Detections

This repo serves as a home for detection content developed by the delivr.to team.

All rules present in this repo have corresponding payloads (linked in references and shown below) that can be used to test detection content.

The repo currently holds the following types of detections:

• Sublime Rules
• Yara Rules
• Sigma Rules

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

Rule Name	Type	Payload
Body: Img Element Exploiting CVE-2024-38021 (Unsolicited)	Threat Intel
Link: PIF File from Suspicious Source (AgentTesla)	Threat Intel
Attachment: HTML with search-ms URI protocol handler (DarkGate)	Threat Intel
Attachment: HTML with Meta Tag Refresh and File Protocol Handler (Pikabot)	Threat Intel
Attachment: PDF Link with Microsoft OneDrive Branding (Pikabot)	Threat Intel
Attachment: ZIP Containing LNK Minimized One-Liner (Unsolicited)	Threat Intel
Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited)	Threat Intel
Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited)	Threat Intel
Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited)	Threat Intel
Attachment: PDF with Auto-Open Embedded Smuggling File	Threat Intel
Attachment: OneNote file with Suspicious Strings	Threat Intel
Link: Zipped OneNote file with Document Download Lure (QakBot)	Threat Intel
Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot)	Threat Intel
Attachment: WSF File With Certificate Content (QakBot)	Threat Intel
Attachment: PDF with Document Download Lure	Threat Intel
Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee)	Threat Intel
Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited)	Threat Intel
Attachment: HTML smuggling with Google Web Toolkit (GWT)	General
Attachment: HTML smuggling with WebAssembly (Wasm)	General
Attachment: ZPAQ Archive (Unsolicited)	General
Attachment: Microsoft-branded HTML File (Unsolicited)	General
Attachment: HTML file without HTML element (Unsolicited)	General
Attachment: SVG file with Onerror or Onload (Unsolicited)	General
Attachment: SVG file with Script Tags (Unsolicited)	General
Attachment: HTML file with eval function and long byte string (Unsolicited)	General
Attachment: HTML File Containing Recipient Email Address (Unsolicited)	General
Attachment: Extended HTML File Format (Unsolicited)	General
Attachment: Microsoft Script Encoding Content	General
Link: Zipped OneNote file	General
Link: OneNote file	General
Link: Brand Impersonation Phishing Site	General
Link: Zipped Script File (Unsolicited)	General
Attachment: Remote Template Injection	General
Attachment: HTML Smuggling with msSaveOrOpenBlob	General
Attachment: AutoIt Script File (Unsolicited)	General
Attachment: Microsoft Word SMB-hosted Remote Template Injection	General

Yara Rules

Below is the list of Yara rules in the repo.

Rule Name	Type	Payload
SUSP_HTML_WASM_Smuggling	General
SUSP_HTML_B64_WASM_Blob	General
SUSP_ZPAQ_Archive_Nov23	General
SUSP_PDF_MHT_ActiveMime_Sept23	General
SUSP_SVG_Onload_Onerror_Jul23	General
SUSP_OneNote_Repeated_FileDataReference_Feb23	Threat Intel
SUSP_OneNote_RTLO_Character_Feb23	Threat Intel
SUSP_OneNote_Win_Script_Encoding_Feb23	Threat Intel
SUSP_msg_CVE_2023_23397_Mar23	Threat Intel

Sigma Rules

Below is the list of Sigma rules in the repo.

Rule Name	Type	Payload
PDF HTML Smuggling	Threat Intel