@traut
Last active April 6, 2025 18:57
{
"type": "bundle",
"id": "bundle--d33c44b9-b41d-49e6-9421-0ad2cf8fef1d",
"objects": [
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule monitors for the unusual occurrence of outbound network connections to suspicious top-level domains (TLDs). It aims to detect potentially malicious command-and-control activity on macOS systems by observing connections to TLDs commonly associated with abuse, and helps identify compromised hosts that may be communicating with malicious actors over the network. Two caveats for anyone deploying the pattern below directly: (1) it is only the base KQL filter and on its own matches every connection to a listed TLD; the 'unusual' qualifier appears to come from the upstream Elastic rule's new-terms logic, which is not captured in this STIX pattern; (2) the list includes legitimate country-code TLDs (for example .in, .kr, .ru, .cc, .ws, .nu, .ke) and popular generic TLDs (.info, .online, .shop, .club), so organizations with users, customers or suppliers in those namespaces should expect false positives and tune the list.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_connection_to_suspicious_top_level_domain.toml"
}
],
"id": "indicator--e9b68538-9f31-401d-a376-4c8f555566ac",
"indicator_types": [
"anomalous-activity",
"malicious-activity",
"command-and-control"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Unusual Network Connection to Suspicious Top Level Domain",
"pattern": "event.category : \"network\" and host.os.type : \"macos\" and event.type : \"start\" and destination.domain : (*.team or *.lol or *.kr or *.ke or *.nu or *.space or *.capital or *.in or *.cfd or *.online or *.ru or *.info or *.top or *.buzz or *.xyz or *.rest or *.ml or *.cf or *.gq or *.ga or *.onion or *.network or *.monster or *.marketing or *.cyou or *.quest or *.cc or *.bar or *.click or *.cam or *.surf or *.tk or *.shop or *.club or *.icu or *.pw or *.ws or *.hair or *.mom or *.beauty or *.boats or *.fun or *.life or *.store)",
"pattern_type": "kuery",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T19:22:41.000Z"
},
{
"contact_information": "https://github.com/elastic/detection-rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "elastic",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule monitors for the unusual occurrence of outbound network connections to suspicious web-service domains. It focuses on endpoints running macOS, looking for network connections initiated towards domains commonly associated with paste sites, file sharing, tunnelling/reverse-proxy services and webhooks, which are frequently used as C2 relays or exfiltration points. The upstream rule uses domain matching and tracks new terms for host, process and destination details to identify anomalies; note that the STIX pattern below carries only the domain filter, not the new-terms component, so applied as-is it fires on every connection to a listed domain. Many listed domains are widely used legitimate services (drive.google.com, *.sharepoint.com, discord.com, api.slack.com, *.blogspot.com, i.imgur.com, *.trycloudflare.com), so baselining per process and host is required before alerting. The rule aligns with the Command and Control tactic under the MITRE ATT&CK framework.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml"
}
],
"id": "indicator--38a292c7-ecaa-410f-9a11-9b91f9611563",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Unusual Network Connection to Suspicious Web Service",
"pattern": "event.category : \"network\" and host.os.type : \"macos\" and event.type : \"start\" and\ndestination.domain : (\n pastebin.* or\n paste.ee or\n ghostbin.com or\n drive.google.com or\n ?.docs.live.net or\n api.dropboxapi.* or\n content.dropboxapi.* or\n *dl.dropboxusercontent.* or\n api.onedrive.com or\n *.onedrive.org or\n onedrive.live.com or\n filebin.net or\n *.ngrok.io or\n ngrok.com or\n *.portmap.* or\n *serveo.net or\n *localtunnel.me or\n *pagekite.me or\n *localxpose.io or\n *notabug.org or\n rawcdn.githack.* or\n paste.nrecom.net or\n zerobin.net or\n controlc.com or\n requestbin.net or\n api.slack.com or\n slack-redir.net or\n slack-files.com or\n cdn.discordapp.com or\n discordapp.com or\n discord.com or\n apis.azureedge.net or\n cdn.sql.gg or\n ?.top4top.io or\n top4top.io or\n uplooder.net or\n *.cdnmegafiles.com or\n transfer.sh or\n updates.peer2profit.com or\n api.telegram.org or\n t.me or\n meacz.gq or\n rwrd.org or\n *.publicvm.com or\n *.blogspot.com or\n api.mylnikov.org or\n script.google.com or\n script.googleusercontent.com or\n paste4btc.com or\n workupload.com or\n temp.sh or\n filetransfer.io or\n gofile.io or\n store?.gofile.io or\n tiny.one or\n api.notion.com or\n *.sharepoint.com or\n *upload.ee or\n bit.ly or\n t.ly or\n cutt.ly or\n mbasic.facebook.com or\n api.gofile.io or\n file.io or\n api.anonfiles.com or\n api.trello.com or\n gist.githubusercontent.com or\n dpaste.com or\n *azurewebsites.net or\n *.zulipchat.com or\n *.4shared.com or\n filecloud.me or\n i.ibb.co or\n files.catbox.moe or\n *.getmyip.com or\n mockbin.org or\n webhook.site or\n run.mocky.io or\n *infinityfreeapp.com or\n free.keep.sh or\n tinyurl.com or\n ftpupload.net or\n lobfile.com or\n *.ngrok-free.app or\n myexternalip.com or\n yandex.ru or\n *.yandex.ru or\n *.aternos.me or\n cdn??.space or\n *.pcloud.com or\n mediafire.zip or\n urlz.fr or\n rentry.co or\n *.b-cdn.net or\n pastecode.dev or\n i.imgur.com or\n the.earth.li or\n 
*.trycloudflare.com\n)",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T19:02:03.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may use homoglyph attacks by substituting characters in process names or commands with visually similar Unicode symbols to impersonate legitimate commands. This tactic is often used to evade string-based detection and confuse analysts during investigation. This PowerShell-logging variant (Event IDs 4103 and 4104) flags command text containing a word character followed by characters from the Cyrillic (U+0400-U+04FF) or Greek (U+0370-U+03FF) blocks. Note: as rendered here the search contains 'zTERM(EventCode=4104)', which looks like a typo for 'TERM(EventCode=4104)'; as written, 4104 script-block events would only be picked up through the XML-style '<EventID>4104<' clause, so verify against the source rule before deploying. Localized environments with legitimate Cyrillic or Greek usernames, paths or arguments will need allowlisting.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/command_line_homoglyphs-windows/command_line_homoglyphs-windows-splunk-powershell.yml"
}
],
"id": "indicator--fffede35-ad02-4fa9-8df1-1af75be27b4a",
"indicator_types": [
"defense-evasion"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Command Line Homoglyphs - Windows",
"pattern": "`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4103) OR \"<EventID>4103<\" OR zTERM(EventCode=4104) OR \"<EventID>4104<\") | regex process=\"\\w+([Ѐ-ӿ]+|[Ͱ-Ͽ]+)\" | table _time, host, user, process, process_name, parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"contact_information": "https://github.com/anvilogic-forge/armory",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "anvilogic-forge",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may use homoglyph attacks by substituting visually similar Unicode symbols in process names or commands to impersonate legitimate commands, thus evading string-based detection and confusing analysts. This EDR variant flags Windows processes whose command line contains characters from commonly abused homoglyph ranges: Cyrillic (U+0400-U+04FF), Greek (U+0370-U+03FF) and full-width Latin letters and digits. Caution: the regex as rendered in this bundle ends in the plain ASCII ranges a-z, A-Z and 0-9 rather than the full-width forms (U+FF10-U+FF19, U+FF21-U+FF3A, U+FF41-U+FF5A); if that is what gets deployed, the rule matches virtually every process. Confirm that the source rule uses the full-width ranges and that no Unicode normalization was applied when the pattern was copied into this bundle. Localized hosts with legitimate Cyrillic or Greek text in command lines will also require baselining.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/command_line_homoglyphs-windows/command_line_homoglyphs-windows-splunk-edr.yml"
}
],
"id": "indicator--6fd09f0b-c328-4802-8f77-09a2bb658b61",
"indicator_types": [
"defense-evasion"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Command Line Homoglyphs - Windows",
"pattern": "`get_endpoint_data` `get_endpoint_data_edr` | regex process=\"[Ѐ-ӿͰ-Ͽa-zA-Z0-9]\" | table _time, host, user, process, process_name, parent_process_name | bin span=1s | stats values(*) as * by _time, host",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may use homoglyph attacks by substituting characters in process names or commands with visually similar Unicode symbols to impersonate legitimate commands. This tactic is often used to evade string-based detection and confuse analysts during investigation. This Windows Security Log variant (Event ID 4688, which only carries the command line if 'Include command line in process creation events' is enabled) flags processes containing characters from commonly abused homoglyph ranges: Cyrillic (U+0400-U+04FF), Greek (U+0370-U+03FF) and full-width Latin letters and digits. Caution: the regex as rendered in this bundle ends in the plain ASCII ranges a-z, A-Z and 0-9 rather than the full-width forms (U+FF10-U+FF19, U+FF21-U+FF3A, U+FF41-U+FF5A); deployed as shown it would match virtually every process, so confirm the source rule uses the full-width ranges and that no Unicode normalization occurred when the pattern was copied.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/command_line_homoglyphs-windows/command_line_homoglyphs-windows-splunk-winevent.yml"
}
],
"id": "indicator--1ba6f972-c989-4472-849d-7fe6d50b150c",
"indicator_types": [
"defense-evasion"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Command Line Homoglyphs - Windows",
"pattern": "`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR \"<EventID>4688<\" OR Type=Process) | regex process=\"[Ѐ-ӿͰ-Ͽa-zA-Z0-9]\" | table _time, host, user, process, process_name, parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may use homoglyph attacks by substituting characters in process names or commands with visually similar Unicode symbols to impersonate legitimate commands. This tactic is used to evade string-based detection and confuse analysts. This Sysmon variant (Event ID 1, process creation) flags processes containing characters from commonly abused homoglyph ranges such as Cyrillic (U+0400-U+04FF), Greek (U+0370-U+03FF) and full-width Latin letters and digits. Caution: the regex as rendered in this bundle ends in the plain ASCII ranges a-z, A-Z and 0-9 rather than the full-width forms (U+FF10-U+FF19, U+FF21-U+FF3A, U+FF41-U+FF5A); deployed as shown it would match virtually every process, so confirm the source rule uses the full-width ranges and that no Unicode normalization occurred when the pattern was copied.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/command_line_homoglyphs-windows/command_line_homoglyphs-windows-splunk-sysmon.yml"
}
],
"id": "indicator--2e21acaf-9f38-4599-8cf6-94be16179362",
"indicator_types": [
"obfuscated files or information",
"defense-evasion",
"command obfuscation"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Command Line Homoglyphs - Windows",
"pattern": "`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR \"<EventID>1<\") | regex process=\"[Ѐ-ӿͰ-Ͽa-zA-Z0-9]\" | table _time, host, user, process, process_name, parent_process_name | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may attempt to exploit CVE-2024-1086, a use-after-free in the Linux kernel's nf_tables (netfilter) subsystem that can be leveraged for local privilege escalation. This use case treats repeated execution of the nft userspace utility by an unprivileged user as a proxy for such attempts, alerting on more than five nft executions within a 10-second window by a non-root user, since unprivileged nftables activity is unusual on most production systems. Two caveats: (1) the vulnerability is in the kernel and is reached over netlink; exploits that talk to nf_tables directly (for example from an unprivileged user namespace) never spawn the nft binary and will not be seen by this rule, so treat it as low-fidelity coverage rather than exploit detection; (2) as rendered here the search ends in 'stats values(*) as * by _time, host | where event_count > 5', but neither the preceding 'table' nor that 'stats' call produces an event_count field, so the final filter would drop every result unless the deployed version adds 'count as event_count' to the stats clause (and note the threshold is then per host, not per user). Verify against the source rule before relying on it.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/high-frequency_nft_executions_by_unprivileged_user/high-frequency_nft_executions_by_unprivileged_user-splunk-unix.yml"
}
],
"id": "indicator--efbfe15c-b473-4113-b432-778d5dfab6f5",
"indicator_types": [
"malicious-activity",
"privilege-escalation"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "High-Frequency nft Executions by Unprivileged User",
"pattern": "`get_endpoint_data` `get_endpoint_data_unix` (\"/usr/bin/nft\" OR \"/usr/sbin/nft\" OR \"nft\") | where (match(process_path, \"/usr/s?bin/nft\") or match(process, \"^nft\\s\")) and uid!=\"0\" | table _time, host, user, process, process_name, parent_process_name, user | bin span=10s | stats values(*) as * by _time, host | where event_count > 5",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. This rule detects when binaries are copied from /bin on Unix-based endpoints, which may indicate an attempt to evade detection. Coverage note: the regex requires the literal sequence 'cp', whitespace, then a source path beginning with /bin/, so 'cp -a /bin/bash /tmp/x' (options before the source), copies from /usr/bin (the real location on merged-/usr distributions where /bin is a symlink), and relocation via mv, install, dd or cat redirection are not matched; extend the regex if those paths matter in your environment.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/system_binary_copied-nix/system_binary_copied-nix-splunk-unix.yml"
}
],
"id": "indicator--91b8c1e5-a198-4e3a-afe5-99fe68cdd947",
"indicator_types": [
"defense-evasion"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "System Binary Copied - *nix",
"pattern": "`get_endpoint_data` `get_endpoint_data_unix` TERM(cp) TERM(bin) | regex process=\"(?i)cp\\s+\\/bin\\/.*\\s+\"| rex field=process \"(?i)cp\\s+\\/bin\\/.*\\s+(?<dest_process>.+$)\" | table _time, host, user signature_id, process, process_*, parent_*, dest_process | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2024-02-09T19:44:06.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may abuse command-line padding with whitespace or non-printable control characters to hide malicious commands beyond the UI-visible limit, often using LNK files to launch payloads via explorer.exe. This technique enables stealthy execution by concealing the true command from the user's view. This use case detects processes launched by explorer.exe where the command line contains whitespace or control-character padding, suggesting hidden execution activity consistent with LNK-based attacks. Tuning note: the first alternative of the regex fires on any single tab, line feed, carriage return, vertical tab, form feed or 0x11-0x13 control character anywhere in the command line, not only on 'excessive' padding; only the second alternative (five or more consecutive line feeds) carries a count threshold, so expect hits from legitimate multi-line or tab-containing command lines and baseline accordingly. Note: Due to command line logging normalization/sanitization in other log sources, Sysmon or EDR logging is recommended for detection. This logic was verified with CrowdStrike FDR logs; if your organization uses a different EDR vendor, it is strongly recommended to perform the test found in the Threat Examples to validate that your logging source is not removing the whitespace padding.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/explorer_child_process_with_suspicious_command_line_padding/explorer_child_process_with_suspicious_command_line_padding-splunk-sysmon.yml"
}
],
"id": "indicator--4f4c3077-dbbf-4841-b6dc-c04271fae48c",
"indicator_types": [
"malicious-activity",
"attribution"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Explorer Child Process with Suspicious Command Line Padding",
"pattern": " `get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR \"<EventID>1<\") (TERM(explorer) OR \"explorer.exe\") | where match(process, \"[\\x09\\x0A\\x0B\\x0C\\x0D\\x11\\x12\\x13]|(\\n){5,}\") and parent_process_name=\"explorer.exe\" | table _time, host, user, process, process_path, process_name, parent_process_name, parent_process | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "This rule detects attempts to evade security mechanisms by renaming or copying legitimate system utilities on Unix-based endpoints. It is specifically focused on cases where utilities are copied or moved out of their usual directories to evade security tools that only monitor the standard paths. The detection logic targets binaries being copied from the /bin directory as part of potential defense evasion techniques. Coverage note: the regex requires the literal sequence 'cp', whitespace, then a source path beginning with /bin/, so copies with options before the source ('cp -a /bin/bash ...'), copies from /usr/bin (where /bin is a symlink on merged-/usr distributions) and relocation via mv, install, dd or cat redirection are not matched; extend the regex if those paths matter in your environment.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/system_binary_copied-nix/system_binary_copied-nix-splunk-edr.yml"
}
],
"id": "indicator--0be4d3aa-6dcd-4b18-87b3-872b93a1c2d4",
"indicator_types": [
"defense-evasion",
"system binary proxy execution",
"masquerading"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "System Binary Copied - *nix",
"pattern": "`get_endpoint_data` `get_endpoint_data_edr` TERM(cp) TERM(bin) | regex process=\"(?i)cp\\s+\\/bin\\/.*\\s+\"| rex field=process \"(?i)cp\\s+\\/bin\\/.*\\s+(?<dest_process>.+$)\" | table _time, host, user signature_id, process, process_*, parent_*, dest_process | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2024-02-09T19:44:06.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may abuse command-line padding with whitespace or non-printable control characters to hide malicious commands beyond the UI-visible limit, often using LNK files to launch payloads via explorer.exe. This technique enables stealthy execution by concealing the true command from the user's view. This use case detects processes launched by explorer.exe where the command line contains whitespace or control-character padding, suggesting hidden execution activity consistent with LNK-based attacks. Tuning note: the first alternative of the regex fires on any single tab, line feed, carriage return, vertical tab, form feed or 0x11-0x13 control character anywhere in the command line, not only on 'excessive' padding; only the second alternative (five or more consecutive line feeds) carries a count threshold. Confirm that your EDR preserves the padding rather than sanitizing command lines before relying on this rule.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/explorer_child_process_with_suspicious_command_line_padding/explorer_child_process_with_suspicious_command_line_padding-splunk-edr.yml"
}
],
"id": "indicator--491042d8-5645-46f4-9d02-36989a680b67",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Explorer Child Process with Suspicious Command Line Padding",
"pattern": " `get_endpoint_data` `get_endpoint_data_edr` (TERM(explorer) OR \"explorer.exe\")\n | where match(process, \"[\\x09\\x0A\\x0B\\x0C\\x0D\\x11\\x12\\x13]|(\\n){5,}\") and parent_process_name=\"explorer.exe\"\n | table _time, host, user, process, process_path, process_name, parent_process_name,\n parent_process | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "This detection rule identifies high-frequency executions of the nftables userspace utility (nft) by unprivileged users, which may accompany an attempt to exploit CVE-2024-1086, a use-after-free in the Linux kernel's nf_tables subsystem usable for local privilege escalation. It looks for more than five executions of nft within a 10-second window by non-root users, which is unusual on production systems. Caveats: exploits that drive nf_tables over netlink directly never spawn the nft binary and are not covered, so this is low-fidelity coverage rather than exploit detection; and as rendered here the search ends in 'stats values(*) as * by _time, host | where event_count > 5', but that 'stats' call does not produce an event_count field, so the final filter would discard every result unless the deployed version computes 'count as event_count' (with the threshold then applying per host, not per user). Verify against the source rule before relying on it.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/high-frequency_nft_executions_by_unprivileged_user/high-frequency_nft_executions_by_unprivileged_user-splunk-edr.yml"
}
],
"id": "indicator--02929175-b043-4a6b-a21f-888e315308da",
"indicator_types": [
"malicious-activity",
"privilege-escalation"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "High-Frequency nft Executions by Unprivileged User",
"pattern": "`get_endpoint_data` `get_endpoint_data_edr` (\"/usr/bin/nft\" OR \"/usr/sbin/nft\" OR \"nft\") | where (match(process_path, \"/usr/s?bin/nft\") or match(process, \"^nft\\s\")) and uid!=\"0\" | table _time, host, user, process, process_name, parent_process_name, user | bin span=10s | stats values(*) as * by _time, host | where event_count > 5 ",
"pattern_type": "spl",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "The rule detects when legitimate Windows system processes that are not expected to perform network activity are observed creating network connections (Windows Filtering Platform event 5156, which requires 'Filtering Platform Connection' success auditing to be enabled). This anomaly can signify process injection or masquerading techniques by threat actors to blend malicious activities with normal system behavior. Commonly targeted processes include conhost.exe, lsass.exe, and wininit.exe. Baselining caveat: several listed processes do make legitimate connections on domain-joined hosts, notably lsass.exe (Kerberos and LDAP to domain controllers), explorer.exe (SMB and WebDAV shares) and spoolsv.exe (network printing), so restrict by destination or allowlist expected peers before alerting on them. Also note the search matches the process names as free-text tokens across the whole event, so a name appearing in a parent-process field will match as well.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/unexpected_network_connection_from_system_process/unexpected_network_connection_from_system_process-splunk-winevent.yml"
}
],
"id": "indicator--3699a431-0728-439b-966f-07e22286ceb6",
"indicator_types": [
"malicious-activity",
"defense-evasion"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Unexpected Network Connection from System Process",
"pattern": "`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=5156) OR \"<EventID>5156<\") (\"conhost.exe\" OR \"explorer.exe\" OR \"services.exe\" OR \"wininit.exe\" OR \"lsass.exe\" OR \"dwm.exe\" OR \"spoolsv.exe\" OR \"taskhost.exe\") | table _time, host, user, process, process_*, parent_* | bin span=1s | stats values(*) as * by _time, host ",
"pattern_type": "anvilogic",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--1f011897-8c5c-4dda-b42e-c881542e2abe",
"description": "Threat actors may abuse legitimate system processes that typically lack network functionality to perform malicious network activity, helping evade detection and blend in with normal system behavior. This technique is often associated with process injection or masquerading, where code is executed within trusted processes to establish command-and-control (C2) channels or exfiltrate data. This use case detects instances where non-networking system processes are observed initiating network connections (Sysmon Event ID 3, which must be enabled in the Sysmon configuration), which may indicate process injection, covert C2 activity, or execution of malicious payloads under trusted process names. Baselining caveat: lsass.exe (Kerberos and LDAP to domain controllers), explorer.exe (SMB and WebDAV shares) and spoolsv.exe (network printing) legitimately initiate connections on domain-joined hosts, and the process names are matched as free-text tokens across the whole event, so filter by destination or allowlist expected peers before alerting.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/anvilogic-forge/armory/blob/main/detections/endpoint/unexpected_network_connection_from_system_process/unexpected_network_connection_from_system_process-splunk-sysmon.yml"
}
],
"id": "indicator--168a8703-119e-4bc2-a429-791995e00ade",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Unexpected Network Connection from System Process",
"pattern": "`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=3) OR \"<EventID>3<\")\n (\"conhost.exe\" OR \"explorer.exe\" OR \"services.exe\" OR \"wininit.exe\" OR \"lsass.exe\"\n OR \"dwm.exe\" OR \"spoolsv.exe\" OR \"taskhost.exe\") | table _time, host, user, process,\n process_*, parent_* | bin span=1s | stats values(*) as * by _time, host",
"pattern_type": "splunk",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:59:11.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "Detects the ShelbyLoader Windows trojan in file and memory scans. The rule keys on debug/log strings embedded in the loader's sandbox and parent-process checks (for example '[WARN] Unusual parent process detected: ' and '[INFO] Sandbox Not Detected by CheckParentProcess'), or alternatively on artifacts of its GitHub-based command-and-control: a 'Persist ID: ' string, the 'https://api.github.com/repos/' URL prefix, and hex-encoded JSON regex fragments for the 'content' and 'sha' keys used to parse API responses. Either the complete log-string set or the complete GitHub set must match. Published by Elastic Security to aid in identifying and mitigating ShelbyLoader.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_ShelbyLoader.yar"
}
],
"id": "indicator--40f9312c-8b5d-4cb6-a020-386b27bd561f",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Windows_Trojan_ShelbyLoader_ca4d5de6",
"pattern": "rule Windows_Trojan_ShelbyLoader_ca4d5de6 {\n meta:\n author = \"Elastic Security\"\n id = \"ca4d5de6-1b4f-4c5b-97aa-1d432aa870f7\"\n fingerprint = \"95a2cf5388aa07c434ad23ed9e96cfa5c80a2eff030ccf48169142a28fbb63ee\"\n creation_date = \"2025-03-11\"\n last_modified = \"2025-03-25\"\n threat_name = \"Windows.Trojan.ShelbyLoader\"\n reference_sample = \"0354862d83a61c8e69adc3e65f6e5c921523eff829ef1b169e4f0f143b04091f\"\n severity = 100\n arch_context = \"x86\"\n scan_context = \"file, memory\"\n license = \"Elastic License v2\"\n os = \"windows\"\n strings:\n $a0 = \"[WARN] Unusual parent process detected: \"\n $a1 = \"[ERROR] Exception in CheckParentProcess:\" fullword\n $a2 = \"[INFO] Sandbox Not Detected by CheckParentProcess\" fullword\n $b0 = { 22 63 6F 6E 74 65 6E 74 22 3A 20 22 2E 2B 3F 22 }\n $b1 = { 22 73 68 61 22 3A 20 22 2E 2B 3F 22 }\n $b2 = \"Persist ID: \" fullword\n $b3 = \"https://api.github.com/repos/\" fullword\n condition:\n all of ($a*) or all of ($b*)\n}\n",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:44:39.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This YARA rule detects the ShelbyC2 Windows trojan in file and memory scans. It requires all five indicators to be present: the strings 'File Uploaded Successfully', '/dlextract' and '/evoke' (an upload response and two command handlers), plus two hex-encoded JSON fragments for a 'sha' key that match the GitHub API response format also keyed on by the companion ShelbyLoader rule. Created by Elastic Security, it targets x86 Windows binaries and scans both file and memory contexts.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_ShelbyC2.yar"
}
],
"id": "indicator--37a56dc5-ed62-4d55-9adb-a78f29e59e46",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Windows_Trojan_ShelbyC2_dae5bc1d",
"pattern": "rule Windows_Trojan_ShelbyC2_dae5bc1d {\n meta:\n author = \"Elastic Security\"\n id = \"dae5bc1d-2011-446e-9909-935c0ef51e37\"\n fingerprint = \"48013925624ad4572067e40b1751e181d678a96d894ec622470c7d65d33afbd6\"\n creation_date = \"2025-03-11\"\n last_modified = \"2025-03-25\"\n threat_name = \"Windows.Trojan.ShelbyC2\"\n reference_sample = \"fb8d4c24bcfd853edb15c5c4096723b239f03255f17cec42f2d881f5f31b6025\"\n severity = 100\n arch_context = \"x86\"\n scan_context = \"file, memory\"\n license = \"Elastic License v2\"\n os = \"windows\"\n strings:\n $a0 = \"File Uploaded Successfully\" fullword\n $a1 = \"/dlextract\" fullword\n $a2 = \"/evoke\" fullword\n $a4 = { 22 73 68 61 22 3A 20 22 2E 2B 3F 22 }\n $a5 = { 22 2C 22 73 68 61 22 3A 22 }\n condition:\n all of them\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T15:44:39.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--0060850f-b5fd-410a-ba58-98493df347d8",
"description": "This rule detects the Rhadamanthys Windows trojan in file and memory contexts. Unlike string-based rules it matches a single x86 code sequence ($a1) taken from a known sample rather than any text strings, so it is sensitive to recompilation or code changes in newer variants; its severity is set to 50, reflecting that lower confidence. It targets x86 builds on Windows.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Rhadamanthys.yar"
}
],
"id": "indicator--e88a012b-82d7-4817-b44a-57dcb3d62ff5",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Windows_Trojan_Rhadamanthys_baba80fb",
"pattern": "rule Windows_Trojan_Rhadamanthys_baba80fb {\n meta:\n author = \"Elastic Security\"\n id = \"baba80fb-1d8a-424c-98e2-904c8f2e4f09\"\n fingerprint = \"71d9345d0288bfbbf7305962e5e316801d4a5cba332c5f4167f8e4f39cff6f61\"\n creation_date = \"2024-01-24\"\n last_modified = \"2025-02-23\"\n threat_name = \"Windows.Trojan.Rhadamanthys\"\n reference_sample = \"dd22cb2318d66fa30702368a7f06e445fba4b69daf9c45f8e83562d2c170a073\"\n severity = 50\n arch_context = \"x86\"\n scan_context = \"file, memory\"\n license = \"Elastic License v2\"\n os = \"windows\"\n strings:\n $a1 = { 83 EC 0C 8B 4D 0C 53 56 57 8B 59 20 8D 71 20 8B F9 89 75 FC 85 DB 89 7D 0C 75 05 8B 59 24 EB 0C 8D 41 24 89 45 F8 8B 00 85 C0 75 30 8B 51 28 8B 41 2C 85 DB 74 03 89 53 28 85 D2 74 15 }\n condition:\n all of them\n}\n",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-04-24T14:19:55.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--71847679-ee68-441f-a281-8dc38deece1d",
"description": "Detects the AMOS (Atomic macOS) Stealer malware using opcode byte patterns in executable code. The condition first checks the file's leading 32-bit magic for a Mach-O image (0xfeedface/0xfeedfacf and their byte-swapped forms for 32- and 64-bit, and 0xcafebabe/0xcafebabf and their byte-swapped forms for universal/fat binaries), so despite the 'win_' prefix in the source filename this is a macOS Mach-O detection, not a PE one. It then requires more than 5000 occurrences of the short call/jmp stub $op1 together with at least one hit of the longer sequence $op2. Note that 0xcafebabe is also the Java class-file magic, so the opcode conditions, not the header check, carry the rule's specificity.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/RussianPanda95/Yara-Rules/blob/main/AMOS/win_mal_amos_stealer.yar"
}
],
"id": "indicator--6cd45799-221e-4900-aa36-50f02e04761f",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "AMOS_Stealer",
"pattern": "rule AMOS_Stealer\n{\n meta:\n description = \"Detects AMOS Stealer\"\n author = \"RussianPanda\"\n date = \"2025-03-31\"\n hash = \"55663778a8c593b77a82ea1be072c73dd6a1d7a9567bbfbfad7d3dec9f672996\"\n \n strings:\n $op1 = {E8 ?? ?? ?? ?? E9 00 00 00 00 48 8D}\n $op2 = {48 3B 85 68 FF FF FF 0F 83 03 01 00 00 C6 85 5F FF FF FF 00 C7 85 58 FF FF FF 00 00 00 00}\n \n condition:\n (\n uint32(0) == 0xfeedface or\n uint32(0) == 0xcefaedfe or \n uint32(0) == 0xfeedfacf or \n uint32(0) == 0xcffaedfe or \n uint32(0) == 0xcafebabe or \n uint32(0) == 0xbebafeca or\n uint32(0) == 0xcafebabf or\n uint32(0) == 0xbfbafeca\n ) and (#op1 > 5000 and $op2)\n}",
"pattern_type": "yara",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-01T04:03:22.000Z"
},
{
"contact_information": "https://github.com/RussianPanda95/Yara-Rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--71847679-ee68-441f-a281-8dc38deece1d",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "RussianPanda95",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "The rule identifies successful creation of object-manager symbolic links (via the create_symbolic_link_object macro) by processes that are untrusted or unusual: any process other than System (PID 4) whose image is unsigned, whose signature is not trusted, or whose image path falls outside a short allowlist (Windows Defender's MsMpEng.exe, svchost.exe in System32, anything under Program Files or Program Files (x86), and vmwp.exe in System32). Because the three conditions are OR-ed, a signed and trusted binary running from outside the allowlist still matches. This activity may indicate exploitation attempts where adversaries use symbolic links to redirect system processes into executing or writing attacker-controlled paths.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/defense_evasion_suspicious_object_symbolic_link_creation.yml"
}
],
"id": "indicator--54aa5f85-b020-47b4-a73d-57addbc0fa4c",
"indicator_types": [
"suspicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Suspicious object symbolic link creation",
"pattern": "create_symbolic_link_object and kevt.pid != 4 and (pe.is_signed = false or pe.is_trusted = false or not ps.exe imatches ( '?:\\ProgramData\\Microsoft\\Windows Defender\\*\\MsMpEng.exe', '?:\\WINDOWS\\system32\\svchost.exe', '?:\\Program Files\\*', '?:\\Program Files (x86)\\*', '?:\\Windows\\System32\\vmwp.exe'))",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-19T17:54:21.000Z"
},
{
"contact_information": "https://github.com/rabbitstack/fibratus",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "rabbitstack",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies access to the Local Security Authority Subsystem Service (LSASS) process that is consistent with a memory dump via the MiniDumpWriteDump API. The rule matches an open_process or open_thread event whose target executable is lsass.exe in System32 when the calling thread's call stack contains dbgcore.dll or comsvcs.dll, or a symbol matching MiniDumpWriteDump. It does not inspect the requested access mask, so any caller that reaches LSASS through those DLLs or that export (including legitimate diagnostic or crash-dump tooling) may also match and should be handled with explicit exclusions. Such activity is commonly associated with credential dumping, i.e. extracting secrets from LSASS process memory.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/credential_access_lsass_memory_dump_via_minidumpwritedump.yml"
}
],
"id": "indicator--1f41d5f6-9560-491c-9937-67ba00a788b5",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "LSASS memory dump via MiniDumpWriteDump",
"pattern": "((open_process) or (open_thread)) and kevt.arg[exe] imatches '?:\\\\Windows\\\\System32\\\\lsass.exe' and (thread.callstack.modules imatches ('*dbgcore.dll', '*comsvcs.dll') or thread.callstack.symbols imatches ('*MiniDumpWriteDump'))",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-23T19:13:40.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Fibratus macro (a reusable predicate), not a standalone detection: it matches any CreateSymbolicLinkObject event whose status argument is Success, i.e. every successful creation of an object-manager symbolic link, benign or otherwise. It is referenced by the rule \"Suspicious object symbolic link creation\" in this bundle, which adds the process-trust and image-path conditions; on its own it carries no malicious-activity signal and should not be deployed as an alert.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/macros/macros.yml"
}
],
"id": "indicator--e4203825-c6dc-4577-8223-fbfb0f796256",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "create_symbolic_link_object",
"pattern": "- macro: create_symbolic_link_object\n expr: kevt.name = 'CreateSymbolicLinkObject' and kevt.arg[status] = 'Success'",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2022-11-12T22:08:03.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies the loading of an unsigned DLL by the svchost process followed by creating an executable file. Adversaries may rely on Windows Services to repeatedly execute malicious payloads as part of persistence.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/persistence_executable_file_dropped_by_unsigned_service_dll.yml"
}
],
"id": "indicator--c51279cd-3235-41f9-b746-e12ec3e36aea",
"indicator_types": [
"malicious-activity",
"persistence"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Executable file dropped by an unsigned service DLL",
"pattern": "name: Executable file dropped by an unsigned service DLL\nid: 3e29da58-0fc4-44c0-91c0-0dfc6af87e9d\nversion: 1.0.0\ndescription: |\n Identifies the loading of an unsigned DLL by svchost process followed by creating an\n executable file. Adversaries may rely on Windows Services to repeatedly execute malicious \n payloads as part of persistence.\nlabels:\n tactic.id: TA0003\n tactic.name: Persistence\n tactic.ref: https://attack.mitre.org/tactics/TA0003/\n technique.id: T1543\n technique.name: Create or Modify System Process\n technique.ref: https://attack.mitre.org/techniques/T1543/\n subtechnique.id: T1543.003\n subtechnique.name: Windows Service\n subtechnique.ref: https://attack.mitre.org/techniques/T1543/003/\nreferences:\n - https://grzegorztworek.medium.com/persistence-with-windows-services-1b21579f0ff3\n - https://www.ired.team/offensive-security/persistence/persisting-in-svchost.exe-with-a-service-dll-servicemain\n\ncondition: >\n sequence\n maxspan 3m\n |load_unsigned_dll and ps.exe imatches ('?:\\\\Windows\\\\System32\\\\svchost.exe', '?:\\\\Windows\\\\SysWOW64\\\\svchost.exe')| as e1\n |create_file and kevt.pid != 4 and ps.exe imatches ('?:\\\\Windows\\\\System32\\\\svchost.exe', '?:\\\\Windows\\\\SysWOW64\\\\svchost.exe')\n and\n (file.extension iin ('.exe', '.dll', '.com', '.js', '.vbs', '.cmd', '.bat', '.vbe') or file.is_exec or file.is_dll or file.is_driver)\n and\n thread.callstack.symbols iin (concat($e1.image.name, '!ServiceMain'))\n |\n\noutput: >\n Service %1.ps.cmdline loaded an unsigned DLL %1.image.path and subsequently dropped an executable file %2.file.path\nseverity: high\n\nmin-engine-version: 2.2.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-04T21:57:24.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--557477bb-14ac-42d1-b651-9f92cb2a1f1a",
"description": "Identifies a process launched from the Run command dialog (explorer.exe spawning a child with a call stack through shell32.dll/SHCore.dll or GetFileNameFromBrowse) that, within two minutes, spawns a second-stage process whose image is not under Program Files, Program Files (x86) or System32. This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into pasting and executing malicious commands under the guise of meeting pages or CAPTCHAs. Note the rule carries a kill action, so a match terminates the second-stage process automatically; validate it in alert-only mode first, since the second-stage condition is broad and legitimate user-directory or per-user-installed programs launched this way would also be killed.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/rabbitstack/fibratus/blob/master/rules/initial_access_potential_clickfix_infection_chain_via_run_window.yml"
}
],
"id": "indicator--e7c89aaf-5b39-4e50-9fcf-af5ad77910f4",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Potential ClickFix infection chain via Run window",
"pattern": "name: Potential ClickFix infection chain via Run window\nid: ffe1fc54-2893-4760-ab50-51a83bd71d13\nversion: 1.0.0\ndescription: |\n Identifies the execution of the process via the Run command dialog box followed by spawning of the potential \n infostealer process. \n This could be indicative of the ClickFix deceptive tactic used by attackers to lure victims into executing \n malicious commands under the guise of meeting pages or CAPTCHAs.\nlabels:\n tactic.id: TA0001\n tactic.name: Initial Access\n tactic.ref: https://attack.mitre.org/tactics/TA0001/\n technique.id: T1566\n technique.name: Phishing\n technique.ref: https://attack.mitre.org/techniques/T1566/\nreferences:\n - https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/\n - https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/\n - https://detect.fyi/hunting-clickfix-initial-access-techniques-8c1b38d5ef9b\n\ncondition: >\n sequence\n maxspan 2m\n |spawn_process and ps.name ~= 'explorer.exe' and length(ps.child.args) >= 2\n and\n (thread.callstack.summary imatches \n (\n 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*',\n 'ntdll.dll|KernelBase.dll|kernel32.dll|windows.storage.dll|shell32.dll|windows.storage.dll|shell32.dll|user32.dll|shell32.dll|explorer.exe|SHCore.dll|*'\n )\n or\n (thread.callstack.summary imatches '*shell32.dll|explorer.exe|*' and thread.callstack.symbols imatches ('*shell32.dll!GetFileNameFromBrowse*'))\n )\n | by ps.child.uuid\n |spawn_process and not ps.child.exe imatches \n (\n '?:\\\\Program Files\\\\*.exe',\n '?:\\\\Program Files (x86)\\\\*.exe',\n '?:\\\\Windows\\\\System32\\\\*.exe'\n )\n | by ps.uuid\naction:\n - name: kill\n\noutput: >\n Potential infostealer process %2.ps.child.exe executed via the Run command window by %1.ps.child.cmdline\nseverity: high\n\nmin-engine-version: 2.2.0\n",
"pattern_type": "fibratus",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-25T19:06:34.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "This rule detects the usage of the whitefox.pl open redirect in email messages, a technique exploited in the wild to facilitate credential phishing or malware distribution. It scans inbound messages for specific patterns in URLs that indicate open redirection to \"demo.whitefox.pl\" while excluding trusted sender domains unless they fail DMARC authentication.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/open_redirect_whitefox.yml"
}
],
"id": "indicator--c4e70b27-1184-46ce-8cdd-62cdbc670c95",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Open Redirect: whitefox.pl",
"pattern": "type.inbound\nand any(body.links,\n .href_url.domain.domain == \"demo.whitefox.pl\"\n and strings.icontains(.href_url.path, '/Home/SetCulture')\n and strings.icontains(.href_url.query_params, 'cultureName=')\n and strings.icontains(.href_url.query_params, 'returnUrl=')\n and not regex.icontains(.href_url.query_params,\n 'returnUrl=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*whitefox\\.pl(?:\\&|\\/|$|%2f)'\n )\n)\nand not sender.email.domain.root_domain == \"whitefox.pl\"\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-02T13:34:07.000Z"
},
{
"contact_information": "https://github.com/sublime-security/sublime-rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "sublime-security",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "This rule identifies messages containing CloudHQ share links from senders outside the CloudHQ domain who are impersonating DocuSign in either the subject line or display name. It focuses on analyzing headers, URLs, content, and sender details to detect impersonation attempts. This detection is tailored to catch credential phishing and BEC/Fraud attacks using brand impersonation and free file hosts.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/impersonation_docusign_via_cloudhq.yml"
}
],
"id": "indicator--43553cf1-90fd-4fd2-afa9-373ad1876a6f",
"indicator_types": [
"malicious-activity",
"impersonation"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "DocuSign Impersonation via CloudHQ Links",
"pattern": "type.inbound\nand any(body.links,\n .href_url.domain.root_domain == \"cloudhq.net\"\n and strings.starts_with(.href_url.path, \"/s/\")\n and sender.email.domain.root_domain != 'cloudhq.net'\n)\n\n// the subject or display_name includes docusign\nand (\n regex.icontains(strings.replace_confusables(subject.subject),\n '\\bdocu\\s*sign\\b'\n )\n or regex.icontains(strings.replace_confusables(sender.display_name),\n '\\bdocu\\s*sign\\b'\n )\n)\n\n// there is one unique cloudhq link in the message\nand length(distinct(filter(body.links,\n .href_url.domain.root_domain == \"cloudhq.net\"\n ),\n .href_url.url\n )\n) <= 1",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-04T16:03:31.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "The detection rule focuses on identifying emails impersonating the expense management provider Navan. It employs sender analysis, logo detection, natural language understanding, and content analysis to flag potential threats. This rule attempts to capture spoofed emails that do not originate from known Navan domains and are suspicious in nature based on various criteria.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/brand_impersonation_navan.yml"
}
],
"id": "indicator--3e5badba-98ec-461e-8b53-a9ff05be13d2",
"indicator_types": [
"malicious-activity",
"impersonation",
"phishing"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Brand Impersonation: Navan",
"pattern": "type.inbound\nand (\nregex.icontains(sender.display_name, '(?:The\\s+)?\\bNavan\\b(?:\\s+Team)?')\nor strings.ilike(sender.email.domain.domain, '*Navan*')\n)\nand (\nany(ml.logo_detect(beta.message_screenshot()).brands,\n.name == \"Navan\" and .confidence in (\"medium\", \"high\")\n)\nor (\nregex.icontains(subject.subject,\n\"(?:unrecognized|Unusual|suspicious|unknown) (?:log|sign).?[io]n attempt\",\n\"(?:important|urgent|attention|alert) account|accessed|[new|unrecognized|suspicious] location\"\n)\nor any(ml.nlu_classifier(body.current_thread.text).entities,\n.name == \"urgency\"\n)\nor any(ml.nlu_classifier(body.current_thread.text).intents,\n.name in (\"cred_theft\", \"steal_pii\")\n)\n)\n)\nand sender.email.domain.root_domain not in~ ('navan.com')\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n(\nsender.email.domain.root_domain in $high_trust_sender_root_domains\nand not headers.auth_summary.dmarc.pass\n)\nor sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\nand (\nnot profile.by_sender().solicited\nor (\nprofile.by_sender().any_messages_malicious_or_spam\nand not profile.by_sender().any_false_positives\n)\n)\nand not profile.by_sender().any_false_positives",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-04T15:55:10.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects HTML files under 100KB containing literary quotes or common sayings within comments, aiming to identify suspicious padding within HTML files. This rule targets duplicate or repeating patterns characteristic of attempts to obfuscate malicious HTML content. It employs regex to analyze the comments and detect patterns indicative of HTML smuggling and evasion techniques.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/attachment_html_suspicious_comments.yml"
}
],
"id": "indicator--ba131fc1-971b-4835-a061-11880f3a8ae9",
"indicator_types": [
"anomalous-activity",
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Attachment: HTML With Suspicious Comments",
"pattern": "type.inbound\n and any(attachments,\n (\n (\n .file_type == \"html\"\n or .file_extension in (\"html\", \"xhtml\", \"mhtml\")\n or .content_type == \"text/html\"\n )\n and .size < 100000\n )\n and (\n (\n regex.count(file.parse_text(.).text, '// [A-Z][ a-z ]+\\.') / \n length(distinct(regex.extract(file.parse_text(.).text,\n '// [A-Z][ a-z ]+\\.'\n ),\n .full_match\n )\n ) \n >= 2\n )\n or (\n regex.count(file.parse_text(.).text,\n '<!-- <[a-z]+> [A-Z][ a-z ]+\\. </[a-z]+> -->'\n )\n ) > 2\n )",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-02T15:36:15.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents. It focuses on detecting phishing attempts involving QR codes within email attachments, primarily targeting credential phishing using QR code technology.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/comp_review_qr_attached_eml.yml"
}
],
"id": "indicator--74ab7f8f-c605-415f-ae69-da3bf1d44944",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Compensation Review With QR Code in Attached EML",
"pattern": "type.inbound\n \n // the subject contains pay related items\n and (\n strings.icontains(subject.subject, 'salary')\n or strings.icontains(subject.subject, 'compensation')\n or regex.icontains(subject.subject, 'comp\\b')\n or regex.icontains(subject.subject, '\\bpay(?:roll|\\b)')\n or strings.icontains(subject.subject, 'bonus')\n or strings.icontains(subject.subject, 'incentive')\n or strings.icontains(subject.subject, 'merit')\n or strings.icontains(subject.subject, 'handbook')\n or strings.icontains(subject.subject, 'benefits')\n )\n // subjects include review/updates/changes\n and (\n strings.icontains(subject.subject, 'review')\n or strings.icontains(subject.subject, 'evaluation')\n or regex.icontains(subject.subject, 'eval\\b')\n or strings.icontains(subject.subject, 'assessment')\n or strings.icontains(subject.subject, 'appraisal')\n or strings.icontains(subject.subject, 'feedback')\n or strings.icontains(subject.subject, 'performance')\n or strings.icontains(subject.subject, 'adjustment')\n or strings.icontains(subject.subject, 'increase')\n or strings.icontains(subject.subject, 'raise')\n or strings.icontains(subject.subject, 'change')\n or strings.icontains(subject.subject, 'modification')\n or strings.icontains(subject.subject, 'distribution')\n or regex.icontains(subject.subject, 'revis(?:ed|ion)')\n or regex.icontains(subject.subject, 'amend(?:ed|ment)')\n or regex.icontains(subject.subject, 'update(?:d| to)')\n )\n and any(filter(attachments, .content_type == \"message/rfc822\"),\n any(file.parse_eml(.).attachments,\n any(file.explode(.),\n (\n regex.icontains(.scan.ocr.raw, 'scan|camera')\n and regex.icontains(.scan.ocr.raw, '\\bQR\\b|Q\\.R\\.|barcode')\n )\n or .scan.qr.type == \"url\" and .scan.qr.url.domain.valid\n )\n )\n )",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-03T16:35:58.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects inbound messages containing exactly one Squarespace tracking link but lacking authentic Squarespace email headers and sender patterns. The rule leverages URL and header analysis, focusing on messages that appear to mimic Squarespace but do not adhere to typical sender profiles. It helps identify credential phishing or spam attempts by analyzing the email's header and sender characteristics.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/link_squarespace_abuse.yml"
}
],
"id": "indicator--b7fdc6f2-e06e-42d4-8e05-aea8f1d3c723",
"indicator_types": [
"malicious-activity",
"impersonation"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Link: Squarespace Infrastructure Abuse",
"pattern": "type.inbound\n and any(body.links, .href_url.domain.domain == \"engage.squarespace-mail.com\")\n and length(body.links) < 10\n // there is one unique Squarespace Link in the message\n and length(distinct(filter(body.links,\n .href_url.domain.domain == \"engage.squarespace-mail.com\"\n ),\n .href_url.url\n )\n ) == 1\n and not headers.return_path.domain.root_domain == \"squarespace-mail.com\"\n and not any(headers.domains, .root_domain == \"squarespace-mail.com\")\n and profile.by_sender_email().prevalence != \"common\"",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-01T15:23:36.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects messages impersonating TikTok via a sender display name that contains \"tiktok\" or is within Levenshtein distance 1 of it (after confusable-character replacement), or via a high-confidence TikTok logo detection, combined with security/authentication-themed or credential-theft content identified by ML topic and NLU classifiers on the body text or on OCR of a message screenshot. Messages from the organization's own domains, from TikTok/ByteDance domains that pass DMARC, and from high-trust sender domains that pass DMARC are excluded, as are senders the recipient has previously solicited; a DMARC failure is therefore not required for senders outside those sets.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/brand_impersonation_tiktok.yml"
}
],
"id": "indicator--0147309f-c947-45f1-8553-5f442ed00c9d",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Brand Impersonation: TikTok",
"pattern": "type.inbound\n and (\n // display name contains tiktok\n (\n strings.ilike(strings.replace_confusables(sender.display_name), '*tiktok*')\n // levenshtein distance similar to tiktok\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'tiktok'\n ) <= 1\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n .name == \"TikTok\" and .confidence == \"high\"\n )\n )\n )\n and (\n any(beta.ml_topic(body.current_thread.text).topics,\n .name in (\n \"Security and Authentication\",\n \"Secure Message\",\n \"Reminders and Notifications\"\n )\n and .confidence in (\"medium\", \"high\")\n )\n or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,\n .name in (\n \"Security and Authentication\",\n \"Secure Message\",\n \"Reminders and Notifications\"\n )\n and .confidence in (\"medium\", \"high\")\n and beta.ocr(beta.message_screenshot()).text != \"\"\n )\n or any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n )\n \n // and the sender is not in org_domains or from tiktok domains and passes auth\n and not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\"tiktok.com\", \"tiktokglobalshop.com\", \"bytedance.com\")\n and headers.auth_summary.dmarc.pass\n )\n )\n // and the sender is not from high trust sender root domains\n and (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n )\n and not profile.by_sender().solicited",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-18T15:48:09.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Detects inbound messages purporting to be from Vanguard by matching the sender display name or sender domain against \"vanguard\" (including Levenshtein distance 1 on the display name, after confusable-character replacement). Both a high-confidence ML topic match (security/authentication, secure message or financial communications) and a high-confidence cred_theft NLU intent are required, evaluated on the body text or on OCR of a message screenshot. Legitimate traffic is excluded when the sender is in the organization's domains, is one of the listed Vanguard-affiliated domains and passes DMARC, or is a high-trust sender domain that passes DMARC; previously solicited senders are also excluded.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/brand_impersonation_vanguard.yml"
}
],
"id": "indicator--474a6412-f866-4839-adb1-bc7dc5370496",
"indicator_types": [
"malicious-activity",
"anomalous-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Brand Impersonation: Vanguard",
"pattern": "type.inbound\n and (\n // display name contains Vanguard\n (\n strings.ilike(strings.replace_confusables(sender.display_name),\n '*vanguard*'\n )\n // levenshtein distance similar to Vanguard\n or strings.ilevenshtein(strings.replace_confusables(sender.display_name),\n 'vanguard'\n ) <= 1\n // sender domain contains Vanguard\n or strings.ilike(strings.replace_confusables(sender.email.domain.domain),\n '*vanguard*'\n )\n )\n )\n and (\n (\n any(beta.ml_topic(body.current_thread.text).topics,\n .name in (\n \"Security and Authentication\",\n \"Secure Message\",\n \"Financial Communications\"\n )\n and .confidence == \"high\"\n )\n or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,\n .name in (\n \"Security and Authentication\",\n \"Secure Message\",\n \"Financial Communications\"\n )\n and .confidence == \"high\"\n )\n )\n and (\n any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,\n .name == \"cred_theft\" and .confidence == \"high\"\n )\n )\n )\n \n // and the sender is not in org_domains or from Vanguard domains and passes auth\n and not (\n sender.email.domain.root_domain in $org_domains\n or (\n sender.email.domain.root_domain in (\n \"vanguard.com\",\n \"vanguardcharitable.org\", // philanthropic giving arm\n \"vanguardmexico.com\",\n \"vanguardcanada.ca\",\n \"vanguard.co.uk\",\n \"vanguard.com.au\",\n \"vanguard.com.hk\",\n \"vanguardinvestor.co.uk\",\n \"vanguardretirement-mail.com\",\n \"e-vanguard.com\",\n \"feedback-vanguard.com\",\n \"m-vanguard.com\",\n \"investordelivery.com\",\n \"retsupport.com\"\n )\n and headers.auth_summary.dmarc.pass\n )\n )\n // and the sender is not from high trust sender root domains\n and (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in 
$high_trust_sender_root_domains\n )\n and not profile.by_sender().solicited",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-31T15:48:55.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "Inbound message whose subject line combines a compensation/handbook/benefits term with review-, change- or update-style wording, carrying one to three attachments of which at least one is a Microsoft Word document (doc, docx, docm) whose file name matches the same two term groups. High-trust sender domains are excluded only when they pass DMARC. This pattern has been observed being used to deliver credential phishing via QR codes embedded in the document.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/attachment_sus_employee_doc.yml"
}
],
"id": "indicator--0f2279c4-4896-489b-8158-0085ca6aa936",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Attachment: Suspicious Employee Policy Update Document Lure",
"pattern": "type.inbound\n and (\n // the subject contains pay related items\n (\n strings.icontains(subject.subject, 'salary')\n or regex.icontains(subject.subject, '\\bpay(?:roll|\\b)')\n or strings.icontains(subject.subject, 'bonus')\n or strings.icontains(subject.subject, 'incentive')\n or strings.icontains(subject.subject, 'merit')\n or strings.icontains(subject.subject, 'handbook')\n or strings.icontains(subject.subject, 'benefits')\n )\n and (\n strings.icontains(subject.subject, 'review')\n or strings.icontains(subject.subject, 'evaluation')\n or regex.icontains(subject.subject, 'eval\\b')\n or strings.icontains(subject.subject, 'assessment')\n or strings.icontains(subject.subject, 'appraisal')\n or strings.icontains(subject.subject, 'feedback')\n or strings.icontains(subject.subject, 'performance')\n or strings.icontains(subject.subject, 'adjustment')\n or strings.icontains(subject.subject, 'increase')\n or strings.icontains(subject.subject, 'raise')\n or strings.icontains(subject.subject, 'change')\n or strings.icontains(subject.subject, 'modification')\n or strings.icontains(subject.subject, 'distribution')\n or regex.icontains(subject.subject, 'revis(?:ed|ion)')\n or regex.icontains(subject.subject, 'amend(?:ed|ment)')\n or regex.icontains(subject.subject, 'update(?:d| to)')\n )\n )\n and 0 < length(attachments) <= 3\n and any(attachments,\n .file_extension in (\"doc\", \"docx\", \"docm\")\n and (\n strings.icontains(.file_name, 'salary')\n or regex.icontains(.file_name, '\\bpay(?:roll|\\b)')\n or strings.icontains(.file_name, 'bonus')\n or strings.icontains(.file_name, 'incentive')\n or strings.icontains(.file_name, 'merit')\n or strings.icontains(.file_name, 'handbook')\n or strings.icontains(.file_name, 'benefits')\n )\n and (\n strings.icontains(.file_name, 'review')\n or strings.icontains(.file_name, 'evaluation')\n or regex.icontains(.file_name, 'eval\\b')\n or strings.icontains(.file_name, 'assessment')\n or strings.icontains(.file_name, 
'appraisal')\n or strings.icontains(.file_name, 'feedback')\n or strings.icontains(.file_name, 'performance')\n or strings.icontains(.file_name, 'adjustment')\n or strings.icontains(.file_name, 'increase')\n or strings.icontains(.file_name, 'raise')\n or strings.icontains(.file_name, 'change')\n or strings.icontains(.file_name, 'modification')\n or strings.icontains(.file_name, 'distribution')\n or regex.icontains(.file_name, 'revis(?:ed|ion)')\n or regex.icontains(.file_name, 'amend(?:ed|ment)')\n or regex.icontains(.file_name, 'update(?:d| to)')\n )\n )\n and not (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and coalesce(headers.auth_summary.dmarc.pass, false)\n )",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-03-31T15:48:23.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--11461512-89f4-4d80-92d1-4b31616386fb",
"description": "This rule detects fraudulent invoices or receipts sent through Canva's design sharing feature, mainly incorporating social engineering and impersonation tactics. It analyzes inbound email messages from Canva's domain, searching for typical markers of fraud such as specific text patterns and phone numbers. The detection logic utilizes content analysis, sender analysis, and natural language understanding to identify fraudulent patterns.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/canva_infra_abuse.yml"
}
],
"id": "indicator--52297262-4af4-4b6f-b25b-4837e36fdb31",
"indicator_types": [
"malicious-activity",
"compromised"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Canva Infrastructure Abuse",
"pattern": " type.inbound\n and length(attachments) == 1\n and sender.email.domain.root_domain in (\"canva.com\")\n and strings.ilike(body.html.display_text, \"*take a look at the design*\")\n and (\n (\n // icontains a phone number\n (\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\\n'\n )\n or regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*\\n'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*\\n'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([ilo0-9]{3}\\)\\s[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*8[ilo0-9]{9}.*\\n'\n )\n and regex.icontains(strings.replace_confusables(body.current_thread.text\n ),\n '\\+[1l]'\n )\n )\n )\n and (\n (\n 4 of (\n strings.ilike(body.html.inner_text, '*you did not*'),\n strings.ilike(body.html.inner_text, '*is not for*'),\n strings.ilike(body.html.inner_text, '*done by you*'),\n regex.icontains(body.html.inner_text, \"didn\\'t ma[kd]e this\"),\n strings.ilike(body.html.inner_text, '*Fruad Alert*'),\n strings.ilike(body.html.inner_text, '*Fraud Alert*'),\n strings.ilike(body.html.inner_text, '*fraudulent*'),\n strings.ilike(body.html.inner_text, '*using your PayPal*'),\n strings.ilike(body.html.inner_text, '*subscription*'),\n strings.ilike(body.html.inner_text, '*antivirus*'),\n strings.ilike(body.html.inner_text, '*order*'),\n 
strings.ilike(body.html.inner_text, '*support*'),\n strings.ilike(body.html.inner_text, '*sincerely apologize*'),\n strings.ilike(body.html.inner_text, '*receipt*'),\n strings.ilike(body.html.inner_text, '*invoice*'),\n strings.ilike(body.html.inner_text, '*Purchase*'),\n strings.ilike(body.html.inner_text, '*transaction*'),\n strings.ilike(body.html.inner_text, '*Market*Value*'),\n strings.ilike(body.html.inner_text, '*BTC*'),\n strings.ilike(body.html.inner_text, '*call*'),\n strings.ilike(body.html.inner_text, '*get in touch with our*'),\n strings.ilike(body.html.inner_text, '*quickly inform*'),\n strings.ilike(body.html.inner_text, '*quickly reach *'),\n strings.ilike(body.html.inner_text, '*detected unusual transactions*'),\n strings.ilike(body.html.inner_text, '*without your authorization*'),\n strings.ilike(body.html.inner_text, '*cancel*'),\n strings.ilike(body.html.inner_text, '*renew*'),\n strings.ilike(body.html.inner_text, '*refund*'),\n strings.ilike(body.html.inner_text, '*+1*'),\n regex.icontains(body.html.inner_text, 'help.{0,3}desk'),\n strings.ilike(body.html.inner_text, '* your funds*'),\n strings.ilike(body.html.inner_text, '* your checking*'),\n strings.ilike(body.html.inner_text, '* your saving*'),\n strings.ilike(body.html.inner_text, '*transfer*'),\n strings.ilike(body.html.inner_text, '*secure your account*'),\n strings.ilike(body.html.inner_text, '*recover your*'),\n strings.ilike(body.html.inner_text, '*unusual activity*'),\n strings.ilike(body.html.inner_text, '*suspicious transaction*'),\n strings.ilike(body.html.inner_text, '*transaction history*'),\n strings.ilike(body.html.inner_text, '*please ignore this*'),\n strings.ilike(body.html.inner_text, '*report activity*'),\n )\n )\n or regex.icontains(body.current_thread.text,\n 'note from.{0,50}(?:call|reach|contact|paypal)'\n )\n or any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"callback_scam\"\n )\n or (\n // Unicode confusables words obfuscated in note\n 
regex.icontains(body.html.inner_text,\n '\\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'\n )\n )\n or strings.ilike(body.html.inner_text, '*kindly*')\n )\n )\n )",
"pattern_type": "sublime",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-02-09T00:50:29.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--99f32fa6-70bd-4daa-b1ce-90234ee5a035",
"description": "This rule detects excessive document downloads from Google Workspace by examining 'download' events. It aims to identify potential data exfiltration activities by monitoring the number of documents accessed by an actor. The rule checks for download actions and extracts relevant actor and document information for alerting purposes.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/panther-labs/panther-analysis/blob/develop/rules/gsuite_activityevent_rules/google_workspace_many_docs_downloaded.py"
}
],
"id": "indicator--13dee56d-d58e-4c1f-8ed2-9a9fdbc7cfb6",
"indicator_types": [
"anomalous-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "google_workspace_many_docs_downloaded",
"pattern": "from panther_core import PantherEvent\n\n\ndef rule(event: PantherEvent) -> bool:\n return event.get(\"name\") == \"download\"\n\n\ndef title(event: PantherEvent) -> str:\n actor = event.deep_get(\"actor\", \"email\", default=\"<UNKNWON ACTOR>\")\n return f\"{actor} downloaded an escessive number of documents.\"\n\n\ndef alert_context(event: PantherEvent) -> dict:\n return {\n \"actor\": event.deep_get(\"actor\", \"email\", default=\"<UNKNOWN ACTOR>\"),\n \"document_name\": event.deep_get(\"parameters\", \"doc_title\", default=\"<UNKNOWN DOCUMENT>\"),\n }",
"pattern_type": "panther",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-04T14:20:49.000Z"
},
{
"contact_information": "https://github.com/panther-labs/panther-analysis",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--99f32fa6-70bd-4daa-b1ce-90234ee5a035",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "panther-labs",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--99f32fa6-70bd-4daa-b1ce-90234ee5a035",
"description": "Checks whether a user has downloaded a large number of documents from Google Drive within a 5-minute period. The rule uses a threshold to detect activities that deviate from the norm by tracking document downloads. It is useful for identifying potential data exfiltration activities.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/panther-labs/panther-analysis/blob/develop/rules/gsuite_activityevent_rules/google_workspace_many_docs_downloaded.yml"
}
],
"id": "indicator--0440aac2-dd61-47a6-bba0-a812c8a2f9d9",
"indicator_types": [
"anomalous-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Google Workspace Many Docs Downloaded",
"pattern": "AnalysisType: rule\nFilename: google_workspace_many_docs_downloaded.py\nRuleID: \"Google.Workspace.ManyDocsDownloaded\"\nDisplayName: Google Workspace Many Docs Downloaded\nEnabled: true\nLogTypes:\n - GSuite.ActivityEvent\nSeverity: Medium\nReports:\n MITRE ATT&CK:\n - TA0010:T1567\nDescription: >\n Checks whether a user has downloaded a large number of documents from Google Drive within a 5-minute period.\nDedupPeriodMinutes: 5\nThreshold: 20\nReference: >\n https://support.google.com/drive/answer/2423534?hl=en&co=GENIE.Platform%3DDesktop\nSummaryAttributes:\n - p_any_usernames\n - parameters:doc_title\nTags:\n - GSuite ActivityEvent\nTests:\n - Name: Document Downloaded\n ExpectedResult: true\n Log:\n {\n \"actor\": {\n \"email\": \"wiley.coyote@acme.com\",\n \"profileId\": \"112233445566778899001\"\n },\n \"id\": {\n \"applicationName\": \"drive\",\n \"customerId\": \"CUSTID\",\n \"time\": \"2025-03-21 21:29:49.364000000\",\n \"uniqueQualifier\": \"-1234567891234567890\"\n },\n \"ipAddress\": \"1.1.1.1\",\n \"kind\": \"admin#reports#activity\",\n \"name\": \"download\",\n \"parameters\": {\n \"billable\": true,\n \"doc_id\": \"123456789aBcDeFgHiJkLmNoPqRsTuVwXyZ0-a1B2c3D\",\n \"doc_title\": \"My Sensitive Document\",\n \"doc_type\": \"spreadsheet\",\n \"owner\": \"HR\",\n \"owner_is_shared_drive\": true,\n \"owner_is_team_drive\": true,\n \"owner_team_drive_id\": \"123456789aB_a1B2c3D\",\n \"primary_event\": true,\n \"shared_drive_id\": \"123456789aB_a1B2c3D\",\n \"team_drive_id\": \"123456789aB_a1B2c3D\",\n \"visibility\": \"shared_internally\"\n },\n \"type\": \"access\"\n }\n - Name: Document Viewed\n ExpectedResult: false\n Log:\n {\n \"actor\": {\n \"email\": \"wiley.coyote@acme.com\",\n \"profileId\": \"112233445566778899001\"\n },\n \"id\": {\n \"applicationName\": \"drive\",\n \"customerId\": \"CUSTID\",\n \"time\": \"2025-03-21 21:29:49.364000000\",\n \"uniqueQualifier\": \"-1234567891234567890\"\n },\n \"ipAddress\": \"1.1.1.1\",\n 
\"kind\": \"admin#reports#activity\",\n \"name\": \"view\",\n \"parameters\": {\n \"billable\": true,\n \"doc_id\": \"123456789aBcDeFgHiJkLmNoPqRsTuVwXyZ0-a1B2c3D\",\n \"doc_title\": \"My Sensitive Document\",\n \"doc_type\": \"spreadsheet\",\n \"owner\": \"HR\",\n \"owner_is_shared_drive\": true,\n \"owner_is_team_drive\": true,\n \"owner_team_drive_id\": \"123456789aB_a1B2c3D\",\n \"primary_event\": true,\n \"shared_drive_id\": \"123456789aB_a1B2c3D\",\n \"team_drive_id\": \"123456789aB_a1B2c3D\",\n \"visibility\": \"shared_internally\"\n },\n \"type\": \"access\"\n }",
"pattern_type": "panther",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-04T14:20:49.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "The rule identifies non-RFC compliant emails using Microsoft Defender for Office 365. It focuses on P2Sender addresses, i.e., the address that appears in the actual From: header of the message, looking for those that do not adhere to the standard RFC-like pattern. This helps in detecting phishing and email-based masquerading attacks.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Office%20365/MDO-Non-RFC%20Compliant%20Emails.md"
}
],
"id": "indicator--88fda190-4b9e-4e42-a9bc-24fede41dccc",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Defender for Office 365 - Identify Non-RFC Compliant Emails",
"pattern": "EmailEvents\n| where Timestamp >= ago(90d)\n| where not(SenderFromAddress matches regex @\"^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(\\.[a-zA-Z0-9-]+)*$\")\n| project Timestamp,\n SenderMailFromAddress,\n SenderFromAddress,\n Subject,\n RecipientEmailAddress,\n DeliveryAction,\n NetworkMessageId\n| order by Timestamp desc\n| summarize count() by SenderFromAddress",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-05T14:29:00.000Z"
},
{
"contact_information": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"identity_class": "individual",
"modified": "2025-04-06T16:27:59.769Z",
"name": "alexverboon",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "This rule retrieves Active Directory Service Accounts from the Defender for Identity Service Accounts inventory. The inventory covers gMSA and sMSA accounts as well as standard user accounts that are configured with 'Password never expires' and have an SPN. gMSA and sMSA accounts rely on Windows-managed passwords to reduce administrative overhead, while regular user accounts are classified as 'Service Accounts' based on those configuration characteristics.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Identity/MDI-ServiceAccounts.md"
}
],
"id": "indicator--b0cea994-2689-4bb4-85cf-29d22d08da75",
"indicator_types": [
"benign",
"attribution",
"compromised"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Defender for Identity - Service Accounts",
"pattern": "IdentityInfo\n| where Timestamp > ago(30d)\n| where Type == @\"ServiceAccount\"\n| where SourceProvider == @\"ActiveDirectory\"\n| summarize arg_max(Timestamp,*) by OnPremSid",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-05T15:10:51.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "The rule uses KQL queries to detect blocked URLs and domains. It focuses on identifying the domains of URLs that were blocked by examining the Defender for Office 365 logs. It employs specific criteria such as action types and detection methods in URL click events and email events.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Office%20365/MDO-BlockedURLs.md"
}
],
"id": "indicator--66cedc42-f11f-4314-b01f-7e6c69b37903",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Defender for Office 365 - Blocked URLs",
"pattern": "UrlClickEvents\n| where TimeGenerated > ago(90d)\n| where ActionType == \"ClickBlocked\"\n| where DetectionMethods has_any (\"URL\")\n| extend Domain = extract(@\"[^.]+\\.[^.]+$\",0, extract(@\"^(?:https?://)?([^/]+)\",1,Url))\n| extend TLD = tostring(split(extract(@\"\\.([a-zA-Z]{2,}|[a-zA-Z]{2}\\.[a-zA-Z]{2})$\",0,Domain,typeof(string)),\".\")[1])\n| project TimeGenerated, TLD, Domain,IPAddress, ThreatTypes,DetectionMethods, IsClickedThrough,Url\n\nEmailEvents\n| where DeliveryAction == \"Blocked\"\n| where DetectionMethods has_any (\"URL\",\"domain\")\n| join EmailUrlInfo\non $left.NetworkMessageId == $right.NetworkMessageId\n| extend Domain = extract(@\"[^.]+\\.[^.]+$\",0, extract(@\"^(?:https?://)?([^/]+)\",1,Url))\n| extend TLD = tostring(split(extract(@\"\\.([a-zA-Z]{2,}|[a-zA-Z]{2}\\.[a-zA-Z]{2})$\",0,Domain,typeof(string)),\".\")[1])\n| project TimeGenerated,TLD, Domain, ThreatTypes, ThreatNames, DetectionMethods, SenderFromDomain, Url",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2023-06-04T11:22:51.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "This rule is used to detect portable applications across endpoints using Microsoft Defender for Endpoint. Portable apps run without installation and can mimic legitimate software, potentially allowing attackers to evade detection. The rule queries file and process details that indicate portable app usage.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/MDE-PortableApps.md"
}
],
"id": "indicator--f510ee78-7ee2-4a8f-bf83-52327b8451a0",
"indicator_types": [
"detection",
"anomalous-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Defender for Endpoint - Identify Portable Apps",
"pattern": "DeviceProcessEvents\n| project TimeGenerated, FileName, FolderPath, AccountName, AccountUpn, ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName, ProcessVersionInfoProductName\n| where ProcessVersionInfoProductName has \"portable\"\nDeviceFileEvents\n| where parse_json( AdditionalFields).FileType has_any (\"PortableExecutable\")\n| extend FileExtension = parse_path(FolderPath).Extension\n| where FileExtension == \"exe\"\n| project FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, AdditionalFields\n| where isnotempty( FileOriginUrl)\nDeviceFileEvents\n| where FileOriginReferrerUrl == \"https://portableapps.com/\"\nDeviceFileEvents\n| where parse_json( AdditionalFields).FileType has_any (\"PortableExecutable\")\n| extend FileExtension = parse_path(FolderPath).Extension\n| where FileExtension == \"exe\"\n| project FileName, FolderPath, FileOriginUrl, FileOriginReferrerUrl, AdditionalFields\n| where isnotempty( FileOriginUrl)\n| summarize Files = make_set(FileName), count() by FileOriginReferrerUrl\nDeviceProcessEvents\n| where AccountName <> \"system\"\n| where FolderPath matches regex @\"^[A-Z]:\\\\.*$\" // Any drive letter\n or FolderPath startswith @\"\\\\\" // Network shares\n or FolderPath matches regex @\"^C:\\\\Users\\\\[^\\\\]+\\\\Downloads\\\\.*$\" // Include C:\\Users\\*\\Downloads\n or FolderPath matches regex @\"^C:\\\\Users\\\\[^\\\\]+\\\\Desktop\\\\.*$\" // Include C:\\Users\\*\\Desktop\n| where not(FolderPath matches regex @\"^C:\\\\Windows\\\\.*$\") // Exclude C:\\Windows and subfolders\n| where not(FolderPath matches regex @\"^C:\\\\Program Files( \\(x86\\))?\\\\.*$\") // Exclude C:\\Program Files and Program Files (x86)\n| where not(FolderPath matches regex @\"^C:\\\\ProgramData\\\\.*$\") // Exclude C:\\ProgramData\n| where not(AccountSid startswith \"S-1-5-18\") // Exclude Local System Account\n| where not(AccountSid startswith \"S-1-5-20\") // Exclude Network Service Account\n| project TimeGenerated, 
FileName, FolderPath, AccountName, AccountUpn, ProcessVersionInfoProductName",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-04-05T14:49:13.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "Identifies Windows 11 devices potentially affected by issues with updates from media installations containing October or November updates. All specified OS build revisions are checked to ensure full coverage and proper update status.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/TVM/MDE-Windows11-Issues-OS%20Build%2026100-2033.md"
}
],
"id": "indicator--443957fc-a20f-4fcf-9613-c278774dc1e5",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Log Analytics - Windows 11 Affected Devices Detection",
"pattern": "IntuneDevices \n| where OS == \"Windows\"\n| where OSVersion in (\"10.0.26100.2033\",\"10.0.26100.2161\",\"10.0.26100.2314\",\"10.0.26100.2454\",\"10.0.26100.863\",\"10.0.26100.1742\")",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-02-05T06:06:00.000Z"
},
{
"created": "2025-04-06T18:22:15.672Z",
"created_by_ref": "identity--df9847ba-426f-4fc9-bb79-411d70df3dbc",
"description": "Generates a report for Windows Update for Business to identify affected Windows 11 devices based on certain OS build revisions. This helps IT administrators quickly find and address devices with update issues arising from media installations.",
"external_references": [
{
"source_name": "rule_source",
"url": "https://github.com/alexverboon/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/TVM/MDE-Windows11-Issues-OS%20Build%2026100-2033.md"
}
],
"id": "indicator--b3aa84f2-d21f-4f54-91b4-5fe3e87c9eae",
"indicator_types": [
"malicious-activity"
],
"modified": "2025-04-06T18:22:15.672Z",
"name": "Windows Update for Business Report - Windows 11 Affected Devices",
"pattern": "UCClient \n| where OSVersion contains \"Windows 11\"\n| where OSRevisionNumber in (\"2033\",\"2161\",\"2314\",\"2454\",\"863\",\"1742\")\n| project AzureADDeviceId,DeviceName,OSVersion,OSBuild,OSRevisionNumber",
"pattern_type": "kql",
"revoked": false,
"spec_version": "2.1",
"type": "indicator",
"valid_from": "2025-02-05T06:06:00.000Z"
},
{
"contact_information": "https://rulecheck.io",
"created": "2025-04-06T16:27:59.769Z",
"created_by_ref": "identity--e026a301-104b-402e-ab7c-66718579227e",
"id": "identity--e026a301-104b-402e-ab7c-66718579227e",
"identity_class": "organization",
"modified": "2025-04-06T16:27:59.769Z",
"name": "RuleCheck.io",
"revoked": false,
"sectors": [
"technology"
],
"spec_version": "2.1",
"type": "identity"
}
]
}