From 387dacd0480c5b2af1be0dadae7d03f80047ab1d Mon Sep 17 00:00:00 2001 
From: Sublime Rule Testing Bot Date: Tue, 21 Nov 2023 15:25:42 +0000 Subject: [PATCH] Sync from PR#679 Adding extension-less Office file snippet by @aidenmitchell https://github.com/sublime-security/sublime-rules/pull/679 Source SHA 762894502b2b43e0f80c2f49fe85b09fa3c4c304 Triggered by @morriscode --- .../attachment_cve_2023_21716_rtf_fonts.yml | 39 ++++++++++++ .../attachment_encrypted_ole_unsolicited.yml | 43 +++++++++++++ .../attachment_office_file_with_vsto.yml | 61 +++++++++++++++++++ .../attachment_office_remote_doc_template.yml | 37 +++++++++++ ...tential_sandbox_evasion_in_office_file.yml | 45 ++++++++++++++ ...shellbrowserwindow_com_object_in_macro.yml | 40 ++++++++++++ .../attachment_soliciting_enable_macros.yml | 46 ++++++++++++++ ...suspicious_vba_macro_first_time_sender.yml | 38 ++++++++++++ ...chment_vba_macro_auto_exec_unsolicited.yml | 50 +++++++++++++++ ...chment_vba_macro_auto_open_unsolicited.yml | 41 +++++++++++++ ...ttachment_vba_macro_calling_executable.yml | 35 +++++++++++ ...hment_vba_macro_employee_impersonation.yml | 43 +++++++++++++ .../attachment_vba_macro_high_risk.yml | 40 ++++++++++++ .../cve_2021_40444_external_relationship.yml | 34 +++++++++++ ...personation_wise_suspicious_attachment.yml | 37 +++++++++++ 15 files changed, 629 insertions(+) create mode 100644 detection-rules/attachment_cve_2023_21716_rtf_fonts.yml create mode 100644 detection-rules/attachment_encrypted_ole_unsolicited.yml create mode 100644 detection-rules/attachment_office_file_with_vsto.yml create mode 100644 detection-rules/attachment_office_remote_doc_template.yml create mode 100644 detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml create mode 100644 detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml create mode 100644 detection-rules/attachment_soliciting_enable_macros.yml create mode 100644 detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml create mode 100644 
detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml create mode 100644 detection-rules/attachment_vba_macro_auto_open_unsolicited.yml create mode 100644 detection-rules/attachment_vba_macro_calling_executable.yml create mode 100644 detection-rules/attachment_vba_macro_employee_impersonation.yml create mode 100644 detection-rules/attachment_vba_macro_high_risk.yml create mode 100644 detection-rules/cve_2021_40444_external_relationship.yml create mode 100644 detection-rules/impersonation_wise_suspicious_attachment.yml diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml new file mode 100644 index 00000000000..0db020632fd --- /dev/null +++ b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml 
@@ -0,0 +1,39 @@ +name: "Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability" +description: | + Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716. +references: + - "https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d" + - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716" + - "https://twitter.com/jduck/status/1632471544935923712" + - "https://github.com/gyaansastra/CVE-2023-21716" +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ ("rtf", "doc", "docx") + or .file_extension in~ $file_extensions_common_archives + or .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + any(.scan.strings.strings, strings.ilike(., '*\fonttbl*')) + and length(filter(.scan.strings.strings, strings.ilike(., '{\f*;}'))) > 10000 + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Exploit" +detection_methods: + - "Content analysis" + - "File analysis" +id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml new file mode 100644 index 00000000000..bdccf8c4edb --- /dev/null +++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml 
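Review bot: The font count `length(filter(.scan.strings.strings, strings.ilike(., '{\f*;}'))) > 10000` only reaches its threshold if every `{\fN ...;}` entry is extracted as its own string; the public PoC linked in the references emits the ~32k entries back-to-back on one line, in which case the whole font table may surface as a single extracted string and the count stays near 1. Whether `.scan.strings.strings` splits on `}` or only on non-printable bytes is not visible here, so verify against the PoC sample and, if needed, count `{\f` occurrences within a string rather than counting strings. The new extension-less branch also requires `.file_type == "unknown"`, so an extension-less RTF that is identified by its `{\rtf1` magic would be excluded; confirm how `.file_type` is derived before relying on that branch for this CVE.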
@@ -0,0 +1,43 @@ +name: "Attachment: Encrypted Microsoft Office file (unsolicited)" +description: | + Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products. + Use if receiving encrypted attachments is not normal behavior in your environment. +references: + - "https://www.cyren.com/blog/articles/anatomy-of-an-attack-password-protected-files-attached-to-emails" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and file.oletools(.).indicators.encryption.exists + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Macros" + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "OLE analysis" + - "Sender analysis" +id: "1e47e953-576c-5ba9-b84e-b72a1a89de87" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml new file mode 100644 index 00000000000..508480540ae --- /dev/null +++ b/detection-rules/attachment_office_file_with_vsto.yml 
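Review bot: `file.oletools(.).indicators.encryption.exists` is evaluated on the attachment itself and the gate omits `$file_extensions_common_archives`, so an encrypted OLE document delivered inside a ZIP is never inspected even though the `detection_methods` list claims "Archive analysis". Either add the archive list and wrap the check in `any(file.explode(.), ...)` like the sibling rules, or drop the "Archive analysis" tag so the rule's coverage is described accurately. A password-protected lure almost always carries the password in the body, so a companion condition such as `strings.ilike(body.current_thread.text, "*password*")` would raise confidence if false positives on legitimately encrypted documents become a problem.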
@@ -0,0 +1,61 @@ +name: "Attachment: Office Document with VSTO Add-in" +description: | + Recursively scans files and archives to detect Office documents with VSTO Add-ins. +type: "rule" +references: + - "https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010" +severity: "high" +authors: + - twitter: "vector_sec" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + .file_extension in~ ( + "doc", + "docm", + "docx", + "dot", + "dotm", + "xls", + "xlsx", + "xlsm", + "xlm", + "xlsb", + "xlt", + "xltm", + "ppt", + "pptx", + "pptm", + "ppsm" + ) + and any(.scan.exiftool.fields, + .key == "Tag_AssemblyLocation" and strings.ilike(.value, "*.vsto*") + and not strings.ilike(.value, 'C:\Program Files*') + ) + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "Exif analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" +id: "27afa730-6dd5-58ec-9deb-ed5170de210d" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml new file mode 100644 index 00000000000..1adf71028ec --- /dev/null +++ b/detection-rules/attachment_office_remote_doc_template.yml 
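Review bot: The inner filter `.file_extension in~ ("doc", ... "ppsm")` on the exploded children re-introduces the extension requirement that the new top-level extension-less branch was meant to drop; if `file.explode` carries the parent's null extension through, an extension-less document with a `Tag_AssemblyLocation` never matches. Consider also accepting `.file_extension is null` in the inner filter, or keying on the exploded item's detected type instead of its name. The list also omits Office formats that can carry the same custom property (`dotx`, `xltx`, `xlam`, `potm`, `ppsx`, `ppam`), while `xlm` is not a conventional file extension. Note that `'C:\Program Files*'` is attacker-supplied text; it is a sensible allowlist for locally installed add-ins but should not be widened further.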
@@ -0,0 +1,37 @@ +name: "Attachment: Office document loads remote document template" +description: | + Recursively scans archives and Office documents to detect remote document template injection. +references: + - "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + ( + ( + // office files + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + .flavors.mime == "text/xml" + and any(.scan.strings.strings, regex.icontains(., ".*Target.*http.*dotm.*")) + ) + ) + ) +attack_types: + - "Malware/Ransomware" +detection_methods: + - "Archive analysis" + - "File analysis" + - "URL analysis" +id: "d9601104-c330-5995-9fae-4d30b969c081" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml new file mode 100644 index 00000000000..7942901d3e6 --- /dev/null +++ b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml 
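Review bot: The regex `".*Target.*http.*dotm.*"` requires the remote template to end in `dotm`, but Word loads an attached template from any URL regardless of extension, and UNC (`\\host\share\x`) or `file:` targets contain no `http` at all; both are trivial bypasses of this rule. The reliable signal in `word/_rels/settings.xml.rels` is the `attachedTemplate` relationship marked external, e.g. `regex.icontains(., 'attachedTemplate.*TargetMode="External"')`, with a second pattern for the reverse attribute order if the serializer is not fixed. Keep the `http` variant only as a lower-severity sibling if you want to distinguish web-hosted templates from network shares.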
@@ -0,0 +1,45 @@ +name: "Attachment: Potential Sandbox Evasion in Office File" +description: | + Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks. + + Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload. +references: + - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src/SandBoxEvasion" + - "https://delivr.to/payloads?id=6e8d282b-7608-4720-9277-fd4ba750aa9c" +type: "rule" +authors: + - twitter: "ajpc500" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + 1 of ( + any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")), + any(.scan.strings.strings, strings.ilike(., "*Win32_LogicalDisk*")), + any(.scan.strings.strings, strings.ilike(., "*Win32_ComputerSystem*")), + any(.scan.strings.strings, strings.ilike(., "*Win32_Process*")), + any(.scan.strings.strings, strings.ilike(., "*LDAP://RootDSE*")) + ) + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Macros" +detection_methods: + - "File analysis" + - "Macro analysis" +id: "1c591681-3f02-5d1e-be08-fc1e6793c68b" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml new file mode 100644 index 00000000000..50db06d3b65 --- /dev/null +++ b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml 
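Review bot: `strings.ilike(., "*Win32_Process*")` is a superset of `strings.ilike(., "*Win32_Processor*")`, so the `1 of (...)` list is effectively four indicators and the Processor entry can be dropped. The strings check runs over every exploded child, including document body XML, so a document that merely discusses WMI classes (an admin runbook, a PowerShell tutorial) fires at `severity: "high"`; if the intent is macro code, gate on the macro container, e.g. `and file.oletools(.).indicators.vba_macros.exists`, or require `2 of (...)`. `LDAP://RootDSE` is also standard in legitimate directory-lookup macros, so consider weighting it lower than the others.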
@@ -0,0 +1,40 @@ +name: "Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation" +description: | + Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls. +references: + - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/" + - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec" +type: "rule" +authors: + - twitter: "ajpc500" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + any(.scan.strings.strings, + strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*") + ) + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" + - "Scripting" +detection_methods: + - "Content analysis" + - "File analysis" + - "Macro analysis" +id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml new file mode 100644 index 00000000000..7b4dbfa8bc8 --- /dev/null +++ b/detection-rules/attachment_soliciting_enable_macros.yml 
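Review bot: The pattern `"*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*"` binds the CLSID to the exact `new:` prefix with no braces, so the equally valid `GetObject("new:{C08AFD90-...}")` form, or the CLSID assembled by string concatenation, is missed. Matching the bare GUID, `strings.ilike(., "*C08AFD90-F2A1-11D1-8455-00A0C91F3880*")`, has no legitimate reason to appear in a document and is harder to evade. The F-Secure post in the references covers the same de-chaining technique via the ShellWindows object (`9BA05972-F6A8-11CF-A442-00A0C90A8F39`); adding it keeps the rule aligned with its own reference.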
@@ -0,0 +1,46 @@ +name: "Attachment soliciting user to enable macros" +description: | + Recursively scans files and archives to detect documents that ask the + user to enable macros, including if that text appears within an embedded image. +references: + - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document" +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), + strings.ilike(.scan.ocr.raw, "*please*enable*macros") + or any(.scan.strings.strings, strings.ilike(., "*please enable macros*")) + ) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Optical Character Recognition" + - "Sender analysis" +id: "e9d75515-8d64-531d-8ccb-9153150d0ee3" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml new file mode 100644 index 00000000000..9d7c61e62bd --- /dev/null +++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml 
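Review bot: `strings.ilike(.scan.ocr.raw, "*please*enable*macros")` has no trailing wildcard, so the OCR text must end exactly in "macros"; any following punctuation or words (`"...enable macros to view"`) defeats the match, while the string-based sibling uses `"*please enable macros*"`. Change it to `strings.ilike(.scan.ocr.raw, "*please*enable*macros*")`. Modern Office presents "Enable Editing" and "Enable Content" rather than "macros", and lure images mirror those labels, so adding `*enable*content*` / `*enable*editing*` variants would cover the current lure wording.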
@@ -0,0 +1,38 @@ +name: "Attachment: Suspicious VBA macros from first-time sender" +description: | + Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and ml.macro_classifier(.).malicious + and ml.macro_classifier(.).confidence in ("high") + ) + and ( + profile.by_sender().prevalence in ("new", "outlier") + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" +detection_methods: + - "File analysis" + - "Macro analysis" + - "Sender analysis" +id: "37cec120-2757-5e99-a489-1315780dae08" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml new file mode 100644 index 00000000000..385292cc02a --- /dev/null +++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml 
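Review bot: The description says the rule fires on a score "above a medium confidence threshold", but the logic requires `ml.macro_classifier(.).confidence in ("high")`, so either the text or the condition is wrong. If the stricter threshold is intended, change the description to say high confidence; otherwise use `in ("medium", "high")`. The name "first-time sender" also understates `prevalence in ("new", "outlier")`, which includes rarely seen senders, and the sender block pairs with `profile.by_sender().any_messages_malicious_or_spam`, so consider naming the rule for unusual senders rather than first-time ones.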
@@ -0,0 +1,50 @@ +name: "Attachment with auto-executing macro (unsolicited)" +description: | + Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened. + + Macros are a common phishing technique used to deploy malware. +references: + - "https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.oletools(.).macros.keywords, .type =~ "autoexec") + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) + + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" +detection_methods: + - "Archive analysis" + - "Header analysis" + - "File analysis" + - "Macro analysis" + - "OLE analysis" + - "Sender analysis" +id: "af6624c3-2a28-5fbb-8936-fb29e55dd29d" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml new file mode 100644 index 00000000000..4d96724701f --- /dev/null +++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml 
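Review bot: The "negate replies" block suppresses the rule whenever both `References` and an `In-Reply-To` hop field are present, and both headers are attacker-controlled: a forged pair, or a genuine thread-hijacking reply (the Emotet/Qakbot pattern), disables this detection for exactly the delivery method most likely to carry an auto-exec macro. Since unsolicited replies from known correspondents are already handled by `profile.by_sender().solicited`, consider removing the negation or limiting it to senders that have prior benign history, e.g. `and not (profile.by_sender().solicited and length(headers.references) > 0)`. Also note the `detection_methods` list includes "Archive analysis" although `$file_extensions_common_archives` is not in the gate.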
@@ -0,0 +1,41 @@ +name: "Attachment with auto-opening VBA macro (unsolicited)" +description: | + Recursively scans files and archives to detect embedded VBA files with an auto open exec. +references: + - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen")) + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Sender analysis" +id: "d48b3e53-dee4-546b-b81a-0c781929fdfb" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_vba_macro_calling_executable.yml b/detection-rules/attachment_vba_macro_calling_executable.yml new file mode 100644 index 00000000000..d757b883029 --- /dev/null +++ b/detection-rules/attachment_vba_macro_calling_executable.yml 
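Review bot: `any(.scan.vba.auto_exec, . == "AutoOpen")` is an exact, case-sensitive match on one name, so `Auto_Open`, `Document_Open`, `Workbook_Open`, `AutoExec`, `AutoClose` and even `autoopen` (VBA identifiers are case-insensitive) fall through. If `.scan.vba.auto_exec` already lists detected auto-execution triggers, `length(.scan.vba.auto_exec) > 0` covers them all; otherwise use `in~` with the full set of Word and Excel entry points. The sibling `attachment_vba_macro_auto_exec_unsolicited` already relies on oletools' `autoexec` keyword type for this, so the two rules should agree on what counts as auto-execution.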
@@ -0,0 +1,35 @@ +name: "Attachment with macro calling executable" +description: | + Recursively scans files and archives to detect embedded VBA files + with an encoded hex string referencing an exe. + + This may be an attempt to heavily obfuscate an execution through + Microsoft document. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*"))) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" +id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml new file mode 100644 index 00000000000..7fb5f245e5e --- /dev/null +++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml 
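Review bot: `strings.ilike(., "*exe*")` over decoded hex strings also matches "executive", "exempt" and "exercise", and it ignores every other executable target a macro drops (`.scr`, `.com`, `.dll`, `.ps1`, `.vbs`, `.hta`). Tighten to the extension form `"*.exe*"` and add the other executable extensions, ideally driven from `$file_extensions_executables` if MQL lets you iterate that list inside the match. The rule inspects `.scan.vba.hex` but `detection_methods` lacks "Macro analysis", which every sibling macro rule declares.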
@@ -0,0 +1,43 @@ +name: "Attachment with VBA macros from employee impersonation (unsolicited)" +description: "Attachment contains a VBA macro from a sender your organization has never sent an email to.\n\nSender is using a display name that matches the display name of someone in \nyour organization.\n\nVBA macros are a common phishing technique used to deploy malware.\n" +references: + - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/" +type: "rule" +severity: "high" +source: | + type.inbound + and sender.display_name in $org_display_names + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or .file_extension in~ $file_extensions_common_archives + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and file.oletools(.).indicators.vba_macros.exists + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Employee" + - "Macros" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Sender analysis" +id: "9b262123-9010-5245-89a7-9ebd75333b2a" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml new file mode 100644 index 00000000000..8d668f7d687 --- /dev/null +++ b/detection-rules/attachment_vba_macro_high_risk.yml 
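Review bot: `sender.display_name in $org_display_names` is a case-sensitive comparison, so `john smith` or `JOHN SMITH` does not match an entry of `John Smith`; every other list membership test in this patch uses `in~`. Change it to `sender.display_name in~ $org_display_names`. Display-name impersonation also commonly pads or reorders the name (`Smith, John`, `John Smith (External)`), which this exact match will miss, so consider a secondary `strings.ilike` pass over the list if false negatives matter more than volume here.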
@@ -0,0 +1,40 @@ +name: "Attachment with high risk VBA macro (unsolicited)" +description: | + Potentially malicious attachment containing a VBA macro. Oletools categorizes the macro risk as 'high'. +references: + - "https://threatpost.com/microsoft-outlook-users-targeted-by-gamaredons-new-vba-macro/156484/" +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ $file_extensions_macros + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and file.oletools(.).indicators.vba_macros.risk == "high" + ) + and ( + not profile.by_sender().solicited + or ( + profile.by_sender().any_messages_malicious_or_spam + and not profile.by_sender().any_false_positives + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" +detection_methods: + - "File analysis" + - "Macro analysis" + - "OLE analysis" + - "Sender analysis" +id: "a2b20e16-b363-50f1-92a5-ee6c41012118" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/cve_2021_40444_external_relationship.yml b/detection-rules/cve_2021_40444_external_relationship.yml new file mode 100644 index 00000000000..cb19c63a157 --- /dev/null +++ b/detection-rules/cve_2021_40444_external_relationship.yml 
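Review bot: Unlike the other macro rules in this patch, the gate omits `$file_extensions_common_archives` and calls `file.oletools(.)` on the attachment itself, so a high-risk macro document inside a ZIP is never scored by this rule. Add the archive list and evaluate the indicator on exploded children, e.g. `any(file.explode(.), file.oletools(.).indicators.vba_macros.risk == "high")`, or document in the description that archived documents are intentionally left to the auto-open rule. The severity is "high" while the structurally stronger `attachment_vba_macro_auto_exec_unsolicited` is "medium"; confirm that ordering is intended.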
@@ -0,0 +1,34 @@ +name: "Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability" +description: | + Attachment contains an external relationship that attempts to load a remote OLE object, consistent with use in CVE-2021-40444. + + On September 7, 2021, Microsoft released details about a zero day RCE vulnerability in MSHTML that affects Microsoft Windows. + + According to Microsoft: "we are aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine." +references: + - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" + - "https://twitter.com/buffaloverflow/status/1436261107329642522" + - "https://twitter.com/jroosen/status/1435792491899494402" + - "https://twitter.com/decalage2/status/1436433067619622916" + - "https://www.reddit.com/r/crowdstrike/comments/pkb9wi/situational_awareness_cve202140444_mshtml_remote/" + - "https://twitter.com/aaaddress1/status/1436393045939814400" +type: "rule" +severity: "critical" +source: "type.inbound\nand any(attachments,\n (\n (\n .file_extension in~ $file_extensions_macros \n or .file_extension =~ \"rtf\"\n or (\n .file_extension is null\n and .file_type == \"unknown\"\n and .content_type == \"application/octet-stream\"\n and .size < 100000000\n )\n )\n and any(file.oletools(.).relationships, regex.icontains(.target, \".*html:http.*\"))\n )\n or (\n .file_extension in~ $file_extensions_common_archives\n and any(file.explode(.),\n .flavors.mime == \"text/xml\"\n and any(.scan.strings.strings, regex.icontains(., \".*oleObject.*mhtml.*http.*\"))\n )\n )\n)\n" +tags: + - "CVE-2021-40444" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Exploit" + - "Macros" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Macro analysis" + - 
"OLE analysis" +id: "8cefcf7f-2a48-5102-9b09-8db995759223" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304 diff --git a/detection-rules/impersonation_wise_suspicious_attachment.yml b/detection-rules/impersonation_wise_suspicious_attachment.yml new file mode 100644 index 00000000000..c06fb7026b3 --- /dev/null +++ b/detection-rules/impersonation_wise_suspicious_attachment.yml @@ -0,0 +1,37 @@ +name: "Brand impersonation: Wise with suspicious attachment" +description: | + Impersonating Wise Financial, as confirmed by NLU, and contains a suspicious attachment type. +type: "rule" +severity: "high" +source: | + type.inbound + and ( + strings.ilike(sender.display_name, '*wise*') + or strings.ilike(sender.email.domain.domain, '*wise*') + ) + and any(ml.nlu_classifier(body.current_thread.text).tags, .name in ("payment", "invoice")) + and any(attachments, + .file_type in $file_extensions_common_archives + or .file_type in $file_extensions_executables + or .file_type in $file_extensions_macros + or .file_type in ("lz") + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + and .size < 100000000 + ) + ) + and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs') +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Natural Language Understanding" + - "Sender analysis" +id: "01480f95-dc1e-5b9a-a360-96bfee663c39" +testing_pr: 679 +testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
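Review bot: The first branch admits `.file_extension =~ "rtf"` but then only inspects `file.oletools(.).relationships`; the RTF variants of CVE-2021-40444 embed the MHTML-moniker OLE object as hex in `\objdata`, not as an OOXML relationship, so if `relationships` is populated only from `.rels` parts that branch is dead for RTF. Add a strings check for the RTF case, e.g. `any(file.explode(.), any(.scan.strings.strings, regex.icontains(., "mhtml:http")))`, or scan the hex-decoded object data if the exploder exposes it. The archive branch's `".*oleObject.*mhtml.*http.*"` also requires all three tokens in one extracted string; confirm against a sample that the `document.xml.rels` content is not split.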
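Review bot: `strings.ilike(sender.display_name, '*wise*')` and `strings.ilike(sender.email.domain.domain, '*wise*')` are unanchored substrings, so "Louise", "Wiseman", "clockwise" and any `*wise*.com` domain satisfy the brand check at `severity: "high"`. Use a word-bounded form such as `regex.icontains(sender.display_name, '\bwise\b')` and compare the domain against a fixed lookalike pattern. The attachment block compares `.file_type` against `$file_extensions_*` lists whereas every other rule here compares `.file_extension in~`; if `.file_type` values are a different vocabulary those three conditions never match, leaving only the extension-less branch. Given the attachment types are executables and macro documents, `attack_types: "Credential Phishing"` should probably be "Malware/Ransomware".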