From 71409e95013155a29ec0461d209ba6dc1647968d Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Fri, 8 Sep 2023 14:16:23 -0400 Subject: [PATCH 01/13] FP Negation: link_credential_phishing_voicemail_language.yml (#783) --- detection-rules/link_credential_phishing_voicemail_language.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index 4a339606ac6..0df96e25fe3 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -25,7 +25,7 @@ source: | all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain and .href_url.domain.root_domain not in $org_domains - and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com") + and .href_url.domain.root_domain not in ("unitelvoice.com", "googleapis.com", "dialmycalls.com") ) ), ( From 0465b64954bdfe4808c38d837edbfe88187eb19d Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Fri, 8 Sep 2023 14:19:27 -0400 Subject: [PATCH 02/13] FP/FN Negation: callback_phishing_nlu_body_or_attachments.yml (#750) --- detection-rules/callback_phishing_nlu_body_or_attachments.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index d45d5fa596f..2eaa5c00728 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml @@ -15,7 +15,9 @@ source: | ) ) or any(ml.nlu_classifier(body.current_thread.text).intents, - .name in ("callback_scam") and .confidence == "high" + .name in ("callback_scam") + and .confidence == "high" + and length(body.current_thread.text) < 1500 ) ) and not ( From c3d3c689960c59657db25e9f796d108c6f7d9073 Mon Sep 17 00:00:00 2001 
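Review bot: Adding "dialmycalls.com" to the inline tuple inside `all(body.links, ...)` negates the whole rule whenever any single link resolves to that root domain, even when the message's other links point at unrelated external domains, which is wider than a per-link allowlist and deserves a comment such as `// any link to these vendor root domains suppresses the rule`. The exclusion is keyed on root_domain alone, so every subdomain under it is covered as well. With three hard-coded vendors now, the list would be easier to audit as a named list in the way `$org_domains` is referenced on the line above. The enclosing expression continues outside the hunk.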
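Review bot: The new `length(body.current_thread.text) < 1500` bound is an uncommented magic number; nothing in the hunk says why 1500 or what false positives it removes, so a line such as `// FP tuning: trust the callback_scam intent only on short bodies` should sit above it. The bound drops long-message matches entirely rather than requiring extra evidence for them, which may cost recall on longer callback lures; hedged, since the remainder of the source is outside the hunk. The single-element `.name in ("callback_scam")` reads more clearly as `.name == "callback_scam"`. The enclosing `or any(...)` block continues outside the hunk.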
From: Ross Wolf <31489089+rw-access@users.noreply.github.com> Date: Mon, 11 Sep 2023 07:58:56 -0600 Subject: [PATCH 03/13] Update DLL macro attachment rule logic (#753) Co-authored-by: Cameron Dunn --- .../attachment_macro_dll_loader.yml | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/detection-rules/attachment_macro_dll_loader.yml b/detection-rules/attachment_macro_dll_loader.yml index 1e2ea545409..83c332c8869 100644 --- a/detection-rules/attachment_macro_dll_loader.yml +++ b/detection-rules/attachment_macro_dll_loader.yml @@ -8,17 +8,19 @@ severity: "high" source: | type.inbound and any(attachments, - .file_extension == "zip" - and ( - any(file.explode(.), - .scan.zip.encrypted == false - // zip contains a dll file - and any(.scan.zip.all_paths, strings.icontains(., "dll")) - ) - and any(file.explode(.), - // macro references a dll file - any(.flavors.yara, strings.like(., "vb_file")) - and any(.scan.strings.strings, strings.icontains(., "dll")) + ( + .file_extension == "zip" + and ( + any(file.explode(.), + .scan.zip.encrypted == false + // zip contains a dll file + and any(.scan.zip.all_paths, strings.icontains(., "dll")) + ) + and any(file.explode(.), + // macro references a dll file + any(.flavors.yara, strings.like(., "vb_file")) + and any(.scan.strings.strings, strings.icontains(., "dll")) + ) ) ) or any(file.explode(.), // fallback for encrypted zips 
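Review bot: The re-indented `any(.scan.zip.all_paths, strings.icontains(., "dll"))` still matches any archive path that merely contains the substring "dll" anywhere in its name, while the archive branch in this patch's second hunk (`@@ -27,13 +29,13 @@`) checks the extension with `strings.ilike(.file_extension, "dll")`; aligning the zip branch to `any(.scan.zip.all_paths, strings.iends_with(., ".dll"))` would make the two consistent, or if the substring match is deliberate to catch renamed payloads the `// zip contains a dll file` comment should say so. The macro-side check in this hunk, `any(.scan.strings.strings, strings.icontains(., "dll"))`, is likewise looser than the second hunk's `strings.ilike(., "*Lib*.dll*")`, and a comment explaining why the zip branch is the permissive one would help the next editor. The explicit parentheses around the zip branch are a welcome clarification of precedence. The enclosing `any(attachments, ...)` continues into the next hunk.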
@@ -27,13 +29,13 @@ source: | // zip contains a dll file and any(.scan.zip.all_paths, strings.icontains(., "dll")) ) - or any(attachments, - .file_extension in~ $file_extensions_common_archives - and any(file.explode(.), - any(.flavors.yara, strings.like(., "vb_file")) - and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*")) - ) - and any(file.explode(.), strings.ilike(.file_extension, "dll")) + or ( + .file_extension in~ $file_extensions_common_archives + and any(file.explode(.), + any(.flavors.yara, strings.like(., "vb_file")) + and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*")) + ) + and any(file.explode(.), strings.ilike(.file_extension, "dll")) ) ) attack_types: From c4b4232783503572793c283ed7da4c3bcdd3bb1d Mon Sep 17 00:00:00 2001 From: Cameron Dunn Date: Mon, 11 Sep 2023 09:23:03 -0700 Subject: [PATCH 04/13] Bump MQL mimic test timeout (#784) --- .github/workflows/mql-mimic-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mql-mimic-tests.yml b/.github/workflows/mql-mimic-tests.yml index 2fc54945220..de506e94e80 100644 --- a/.github/workflows/mql-mimic-tests.yml +++ b/.github/workflows/mql-mimic-tests.yml @@ -37,4 +37,4 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} checkName: "MQL Mimic Tests" ref: ${{ github.sha }} - timeoutSeconds: 1800 + timeoutSeconds: 3600 From 273049d5c6178722cb1dbffa361652f83dc66455 Mon Sep 17 00:00:00 2001 From: Josh Kamdjou Date: Tue, 12 Sep 2023 18:27:21 -0700 Subject: [PATCH 05/13] Add known Venmo domain (#786) --- detection-rules/impersonation_venmo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml index e22d70de6cf..513a75b1ec3 100644 --- a/detection-rules/impersonation_venmo.yml +++ b/detection-rules/impersonation_venmo.yml 
@@ -12,7 +12,7 @@ source: | or strings.ilevenshtein(sender.display_name, 'venmo') <= 1 or strings.ilike(sender.email.domain.domain, '*venmo*') ) - and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com') + and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com') and sender.email.email not in $recipient_emails // and not if the sender.display.name contains "via" and dmarc pass from venmo.com From 1ba9c2c30a20978b4a2cd49c707dfc0b9a83aa98 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Tue, 12 Sep 2023 21:32:53 -0400 Subject: [PATCH 06/13] New Rule: Attachment PDF with link to dmg file download (#785) Co-authored-by: ID Generator Co-authored-by: Josh Kamdjou --- .../attachment_pdf_link_to_dmg.yml | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 detection-rules/attachment_pdf_link_to_dmg.yml diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml new file mode 100644 index 00000000000..da3da87d685 --- /dev/null +++ b/detection-rules/attachment_pdf_link_to_dmg.yml 
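Review bot: The new `'venmo-experience.com'` entry in `sender.email.domain.root_domain not in~ (...)` exempts a sender on the basis of the From domain alone, with no authentication requirement, so a message that merely claims that domain is negated from the impersonation check; the commented-out line just below the hunk (`// and not if the sender.display.name contains "via" and dmarc pass from venmo.com`) already points at the safer shape of pairing a domain exclusion with a DMARC pass. Consider gating the whole `not in~` list on an authentication result, or at least documenting the assumption with `// Venmo-owned sending domains; exclusion is not authenticated`. The same unauthenticated-domain exclusion is added in patch 08 (`'teams-events.com'` in impersonation_microsoft.yml) and patch 12 (`'amazon.com.be'` in impersonation_amazon.yml). The enclosing `and` chain continues outside the hunk.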
@@ -0,0 +1,68 @@ +name: "Attachment: PDF with link to DMG file download" +description: | + This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. +references: + - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html" + - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users" + - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/​" +type: "rule" +severity: "medium" +source: | + type.inbound + and any(attachments, + .file_type == "pdf" + and any(file.explode(.), + any(.scan.url.urls, + + // url links to dmg or zip + ( + strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip") + ) + + // and downloads a dmg or a zip + and any(beta.linkanalysis(.).files_downloaded, + ( + .file_extension == "dmg" + or ( + .file_extension in~ $file_extensions_common_archives + + // and the zip contains a dmg file + and any(file.explode(.), + (.file_extension =~ "dmg") + + // exif inspection if encrypted + or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg") + ) + ) + ) + ) + ) + ) + ) + + + // first time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +tags: + - "Malfam: MetaStealer" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "PDF" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "URL analysis" + +id: "2c486fe0-506d-5498-bb19-dbe58904f9dc" From d970f3620a4aa54856d7c75d6504dd4631bb31de Mon Sep 17 00:00:00 2001 
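Review bot: `strings.iends_with(.url, "zip")` is missing the leading dot that the sibling `.dmg` check has, so any URL whose last three characters are "zip" passes the first gate rather than only `.zip` paths; it should read `strings.iends_with(.url, ".zip")`. Because both suffix checks run on `.url`, a download link that carries a query string after the extension will not match at all, which the description does not mention; hedged, as the shape of the URL field is not visible here. The third `references` entry ends with a stray zero-width character before the closing quote (`...spread-in-targeted-attacks/​"`), which should be removed so the link is usable. There is also a doubled blank line inside `source` before `// first time sender`.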
From: Sam Scholten Date: Wed, 13 Sep 2023 17:55:07 -0400 Subject: [PATCH 07/13] FP Tune: link_qr_code_suspicious_language_fts.yml (#788) --- .../link_qr_code_suspicious_language_fts.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index 9b000eade0c..70a5f553c6b 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml @@ -7,19 +7,22 @@ type: "rule" severity: "medium" source: | type.inbound - + // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready + // and length(attachments) < 10 and any(attachments, .file_type in $file_types_images and any(file.explode(.), .scan.qr.type == "url" - + // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains - and any(recipients.to, strings.icontains(..scan.qr.data, .email.email)) + and any(recipients.to, + strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid + ) and .scan.qr.url.domain.root_domain not in $org_domains ) ) - + // NLU has identified cred_theft language with high confidence and ( any(ml.nlu_classifier(body.current_thread.text).intents, @@ -40,7 +43,7 @@ source: | ) ) ) - + // first-time sender and ( ( From dec1558b31f56ad4052ae1143dea5444778eaa07 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 13 Sep 2023 17:55:55 -0400 Subject: [PATCH 08/13] FP Tune: Update impersonation_microsoft.yml (#789) --- detection-rules/impersonation_microsoft.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index e903b05d922..19f7c44aa24 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml 
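Review bot: The commented-out condition `// and length(attachments) < 10` is left in the rule directly under the explanatory comment with no note on why it is disabled or when it should come back; either drop it or mark it, e.g. `// TODO: re-enable attachment cap once its FP impact is measured`. The new `.email.domain.valid` guard inside `any(recipients.to, ...)` is likewise uncommented, and a short reason such as `// ignore malformed recipient addresses` would make the FP tune legible to the next editor. The second hunk of this patch only strips trailing whitespace. The enclosing `and (` block continues outside the hunk.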
@@ -36,8 +36,13 @@ source: | 'Microsoft Azure' ) ) - and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com') - + and sender.email.domain.root_domain not in~ ( + 'microsoft.com', + 'microsoftsupport.com', + 'office.com', + 'teams-events.com' + ) + // first-time sender and ( ( @@ -49,6 +54,7 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) + attack_types: - "Credential Phishing" tactics_and_techniques: From fd061d1749a86ea122c045b43ce2627cac0ca29e Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Thu, 14 Sep 2023 05:24:17 -0700 Subject: [PATCH 09/13] Updating Rule: link_qr_code_suspicious_language_fts.yml (#792) --- detection-rules/link_qr_code_suspicious_language_fts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index 70a5f553c6b..cdae99e81c3 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml @@ -11,7 +11,7 @@ source: | // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready // and length(attachments) < 10 and any(attachments, - .file_type in $file_types_images + (.file_type in $file_types_images or .file_type == "pdf") and any(file.explode(.), .scan.qr.type == "url" From 8a98a852b574a04ddf4ae77f03f41dd584e2627f Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Mon, 18 Sep 2023 09:34:06 -0400 Subject: [PATCH 10/13] FP fix: Update link_credential_phishing_intent_and_other_indicators.yml (#790) --- ...ink_credential_phishing_intent_and_other_indicators.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index 9a305f9ede5..c564026ff9a 100644 
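Review bot: The comment two lines above the changed line, `// check image attachments for QR code, ...`, is now stale because the new condition `(.file_type in $file_types_images or .file_type == "pdf")` also scans PDF attachments; update it to `// check image and PDF attachments for QR codes, ...`. The rule's name and description sit outside the hunk and likely also say "image", so they should be checked in the same change. The enclosing `any(attachments, ...)` continues outside the hunk.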
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml @@ -279,7 +279,8 @@ source: | // this is common in link tracking, both for // benign marketing traffic but also attackers any(recipients.to, - strings.icontains(..href_url.url, .email.local_part) + .email.domain.valid + and strings.icontains(..href_url.url, .email.local_part) and strings.icontains(..href_url.url, .email.domain.domain) ) ) @@ -290,12 +291,12 @@ source: | and ( // freemail providers should never be sending this type of email sender.email.domain.domain in $free_email_providers - + // if not freemail, it's suspicious if the sender's root domain // doesn't match any links in the body or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain) ) - + // first-time sender and ( ( From e116d257a4a5998a208e64c191a51c798f96152d Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Mon, 18 Sep 2023 08:44:26 -0700 Subject: [PATCH 11/13] Updating rule: impersonation_amazon.yml (#795) --- detection-rules/impersonation_amazon.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index 0070ab55275..9ff86750df6 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml @@ -25,6 +25,11 @@ source: | and sender.email.domain.root_domain in $free_email_providers ) ) + // negate listservs + and not ( + any(headers.hops, any(.fields, .name == "List-Unsubscribe")) + and strings.contains(sender.display_name, "via") + ) and sender.email.domain.root_domain not in~ ( 'amazon.com', 'amazon.com.au', From 3bdf87800e0f993e8877a5efad0e43ac612edc56 Mon Sep 17 00:00:00 2001 
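Review bot: The added `.email.domain.valid` guard carries no comment, while the surrounding `// this is common in link tracking ...` comment explains only the substring checks; state why invalid recipient domains were producing false positives, e.g. `// skip malformed recipient addresses before substring matching`. The substring checks themselves are unchanged, so a very short local_part still trivially satisfies `strings.icontains(..href_url.url, .email.local_part)` and the guard narrows but does not remove that FP source; hedged, since the recipient data is not visible here. The same guard is added in patch 07 to link_qr_code_suspicious_language_fts.yml. The second hunk of this patch only strips trailing whitespace, and the enclosing expression continues outside the hunk.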
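Review bot: The new listserv negation keys on `strings.contains(sender.display_name, "via")`, which is case-sensitive, so display names containing "Via" or "VIA" are not negated, whereas the rest of these impersonation rules match case-insensitively (`strings.ilike`, `strings.ilevenshtein` in the patch 13 context); `strings.icontains(sender.display_name, "via")` would be consistent. Both signals in the block, the List-Unsubscribe header and the display-name text, are supplied by the sending side rather than verified, so the exclusion weakens the rule for any sender that emits them; tying it to an authentication result for the relaying list would make the exception safer, and the `// negate listservs` comment should record that tradeoff. Patch 13 adds the identical block to impersonation_github.yml. The enclosing `and` chain continues outside the hunk.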
From: Aiden Mitchell Date: Mon, 18 Sep 2023 08:46:36 -0700 Subject: [PATCH 12/13] Updating rule: impersonation_amazon.yml (#794) --- detection-rules/impersonation_amazon.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index 9ff86750df6..a3c4eb0f132 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml @@ -33,6 +33,7 @@ source: | and sender.email.domain.root_domain not in~ ( 'amazon.com', 'amazon.com.au', + 'amazon.com.be', 'amazon.co.uk', 'amazon.de', 'amazon.es', From bf62f17de84c0f7f21def7cf41c4015f552ab5f6 Mon Sep 17 00:00:00 2001 From: Aiden Mitchell Date: Mon, 18 Sep 2023 08:48:58 -0700 Subject: [PATCH 13/13] Updating rule: impersonation_github.yml (#796) --- detection-rules/impersonation_github.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml index 7f60c752bac..8b3b3e79a5f 100644 --- a/detection-rules/impersonation_github.yml +++ b/detection-rules/impersonation_github.yml @@ -13,6 +13,11 @@ source: | or strings.ilike(sender.email.email, '*github*') or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1 ) + // negating listservs + and not ( + any(headers.hops, any(.fields, .name == "List-Unsubscribe")) + and strings.contains(sender.display_name, "via") + ) and sender.email.domain.root_domain not in ( 'github.com', 'gitlab.com',