Hi.
My detection rules concentrate on recognising very recent attacks such as those we are currently observing, for example PikaBot. Since they change their attack patterns quite often lately, I have different detection rules here, which of course sometimes generate false positives. My motto here is "better safe than sorry". Some of the rules refer to the German/European area, which may lead to false positives in other countries. For this reason, please always check the rules beforehand or observe whether there are any false positives.
Everything is a work in progress and should be reviewed before use in production. All these rules are in production use on our Sublime.
So there are two detection feeds in my repo.
- 'detection-rules' = These rules focus mostly on generic phishing/spam and CVEs. Very low false positive rate!
- 'emerging-threats-rules' = These rules focus on emerging threats. The rules are aggressive, so they may produce more false positives.
Rule Name | Rule Description | Rule Classification | Rule Severity |
---|---|---|---|
abuse_onmicrosoft_domain.yml | Creating a new tenant in Entra creates an "onmicrosoft.com" domain. Now imagine that there is a company called "abccorp"; the attacker creates a new tenant "abcorp" and uses it for phishing. These emails now come from "[email protected]" instead of "[email protected]". | Spam / Phishing | Medium |
attachment_pdf_pikabot.yml | PikaBot uses PDF attachments that are generated by "ReportLab" and contain a specific URL pattern. | Malware | High |
attachment_pikabot_malicious_office_doc.yml | Office docs weaponized by PikaBot to smuggle SMB links that directly execute .js / .vbs files etc. | Malware | Critical |
cve_outlook_ntlm_hash_CVE-2023-35636.yml | Maybe outdated; leaks the NTLM hash. | | High |
info_cisco_esa_bulk_mail.yml | The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) | Info | Low |
info_cisco_esa_bulk_spam.yml | The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) | Info | Low |
info_cisco_esa_marketing_mail.yml | The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) | Info | Low |
link_adclick_doubleclick_abuse.yml | The Google Adclick network is generally an advertising network. Attackers use Adclick links to achieve a redirect to a malicious URL. | Spam / Phishing | Medium |
link_body_link_redirect.yml | Ad services are often used to smuggle a phishing URL to the victim. | Spam / Phishing | Low |
link_pikabot_dec23.yml | PikaBot December 23 URL pattern | Malware | High |
link_smb_zip.yml | PikaBot uses a link to an SMB share in emails to bypass the warning message about running a potentially malicious file. Downloads a zip file containing an exe file. | Malware | High |
phishing_abuse_azure_communication_service.yml | We have observed a recent phishing campaign that abuses Azure Communication Services to redirect to phishing URLs. | Spam / Phishing | Medium |
phishing_new_sender_pdf_password_protected.yml | A current method of phishing attack is to send password-protected PDF files as attachments. The password can be found in the email body. | Phishing | Medium |
phishing_qr_not_trusted.yml | This rule analyses image attachments and a screenshot of an email for QR codes that contain URLs from root domains that are not highly trusted and from first-time senders. | Spam / Phishing | Medium |
phishing_Storm_0539.yml | Microsoft has observed a significant surge in activity associated with the threat actor Storm-0539, known to target retail organizations for gift card fraud and theft using highly sophisticated email and SMS phishing during the holiday shopping season. | ATP / Phishing | High |
scam_booking-com.yml | WORK IN PROGRESS, false positives possible! A gang of cyber crooks is apparently behind the scam, systematically infecting hotels with malware and then abusing their internal access to the Booking platform. This allows the criminals to fish out payment data much more efficiently than with untargeted emails: not only do they have access to real booking data, but they can also use the booking provider's trusted messaging system. | Scam / Phishing | Low |
scattered_spider.yml | Scattered Spider uses separate domains for each victim. These domains can currently be found quite easily using regex. The attack pattern can of course also change. See CISA recommendation on Scattered Spider. | ATP / Phishing | High |
spam_europol_fake.yml | Attackers posing as "EUROPOL" are mainly active in Europe. | | Low |
sublime_edited_docusign_impersonation.yml | Edited Sublime rule without the Sender Profile. | | High |
suspicious_parcel_pickup_notification.yml | Phishing with fake pickup notifications. | | Medium |
If you have a suggestion for improving a detection or have found a bug, simply open a PR with your change or create an issue. Thank you very much! :)