FP fix: attachment_html_smuggling_atob.yml (#1125)

sublime-security · Dec 21, 2023 · 3368c44 · 3368c44
1 parent 4143b79
commit 3368c44
Showing 1 changed file with 21 additions and 2 deletions.
diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
@@ -1,6 +1,6 @@
 name: "Attachment: HTML smuggling with atob and high entropy"
 description: |
-  Recursively scans files and archives to detect HTML smuggling techniques.
+  Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
 references:
   - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 type: "rule"
@@ -24,7 +24,13 @@ source: |
                     // usage: document['write'](atob)
                     or any(.scan.strings.strings, strings.ilike(., "*document*write*atob*"))
                     // usage: some_var = atob();
-                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
+                    or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
+                    // usage: atob(atob
+                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
+                    // usage: eval(atob)
+                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
+                      // usage: atob(_0x)
+                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
                     // usage: obfuscating "atob"
                     or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
                     // usage: document.head.insertAdjacentHTML("beforeend", atob(...
@@ -37,6 +43,19 @@ source: |
                   )
           )
   )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"