Description:
The feed offers a continuous stream of newly published detection rules, sourced from over 40 public GitHub repositories. It is designed for individual researchers, students, or security teams on a limited budget looking to track emerging detection trends and gain early visibility into new detection methods.
Application:
- Early threat awareness - observe new detection patterns that may correspond to novel attack techniques or malware variants.
- Research & learning - the feed is an excellent resource for understanding how different organizations and individuals approach threat detection.
- Idea generation - spark inspiration for developing your own custom detection rules by seeing what the industry does.
Entities:
- Identity: 39
- Indicator: 599
Rules:
- anvilogic: 58
- elastic-edr: 65
- elastic-siem: 109
- fibratus: 11
- kql: 66
- osquery: 4
- sigma: 60
- splunk: 132
- sublime-security: 63
- yara: 31
STIX/TAXII endpoints:
Content preview:

Latest 10 entities:
Rule | Source | Status | Format | Description | ATT&CK tactics | ATT&CK techniques | Tags
---|---|---|---|---|---|---|---
Suspicious Microsoft OAuth Flow via Auth Broker to DRS | elastic-siem | New rule | STIX2 | This rule detects a potential OAuth phishing attack in Microsoft Entra ID. It identifies scenarios where two successful sign-in events share the same user principal and session ID but originate from different IP addresses within a five-minute window. The detection logic specifically targets OAuth flows where the client application is the Microsoft Authentication Broker (MAB) and the resource is the Device Registration Service (DRS), a pattern highly indicative of an attacker using a stolen authorization code to gain access. | TA0001, TA0006 | T1566, T1566.002, T1528 | initial-access, credential-access, cloud-security, malicious-activity
Potential Kerberos Coercion via DNS-Based SPN Spoofing | elastic-siem | New rule | STIX2 | This rule detects the creation of a DNS record containing a specific base64-encoded pattern (`UWhRCA...BAAAA`), which corresponds to a marshaled `CREDENTIAL_TARGET_INFORMATION` structure. This activity is indicative of Kerberos coercion attacks that leverage DNS-based SPN spoofing. Adversaries use this technique to force systems to authenticate to attacker-controlled hosts, enabling reflective Kerberos relay attacks to gain privileged access, potentially as `NT AUTHORITY\SYSTEM`. | TA0006 | T1557, T1557.001, T1187 | credential-access, endpoint-security, malicious-activity
Potential Kerberos SPN Spoofing via Suspicious DNS Query | elastic-siem | New rule | STIX2 | This rule identifies DNS queries on Windows systems containing a specific Base64-encoded pattern (`*UWhRC*BAAAA*`). This pattern is indicative of a marshaled `CREDENTIAL_TARGET_INFORMATION` structure, which is a key component in Kerberos coercion attacks. Adversaries exploit this by creating malicious DNS records to spoof a Service Principal Name (SPN), tricking a victim system into authenticating to an attacker-controlled host. This technique facilitates credential theft, often through NTLM reflection. | TA0006 | T1557, T1557.001, T1187 | credential-access, malicious-activity, endpoint-security
Windows DNS Query Request To TinyUrl | splunk | New rule | STIX2 | This Splunk analytic detects DNS queries to `tinyurl.com` originating from processes running in potentially suspicious Windows directories, such as `AppData` or `Temp`. The rule leverages Sysmon Event ID 22 (DNS Query) to identify this behavior. Threat actors frequently use URL shorteners like TinyURL to obfuscate malicious destinations for command-and-control (C2) infrastructure or malware payloads, making DNS requests from non-browser applications in these locations highly suspicious. | TA0011 | T1105, T1071, T1102 | command-and-control, execution, endpoint-security
Windows Chromium Browser with Custom User Data Directory | splunk | New rule | STIX2 | This detection identifies the launch of a Chromium-based browser (Chrome, Edge, Brave, etc.) with the `--user-data-dir` command-line argument. This parameter specifies a custom user profile directory. While it has legitimate uses for testing or profile separation, threat actors and malware leverage it to create isolated browser environments for stealthy operations, credential harvesting, or evading detection by storing artifacts in non-standard locations. | TA0005, TA0006 | T1497, T1564.004 | defense-evasion, credential-access, malicious-activity, endpoint-security
Windows Disable Internet Explorer Addons | splunk | New rule | STIX2 | This rule detects the execution of Internet Explorer (`iexplore.exe`) with the `-extoff` flag, which disables all browser extensions. This behavior is often exploited by attackers to conduct operations that could evade security plugins like antivirus extensions or toolbars. The use of the `-extoff` flag, especially when initiated by applications like Office, PowerShell, or scheduled tasks, is unusual and could signify potential phishing or command-and-control activity. | TA0011, TA0005 | T1176.001, T1071.001, T1070.004 | malicious-activity, command-and-control, defense-evasion, discovery
Windows Chromium Browser No Security Sandbox Process | splunk | New rule | STIX2 | This rule detects the execution of a Chromium-based browser process with the `--no-sandbox` command-line flag. This flag disables the browser's security sandbox, a critical defense mechanism that isolates browser processes from the underlying operating system. Threat actors commonly use this technique to facilitate malicious code execution, escape browser isolation for credential theft, or enable UI spoofing, often as part of a malware dropper or loader. | TA0005 | T1497, T1497.001 | malicious-activity, defense-evasion, endpoint-security
AWS CloudTrail Log Evasion | elastic-siem | New rule | STIX2 | This rule identifies attempts to evade AWS CloudTrail logging for IAM policy actions. An adversary can pad an IAM policy document with excessive whitespace, causing it to exceed CloudTrail's logging size limits. This results in the policy details being omitted from the log, replaced by a "requestParameters too large" message. The detection logic specifically targets successful IAM events in CloudTrail logs where the `request_parameters` field indicates that details were omitted for this reason, effectively detecting efforts to obscure unauthorized policy modifications. | TA0005 | T1562, T1562.008 | 
External Attack Surface Monitoring (EASM) KQL | kql | New rule | STIX2 | This KQL query identifies internet-facing devices by querying the ExposureGraphNodes table for devices or virtual machines flagged as internet-facing. It then cross-references these devices with DeviceNetworkEvents from the last 30 days to find listening connections, excluding localhost. The query ultimately summarizes the number of unique exposed listening ports per device, providing a measure of the external attack surface for the MDE device fleet. | TA0043 | T1595, T1046 | discovery, network-security, cloud-security
Kubeconfig File Creation or Modification | elastic-siem | New rule | STIX2 | This rule detects the creation or modification of common Kubernetes configuration files (kubeconfig) on Linux systems. The detection logic, implemented in EQL, monitors specific file paths like `/root/.kube/config` and `/etc/kubernetes/*.conf` while excluding legitimate activity from processes such as `kubeadm` and `kubelet`. Such file activity may indicate an attacker's attempt to gain unauthorized access, move laterally within a Kubernetes cluster, or evade defenses by using alternate authentication materials. | TA0008, TA0005, TA0001, TA0006 | T1550, T1078, T1552.007 | lateral-movement, defense-evasion, initial-access, cloud-security, endpoint-security