A home for detection content developed by the delivr.to team
aidenmitchell/detections
Detections

This repo serves as a home for detection content developed by the delivr.to team.

All rules present in this repo have corresponding payloads (linked in references and shown below) that can be used to test detection content.

The repo currently holds the following types of detections:

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel-specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

| Rule Name | Type | Payload |
|---|---|---|
| Attachment: HTML file without HTML element (Unsolicited) | General | |
| Attachment: SVG file with Script Tags (Unsolicited) | General | |
| Attachment: HTML file with eval function and long byte string (Unsolicited) | General | |
| Attachment: HTML File Containing Recipient Email Address (Unsolicited) | General | |
| Attachment: Extended HTML File Format (Unsolicited) | General | |
| Attachment: Microsoft Script Encoding Content | General | |
| Link: Zipped OneNote file | General | |
| Link: OneNote file | General | |
| Link: Brand Impersonation Phishing Site | General | |
| Attachment: Remote Template Injection | General | |
| Attachment: HTML Smuggling with msSaveOrOpenBlob | General | |
| Attachment: OneNote file with Suspicious Strings | Threat Intel | |
| Link: Zipped OneNote file with Document Download Lure (QakBot) | Threat Intel | |
| Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot) | Threat Intel | |
| Attachment: WSF File With Certificate Content (QakBot) | Threat Intel | |
| Attachment: PDF with Document Download Lure | Threat Intel | |
| Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee) | Threat Intel | |
| Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited) | Threat Intel | |

Yara Rules

Below is the list of Yara rules in the repo.

| Rule Name | Type | Payload |
|---|---|---|
| SUSP_OneNote_Repeated_FileDataReference_Feb23 | Threat Intel | |
| SUSP_OneNote_RTLO_Character_Feb23 | Threat Intel | |
| SUSP_OneNote_Win_Script_Encoding_Feb23 | Threat Intel | |
| SUSP_msg_CVE_2023_23397_Mar23 | Threat Intel | |
