Awesome Detections

This repo serves as a home for detection content developed by the delivr.to team.

Every rule in this repo has a corresponding payload (linked in the rule's references and listed in the Payload column below) that can be used to test the detection content.

The repo currently holds the following types of detections:

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel-specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

| Rule Name | Type | Payload |
|---|---|---|
| Body: Img Element Exploiting CVE-2024-38021 (Unsolicited) | Threat Intel | |
| Link: PIF File from Suspicious Source (AgentTesla) | Threat Intel | |
| Attachment: HTML with search-ms URI protocol handler (DarkGate) | Threat Intel | |
| Attachment: HTML with Meta Tag Refresh and File Protocol Handler (Pikabot) | Threat Intel | |
| Attachment: PDF Link with Microsoft OneDrive Branding (Pikabot) | Threat Intel | |
| Attachment: ZIP Containing LNK Minimized One-Liner (Unsolicited) | Threat Intel | |
| Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited) | Threat Intel | |
| Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited) | Threat Intel | |
| Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited) | Threat Intel | |
| Attachment: PDF with Auto-Open Embedded Smuggling File | Threat Intel | |
| Attachment: OneNote file with Suspicious Strings | Threat Intel | |
| Link: Zipped OneNote file with Document Download Lure (QakBot) | Threat Intel | |
| Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot) | Threat Intel | |
| Attachment: WSF File With Certificate Content (QakBot) | Threat Intel | |
| Attachment: PDF with Document Download Lure | Threat Intel | |
| Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee) | Threat Intel | |
| Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited) | Threat Intel | |
| Attachment: HTML smuggling with Google Web Toolkit (GWT) | General | |
| Attachment: HTML smuggling with WebAssembly (Wasm) | General | |
| Attachment: ZPAQ Archive (Unsolicited) | General | |
| Attachment: Microsoft-branded HTML File (Unsolicited) | General | |
| Attachment: HTML file without HTML element (Unsolicited) | General | |
| Attachment: SVG file with Onerror or Onload (Unsolicited) | General | |
| Attachment: SVG file with Script Tags (Unsolicited) | General | |
| Attachment: HTML file with eval function and long byte string (Unsolicited) | General | |
| Attachment: HTML File Containing Recipient Email Address (Unsolicited) | General | |
| Attachment: Extended HTML File Format (Unsolicited) | General | |
| Attachment: Microsoft Script Encoding Content | General | |
| Link: Zipped OneNote file | General | |
| Link: OneNote file | General | |
| Link: Brand Impersonation Phishing Site | General | |
| Link: Zipped Script File (Unsolicited) | General | |
| Attachment: Remote Template Injection | General | |
| Attachment: HTML Smuggling with msSaveOrOpenBlob | General | |
| Attachment: AutoIt Script File (Unsolicited) | General | |
| Attachment: Microsoft Word SMB-hosted Remote Template Injection | General | |

Yara Rules

Below is the list of Yara rules in the repo.

| Rule Name | Type | Payload |
|---|---|---|
| SUSP_HTML_WASM_Smuggling | General | |
| SUSP_HTML_B64_WASM_Blob | General | |
| SUSP_ZPAQ_Archive_Nov23 | General | |
| SUSP_PDF_MHT_ActiveMime_Sept23 | General | |
| SUSP_SVG_Onload_Onerror_Jul23 | General | |
| SUSP_OneNote_Repeated_FileDataReference_Feb23 | Threat Intel | |
| SUSP_OneNote_RTLO_Character_Feb23 | Threat Intel | |
| SUSP_OneNote_Win_Script_Encoding_Feb23 | Threat Intel | |
| SUSP_msg_CVE_2023_23397_Mar23 | Threat Intel | |
| SUSP_CONCAT_ZIP_Nov24 | Threat Intel | |

Sigma Rules

Below is the list of Sigma rules in the repo.

| Rule Name | Type | Payload |
|---|---|---|
| PDF HTML Smuggling | Threat Intel | |