Detection content
Sigma Rules
Hand-authored Sigma rules covering specific TTPs surfaced by the ThreatPipeline corpus — quality over volume. For bulk IOC distribution see Intel Feeds. Rules are experimental: review before production use.
Subscribe: GET /sigma/manifest.json for the catalog.
- Rules: 1
- Total indicators: 0
- Last refreshed: June 10, 2026
- Manifest: /sigma/manifest.json
Available rules
| Rule | Source | IOC type | Indicators | YAML |
|---|---|---|---|---|
| T1566.002 Spearphishing Link — Luxembourg Hospitality SMS Phishing Campaign. Smishing campaign targeting hotel customers in Luxembourg. The CIRCL MISP event lists six SMS sender phone numbers (NL/UK/ID country codes) that delivered the lure linking to a credential-harvesting page. This rule fires on SMS or mobile-threat-defense telemetry showing inbound messages from any of those senders. Source IOCs are sender numbers only — the source event does not publish the lure URL or landing domain, so URL/DNS coverage is left as a follow-up if those indicators surface. Tagged T1566.002 (Phishing: Spearphishing Link); the SMS delivery angle maps to MISP galaxy "phishing:techniques=sms-phishing". | hand-authored | medium | 0 | t1566-002-luxembourg-hospitality-sms-phish.yml |
Subscription
Internal pipelines: poll /sigma/manifest.json daily; compare generated_at per
rule against your last-pulled timestamp; fetch any rules whose generated_at is newer. All URLs are
stable across emissions — the same rule's YAML is rewritten in place when the indicator set updates.