1059.001 Elastic License 2.0
Detects impersonation of Squarespace by analyzing sender display names. The rule triggers when a display name contains 'squarespace' or is within Levenshtein distance 1 of it (the rule's `< 2`), and the sender's root domain is neither one of the organization's own domains nor a legitimate Squarespace or Shipstation domain that passes DMARC. It also excludes highly trusted domains that pass DMARC; because the DMARC result is coalesced to false, a missing authentication result does not exempt a sender. Relevant MITRE ATT&CK tactics: TA0001, TA0005 Relevant MITRE ATT&CK techniques: T1566, T1036
name: "Brand impersonation: Squarespace"
description: "Detects impersonation of Squarespace through sender display name or subject line similarity, where the sender is not from legitimate Squarespace domains or fails authentication checks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.icontains(sender.display_name, "squarespace")
    or strings.ilevenshtein(sender.display_name, "squarespace") < 2
  )

  // and the sender is not in org_domains or from Squarespace domains and passes auth
  and not (
    sender.email.domain.root_domain in $org_domains
    or (
      sender.email.domain.root_domain in (
        "squarespace.com",
        "squarespace.info",
        "shipstation.com"
      )
      and headers.auth_summary.dmarc.pass
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and not (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and coalesce(headers.auth_summary.dmarc.pass, false)
  ...
malicious-activity credential-access defense-evasion TA0001 TA0005 T1566 T1036 MIT License
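The display-name matching and DMARC-aware exemptions that the Fastway and Squarespace rules above share, as an added example that is not the feed's content and not Sublime Security's rule engine: a plain-Python re-implementation run over constructed sample messages. Both rules' thresholds (`<= 1` and `< 2`) are the same bound, so one distance check serves both. One deliberate generalization: the Fastway rule exempts its legitimate domains unconditionally, whereas this code follows the stricter Squarespace form and exempts a brand or high-trust domain only when DMARC actually passes (with a missing result coalesced to false). `HIGH_TRUST_ROOT_DOMAINS` is an assumed stand-in for the platform's `$high_trust_sender_root_domains` list.

```python
# Added example (not the feed's own code and not Sublime Security's rule
# engine): a plain-Python re-implementation of the display-name brand
# impersonation logic shown in the Fastway and Squarespace rules, run over
# constructed sample messages.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); callers lowercase inputs first."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    display_name: str
    root_domain: str                   # registrable domain of the sender address
    dmarc_pass: Optional[bool]         # None models an absent DMARC result
    any_messages_benign: bool = False  # profile.by_sender().any_messages_benign
    solicited: bool = False            # profile.by_sender().solicited


# Per-brand literals taken from the two rules.
BRANDS = {
    "fastway": {"glob": "*fastway*", "target": "fastway couriers", "max_dist": 1,
                "legit": {"fastway.co.za", "fastway.com.au", "fastway.ie"}},
    "squarespace": {"glob": "*squarespace*", "target": "squarespace", "max_dist": 1,
                    "legit": {"squarespace.com", "squarespace.info", "shipstation.com"}},
}
# Assumed stand-in for the platform's $high_trust_sender_root_domains list.
HIGH_TRUST_ROOT_DOMAINS = {"google.com", "microsoft.com"}


def impersonates(msg: Message, brand: str) -> bool:
    cfg = BRANDS[brand]
    name = msg.display_name.lower()
    lookalike = (fnmatchcase(name, cfg["glob"])
                 or levenshtein(name, cfg["target"]) <= cfg["max_dist"])
    if not lookalike:
        return False
    # coalesce(dmarc.pass, false): a missing result counts as a failure, so a
    # spoofed From: on a legitimate or high-trust domain still fires.
    dmarc = bool(msg.dmarc_pass)
    if msg.root_domain in cfg["legit"] and dmarc:
        return False
    if msg.root_domain in HIGH_TRUST_ROOT_DOMAINS and dmarc:
        return False
    # Sender-profile suppressions: known-benign or solicited correspondents.
    if msg.any_messages_benign or msg.solicited:
        return False
    return True


def run_samples() -> dict:
    """Constructed messages (no real mail) covering each branch of the logic."""
    samples = {
        "fastway_lookalike_domain": (Message("Fastway Couriers", "fastway-parcel.xyz", True), "fastway"),
        "fastway_legit_dmarc_pass": (Message("Fastway Courier", "fastway.ie", True), "fastway"),
        "fastway_legit_no_dmarc":   (Message("Fastway Couriers", "fastway.ie", None), "fastway"),
        "fastway_solicited":        (Message("Fastway Couriers", "fastway-parcel.xyz", True, solicited=True), "fastway"),
        "squarespace_typo":         (Message("Sqarespace", "sqsp-billing.example", True), "squarespace"),
        "squarespace_high_trust":   (Message("Squarespace", "google.com", True), "squarespace"),
        "unrelated_name":           (Message("Accounts Payable", "fastway-parcel.xyz", True), "fastway"),
    }
    return {label: impersonates(m, brand) for label, (m, brand) in samples.items()}
```

The `fastway_legit_no_dmarc` case is where the two rule styles diverge: a From: header forged onto `fastway.ie` with no DMARC pass is flagged here, while the Fastway rule's unconditional `not in~` would let it through.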
This YARA rule detects the VIPKeyLogger malware payload. The detection logic identifies files that begin with the MZ header (a standard for Windows executables) and contain specific wide strings such as "/ VIP Recovery \\", "Clipboard Logs ID", and "Keylogger". The presence of all these strings within a PE file is indicative of the VIPKeyLogger. Relevant MITRE ATT&CK tactics: TA0009, TA0006 Relevant MITRE ATT&CK techniques: T1056.001, T1056.002
rule VIPKeyLogger
{
    meta:
        author = "kevoreilly"
        description = "Detects VIPKeyLogger Keylogger"
        cape_type = "VIPKeyLogger Payload"
        packed = "edaba79c3d43a416a86003f336d879ed3a513aa24dd401340584615647ed6da2"
    strings:
        $s1 = "/ VIP Recovery \\" wide
        $s2 = "Clipboard Logs ID" wide
        $s3 = "Keylogger" wide
    condition:
        uint16(0) == 0x5a4d and all of them
}
malicious-activity endpoint-security TA0009 TA0006 T1056.001 T1056.002 GNU General Public License v3.0
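What the rule's `wide` modifier and `uint16(0) == 0x5a4d` check actually test, as an added example that is not the feed's content and not YARA itself: a minimal Python matcher for the three strings and the MZ condition, evaluated against constructed byte blobs (not real malware). The point it makes is that `wide` alone matches only the UTF-16LE form, so an ASCII-only copy of the same text does not satisfy the rule.

```python
# Added example (not the feed's code and not YARA itself): a minimal matcher
# for the VIPKeyLogger rule above, showing what the "wide" modifier and the
# uint16(0) == 0x5a4d check actually test. The sample blobs are constructed
# here and are not real malware.
import struct

# (text, modifiers) for each string in the rule. A YARA string with no
# modifier matches ASCII; "wide" alone matches only UTF-16LE.
RULE_STRINGS = {
    "$s1": ("/ VIP Recovery \\", {"wide"}),
    "$s2": ("Clipboard Logs ID", {"wide"}),
    "$s3": ("Keylogger", {"wide"}),
}


def encoded_forms(text: str, modifiers: set) -> list:
    forms = []
    if "ascii" in modifiers or "wide" not in modifiers:
        forms.append(text.encode("ascii"))
    if "wide" in modifiers:
        forms.append(text.encode("utf-16-le"))
    return forms


def string_hits(data: bytes, strings: dict) -> dict:
    """Which rule strings occur anywhere in data, in any of their encodings."""
    return {name: any(form in data for form in encoded_forms(text, mods))
            for name, (text, mods) in strings.items()}


def vipkeylogger_condition(data: bytes) -> bool:
    """uint16(0) == 0x5a4d and all of them."""
    if len(data) < 2:
        return False
    is_mz = struct.unpack_from("<H", data, 0)[0] == 0x5A4D   # little-endian "MZ"
    return is_mz and all(string_hits(data, RULE_STRINGS).values())


def build_sample(wide: bool = True, mz: bool = True) -> bytes:
    """Constructed stand-in for a PE: an MZ (or bogus) header, filler, strings."""
    header = b"MZ" if mz else b"ZM"
    codec = "utf-16-le" if wide else "ascii"
    body = b"\x00" * 0x3E
    for text, _ in RULE_STRINGS.values():
        body += text.encode(codec) + b"\x00\x00"
    return header + body
```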
This KQL query detects the addition of a custom security attribute definition within an attribute set in Microsoft Entra ID. The detection queries the `AADCustomSecurityAttributeAuditLogs` for the specific `OperationName`. Monitoring this activity is important as custom security attributes can be used to manage authorization and access control, and their modification could indicate privilege escalation or persistence attempts. Relevant MITRE ATT&CK tactics: TA0004, TA0003 Relevant MITRE ATT&CK techniques: T1098
AADCustomSecurityAttributeAuditLogs
| where OperationName == "Add custom security attribute definition in an attribute set"
// The Custom Security Attribute diagnostic log must be enabled. This can only be done by the Attribute Log Administrator role (Global Administrator is NOT able to perform this)
privilege-escalation persistence TA0004 TA0003 T1098 MIT License
This KQL query detects suspicious Multi-Factor Authentication (MFA) registration activity by identifying users who register or modify their security information from an IP address not seen in their sign-in history over the past 30 days. The query correlates recent MFA-related audit logs with historical sign-in data from Azure AD. It specifically filters out activity from new user accounts (created within the last 60 days) and from IP addresses belonging to a predefined internal range to reduce false positives. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1556
// Analyze historical login data, calculating the number of unique days an IP address has been seen per user.
let OwnIPRangeStart = "xx.xx";
let IpHistory = AADSignInEventsBeta
    | where ErrorCode == 0
    | where Timestamp >= ago(30d)
    | summarize DaysSeen = dcount(startofday(Timestamp)) by AccountUpn, IPAddress;
// Get recent MFA-related events from the last 24 hours.
let RecentMfaEvents = AuditLogs
    | where TimeGenerated between (ago(1d) .. now())
    | where OperationName in (
        "User registered security info",
        "Register security info",
        "Add phone authentication method",
        "StrongAuthenticationMethodChanged"
    )
    | extend InitiatedByJson = parse_json(InitiatedBy)
    | extend ActorIp = tostring(InitiatedByJson.user.ipAddress), Actor = tostring(InitiatedByJson.user.userPrincipalName)
    | where ActorIp !startswith (OwnIPRangeStart) and isnotempty(ActorIp)
    | where AADOperationType != "ServiceApi"
    // use the following line only if Email is not allowed as a 2nd factor
    | where ResultDescription != "User...
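The correlation at the heart of this query (MFA security-info changes from an IP with no recent successful sign-in history for that user), as an added example that is not the feed's content and not a KQL engine: the same logic in plain Python over constructed sign-in and audit records. `OWN_IP_PREFIX` stands in for the query's `xx.xx` placeholder, and `ACCOUNT_CREATED` models the 60-day new-account exclusion that the description mentions but the truncated query does not show.

```python
# Added example (not the feed's code and not a KQL engine): the core of the
# MFA-registration query above in plain Python, run over constructed sign-in
# and audit records. OWN_IP_PREFIX stands in for the query's "xx.xx"
# placeholder; ACCOUNT_CREATED models the new-account (60 day) exclusion.
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2025, 9, 10, 12, 0, 0)          # constructed reference time
OWN_IP_PREFIX = "10.20."                        # assumed internal range prefix
MFA_OPERATIONS = {
    "User registered security info", "Register security info",
    "Add phone authentication method", "StrongAuthenticationMethodChanged",
}

# AADSignInEventsBeta stand-in: (AccountUpn, IPAddress, Timestamp, ErrorCode)
SIGNINS = [
    ("alice@example.com", "203.0.113.10", NOW - timedelta(days=3), 0),
    ("alice@example.com", "203.0.113.10", NOW - timedelta(days=12), 0),
    ("alice@example.com", "198.51.100.7", NOW - timedelta(days=45), 0),     # outside 30d window
    ("bob@example.com",   "203.0.113.55", NOW - timedelta(days=1), 0),
    ("bob@example.com",   "198.51.100.9", NOW - timedelta(days=2), 50126),  # failed sign-in, ignored
]
# AuditLogs stand-in: (TimeGenerated, OperationName, AADOperationType, actor UPN, actor IP)
AUDIT = [
    (NOW - timedelta(hours=2), "User registered security info",     "Update",     "alice@example.com", "203.0.113.10"),  # known IP
    (NOW - timedelta(hours=1), "Add phone authentication method",   "Update",     "alice@example.com", "198.51.100.7"),  # last seen 45d ago
    (NOW - timedelta(hours=3), "StrongAuthenticationMethodChanged", "Update",     "bob@example.com",   "198.51.100.9"),  # only failed sign-ins
    (NOW - timedelta(hours=4), "Register security info",            "Update",     "carol@example.com", "192.0.2.4"),     # account is 10 days old
    (NOW - timedelta(hours=5), "User registered security info",     "ServiceApi", "bob@example.com",   "192.0.2.99"),    # service call
    (NOW - timedelta(hours=6), "User registered security info",     "Update",     "bob@example.com",   "10.20.5.5"),     # internal range
    (NOW - timedelta(days=2),  "User registered security info",     "Update",     "bob@example.com",   "192.0.2.77"),    # older than 1d
]
ACCOUNT_CREATED = {
    "alice@example.com": NOW - timedelta(days=400),
    "bob@example.com":   NOW - timedelta(days=200),
    "carol@example.com": NOW - timedelta(days=10),
}


def ip_history(signins, now=NOW, window=timedelta(days=30)) -> dict:
    """(upn, ip) -> number of distinct days with a successful sign-in in the window."""
    days = defaultdict(set)
    for upn, ip, ts, error_code in signins:
        if error_code == 0 and ts >= now - window:
            days[(upn, ip)].add(ts.date())
    return {key: len(seen) for key, seen in days.items()}


def suspicious_mfa_registrations(audit, history, created, now=NOW) -> list:
    """MFA security-info changes from an IP the actor has no recent sign-in history with."""
    hits = []
    for ts, op, op_type, actor, ip in audit:
        if not (now - timedelta(days=1) <= ts <= now):
            continue
        if op not in MFA_OPERATIONS or op_type == "ServiceApi":
            continue
        if not ip or ip.startswith(OWN_IP_PREFIX):
            continue
        # Newly created accounts register MFA legitimately from anywhere;
        # an account with no creation record is treated as old (still checked).
        if created.get(actor, datetime.min) >= now - timedelta(days=60):
            continue
        if (actor, ip) in history:
            continue
        hits.append((actor, ip, op))
    return hits
```

Note that only successful sign-ins (`ErrorCode == 0`) build the baseline, so an IP that appears solely in failed attempts (bob's `198.51.100.9`) still counts as unseen, which is the behaviour you want for a password-spray-then-register-MFA pattern.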
This YARA rule detects the GodRAT malware on Windows systems. The detection logic is based on three conditions: the presence of the string "C++/WinRT version" combined with a specific import hash; a pattern matching a generic SSE-optimized XOR decryption routine that uses specific NT API names like NtCreateSection; or a distinct import hash associated with an AES-encrypted variant of the malware. Relevant MITRE ATT&CK tactics: TA0005, TA0002 Relevant MITRE ATT&CK techniques: T1027, T1055, T1219
rule MAL_CRIME_RAT_WIN_PE_GodRat_Aug25: GodRAT
{
    meta:
        description = "Detects GodRAT malware targeting Windows systems"
        author = "Arda Buyukkaya"
        date = "2025-08-23"
        family = "GodRAT"
        reference = "https://securelist.com/godrat/117119/"
        tags = "RAT, Windows, GodRAT, Gh0st RAT, GETGOD"
        victims = "Financial services"
        sha256 = "154e800ed1719dbdcb188c00d5822444717c2a89017f2d12b8511eeeda0c2f41"
    strings:
        // WinRT version string
        $winrt_txt = "C++/WinRT version" ascii wide nocase
        // API function names blob
        $api_blob = {
            4E 74 43 72 65 61 74 65 53 65 63 74 69 6F 6E 00                          // NtCreateSection
            4E 74 4D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 00              // NtMapViewOfSection
            4E 74 55 6E 6D 61 70 56 69 65 77 4F 66 53 65 63 74 69 6F 6E 00 00 00 00  // NtUnmapViewOfSection
        }
        // Generic XOR decryption routine pattern using SSE instructions
        // Comm...
malicious-activity endpoint-security TA0005 TA0002 T1027 T1055 T1219 Detection Rule License (DRL) 1.1
This KQL query collects Windows Defender Application Control (WDAC) events from Microsoft Defender for Endpoint. It filters the 'DeviceEvents' table for actions related to code integrity, blocked scripts, and audited scripts, providing visibility into application control policy enforcement and potential violations. Relevant MITRE ATT&CK tactics: TA0005, TA0002 Relevant MITRE ATT&CK techniques: T1059, T1204
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"
// See https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Use-Microsoft-Defender-for-Endpoint-Advanced-Hunting-With-WDAC-App-Control#collecting-the-data-from-mde-advanced-hunting
endpoint-security compliance TA0005 TA0002 T1059 T1204 MIT License
This rule detects post-exploitation activity on macOS systems. It identifies processes spawned by an SSH service (`ssh`, `sshd`, or `sshd-session`) that are either a common interpreter or download tool (`osascript`, `curl`, `nscurl`, `wget`, `perl`, `node`) or an unsigned/untrusted binary, excluding Homebrew-installed executables and `ssh-sk-helper`. The detection fires if such a process execution is followed by an outbound network connection from the same process within 15 seconds, indicating potential data exfiltration or command and control communication. Relevant MITRE ATT&CK tactics: TA0002, TA0011 Relevant MITRE ATT&CK techniques: T1059, T1059.004, T1021.004, T1105
[rule]
description = """
Detects SSH sessions executing suspicious binaries followed by outbound network connections. This pattern indicates
potential post-exploitation activity via compromised SSH access.
"""
id = "050a7053-a119-43fc-ad14-9a0c4944a9b8"
license = "Elastic License v2"
name = "Suspicious Binary Execution via SSH"
os_list = ["macos"]
version = "1.0.6"

query = '''
sequence by process.entity_id with maxspan=15s
  [process where event.type == "start" and event.action == "exec" and
   process.parent.name in ("ssh", "sshd", "sshd-session") and
   (process.name like~ ("osascript", "curl", "nscurl", "wget", "perl", "node") or
    (process.code_signature.exists == false or process.code_signature.trusted == false)) and
   not process.executable like~ ("/opt/homebrew/Cellar/*", "/usr/local/Cellar/*", "/Users/*/homebrew/Cellar/*", "/usr/local/libexec/ssh-sk-helper")]
  [network where event.type == "start" and
   not cidrmatch(destination.ip, "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/...
execution command-and-control endpoint-security TA0002 TA0011 T1059 T1059.004 T1021.004 T1105 Elastic License 2.0
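How a `sequence by ... with maxspan` rule like the one above actually joins its two stages, as an added example that is not the feed's content and not Elastic's EQL engine: a small two-stage correlator in Python that applies the visible first-stage filter (SSH parent, suspicious name or untrusted signature, executable exclusions), the second-stage destination exclusion, and the 15-second window keyed on `entity_id`, over constructed events. The rule's `cidrmatch` list is truncated on the page, so only the two complete entries shown (`240.0.0.0/4`, `233.252.0.0/24`) are used here; the event field names are this example's own simplification.

```python
# Added example (not the feed's code and not Elastic's EQL engine): a small
# two-stage sequence correlator reproducing the visible logic of the macOS
# rule above. Events are constructed; the destination exclusion list uses
# only the two complete entries the page shows.
import ipaddress
from datetime import datetime, timedelta
from fnmatch import fnmatch

MAXSPAN = timedelta(seconds=15)
SSH_PARENTS = {"ssh", "sshd", "sshd-session"}
SUSPICIOUS_NAMES = ("osascript", "curl", "nscurl", "wget", "perl", "node")
EXCLUDED_EXECUTABLES = ("/opt/homebrew/Cellar/*", "/usr/local/Cellar/*",
                        "/Users/*/homebrew/Cellar/*", "/usr/local/libexec/ssh-sk-helper")
EXCLUDED_DEST = [ipaddress.ip_network(c) for c in ("240.0.0.0/4", "233.252.0.0/24")]

T0 = datetime(2025, 9, 10, 8, 0, 0)   # constructed reference time


def ev(category, entity_id, secs, **fields):
    return {"category": category, "entity_id": entity_id,
            "ts": T0 + timedelta(seconds=secs), **fields}


# Constructed sample events; only the fields the two filters read are modelled.
EVENTS = [
    ev("process", "p1", 0, type="start", action="exec", parent_name="sshd", name="curl",
       executable="/usr/bin/curl", sig_exists=True, sig_trusted=True),
    ev("network", "p1", 3, type="start", dest_ip="203.0.113.5"),                    # hit
    ev("process", "p2", 0, type="start", action="exec", parent_name="sshd-session", name="agent",
       executable="/tmp/.x/agent", sig_exists=False, sig_trusted=False),
    ev("network", "p2", 40, type="start", dest_ip="198.51.100.20"),                 # past maxspan
    ev("process", "p3", 0, type="start", action="exec", parent_name="sshd", name="git",
       executable="/opt/homebrew/Cellar/git/2.45.0/bin/git", sig_exists=False, sig_trusted=False),
    ev("network", "p3", 2, type="start", dest_ip="203.0.113.9"),                    # Homebrew exclusion
    ev("process", "p4", 0, type="start", action="exec", parent_name="bash", name="curl",
       executable="/usr/bin/curl", sig_exists=True, sig_trusted=True),
    ev("network", "p4", 1, type="start", dest_ip="203.0.113.7"),                    # not an SSH child
    ev("process", "p5", 0, type="start", action="exec", parent_name="sshd", name="osascript",
       executable="/usr/bin/osascript", sig_exists=True, sig_trusted=True),
    ev("network", "p5", 1, type="start", dest_ip="240.1.2.3"),                      # excluded destination
]


def first_stage(e) -> bool:
    if e["category"] != "process" or e["type"] != "start" or e["action"] != "exec":
        return False
    if e["parent_name"] not in SSH_PARENTS:
        return False
    name_hit = any(fnmatch(e["name"].lower(), p) for p in SUSPICIOUS_NAMES)   # like~ is case-insensitive
    sig_hit = not e["sig_exists"] or not e["sig_trusted"]
    if not (name_hit or sig_hit):
        return False
    return not any(fnmatch(e["executable"], p) for p in EXCLUDED_EXECUTABLES)


def second_stage(e) -> bool:
    if e["category"] != "network" or e["type"] != "start":
        return False
    return not any(ipaddress.ip_address(e["dest_ip"]) in net for net in EXCLUDED_DEST)


def find_sequences(events) -> list:
    """(entity_id, process name, destination) for each completed sequence."""
    pending = {}   # entity_id -> first-stage event still waiting for its network event
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        eid = e["entity_id"]
        if first_stage(e):
            pending[eid] = e               # a newer first-stage event restarts the window
        elif second_stage(e) and eid in pending:
            start = pending.pop(eid)
            if e["ts"] - start["ts"] <= MAXSPAN:
                hits.append((eid, start["name"], e["dest_ip"]))
    return hits
```

The `p2` case is the one worth noticing when tuning `maxspan`: an untrusted binary dropped via SSH that waits 40 seconds before beaconing is outside the 15-second window and produces no alert, which is the trade-off the rule makes against noise from long-lived interactive sessions.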