
Detections

A home for detection content developed by the delivr.to team

Install / Use

/learn @delivr-to/Detections
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Detections

This repo serves as a home for detection content developed by the delivr.to team.

All rules present in this repo have corresponding payloads (linked in references and shown below) that can be used to test detection content.

The repo currently holds the following types of detections:

Sublime Rules

Below is the list of rules for Sublime Security, organised into General and Threat Intel specific folders.

You can also integrate delivr.to directly with Sublime as mentioned here and documented here.

| Rule Name | Type | Payload |
|-----------|------|---------|
| Attachment: Archive with Directory Traversal CVE-2025-6218 (Unsolicited) | Threat Intel | |
| Attachment: Nested 7-Zip Archives CVE-2025-0411 (Unsolicited) | Threat Intel | |
| Attachment: RTF with Embedded OLE Object (Unsolicited) | Threat Intel | |
| Body: Img Element Exploiting CVE-2024-38021 (Unsolicited) | Threat Intel | |
| Link: PIF File from Suspicious Source (AgentTesla) | Threat Intel | |
| Attachment: HTML with search-ms URI protocol handler (DarkGate) | Threat Intel | |
| Attachment: HTML with Meta Tag Refresh and File Protocol Handler (Pikabot) | Threat Intel | |
| Attachment: PDF Link with Microsoft OneDrive Branding (Pikabot) | Threat Intel | |
| Attachment: ZIP Containing LNK Minimized One-Liner (Unsolicited) | Threat Intel | |
| Attachment: HTML Smuggling of Zip File with Evasion Indicators (Unsolicited) | Threat Intel | |
| Attachment: PDF with embedded MHT using ActiveMime objects (Unsolicited) | Threat Intel | |
| Attachment: Zip Exploiting CVE-2023-38831 (Unsolicited) | Threat Intel | |
| Attachment: PDF with Auto-Open Embedded Smuggling File | Threat Intel | |
| Attachment: OneNote file with Suspicious Strings | Threat Intel | |
| Link: Zipped OneNote file with Document Download Lure (QakBot) | Threat Intel | |
| Attachment: OneNote containing HTA with VBScript and JavaScript content (QakBot) | Threat Intel | |
| Attachment: WSF File With Certificate Content (QakBot) | Threat Intel | |
| Attachment: PDF with Document Download Lure | Threat Intel | |
| Attachment: PDF with Embedded Google Firebase Storage Link (Bumblebee) | Threat Intel | |
| Attachment: Office Document with Embedded RTF Referencing Remote Resources CVE-2023-36884 (Unsolicited) | Threat Intel | |
| Attachment: HTML with Clipboard Copy | Threat Intel | |
| Attachment: FileJacking Indicators (Unsolicited) | General | |
| Link: FileJacking Indicators (Unsolicited) | General | |
| Attachment: HTML smuggling with Google Web Toolkit (GWT) | General | |
| Attachment: HTML smuggling with WebAssembly (Wasm) | General | |
| Attachment: ZPAQ Archive (Unsolicited) | General | |
| Attachment: Microsoft-branded HTML File (Unsolicited) | General | |
| Attachment: HTML file without HTML element (Unsolicited) | General | |
| Attachment: SVG file with Onerror or Onload (Unsolicited) | General | |
| Attachment: SVG file with Script Tags (Unsolicited) | General | |
| Attachment: HTML file with eval function and long byte string (Unsolicited) | General | |
| Attachment: HTML File Containing Recipient Email Address (Unsolicited) | General | |
| Attachment: Extended HTML File Format (Unsolicited) | General | |
| Attachment: Microsoft Script Encoding Content | General | |
| Link: Zipped OneNote file | General | |
| [Link: OneNote file](sublime-rules/general/ | | |

GitHub Stars: 72
Category: Content
Updated: 1mo ago
Forks: 7

Languages

YARA

Security Score

80/100

Audited on Feb 14, 2026

No findings