delivr-to / detections

A home for detection content developed by the delivr.to team

Detections

This repo serves as a home for detection content developed by the delivr.to team.

All rules present in this repo have corresponding payloads (linked in references and shown below) that can be used to test detection content.

The repo currently holds the following types of detections:

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

| Rule Name | Type | Payload |
| --- | --- | --- |
| Attachment: HTML with search-ms URI protocol handler (DarkGate) | Threat Intel | |
| Attachment: HTML with Meta Tag Refresh and File Protocol Handler (Pikabot) | Threat Intel | |
| Attachment: PDF Link with Microsoft OneDrive Branding (Pikabot) | Threat Intel | |
| Attachment: ZIP Containing LNK Minimized One-Liner (Unsolicited) | Threat Intel | |
| Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited) | Threat Intel | |
| Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited) | Threat Intel | |
| Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited) | Threat Intel | |
| Attachment: PDF with Auto-Open Embedded Smuggling File | Threat Intel | |
| Attachment: OneNote file with Suspicious Strings | Threat Intel | |
| Link: Zipped OneNote file with Document Download Lure (QakBot) | Threat Intel | |
| Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot) | Threat Intel | |
| Attachment: WSF File With Certificate Content (QakBot) | Threat Intel | |
| Attachment: PDF with Document Download Lure | Threat Intel | |
| Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee) | Threat Intel | |
| Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited) | Threat Intel | |
| Attachment: ZPAQ Archive (Unsolicited) | General | |
| Attachment: Microsoft-branded HTML File (Unsolicited) | General | |
| Attachment: HTML file without HTML element (Unsolicited) | General | |
| Attachment: SVG file with Onerror or Onload (Unsolicited) | General | |
| Attachment: SVG file with Script Tags (Unsolicited) | General | |
| Attachment: HTML file with eval function and long byte string (Unsolicited) | General | |
| Attachment: HTML File Containing Recipient Email Address (Unsolicited) | General | |
| Attachment: Extended HTML File Format (Unsolicited) | General | |
| Attachment: Microsoft Script Encoding Content | General | |
| Link: Zipped OneNote file | General | |
| Link: OneNote file | General | |
| Link: Brand Impersonation Phishing Site | General | |
| Link: Zipped Script File (Unsolicited) | General | |
| Attachment: Remote Template Injection | General | |
| Attachment: HTML Smuggling with msSaveOrOpenBlob | General | |
| Attachment: AutoIt Script File (Unsolicited) | General | |
| Attachment: Microsoft Word SMB-hosted Remote Template Injection | General | |

Yara Rules

Below is the list of Yara rules in the repo.

| Rule Name | Type | Payload |
| --- | --- | --- |
| SUSP_ZPAQ_Archive_Nov23 | General | |
| SUSP_PDF_MHT_ActiveMime_Sept23 | General | |
| SUSP_SVG_Onload_Onerror_Jul23 | General | |
| SUSP_OneNote_Repeated_FileDataReference_Feb23 | Threat Intel | |
| SUSP_OneNote_RTLO_Character_Feb23 | Threat Intel | |
| SUSP_OneNote_Win_Script_Encoding_Feb23 | Threat Intel | |
| SUSP_msg_CVE_2023_23397_Mar23 | Threat Intel | |

Sigma Rules

Below is the list of Sigma rules in the repo.

| Rule Name | Type | Payload |
| --- | --- | --- |
| PDF HTML Smuggling | Threat Intel | |
