Skip to content

A home for detection content developed by the delivr.to team

Notifications You must be signed in to change notification settings

delivr-to/detections

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Detections

This repo serves as a home for detection content developed by the delivr.to team.

All rules present in this repo have corresponding payloads (linked in references and shown below) that can be used to test detection content.

The repo currently holds the following types of detections:

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

Rule Name Type Payload
Body: Img Element Exploiting CVE-2024-38021 (Unsolicited) Threat Intel
Link: PIF File from Suspicious Source (AgentTesla) Threat Intel
Attachment: HTML with search-ms URI protocol handler (DarkGate) Threat Intel
Attachment: HTML with Meta Tag Refresh and File Protocol Handler (Pikabot) Threat Intel
Attachment: PDF Link with Microsoft OneDrive Branding (Pikabot) Threat Intel
Attachment: ZIP Containing LNK Minimized One-Liner (Unsolicited) Threat Intel
Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited) Threat Intel
Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited) Threat Intel
Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited) Threat Intel
Attachment: PDF with Auto-Open Embedded Smuggling File Threat Intel
Attachment: OneNote file with Suspicious Strings Threat Intel
Link: Zipped OneNote file with Document Download Lure (QakBot) Threat Intel
Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot) Threat Intel
Attachment: WSF File With Certificate Content (QakBot) Threat Intel
Attachment: PDF with Document Download Lure Threat Intel
Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee) Threat Intel
Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited) Threat Intel
Attachment: HTML smuggling with Google Web Toolkit (GWT) General
Attachment: HTML smuggling with WebAssembly (Wasm) General
Attachment: ZPAQ Archive (Unsolicited) General
Attachment: Microsoft-branded HTML File (Unsolicited) General
Attachment: HTML file without HTML element (Unsolicited) General
Attachment: SVG file with Onerror or Onload (Unsolicited) General
Attachment: SVG file with Script Tags (Unsolicited) General
Attachment: HTML file with eval function and long byte string (Unsolicited) General
Attachment: HTML File Containing Recipient Email Address (Unsolicited) General
Attachment: Extended HTML File Format (Unsolicited) General
Attachment: Microsoft Script Encoding Content General
Link: Zipped OneNote file General
Link: OneNote file General
Link: Brand Impersonation Phishing Site General
Link: Zipped Script File (Unsolicited) General
Attachment: Remote Template Injection General
Attachment: HTML Smuggling with msSaveOrOpenBlob General
Attachment: AutoIt Script File (Unsolicited) General
Attachment: Microsoft Word SMB-hosted Remote Template Injection General

Yara Rules

Below is the list of Yara rules in the repo.

Rule Name Type Payload
SUSP_HTML_WASM_Smuggling General
SUSP_HTML_B64_WASM_Blob General
SUSP_ZPAQ_Archive_Nov23 General
SUSP_PDF_MHT_ActiveMime_Sept23 General
SUSP_SVG_Onload_Onerror_Jul23 General
SUSP_OneNote_Repeated_FileDataReference_Feb23 Threat Intel
SUSP_OneNote_RTLO_Character_Feb23 Threat Intel
SUSP_OneNote_Win_Script_Encoding_Feb23 Threat Intel
SUSP_msg_CVE_2023_23397_Mar23 Threat Intel
SUSP_CONCAT_ZIP_Nov24 Threat Intel

Sigma Rules

Below is the list of Sigma rules in the repo.

Rule Name Type Payload
PDF HTML Smuggling Threat Intel

About

A home for detection content developed by the delivr.to team

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages