Skip to content

This repo contains all my personal Sublime Security detection rules.

Notifications You must be signed in to change notification settings

padey/Sublime-Detection-Rules

Repository files navigation

Sublime Detection Rules

   _____       __    ___                   _____                      _ __         
  / ___/__  __/ /_  / (_)___ ___  ___     / ___/___  _______  _______(_) /___  __  
  \__ \/ / / / __ \/ / / __ `__ \/ _ \    \__ \/ _ \/ ___/ / / / ___/ / __/ / / /  
 ___/ / /_/ / /_/ / / / / / / / /  __/   ___/ /  __/ /__/ /_/ / /  / / /_/ /_/ /   
/____/\__,_/_.___/_/_/_/ /_/ /_/\___/   /____/\___/\___/\__,_/_/  /_/\__/\__, /    
                  _________         ____       __            __  _      /____/     
   _  __   ____ _/ __/ __(_)__     / __ \___  / /____  _____/ /_(_)___  ____  _____
  | |/_/  / __ `/ /_/ /_/ / _ \   / / / / _ \/ __/ _ \/ ___/ __/ / __ \/ __ \/ ___/
 _>  <   / /_/ / __/ __/ /  __/  / /_/ /  __/ /_/  __/ /__/ /_/ / /_/ / / / (__  ) 
/_/|_|   \__,_/_/ /_/_/ /\___/  /_____/\___/\__/\___/\___/\__/_/\____/_/ /_/____/  
                   /___/                                                         

Hi.

My detection rules concentrate on recognising very recent attacks such as those we are currently observing… for exmaple: PikaBot. Since they change their attack patterns quite often lately, I have different detection rules here, which of course sometimes generate false positives. My motto here is "better safe than sorry". Some of the rules refer to the German/European area, which may lead to false positives in other countries. For this reason, please always check the rules beforehand or observe whether there are any false positives.

Everything is a work in progress and should be reviewed before use in production. All these rules are in production use on our Sublime.

Detection Feeds

So there are two detection feeds in my repo.

  1. 'detection-rules' = These rules focus mostly generic phishing/spam and cve's. Very low false positive rate!
  2. 'emerging-threats-rules' = These rules will focus on emerging threats. Rules are aggressive so it may produce more false positives.

Detection Rule Overview

Rule Name Rule Description Rule Classification Rule Severity
abuse_onmicrosoft_domain.yml Creating a new tenant on Entra will creates an "onmicrosoft.com" Domain. Now imagine, that there is a company called "abccorp", the attacker now creates a new tenant "abcorp" and uses this one for phishing. These emails are now come from "[email protected] instead of "[email protected] Spam / Phishing Medium
attachment_pdf_pikabot.yml PikaBot uses PDF attachments which are generated by “ReportLab” and contains a specific url pattern. Malware High
attachment_pikabot_malicious_office_doc.yml Office docs weaponized by PikaBot to smuggle SMB links that executes directly .js / .vbs etc. Malware Critical
cve_outlook_ntlm_hash_CVE-2023-35636.yml Maybe outdated, leaks NTLM Hash High
info_cisco_esa_bulk_mail.yml The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) Info Low
info_cisco_esa_bulk_spam.yml The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) Info Low
info_cisco_esa_marketing_mail.yml The Cisco ESA (Email Security Appliance) classifies emails according to bulk, marketing, social media and spam. This classification helps to recognise emails and their meaning. This rule is only used for classification within Sublime Automation. :) Info Low
link_adclick_doubleclick_abuse.yml The Google Adclick network is generally an advertising network. Attackers use Adclick links to achieve a redirect to a malicious URL. Spam / Phishing Medium
link_body_link_redirect.yml Often Ad Services are used to smuggle a phishing url to the victim. Spam / Phishing Low
link_pikabot_dec23.yml PikaBot December 23 URL pattern Malware High
link_smb_zip.yml PikaBot is using a link to SMB share in emails to bypass the warning message about running a potentially malicious file. Downloads a zip file containing a exe file. Malware High
phishing_abuse_azure_communication_service.yml We have observed a recent phishing campaign that abuses Azure Communication Services to redirect to phishing URLs. Spam / Phishing Medium
phishing_new_sender_pdf_password_protected.yml A current method of phishing attack is to send password-protected PDF files as attachments. The password can be found in the email body. Phishing Medium
phishing_qr_not_trusted.yml This rule analyses image attachments and a screenshot of an email for QR codes that contain URLs from root domains that are not highly trusted and from first-time senders. Spam / Phishing Medium
phishing_Storm_0539.yml Microsoft has observed a significant surge in activity associated with the threat actor Storm-0539, known to target retail organizations for gift card fraud and theft using highly sophisticated email and SMS phishing during the holiday shopping season. ATP / Phishing High
scam_booking-com.yml WORK IN PROGRESS, False-Positive possible! A gang of cyber crooks is apparently behind the scam, systematically infecting hotels with malware and then abusing their internal access to the Booking platform. This allows the criminals to fish out payment data much more efficiently than with untargeted emails: not only do they have access to real booking data, but they can also use the booking provider's trusted messaging system. Scam / Phishing Low
scattered_spider.yml Scattered Spider uses separate domains for each victim. These domains can currently be found quite easily using regex. The attack pattern can of course also change. See CISA recommendation on Scattered Spider. ATP / Phishing High
spam_europol_fake.yml Attackers posing as "EUROPOL" are mainly active in Europe. Low
sublime_edited_docusign_impersonation.yml Edited Sublime Rule without the Sender Profile. High
suspicious_parcel_pickup_notification.yml Phishing with fake pickup notifications Medium

Contribution

If you have a suggestion for improving a detection or have found a bug, simply open a PR with your change or create an issue. Thank you very much! :)

About

This repo contains all my personal Sublime Security detection rules.

Resources

Stars

Watchers

Forks

Contributors 3

  •  
  •  
  •  

Languages