Update attachment_qr_code_suspicious_components.yml
morriscode authored Sep 28, 2023
1 parent c3bd2a1 commit 9d70b9b
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions detection-rules/attachment_qr_code_suspicious_components.yml
@@ -17,27 +17,35 @@ source: |
// pass the QR URL to LinkAnalysis
any([beta.linkanalysis(.scan.qr.url)],
.credphish.disposition == "phishing"
// any routing traverses via $suspicious_tld list
or any(.redirect_history, .domain.tld in $suspicious_tlds)
// effective destination in $suspicious_tld list
or .effective_url.domain.tld in $suspicious_tlds
// or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
// or any files downloaded are zips or executables
or any(.files_downloaded,
.file_extension in $file_extensions_common_archives
or .file_extension in $file_extensions_executables
)
)
or (
// or the QR code's root domain is a url_shortener
.scan.qr.url.domain.root_domain in $url_shorteners
// exclude google maps
and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
)
// the QR code url is a bing open redirect
or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
or (
// usap-dc open redirect
.scan.qr.url.domain.root_domain == "usap-dc.org"
and .scan.qr.url.path =~ "/tracker"
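Review bot: The bing open-redirect clause `or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'` mixes `or` and `and` on one line without parentheses, while the usap-dc clause directly below wraps its two terms in `( ... )`; this is presumably correct only because `and` binds tighter than `or`, and it makes the rule harder to audit against the other branches. For consistency with the surrounding clauses, write it as `or (.scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a')` with the comment kept above it. The two new clauses also switch between single and double quotes for their string literals; picking one form within the same group would help. The enclosing `source:` expression continues past the end of the hunk, so the closing parenthesis of the usap-dc group and any later branches are not visible here.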
