Description:
The feed offers a continuous stream of newly published detection rules, sourced from over 40 public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Use cases:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
Rules:
anvilogic: 62elastic-edr: 85elastic-siem: 131fibratus: 12kql: 77osquery: 6sigma: 107splunk: 177sublime: 1sublime-security: 80yara: 40
Entities:
Identity: 46 Indicator: 778
MISP feed:
STIX/TAXII feed:
Content preview:
Latest 10 entities:
STIX2 bundle ↗This rule detects attempts to modify or delete critical Windows forensic artifacts, specifically the Amcache.hve file and the SYSTEM hive. The Amcache.hve file logs program execution details, while the SYSTEM hive contains the Shimcache, which tracks historical program activity. The query monitors for file events targeting `Amcache.hve` or the `SYSTEM` file within `C:\Windows\System32\config\`, as attackers may tamper with these files to erase evidence of their presence and actions on a compromised system. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1070, T1070.004
DeviceFileEvents | where (FileName contains "SYSTEM" and FolderPath contains "C:\\Windows\\System32\\config\\") or (FileName has "Amcache.hve") | project Timestamp, DeviceName,DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportIdDetects the creation of files with potentially malicious extensions (e.g., .cpl, .hta, .iso, .rdp, .svg, .vbs) in specific temporary directories associated with Microsoft Outlook. This activity is a strong indicator of a user opening a malicious attachment from a spear-phishing email, as Outlook saves attachments to these locations before they are handled by other applications. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566.001
title: Suspicious File Created in Outlook Temporary Directory id: fabb0e80-030c-4e3e-a104-d09676991ac3 related: - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f type: obsolete status: experimental description: | Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code. references: - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/ - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/ - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/ author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-07-22 tags: - attack.initial-access - attack.t1566.001 logsource: product: ...malicious-activity initial-access endpoint-security TA0001 T1566.001 Detection Rule License (DRL) 1.1
This rule detects suspicious file creation events within specific SharePoint `TEMPLATE/LAYOUTS` directories. It identifies when processes like `cmd.exe`, `powershell.exe`, or the IIS worker process (`w3wp.exe`) write files with extensions commonly associated with web shells (e.g., .aspx, .ashx, .php). This activity is indicative of post-exploitation behavior, specifically the placement of a web shell for persistence, following the successful exploitation of vulnerabilities like CVE-2025-49704, CVE-2025-49706, or CVE-2025-53770. Relevant MITRE ATT&CK tactics: TA0001, TA0003 Relevant MITRE ATT&CK techniques: T1190, T1505.003
title: Suspicious File Write to SharePoint Layouts Directory id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c status: experimental description: | Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770. references: - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/ - https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/ author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-07-24 tags: - attack.initial-access - attack.t1190 - attack.persistence - attack.t1505.003 logsource: product: windows category: file_event detection: selection: Image|endswith: - '\cmd.exe' - '\powershell_i...malicious-activity persistence initial-access endpoint-security TA0001 TA0003 T1190 T1505.003 CVE-2025-49704 CVE-2025-49706 CVE-2025-53770 Detection Rule License (DRL) 1.1
This YARA rule detects a webshell designed to extract the MachineKey configuration from a Microsoft SharePoint server. The detection logic searches for files containing specific .NET class names like `HttpContext` and `MachineKeySection` which are used to access configuration data. It also triggers on known malicious .NET GUIDs used by this tool or a combination of system reconnaissance strings, making it effective at identifying this specific threat. Relevant MITRE ATT&CK tactics: TA0003, TA0009 Relevant MITRE ATT&CK techniques: T1505.003, T1552.001, T1005
import "dotnet" rule Extract_MachineKey_SharePoint { meta: id = "5rgC2cpznLmamBSQ9etlFh" fingerprint = "v1_sha256_267976231782f0458c369172e8d922508daf670089ef3c91ad2570fe3600d6c4" version = "1.0" date = "2025-07-25" modified = "2025-07-25" status = "RELEASED" sharing = "TLP:WHITE" source = "BARTBLAZE" author = "@bartblaze" description = "Identifies webshell that extracts SharePoint's MachineKey configuration." category = "TOOL" tool = "WEBSHELL" reference = "https://x.com/Gi7w0rm/status/1948027800591466773" hash = "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997" strings: $xml = "<?xml" nocase $httpcontext = "HttpContext" fullword $validation = "MachineKeyValidation" $mks_a = "MachineKeySection" $mks_b = "System.Web.Configuration.MachineKeySection" $str_a = "-------------------- .NET Properties ----...malicious-activity endpoint-security collection TA0003 TA0009 T1505.003 T1552.001 T1005 MIT License
This rule detects inbound, unsolicited emails from the `signfree.io` domain that have characteristics of callback phishing. The logic requires the email body or an embedded image (analyzed via OCR) to contain at least one well-known brand name (such as PayPal, McAfee, or Norton), a phone number, and at least three keywords associated with financial transactions or support requests (e.g., 'purchase', 'invoice', 'refund', 'call'). This detection is specifically tailored to identify phishing attempts that abuse the legitimate SignFree e-signature service for malicious purposes. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566, T1656
name: "Callback Phishing via SignFree E-Signature Request" description: "This rule inspects messages originating from legitimate SignFree infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number." type: "rule" severity: "high" source: | type.inbound and length(attachments) == 0 and ( not beta.profile.by_reply_to().solicited or ( beta.profile.by_reply_to().any_messages_malicious_or_spam and not beta.profile.by_reply_to().any_messages_benign ) ) // Legitimate SignFree sending infratructure and sender.email.domain.root_domain == 'signfree.io' and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass) and ( // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml regex.icontains(strings.replace_confusables(body.current_thread.text), '(p...malicious-activity social-engineering TA0001 T1566 T1656 MIT License
This rule detects inbound emails promoting cryptocurrency airdrops, token claims, or wallet-related rewards, which are common tactics in spam and phishing campaigns. The detection logic identifies emails classified under the 'Financial Communications' topic but excludes newsletters. It specifically searches for keywords like 'airdrop', 'claim your allocation', and names of popular crypto platforms like 'metamask', 'binance', and 'solana', while excluding legitimate emails from verified domains such as gemini.com and binance.com that pass DMARC authentication. Relevant MITRE ATT&CK tactics: TA0001 Relevant MITRE ATT&CK techniques: T1566
name: "Spam: Cryptocurrency Airdrop/Giveaway" description: "Detects messages promoting cryptocurrency airdrops, token claims, or wallet-related rewards." type: "rule" severity: "low" source: | type.inbound and any(beta.ml_topic(body.current_thread.text).topics, .name in ("Financial Communications") ) and not any(beta.ml_topic(body.current_thread.text).topics, .name in ('Newsletters and Digests', 'News and Current Events') ) // action word and ( strings.like(body.current_thread.text, '*airdrop*') or strings.ilike(subject.base, '*airdrop*') or regex.icontains(body.current_thread.text, 'receive \$\d{2,5} worth') or regex.icontains(body.current_thread.text, 'claim your (allocation|airdrop|bonus|share|\$\d{2,5})') ) and not regex.icontains(body.current_thread.text, '\$\d{2,4} (off|cash)') and ( // crypto keyword regex.icontains(body.current_thread.text, '\bmetamask\b', '\bethereum\b',...This rule detects callback phishing emails that use an e-signature service theme. It targets inbound, attachment-free messages where the reply-to address originates from a free email provider. The detection logic uses machine learning to identify e-signature topics, scans for keywords related to brand impersonation (e.g., PayPal, Norton) and financial transactions, and requires the presence of a phone number in the email body or an embedded screenshot analyzed via OCR. Relevant MITRE ATT&CK tactics: TA0001, TA0011 Relevant MITRE ATT&CK techniques: T1566, T1204
name: "Callback Phishing Via E-Signature Service" description: "Detects messages containing e-signature topics combined with tech support keywords and phone numbers. Message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, with no attachments and reply-to addresses from free email providers." type: "rule" severity: "high" source: | type.inbound and length(attachments) == 0 and any(headers.reply_to, .email.domain.root_domain in $free_email_providers) and any(beta.ml_topic(body.current_thread.text).topics, .name == "E-Signature") and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass) and ( // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml regex.icontains(strings.replace_confusables(body.current_thread.text), '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure a...malicious-activity command-and-control Kill Chain Phase: delivery Kill Chain Phase: command-and-control TA0001 TA0011 T1566 T1204 MIT License
This rule detects the unloading of Windows Defender kernel-mode drivers, such as `WdFilter.sys` or `WdBoot.sys`, by matching specific driver image paths. This action is a strong indicator of an adversary attempting to impair or disable antivirus protections like real-time scanning or Early Launch Anti-Malware (ELAM). As legitimate unloads of these critical drivers are rare, alerts likely signify defense evasion or post-exploitation activity that requires investigation. Relevant MITRE ATT&CK tactics: TA0005 Relevant MITRE ATT&CK techniques: T1562, T1562.001
name: Windows Defender driver unloading id: c9b93fbc-8845-4f39-a74b-26862615432c version: 1.0.0 description: | Detects the unloading of Windows Defender kernel-mode drivers, such as WdFilter.sys or WdBoot.sys, which may indicate an attempt to impair or disable antivirus protections. Adversaries may unload these drivers to bypass or disable real-time scanning, file system filtering, or ELAM (Early Launch Anti-Malware) protections. Legitimate driver unloads are rare and should be investigated to rule out malicious tampering or post-exploitation activity. labels: tactic.id: TA0005 tactic.name: Defense Evasion tactic.ref: https://attack.mitre.org/tactics/TA0005/ technique.id: T1562 technique.name: Impair Defenses technique.ref: https://attack.mitre.org/techniques/T1562/ subtechnique.id: T1562.001 subtechnique.name: Disable or Modify Tools subtechnique.ref: https://attack.mitre.org/techniques/T1562/001 condition: > unload_driver and image.path imatches ('?:...defense-evasion malicious-activity endpoint-security TA0005 T1562 T1562.001 Apache License 2.0
This YARA rule identifies the StormDNS malware, a DNS shell. Detection logic is based on finding at least eight specific strings related to its operation, such as error messages and command execution templates (e.g., 'cmd.exe /c %s 2>&1'), or the presence of specific PDB file paths like 'C:\\Users\\Administrator\\Desktop\\work\\tools\\ak47c2\\dnsclinet-c\\dnsclient\\x64\\Release\\dnsclient.pdb', which indicate its development environment. Relevant MITRE ATT&CK tactics: TA0011, TA0002 Relevant MITRE ATT&CK techniques: T1071.004, T1059.003
rule StormDNS { meta: id = "75nX2TPCk53RAhU55yBeFd" fingerprint = "v1_sha256_542a8af37bd4bc18218190cd82495146a4daa5d01db24804b9ff16ff04023a5a" version = "1.0" date = "2025-07-24" modified = "2025-07-24" status = "RELEASED" sharing = "TLP:WHITE" source = "BARTBLAZE" author = "@bartblaze" description = "Identifies StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2." category = "MALWARE" malware = "STORMDNS" malware_type = "WEBSHELL" reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities" hash = "1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192" strings: $str_a = "Slept for %d seconds" $str_b = "Failed to allocate memory" $str_c = "cmd.exe /c %s 2>&1" $str_d = "Failed to execute command" $s...malicious-activity command-and-control TA0011 TA0002 T1071.004 T1059.003 MIT License
This YARA rule identifies the SharpAdidnsdump tool, which is used to dump DNS records from Active Directory. Detection logic relies on the presence of multiple .NET class names like 'DirectorySearcher' and 'IPHostEntry', specific clear text strings such as 'Running enumeration against', the tool's name 'SharpAdidnsdump', or a unique assembly GUID '8f985494-906c-485c-b3b3-0e90aa7d3ca7'. This tool is used for reconnaissance and is associated with threat actors like Storm-2603. Relevant MITRE ATT&CK tactics: TA0007 Relevant MITRE ATT&CK techniques: T1087.002, T1016
import "dotnet" rule SharpAdidnsdump { meta: id = "6rWYf0SwQzWanysjEs2F3h" fingerprint = "v1_sha256_81a0841b64b31da7c8e6f601913eaabbcf2d03868c46b6d5acf2da532964c200" version = "1.0" date = "2025-07-24" modified = "2025-07-24" status = "RELEASED" sharing = "TLP:WHITE" source = "BARTBLAZE" author = "@bartblaze" description = "Identifies SharpAdidnsdump, which allows for AD integrated DNS dumping and also abused by attackers such as Storm-2603." category = "TOOL" tool = "SHARPAPIDNSDUMP" reference = "https://github.com/b4rtik/SharpAdidnsdump" reference = "https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities" hash = "f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574" strings: $str_a = "IPAddress" $str_b = "DirectorySearcher" $str_c = "SearchResult" ...malicious-activity discovery endpoint-security TA0007 T1087.002 T1016 MIT License
