Merge branch 'main' into bfilar.nlu_signals
bfilar authored Sep 12, 2023
2 parents 38346cb + c4b4232 commit 795932e
Showing 248 changed files with 4,488 additions and 3,783 deletions.
40 changes: 40 additions & 0 deletions .github/workflows/mql-mimic-tests.yml
@@ -0,0 +1,40 @@
name: MQL Mimic Tests

on:
push:
branches: [ "**" ]

concurrency:
group: ${{ github.ref }}
cancel-in-progress: true

jobs:
trigger-via-zapier:
name: Trigger Test Run
runs-on: ubuntu-20.04
permissions:
checks: write

steps:

- name: "Trigger MQL Mimic Tests"
env:
trigger_url: '${{ secrets.MQL_MOCK_TRIGGER }}'
branch: '${{ github.ref_name }}'
repo: '${{ github.repository }}'
token: '${{ secrets.GITHUB_TOKEN }}'
sha: '${{ github.sha }}'
run: |
curl -X POST $trigger_url \
-H 'Content-Type: application/json' \
-d '{"branch":"'$branch'","repo":"'$repo'","token":"'$token'","sha":"'$sha'"}'
- name: Wait for check to be completed
uses: fountainhead/[email protected]
id: wait-for-build
# Wait for results so that the token remains valid while the test suite is executing and posting a check here.
with:
token: ${{ secrets.GITHUB_TOKEN }}
checkName: "MQL Mimic Tests"
ref: ${{ github.sha }}
timeoutSeconds: 3600
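Review bot: The trigger step treats an HTTP error from the Zapier endpoint as success, because `curl` is invoked without `--fail`, so a 4xx/5xx response leaves the job parked in `wait-for-build` for the full `timeoutSeconds: 3600` with nothing ever posting the "MQL Mimic Tests" check. The JSON body is also assembled by splicing unquoted `$branch`/`$repo`/`$sha` into a string literal; git refnames may contain `"`, and with `branches: [ "**" ]` every branch name reaches this line, so building the payload with `jq -n --arg` (available on the hosted Ubuntu images) avoids both malformed JSON and word-splitting of the unquoted expansions. Keeping the `${{ }}` expressions in `env:` rather than inline in `run:` is the right pattern and should stay. Separately, `fountainhead/[email protected]` is a mutable tag: this step is handed `secrets.GITHUB_TOKEN`, so pin the action to a full commit SHA so a retagged release cannot obtain it. The job-level `permissions: checks: write` is what keeps the blast radius of shipping that token to a third-party webhook small; any future scope additions here deserve the same scrutiny.

```yaml
      - name: "Trigger MQL Mimic Tests"
        env:
          # … unchanged: trigger_url / branch / repo / token / sha …
        run: |
          payload="$(jq -n --arg branch "$branch" --arg repo "$repo" --arg token "$token" --arg sha "$sha" \
            '{branch: $branch, repo: $repo, token: $token, sha: $sha}')"
          # --fail turns a 4xx/5xx from the trigger endpoint into a step failure
          # instead of an hour-long wait for a check that will never arrive.
          curl --fail --silent --show-error -X POST "$trigger_url" \
            -H 'Content-Type: application/json' \
            -d "$payload"
```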
35 changes: 20 additions & 15 deletions detection-rules/attachment_adobe_image_lure_fts.yml
Expand Up @@ -4,25 +4,30 @@ type: "rule"
severity: "medium"
source: |
type.inbound
and length(filter(attachments, .file_type not in~ ('png', 'jpeg', 'jpg', 'bmp'))) == 0
and length(body.links) >0
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and length(body.links) > 0
and all(body.links, .display_text is null)
and any(attachments,
any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
and any(file.explode(.),
any(.scan.strings.strings, strings.ilike(.,
"*review*", "*sign*", "*view*", "*completed document*", "*open agreement*"))
)
any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*"
)
)
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
)
attack_types:
- "Malware/Ransomware"
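Review bot: Replacing `.file_type not in~ ('png', 'jpeg', 'jpg', 'bmp')` with `.file_type not in $file_types_images` also drops the case-insensitive `in~`, so the comparison is now exact-case; unless `file_type` and every entry of `$file_types_images` are guaranteed lower-case (not visible here), an attachment typed `PNG` would now fail the "all attachments are images" gate and the rule would silently stop matching it. If that guarantee does not hold, keep the tilde form: `and length(filter(attachments, .file_type not in~ $file_types_images)) == 0`. The OCR patterns on the new side are also nested — `*view*` already matches everything `*review*` matches and `*sign*` matches "design"/"assignment" — so either trim the list to the distinctive phrases or document the breadth with a comment such as `// broad on purpose: any high-confidence Adobe-branded image with sign/view wording`.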
21 changes: 10 additions & 11 deletions detection-rules/attachment_any_html_in_archive_unsolicited.yml
Expand Up @@ -10,19 +10,18 @@ severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .depth > 0
and .file_extension in~ ("html", "htm"))
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
)
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
tags:
- "Attack surface reduction"
21 changes: 9 additions & 12 deletions detection-rules/attachment_any_html_new_sender.yml
Expand Up @@ -10,21 +10,18 @@ type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ ('htm', 'html') or
.file_type == "html"
)
and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
// first-time sender
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $sender_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $sender_domains
)
)
tags:
- "Attack surface reduction"
21 changes: 9 additions & 12 deletions detection-rules/attachment_any_html_unsolicited.yml
Expand Up @@ -10,21 +10,18 @@ type: "rule"
severity: "low"
source: |
type.inbound
and any(attachments,
.file_extension in~ ('htm', 'html') or
.file_type == "html"
)
and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html")
// unsolicited
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
tags:
- "Attack surface reduction"
5 changes: 3 additions & 2 deletions detection-rules/attachment_archive_with_chm.yml
Expand Up @@ -11,8 +11,9 @@ type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments, .file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "chm")
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "chm")
)
attack_types:
- "Malware/Ransomware"
7 changes: 3 additions & 4 deletions detection-rules/attachment_archive_with_exe.yml
Expand Up @@ -14,10 +14,9 @@ type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments, .file_extension in~ $file_extensions_common_archives
and any(file.explode(.),
any(.flavors.yara, . == "mz_file")
)
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), any(.flavors.yara, . == "mz_file"))
)
attack_types:
- "Malware/Ransomware"
Expand Up @@ -8,11 +8,15 @@ severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and length(distinct(filter(file.explode(.), .depth == 1
and .flavors.mime in~ ("application/pdf", "text/plain")),
.flavors.mime)) == 2
and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
.file_extension in~ $file_extensions_common_archives
and length(distinct(filter(file.explode(.),
.depth == 1
and .flavors.mime in~ ("application/pdf", "text/plain")
),
.flavors.mime
)
) == 2
and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
)
tags:
- "Malfam: QakBot"
81 changes: 41 additions & 40 deletions detection-rules/attachment_callback_phish_with_img.yml
Expand Up @@ -10,48 +10,49 @@ severity: "high"
source: |
type.inbound
and (
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
(
sender.email.domain.root_domain in $free_email_providers
and sender.email.email not in $recipient_emails
)
or (
sender.email.domain.root_domain not in $free_email_providers
and sender.email.domain.domain not in $recipient_domains
)
)
and sender.email.domain.root_domain in $free_email_providers
and any(attachments, .file_extension in~ ('png', 'jpg', 'jpeg')
and any(file.explode(.),
length(filter(.scan.strings.strings, strings.ilike(.,
"*purchase*",
"*subscription*",
"*antivirus*",
"*order*",
"*support*",
"*receipt*",
"*amount*",
"*charged*",
"*invoice*",
"*call*",
"*cancel*",
"*renew*",
"*refund*",
"*+1*"
))) >= 4)
and any(file.explode(.),
length(filter(.scan.strings.strings, strings.ilike(.,
"*geek squad*",
"*lifelock*",
"*best buy*",
"*mcafee*",
"*norton*",
"*ebay*",
"*paypal*",
"*secure anywhere*"
))) >=1)
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "charged"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "+1")
)
)
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*geek squad*",
"*lifelock*",
"*best buy*",
"*mcafee*",
"*norton*",
"*ebay*",
"*paypal*",
"*secure anywhere*"
)
)
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
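Review bot: The second branch of the unsolicited-sender block is dead on the new side: it requires `sender.email.domain.root_domain not in $free_email_providers`, but the line directly after the block (`and sender.email.domain.root_domain in $free_email_providers`, printed once so presumably unchanged context) requires the opposite, so the whole condition collapses to "free-mail sender not in $recipient_emails" and the corporate-sender branch can never match. Either that line should go, if the rule is meant to cover non-free-mail senders like the sibling rules in this commit, or the `or (...)` branch should, with a comment such as `// free-mail senders only: restrict to consumer webmail on purpose` so the next reader does not assume the branch is reachable. The move from `.scan.strings.strings` to `strings.icontains(.scan.ocr.raw, ...)` keeps the same substring semantics (`order` still matches "border", `call` still matches "recall"), so that part is not a regression, but `4 of` over such short tokens is a low bar for a `high` severity rule and is worth checking against a sample of benign image attachments.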
