From 82db8bc43d205ede82f37142e69e37e49c08a11c Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Sun, 27 Aug 2023 21:13:08 +0000
Subject: [PATCH] Scheduled cleanup Removed 727
---
...hment_html_smuggling_javascript_base64.yml | 39 -------------------
1 file changed, 39 deletions(-)
delete mode 100644 detection-rules/attachment_html_smuggling_javascript_base64.yml
diff --git a/detection-rules/attachment_html_smuggling_javascript_base64.yml b/detection-rules/attachment_html_smuggling_javascript_base64.yml
deleted file mode 100644
index 0f4165a2c5f..00000000000
--- a/detection-rules/attachment_html_smuggling_javascript_base64.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-name: "Attachment: HTML smuggling with base64 encoded JavaScript function"
-description: "This rule identifies attachments that either have an HTML extension, lack any file extension, or possess an unrecognized file type\nand are employing Base64 encoding to conceal JavaScript functions within HTML script tags with little to no other content. \nSuch obfuscation tactics have been frequently observed in credential phishing campaigns.\n"
-type: "rule"
-severity: "high"
-source: |
- type.inbound
- and any(attachments,
- (
- .file_extension in~ ("html", "htm", "shtml", "dhtml")
- or (
- .file_extension is null
- and .file_type == "unknown"
- and .content_type == "application/octet-stream"
- and .size < 100000000
- )
- or .file_extension in~ $file_extensions_common_archives
- or .file_type == "html"
- )
- and any(file.explode(.),
- any(.scan.strings.strings, strings.contains(., "data:text/javascript;base64"))
- // strings array is small
- and length(.scan.strings.strings) < 10
- )
- )
-attack_types:
- - "Credential Phishing"
- - "Malware/Ransomware"
-tactics_and_techniques:
- - "HTML smuggling"
- - "Scripting"
-detection_methods:
- - "Archive analysis"
- - "Content analysis"
- - "File analysis"
- - "HTML analysis"
- - "Javascript analysis"
-id: "4e8a12ec-3dda-5f4e-8646-f147039662d1"
-testing_pr: 727
-testing_sha: 38f96a2fdffcbdf0f80a1e58668d8e9acf33da21