diff --git a/.github/workflows/clear-old-test-rules.yml b/.github/workflows/clear-old-test-rules.yml
index c5f6d3429a2..f0cefca1ccb 100644
--- a/.github/workflows/clear-old-test-rules.yml
+++ b/.github/workflows/clear-old-test-rules.yml
@@ -63,7 +63,7 @@ jobs:
 if [[ "$in_open_pr" = "false" ]]; then
 rm $file
- echo "Removed $pr_num" >> ../message.txt
+ echo "Removed $file_pr_num" >> ../message.txt
 fi
 done
diff --git a/.github/workflows/rule-validate.yml b/.github/workflows/rule-validate.yml
index c34ed7ce5ea..78efe60f6dc 100644
--- a/.github/workflows/rule-validate.yml
+++ b/.github/workflows/rule-validate.yml
@@ -8,13 +8,18 @@ on:
 workflow_dispatch: {}
 concurrency:
- group: ${{ github.head_ref }}
+ # For pull_request_target workflows we want to use head_ref -- the branch triggering the workflow. Otherwise,
+ # use ref, which is the branch for a push event.
+ group: ${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
 cancel-in-progress: true
 jobs:
 tests:
 name: Run Rule Validation
 runs-on: ubuntu-20.04
+ permissions:
+ contents: write
+ checks: write
 steps:
 - name: Set up yq
@@ -26,6 +31,16 @@ jobs:
 ref: ${{ github.head_ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
+ - uses: actions/setup-python@v4
+ with:
+ python-version: '3.10'
+ - name: Add Rule IDs as Needed & Check for Duplicates
+ # Run before testing, just in case this could invalidate the rule itself
+ run: |
+ pip install -r scripts/generate-rule-ids/requirements.txt
+ python scripts/generate-rule-ids/main.py
+
 - name: Validate Rules
 run: |
 for f in *-rules/*.yml
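Review bot: The new `permissions` block (`contents: write`, `checks: write`) lands on the `tests` job, which in the next hunk (`@@ -26,6 +31,16 @@`) both checks out `${{ github.event.pull_request.head.repo.full_name }}` at `${{ github.head_ref }}` and then runs `pip install -r scripts/generate-rule-ids/requirements.txt` and `python scripts/generate-rule-ids/main.py` from that checkout. The concurrency comment indicates this workflow runs on `p
ull_request_target`, so on a fork PR the requirements file and the script are the contributor's code executing with a `GITHUB_TOKEN` that can push to this repository; the deleted `rule-ids` job had the same exposure, so the commit inherits rather than introduces it, but merging the jobs is the moment to contain it. Check out `scripts/` from the base repository (`${{ github.repository }}` at the base ref) before running the generator, or keep the ID step in a job whose permissions are read-only and let a separate write-capable job consume only its output. The `on:` block that would confirm the trigger is above this hunk.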
@@ -58,32 +73,10 @@ jobs:
 run: |
 ! /bin/sh -c 'ls **/*.yaml'
- rule-ids:
- name: Add Rule IDs & Validate Uniqueness
- runs-on: ubuntu-20.04
-
- permissions:
- contents: write
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- ref: ${{ github.head_ref }}
- repository: ${{ github.event.pull_request.head.repo.full_name }}
- fetch-depth: 0
-
- - uses: actions/setup-python@v4
- with:
- python-version: '3.10'
-
- - name: Add Rule IDs as Needed & Check for Duplicates
- run: |
- pip install -r scripts/generate-rule-ids/requirements.txt
- python scripts/generate-rule-ids/main.py
-
 - name: Commit & Push Results, if needed
 run: |
+ rm response.txt
+
 if [ -z "$(git status --porcelain)" ]; then
 echo "No files changed, nothing to do"
 exit 0
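Review bot: The added `rm response.txt` in the `Commit & Push Results, if needed` step has no `-f`, so under the default `bash -e` run shell the step aborts whenever the file is absent, and nothing in this hunk shows what writes `response.txt` (presumably an earlier step outside the hunk). If the intent is only to keep a scratch file out of the commit, `rm -f response.txt` keeps the no-op path from failing, and a short comment such as `# response.txt is a scratch file from the validation step; drop it so it is never committed` would save the next reader the search. The step's `run:` block continues past the end of the hunk.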
@@ -91,49 +84,30 @@ jobs:
 git config user.name 'ID Generator'
 git config user.email 'hello@sublimesecurity.com'
- git add -A
+ git add **/*.yml
 git commit -m "Auto add rule ID"
 git push origin ${{ github.head_ref }}
-
- - name: Get the head ref (eg branch)
- id: get_head
- run: git rev-parse HEAD > sha.txt
-
- - name: Upload SHA for later job
- uses: actions/upload-artifact@v3
- with:
- name: sha
- path: sha.txt
-
- # When the rule-ids job adds a commit, GitHub won't trigger actions on the auto commit. Various alternatives
- # were explored, but all run into issues when dealing with forks (well we'll see if this does too).
- set-checks:
- name: Set GH Checks Status
- runs-on: ubuntu-20.04
- # Both must complete successfully. We assume that rule-ids does not break our rule validation (if we're not confident
- # we can change the ordering.
- needs: [rule-ids, tests]
-
- permissions:
- checks: write
-
- steps:
-
- - name: Download SHA from Previous Job
- uses: actions/download-artifact@v3
- with:
- name: sha
-
- - name: Get the head ref (eg branch)
+ - name: Get the head SHA
 id: get_head
- run: echo "##[set-output name=HEAD;]$(cat sha.txt)"
+ run: echo "##[set-output name=HEAD;]$(git rev-parse HEAD)"
+ # When we add a commit, GitHub won't trigger actions on the auto commit, so we're missing a required check on the
+ # HEAD commit.
+ # Various alternatives were explored, but all run into issues when dealing with forks. This sets a "Check" for
+ # the latest commit, and we can depend on that as a required check.
 - name: "Create a check run"
 uses: actions/github-script@v6
+ if: github.event_name == 'pull_request_target'
 env:
 parameter_url: '${{ github.event.pull_request.html_url }}'
 with:
 debug: ${{ secrets.ACTIONS_STEP_DEBUG || false }}
+ retries: 3
+ # Default includes 422 which GitHub returns when it doesn't know about the head_sha we set the status for.
+ # This occurs when the previous push succeeds, but the checks/pull request component of GitHub isn't yet aware
+ # of the new commit. This isn't the common case, but it comes up enough to be annoying.
+ retry-exempt-status-codes: 400, 401, 403, 404
 script: |
 // any JavaScript code can go here, you can use Node JS APIs too.
 // Docs: https://docs.github.com/en/rest/checks/runs#create-a-check-run
@@ -147,8 +121,8 @@ jobs:
 conclusion: "success",
 details_url: process.env.parameter_url,
 output: {
- title: "Rule Tests and ID Generation",
- summary: "Rule Tests and ID Generation",
- text: "Rule Tests and ID Generation",
+ title: "Rule Tests and ID Updated",
+ summary: "Rule Tests and ID Updated",
+ text: "Rule Tests and ID Updated",
 },
 });
diff --git a/.github/workflows/update-test-rules.yml b/.github/workflows/update-test-rules.yml
index efd52c86991..89c681c27e0 100644
--- a/.github/workflows/update-test-rules.yml
+++ b/.github/workflows/update-test-rules.yml
@@ -51,7 +51,7 @@ jobs:
 uses: lewagon/wait-on-check-action@v1.3.1
 with:
 ref: ${{ steps.comment-branch.outputs.head_sha }}
- check-name: 'Run Rule Validation'
+ check-name: 'Rule Tests and ID Updated'
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 wait-interval: 10
diff --git a/detection-rules/attachment_adobe_image_lure_fts.yml b/detection-rules/attachment_adobe_image_lure_fts.yml
index 3691e0bdf96..1d84a92ff8c 100644
--- a/detection-rules/attachment_adobe_image_lure_fts.yml
+++ b/detection-rules/attachment_adobe_image_lure_fts.yml
@@ -1,6 +1,5 @@
 name: "Attachment: Adobe image lure with suspicious link from first time sender"
-description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language
- from a first-time sender."
+description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender."
 type: "rule"
 severity: "medium"
 source: |
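Review bot: The new `Get the head SHA` step still publishes its output with the legacy `echo "##[set-output name=HEAD;]…"` command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; `run: echo "HEAD=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"` exposes the same `HEAD` output of step `get_head` to the check-run script that presumably reads it below. Separately, `git add **/*.yml` depends on the run shell's `**`, which without `globstar` behaves like `*` and stages YAML only one directory deep; since the validation loop iterates `*-rules/*.yml`, `git add '*-rules/*.yml'` (quoted so git expands the pathspec) states the intended scope, and a one-line comment would help either way. Also, the check-run step is now gated on `if: github.event_name == 'pull_request_target'` while the push above it is not, so on other triggers `git push origin ${{ github.head_ref }}` runs with an empty `head_ref`; that push line is unchanged context, but the new guard makes the asymmetry worth a matching `if:`. The step list continues outside this hunk on both sides.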
@@ -25,8 +24,15 @@ source: |
 and sender.email.domain.domain not in $sender_domains
 )
 )
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Image as content"
+ - "Impersonation: Brand"
+detection_methods:
+ - "Content analysis"
 - "Computer Vision"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
 id: "1d7add81-9822-576a-bcae-c4440e75e393"
diff --git a/detection-rules/attachment_any_html_in_archive_unsolicited.yml b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
index 682806f5dc5..95bd7734acc 100644
--- a/detection-rules/attachment_any_html_in_archive_unsolicited.yml
+++ b/detection-rules/attachment_any_html_in_archive_unsolicited.yml
@@ -25,6 +25,14 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
 - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "6a67c02c-d405-531e-850a-1722849c5fe4"
diff --git a/detection-rules/attachment_any_html_new_sender.yml b/detection-rules/attachment_any_html_new_sender.yml
index 3a0dd481a41..17aedb1ff72 100644
--- a/detection-rules/attachment_any_html_new_sender.yml
+++ b/detection-rules/attachment_any_html_new_sender.yml
@@ -27,7 +27,10 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
 - "Attack surface reduction"
+tactics_and_techniques:
 - "HTML smuggling"
+detection_methods:
+ - "HTML analysis"
+ - "Sender analysis"
 id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42"
diff --git a/detection-rules/attachment_any_html_unsolicited.yml b/detection-rules/attachment_any_html_unsolicited.yml
index fe0b39cbd13..80527bfd3c1 100644
--- a/detection-rules/attachment_any_html_unsolicited.yml
+++ b/detection-rules/attachment_any_html_unsolicited.yml
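Review bot: `attack_types` for `attachment_adobe_image_lure_fts.yml` is set to `Malware/Ransomware`, yet the rule's own name and description (`Adobe phishing messages … with suspicious link language`) describe a link lure, and the sibling brand-image rules later in this diff (`attachment_docusign_image_suspicious_links.yml`, `attachment_dropbox_image_suspicious_links.yml`) classify the same pattern as `Credential Phishing`. Unless the OCR/link check here is known to catch malware delivery, `Credential Phishing` looks like the consistent value; a one-line comment above `attack_types:` recording the taxonomy choice would settle it either way. The rule's `source:` is above this hunk.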
@@ -27,7 +27,11 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
 - "Attack surface reduction"
+tactics_and_techniques:
 - "HTML smuggling"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
 id: "ef36763f-917d-5338-b1ac-84047334dce8"
diff --git a/detection-rules/attachment_archive_with_chm.yml b/detection-rules/attachment_archive_with_chm.yml
index df9c8df125c..926e3f7e0be 100644
--- a/detection-rules/attachment_archive_with_chm.yml
+++ b/detection-rules/attachment_archive_with_chm.yml
@@ -14,7 +14,11 @@ source: |
 and any(attachments, .file_extension in~ $file_extensions_common_archives
 and any(file.explode(.), .file_extension =~ "chm")
 )
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "5280e94d-592b-5d80-b548-b0e2ad4c9eae"
diff --git a/detection-rules/attachment_archive_with_exe.yml b/detection-rules/attachment_archive_with_exe.yml
index 8ca7adbc3a9..24101b3a289 100644
--- a/detection-rules/attachment_archive_with_exe.yml
+++ b/detection-rules/attachment_archive_with_exe.yml
@@ -19,7 +19,12 @@ source: |
 any(.flavors.yara, . == "mz_file")
 )
 )
-tags:
- - "Suspicious attachment"
- - "Malware"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "YARA"
 id: "e2b0ad86-1264-567e-b7c4-78d7ddbe7722"
diff --git a/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml b/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
index ace4dcc07e5..f3cc147ff46 100644
--- a/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
+++ b/detection-rules/attachment_archive_with_pdf_wsf_txt_attached.qakbot.yml
@@ -15,6 +15,13 @@ source: |
 and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
 )
 tags:
- - "QakBot"
- - "Suspicious attachment"
+ - "Malfam: QakBot"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"
diff --git a/detection-rules/attachment_callback_phish_with_img.yml b/detection-rules/attachment_callback_phish_with_img.yml
index 11ad1403e23..29ad847fe58 100644
--- a/detection-rules/attachment_callback_phish_with_img.yml
+++ b/detection-rules/attachment_callback_phish_with_img.yml
@@ -19,7 +19,7 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
-
+
 and sender.email.domain.root_domain in $free_email_providers
 and any(attachments, .file_extension in~ ('png', 'jpg', 'jpeg')
 and any(file.explode(.),
@@ -39,7 +39,7 @@ source: |
 "*refund*",
 "*+1*"
 ))) >= 4)
-
+
 and any(file.explode(.),
 length(filter(.scan.strings.strings, strings.ilike(.,
 "*geek squad*",
@@ -52,7 +52,18 @@ source: |
 "*secure anywhere*"
 ))) >=1)
 )
-tags:
+attack_types:
 - "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Out of band pivot"
+ - "Social engineering"
+ - "Image as content"
+detection_methods:
+ - "Content analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+ - "Computer Vision"
 id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index 580f9c80641..c951fafcf30 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -23,7 +23,7 @@ source: |
 // sender is freemail
 and sender.email.domain.root_domain in $free_email_providers
-
+
 // the attachment is a pdf with 1 page, and at least 60 ocr chars
 and any(attachments, .file_extension == "pdf"
 and any(file.explode(.),
@@ -47,7 +47,7 @@ source: |
 "*refund*",
 "*+1*"
 ))) >= 4)
-
+
 // 1 of the following strings is found, representing common Callback brands
 and any(file.explode(.),
 length(filter(.scan.strings.strings, strings.ilike(.,
@@ -60,7 +60,17 @@ source: |
 "*paypal*",
 ))) >=1)
 )
-tags:
+attack_types:
 - "Callback Phishing"
- - "Customer service fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Out of band pivot"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "Exif analysis"
+ - "File analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
 id: "ac33f097-af20-554c-b29a-56f21be1b285"
diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
index 3806b56d0aa..4158d855436 100644
--- a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
+++ b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
@@ -21,7 +21,11 @@ source: |
 and length(filter(.scan.strings.strings, strings.ilike(.,'{\f*;}'))) > 10000
 )
 )
-tags:
- - "Office exploit"
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Exploit"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
 id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"
diff --git a/detection-rules/attachment_disallowed_file_type_in_archive.yml b/detection-rules/attachment_disallowed_file_type_in_archive.yml
index ec4161c0f79..fdfb6213a46 100644
--- a/detection-rules/attachment_disallowed_file_type_in_archive.yml
+++ b/detection-rules/attachment_disallowed_file_type_in_archive.yml
@@ -194,6 +194,12 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
 - "Attack surface reduction"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "3859e3e7-51c9-5259-9b7d-f8c0957696c0"
diff --git a/detection-rules/attachment_docusign_image_suspicious_links.yml b/detection-rules/attachment_docusign_image_suspicious_links.yml
index 057ce4705bd..76e6ca214fc 100644
--- a/detection-rules/attachment_docusign_image_suspicious_links.yml
+++ b/detection-rules/attachment_docusign_image_suspicious_links.yml
@@ -28,8 +28,17 @@ source: |
 and sender.email.domain.domain not in $sender_domains
 )
 )
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
 - "Computer Vision"
+ - "Content analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL screenshot"
 id: "814a5694-d626-5bf4-a1ba-a1dbcb625279"
diff --git a/detection-rules/attachment_dropbox_image_suspicious_links.yml b/detection-rules/attachment_dropbox_image_suspicious_links.yml
index 5de6896143a..77bed727988 100644
--- a/detection-rules/attachment_dropbox_image_suspicious_links.yml
+++ b/detection-rules/attachment_dropbox_image_suspicious_links.yml
@@ -6,7 +6,7 @@ source: |
 type.inbound
 and length(filter(attachments, .file_type not in~ ('png', 'jpeg', 'jpg', 'bmp'))) == 0
 and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*"))
-
+
 and any(attachments, .file_type in~ ('png','jpg','jpeg','bmp')
 and any(file.explode(.),
 any(.scan.strings.strings, strings.ilike(., "*dropbox*"))
@@ -24,7 +24,15 @@ source: |
 and sender.email.domain.domain not in $sender_domains
 )
 )
-tags:
- - "Suspicious link"
- - "Brand impersonation"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Optical Character Recognition"
+ - "Sender analysis"
 id: "500eee2d-d793-5450-a87f-825ce27c897d"
diff --git a/detection-rules/attachment_eicar.yml b/detection-rules/attachment_eicar.yml
index a8e90fbb65c..0ca141f4953 100644
--- a/detection-rules/attachment_eicar.yml
+++ b/detection-rules/attachment_eicar.yml
@@ -1,7 +1,7 @@
 name: "Attachment: EICAR String Present"
 description: |
 This rule detects the EICAR test string, used to evaluate Anti-Virus scanning and file inspection capabilities.
-
+
 For performance reasons, this rule is limited to attachments with "eicar" in the file name.
 references:
 - "https://www.eicar.org/download-anti-malware-testfile/"
@@ -18,4 +18,8 @@ source: |
 ))
 tags:
 - "EICAR"
+attack_types:
+ - "Malware/Ransomware"
+detection_methods:
+ - "File analysis"
 id: "592e2319-9e4f-5e3d-9b34-22259ddc3416"
diff --git a/detection-rules/attachment_eml_cred_theft.yml b/detection-rules/attachment_eml_cred_theft.yml
index 4d63e828e19..88e8063435f 100644
--- a/detection-rules/attachment_eml_cred_theft.yml
+++ b/detection-rules/attachment_eml_cred_theft.yml
@@ -1,6 +1,6 @@
 name: "Attachment: EML with link to credential phishing page"
 description: |
- Attached EML contains a link which uses language resembling credential phishing.
+ Attached EML links to a credential phishing site.
 type: "rule"
 severity: "medium"
 source: |
@@ -12,18 +12,10 @@ source: |
 .domain.domain in $free_file_hosts
 or .domain.root_domain in $free_subdomain_hosts
 )
- and any(.scan.url.urls,
- // another option is using credphish disposition,
- // we're just waiting on an update to flag Adobe on indd[.]adobe[.]com
- any(file.explode(beta.linkanalysis(.).screenshot),
- any(ml.nlu_classifier(.scan.ocr.raw).intents,
- .name == "cred_theft" and
- .confidence == "high"
- )
- )
+ beta.linkanalysis(.).credphish.disposition == "phishing"
 )
- )
+ )
 )
 // engaging language in the original body
@@ -36,9 +28,21 @@ source: |
 and not any(headers.references,
 strings.contains(body.html.display_text, .)
 )
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
 - "Natural Language Understanding"
- - "Credential phishing"
+ - "Optical Character Recognition"
+ - "URL analysis"
+ - "URL screenshot"
 id: "1df41cca-369a-5bff-83cc-0f9ddf1ff007"
diff --git a/detection-rules/attachment_eml_file_with_ipfs_links.yml b/detection-rules/attachment_eml_file_with_ipfs_links.yml
index ced2a638495..2797732d568 100644
--- a/detection-rules/attachment_eml_file_with_ipfs_links.yml
+++ b/detection-rules/attachment_eml_file_with_ipfs_links.yml
@@ -8,12 +8,12 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-
+
 and any(attachments, .content_type == "message/rfc822"
 and any(file.explode(.),
 any(.scan.url.urls,
 strings.icontains(beta.linkanalysis(.).effective_url.url, 'ipfs')
-
+
 or (
 regex.icontains(beta.linkanalysis(.).effective_url.path, '[\.-/]ipfs|ipfs[\.-/]')
 and beta.linkanalysis(.).effective_url.domain.domain not in $org_domains
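Review bot: The new `beta.linkanalysis(.).credphish.disposition == "phishing"` test in `attachment_eml_cred_theft.yml` replaces the screenshot → OCR → `ml.nlu_classifier` intent check, but the metadata added in the next hunk (`@@ -36,9 +28,21 @@`) still lists `Computer Vision`, `Optical Character Recognition`, `URL screenshot` and `Natural Language Understanding` under `detection_methods`, none of which the rule source now invokes directly. If those are meant to describe what the credphish disposition does internally, a comment above the new line saying so, e.g. `// credphish disposition replaces the earlier screenshot OCR + NLU cred_theft intent check`, keeps source and metadata in agreement; otherwise trim the list to what the source actually calls. The enclosing `any(...)` starts above this hunk.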
@@ -31,8 +31,14 @@ source: |
 )
 )
 )
-
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "IPFS"
+detection_methods:
+ - "File analysis"
+ - "URL analysis"
 id: "1fe9d7e7-892b-5b7f-a334-53b3fbddb9fe"
diff --git a/detection-rules/attachment_eml_html_attachment_portal.yml b/detection-rules/attachment_eml_html_attachment_portal.yml
index 5a752414260..5dc69446d86 100644
--- a/detection-rules/attachment_eml_html_attachment_portal.yml
+++ b/detection-rules/attachment_eml_html_attachment_portal.yml
@@ -5,48 +5,84 @@ type: "rule"
 severity: "high"
 source: |
 type.inbound
+ // exclude bounce backs & read receipts
 and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
 and not regex.icontains(subject.subject, "^(undeliverable|read:)")
 and not any(attachments, .content_type == "message/delivery-status")
+
+ // if the "References" is in the body of the message, it's probably a bounce
- and not any(headers.references,
- strings.contains(body.html.display_text, .)
+ and not any(headers.references, strings.contains(body.html.display_text, .))
+ and (
+ (length(headers.references) == 0 and headers.in_reply_to is null)
+ or (
+ not strings.istarts_with(subject.subject, "re:")
+ and not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))
+ )
 )
- and any(attachments, .content_type == "message/rfc822"
- and any(file.explode(.),
- (
- // suspicious strings found in javascript
- length(filter(.scan.javascript.strings, strings.ilike(.,
- "*username*", "*login-form*", "*email-form*", "*Incorrect password. Please try again.*", "*Password Incomplete, please try again*"
- ))) >= 3 or
- (
- // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
- .flavors.mime in~ ("text/html", "text/plain") and
- length(filter(.scan.strings.strings, strings.ilike(.,
- "*username*", "*login-form*", "*email-form*", "*Incorrect password. 
Please try again.*", "*Password Incomplete, please try again*"
- ))) >= 3
- )
- ) or
- //Known phishing obfuscation
- (
- length(
- filter(
- .scan.strings.strings, strings.ilike(.,
- //Enter password
- "*Enter password*",
- //Forgotten my password
- "*Forgotten my password*",
- //Sign in
- "*Sign in*"
+ and any(attachments,
+ .content_type == "message/rfc822"
+ and any(file.explode(.),
+ (
+ // suspicious strings found in javascript
+ length(filter(.scan.javascript.strings,
+ strings.ilike(.,
+ "*username*",
+ "*login-form*",
+ "*email-form*",
+ "*Incorrect password. Please try again.*",
+ "*Password Incomplete, please try again*"
+ )
+ )
 )
- )
- ) >= 2
- )
- )
+ >= 3
+ or (
+
+ // suspicious strings found outside of javascript, but binexplode'd file still of HTML type
+ .flavors.mime in~ ("text/html", "text/plain")
+ and length(filter(.scan.strings.strings,
+ strings.ilike(.,
+ "*username*",
+ "*login-form*",
+ "*email-form*",
+ "*Incorrect password. Please try again.*",
+ "*Password Incomplete, please try again*"
+ )
+ )
+ )
+ >= 3
+ )
+ )
+ or
+
+ //Known phishing obfuscation
+ (
+ length(filter(.scan.strings.strings,
+ strings.ilike(.,
+ //Enter password
+ "*Enter password*",
+ //Forgotten my password
+ "*Forgotten my password*",
+ //Sign in
+ "*Sign in*"
+ )
+ )
+ )
+ >= 2
+ )
+ )
 )
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
 - "HTML smuggling"
- - "Credential phishing"
-id: "6e4df158-6498-572b-9448-a343c531e5f9"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+id: "6e4df158-6498-572b-9448-a343c531e5f9"
\ No newline at end of file
diff --git a/detection-rules/attachment_eml_suspicious_link_language.yml b/detection-rules/attachment_eml_suspicious_link_language.yml
index 11707ce6bfb..6e56eff21fa 100644
--- a/detection-rules/attachment_eml_suspicious_link_language.yml
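Review bot: The added reply-thread exclusion `not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to"))` only matches when the signed-header list ends with `reply-to`, which (assuming `.signature.headers` is the colon-joined list of signed header names) covers both `reply-to` and `in-reply-to` but misses any hop where `in-reply-to` is not the last entry; if the aim is to skip replies, `"*in-reply-to*"` is probably the intended pattern, and the line deserves a comment naming the header it is after. The two five-string `strings.ilike` lists (`"*username*"` … `"*Password Incomplete, please try again*"`) are now duplicated verbatim between the javascript and plain-string branches, so a change to one is easy to miss in the other. The file also now ends without a trailing newline (`\ No newline at end of file`), unlike the other rule files in this diff. The hunk starts at `@@ -5,48 +5,84 @@` on the previous line and the rule's `name`/`description` are above it.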
+++ b/detection-rules/attachment_eml_suspicious_link_language.yml
@@ -49,8 +49,18 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
-tags:
- - "Suspicious attachment"
- - "Suspicious link"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free file host"
+ - "Free subdomain host"
+ - "Social engineering"
+detection_methods:
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
 - "Natural Language Understanding"
+ - "Sender analysis"
+ - "URL analysis"
 id: "2038ffcc-c38e-5cb3-8594-7f40c112d08c"
diff --git a/detection-rules/attachment_eml_with_html_attachment.yml b/detection-rules/attachment_eml_with_html_attachment.yml
index e9daeb73e9c..221f4a1e697 100644
--- a/detection-rules/attachment_eml_with_html_attachment.yml
+++ b/detection-rules/attachment_eml_with_html_attachment.yml
@@ -54,7 +54,17 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
- - "HTML smuggling"
 - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "HTML analysis"
+ - "Sender analysis"
 id: "c24fd191-1685-5cb8-83ef-618225401332"
diff --git a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
index 97c7061d169..dd39e0e495a 100644
--- a/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
+++ b/detection-rules/attachment_emotet_heavily_padded_doc_in_zip.yml
@@ -28,6 +28,15 @@ source: |
 )
 )
 tags:
- - "Suspicious attachment"
- - "Emotet"
+ - "Malfam: Emotet"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "Exif analysis"
+ - "File analysis"
+ - "Sender analysis"
 id: "9a5332ed-0023-5d6e-89d3-bd789c3bde6f"
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
index f1ba0ee9404..db7335545c1 100644
--- a/detection-rules/attachment_encrypted_ole_unsolicited.yml
+++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -22,7 +22,15 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
-tags:
- - "Suspicious attachment"
- - "Encrypted attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Encryption"
+ - "Macros"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "OLE analysis"
+ - "Sender analysis"
 id: "1e47e953-576c-5ba9-b84e-b72a1a89de87"
diff --git a/detection-rules/attachment_excel_web_query_file_iqy.yml b/detection-rules/attachment_excel_web_query_file_iqy.yml
index 9c31f4499f4..5c9666f5fa5 100644
--- a/detection-rules/attachment_excel_web_query_file_iqy.yml
+++ b/detection-rules/attachment_excel_web_query_file_iqy.yml
@@ -20,6 +20,12 @@ source: |
 )
 )
 )
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "510412b5-1926-538f-a510-d796ecd2dc2d"
diff --git a/detection-rules/attachment_filename_with_unicode_rtlo.yml b/detection-rules/attachment_filename_with_unicode_rtlo.yml
index ae4ee1e7888..4bc236eae92 100644
--- a/detection-rules/attachment_filename_with_unicode_rtlo.yml
+++ b/detection-rules/attachment_filename_with_unicode_rtlo.yml
@@ -18,6 +18,11 @@ source: |
 )
 )
 )
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
 id: "357c57a1-dd29-5ad8-ae2f-c4f4c6489575"
diff --git a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
index fbef8fd5214..3dad2cd4cab 100644
--- a/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
+++ b/detection-rules/attachment_free_subdomain_suspicious_link_language.yml
@@ -16,7 +16,7 @@ source: |
 )
 and length(recipients.cc) == 0
 and length(recipients.bcc) == 0
-
+
 and any(body.links,
 any(file.explode(beta.linkanalysis(.).screenshot),
 any(ml.nlu_classifier(.scan.ocr.raw).intents,
@@ -24,7 +24,15 @@ source: |
 )
 )
 )
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free subdomain host"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
 - "Natural Language Understanding"
- - "Suspicious link"
+ - "Optical Character Recognition"
+ - "URL analysis"
+ - "URL screenshot"
 id: "9187479c-8941-5f28-88fe-0735fd2a86bc"
diff --git a/detection-rules/attachment_html_all_script.yml b/detection-rules/attachment_html_all_script.yml
new file mode 100644
index 00000000000..f6c6ff606a7
--- /dev/null
+++ b/detection-rules/attachment_html_all_script.yml
@@ -0,0 +1,34 @@
+name: "Attachment: HTML file contains exclusively Javascript"
+description: |
+ Attached HTML file does not contain any HTML other than a ")
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+id: "b6d38168-20bb-5550-8843-6af9426af8b1"
diff --git a/detection-rules/attachment_html_attachment_login_page.yml b/detection-rules/attachment_html_attachment_login_page.yml
index f6c2fc066fb..1838f3cdc13 100644
--- a/detection-rules/attachment_html_attachment_login_page.yml
+++ b/detection-rules/attachment_html_attachment_login_page.yml
@@ -11,7 +11,7 @@ authors:
 - twitter: "ajpc500"
 source: |
 type.inbound
-
+
 and any(attachments,
 (
 .file_extension in~ ("html", "htm", "shtml", "dhtml") or
@@ -60,7 +60,15 @@ source: |
 and sender.email.domain.domain not in $recipient_domains
 )
 )
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
 - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
 id: "3aabf4a7-fefa-5266-83fe-012002c9db4a"
diff --git a/detection-rules/attachment_html_excessive_padding.yml b/detection-rules/attachment_html_excessive_padding.yml
index 84fc944fe9e..c77855d95b5 100644
--- a/detection-rules/attachment_html_excessive_padding.yml
+++ b/detection-rules/attachment_html_excessive_padding.yml
@@ -15,7 +15,14 @@ source: |
 any(.scan.yara.matches, .name == "HTML_EXCESSIVE_PADDING")
 )
 )
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
 - "HTML smuggling"
- - "Suspicious attachment"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "YARA"
 id: "0a6aee1e-df58-5f1e-8f49-477ed61babe5"
diff --git a/detection-rules/attachment_html_recipients_suspicious_js.yml b/detection-rules/attachment_html_recipients_suspicious_js.yml
index 79f87f251af..1b16511c01d 100644
--- a/detection-rules/attachment_html_recipients_suspicious_js.yml
+++ b/detection-rules/attachment_html_recipients_suspicious_js.yml
@@ -29,9 +29,15 @@ source: |
 )
 )
 )
-tags:
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
 - "HTML smuggling"
- - "Suspicious attachments"
- - "Credential phishing"
-
+ - "Scripting"
+detection_methods:
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "YARA"
 id: "5333493d-48a8-532d-a621-d278a59bbf9b"
diff --git a/detection-rules/attachment_html_smuggling_atob.yml b/detection-rules/attachment_html_smuggling_atob.yml
index f996d0dfaae..22a231df0c6 100644
--- a/detection-rules/attachment_html_smuggling_atob.yml
+++ b/detection-rules/attachment_html_smuggling_atob.yml
@@ -31,7 +31,18 @@ source: |
 )
 )
 )
-tags:
- - "Suspicious attachment"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
 - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+ - "URL analysis"
 id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"
diff --git a/detection-rules/attachment_html_smuggling_auto_file_download.yml b/detection-rules/attachment_html_smuggling_auto_file_download.yml
index 3060a4f4f3b..23a25411362 100644
--- a/detection-rules/attachment_html_smuggling_auto_file_download.yml
+++ b/detection-rules/attachment_html_smuggling_auto_file_download.yml
@@ -32,7 +32,18 @@ source: |
 )
 )
 )
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
 - "HTML smuggling"
- - "Suspicious attachment"
+ - "Scripting"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Javascript analysis"
+ - "Sender analysis"
+ - "URL analysis"
 id: "abf724f5-d59e-546c-aec2-3f1bc0e2f14b"
diff --git a/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml b/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
index 25679d0929f..03ef8b93fba 100644
--- a/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
+++ b/detection-rules/attachment_html_smuggling_concatenation_obfuscation.yml
@@ -20,7 +20,16 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" id: "108ab346-bc11-5f96-916c-678891332ae8" diff --git a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml index 57496000133..a931b1c87cb 100644 --- a/detection-rules/attachment_html_smuggling_double_encoded_zip.yml +++ b/detection-rules/attachment_html_smuggling_double_encoded_zip.yml 
@@ -1,45 +1,55 @@ -name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment" -description: | - Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content. -references: - - "https://twitter.com/pr0xylife/status/1593325734004768770" - - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar" - - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9" - - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7" -type: "rule" -severity: "high" -authors: - - twitter: "ajpc500" -source: | - type.inbound - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) - ) - and any(attachments, - .file_extension in ("html", "htm") and - any(file.explode(.), - any(.scan.strings.strings, strings.ilike(., - // Double Base64 encoded zips - "*VUVzREJCUUFBUUFJQ*", - "*VFc0RCQlFBQVFBSU*", - "*VRXNEQkJRQUFRQUlB*", - // Reversed base64 strings double encoded zips - "*QJFUUBFUUCJERzVUV*", - "*USBFVQBFlQCR0cFV*", - "*BlUQRFUQRJkQENXRV*" - ) - )) - ) -tags: - - "Suspicious attachment" - - "HTML smuggling" - - "QakBot" - - "Malware" -id: "61ebb07b-264e-59fb-a82c-d91957991081" +name: "Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment" +description: | + Qakbot double Base64 encodes zip files within their HTML smuggling email attachments. This leads to predictable file header strings appearing in the HTML string content. 
+references: + - "https://twitter.com/pr0xylife/status/1593325734004768770" + - "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_qbot_payloads.yar" + - "https://delivr.to/payloads?id=0e04949a-24f3-4acd-b77c-bbffc4cb3cb9" + - "https://delivr.to/payloads?id=ef39f124-6766-491c-a46c-00f2b60aa7a7" +type: "rule" +severity: "high" +authors: + - twitter: "ajpc500" +source: | + type.inbound + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) + and any(attachments, + .file_extension in ("html", "htm") and + any(file.explode(.), + any(.scan.strings.strings, strings.ilike(., + // Double Base64 encoded zips + "*VUVzREJCUUFBUUFJQ*", + "*VFc0RCQlFBQVFBSU*", + "*VRXNEQkJRQUFRQUlB*", + // Reversed base64 strings double encoded zips + "*QJFUUBFUUCJERzVUV*", + "*USBFVQBFlQCR0cFV*", + "*BlUQRFUQRJkQENXRV*" + ) + )) + ) +tags: + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Sender analysis" +id: "61ebb07b-264e-59fb-a82c-d91957991081" diff --git a/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml b/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml index 649536690c9..43ee40b7a9e 100644 --- a/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml +++ b/detection-rules/attachment_html_smuggling_embedded_b64_iso.yml 
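Review bot: The new `attack_types` list in attachment_html_smuggling_double_encoded_zip.yml is ordered `Malware/Ransomware` before `Credential Phishing`, while every other hunk in this change keeps these taxonomy lists alphabetical; attachment_pdf_credtheft_link_suspicious_file.yml has the same inversion, and attachment_html_smuggling_fromcharcode_and_others.yml, attachment_html_smuggling_location.yml and attachment_html_smuggling_rot13.yml put `Javascript analysis` before `HTML analysis` in `detection_methods`. If the lists are meant to be sorted, as the rest of the change suggests, swapping those entries keeps the files diff-stable and greppable. Separately, every line of this file appears to be removed and re-added with identical text, which looks like a line-ending or trailing-whitespace normalization rather than a content change; if that is the case, saying so in the commit message would let reviewers skip the rewritten `source` block.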
@@ -2,8 +2,8 @@ name: "Attachment: HTML smuggling with embedded base64-encoded ISO" description: | HTML attachment contains a base-64 encoded ISO. This is a known TTP for multiple threat actors. references: - - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d" - - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a" + - "https://delivr.to/payloads?id=cf6c9867-4358-4b3b-b7eb-3432ac39e71d" + - "https://playground.sublimesecurity.com?id=78587abf-1027-4c6c-9edf-c1bd928de97a" type: "rule" severity: "high" source: | @@ -25,7 +25,17 @@ source: | ) )) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "ISO" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Sender analysis" id: "294ecd2d-bc98-5a67-850a-60a1a29aea76" diff --git a/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml b/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml index 60a3cb7968c..496c97e06f6 100644 --- a/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml +++ b/detection-rules/attachment_html_smuggling_embedded_b64_pe.yml 
@@ -2,9 +2,9 @@ name: "Attachment: HTML smuggling with embedded base64-encoded executable" description: | HTML attachmemt contains a base-64 encoded executable. references: - - "https://delivr.to/payloads?id=739e977c-8e8f-4ba8-940a-c53ba77cecca" - - "https://www.microsoft.com/en-us/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium" - - "https://sandbox.sublimesecurity.com?id=28fe5e67-2dec-4072-a263-24ee53cc54c3" + - "https://delivr.to/payloads?id=739e977c-8e8f-4ba8-940a-c53ba77cecca" + - "https://www.microsoft.com/en-us/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium" + - "https://sandbox.sublimesecurity.com?id=28fe5e67-2dec-4072-a263-24ee53cc54c3" type: "rule" severity: "high" source: | @@ -18,7 +18,14 @@ source: | and any(file.explode(.), any(.flavors.yara, . == 'base64_pe')) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" +detection_methods: + - "Archive analysis" + - "File analysis" + - "HTML analysis" + - "YARA" id: "b00c4527-957c-53ba-9eee-c5ef555b24e3" diff --git a/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml b/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml index 4e4501ac177..bc152efce18 100644 --- a/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml +++ b/detection-rules/attachment_html_smuggling_embedded_base64_file_download.yml @@ -19,7 +19,16 @@ source: | ) ) tags: + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "HTML smuggling" - - "Suspicious link" - - "QakBot" + - "Scripting" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" id: "e04de4e2-154f-5cf9-b108-dbf753ece511" 
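Review bot: The description of attachment_html_smuggling_embedded_b64_pe.yml still reads `HTML attachmemt contains a base-64 encoded executable.` on the context line of the first hunk; since this commit already touches the file's reference list, fix the typo here to `HTML attachment contains a base-64 encoded executable.`.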
diff --git a/detection-rules/attachment_html_smuggling_entropy.yml b/detection-rules/attachment_html_smuggling_entropy.yml index f66ded602f9..69d3ee01881 100644 --- a/detection-rules/attachment_html_smuggling_entropy.yml +++ b/detection-rules/attachment_html_smuggling_entropy.yml @@ -23,7 +23,15 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" id: "be157288-1955-5ad1-bd6e-4e862248274b" diff --git a/detection-rules/attachment_html_smuggling_eval_atob.yml b/detection-rules/attachment_html_smuggling_eval_atob.yml index 440c5840c3d..7a3e89c662a 100644 --- a/detection-rules/attachment_html_smuggling_eval_atob.yml +++ b/detection-rules/attachment_html_smuggling_eval_atob.yml @@ -16,7 +16,17 @@ source: | any(.scan.strings.strings, regex.imatch(., ".*eval.{1,4}atob.*")) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" id: "9f521ca2-2141-5373-86b1-e3cf8ed8d633" diff --git a/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml b/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml index 9bb94fd1986..6ea62440e16 100644 --- a/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml +++ b/detection-rules/attachment_html_smuggling_fromcharcode_and_others.yml 
@@ -23,7 +23,17 @@ source: | "catch" in .scan.javascript.keywords ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Javascript analysis" + - "HTML analysis" id: "a68ce0ef-dc81-5889-8d0d-735e3521d735" diff --git a/detection-rules/attachment_html_smuggling_hex_strings.yml b/detection-rules/attachment_html_smuggling_hex_strings.yml index 35a4ca210ca..25e6610ab9f 100644 --- a/detection-rules/attachment_html_smuggling_hex_strings.yml +++ b/detection-rules/attachment_html_smuggling_hex_strings.yml @@ -23,7 +23,16 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" id: "b4208ed6-fdde-5165-a5ca-1fe469c64046" diff --git a/detection-rules/attachment_html_smuggling_location.yml b/detection-rules/attachment_html_smuggling_location.yml index eddf7350bd1..f18a6b260b6 100644 --- a/detection-rules/attachment_html_smuggling_location.yml +++ b/detection-rules/attachment_html_smuggling_location.yml @@ -19,7 +19,17 @@ source: | and length(.scan.javascript.identifiers) < 100 ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Javascript analysis" + - "HTML analysis" id: "e0611295-afb2-5766-ac37-00fe81253487" diff --git a/detection-rules/attachment_html_smuggling_microsoft_signin.yml b/detection-rules/attachment_html_smuggling_microsoft_signin.yml index e5a94a3e37e..8c7359a0542 100644 
--- a/detection-rules/attachment_html_smuggling_microsoft_signin.yml +++ b/detection-rules/attachment_html_smuggling_microsoft_signin.yml @@ -36,7 +36,19 @@ source: | ) // allow Microsoft domains just to be safe and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com') -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free subdomain host" - "HTML smuggling" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Javascript analysis" + - "Sender analysis" + - "URL analysis" id: "878d6385-95c2-5540-a887-a6fa9456409c" diff --git a/detection-rules/attachment_html_smuggling_raw_buffer.yml b/detection-rules/attachment_html_smuggling_raw_buffer.yml index eb554c8733e..7962e6fa060 100644 --- a/detection-rules/attachment_html_smuggling_raw_buffer.yml +++ b/detection-rules/attachment_html_smuggling_raw_buffer.yml @@ -24,7 +24,16 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Free subdomain host" - "HTML smuggling" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Javascript analysis" id: "a0d5c3dc-0763-5579-919e-456e5a37bd6f" diff --git a/detection-rules/attachment_html_smuggling_rc4.yml b/detection-rules/attachment_html_smuggling_rc4.yml index 84583c1ddb4..5172cd98bc7 100644 --- a/detection-rules/attachment_html_smuggling_rc4.yml +++ b/detection-rules/attachment_html_smuggling_rc4.yml 
@@ -18,7 +18,18 @@ source: | and any(file.explode(.), any(.scan.strings.strings, strings.ilike(., "*?[(?[?]+?[?])%256]*"))) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" id: "3a46d765-4b27-5026-9b8e-043e3817854b" diff --git a/detection-rules/attachment_html_smuggling_rot13.yml b/detection-rules/attachment_html_smuggling_rot13.yml index 77d9cceb8ed..6f129e3d32f 100644 --- a/detection-rules/attachment_html_smuggling_rot13.yml +++ b/detection-rules/attachment_html_smuggling_rot13.yml @@ -21,7 +21,18 @@ source: | and length(.scan.javascript.identifiers) < 100 ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Javascript analysis" + - "HTML analysis" id: "6eacc4cf-9357-5441-9380-b561fa630d65" diff --git a/detection-rules/attachment_html_smuggling_settimeout.yml b/detection-rules/attachment_html_smuggling_settimeout.yml index c43e57d571d..75ffc820492 100644 --- a/detection-rules/attachment_html_smuggling_settimeout.yml +++ b/detection-rules/attachment_html_smuggling_settimeout.yml @@ -16,7 +16,17 @@ source: | and any(.scan.strings.strings, strings.ilike(., "*location.href*")) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" id: "4e0b2c32-d176-5351-9b74-1636179a8cda" 
diff --git a/detection-rules/attachment_html_smuggling_unescape.yml b/detection-rules/attachment_html_smuggling_unescape.yml index 422df259f4d..c422585275e 100644 --- a/detection-rules/attachment_html_smuggling_unescape.yml +++ b/detection-rules/attachment_html_smuggling_unescape.yml @@ -16,7 +16,16 @@ source: | and any(file.explode(.), any(.scan.javascript.identifiers, . == "unescape")) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" id: "0b0fed36-735a-50f1-bf10-6673237a4623" diff --git a/detection-rules/attachment_ics_embedded_document.yml b/detection-rules/attachment_ics_embedded_document.yml index f9271b300b7..11e2ef560b7 100644 --- a/detection-rules/attachment_ics_embedded_document.yml +++ b/detection-rules/attachment_ics_embedded_document.yml @@ -19,6 +19,10 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "File analysis" id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86" diff --git a/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml b/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml index a680c9aafd0..119efb8056d 100644 --- a/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml +++ b/detection-rules/attachment_ics_link_to_executable_suspicious_language.yml @@ -19,7 +19,12 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "File analysis" - "Natural Language Understanding" id: "7dd310ca-8939-52f3-b840-16ee5679d837" 
diff --git a/detection-rules/attachment_js_file_execution.yml b/detection-rules/attachment_js_file_execution.yml index 85da6e34d0a..fc73efcddaa 100644 --- a/detection-rules/attachment_js_file_execution.yml +++ b/detection-rules/attachment_js_file_execution.yml @@ -24,6 +24,15 @@ source: | ) ) tags: - - "Suspicious attachment" - "Attack surface reduction" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Javascript analysis" + - "Sender analysis" id: "627ae0b1-fbe7-58cf-ba7d-0cf51b806c8a" diff --git a/detection-rules/attachment_lnk_file.yml b/detection-rules/attachment_lnk_file.yml index 533d85051fb..08febe29f57 100644 --- a/detection-rules/attachment_lnk_file.yml +++ b/detection-rules/attachment_lnk_file.yml @@ -18,6 +18,11 @@ source: | and any(file.explode(.), .file_extension =~ "lnk") ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "LNK" +detection_methods: + - "Archive analysis" + - "File analysis" id: "44532abe-f65f-54e6-afe2-d4589e4253ae" diff --git a/detection-rules/attachment_lnk_file_with_embedded_content.yml b/detection-rules/attachment_lnk_file_with_embedded_content.yml index f9c9b36b71e..24e9fce3974 100644 --- a/detection-rules/attachment_lnk_file_with_embedded_content.yml +++ b/detection-rules/attachment_lnk_file_with_embedded_content.yml @@ -23,7 +23,16 @@ source: | ) ) ) - tags: - - "Suspicious attachment" + - "Malfam: Emotet" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Exploit" + - "LNK" + - "Scripting" +detection_methods: + - "Content analysis" + - "Exif analysis" + - "File analysis" id: "41452f7a-c77d-5259-a5fb-91b1b4419364" diff --git a/detection-rules/attachment_macro_dll_loader.yml b/detection-rules/attachment_macro_dll_loader.yml index 26e5c2d83be..110c4bcb136 100644 --- a/detection-rules/attachment_macro_dll_loader.yml 
+++ b/detection-rules/attachment_macro_dll_loader.yml @@ -34,8 +34,16 @@ source: | ) ) ) -tags: - - "Suspicious attachment" - - "Office exploit" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Exploit" + - "LNK" - "Macros" + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "YARA" id: "3a193f5f-1596-54d8-8fd7-1e09e63e6ea4" diff --git a/detection-rules/attachment_malicious_onenote_commands.yml b/detection-rules/attachment_malicious_onenote_commands.yml index 2a68dd2ce80..5e9422f5c44 100644 --- a/detection-rules/attachment_malicious_onenote_commands.yml +++ b/detection-rules/attachment_malicious_onenote_commands.yml @@ -36,7 +36,14 @@ source: | ) ) ) -tags: - - "Suspicious attachment" - - "Malware" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "OneNote" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "YARA" id: "7319f0eb-a3c7-5320-a4ae-6fbf7952369e" diff --git a/detection-rules/attachment_malwarebazaar.yml b/detection-rules/attachment_malwarebazaar.yml index 9bc890f99c7..96091611291 100644 --- a/detection-rules/attachment_malwarebazaar.yml +++ b/detection-rules/attachment_malwarebazaar.yml @@ -1,6 +1,5 @@ name: "MalwareBazaar: Malicious attachment hash (trusted reporters)" -description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware - on MalwareBazaar by trusted reporters from first-time senders." +description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from first-time senders." type: "rule" severity: "medium" source: | 
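Review bot: `tactics_and_techniques` for attachment_macro_dll_loader.yml gains `LNK`, but nothing in the hunk shows the rule examining shortcut files; the rule's `source` block starts outside the hunk, so please confirm it actually inspects `.lnk` content before keeping that tag, and otherwise drop the line `  - "LNK"`. These taxonomy fields presumably drive filtering and reporting, so a technique the rule cannot observe would mislead analysts triaging on it.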
@@ -17,8 +16,11 @@ source: | ) ) tags: - - "MalwareBazaar" - - "Abusech" - - "Suspicious attachment" - - "Malware" + - "Abusech: MalwareBazaar" +attack_types: + - "Malware/Ransomware" +detection_methods: + - "File analysis" + - "Sender analysis" + - "Threat intelligence" id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4" diff --git a/detection-rules/attachment_mht_embedded_vbscript.yml b/detection-rules/attachment_mht_embedded_vbscript.yml index eb446f00df6..eb726a3b679 100644 --- a/detection-rules/attachment_mht_embedded_vbscript.yml +++ b/detection-rules/attachment_mht_embedded_vbscript.yml @@ -33,7 +33,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" - - "Malware" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "HTML analysis" + - "Sender analysis" id: "b30353a6-773e-5b6d-9252-751b5bc95799" diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml index 4fda032ffce..63e026b0764 100644 --- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml +++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml @@ -45,8 +45,15 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" - - "Brand impersonation" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" - "QR code" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Header analysis" + - "QR code analysis" + - "Sender analysis" id: "ed0f772a-6543-5947-80d1-55a11ea63074" diff --git a/detection-rules/attachment_msi_installer.yml b/detection-rules/attachment_msi_installer.yml index 27ffb0b5538..3f2809e0f14 100644 --- a/detection-rules/attachment_msi_installer.yml +++ b/detection-rules/attachment_msi_installer.yml 
@@ -3,7 +3,7 @@ description: | Recursively scans files and archives to detect MSI installer files. Coercing a target user to run an MSI can be used as part of an 'IT Support' or 'software update' social engineering attack. - + Execution of the delivered MSI could enable the attacker to execute malicious code on the target user's host. references: - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md" @@ -24,6 +24,11 @@ source: | ) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Archive analysis" + - "File analysis" id: "ae17b1a9-41e3-513c-9762-0c3fd30b9818" diff --git a/detection-rules/attachment_office365_image.yml b/detection-rules/attachment_office365_image.yml index 2dcbccdff5a..c5b859c224b 100644 --- a/detection-rules/attachment_office365_image.yml +++ b/detection-rules/attachment_office365_image.yml @@ -84,6 +84,15 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Optical Character Recognition" + - "Sender analysis" id: "edce0229-5e8f-5359-a5c8-36570840049f" diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml index 7372ad8f65f..e002db57b4c 100644 --- a/detection-rules/attachment_office_file_with_vsto.yml +++ b/detection-rules/attachment_office_file_with_vsto.yml 
@@ -16,6 +16,15 @@ source: | and strings.ilike(.value, "*.vsto*")) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "Exif analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" id: "27afa730-6dd5-58ec-9deb-ed5170de210d" diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml index 4a7803a156c..4d5a98f36d5 100644 --- a/detection-rules/attachment_office_remote_doc_template.yml +++ b/detection-rules/attachment_office_remote_doc_template.yml @@ -20,7 +20,10 @@ source: | ) ) ) -tags: - - "Suspicious attachment" - - "Office exploit" +attack_types: + - "Malware/Ransomware" +detection_methods: + - "Archive analysis" + - "File analysis" + - "URL analysis" id: "d9601104-c330-5995-9fae-4d30b969c081" diff --git a/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml b/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml index ecddad76814..2eba94214f6 100644 --- a/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml +++ b/detection-rules/attachment_pdf_credtheft_link_suspicious_file.yml @@ -21,9 +21,17 @@ source: | ) ) ) -tags: +tags: + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "PDF" +detection_methods: + - "File analysis" - "Natural Language Understanding" - - "Suspicious attachment" - - "Suspicious link" - - "QakBot" + - "Optical Character Recognition" + - "URL analysis" id: "adda3c3f-8966-5f46-9924-234bbaee0a2c" diff --git a/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml b/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml index 97c4fd3560d..f774f6cec4b 100644 --- a/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml 
+++ b/detection-rules/attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml @@ -8,17 +8,28 @@ references: type: "rule" severity: "low" source: | - type.inbound - and sender.email.domain.root_domain in $free_email_providers - and length(attachments) == 1 - and all(attachments, .file_extension == "pdf" - and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)') - and any(file.explode(.), - .scan.exiftool.page_count >=5 - and .depth == 0 - and length(filter(.scan.strings.strings, regex.match(.,'^\/URI \(http.*'))) == 1) - ) + type.inbound + and sender.email.domain.root_domain in $free_email_providers + and length(attachments) == 1 + and all(attachments, .file_extension == "pdf" + and regex.icontains(.file_name, '(\d\.\d{3,4}.{0,12}BTC|bitcoin)') + and any(file.explode(.), + .scan.exiftool.page_count >=5 + and .depth == 0 + and length(filter(.scan.strings.strings, regex.match(.,'^\/URI \(http.*'))) == 1) + ) tags: - "Cryptocurrency" - - "Fraud" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Free email provider" + - "Impersonation: Brand" + - "PDF" + - "Social engineering" +detection_methods: + - "Exif analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" id: "47601cb7-5278-58b1-b503-0456c235a18d" diff --git a/detection-rules/attachment_pdf_file_with_embedded_content.yml b/detection-rules/attachment_pdf_file_with_embedded_content.yml index 26e2f7f7afb..65cdf617f72 100644 --- a/detection-rules/attachment_pdf_file_with_embedded_content.yml +++ b/detection-rules/attachment_pdf_file_with_embedded_content.yml @@ -47,6 +47,12 @@ source: | "hta_file")) ) )) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "PDF" +detection_methods: + - "File analysis" + - "Sender analysis" + - "YARA" id: "c2e04516-2e6c-5079-8b67-327578e98315" 
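Review bot: The re-indented `source` of attachment_pdf_file_fraudulent_cryptocurrency_exchange.yml keeps the case-sensitive comparison `.file_extension == "pdf"`, so an attachment with an upper-case `.PDF` extension is skipped unless the platform lower-cases `file_extension` before evaluation; other rules in this change use the case-insensitive forms `in~` and `=~`, so `and all(attachments, .file_extension =~ "pdf"` would be consistent with them. The same comparison is re-added in attachment_pdf_linking_to_password_protected_file.yml. The rest of this hunk only re-indents existing lines and re-labels tags.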
diff --git a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml index 468ae2680c6..1c06ab53db8 100644 --- a/detection-rules/attachment_pdf_linking_to_password_protected_file.yml +++ b/detection-rules/attachment_pdf_linking_to_password_protected_file.yml 
@@ -1,38 +1,47 @@ name: "Attachment: Adobe branded PDF file linking to a password-protected file from first-time sender" description: | - Detects pdf files with links to a remotely hosted password-protected file. This is a common technique - abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat) + Detects pdf files with links to a remotely hosted password-protected file. This is a common technique + abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat) type: "rule" severity: "high" source: | - type.inbound + type.inbound - and any(attachments, .file_extension == "pdf" - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, - .name == "cred_theft" and .confidence == "high" - ) - - and strings.icontains(.scan.ocr.raw, "password-protected") - - and any(ml.nlu_classifier(.scan.ocr.raw).entities, - .name == "org" and .text == "Adobe" - ) - ) - ) + and any(attachments, .file_extension == "pdf" + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence == "high" + ) + + and strings.icontains(.scan.ocr.raw, "password-protected") + + and any(ml.nlu_classifier(.scan.ocr.raw).entities, + .name == "org" and .text == "Adobe" + ) + ) + ) - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) - ) -tags: - - "Machine Learning" - - "Suspicious attachment" + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" + - "Impersonation: Brand" + - "PDF" +detection_methods: + - 
"Archive analysis" + - "File analysis" - "Natural Language Understanding" + - "Optical Character Recognition" + - "Sender analysis" id: "5ea75469-58e8-561e-9a19-24da14a946b7" diff --git a/detection-rules/attachment_pdf_with_google_ae_redirect.yml b/detection-rules/attachment_pdf_with_google_ae_redirect.yml index 430f1ac7e54..b9e675bd503 100644 --- a/detection-rules/attachment_pdf_with_google_ae_redirect.yml +++ b/detection-rules/attachment_pdf_with_google_ae_redirect.yml @@ -2,7 +2,7 @@ name: "PDF attachment with Google (AE) redirecting to a php file" description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL" references: - "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20" - - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c" + - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c" type: "rule" severity: "high" source: | @@ -20,7 +20,14 @@ source: | ) ) tags: - - "Suspicious attachment" + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" - - "QakBot" + - "PDF" +detection_methods: + - "Content analysis" + - "File analysis" + - "URL analysis" id: "57ae513f-54b6-5ddd-9527-449a6d2a23c3" diff --git a/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml b/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml index 013537e5211..6cab6954a6b 100644 --- a/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml +++ b/detection-rules/attachment_pdf_with_link_to_zip_containing_wsf.yml @@ -1,6 +1,6 @@ name: "Attachment: PDF with link to zip containing a wsf file" description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file" -references: +references: - "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70" - "https://twitter.com/Cryptolaemus1/status/1649091718552379392" - "https://twitter.com/Cryptolaemus1/status/1650826597333696515" 
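Review bot: `attack_types` for attachment_pdf_linking_to_password_protected_file.yml lists only `Malware/Ransomware`, yet the rule's own `source` requires an NLU intent of `cred_theft` at high confidence and the description names phishing actors first; add `  - "Credential Phishing"` alongside it, as the sibling PDF and HTML-smuggling rules in this change do. `detection_methods` also gains `Archive analysis`, but the visible `source` only explodes a single PDF attachment and runs OCR/NLU on it, so that entry looks unsupported unless `file.explode` counts as archive handling here — please confirm or drop it.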
@@ -26,6 +26,15 @@ source: | ) ) tags: - - "Suspicious attachment" - - "QakBot" + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "PDF" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "URL analysis" id: "93bc7db4-248f-502a-bc9a-919915cbc0fb" diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml index 84d163e83e8..da90feb2835 100644 --- a/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml +++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_suspicious_files.yml @@ -28,8 +28,15 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) - tags: - - "Suspicious attachment" - - "Ave Maria" + - "Malfam: Ave Maria" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "PDF" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000" diff --git a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml index dcacd0a3bcf..fa4445966f9 100644 --- a/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml +++ b/detection-rules/attachment_pdf_with_low_reputation_link_to_zip_file.yml @@ -31,6 +31,16 @@ source: | ) ) tags: - - "Suspicious attachment" - - "QakBot" + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "PDF" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1" 
diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml index 6307626333f..5337ab10cb4 100644 --- a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml +++ b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml @@ -23,6 +23,12 @@ source: | ))) >= 1 ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Macros" +detection_methods: + - "File analysis" + - "Macro analysis" id: "1c591681-3f02-5d1e-be08-fc1e6793c68b" diff --git a/detection-rules/attachment_powerpoint_hyperlinks.yml b/detection-rules/attachment_powerpoint_hyperlinks.yml new file mode 100644 index 00000000000..ffe826ae20a --- /dev/null +++ b/detection-rules/attachment_powerpoint_hyperlinks.yml @@ -0,0 +1,34 @@ +name: "Attachment: PowerPoint with suspicious hyperlink" +description: | + Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code. +references: + - "https://twitter.com/doc_guard/status/1570190610774257665" +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, (.file_extension in~ ("ppt", "pptx")) + and any(file.explode(.), + any(.scan.exiftool.fields, .key == "Hyperlinks" + and ( + 4 of ( + strings.ilike(.value, "*[Convert]::ToChar*"), + strings.ilike(.value, "*vbs*"), + strings.ilike(.value, "*[IO.File]::Create*"), + strings.ilike(.value, "*[IO.File]::Exists*"), + strings.ilike(.value, "*[io.FileOPtions]::DeleteOnClose*"), + strings.ilike(.value, "*Net.WebClient*"), + strings.ilike(.value, "*dll*"), + ) + ) + ) + )) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Scripting" +detection_methods: + - "Exif analysis" + - "File analysis" +id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704" 
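Review bot: The new attachment_powerpoint_hyperlinks.yml rule only inspects attachments whose extension is `ppt` or `pptx`, so the macro-enabled, slideshow and template variants of the same format (`pptm`, `ppsx`, `ppsm`, `potx`, `potm`) are never examined even though the exiftool `Hyperlinks` check would presumably apply to them just as well; widening the tuple to `.file_extension in~ ("ppt", "pptx", "pptm", "ppsx", "ppsm", "potx", "potm")` closes that gap, following the same `in~ (...)` list pattern attachment_rtf_embedded_content.yml already uses. The `4 of` threshold keeps the broad substrings `"*vbs*"` and `"*dll*"` from firing on their own, but a one-line `//` comment above `4 of (` noting that the indicators are PowerShell fragments taken from the referenced sample, and that the threshold rather than any single string carries the signal, would help whoever tunes this later. The description could also state what is actually matched (PowerShell-style strings in the slide hyperlink metadata) rather than only the consequence.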
diff --git a/detection-rules/attachment_powershell_content.yml b/detection-rules/attachment_powershell_content.yml index 2cede6a35d9..dd04a89d362 100644 --- a/detection-rules/attachment_powershell_content.yml +++ b/detection-rules/attachment_powershell_content.yml @@ -25,6 +25,11 @@ source: | ("ps1", "ps1xml", "psm1", "psd1", "pssc", "psrc", "cdxml", "ps2", "ps2xml", "psc2",) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" id: "c12566db-83af-506a-b9be-adbc01755999" diff --git a/detection-rules/attachment_rdp_connection_file.yml b/detection-rules/attachment_rdp_connection_file.yml index 2be7aef45ed..fe1d1bdf823 100644 --- a/detection-rules/attachment_rdp_connection_file.yml +++ b/detection-rules/attachment_rdp_connection_file.yml @@ -21,5 +21,11 @@ source: | ) ) tags: - - "Suspicious attachment" + - "Attack surface reduction" +attack_types: + - "Malware/Ransomware" + - "Credential Phishing" +detection_methods: + - "Archive analysis" + - "File analysis" id: "2409a422-4116-5a40-b929-c1b47ed5c1e5" diff --git a/detection-rules/attachment_rtf_embedded_content.yml b/detection-rules/attachment_rtf_embedded_content.yml index 20ac5f578a8..6b58cfec305 100644 --- a/detection-rules/attachment_rtf_embedded_content.yml +++ b/detection-rules/attachment_rtf_embedded_content.yml @@ -17,6 +17,11 @@ source: | or .file_extension in~ ("bat", "exe", "vbs") ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "File analysis" + - "YARA" id: "61dd2dd7-21cf-58be-bd58-87ae677a00ab" diff --git a/detection-rules/attachment_sfx_commands.yml b/detection-rules/attachment_sfx_commands.yml index 705e4539ce7..5a511230f96 100644 --- a/detection-rules/attachment_sfx_commands.yml +++ b/detection-rules/attachment_sfx_commands.yml 
@@ -14,6 +14,11 @@ source: | and any(.scan.strings.strings, strings.ilike(., 'Setup=*')) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Scripting" +detection_methods: + - "File analysis" id: "343e6c8c-8e46-5f3d-a5ee-c79360f73376" diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml index 9c8631918d1..7860c972952 100644 --- a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml +++ b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml @@ -23,6 +23,13 @@ source: | )) ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Macros" + - "Scripting" +detection_methods: + - "Content analysis" + - "File analysis" + - "Macro analysis" id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004" diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml index 03ffa8d6b96..fa6dded2b49 100644 --- a/detection-rules/attachment_soliciting_enable_macros.yml +++ b/detection-rules/attachment_soliciting_enable_macros.yml @@ -28,7 +28,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Optical Character Recognition" + - "Sender analysis" id: "e9d75515-8d64-531d-8ccb-9153150d0ee3" diff --git a/detection-rules/attachment_suspicious_csproj.yml b/detection-rules/attachment_suspicious_csproj.yml new file mode 100644 index 00000000000..06c22e23675 --- /dev/null +++ b/detection-rules/attachment_suspicious_csproj.yml 
@@ -0,0 +1,28 @@ +name: "Attachment: .csproj with suspicious commands" +description: | + Attached .csproj file contains suspicious commands. +references: + - "https://delivr.to/payloads?id=9d80cf8d-fb68-40fb-8969-4b11f3a29c9f" +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + .file_extension == "csproj" + and any(file.explode(.), + ( + (any(.scan.strings.strings, strings.contains(., 'DllImport'))) + and (any(.scan.strings.strings, strings.icontains(., 'CreateProcess'))) + ) + ) + ) +tags: + - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Scripting" +detection_methods: + - "File analysis" +id: "fe45b81d-43df-52fc-9bf8-79824819fb51" diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml index 3af7d5e3813..7ddfae736ab 100644 --- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml +++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml @@ -19,8 +19,12 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Macros" - - "Machine Learning" +detection_methods: + - "File analysis" + - "Macro analysis" + - "Sender analysis" id: "37cec120-2757-5e99-a489-1315780dae08" diff --git a/detection-rules/attachment_svg_embedded_js.yml b/detection-rules/attachment_svg_embedded_js.yml index 02549b90e3e..6945b1d03ce 100644 --- a/detection-rules/attachment_svg_embedded_js.yml +++ b/detection-rules/attachment_svg_embedded_js.yml 
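Review bot: The new attachment_suspicious_csproj.yml still carries `tags: - "Suspicious attachment"` even though every other hunk in this commit removes that tag in favour of `attack_types`/`tactics_and_techniques`/`detection_methods` (see attachment_sfx_commands.yml and attachment_powershell_content.yml above), so a freshly added file reintroduces the taxonomy being retired; dropping the two `tags:` lines makes it consistent with attachment_powerpoint_hyperlinks.yml, which was added in the same commit without them. The source also mixes `strings.contains(., 'DllImport')` with `strings.icontains(., 'CreateProcess')`; if the case-sensitive match is deliberate (DllImport being a C# attribute name), a comment such as `// DllImport matched case-sensitively as written in C#; CreateProcess case-insensitively to cover variant casing` would stop a later edit from normalising one to the other, and if it is not, `strings.icontains` on both is what a reader would expect.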
@@ -39,7 +39,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" - - "Malware" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Scripting" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" + - "XML analysis" id: "f70293bc-b6da-5dbd-8756-e3ca282aba35" diff --git a/detection-rules/attachment_svg_file_execution.yml b/detection-rules/attachment_svg_file_execution.yml index 7b3472628ef..52db4e75e64 100644 --- a/detection-rules/attachment_svg_file_execution.yml +++ b/detection-rules/attachment_svg_file_execution.yml @@ -27,7 +27,12 @@ source: | and any(.scan.strings.strings, strings.like(., "*Run*", "*Execute*")) ) ) -tags: - - "Suspicious attachment" - - "Malware" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" id: "084b0cde-4352-5624-b1e8-2d9ecd1f7218" diff --git a/detection-rules/attachment_uncommon_compressed.yml b/detection-rules/attachment_uncommon_compressed.yml index cb8775fa43c..488e25a7fd9 100644 --- a/detection-rules/attachment_uncommon_compressed.yml +++ b/detection-rules/attachment_uncommon_compressed.yml @@ -9,9 +9,13 @@ type: "rule" severity: "low" source: | type.inbound - and any(attachments, .file_extension in ('tar', 'iso', 'img', 'cab', - 'gadget', 'uue')) + and any(attachments, .file_extension in ('tar', 'iso', 'img', 'cab', 'gadget', 'uue')) tags: - - "Suspicious attachment" - "Attack surface reduction" -id: "0c6fba7a-b8a9-5491-a32c-411882e10c79" +attack_types: + - "Malware/Ransomware" + - "Credential Phishing" +detection_methods: + - "Archive analysis" + - "File analysis" +id: "0c6fba7a-b8a9-5491-a32c-411882e10c79" \ No newline at end of file diff --git a/detection-rules/attachment_url_with_unc_path.yml b/detection-rules/attachment_url_with_unc_path.yml index 86eb9ee8b11..366944f0bd7 100644 
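Review bot: The rewritten tail of attachment_uncommon_compressed.yml ends with `\ No newline at end of file` after the new `id:` line, whereas the removed `-id:` line had a trailing newline, so this hunk introduces a missing final newline that none of the other rule files in the commit have and that yamllint's new-line-at-end-of-file check will flag. Terminating the file with a newline after `id: "0c6fba7a-b8a9-5491-a32c-411882e10c79"` fixes it and avoids the same `\ No newline` noise in the next diff that touches this rule.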
--- a/detection-rules/attachment_url_with_unc_path.yml +++ b/detection-rules/attachment_url_with_unc_path.yml @@ -13,7 +13,11 @@ source: | or any(.scan.strings.strings, regex.icontains(., '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)')) // percent-encoded UNC paths ) ) -tags: - - "Suspicious attachment" - - "Windows exploit" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "LNK" +detection_methods: + - "File analysis" id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af" diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml index 888f76a77b7..d4ba1a6a1c0 100644 --- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml +++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml @@ -1,7 +1,7 @@ name: "Attachment with auto-executing macro (unsolicited)" description: | Attachment from an unsolicited sender contains a macro that will auto-execute when the file is opened. - + Macros are a common phishing technique used to deploy malware. references: - "https://www.trustedsec.com/blog/malicious-macros-for-script-kiddies/" @@ -23,7 +23,21 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" + + // negate replies + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Macros" +detection_methods: + - "Archive analysis" + - "Header analysis" + - "File analysis" + - "Macro analysis" + - "OLE analysis" + - "Sender analysis" id: "af6624c3-2a28-5fbb-8936-fb29e55dd29d" diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml index 988f8865253..37dfcf5b083 100644 --- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml 
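Review bot: The new `// negate replies` clause in attachment_vba_macro_auto_exec_unsolicited.yml joins its two conditions with `or`, so a message is excluded only when it has both a non-empty `headers.references` and an `In-Reply-To` hop field; a message carrying just one of the two still fires, which may or may not be what the comment intends. If the goal is to exclude anything that looks like a reply, the join should be the negation of either signal, `and not ( length(headers.references) > 0 or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) )`; if the stricter both-headers reading is deliberate, the comment should say so. Either way both headers are supplied by the sender, so this exclusion is a false-positive trade-off rather than a trust boundary, and extending the comment to record that the rule accepts not alerting on a message that merely presents itself as a reply would make the trade-off explicit. The `source:` block this clause belongs to starts outside the hunk.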
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml @@ -26,7 +26,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Sender analysis" id: "d48b3e53-dee4-546b-b81a-0c781929fdfb" diff --git a/detection-rules/attachment_vba_macro_calling_executable.yml b/detection-rules/attachment_vba_macro_calling_executable.yml index ca1032e06a8..ca8f74e4bcd 100644 --- a/detection-rules/attachment_vba_macro_calling_executable.yml +++ b/detection-rules/attachment_vba_macro_calling_executable.yml @@ -13,7 +13,12 @@ source: | and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*"))) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "Macros" +detection_methods: + - "Archive analysis" + - "File analysis" id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c" diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml index d6826b1432d..64fa45578d8 100644 --- a/detection-rules/attachment_vba_macro_employee_impersonation.yml +++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml @@ -1,7 +1,7 @@ name: "Attachment with VBA macros from employee impersonation (unsolicited)" description: | Attachment contains a VBA macro from a sender your organization has never sent an email to. - + Sender is using a display name that matches the display name of someone in your organization. 
@@ -27,10 +27,15 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Employee" - "Macros" - - "Unsolicited" - - "Suspicious sender" - - "Employee impersonation" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Macro analysis" + - "Sender analysis" id: "9b262123-9010-5245-89a7-9ebd75333b2a" diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml index c663ed6ec92..56be092673d 100644 --- a/detection-rules/attachment_vba_macro_high_risk.yml +++ b/detection-rules/attachment_vba_macro_high_risk.yml @@ -21,7 +21,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: - "Macros" +detection_methods: + - "File analysis" + - "Macro analysis" + - "OLE analysis" + - "Sender analysis" id: "a2b20e16-b363-50f1-92a5-ee6c41012118" diff --git a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml index 9ee26a8fac6..c81f3e21e0b 100644 --- a/detection-rules/attachment_with_encrypted_zip_unsolicited.yml +++ b/detection-rules/attachment_with_encrypted_zip_unsolicited.yml @@ -20,6 +20,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Encryption" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" id: "697c87ae-943d-54a0-a41b-ba1667147e03" diff --git a/detection-rules/attachment_with_suspicious_author_unsolicited.yml b/detection-rules/attachment_with_suspicious_author_unsolicited.yml index 845d0bdd9e5..5a9e5decc7f 100644 
--- a/detection-rules/attachment_with_suspicious_author_unsolicited.yml +++ b/detection-rules/attachment_with_suspicious_author_unsolicited.yml @@ -19,6 +19,9 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +detection_methods: + - "File analysis" + - "Sender analysis" id: "40f518b9-88a2-59c5-8f6a-54bfd0fdf209" diff --git a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml index 5caa3cb3b18..f8204c292ae 100644 --- a/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml +++ b/detection-rules/attachment_with_unknown_encrypted_zip_unsolicited.yml @@ -23,6 +23,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious attachment" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" + - "YARA" id: "529d4a9a-ffa7-5a53-a065-df244ec67e7a" diff --git a/detection-rules/body_business_email_compromise_new_sender.yml b/detection-rules/body_business_email_compromise_new_sender.yml index 4019a8c128b..18e7cea6a04 100644 --- a/detection-rules/body_business_email_compromise_new_sender.yml +++ b/detection-rules/body_business_email_compromise_new_sender.yml @@ -1,6 +1,6 @@ name: "Body: Business Email Compromise (BEC) attempt from first-time sender" description: | - Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders. + Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from first-time senders. type: "rule" severity: "medium" source: | 
@@ -22,9 +22,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Machine Learning" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" - - "Suspicious sender" - - "Business Email Compromise" + - "Sender analysis" id: "96d4c35a-ca53-559e-9db3-349dbbdffc20" diff --git a/detection-rules/body_business_email_compromise_unsolicited.yml b/detection-rules/body_business_email_compromise_unsolicited.yml index 73d3205001f..56610cc6c3a 100644 --- a/detection-rules/body_business_email_compromise_unsolicited.yml +++ b/detection-rules/body_business_email_compromise_unsolicited.yml @@ -1,6 +1,6 @@ name: "Body: Business Email Compromise (BEC) attempt from unsolicited sender" description: | - Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders. + Detects potential Business Email Compromise (BEC) attacks by analyzing text within the email body from unsolicited senders. type: "rule" severity: "medium" source: | @@ -38,9 +38,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Machine Learning" - - "Natural Language Understanding" - - "Suspicious sender" - - "Business Email Compromise" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Social engineering" + - "Spoofing" +detection_methods: + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" id: "57eccc45-0408-55ee-ae33-8203e166254a" diff --git a/detection-rules/body_callback_phishing_no_attachment.yml b/detection-rules/body_callback_phishing_no_attachment.yml index 1a35d0896d7..f537ce3ce84 100644 --- a/detection-rules/body_callback_phishing_no_attachment.yml +++ b/detection-rules/body_callback_phishing_no_attachment.yml 
@@ -18,7 +18,7 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) - + and sender.email.domain.root_domain in $free_email_providers and strings.ilike(body.plain.raw, "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*") and 4 of ( @@ -35,7 +35,14 @@ source: | strings.ilike(body.plain.raw, '*refund*'), strings.ilike(body.plain.raw, '*+1*') ) -tags: +attack_types: - "Callback Phishing" - - "Customer service fraud" +tactics_and_techniques: + - "Free email provider" + - "Impersonation: Brand" + - "Out of band pivot" + - "Social engineering" +detection_methods: + - "File analysis" + - "Sender analysis" id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1" diff --git a/detection-rules/body_extortion.yml b/detection-rules/body_extortion.yml index 7d08f96cfe6..62fb414bdda 100644 --- a/detection-rules/body_extortion.yml +++ b/detection-rules/body_extortion.yml @@ -1,7 +1,7 @@ name: "Extortion / sextortion (first-time sender)" description: | - Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender. -references: + Detects extortion and sextortion attempts by analyzing the email body text from a first-time sender. +references: - "https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/" type: "rule" severity: "low" @@ -28,10 +28,14 @@ source: | // many extortion emails spoof sender domains and fail sender authentication or any(headers.hops, .authentication_results.dmarc == "fail") ) - -tags: - - "Machine Learning" - - "Natural Language Understanding" +attack_types: - "Extortion" - - "Sextortion" +tactics_and_techniques: + - "Social engineering" + - "Spoofing" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" id: "265913eb-2ccd-5f77-9a09-f6d8539fd2f6" 
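Review bot: body_callback_phishing_no_attachment.yml now lists `"File analysis"` under `detection_methods`, but the rule is a no-attachment rule whose visible source only matches `body.plain.raw` and the sender domain, so the label does not describe the logic (the part of `source:` before this hunk is not visible, though the rule name makes file inspection unlikely); `- "Content analysis"` is the method the body matching corresponds to, as the sibling body_html_callback_phishing_no_attachment.yml and body_extortion.yml use. The same check is worth applying to body_html_callback_phishing_no_attachment.yml below, whose new `detection_methods` includes `"URL analysis"` although its fully visible source never reads `body.links` or any URL field.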
diff --git a/detection-rules/body_html_callback_phishing_no_attachment.yml b/detection-rules/body_html_callback_phishing_no_attachment.yml index 9cb24d4f6c3..2241ffac3b7 100644 --- a/detection-rules/body_html_callback_phishing_no_attachment.yml +++ b/detection-rules/body_html_callback_phishing_no_attachment.yml 
@@ -6,37 +6,45 @@ description: | type: "rule" severity: "medium" source: | - type.inbound - and length(attachments) == 0 - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) - ) - - and sender.email.domain.root_domain in $free_email_providers - and any([body.html.inner_text], strings.ilike(., "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*")) - and any([body.html.inner_text], strings.ilike(., "*+1*")) + type.inbound + and length(attachments) == 0 + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $recipient_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $recipient_domains + ) + ) + + and sender.email.domain.root_domain in $free_email_providers + and any([body.html.inner_text], strings.ilike(., "*mcafee*", "*norton*", "*geek squad*", "*paypal*", "*ebay*", "*symantec*", "*best buy*", "*lifelock*")) + and any([body.html.inner_text], strings.ilike(., "*+1*")) - and 4 of ( - strings.ilike(body.html.inner_text, '*purchase*'), - strings.ilike(body.html.inner_text, '*subscription*'), - strings.ilike(body.html.inner_text, '*antivirus*'), - strings.ilike(body.html.inner_text, '*order*'), - strings.ilike(body.html.inner_text, '*support*'), - strings.ilike(body.html.inner_text, '*receipt*'), - strings.ilike(body.html.inner_text, '*invoice*'), - strings.ilike(body.html.inner_text, '*call*'), - strings.ilike(body.html.inner_text, '*cancel*'), - strings.ilike(body.html.inner_text, '*renew*'), - strings.ilike(body.html.inner_text, '*refund*') - ) -tags: + and 4 of ( + strings.ilike(body.html.inner_text, '*purchase*'), + strings.ilike(body.html.inner_text, '*subscription*'), + 
strings.ilike(body.html.inner_text, '*antivirus*'), + strings.ilike(body.html.inner_text, '*order*'), + strings.ilike(body.html.inner_text, '*support*'), + strings.ilike(body.html.inner_text, '*receipt*'), + strings.ilike(body.html.inner_text, '*invoice*'), + strings.ilike(body.html.inner_text, '*call*'), + strings.ilike(body.html.inner_text, '*cancel*'), + strings.ilike(body.html.inner_text, '*renew*'), + strings.ilike(body.html.inner_text, '*refund*') + ) +attack_types: - "Callback Phishing" - - "Customer service fraud" +tactics_and_techniques: + - "Free email provider" + - "Impersonation: Brand" + - "Out of band pivot" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" + - "URL analysis" id: "afe5dec2-1ec0-505e-b5dd-768144d71bec" diff --git a/detection-rules/body_html_smuggling_atob_in_body.yml b/detection-rules/body_html_smuggling_atob_in_body.yml index e2ef2a67068..6641ceb145e 100644 --- a/detection-rules/body_html_smuggling_atob_in_body.yml +++ b/detection-rules/body_html_smuggling_atob_in_body.yml @@ -1,5 +1,5 @@ name: "HTML smuggling with atob in message body" -description: | +description: | Detects if the email body HTML contains the document write or insertAdjacentHTML method and atob function call. This technique has been observed leading to credential phishing. type: "rule" @@ -8,7 +8,12 @@ source: | type.inbound and (length(body.plain.raw) < 200 or body.plain.raw is null) and regex.icontains(body.html.raw, "document.{0,10}(write|insertAdjacentHTML).{0,10}atob") -tags: - - "Suspicious body" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "HTML smuggling" +detection_methods: + - "Content analysis" + - "HTML analysis" id: "0f86851f-3ec4-50b6-ba1a-cba096642d0e" diff --git a/detection-rules/body_job_scam_new_sender.yml b/detection-rules/body_job_scam_new_sender.yml index 88dea7186e0..7e4c12ace6f 100644 --- a/detection-rules/body_job_scam_new_sender.yml 
+++ b/detection-rules/body_job_scam_new_sender.yml @@ -1,6 +1,6 @@ name: "Job Scam (first-time sender)" description: | - Detects job scam attempts by analyzing the email body text from a first-time sender. + Detects job scam attempts by analyzing the email body text from a first-time sender. type: "rule" severity: "low" source: | @@ -25,10 +25,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) - -tags: - - "Machine Learning" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" - - "Scam" - - "Suspicious sender" + - "Sender analysis" id: "a37dc32d-33a4-5097-a585-ff6c345d0ecc" diff --git a/detection-rules/body_microsoft_logo_bing_redirect.yml b/detection-rules/body_microsoft_logo_bing_redirect.yml index c10b1517d33..cb7058d8f47 100644 --- a/detection-rules/body_microsoft_logo_bing_redirect.yml +++ b/detection-rules/body_microsoft_logo_bing_redirect.yml @@ -43,12 +43,12 @@ source: | ) ) ) - + // Bing redirect and any(body.links, .href_url.domain.root_domain == 'bing.com' and .href_url.path =~ '/ck/a') - + and sender.email.domain.root_domain not in $org_domains - + and sender.email.domain.root_domain not in ( "bing.com", "microsoft.com", @@ -60,8 +60,17 @@ source: | "sharepointonline.com", "yammer.com" ) -tags: - - "Suspicious content" - - "Brand impersonation" - - "Suspicious link" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: Brand" + - "Open redirect" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e" diff --git a/detection-rules/body_unicode_slashes_in_url.yml b/detection-rules/body_unicode_slashes_in_url.yml index 045125689bc..5dfe4f3fe9f 100644 --- a/detection-rules/body_unicode_slashes_in_url.yml 
+++ b/detection-rules/body_unicode_slashes_in_url.yml @@ -13,6 +13,12 @@ source: | regex.icontains(body.plain.raw, 'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+') or any(body.links, regex.icontains(.href_url.url,'https?:\/\/[^\s⁄∕]+(?:\/[^\s⁄∕]+)*[⁄∕][^\s⁄∕]+')) ) -tags: - - "Suspicious Link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Content analysis" + - "URL analysis" id: "12069f5b-a774-53ba-8473-633291f71e84" diff --git a/detection-rules/callback_phishing_nlu_body_or_attachments.yml b/detection-rules/callback_phishing_nlu_body_or_attachments.yml index 252ab8f624a..4aa91a9de3c 100644 --- a/detection-rules/callback_phishing_nlu_body_or_attachments.yml +++ b/detection-rules/callback_phishing_nlu_body_or_attachments.yml 
@@ -1,37 +1,42 @@ name: "Callback Phishing NLU body or attachment from first-time sender" description: | - Detects callback scams by analyzing text within images of receipts or invoices from first time senders. + Detects callback scams by analyzing text within images of receipts or invoices from first time senders. type: "rule" severity: "medium" source: | - type.inbound - and ( - any(attachments, .file_type in ("png", "jpg", "pdf") - and any(file.explode(.), - any(ml.nlu_classifier(.scan.ocr.raw).intents, - .name == "callback_scam" and .confidence == "high" - ) + type.inbound + and ( + any(attachments, + .file_type in ("png", "jpg", "pdf") + and any(file.explode(.), + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "callback_scam" and .confidence == "high" + ) + ) + ) + or any(ml.nlu_classifier(body.current_thread.text).intents, + .name in ("callback_scam") and .confidence == "high" ) ) - or - any(ml.nlu_classifier(coalesce( - body.html.display_text, body.plain.raw)).intents, - .name in ("callback_scam") and .confidence == "high" - ) - ) - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) ) - ) -tags: - - "Machine Learning" - - "Customer service fraud" - - "Natural Language Understanding" +attack_types: - "Callback Phishing" +tactics_and_techniques: + - "Out of band pivot" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Optical Character Recognition" + - "Natural Language Understanding" + - "Sender analysis" id: "b93c6f94-c9a3-587a-8eb5-6856754f8222" 
diff --git a/detection-rules/cve_2021_40444_external_relationship.yml b/detection-rules/cve_2021_40444_external_relationship.yml index 97c39d974f4..d98db979cbb 100644 --- a/detection-rules/cve_2021_40444_external_relationship.yml +++ b/detection-rules/cve_2021_40444_external_relationship.yml @@ -29,7 +29,17 @@ source: | ) ) tags: - - "Suspicious attachment" - "CVE-2021-40444" - - "Office exploit" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Exploit" + - "Macros" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "Macro analysis" + - "OLE analysis" id: "8cefcf7f-2a48-5102-9b09-8db995759223" diff --git a/detection-rules/disposable_sender_unsolicited.yml b/detection-rules/disposable_sender_unsolicited.yml index 4cead019139..0da99bbf41f 100644 --- a/detection-rules/disposable_sender_unsolicited.yml +++ b/detection-rules/disposable_sender_unsolicited.yml @@ -8,6 +8,6 @@ source: |- type.inbound and sender.email.domain.root_domain in $disposable_email_providers and sender.email.email not in $recipient_emails -tags: - - "Suspicious sender" +detection_methods: + - "Sender analysis" id: "5436b3db-3f17-5100-8136-1d03fc221fca" diff --git a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml index 7bc9c94cc58..bedb767f21f 100644 --- a/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml +++ b/detection-rules/file_sharing_link_from_suspicious_sender_domain.yml @@ -17,9 +17,12 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "File sharing link" - - "Suspicious link" - - "Suspicious sender" - - "Spam" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Free file host" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "95f20354-3091-537e-9fe0-80ea8b64913b" 
diff --git a/detection-rules/file_sharing_link_suspicious_subject.yml b/detection-rules/file_sharing_link_suspicious_subject.yml index cf4077a8441..ff3c735beee 100644 --- a/detection-rules/file_sharing_link_suspicious_subject.yml +++ b/detection-rules/file_sharing_link_suspicious_subject.yml @@ -19,8 +19,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "File sharing link" - - "Suspicious link" - - "Suspicious subject" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Free file host" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" + - "URL analysis" id: "a306e2a6-addc-5e26-9be1-c146f37fd7f2" diff --git a/detection-rules/headers_anonymousfox.yml b/detection-rules/headers_anonymousfox.yml index fa8ddf64fb9..3b1e379309b 100644 --- a/detection-rules/headers_anonymousfox.yml +++ b/detection-rules/headers_anonymousfox.yml @@ -13,6 +13,11 @@ source: | regex.icontains(.name, "X-Authenticated-Sender|X-Sender") and regex.icontains(.value, "(anonymous|smtp)fox-")) or regex.icontains(sender.email.email, "(anonymous|smtp)fox-")) -tags: - - "Suspicious headers" +attack_types: + - "BEC/Fraud" + - "Credential Phishing" + - "Malware/Ransomware" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "2506206e-b879-57fa-bcfd-95c66eb02db8" diff --git a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml index fe567a322cc..782509a0586 100644 --- a/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml +++ b/detection-rules/headers_bec_masked_recipients_no_links_freemail_replyto.yml 
@@ -7,18 +7,18 @@ type: "rule" severity: "medium" source: | type.inbound - + and any(recipients.to, .email.email == sender.email.email) and length(recipients.cc) == 0 and length(recipients.bcc) == 0 - + and length(body.links) == 0 - + and any(headers.reply_to, .email.domain.domain in $free_email_providers and not .email.domain.domain == sender.email.domain.domain ) - + and ( ( sender.email.domain.root_domain in $free_email_providers @@ -29,8 +29,12 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious sender" - - "Suspicious headers" - - "Business Email Compromise" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Evasion" + - "Free email provider" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "682191bf-a623-5f03-a497-9b8590535697" diff --git a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml index 8750cbbc14a..c0360a0682b 100644 --- a/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml +++ b/detection-rules/headers_freemail_replyto_returnpath_mismatch.yml 
@@ -4,21 +4,32 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and any(ml.nlu_classifier(coalesce(
- body.html.display_text, body.plain.raw)).intents,
- .name in ("bec") and .confidence in ("medium", "high")
+ and any(ml.nlu_classifier(body.current_thread.text).intents,
+ .name in ("bec") and .confidence in ("medium", "high")
 )
 and (
 headers.return_path.domain.root_domain in $free_email_providers
 or (
 length(headers.reply_to) > 0
- and all(headers.reply_to,
- .email.domain.root_domain in $free_email_providers)
+ and all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
+ )
+ )
+ and not (
+ sender.email.domain.root_domain == "paypal.com"
+ and any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*pass")
 )
 )
 and sender.email.domain.root_domain not in $free_email_providers
-tags:
- - "Suspicious sender"
- - "Business Email Compromise"
+attack_types:
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Header analysis"
 - "Natural Language Understanding"
+ - "Sender analysis"
 id: "83e5e2df-7049-5990-b20d-1ff6bc6fd6f0"
diff --git a/detection-rules/headers_invalid_ios_build.yml b/detection-rules/headers_invalid_ios_build.yml
index 4b7fa27f9cb..1f962733e94 100644
--- a/detection-rules/headers_invalid_ios_build.yml
+++ b/detection-rules/headers_invalid_ios_build.yml
@@ -7,7 +7,12 @@ source: |
 type.inbound
 and regex.contains(headers.mailer, '(iPad|iPhone) Mail')
 and not regex.contains(headers.mailer, '(iPad|iPhone) Mail \([0-9]{2}')
-tags:
- - "Suspicious headers"
- - "Suspicious sender"
+attack_types:
+ - "BEC/Fraud"
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "Header analysis"
 id: "e0b74072-3210-5511-9ad9-2c945ab28abb"
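Review bot: The new `and not ( sender.email.domain.root_domain == "paypal.com" ... )` carve-out has no comment explaining why a first-party domain needs an exemption from a freemail Return-Path/Reply-To check; presumably an observed false positive, so a line above it such as `// paypal.com: <reason — TODO confirm>; exempt only when DMARC passes` would keep the exclusion auditable. The DMARC test accepts a `*pass` verdict on any hop whose `authentication_results.dmarc` is set, which is only as reliable as the platform's guarantee that this field comes from the receiving MTA rather than being copied from upstream headers; worth confirming or recording that assumption next to the check. Separately, the classifier input moves from `coalesce(body.html.display_text, body.plain.raw)` to `body.current_thread.text`, which narrows scoring to the latest message in a thread — a behavioural change rather than a taxonomy one, and a note in the rule description (not in the hunk) would make it visible.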
diff --git a/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml b/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml index adb5df9970d..ea173528ddf 100644 --- a/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml +++ b/detection-rules/headers_php_mailer_with_common_phishing_attachments.yml @@ -11,7 +11,10 @@ source: | type.inbound and strings.ilike(headers.mailer, '*phpmailer*') and any(attachments, .file_name in~ ('image.png', 'name.png', 'use.png')) -tags: - - "Suspicious attachment" - - "PHP mailer" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Image as content" +detection_methods: + - "Header analysis" id: "07e03563-88f6-5d2f-8730-7d17f860ba14" diff --git a/detection-rules/headers_replyto_new_domain_nlu_request.yml b/detection-rules/headers_replyto_new_domain_nlu_request.yml index 23f5616fb1f..c477612dfd6 100644 --- a/detection-rules/headers_replyto_new_domain_nlu_request.yml +++ b/detection-rules/headers_replyto_new_domain_nlu_request.yml @@ -46,8 +46,15 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Vendor impersonation" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" - - "New domain" + - "Sender analysis" + - "URL analysis" + - "Whois" id: "db4d9bb3-0eca-5525-9a99-7c1c773b580f" diff --git a/detection-rules/headers_russia_return_path.yml b/detection-rules/headers_russia_return_path.yml index 23356c7d392..1e3c6025da9 100644 --- a/detection-rules/headers_russia_return_path.yml +++ b/detection-rules/headers_russia_return_path.yml 
@@ -17,7 +17,11 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Suspicious headers" - +attack_types: + - "BEC/Fraud" + - "Credential Phishing" + - "Malware/Ransomware" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "588b3954-c03a-57fb-b5a4-abf993a8c003" diff --git a/detection-rules/headers_sendgrid_onmicrosoft.yml b/detection-rules/headers_sendgrid_onmicrosoft.yml index bb309b8d40b..b8daac8b4de 100644 --- a/detection-rules/headers_sendgrid_onmicrosoft.yml +++ b/detection-rules/headers_sendgrid_onmicrosoft.yml @@ -9,6 +9,10 @@ source: | type.inbound and headers.return_path.domain.domain == "sendgrid.net" and sender.email.domain.root_domain == "onmicrosoft.com" -tags: - - "Suspicious headers" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Header analysis" id: "271f4ae9-9681-5d61-a94d-8fa714db826d" diff --git a/detection-rules/headers_spf_temp_error.yml b/detection-rules/headers_spf_temp_error.yml index f3734667407..d237245ed1e 100644 --- a/detection-rules/headers_spf_temp_error.yml +++ b/detection-rules/headers_spf_temp_error.yml @@ -14,6 +14,8 @@ severity: "medium" source: | type.inbound and any(headers.hops, any(.fields, strings.ilike(.name, "Received-SPF") and strings.ilike(.value, "*spf=temperror*"))) -tags: - - "Suspicious headers" +tactics_and_techniques: + - "Spoofing" +detection_methods: + - "Header analysis" id: "2df7e839-8ffb-5d84-ac87-a45239d0d24b" diff --git a/detection-rules/headers_voicemail_sendgrid.yml b/detection-rules/headers_voicemail_sendgrid.yml index 0c455dcbabd..149daddbc12 100644 --- a/detection-rules/headers_voicemail_sendgrid.yml +++ b/detection-rules/headers_voicemail_sendgrid.yml 
@@ -9,6 +9,11 @@ source: | type.inbound and headers.return_path.domain.domain == 'sendgrid.net' and strings.ilike(subject.subject, '*voicemail*', '*voice message*') -tags: - - "Suspicious headers" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" id: "21cad89c-55e0-5cf1-8677-bf0242633a82" diff --git a/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml b/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml index b00f78cb53e..d471fa194af 100644 --- a/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml +++ b/detection-rules/headers_zimbra_mailer_unsupported_os_versions.yml @@ -8,6 +8,6 @@ source: | type.inbound and strings.starts_with(headers.mailer, "Zimbra") and regex.icontains(headers.mailer, '\b(5\.1|6\.1)\.\d{4}\b') -tags: - - "Suspicious sender" +detection_methods: + - "Header analysis" id: "d23e694f-a23d-5730-9a04-29629f2e6696" diff --git a/detection-rules/impersonation_adp.yml b/detection-rules/impersonation_adp.yml index 87c6e792dae..f42224d5045 100644 --- a/detection-rules/impersonation_adp.yml +++ b/detection-rules/impersonation_adp.yml @@ -10,7 +10,12 @@ source: | and sender.display_name in~ ('RS-Plan-Admin@adp.com','ADP','SecurityServices_NoReply@adp.com') and sender.email.domain.root_domain not in~ ('adp.com', 'adpsurveys.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "bb9cf46b-188e-58f5-996e-b35caf2423a2" diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml index 8ebdcaa4fec..40e073c96a3 100644 --- a/detection-rules/impersonation_amazon.yml +++ b/detection-rules/impersonation_amazon.yml 
@@ -40,11 +40,17 @@ source: |
 'amazon.com.tr',
 'amazonpay.in',
 'amazonpay.com',
+ 'q4inc.com',
 'synchronybank.com',
 )
 and sender.email.email not in $recipient_emails
 and sender.email.domain.domain not in $org_domains
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
 id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
diff --git a/detection-rules/impersonation_amazon_suspicious_text.yml b/detection-rules/impersonation_amazon_suspicious_text.yml
new file mode 100644
index 00000000000..537fd7cd1f3
--- /dev/null
+++ b/detection-rules/impersonation_amazon_suspicious_text.yml
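Review bot: `'q4inc.com'` is added to the Amazon root-domain allowlist with no comment on its relationship to Amazon, unlike the FedEx rule in this same diff, which records its exemption with `// sedex.com is not affiliated with FedEx, but is an apparent FP`. Every entry in this list is a sender the rule will never flag, so a one-liner above it, e.g. `// q4inc.com: <reason — TODO confirm>`, keeps the exemption reviewable later. The enclosing `source` block starts outside the hunk.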
@@ -0,0 +1,75 @@
+name: "Brand impersonation: Amazon with suspicious attachment"
+description: |
+ Impersonation of Amazon. These are most commonly fake shipping notifications.
+ Amazon is the #2 most-impersonated brand (as of Q2 2020)
+references:
+ - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
+ - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and strings.ilike(sender.display_name, "amazon*")
+ and any(attachments, .file_type in ("pdf", "jpg", "jpeg", "png")
+ and any(ml.logo_detect(.).brands,
+ .name == "Amazon" and .confidence in~ ("medium", "high")
+ )
+ and (
+ any(file.explode(.),
+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name != "benign" and .confidence == "high"
+ )
+ )
+ or any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents,
+ .name != "benign" and .confidence == "high"
+ )
+ )
+ )
+ // unsolicited
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $recipient_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $recipient_domains
+ )
+ )
+ and sender.email.domain.root_domain not in~ (
+ 'amazon.com',
+ 'amazon.com.au',
+ 'amazon.co.uk',
+ 'amazon.de',
+ 'amazon.es',
+ 'amazon.fr',
+ 'amazon.it',
+ 'amazon.in',
+ 'amazon.lu',
+ 'amazon.com.au',
+ 'amazonsellerservices.com',
+ 'amazon.ae',
+ 'amazon.sa',
+ 'amazon.cn',
+ 'amazon.ca',
+ 'amazon.com.mx',
+ 'amazon.com.br',
+ 'amazon.sg',
+ 'amazon.com.tr',
+ 'amazonpay.in',
+ 'amazonpay.com',
+ 'synchronybank.com',
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+id: "5751dcb9-071d-540b-9ec3-410d6aa80c11"
diff --git a/detection-rules/impersonation_amex.yml b/detection-rules/impersonation_amex.yml
index 1185c91cbcb..8cad2868b4b 100644
--- a/detection-rules/impersonation_amex.yml
+++ b/detection-rules/impersonation_amex.yml
@@ -15,7 +15,13 @@ source: |
 and sender.email.domain.root_domain not in ('aexp.com','americanexpress.com', 'americanexpress.co.uk', 'aexpfeedback.com', 'amexnetwork.com', 'accountonline.com', 'transunion.com', 'amexgiftcard.com', 'amexgbt.com')
 and sender.email.domain.domain not in ('accountprotection.microsoft.com')
 and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
 id: "992a9fa9-84ee-5065-8486-b3a2a8ffa676"
diff --git a/detection-rules/impersonation_apple.yml b/detection-rules/impersonation_apple.yml
index e44dd8a97b8..c341f889b6f 100644
--- a/detection-rules/impersonation_apple.yml
+++ b/detection-rules/impersonation_apple.yml
@@ -13,7 +13,12 @@ source: |
 )
 and sender.email.domain.root_domain !~ 'apple.com'
 and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
 id: "0b17f2c2-e100-5d51-b53e-ee3da0431f1d"
diff --git a/detection-rules/impersonation_bank_of_america.yml b/detection-rules/impersonation_bank_of_america.yml
index 3b12bf58530..7487e05a17d 100644
--- a/detection-rules/impersonation_bank_of_america.yml
+++ b/detection-rules/impersonation_bank_of_america.yml
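Review bot: The root-domain allowlist in the new impersonation_amazon_suspicious_text.yml lists `'amazon.com.au'` twice (after `'amazon.com'` and again after `'amazon.lu'`), and it is a copy of the list in impersonation_amazon.yml that lacks the `'q4inc.com'` entry this same commit adds there, so the two Amazon rules now disagree on which senders are exempt. Drop the duplicate, and either add the missing entry here or leave a comment stating that this rule is intentionally stricter; a shared list would avoid the drift, if the rule language supports one. Two smaller points: the `name` says "with suspicious attachment" while the file is named `_suspicious_text`, and the body classifier reads `coalesce(body.html.display_text, body.plain.raw)` where headers_freemail_replyto_returnpath_mismatch.yml in this diff moves to `body.current_thread.text` — worth settling on one convention for new rules.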
@@ -14,7 +14,13 @@ source: | ) and sender.email.domain.root_domain not in~ ('bankofamerica.com', 'transunion.com', 'bofa.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "d2fc6ea1-0c8d-57e0-bcaa-732a2e6b76e4" diff --git a/detection-rules/impersonation_barracuda.yml b/detection-rules/impersonation_barracuda.yml index 8d17082e960..f8e419f29d0 100644 --- a/detection-rules/impersonation_barracuda.yml +++ b/detection-rules/impersonation_barracuda.yml @@ -22,7 +22,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "583fd5eb-ebd1-5753-944c-1d85f2a82348" diff --git a/detection-rules/impersonation_binance.yml b/detection-rules/impersonation_binance.yml index f6e73b6236a..33be6a6de61 100644 --- a/detection-rules/impersonation_binance.yml +++ b/detection-rules/impersonation_binance.yml @@ -33,7 +33,18 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +tags: + - "Cryptocurrency" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "HTML analysis" + - "Natural Language Understanding" + - "Sender analysis" id: "c3302a76-ff5f-5619-b806-2bfec382f588" diff --git a/detection-rules/impersonation_blockchain.yml b/detection-rules/impersonation_blockchain.yml index d1d8760bd45..fd59c27b031 100644 
--- a/detection-rules/impersonation_blockchain.yml
+++ b/detection-rules/impersonation_blockchain.yml
@@ -14,7 +14,13 @@ source: |
 and any(distinct(headers.hops, .received_spf.verdict is not null), strings.like(.received_spf.verdict, "*fail"))
 and sender.email.domain.root_domain not in~ ('blockchain.com', 'wxblockchain.com', 'ai-blockchain.com', 'envisionblockchain.com')
 and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
 id: "0d85e555-bf7c-50a9-afba-de3c67818b6f"
diff --git a/detection-rules/impersonation_chase.yml b/detection-rules/impersonation_chase.yml
index 9c8edd043d9..3c1732303ac 100644
--- a/detection-rules/impersonation_chase.yml
+++ b/detection-rules/impersonation_chase.yml
@@ -16,9 +16,16 @@ source: |
 or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
 or strings.ilevenshtein(sender.display_name, 'echase') <= 2
 )
+ and sender.display_name not in ("Chaser")
 and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com')
 and sender.email.email not in $recipient_emails
-tags:
- - "Brand impersonation"
- - "Suspicious sender"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Lookalike domain"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"
 id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"
diff --git a/detection-rules/impersonation_coinbase.yml b/detection-rules/impersonation_coinbase.yml
index 2bf431822bf..cd6b5a13235 100644
--- a/detection-rules/impersonation_coinbase.yml
+++ b/detection-rules/impersonation_coinbase.yml
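Review bot: In impersonation_chase.yml, `and sender.display_name not in ("Chaser")` is an exact, case-sensitive comparison, while the conditions it carves out use `strings.ilevenshtein(...) <= 2`, which is case-insensitive and tolerates two edits, so a display name of `chaser` or `CHASER` still trips the rule. If the intent is to exempt that brand, `and sender.display_name not in~ ("Chaser")` matches the case-insensitive `not in~` already used on the next line; a short comment such as `// "Chaser" is within edit distance of "chase" — apparent FP, TODO confirm` would record why the exception exists, in the style of the FedEx rule's `sedex.com` note elsewhere in this diff. The enclosing `source` block starts outside the hunk.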
@@ -29,6 +29,14 @@ source: | ) ) tags: - - "Brand impersonation" - - "Suspicious sender" + - "Cryptocurrency" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "3dca757a-fb21-53c0-ac17-b0f110e8db60" diff --git a/detection-rules/impersonation_dhl.yml b/detection-rules/impersonation_dhl.yml index bb376f9f0ff..d5cd44d8299 100644 --- a/detection-rules/impersonation_dhl.yml +++ b/detection-rules/impersonation_dhl.yml @@ -25,7 +25,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "be4b4ae0-d393-5f8b-b984-5cf4ad7cbeb5" diff --git a/detection-rules/impersonation_digital_ocean.yml b/detection-rules/impersonation_digital_ocean.yml index 116804a606e..a3ca8088647 100644 --- a/detection-rules/impersonation_digital_ocean.yml +++ b/detection-rules/impersonation_digital_ocean.yml @@ -12,7 +12,13 @@ source: | ) and sender.email.domain.root_domain !~ 'digitalocean.com' and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "7f2f0e97-b89f-54dd-9167-cbf1e55b112b" diff --git a/detection-rules/impersonation_docusign.yml b/detection-rules/impersonation_docusign.yml index fbd7000378a..2af461dce5a 100644 --- a/detection-rules/impersonation_docusign.yml +++ b/detection-rules/impersonation_docusign.yml 
@@ -62,7 +62,15 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "DocuSign" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" + - "Spoofing" +detection_methods: + - "Header analysis" + - "Sender analysis" + - "URL analysis" id: "4d29235c-08b9-5f9b-950e-60b05c4691fb" diff --git a/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml b/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml index 2c92c535988..09a34f1c365 100644 --- a/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml +++ b/detection-rules/impersonation_domain_replyto_freemail_lookalike_financial_request.yml @@ -24,9 +24,14 @@ source: | and any(ml.nlu_classifier(.).intents, .name != "benign") ) ) -tags: - - "Domain Impersonation" - - "Suspicious ReplyTo" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" + - "Sender analysis" id: "43026a40-4285-51a7-a42e-f08b9ee41b97" diff --git a/detection-rules/impersonation_dropbox.yml b/detection-rules/impersonation_dropbox.yml index 2bc4d671335..870e402b031 100644 --- a/detection-rules/impersonation_dropbox.yml +++ b/detection-rules/impersonation_dropbox.yml @@ -17,7 +17,14 @@ source: | ) ) and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" id: "61f11d12-7033-53c9-a95a-df982ff31c4b" 
diff --git a/detection-rules/impersonation_employee_payroll_fraud.yml b/detection-rules/impersonation_employee_payroll_fraud.yml index 55d7d741d01..c8e01b2286f 100644 --- a/detection-rules/impersonation_employee_payroll_fraud.yml +++ b/detection-rules/impersonation_employee_payroll_fraud.yml @@ -14,7 +14,7 @@ source: | or sender.email.domain.root_domain in $free_email_providers ) - + and 1 of ( regex.icontains(body.plain.raw, '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'), regex.icontains(body.html.inner_text, '(pay\s?(roll|check|date|day)|direct deposit|\bdd\b|gehalt|salario|salary)'), @@ -30,7 +30,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Payroll fraud" - - "Employee impersonation" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: Employee" + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" id: "2beb7d85-dfe3-5ecc-9b2a-d7416a3ef992" diff --git a/detection-rules/impersonation_employee_subject.yml b/detection-rules/impersonation_employee_subject.yml index d9009361063..d46d07f0d5a 100644 --- a/detection-rules/impersonation_employee_subject.yml +++ b/detection-rules/impersonation_employee_subject.yml @@ -1,6 +1,6 @@ name: "BEC: Employee impersonation with subject manipulation" description: | - Subject matches the display name of someone in your organization, and the body resembles a BEC attack. + Subject matches the display name of someone in your organization, and the body resembles a BEC attack. type: "rule" severity: "medium" source: | 
@@ -29,10 +29,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Employee impersonation" - - "Suspicious sender" - - "Machine Learning" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: Employee" + - "Social engineering" +detection_methods: + - "Content analysis" - "Natural Language Understanding" - - "Business Email Compromise" + - "Sender analysis" id: "9adfc77b-cabe-5ef8-b1ed-6ad5d682447f" diff --git a/detection-rules/impersonation_employee_urgent_request.yml b/detection-rules/impersonation_employee_urgent_request.yml index caf165cfd2e..5c52c9b98f9 100644 --- a/detection-rules/impersonation_employee_urgent_request.yml +++ b/detection-rules/impersonation_employee_urgent_request.yml @@ -1,8 +1,8 @@ name: "Employee impersonation with urgent request (first-time sender)" description: | - Sender is using a display name that matches the display name of someone in your organization. + Sender is using a display name that matches the display name of someone in your organization. - Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders. + Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders. type: "rule" severity: "medium" source: | @@ -33,9 +33,14 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Employee impersonation" - - "Suspicious sender" - - "Machine Learning" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: Employee" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" + - "Sender analysis" id: "1ce9a146-1293-531e-bb02-0af7ad1b018e" diff --git a/detection-rules/impersonation_exodus.yml b/detection-rules/impersonation_exodus.yml index b47e1938e70..4704dc61445 100644 --- a/detection-rules/impersonation_exodus.yml +++ b/detection-rules/impersonation_exodus.yml 
@@ -15,6 +15,14 @@ source: | or any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .text == "wallet") ) tags: - - "Brand impersonation" - "Cryptocurrency" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" id: "40c77ecc-782d-595a-a042-7fe7e4d756ee" diff --git a/detection-rules/impersonation_facebook.yml b/detection-rules/impersonation_facebook.yml index 02a9f03b206..b27ebe9629d 100644 --- a/detection-rules/impersonation_facebook.yml +++ b/detection-rules/impersonation_facebook.yml @@ -15,7 +15,13 @@ source: | ) and sender.email.domain.root_domain not in~ ('facebook.com','facebookmail.com', 'eventsatfacebook.com', 'facebookenterprise.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "e38f1e3b-79be-5a59-b084-24a851daf6b9" diff --git a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml index f4ff77857fa..1834add8b97 100644 --- a/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml +++ b/detection-rules/impersonation_fake_msg_thread_mismatched_from_freemail_replyto.yml 
@@ -2,49 +2,55 @@ name: "Fake Message Thread - First Time Sender with a Mismatched Freemail Reply- description: | Fake Message Threads or Chain Reuse is a common confidence technique exploited by threat actors to bolster credibility. This is typically used in conjunction with a reply-to address that is not the same as the sender address. -references: +references: - "https://playground.sublimesecurity.com?id=5ab9a225-4de3-494f-9a55-e16ec9e1e5c3" type: "rule" severity: "medium" source: | - type.inbound + type.inbound - // First-time sender - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) - ) + // First-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) - // Reply-to is a freemail sender but From is not - and any(headers.reply_to, - .email.domain.domain in $free_email_providers - and not .email.domain.domain == sender.email.domain.domain - ) + // Reply-to is a freemail sender but From is not + and any(headers.reply_to, + .email.domain.domain in $free_email_providers + and not .email.domain.domain == sender.email.domain.domain + ) - // Exclude marketing emails - and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing") + // Exclude marketing emails + and not strings.ilike(sender.email.local_part, "support", "sales", "noreply", "marketing") - // Check for Message Thread Indicators - and ( - strings.istarts_with(subject.subject, "RE:") - or any([body.plain.raw, body.html.display_text], - regex.icontains(.,"From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:") - ) + // Check 
for Message Thread Indicators + and ( + strings.istarts_with(subject.subject, "RE:") + or any([body.plain.raw, body.html.display_text], + regex.icontains(.,"From:[ a-z0-9<>_@\\.]{0,80}Sent:[ a-z0-9<>_@\\.:]{0,40}To:[ a-z0-9<>_@\\.;]{0,300}(Cc:)?.{0,300}Subject:") + ) - ) + ) - // Check for the Presence of References or In-Reply-To properties - and ( - length(headers.references) == 0 - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) - ) -tags: - - "Contact impersonation" - - "Fake Message Thread" + // Check for the Presence of References or In-Reply-To properties + and ( + length(headers.references) == 0 + or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + ) +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "ca64e819-576b-574a-abcc-63f1916e8a41" diff --git a/detection-rules/impersonation_fake_shipping_notification.yml b/detection-rules/impersonation_fake_shipping_notification.yml index 06cafd32acf..7b003eb09ba 100644 --- a/detection-rules/impersonation_fake_shipping_notification.yml +++ b/detection-rules/impersonation_fake_shipping_notification.yml @@ -1,7 +1,7 @@ name: "Fake shipping notification with link to free file hosting" description: | This rule detects spam emails impersonating FedEx, UPS, or USPS with links to free file hosting. -references: +references: - "https://playground.sublimesecurity.com?id=64feb22a-03e8-4d8f-83f6-a828dc5e3540" severity: "low" type: "rule" @@ -26,7 +26,14 @@ source: | ) or sender.email.domain.valid == false ) -tags: +attack_types: - "Spam" - - "Brand impersonation" +tactics_and_techniques: + - "Free file host" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "6d3fe05e-8ee6-586e-a2c6-60488ecf347a" 
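Review bot: In impersonation_fake_shipping_notification.yml, the unchanged context line `- "Spam"` now sits under the new `attack_types:` key rather than under `tags:`, and it is the only rule in this diff that uses `"Spam"` as an attack type (the others use `"Credential Phishing"`, `"BEC/Fraud"` or `"Malware/Ransomware"`). If any validation step checks these keys against a fixed vocabulary, this will either fail or quietly introduce a new value, so it is worth confirming that `"Spam"` is an intended attack type and not a leftover from the old tag list; the rule's description (outside the hunk) does call it spam, so a tactics entry such as `"Free file host"` may be the better home. The `source` block also starts outside the hunk.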
diff --git a/detection-rules/impersonation_fedex.yml b/detection-rules/impersonation_fedex.yml index ce5e54f3af0..a6b9412cfac 100644 --- a/detection-rules/impersonation_fedex.yml +++ b/detection-rules/impersonation_fedex.yml @@ -15,7 +15,13 @@ source: | // sedex.com is not affiliated with FedEx, but is an apparent FP and sender.email.domain.root_domain not in~ ('fedex.com', 'sedex.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "94a2b602-2bc1-5ea3-941e-752e3a2235cf" diff --git a/detection-rules/impersonation_finra.yml b/detection-rules/impersonation_finra.yml index 077d679bded..d31b31cae3e 100644 --- a/detection-rules/impersonation_finra.yml +++ b/detection-rules/impersonation_finra.yml @@ -25,7 +25,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "15c81db4-b3ba-5e9a-978c-194f77b56739" diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml index 95532ee6232..138e6d21d85 100644 --- a/detection-rules/impersonation_github.yml +++ b/detection-rules/impersonation_github.yml @@ -25,7 +25,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "9402f92b-f2b1-5452-8124-fdad4a88feb4" 
diff --git a/detection-rules/impersonation_google_via_msft_forms.yml b/detection-rules/impersonation_google_via_msft_forms.yml index f955466bd32..c8890d2b6b5 100644 --- a/detection-rules/impersonation_google_via_msft_forms.yml +++ b/detection-rules/impersonation_google_via_msft_forms.yml @@ -14,7 +14,14 @@ source: | any(body.links, .href_url.domain.root_domain not in $tranco_1m) or strings.ilike(body.html.display_text, "*suspicious activities*", "*failure to secure*", "*loose your*", "*suspended*") ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "1daac608-66f7-5d0a-ab0f-ff9902ddabb7" diff --git a/detection-rules/impersonation_gusto.yml b/detection-rules/impersonation_gusto.yml index 7ca3ec295d9..3c7312fe349 100644 --- a/detection-rules/impersonation_gusto.yml +++ b/detection-rules/impersonation_gusto.yml @@ -15,7 +15,15 @@ source: | and .confidence in ("medium", "high")) and sender.email.domain.root_domain !~ 'gusto.com' and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Computer vision" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "54025c1c-34bc-5cbf-97b8-d544806fc587" diff --git a/detection-rules/impersonation_human_resources.yml b/detection-rules/impersonation_human_resources.yml index 0dc695bcd9c..b3496282108 100644 --- a/detection-rules/impersonation_human_resources.yml +++ b/detection-rules/impersonation_human_resources.yml 
@@ -6,9 +6,9 @@ source: | type.inbound and sender.email.domain.domain not in $org_domains and regex.icontains(sender.display_name, '(\bh\W?r\W?\b|human resources|hr depart(ment)?|employee relations)') - + and (length(body.links) > 0 or length(attachments) > 0) - + // Request and Urgency and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request") and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency") @@ -19,8 +19,8 @@ source: | ) or length(ml.nlu_classifier(body.html.inner_text).intents) == 0 ) - - + + and ( ( sender.email.domain.root_domain in $free_email_providers @@ -32,6 +32,15 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Department impersonation" +attack_types: + - "BEC/Fraud" + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Employee" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" id: "8c95a6a8-50d3-5697-a379-c00bda8e1922" diff --git a/detection-rules/impersonation_ledger.yml b/detection-rules/impersonation_ledger.yml index 7f7a46c6019..0f5b09331be 100644 --- a/detection-rules/impersonation_ledger.yml +++ b/detection-rules/impersonation_ledger.yml @@ -38,7 +38,14 @@ source: | ) ) tags: - - "Brand impersonation" - "Cryptocurrency" - - "Ledger" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "5f934755-cd03-5f4c-a5bd-a8899e7108c1" diff --git a/detection-rules/impersonation_linkedin.yml b/detection-rules/impersonation_linkedin.yml index e75e5063796..8c0e3ab07d7 100644 --- a/detection-rules/impersonation_linkedin.yml +++ b/detection-rules/impersonation_linkedin.yml 
@@ -14,7 +14,13 @@ source: | ) and sender.email.domain.root_domain !~ 'linkedin.com' and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "1a0cde6d-ce91-575f-a6a4-7a88b12f2ca4" diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml index 803d24e2b20..c36840119f0 100644 --- a/detection-rules/impersonation_microsoft.yml +++ b/detection-rules/impersonation_microsoft.yml @@ -1,10 +1,10 @@ name: "Brand impersonation: Microsoft" description: | - Impersonation of the Microsoft brand. + Impersonation of the Microsoft brand. references: - - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/" - - "https://cofense.com/blog/office-365-phishing-variant/" - - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/" + - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/" + - "https://cofense.com/blog/office-365-phishing-variant/" + - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/" type: "rule" severity: "high" authors: @@ -45,7 +45,12 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" id: "6e2f04e6-b607-5e36-9015-d39c98265579" diff --git a/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml b/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml new file mode 100644 index 00000000000..6b655705cea --- /dev/null 
+++ b/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml 
@@ -0,0 +1,96 @@ +name: "Brand impersonation: Microsoft fake sign-in alert" +description: | + Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response. +type: "rule" +severity: "medium" +source: | + type.inbound + // no links found in body + and length(body.links) == 0 + // Microsoft strings + and ( + strings.contains(subject.subject, "Microsoft") + or strings.contains(sender.display_name, "Microsoft") + or strings.contains(body.current_thread.text, "Microsoft") + or ( + + // or Microsoft Brand logo + any(attachments, + .file_type in ('png', 'jpeg', 'jpg', 'bmp') + and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) + ) + ) + ) + + // Body contains Indicators of fake sign in notification + and ( + regex.contains(body.current_thread.text, + '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)' + ) + or regex.contains(body.current_thread.text, "Unusual.{0,10}activity") + ) + + + and ( + + // If the sender is freemail + sender.email.domain.domain in $free_email_providers + or ( + + // sender is not freemail, but the return path email or reply to email is + sender.email.domain.domain not in $free_email_providers + and ( + headers.return_path.domain.root_domain in $free_email_providers + or ( + length(headers.reply_to) > 0 + and ( + all(headers.reply_to, .email.domain.root_domain in $free_email_providers) + ) + ) + or ( + + // if all replyto domain, return_path domain, sender domain mismatch + length(headers.reply_to) > 0 + and all(headers.reply_to, + .email.domain.domain != headers.return_path.domain.domain + and headers.return_path.domain.domain != sender.email.domain.domain + ) + ) + + // or the domain is less than 90 days old + or beta.whois(sender.email.domain).days_old <= 90 + or ( + + // or Compauth verdict is not pass/softpass + any(headers.hops, + .authentication_results.compauth.verdict is not null + and .authentication_results.compauth.verdict not in ("pass", "softpass") + ) 
+ ) + ) + ) + ) + and sender.email.domain.root_domain not in ( + "bing.com", + "microsoft.com", + "microsoftonline.com", + "microsoftsupport.com", + "microsoft365.com", + "office.com", + "onedrive.com", + "sharepointonline.com", + "yammer.com", + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" + - "Whois" +id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236" diff --git a/detection-rules/impersonation_microsoft_quarantine.yml b/detection-rules/impersonation_microsoft_quarantine.yml index 00917fe743d..2b7b1927e12 100644 --- a/detection-rules/impersonation_microsoft_quarantine.yml +++ b/detection-rules/impersonation_microsoft_quarantine.yml @@ -32,8 +32,18 @@ source: | "sharepointonline.com", "yammer.com", ) -tags: - - "Brand impersonation" - - "Suspicious content" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free file host" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "File analysis" + - "Header analysis" - "Natural Language Understanding" + - "Optical Character Recognition" + - "Sender analysis" id: "185db6b3-b35c-578d-bd9f-dab0703288fe" diff --git a/detection-rules/impersonation_microsoft_teams.yml b/detection-rules/impersonation_microsoft_teams.yml new file mode 100644 index 00000000000..4b56e2189cc --- /dev/null +++ b/detection-rules/impersonation_microsoft_teams.yml 
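Review bot: The brand and body-text checks in the new fake sign-in rule are case-sensitive, which a sender sidesteps with `microsoft`/`MICROSOFT` or a mid-sentence `unusual activity`; the sibling rules in this repository use `regex.icontains`, so switch the three `strings.contains(..., "Microsoft")` checks to `strings.icontains` and the `Unusual.{0,10}activity` pattern to `regex.icontains`. The trailing `sender.email.domain.root_domain not in (...)` allowlist trusts the From header alone, so a message spoofing `microsoft.com` is excluded outright; if the rule language exposes an authentication verdict, gate that exclusion on a DMARC/compauth pass rather than the bare domain. The branch commented `// if all replyto domain, return_path domain, sender domain mismatch` never compares reply-to against the sender domain, so either add `and .email.domain.domain != sender.email.domain.domain` or reword the comment. `beta.whois(...).days_old` is presumably null when the lookup fails — confirm how `null <= 90` evaluates before relying on that branch.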
@@ -0,0 +1,25 @@ +name: "Brand impersonation: Microsoft Teams" +description: | + Impersonation of a Microsoft Teams message. +type: "rule" +severity: "high" +source: | + type.inbound + and any(attachments, + .file_type in ("pdf", "jpg", "jpeg", "png") + and any(file.explode(.), + regex.icontains(.scan.ocr.raw, "trying to reach you.*microsoft teams") + ) + ) + and sender.email.domain.root_domain not in ("microsoft.com", "microsoftsupport.com", "office.com") +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Optical Character Recognition" + - "Sender analysis" +id: "9cd53055-8e1a-5a45-b78f-34a62f0793dd" diff --git a/detection-rules/impersonation_netflix.yml b/detection-rules/impersonation_netflix.yml index 574410929fc..deb0c71ce17 100644 --- a/detection-rules/impersonation_netflix.yml +++ b/detection-rules/impersonation_netflix.yml @@ -16,7 +16,13 @@ source: | ) and sender.email.domain.root_domain !~ 'netflix.com' and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "9f39eea5-2edf-524d-b68b-d8d0bdb74273" diff --git a/detection-rules/impersonation_norton_lifelock.yml b/detection-rules/impersonation_norton_lifelock.yml index 634b31e9e2c..2cb0864b1be 100644 --- a/detection-rules/impersonation_norton_lifelock.yml +++ b/detection-rules/impersonation_norton_lifelock.yml 
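Review bot: The OCR pattern `trying to reach you.*microsoft teams` will not match when the two phrases land on different OCR lines, because `.` does not cross a newline in most regex engines and OCR text is line-broken; use `trying to reach you[\s\S]*microsoft teams` (or a `(?s)` flag if the engine supports it). The exclusion list here is narrower than the one the other Microsoft rules in this change use (`microsoftonline.com`, `microsoft365.com`, `sharepointonline.com`, ...), so legitimate Teams notifications sent from those domains would raise a high-severity alert; align the allowlist with the sibling rules. As with those rules, the allowlist trusts the From domain alone — pair it with an authentication check if the rule language offers one.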
@@ -44,7 +44,15 @@ source: | ) ) -tags: - - "Brand impersonation" - - "Suspicious attachment" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free email provider" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" id: "32bd9efd-67ba-54e2-81d0-89cf16e85a70" diff --git a/detection-rules/impersonation_outlook.yml b/detection-rules/impersonation_outlook.yml index 1e54faba910..1af429a1fbb 100644 --- a/detection-rules/impersonation_outlook.yml +++ b/detection-rules/impersonation_outlook.yml @@ -9,7 +9,13 @@ source: | and regex.icontains(sender.email.domain.domain, '.*outlook.com.+') and sender.email.domain.root_domain != 'outlook.com.au' and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "1fe5bf7b-c4e8-5f8e-a2d7-07e32bd9678f" diff --git a/detection-rules/impersonation_paypal.yml b/detection-rules/impersonation_paypal.yml index 68c42ee68df..d15b6c23e8a 100644 --- a/detection-rules/impersonation_paypal.yml +++ b/detection-rules/impersonation_paypal.yml @@ -63,7 +63,16 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Sender analysis" id: "a6b2ceee-ea57-594d-8437-698fad55c9bf" diff --git a/detection-rules/impersonation_recipient_domain.yml b/detection-rules/impersonation_recipient_domain.yml index 0f3c7c09dd0..eedf925ca66 100644 
--- a/detection-rules/impersonation_recipient_domain.yml +++ b/detection-rules/impersonation_recipient_domain.yml @@ -18,7 +18,7 @@ source: | // recipient's domain is in the sender's display name and strings.icontains(sender.display_name, .email.domain.root_domain)) - + and not ( strings.contains(sender.display_name, "on behalf of") and sender.email.domain.root_domain == "microsoftonline.com" @@ -35,6 +35,11 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "63e5808a-ab9a-5112-bc41-545db8c0afd2" diff --git a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml index 112256164e9..087cf4725c7 100644 --- a/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml +++ b/detection-rules/impersonation_recipient_sld_in_sender_local_fts.yml @@ -1,11 +1,18 @@ name: "Impersonation: Recipient SLD in sender's email address local part" type: "rule" +severity: "low" description: | The sender's email address local part contains the recipients SLD, the sender's domain is not a known org domain, and it's a first time sender. source: | type.inbound - and any(recipients.to, strings.contains(sender.email.local_part, .email.domain.sld)) + and ( + any(recipients.to, + (strings.contains(sender.email.local_part, .email.domain.sld) + // checking to ensure no FPs, like "me" in "me.com" + and length(.email.domain.sld) > 3) + ) + ) and sender.email.domain.root_domain not in $org_domains and ( ( 
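Review bot: The new `length(.email.domain.sld) > 3` guard excludes three-letter SLDs as well as the two-letter `me` the comment cites, so recipients at domains such as `ibm.com` or `svb.com` — exactly the short, high-value names this rule exists to protect, and this same change adds an SVB rule — no longer match. Use `length(.email.domain.sld) > 2` if the intent is only to drop `me`-style SLDs, or extend the comment to say why three-letter SLDs are deliberately dropped.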
@@ -17,8 +24,11 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -severity: "low" -tags: - - "Organization impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "926f3b53-415c-590e-b5f7-a15c6d9e62c2" diff --git a/detection-rules/impersonation_ripple.yml b/detection-rules/impersonation_ripple.yml index 5ecf978e7e2..69176a1177c 100644 --- a/detection-rules/impersonation_ripple.yml +++ b/detection-rules/impersonation_ripple.yml @@ -21,6 +21,12 @@ source: | ) ) tags: - - "Brand impersonation" - "Cryptocurrency" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "68b39736-70e0-5bf7-8a0a-3e2206552251" diff --git a/detection-rules/impersonation_sharepoint_body_credential_theft.yml b/detection-rules/impersonation_sharepoint_body_credential_theft.yml index 17c7267a323..d3252dd7cd1 100644 --- a/detection-rules/impersonation_sharepoint_body_credential_theft.yml +++ b/detection-rules/impersonation_sharepoint_body_credential_theft.yml @@ -11,10 +11,15 @@ source: | and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint") ) and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents, .name == "cred_theft") -tags: +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: - "Computer Vision" + - "Content analysis" + - "File analysis" - "Natural Language Understanding" - - "Suspicious content" - - "Brand impersonation" - - "Credential phishing" + - "Sender analysis" id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9" diff --git a/detection-rules/impersonation_sharepoint_image_credential_theft.yml b/detection-rules/impersonation_sharepoint_image_credential_theft.yml index 74fc155eac4..cb947d11466 100644 
--- a/detection-rules/impersonation_sharepoint_image_credential_theft.yml +++ b/detection-rules/impersonation_sharepoint_image_credential_theft.yml @@ -17,9 +17,17 @@ source: | ) ) ) -tags: +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Image as content" + - "Social engineering" +detection_methods: - "Computer Vision" + - "File analysis" + - "Header analysis" - "Natural Language Understanding" - - "Brand impersonation" - - "Credential phishing" + - "Optical Character Recognition" + - "Sender analysis" id: "0ac51b9a-7a2a-5be2-9e04-f71b9bfd61ac" diff --git a/detection-rules/impersonation_siliconvalleybank.yml b/detection-rules/impersonation_siliconvalleybank.yml index bd1731c80dc..fef5f14f685 100644 --- a/detection-rules/impersonation_siliconvalleybank.yml +++ b/detection-rules/impersonation_siliconvalleybank.yml @@ -9,6 +9,13 @@ source: | or strings.ilevenshtein(sender.display_name, 'svb') <= 1 ) and beta.whois(sender.email.domain).days_old <= 30 -tags: -- "Brand impersonation" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "Whois" id: "a01f61d9-a01a-548c-9a48-49f8d3732d05" diff --git a/detection-rules/impersonation_spotify.yml b/detection-rules/impersonation_spotify.yml index 3a4d51903c5..4e982b24716 100644 --- a/detection-rules/impersonation_spotify.yml +++ b/detection-rules/impersonation_spotify.yml @@ -25,7 +25,12 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "70e80f91-179d-51dc-9bbd-75f1bc6f9bb3" 
diff --git a/detection-rules/impersonation_stellar.yml b/detection-rules/impersonation_stellar.yml index 90fffb5a1d5..898f25f88ee 100644 --- a/detection-rules/impersonation_stellar.yml +++ b/detection-rules/impersonation_stellar.yml @@ -21,6 +21,12 @@ source: | ) ) tags: - - "Brand impersonation" - "Cryptocurrency" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "2af9ab94-77b2-5bf9-89f5-5206ee214d57" diff --git a/detection-rules/impersonation_sublime_security.yml b/detection-rules/impersonation_sublime_security.yml index 5c0169e1194..b1dd99c3ad9 100644 --- a/detection-rules/impersonation_sublime_security.yml +++ b/detection-rules/impersonation_sublime_security.yml @@ -28,9 +28,12 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Contact impersonation" - - "Executive impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "949484ed-c774-5f53-b91f-cd02ee6104f9" diff --git a/detection-rules/impersonation_turbotax.yml b/detection-rules/impersonation_turbotax.yml index c8d1cc07331..f0ed686bf7f 100644 --- a/detection-rules/impersonation_turbotax.yml +++ b/detection-rules/impersonation_turbotax.yml @@ -14,7 +14,12 @@ source: | ) and sender.email.domain.root_domain not in~ ('intuit.com', 'turbotax.com', 'intuit.ca') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "90084031-cd65-5184-a7d6-a1e61d32b82b" 
diff --git a/detection-rules/impersonation_twitter.yml b/detection-rules/impersonation_twitter.yml index 3f09aba4177..dc64485fd8c 100644 --- a/detection-rules/impersonation_twitter.yml +++ b/detection-rules/impersonation_twitter.yml @@ -14,7 +14,12 @@ source: | ) and sender.email.domain.domain not in~ ('twitter.com', 'privaterelay.appleid.com', 'stripe.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "013c32c2-fa05-5456-9c45-284e008ff6a4" diff --git a/detection-rules/impersonation_ukr_net.yml b/detection-rules/impersonation_ukr_net.yml index 096d107a387..7a399e522f3 100644 --- a/detection-rules/impersonation_ukr_net.yml +++ b/detection-rules/impersonation_ukr_net.yml @@ -48,7 +48,12 @@ source: | ) ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "Threat intelligence" id: "3cb4015f-1e35-5bba-8d83-d5ed3dfff011" diff --git a/detection-rules/impersonation_ups.yml b/detection-rules/impersonation_ups.yml index dce289a4568..f1c421ae669 100644 --- a/detection-rules/impersonation_ups.yml +++ b/detection-rules/impersonation_ups.yml @@ -18,6 +18,13 @@ source: | ) and any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null) and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Sender analysis" id: "73b68869-5720-5dc3-b4bc-15730de972d8" 
diff --git a/detection-rules/impersonation_vanta.yml b/detection-rules/impersonation_vanta.yml index 9a407aae9d0..241749c7896 100644 --- a/detection-rules/impersonation_vanta.yml +++ b/detection-rules/impersonation_vanta.yml @@ -19,7 +19,12 @@ source: | ) and sender.email.domain.root_domain in $free_email_providers and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "883d4382-11a6-5924-9e3e-2cb5a11c3f56" diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml index 01230c1196a..d7f223835cb 100644 --- a/detection-rules/impersonation_venmo.yml +++ b/detection-rules/impersonation_venmo.yml @@ -14,7 +14,12 @@ source: | ) and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "0ab15d4f-865f-518c-b54d-81043399e6f2" diff --git a/detection-rules/impersonation_vip_urgent_request.yml b/detection-rules/impersonation_vip_urgent_request.yml index 399e7d7de36..ca351239169 100644 --- a/detection-rules/impersonation_vip_urgent_request.yml +++ b/detection-rules/impersonation_vip_urgent_request.yml 
@@ -1,8 +1,8 @@ name: "VIP impersonation with urgent request (first-time sender)" description: | - Sender is using a display name that matches the display name of someone in your $org_vips list. + Sender is using a display name that matches the display name of someone in your $org_vips list. - Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders. + Detects potential Business Email Compromise (BEC) attacks by analyzing text within email body first-time senders. type: "rule" severity: "high" source: | @@ -31,10 +31,14 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "VIP impersonation" - - "Executive impersonation" - - "Suspicious sender" - - "Machine Learning" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: VIP" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Content analysis" - "Natural Language Understanding" + - "Sender analysis" id: "0dd1fa60-6e89-5f70-81a1-6b64eef0e428" diff --git a/detection-rules/impersonation_wells_fargo.yml b/detection-rules/impersonation_wells_fargo.yml index fa263090b22..df4a0d019c4 100644 --- a/detection-rules/impersonation_wells_fargo.yml +++ b/detection-rules/impersonation_wells_fargo.yml @@ -18,7 +18,13 @@ source: | ) and sender.email.domain.root_domain not in~ ('wellsfargo.com', 'wellsfargoadvisors.com', 'transunion.com', 'wellsfargoemail.com', 'wellsfargorewards.com', 'comcast-spectacor.com', 'investordelivery.com', 'comcastspectacor.com') and sender.email.email not in $recipient_emails -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" id: "02d7301f-cc29-5031-9a1e-f013400805ba" 
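Review bot: `detection_methods` in the VIP urgent-request rule lists `- "Content analysis"` twice; drop the duplicate so the list reads `Content analysis`, `Natural Language Understanding`, `Sender analysis`. If the rule validation step does not already reject duplicate list entries, adding that check would catch this class of mistake going forward. The old `"Machine Learning"` tag is dropped without an obvious replacement — fine if `Natural Language Understanding` is the intended mapping, but worth confirming.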
diff --git a/detection-rules/impersonation_wise_suspicious_attachment.yml b/detection-rules/impersonation_wise_suspicious_attachment.yml new file mode 100644 index 00000000000..7ee9bb9b194 --- /dev/null +++ b/detection-rules/impersonation_wise_suspicious_attachment.yml @@ -0,0 +1,29 @@ +name: "Brand impersonation: Wise with suspicious attachment" +description: | + Impersonating Wise Financial, as confirmed by NLU, and contains a suspicious attachment type. +type: "rule" +severity: "high" +source: | + type.inbound + and ( + strings.ilike(sender.display_name, '*wise*') + or strings.ilike(sender.email.domain.domain, '*wise*') + ) + and any(ml.nlu_classifier(body.current_thread.text).tags, .name in ("payment", "invoice")) + and any(attachments, .file_type + in $file_extensions_common_archives + or .file_type in $file_extensions_executables + or .file_type in $file_extensions_macros + or .file_type in ("lz") + ) + and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs') +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Natural Language Understanding" + - "Sender analysis" +id: "01480f95-dc1e-5b9a-a360-96bfee663c39" diff --git a/detection-rules/impersonation_zoom_strict.yml b/detection-rules/impersonation_zoom_strict.yml index d1ed6c9eb42..7f16a2066ac 100644 --- a/detection-rules/impersonation_zoom_strict.yml +++ b/detection-rules/impersonation_zoom_strict.yml @@ -28,7 +28,11 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "00f3d94f-7ed2-5dde-a48d-fb5fcbc20cd2" diff --git a/detection-rules/inline_image_as_message.yml b/detection-rules/inline_image_as_message.yml index fbefd1f6e79..545207dd3ff 100644 
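Review bot: `strings.ilike(sender.display_name, '*wise*')` and the matching domain check are unanchored substring matches, so any sender whose name or domain contains "wise" (`otherwise`, `clockwise`, `wisetech`, ...) sending an invoice with a zip attachment trips a high-severity rule; anchor on a word boundary instead, e.g. `regex.icontains(sender.display_name, '\bwise\b') or regex.icontains(sender.email.domain.domain, '\bwise\b')`. The rule keys on archive/executable/macro attachments rather than a credential-harvesting link, so `attack_types: Credential Phishing` looks mislabelled — if the new taxonomy has a malware category, that is the better fit. `.file_type in ("lz")` is a one-element list; either write `.file_type == "lz"` or fold `lz` into `$file_extensions_common_archives` so the intent is clear.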
--- a/detection-rules/inline_image_as_message.yml +++ b/detection-rules/inline_image_as_message.yml @@ -24,7 +24,13 @@ source: | ) and strings.ilike(body.html.raw, "*img*cid*") and sender.email.email not in $recipient_emails -tags: - - "Malware" - - "Credential phishing" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Image as content" +detection_methods: + - "Content analysis" + - "HTML analysis" + - "URL analysis" id: "823d7107-2605-5671-9acb-ba172d071671" diff --git a/detection-rules/link_coinbase_low_rep_or_shortened.yml b/detection-rules/link_coinbase_low_rep_or_shortened.yml index 256d80b16ce..25ca7d8847f 100644 --- a/detection-rules/link_coinbase_low_rep_or_shortened.yml +++ b/detection-rules/link_coinbase_low_rep_or_shortened.yml @@ -6,13 +6,13 @@ severity: "medium" source: | type.inbound and sender.email.domain.root_domain != "coinbase.com" - + // more than 0 less than 5 links and 0 < length(body.links) < 5 - + // none of the links are to coinbase.com and all(body.links, .href_url.domain.root_domain != "coinbase.com") - + // low rep or url shortened links found and any(body.links, .href_url.domain.domain in $url_shorteners @@ -45,8 +45,16 @@ source: | or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Coinbase") ) -tags: - - "Brand impersonation" - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Free subdomain host" + - "Image as content" + - "Impersonation: Brand" +detection_methods: - "Computer Vision" + - "Content analysis" + - "File analysis" + - "URL analysis" id: "b61e2f8e-ab8e-5212-ab20-c294babfc6d9" diff --git a/detection-rules/link_contains_punycode_characters.yml b/detection-rules/link_contains_punycode_characters.yml index 3c2000757cc..b6602634cf6 100644 --- a/detection-rules/link_contains_punycode_characters.yml +++ b/detection-rules/link_contains_punycode_characters.yml 
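Review bot: The inline-image rule loses its `"Malware"` classification in the move to `attack_types`, leaving only `Credential Phishing`, even though the rule matches any image-as-message regardless of lure. If the new taxonomy has a malware category, keep both so analysts filtering on it still see these hits; if the narrowing is deliberate, a one-line note in `description` would save the next reader from re-adding it.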
@@ -25,6 +25,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious content" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Lookalike domain" + - "Punycode" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "74b3698c-d75e-52db-9596-48af93817822" diff --git a/detection-rules/link_credential_phishing.yml b/detection-rules/link_credential_phishing.yml index 1bf25aeaf72..4da5dafcea0 100644 --- a/detection-rules/link_credential_phishing.yml +++ b/detection-rules/link_credential_phishing.yml @@ -20,8 +20,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Credential phishing" - - "Suspicious link" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Sender analysis" + - "URL analysis" + - "URL screenshot" id: "a278012b-6c2b-5bca-b32c-f3663459bb1d" diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml index 1e857150b43..f2ab0717bac 100644 --- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml +++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml @@ -313,8 +313,15 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Credential phishing" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free email provider" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" id: "c2bc8ca2-d207-5c7d-96e4-a0d3d33b2af5" diff --git a/detection-rules/link_credential_phishing_language_ipfs.yml b/detection-rules/link_credential_phishing_language_ipfs.yml index b1a39819299..b94fc53e673 100644 
--- a/detection-rules/link_credential_phishing_language_ipfs.yml +++ b/detection-rules/link_credential_phishing_language_ipfs.yml @@ -25,8 +25,14 @@ source: | ) ) ) -tags: +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free file host" + - "Free subdomain host" + - "IPFS" +detection_methods: + - "Content analysis" - "Natural Language Understanding" - - "Credential phishing" - - "Suspicious link" + - "URL analysis" id: "996c4d83-0a13-53e4-928c-6c08caeedab7" diff --git a/detection-rules/link_credential_phishing_secure_message.yml b/detection-rules/link_credential_phishing_secure_message.yml new file mode 100644 index 00000000000..51ae6b43e60 --- /dev/null +++ b/detection-rules/link_credential_phishing_secure_message.yml @@ -0,0 +1,42 @@ +name: "Credential phishing: 'Secure message' and engaging language" +description: | + Body contains language resembling credential theft, and a "secure message" from a first-time sender. +type: "rule" +severity: "medium" +source: | + type.inbound + + and any(ml.nlu_classifier(body.current_thread.text).intents, + .name == "cred_theft" and .confidence == "high" + ) + + // ----- other suspicious signals here ----- + and strings.icontains(body.html.display_text, "secure message") + + // todo: automated display name / human local part + // todo: suspicious link (unfurl click trackers) + + // ---------- + + // has at least 1 link + and length(body.links) > 0 + + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Natural Language Understanding" + - "Sender analysis" +id: "bd95a7b1-dc96-53c1-bb7c-3a0f98b04744" 
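Review bot: The new "secure message" rule ships with two `// todo:` comments inside its `source`, which reads as unfinished logic in a production rule — either implement the display-name and link-unfurl checks or move them to a tracking issue and drop the comments. `detection_methods` omits `Content analysis` and `URL analysis` even though the rule matches on `body.html.display_text` and counts `body.links`; the voicemail and credential-phishing rules in this same change list both, so add them for consistency. `strings.icontains(body.html.display_text, "secure message")` will miss plaintext-only messages — if that is unintended, use `coalesce(body.html.display_text, body.plain.raw)` as the SharePoint body rule does.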
diff --git a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml index 1d5f0d36eaf..b3fbdb5bcb6 100644 --- a/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml +++ b/detection-rules/link_credential_phishing_suspicious_sender_tld_and_signals.yml @@ -61,8 +61,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Credential phishing" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "File analysis" - "Natural Language Understanding" + - "Optical Character Recognition" + - "Sender analysis" + - "URL analysis" id: "447386dc-e748-5aca-8da4-a3d15345550c" diff --git a/detection-rules/link_credential_phishing_voicemail_language.yml b/detection-rules/link_credential_phishing_voicemail_language.yml index 6298286013f..7b446d465d4 100644 --- a/detection-rules/link_credential_phishing_voicemail_language.yml +++ b/detection-rules/link_credential_phishing_voicemail_language.yml @@ -53,9 +53,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious link" - - "Suspicious content" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" - "Natural Language Understanding" - - "Credential phishing" + - "Sender analysis" + - "URL analysis" id: "74ba7787-e543-5ce8-b6eb-e1ecdb8f1d67" diff --git a/detection-rules/link_deactivated_bitly.yml b/detection-rules/link_deactivated_bitly.yml index ad36e9320f4..c7d0fb33248 100644 --- a/detection-rules/link_deactivated_bitly.yml +++ b/detection-rules/link_deactivated_bitly.yml 
@@ -15,6 +15,10 @@ source: | beta.linkanalysis(.).final_dom.display_text, "*link*blocked*" ) ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "URL analysis" id: "1528eb6c-22fa-5879-b48c-53ee466fde23" diff --git a/detection-rules/link_download_disk_image_in_encrypted_zip.yml b/detection-rules/link_download_disk_image_in_encrypted_zip.yml index 1045312f38f..03c55ce08db 100644 --- a/detection-rules/link_download_disk_image_in_encrypted_zip.yml +++ b/detection-rules/link_download_disk_image_in_encrypted_zip.yml 
@@ -1,41 +1,50 @@ -name: "Link to auto-downloaded disk image in encrypted zip" -description: | - A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot. -type: "rule" -references: - - "https://twitter.com/pr0xylife/status/1592502966409654272" - - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353" - - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" - - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/" -severity: "medium" -authors: - - twitter: "ajpc500" -source: | - type.inbound - and any(body.links, - any(beta.linkanalysis(.).files_downloaded, - any( - file.explode(.), ( - any(.flavors.yara, . == "encrypted_zip") and - any(.scan.zip.all_paths, any([".img", ".iso", ".vhd"], strings.ends_with(.., .))) - ) - ) - ) - ) - // first-time sender - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) - ) -tags: - - "QakBot" - - "Suspicious link" - - "Malware" - - "HTML smuggling" -id: "b50f0cb1-67b8-570c-9b34-0de08ff52508" +name: "Link to auto-downloaded disk image in encrypted zip" +description: | + A link in the body of the email downloads an encrypted zip that contains a disk image of the format IMG, ISO or VHD. This is a combination of file types used to deliver Qakbot. 
+type: "rule" +references: + - "https://twitter.com/pr0xylife/status/1592502966409654272" + - "https://delivr.to/payloads?id=ca00292e-d5a2-43f9-b638-6c0b01b73353" + - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" + - "https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/" +severity: "medium" +authors: + - twitter: "ajpc500" +source: | + type.inbound + and any(body.links, + any(beta.linkanalysis(.).files_downloaded, + any( + file.explode(.), ( + any(.flavors.yara, . == "encrypted_zip") and + any(.scan.zip.all_paths, any([".img", ".iso", ".vhd"], strings.ends_with(.., .))) + ) + ) + ) + ) + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +tags: + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" + - "YARA" +id: "b50f0cb1-67b8-570c-9b34-0de08ff52508" diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml index d0324c36adb..51f23a46dad 100644 --- a/detection-rules/link_download_suspicious_file.yml +++ b/detection-rules/link_download_suspicious_file.yml 
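Review bot: Every line of `link_download_disk_image_in_encrypted_zip.yml` is removed and re-added although only the trailing tag block changes, which buries the real edit (the `tags` → `attack_types`/`tactics_and_techniques`/`detection_methods` split) inside a 41-line rewrite. The surviving `name`, `description`, `references`, `authors` and `source` text appears identical, which usually points to a line-ending or trailing-whitespace normalization of the old file; if so, a repository-wide `.gitattributes` rule such as `* text=auto` would keep future diffs of rule files reviewable. Because a rewrite of this size can mask an accidental edit in the `source` block, the rule logic should be diffed against the previous revision with whitespace ignored rather than eyeballed.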
@@ -45,9 +45,17 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) - -tags: - - "HTML smuggling" - - "Suspicious link" - - "Malware" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Encryption" + - "Evasion" + - "LNK" + - "Social engineering" +detection_methods: + - "Archive analysis" + - "File analysis" + - "Sender analysis" + - "URL analysis" + - "YARA" id: "67ae2152-ac52-52d4-bec2-6bbc4a488df9" diff --git a/detection-rules/link_dynamics_form.yml b/detection-rules/link_dynamics_form.yml index 249601c8526..57279577c92 100644 --- a/detection-rules/link_dynamics_form.yml +++ b/detection-rules/link_dynamics_form.yml @@ -37,7 +37,15 @@ source: | ) ) ) -tags: - - "Suspicious links" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "File analysis" + - "Optical Character Recognition" - "Natural Language Understanding" + - "URL analysis" + - "URL screenshot" id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc" diff --git a/detection-rules/link_fake_fax_low_reputation.yml b/detection-rules/link_fake_fax_low_reputation.yml new file mode 100644 index 00000000000..0bf72f79c40 --- /dev/null +++ b/detection-rules/link_fake_fax_low_reputation.yml 
@@ -0,0 +1,82 @@ +name: "Brand impersonation: Fake fax" +description: | + Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender. +references: + - "https://www.hoxhunt.com/blog/fax-phishing" +type: "rule" +severity: "medium" +source: | + type.inbound + and 0 < length(body.links) < 5 + and sender.email.domain.root_domain not in $org_domains + and any(body.links, + ( + .href_url.domain.domain not in $tranco_1m or + .href_url.domain.domain in $free_file_hosts or + .href_url.domain.root_domain in $free_subdomain_hosts or + .href_url.domain.domain in $url_shorteners or + + // mass mailer link, masks the actual URL + .href_url.domain.root_domain in ( + "hubspotlinks.com", + "mandrillapp.com", + "sendgrid.net", + ) + ) + ) + + // any brand logo detected + and ( + any(attachments, + .file_type in ('png', 'jpeg', 'jpg', 'bmp') + and any(ml.logo_detect(.).brands, .name is not null) + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, + .name is not null) + ) + + // Subject or sender contains fax + and ( + strings.icontains(subject.subject, "fax") or + strings.icontains(sender.display_name, "fax") + ) + + // suspicious content + and ( + strings.ilike(body.plain.raw, "*fax*") + or ( + any(attachments, + .file_type in ('png', 'jpeg', 'jpg', 'bmp') + and any(file.explode(.), + strings.ilike(.scan.ocr.raw, "*fax*") + ) + ) + ) + ) + + // first time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Image as content" + - "Free file host" + - "Free subdomain host" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "Optical 
Character Recognition" + - "Sender analysis" + - "URL analysis" +id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6" diff --git a/detection-rules/link_fake_thread_nlu_financial_request.yml b/detection-rules/link_fake_thread_nlu_financial_request.yml index d36a6240d66..4f52fb5e712 100644 --- a/detection-rules/link_fake_thread_nlu_financial_request.yml +++ b/detection-rules/link_fake_thread_nlu_financial_request.yml @@ -4,7 +4,7 @@ type: "rule" severity: "medium" source: | type.inbound - + // suspicious link and any(body.links, .href_url.domain.root_domain not in $tranco_1m and @@ -23,7 +23,10 @@ source: | length(headers.references) == 0 and headers.in_reply_to is null ) - or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + or ( + not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To"))) + and not any(headers.hops, strings.ilike(.signature.headers, "*:reply-to")) + ) ) // sender's domain is not in body, and body has > 0 links @@ -62,9 +65,14 @@ source: | // sender domain matches no body domains all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain), ) -tags: - - "Suspicious link" - - "Fake Message Thread" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" - - "Machine Learning" + - "Sender analysis" + - "URL analysis" id: "8fd0e211-285d-5cbd-9c11-868c0501b526" diff --git a/detection-rules/link_firebase_new_domain_redirect.yml b/detection-rules/link_firebase_new_domain_redirect.yml index f41911bd9c1..56770e6e0dd 100644 --- a/detection-rules/link_firebase_new_domain_redirect.yml +++ b/detection-rules/link_firebase_new_domain_redirect.yml 
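Review bot: In the new `link_fake_fax_low_reputation.yml`, both attachment filters use the case-sensitive `.file_type in ('png', 'jpeg', 'jpg', 'bmp')`, whereas other rules in this change use the case-insensitive `in~` form for the same list (`link_qr_code_suspicious_language_fts.yml`, and the second filter in `link_google_fake_sign_in_image_lure.yml`); unless `file_type` is normalized to lowercase upstream, an attachment reported as `PNG` or `JPG` would be skipped by both the logo branch and the OCR branch. Switching both to `.file_type in~ ('png', 'jpeg', 'jpg', 'bmp')` matches the rest of the rule set. The hard-coded mass-mailer list (`hubspotlinks.com`, `mandrillapp.com`, `sendgrid.net`) is the kind of value other rules will want too; if the platform supports custom lists, a shared list next to `$url_shorteners` would be easier to maintain than an inline tuple.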
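Review bot: The added glob `strings.ilike(.signature.headers, "*:reply-to")` in `link_fake_thread_nlu_financial_request.yml` matches a DKIM-signed `Reply-To` header, not `In-Reply-To`: assuming `.signature.headers` is the colon-separated signed-header list, the character preceding `reply-to` for an `In-Reply-To` field is `-`, so `*:reply-to` only fires when a `Reply-To` field closes the list. If the intent is to treat a signed-but-stripped `In-Reply-To` as evidence of a real thread, the pattern should be `"*in-reply-to*"` (with a trailing wildcard, since the field need not be last); if `Reply-To` really is meant, a comment saying why belongs on that line. The enclosing `source` block starts and ends outside this hunk.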
@@ -13,6 +13,12 @@ source: | strings.icontains(.href_url.domain.domain, "app") and any(beta.linkanalysis(.).redirect_history, beta.whois(.domain).days_old < 7) ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "URL analysis" + - "Whois" id: "5a204a37-3120-53c1-a55a-5f4f09c61dc4" diff --git a/detection-rules/link_google_amp_suspicious_indicators.yml b/detection-rules/link_google_amp_suspicious_indicators.yml new file mode 100644 index 00000000000..69b2c6eb4ea --- /dev/null +++ b/detection-rules/link_google_amp_suspicious_indicators.yml 
@@ -0,0 +1,67 @@ +name: "Google Accelerated Mobile Pages (AMP) abuse" +description: | + This rule is designed to identify phishing attempts abusing Google AMP's URL structure for malicious activities. + The rule aims to detect specific URL patterns, further analyzing both message content, as well as the destination of the link to distinguish + between legitimate Google AMP pages and potential malicious usage. +references: + - "https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/" +type: "rule" +severity: "medium" +source: | + type.inbound + + // Any body links with a domain SLD of 'google' and a path starting with /amp/s + and any(body.links, + .href_url.domain.sld == "google" + and strings.starts_with(.href_url.path, "/amp/s/") + + // Brand Logo detected that is not google + and ( + any(ml.logo_detect(beta.message_screenshot()).brands, + .name is not null and .name != "Google" + ) + + // or the page has a login or captcha + or ( + beta.linkanalysis(.).credphish.contains_login + or beta.linkanalysis(.).credphish.contains_captcha + ) + + // or linkanalysis concludes phishing of medium to high confidence + or any([beta.linkanalysis(.)], + .credphish.disposition == "phishing" + and .credphish.brand.confidence in ("medium", "high") + ) + + // or NLU detected cred theft on the landing page + or any(file.explode(beta.linkanalysis(.).screenshot), + any(ml.nlu_classifier(.scan.ocr.raw).intents, + .name == "cred_theft" and .confidence in ("medium", "high") + ) + + // captcha partially loaded + or strings.icontains(.scan.ocr.raw, "Checking if the site connection is secure") + ) + + // or the link display text contains "password" + or strings.icontains(.display_text, "password") + + // or the link contains the recipients email in the url path + or any(recipients.to, strings.icontains(..href_url.path, .email.email)) + ) + ) +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Brand" + - "Open 
redirect" +detection_methods: + - "Computer Vision" + - "Content analysis" + - "Natural Language Understanding" + - "Optical Character Recognition" + - "Sender analysis" + - "URL analysis" + - "URL screenshot" +id: "46907029-ef83-50a8-9198-75af39dd5f3b" diff --git a/detection-rules/link_google_apps_script_macro.yml b/detection-rules/link_google_apps_script_macro.yml index 027c84db8ee..455c236c8c7 100644 --- a/detection-rules/link_google_apps_script_macro.yml +++ b/detection-rules/link_google_apps_script_macro.yml @@ -22,7 +22,13 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "d10146df-547f-5a89-8690-477283e3b1f7" diff --git a/detection-rules/link_google_comment_script_macro.yml b/detection-rules/link_google_comment_script_macro.yml index 04205c4c9d9..f3b769a83de 100644 --- a/detection-rules/link_google_comment_script_macro.yml +++ b/detection-rules/link_google_comment_script_macro.yml @@ -22,7 +22,13 @@ source: | // Or the Sender Display Name is not in your Org Display Names or not any($org_display_names, strings.istarts_with(sender.display_name, strings.concat(., " (Google "))) ) -tags: - - "Suspicious link" - - "Open redirect" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" + - "URL analysis" id: "66fecd30-4628-5e53-b3cb-5355a6741487" diff --git a/detection-rules/link_google_fake_sign_in_image_lure.yml b/detection-rules/link_google_fake_sign_in_image_lure.yml new file mode 100644 index 00000000000..0f7f8a25679 --- /dev/null +++ b/detection-rules/link_google_fake_sign_in_image_lure.yml 
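Review bot: In the new `link_google_amp_suspicious_indicators.yml`, `detection_methods` lists `"Sender analysis"`, but nothing in `source` references `sender.*`; every condition is a link, screenshot or link-analysis check. Either drop that entry or add the sender condition the metadata implies, for instance excluding mail actually sent by Google with `and sender.email.domain.root_domain != "google.com"`, as `link_google_fake_sign_in_image_lure.yml` in this same change does. If these fields are consumed downstream for coverage reporting, a method the rule cannot exercise will misreport what it detects.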
@@ -0,0 +1,50 @@ +name: "Brand impersonation: Google fake sign-in warning" +description: | + Detects messages with image attachments containing fake Google sign-in warnings with no links leading to Google sites. +type: "rule" +severity: "high" +source: | + type.inbound + and length(body.links) > 0 + + // Google Logo in Attachment + and any(attachments, + .file_type in ('png', 'jpeg', 'jpg', 'bmp') + and any(ml.logo_detect(.).brands, .name in ("Google")) + ) + and any(attachments, + .file_type in~ ('bmp', 'png', 'jpg', 'jpeg') + and ( + any(file.explode(.), + // Fake activity warning + length(filter(.scan.strings.strings, strings.ilike(., + "*new sign-in*", + "*google account*", + "*secure your account*", + "*check activity*" + ))) >= 3 + ) + ) + ) + + // legitimate sign-in warnings contains links to google, gmail or googleapis.com + and ( + not all(body.links, + .href_url.domain.root_domain in ("google.com", "gmail.com", "googleapis.com") + or .href_url.domain.root_domain is null + ) + ) + and sender.email.domain.root_domain not in $org_domains + and sender.email.domain.root_domain != "google.com" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "File analysis" + - "Optical Character Recognition" + - "Sender analysis" + - "URL analysis" +id: "2d998eee-476b-5f9c-a244-3c11f79138dd" diff --git a/detection-rules/link_google_translate.yml b/detection-rules/link_google_translate.yml index 953f843b108..de404ccf609 100644 --- a/detection-rules/link_google_translate.yml +++ b/detection-rules/link_google_translate.yml @@ -1,5 +1,4 @@ name: "Link: Google Translate (unsolicited)" - description: | Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain. This rule identifies instances of Google Translate links from unsolicited senders. 
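Review bot: The two consecutive attachment filters in `link_google_fake_sign_in_image_lure.yml` disagree on case handling: the logo check uses `.file_type in ('png', 'jpeg', 'jpg', 'bmp')` while the strings check uses `.file_type in~ ('bmp', 'png', 'jpg', 'jpeg')`. Because both must hold, an attachment whose type is reported in upper case (if `file_type` is not normalized) passes the second filter but never the first, so the rule silently requires lowercase; use `in~` in both, `.file_type in~ ('png', 'jpeg', 'jpg', 'bmp')`. `.name in ("Google")` is a one-element membership test; `.name == "Google"` states the intent directly and matches the comparison style used in `link_google_amp_suspicious_indicators.yml`.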
@@ -25,6 +24,12 @@ source: | ) ) tags: - - "Suspicious link" - "Attack surface reduction" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "6949e115-b806-56ea-8976-420bb9d47e5c" diff --git a/detection-rules/link_html_smuggling_with_adobe_branding.yml b/detection-rules/link_html_smuggling_with_adobe_branding.yml index b54b99f3b44..d400afe4923 100644 --- a/detection-rules/link_html_smuggling_with_adobe_branding.yml +++ b/detection-rules/link_html_smuggling_with_adobe_branding.yml @@ -36,9 +36,16 @@ source: | ) ) tags: - - "HTML smuggling" - - "Suspicious link" - - "Brand impersonation" - - "Malware" - - "QakBot" + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "File analysis" + - "Optical Character Recognition" + - "Sender analysis" + - "URL analysis" + - "URL screenshot" id: "e826c2cf-740c-5588-b0a1-8f45bb5baf47" diff --git a/detection-rules/link_html_smuggling_with_google_drive_branding.yml b/detection-rules/link_html_smuggling_with_google_drive_branding.yml index 61aeab77c77..9998b9f2052 100644 --- a/detection-rules/link_html_smuggling_with_google_drive_branding.yml +++ b/detection-rules/link_html_smuggling_with_google_drive_branding.yml @@ -21,7 +21,7 @@ source: | // Hi from Qakbot any(file.explode(beta.linkanalysis(.).screenshot), - all([ + any([ "the file is not displayed correctly", "use local downloaded file" ], strings.icontains(..scan.ocr.raw, .)) 
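Review bot: The loosened `any([...])` in `link_html_smuggling_with_google_drive_branding.yml` now fires on either OCR phrase alone, but the only explanation left is `// Hi from Qakbot`, which does not say that one phrase is sufficient or why `all` was too strict. A one-line comment recording the false-negative case that motivated the change would keep the next reviewer from re-tightening it. The enclosing `source` block starts and ends outside this hunk.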
@@ -39,9 +39,16 @@ source: | ) ) tags: - - "HTML smuggling" - - "Suspicious link" - - "Brand impersonation" - - "Malware" - - "QakBot" + - "Malfam: QakBot" +attack_types: + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "File analysis" + - "Optical Character Recognition" + - "URL analysis" + - "URL screenshot" id: "4b5343be-9b10-58a3-8d14-a1bae1eebc62" diff --git a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml index 036bae54467..7e41ca94b07 100644 --- a/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml +++ b/detection-rules/link_invoice_fake_customer_service_freemail_sender.yml @@ -15,8 +15,15 @@ source: | ) // First time sender exclusions are in place to avoid legitimate messages from known freemail senders. and sender.email.email not in $sender_emails -tags: - - "Invoice fraud" - - "Receipt fraud" - - "Customer service fraud" +attack_types: + - "BEC/Fraud" + - "Callback Phishing" +tactics_and_techniques: + - "Free email provider" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" + - "URL analysis" id: "3825232d-be75-5ad1-ba7f-a3ec97d23960" diff --git a/detection-rules/link_ipfs_phishing.yml b/detection-rules/link_ipfs_phishing.yml index d7d80e9a50c..668f3492769 100644 --- a/detection-rules/link_ipfs_phishing.yml +++ b/detection-rules/link_ipfs_phishing.yml 
@@ -1,6 +1,5 @@ name: "Link: IPFS" -description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links - that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites." +description: "Detects messages containing links that have 'ipfs' in the domain, or unanalyzed links that contain 'ipfs' in the url. IPFS has been recently observed hosting phishing sites." references: - "https://securelist.com/ipfs-phishing/109158/" - "https://docs.ipfs.tech/how-to/address-ipfs-on-web/" @@ -12,7 +11,7 @@ source: | and any(body.links, // Any body link domains contain "ipfs" strings.icontains(.href_url.domain.domain, "ipfs") - + // Or the path contains ipfs anchored to a leading or trailing '-', '/', '.' or ( regex.icontains(.href_url.query_params, '[\.-/]ipfs|ipfs[\.-/]') @@ -45,6 +44,14 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Free file host" + - "Free subdomain host" + - "IPFS" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "19fa6442-83b9-5479-ba04-61906b595929" diff --git a/detection-rules/link_login_or_captcha.yml b/detection-rules/link_login_or_captcha.yml index 897f8b83d8a..28342feeed5 100644 --- a/detection-rules/link_login_or_captcha.yml +++ b/detection-rules/link_login_or_captcha.yml @@ -24,8 +24,9 @@ source: | // if it's a known brand impersonation, we'll detect it in other rules and .href_url.domain.root_domain not in ("zendesk.com") and beta.linkanalysis(.).effective_url.domain.root_domain not in ("zendesk.com") + and beta.linkanalysis(.).effective_url.domain.domain not in ("login.squarespace.com") ) - + // exclude FP prone senders and sender.email.domain.root_domain not in ("sharepointonline.com") 
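Review bot: In the context line `regex.icontains(.href_url.query_params, '[\.-/]ipfs|ipfs[\.-/]')` of `link_ipfs_phishing.yml`, the class `[\.-/]` is parsed as a range from `.` (0x2E) to `/` (0x2F), so it matches only those two characters and never the `-` that the comment promises ("anchored to a leading or trailing '-', '/', '.'"). Placing the hyphen first, `'[-./]ipfs|ipfs[-./]'`, matches all three. This line is unchanged by the commit — the hunk only drops trailing whitespace — but since the pattern sits inside the hunk and the comment above it is wrong about the behaviour, it is worth fixing in the same pass; the enclosing `source` block extends outside the hunk.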
@@ -40,8 +41,14 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Credential phishing" - - "Suspicious link" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free subdomain host" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "File analysis" + - "Sender analysis" + - "URL screenshot" id: "93288f82-fbd2-5e88-b207-7f06386495a6" diff --git a/detection-rules/link_microsoft_device_code_phish.yml b/detection-rules/link_microsoft_device_code_phish.yml index ec098762b03..50111ea8102 100644 --- a/detection-rules/link_microsoft_device_code_phish.yml +++ b/detection-rules/link_microsoft_device_code_phish.yml @@ -41,6 +41,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" + - "URL analysis" id: "61f3ae67-c05c-506f-bbfe-764108a40974" diff --git a/detection-rules/link_microsoft_go2_open_redirect_phish.yml b/detection-rules/link_microsoft_go2_open_redirect_phish.yml index cc550409a62..82d692fcfb2 100644 --- a/detection-rules/link_microsoft_go2_open_redirect_phish.yml +++ b/detection-rules/link_microsoft_go2_open_redirect_phish.yml @@ -22,8 +22,13 @@ source: | and headers.mailer is null and regex.icontains(body.html.inner_text, '(i͏c͏r͏os͏of͏|icrosof)|(office|o)\s?365') -tags: - - "Suspicious link" - - "Credential phishing" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" - "Open redirect" +detection_methods: + - "Content analysis" + - "Header analysis" + - "URL analysis" id: "51667096-1628-5113-809b-97155a03eadf" diff --git a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml index 24677dcc45e..56a8df0da3f 100644 
--- a/detection-rules/link_microsoft_impersonation_using_hosted_png.yml +++ b/detection-rules/link_microsoft_impersonation_using_hosted_png.yml @@ -27,7 +27,7 @@ source: | // org domain in the subject of the message and any($org_domains, strings.icontains(subject.subject, .)) - + // first-time sender and ( ( @@ -39,8 +39,14 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Brand impersonation" - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" - "Natural Language Understanding" + - "Sender analysis" + - "URL analysis" id: "07c696d4-c58e-5252-96e2-70211f9de338" diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml index c1116fa52dc..8c1f579ea3e 100644 --- a/detection-rules/link_microsoft_low_reputation.yml +++ b/detection-rules/link_microsoft_low_reputation.yml @@ -21,7 +21,7 @@ source: | ) // exclude sources of potential FPs - and .href_url.domain.root_domain not in ("svc.ms", "sharepoint.com", "1drv.ms") + and .href_url.domain.root_domain not in ("svc.ms", "sharepoint.com", "1drv.ms", "microsoft.com") ) // not a reply @@ -91,9 +91,20 @@ source: | "sharepointonline.com", "yammer.com" ) - -tags: - - "Suspicious link" - - "Brand impersonation" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free file host" + - "Image as content" + - "Impersonation: Brand" + - "Social engineering" +detection_methods: - "Computer Vision" + - "Content analysis" + - "File analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Optical Character Recognition" + - "Sender analysis" + - "URL analysis" id: "b59201b6-f253-55a6-9c0a-e1500a32a751" diff --git a/detection-rules/link_new_domain_in_link_first_time_sender.yml b/detection-rules/link_new_domain_in_link_first_time_sender.yml index e88a1d838de..ea1ed146a45 100644 
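Review bot: The new exclusion `"microsoft.com"` in `link_microsoft_low_reputation.yml` is matched on `.href_url.domain.root_domain`, so it removes every `*.microsoft.com` host from consideration, not only the corporate site. This same change set carries `link_microsoft_go2_open_redirect_phish.yml`, which by its name appears to cover a redirector on a Microsoft-operated host; whitelisting the whole root domain here means such links rely on that other rule alone, which may be intended but deserves a comment on the line, e.g. `// microsoft.com excluded; redirector abuse is handled by link_microsoft_go2_open_redirect_phish.yml`. If the intent was narrower, `.href_url.domain.domain` against the specific hosts that caused the false positives would be the tighter filter. The enclosing `source` block is outside this hunk.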
--- a/detection-rules/link_new_domain_in_link_first_time_sender.yml +++ b/detection-rules/link_new_domain_in_link_first_time_sender.yml @@ -18,7 +18,12 @@ source: | ) ) tags: - - "Suspicious link" - - "New domain" - "Attack surface reduction" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +detection_methods: + - "Sender analysis" + - "URL analysis" + - "Whois" id: "4805b0e6-6d35-512b-8053-87dd0edacc8a" diff --git a/detection-rules/link_notion_file_share.yml b/detection-rules/link_notion_file_share.yml index fa67e9cde57..c77e215dfca 100644 --- a/detection-rules/link_notion_file_share.yml +++ b/detection-rules/link_notion_file_share.yml @@ -24,7 +24,14 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) - -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "Free file host" +detection_methods: + - "Content analysis" + - "Sender analysis" + - "URL analysis" id: "f7307929-bbfd-58b6-81e4-afff7610cff2" diff --git a/detection-rules/link_office365_suspicious_app_authorization.yml b/detection-rules/link_office365_suspicious_app_authorization.yml index 4df7bdfe762..8a6eceb0163 100644 --- a/detection-rules/link_office365_suspicious_app_authorization.yml +++ b/detection-rules/link_office365_suspicious_app_authorization.yml @@ -11,6 +11,8 @@ source: | type.inbound and any(body.links, .href_url.domain.domain == 'login.microsoftonline.com' and strings.ilike(.href_url.query_params, '*offline_access*', '*.readwrite*', '*.read*')) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" +detection_methods: + - "URL analysis" id: "13a8c430-3e62-5c8f-86b5-3722599bead4" diff --git a/detection-rules/link_outlook_left_to_right_exploit.yml b/detection-rules/link_outlook_left_to_right_exploit.yml index c30f9dcc678..5de1c572dc0 100644 --- a/detection-rules/link_outlook_left_to_right_exploit.yml +++ b/detection-rules/link_outlook_left_to_right_exploit.yml 
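Review bot: The new metadata in `link_new_domain_in_link_first_time_sender.yml` has `attack_types` and `detection_methods` but no `tactics_and_techniques`, and `link_office365_suspicious_app_authorization.yml` further along this line does the same, while every other rule in the change gets all three keys. If the rule-validation step or downstream reporting treats the key as required, these two files will be the outliers. If the field is legitimately optional, an explicit `tactics_and_techniques: []` documents that nothing applies rather than leaving the omission ambiguous.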
@@ -9,7 +9,13 @@ source: | type.inbound // this regex contains a Unicode U+200E character (may not be visible in many clients) and regex.contains(body.html.raw, 'base.{0,100}‎/>') -tags: - - "Suspicious link" - - "Office exploit" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" + - "Exploit" +detection_methods: + - "Content analysis" + - "HTML analysis" + - "URL analysis" id: "160cc681-dfb3-5820-aa03-37f0289bd0e2" diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml index 8bb13ac67b0..286d56d4be6 100644 --- a/detection-rules/link_qr_code_suspicious_language_fts.yml +++ b/detection-rules/link_qr_code_suspicious_language_fts.yml @@ -7,18 +7,18 @@ type: "rule" severity: "medium" source: | type.inbound - + // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready and any(attachments, .file_type in~ ('bmp', 'png', 'jpg', 'jpeg', 'gif') and any(file.explode(.), .scan.qr.type == "url" - + // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains and any(recipients.to, strings.icontains(..scan.qr.data, .email.email)) and .scan.qr.url.domain.root_domain not in $org_domains ) ) - + // NLU has identified cred_theft language with high confidence and ( any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents, .name == "cred_theft" and .confidence == "high") @@ -34,7 +34,7 @@ source: | ) ) ) - + // first-time sender and ( ( 
@@ -46,8 +46,17 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -tags: - - "Suspicious Link" - - "Natural Language Understanding" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" - "QR code" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Computer Vision" + - "Natural Language Understanding" + - "QR code analysis" + - "Sender analysis" + - "URL analysis" id: "25a84d1c-9578-53e3-98a7-ca9b43abb28b" diff --git a/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml b/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml index dccbc21799c..0b4e11af5c0 100644 --- a/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml +++ b/detection-rules/link_sharepoint_online_multiple_recipients_from_outside_org.yml @@ -11,9 +11,13 @@ source: | and length(recipients.to) > 40 // You may want to adjust this threshold if 40 is too aggressive and any(recipients.to, .email.domain.domain in $free_email_providers) and sender.display_name not in $org_display_names -tags: - - "Suspicious link" - - "Suspicious content" - - "Suspicious subject" - - "Suspicious sender" +attack_types: + - "Credential Phishing" + - "Spam" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "5579bb4b-a225-57c1-99e1-65c704bad6ad" diff --git a/detection-rules/link_undisclosed_recipients_credphish.yml b/detection-rules/link_undisclosed_recipients_credphish.yml index 249341cbf17..12650b125a5 100644 --- a/detection-rules/link_undisclosed_recipients_credphish.yml +++ b/detection-rules/link_undisclosed_recipients_credphish.yml 
@@ -20,7 +20,12 @@ source: | ) ) ) -tags: - - "Suspicious headers" - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Computer Vision" + - "Header analysis" + - "URL screenshot" id: "06fc155e-f779-50a7-ad5f-3c3777fbf8f5" diff --git a/detection-rules/lookalike_sender_domain.yml b/detection-rules/lookalike_sender_domain.yml index 72f47d708c6..c36d1af53bf 100644 --- a/detection-rules/lookalike_sender_domain.yml +++ b/detection-rules/lookalike_sender_domain.yml @@ -24,7 +24,13 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: - - "Suspicious sender" +attack_types: + - "BEC/Fraud" + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Lookalike domain" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "67721993-4f5d-575b-970b-3ced67a874fa" diff --git a/detection-rules/malformed_url_prefix.yml b/detection-rules/malformed_url_prefix.yml index cfa7f116571..5e973073a53 100644 --- a/detection-rules/malformed_url_prefix.yml +++ b/detection-rules/malformed_url_prefix.yml @@ -1,12 +1,17 @@ name: Malformed URL prefix description: | Malformed URL prefix is a technique used to evade email security scanners. -references: +references: - "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/" type: "rule" severity: "high" source: | any(body.links, regex.icontains(.href_url.url, ':/\\')) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "URL analysis" id: "4e659d28-53fa-51ca-888d-a7cab1e4bcad" diff --git a/detection-rules/mass_campaign_recipient_address_new_sender.yml b/detection-rules/mass_campaign_recipient_address_new_sender.yml index d6a88ae41cf..28cfdbd4ca9 100644 --- a/detection-rules/mass_campaign_recipient_address_new_sender.yml +++ b/detection-rules/mass_campaign_recipient_address_new_sender.yml 
@@ -48,9 +48,12 @@ source: | ) // we could add additional logic here, such as suspicious subject, url shortener, sus link, etc. -tags: - - "Credential phishing" - - "Machine Learning" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Social engineering" +detection_methods: + - "Header analysis" - "Natural Language Understanding" - - "Suspicious subject" + - "Sender analysis" id: "599dabf5-6287-5adf-8a8f-70649ccf0f92" diff --git a/detection-rules/open_redirect_atdmt.yml b/detection-rules/open_redirect_atdmt.yml index 53b8854fc87..759e44ed73c 100644 --- a/detection-rules/open_redirect_atdmt.yml +++ b/detection-rules/open_redirect_atdmt.yml @@ -10,6 +10,11 @@ severity: "medium" source: | type.inbound and any(body.links, .href_url.domain.domain == 'ad.atdmt.com' and strings.ilike(.href_url.path, '*/c*')) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "URL analysis" id: "fafbd230-bb09-5306-b652-3060639b8660" diff --git a/detection-rules/open_redirect_avast.yml b/detection-rules/open_redirect_avast.yml index 8157f93be99..dec9e0aa290 100644 --- a/detection-rules/open_redirect_avast.yml +++ b/detection-rules/open_redirect_avast.yml @@ -19,7 +19,12 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) -tags: +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" - - "Suspicious link" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "5f635658-19be-5112-a47b-f8c9bd271999" diff --git a/detection-rules/open_redirect_bmwusa.yml b/detection-rules/open_redirect_bmwusa.yml index 46a69e09457..0ee00f692e9 100644 --- a/detection-rules/open_redirect_bmwusa.yml +++ b/detection-rules/open_redirect_bmwusa.yml 
@@ -7,7 +7,12 @@ source: | type.inbound and sender.email.domain.root_domain not in~ ('bmw.com', 'bmwusa.com') and any(body.links, .href_url.domain.domain == 't.msg.bmwusa.com' and .href_url.path =~ '/r/') -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "1bf4e69a-1762-5168-8dc9-c5d3d0d4a181" diff --git a/detection-rules/open_redirect_googleweblight.yml b/detection-rules/open_redirect_googleweblight.yml index a9f3018b254..6efa7b7a8a3 100644 --- a/detection-rules/open_redirect_googleweblight.yml +++ b/detection-rules/open_redirect_googleweblight.yml @@ -11,6 +11,12 @@ source: | .href_url.domain.domain == 'googleweblight.com' and strings.ilike(.href_url.url, '*/i?u=*') ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "27030ba5-c9dc-5789-bd3e-621626e0a123" diff --git a/detection-rules/open_redirect_hhs.yml b/detection-rules/open_redirect_hhs.yml index 98fee55417c..5556fe70450 100644 --- a/detection-rules/open_redirect_hhs.yml +++ b/detection-rules/open_redirect_hhs.yml @@ -9,6 +9,12 @@ source: | type.inbound and any(body.links, .href_url.domain.domain == 'dcis.hhs.gov' and strings.ilike(.href_url.query_params, '*service*')) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "c2d8cda9-358e-5856-93a7-8e76d1ab1df5" diff --git a/detection-rules/open_redirect_linkedin.yml b/detection-rules/open_redirect_linkedin.yml index b6e1fcfec96..d5e063483f3 100644 --- a/detection-rules/open_redirect_linkedin.yml +++ b/detection-rules/open_redirect_linkedin.yml 
@@ -8,11 +8,25 @@ authors:
 severity: "medium"
 source: |
 type.inbound
- and sender.email.domain.root_domain != "linkedin.com"
- and any(body.links, .href_url.domain.root_domain == 'linkedin.com' and .href_url.path == '/slink')
- and any(body.links, strings.ilike(.href_url.query_params, 'code=*'))
-tags:
+ and (
+ (
+ sender.email.domain.root_domain != "linkedin.com"
+ and any(body.links, .href_url.domain.root_domain == 'linkedin.com' and .href_url.path == '/slink')
+ and any(body.links, strings.ilike(.href_url.query_params, 'code=*'))
+ )
+ or any(attachments, .file_type == "pdf"
+ and any(file.explode(.),
+ any(.scan.url.urls, .domain.root_domain == 'linkedin.com' and .path == '/slink')
+ and any(.scan.url.urls, strings.ilike(.query_params, 'code=*'))
+ )
+ )
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
 - "Open redirect"
- - "Suspicious link"
-
-id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
+id: "5ad2ffae-fca7-58ff-90bd-8efbd98c0a72"
\ No newline at end of file
diff --git a/detection-rules/open_redirect_mcgill.yml b/detection-rules/open_redirect_mcgill.yml
index 2b2a145b9b9..c11b91eb90e 100644
--- a/detection-rules/open_redirect_mcgill.yml
+++ b/detection-rules/open_redirect_mcgill.yml
@@ -8,7 +8,12 @@ source: |
 and any(body.links, .href_url.domain.domain == 'myalumni.mcgill.ca' and .href_url.path =~ '/redirect.aspx')
 and any(body.links, strings.ilike(.href_url.query_params, '*tokenUrl=*'))
 and sender.email.domain.root_domain != 'mcgill.ca'
-tags:
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
 - "Open redirect"
- - "Suspicious link"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
 id: "5d006c90-a585-576f-84af-d4f9e4365d39"
diff --git a/detection-rules/open_redirect_msn.yml b/detection-rules/open_redirect_msn.yml
index 3a907e0f6e7..ecaf61f8506 100644
--- a/detection-rules/open_redirect_msn.yml
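Review bot: The new PDF branch has no `sender.email.domain.root_domain != "linkedin.com"` exclusion, unlike the body-link branch beside it, so a message from linkedin.com itself carrying a PDF with a `/slink` URL now fires; hoisting that sender check above the `and (` covers both branches. In both branches the `/slink` test and the `code=*` test are two independent `any()` calls over the same URL list, so they can be satisfied by two different links; the PDF branch could at least combine them into one predicate, `any(.scan.url.urls, .domain.root_domain == 'linkedin.com' and .path == '/slink' and strings.ilike(.query_params, 'code=*'))`. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which the sibling rule files keep.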
+++ b/detection-rules/open_redirect_msn.yml @@ -16,7 +16,12 @@ source: | and .href_url.path =~ "/en-gb/lifestyle/rf-best-products-uk/redirect" and strings.icontains(.href_url.query_params, "url") ) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "0e0a691a-3bf9-573a-82dd-96b4ef8f96c5" diff --git a/detection-rules/open_redirect_panera_bread.yml b/detection-rules/open_redirect_panera_bread.yml index be9359e78aa..acf8a71a3ed 100644 --- a/detection-rules/open_redirect_panera_bread.yml +++ b/detection-rules/open_redirect_panera_bread.yml @@ -9,6 +9,12 @@ source: | type.inbound and any(body.links, .href_url.domain.domain == 't.e1.panerabread.com' and .href_url.path =~ '/r/') and sender.email.domain.root_domain != 'panerabread.com' -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "91a726a2-9f14-54bf-8f2c-fe7ed7ee6142" diff --git a/detection-rules/open_redirect_samsung.yml b/detection-rules/open_redirect_samsung.yml index d927e18afdd..2c368baf97b 100644 --- a/detection-rules/open_redirect_samsung.yml +++ b/detection-rules/open_redirect_samsung.yml @@ -10,6 +10,12 @@ source: | type.inbound and any(body.links, .href_url.domain.domain == 't.info.samsungusa.com' and .href_url.path =~ '/r/') and sender.email.domain.root_domain != 'samsungusa.com' -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "164ece9a-26ca-5872-9604-7e948722d627" diff --git a/detection-rules/open_redirect_slack.yml b/detection-rules/open_redirect_slack.yml index 779eddba4cf..f2c7632c34c 100644 --- a/detection-rules/open_redirect_slack.yml 
+++ b/detection-rules/open_redirect_slack.yml @@ -7,6 +7,12 @@ source: | type.inbound and sender.email.domain.root_domain not in~ ('atlassian.net', 'slack.com', 'soundtrap.com') and any(body.links, .href_url.domain.domain == 'slack-redir.net' and strings.ilike(.href_url.query_params, '*url=*')) -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "1b15f4a3-e7ab-56c1-9ba3-f63788389ebe" diff --git a/detection-rules/open_redirect_snapchat.yml b/detection-rules/open_redirect_snapchat.yml index 22f77a548f3..20f76e0e19d 100644 --- a/detection-rules/open_redirect_snapchat.yml +++ b/detection-rules/open_redirect_snapchat.yml @@ -9,6 +9,12 @@ source: | type.inbound and any(body.links, .href_url.domain.domain == "click.snapchat.com") and sender.email.domain.root_domain != "snapchat.com" -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "6f363e68-ced9-5f0e-8951-4070623cd705" diff --git a/detection-rules/open_redirect_ticketmaster.yml b/detection-rules/open_redirect_ticketmaster.yml index acc098a2241..49c98050f58 100644 --- a/detection-rules/open_redirect_ticketmaster.yml +++ b/detection-rules/open_redirect_ticketmaster.yml @@ -10,7 +10,12 @@ source: | and any(body.links, .href_url.domain.domain == 'links.engage.ticketmaster.com' and .href_url.path =~ '/ctt') and sender.email.domain.root_domain != 'ticketmaster.com' and headers.return_path.domain.root_domain != "ticketmaster.com" -tags: +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" - - "Suspicious link" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "a5b3901f-e57b-5fb9-a3d7-ee2205cc0c5b" 
diff --git a/detection-rules/open_redirect_vk.yml b/detection-rules/open_redirect_vk.yml index 7bd7c3d2bf5..fec229a9238 100644 --- a/detection-rules/open_redirect_vk.yml +++ b/detection-rules/open_redirect_vk.yml @@ -9,7 +9,12 @@ source: | type.inbound and any(body.links, .href_url.domain.root_domain == 'vk.com' and .href_url.path =~ '/away.php') and sender.email.domain.root_domain != 'vk.com' -tags: +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: - "Open redirect" - - "Suspicious link" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "6ebd6d42-b0d5-5585-a715-aa939097ed99" diff --git a/detection-rules/open_redirect_youtube.yml b/detection-rules/open_redirect_youtube.yml index a09bdd7d568..3edbb9797ee 100644 --- a/detection-rules/open_redirect_youtube.yml +++ b/detection-rules/open_redirect_youtube.yml @@ -9,6 +9,12 @@ source: | type.inbound and any(body.links, .href_url.domain.root_domain == "youtube.com" and strings.icontains(.href_url.url, "attribution_link?")) and sender.email.domain.root_domain != "youtube.com" -tags: - - "Suspicious link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Open redirect" +detection_methods: + - "Sender analysis" + - "URL analysis" id: "fb33bffe-d3db-5acb-ae19-5ddc6b5b0b01" diff --git a/detection-rules/paypal_invoice_abuse.yml b/detection-rules/paypal_invoice_abuse.yml index 4f47dfb2a9a..90549fbc2f0 100644 --- a/detection-rules/paypal_invoice_abuse.yml +++ b/detection-rules/paypal_invoice_abuse.yml 
@@ -8,39 +8,46 @@ references: - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam" severity: "medium" source: | - type.inbound - and length(attachments) == 0 - and sender.email.domain.root_domain == "paypal.com" - and not any(headers.hops, .authentication_results.dmarc == "fail") - and strings.ilike(body.html.display_text, "*seller note*") - and ( - ( - //phone number but not 800 number - regex.contains(body.html.inner_text, '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b') - and ( - 4 of ( - strings.ilike(body.html.inner_text, '*you did not*'), - strings.ilike(body.html.inner_text, '*subscription*'), - strings.ilike(body.html.inner_text, '*antivirus*'), - strings.ilike(body.html.inner_text, '*order*'), - strings.ilike(body.html.inner_text, '*support*'), - strings.ilike(body.html.inner_text, '*receipt*'), - strings.ilike(body.html.inner_text, '*invoice*'), - strings.ilike(body.html.inner_text, '*call*'), - strings.ilike(body.html.inner_text, '*cancel*'), - strings.ilike(body.html.inner_text, '*renew*'), - strings.ilike(body.html.inner_text, '*refund*'), - strings.ilike(body.html.inner_text, '*+1*'), - strings.ilike(body.html.inner_text, '*help*desk*') - ) - ) - ) - or ( - //Unicode confusables words obfuscated in note - regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹') - ) - ) -tags: + type.inbound + and length(attachments) == 0 + and sender.email.domain.root_domain == "paypal.com" + and not any(headers.hops, .authentication_results.dmarc == "fail") + and strings.ilike(body.html.display_text, "*seller note*") + and ( + ( + //phone number but not 800 number + regex.contains(body.html.inner_text, '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b') + and ( + 4 of ( + strings.ilike(body.html.inner_text, '*you did not*'), + strings.ilike(body.html.inner_text, '*subscription*'), + strings.ilike(body.html.inner_text, '*antivirus*'), + 
strings.ilike(body.html.inner_text, '*order*'), + strings.ilike(body.html.inner_text, '*support*'), + strings.ilike(body.html.inner_text, '*receipt*'), + strings.ilike(body.html.inner_text, '*invoice*'), + strings.ilike(body.html.inner_text, '*call*'), + strings.ilike(body.html.inner_text, '*cancel*'), + strings.ilike(body.html.inner_text, '*renew*'), + strings.ilike(body.html.inner_text, '*refund*'), + strings.ilike(body.html.inner_text, '*+1*'), + strings.ilike(body.html.inner_text, '*help*desk*') + ) + ) + ) + or ( + //Unicode confusables words obfuscated in note + regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹') + ) + ) +attack_types: + - "BEC/Fraud" - "Callback Phishing" - - "Customer service fraud" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Sender analysis" id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f" diff --git a/detection-rules/punycode_sender_domain.yml b/detection-rules/punycode_sender_domain.yml index bed5f01ddbb..fc010ad69d5 100644 --- a/detection-rules/punycode_sender_domain.yml +++ b/detection-rules/punycode_sender_domain.yml @@ -10,8 +10,14 @@ type: "rule" severity: "high" source: | type.inbound and strings.ilike(sender.email.domain.domain, "*xn--*") -tags: - - "Suspicious sender" - - "Punycode" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" - "Lookalike domain" + - "Punycode" + - "Social engineering" +detection_methods: + - "Sender analysis" id: "bc3d8db5-dc83-5b77-bee4-9cf62f32b6de" diff --git a/detection-rules/recipients_undisclosed_compauth_check.yml b/detection-rules/recipients_undisclosed_compauth_check.yml index 984ec6c09ab..2a6d2c4bbc8 100644 --- a/detection-rules/recipients_undisclosed_compauth_check.yml +++ b/detection-rules/recipients_undisclosed_compauth_check.yml 
@@ -33,9 +33,11 @@ source: | ) ) ) -tags: - - "Suspicious sender" - - "Suspicious headers" +detection_methods: + - "Content analysis" + - "Computer Vision" + - "Header analysis" - "Natural Language Understanding" - - "Machine Learning" + - "URL analysis" + - "URL screenshot" id: "34fb65f6-03e8-5752-b602-4f294172b5db" diff --git a/detection-rules/recipients_undisclosed_free_subdomain_host.yml b/detection-rules/recipients_undisclosed_free_subdomain_host.yml index 50d2de0c853..192c3709b64 100644 --- a/detection-rules/recipients_undisclosed_free_subdomain_host.yml +++ b/detection-rules/recipients_undisclosed_free_subdomain_host.yml @@ -5,7 +5,7 @@ type: "rule" severity: "medium" source: | type.inbound - + and any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts and .href_url.domain.subdomain is not null @@ -17,7 +17,9 @@ source: | ) and length(recipients.cc) == 0 and length(recipients.bcc) == 0 -tags: - - "Suspicious link" - - "Suspicious headers" +tactics_and_techniques: + - "Free subdomain host" +detection_methods: + - "Header analysis" + - "URL analysis" id: "c23d979d-de80-599d-b0ca-c7fef217885e" diff --git a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml index 728f7c5d427..50ab9cacd78 100644 --- a/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml +++ b/detection-rules/recipients_undisclosed_nlu_cred_theft_low_rep_links.yml 
@@ -1,6 +1,5 @@ name: "Suspicious Recipients pattern with NLU credential theft indicators" -description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a - credential theft intent with medium to high confidence from a suspicious low reputation link domain" +description: "Detects messages with undisclosed recipients (likely all bcc) and NLU identified a credential theft intent with medium to high confidence from a suspicious low reputation link domain" type: "rule" severity: "medium" source: | @@ -12,7 +11,7 @@ source: | and length(recipients.cc) == 0 and length(recipients.bcc) == 0 and any(body.links, .href_url.domain.domain not in $tranco_1m) - + and ( any(body.links, regex.icontains(.display_text, '(view|click|download|goto)?(attachment|download|file|online|document)s?') @@ -25,9 +24,13 @@ source: | .name in ("cred_theft") and .confidence in ("medium", "high") ) -tags: - - "Suspicious sender" - - "Suspicious headers" - - "Suspicious link" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" - "Natural Language Understanding" + - "URL analysis" id: "8e121c3e-b9cf-5aa3-b799-e025a69b7d8c" diff --git a/detection-rules/sender_new_from_domain_first_time_sender.yml b/detection-rules/sender_new_from_domain_first_time_sender.yml index 23b3e70fc61..61bf772d666 100644 --- a/detection-rules/sender_new_from_domain_first_time_sender.yml +++ b/detection-rules/sender_new_from_domain_first_time_sender.yml @@ -17,7 +17,8 @@ source: | ) ) tags: - - "Suspicious sender" - - "New domain" - "Attack surface reduction" +detection_methods: + - "Sender analysis" + - "Whois" id: "d87fa543-aabb-55f5-9660-23c9e7a85b2a" diff --git a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml index 616ee7220d5..ad1dbaa3f82 100644 
--- a/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml +++ b/detection-rules/spam_campaign_excessive_display_text_with_keywords.yml @@ -1,15 +1,15 @@ name: "Spam: Campaign with excessive display-text and keywords found" -type: "rule" description: | Detects affiliate marketing spam where any link contains display-text greater than 3000 chars and specific values found. -references: - - "https://playground.sublimesecurity.com?id=aa90e106-fa06-43f2-aa85-50d69591e073" +references: + - "https://playground.sublimesecurity.com?id=aa90e106-fa06-43f2-aa85-50d69591e073" +type: "rule" +severity: "low" source: | type.inbound and length(body.links) > 0 - and ( - any(body.links, length(.display_text) >3000) - ) + and any(body.links, length(.display_text) >3000) + and any( body.links, regex.icontains(.display_text, '(\bPassword:)', 'Hi.{0,5}Welcome\b') ) @@ -24,7 +24,8 @@ source: | and sender.email.domain.domain not in $sender_domains ) ) -severity: "low" -tags: +attack_types: - "Spam" +detection_methods: + - "Content analysis" id: "140e46a1-c8a6-530a-ad88-21b7e4b4b02f" diff --git a/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml b/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml index 69aa68b9e0f..027e82f540d 100644 --- a/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml +++ b/detection-rules/spam_campaign_excessive_space_obfuscation_free_file_hosting.yml @@ -2,7 +2,7 @@ name: "Spam: Campaign with excessive space/char obfuscation and free file hosted description: | This rule detects mass spam campaigns using excessive space padding with links utilizing free file hosting. -references: +references: - "https://playground.sublimesecurity.com?id=a340c08c-a1d9-41a9-96f8-6d1fe888cb5b" type: "rule" severity: "low" 
@@ -22,6 +22,11 @@ source: |
 )
 or sender.email.domain.valid == false
 )
-tags:
+attack_types:
 - "Spam"
+tactics_and_techniques:
+ - "Free file host"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
 id: "122bc0ca-4f9c-5403-9b4e-7e9d47b92ef2"
diff --git a/detection-rules/spam_url_shortener_emojis.yml b/detection-rules/spam_url_shortener_emojis.yml
new file mode 100644
index 00000000000..9e06b64f841
--- /dev/null
+++ b/detection-rules/spam_url_shortener_emojis.yml
@@ -0,0 +1,46 @@
+name: "Spam: URL shortener with short body content and emojis"
+description: |
+ Detects spam from freemail senders, where the majority of the body is a URL shortener and emojis.
+type: "rule"
+severity: "low"
+source: |
+ type.inbound
+
+ // sender is a freemail
+ and sender.email.domain.root_domain in $free_email_providers
+
+ // has a URL shortener
+ and any(body.links,
+ .href_url.domain.root_domain in $url_shorteners
+ )
+
+ // short body, basically just the URL
+ and length(body.plain.raw) < 100
+
+ // has an emoji in the subject or body
+ and (
+ regex.contains(body.plain.raw, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
+ or regex.contains(subject.subject, '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
+
+ )
+
+ // first-time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+attack_types:
+ - "Spam"
+tactics_and_techniques:
+ - "Free email provider"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+ - "URL analysis"
+id: "b7797e4c-f2d7-5330-8a16-7123fe9bb6a8"
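Review bot: The second alternative of the `// first-time sender` block (`sender.email.domain.root_domain not in $free_email_providers and ...`) is unreachable, because the rule already requires `sender.email.domain.root_domain in $free_email_providers` under `// sender is a freemail`; the whole block reduces to `and sender.email.email not in $sender_emails`, and keeping the dead branch suggests non-freemail senders are covered when they are not. `length(body.plain.raw) < 100` presumably evaluates on a null `body.plain.raw` for HTML-only messages in some way — worth confirming whether that silently drops or silently matches those messages, and adding a comment either way. The emoji character class is duplicated between the body and subject checks; a comment naming the Unicode blocks it covers would help the next person who has to extend it.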
diff --git a/detection-rules/spoof_dropbox.yml b/detection-rules/spoof_dropbox.yml index b23ab4c22aa..32e7d3076d6 100644 --- a/detection-rules/spoof_dropbox.yml +++ b/detection-rules/spoof_dropbox.yml @@ -9,7 +9,13 @@ source: | and any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail")) // mitigates situations where an ESG misconfiguration could cause auth failures and not strings.ends_with(headers.message_id, ".dropbox.com>") -tags: - - "Brand impersonation" - - "Suspicious sender" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Impersonation: Brand" + - "Spoofing" +detection_methods: + - "Header analysis" + - "Sender analysis" id: "bd99740a-07e1-5c6f-92f6-b223478effa8" diff --git a/detection-rules/spoofable_internal_domain_suspicious_signals.yml b/detection-rules/spoofable_internal_domain_suspicious_signals.yml index 9446d76c936..d9c07b3caf2 100644 --- a/detection-rules/spoofable_internal_domain_suspicious_signals.yml +++ b/detection-rules/spoofable_internal_domain_suspicious_signals.yml @@ -73,5 +73,17 @@ source: | ) tags: - - "Spoof" + - "Attack surface reduction" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Free file host" + - "Free subdomain host" + - "Social engineering" + - "Spoofing" +detection_methods: + - "Content analysis" + - "Header analysis" + - "Natural Language Understanding" + - "Sender analysis" id: "40089d69-9150-5270-97f1-9f68e4ca9a5a" diff --git a/detection-rules/stripe_invoice_abuse.yml b/detection-rules/stripe_invoice_abuse.yml index ed10ac1a16d..673d28d72b2 100644 --- a/detection-rules/stripe_invoice_abuse.yml +++ b/detection-rules/stripe_invoice_abuse.yml 
@@ -10,7 +10,7 @@ source: | and length(attachments) == 2 and sender.email.domain.root_domain == "stripe.com" and any(headers.hops, .authentication_results.dmarc == "pass") - + and any(attachments, .file_extension == "pdf" and any(file.explode(.), length(filter(.scan.strings.strings, strings.ilike(., @@ -23,7 +23,12 @@ source: | ))) >= 4 ) ) -tags: +attack_types: + - "BEC/Fraud" - "Callback Phishing" - - "Customer service fraud" +tactics_and_techniques: + - "PDF" +detection_methods: + - "File analysis" + - "Header analysis" id: "90162d16-0311-579f-b256-b501ca29bb35" diff --git a/detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml b/detection-rules/suspicious_request_for_quote_html_smuggling.yml similarity index 92% rename from detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml rename to detection-rules/suspicious_request_for_quote_html_smuggling.yml index d2542148923..616f8ce02c5 100644 --- a/detection-rules/suspicious_request_for_quote_html_smuggling.yml.yml +++ b/detection-rules/suspicious_request_for_quote_html_smuggling.yml @@ -6,7 +6,7 @@ type: "rule" severity: "high" source: | type.inbound - + // RFP/RFQ language and 1 of ( ( @@ -36,7 +36,7 @@ source: | body.html.display_text, body.plain.raw)).tags,.name == "purchase_order" and .confidence == "high") ) ) - + // HTML smuggling and any(attachments, ( @@ -61,10 +61,15 @@ source: | ) ) ) -tags: - - "RFP" - - "RFQ" - - "Suspicious attachment" - - "HTML smuggling" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "File analysis" + - "HTML analysis" + - "Javascript analysis" - "Natural Language Understanding" + - "URL analysis" id: "a47a5755-a698-5daf-98b5-21cdcf893ee2" diff --git a/detection-rules/suspicious_request_for_quote_or_purchase.yml b/detection-rules/suspicious_request_for_quote_or_purchase.yml index a2cf639cba3..32845806c39 100644 --- a/detection-rules/suspicious_request_for_quote_or_purchase.yml 
+++ b/detection-rules/suspicious_request_for_quote_or_purchase.yml @@ -21,7 +21,7 @@ source: | and any(headers.reply_to, .email.email not in $recipient_emails) ) ) - + and 2 of ( ( regex.icontains(coalesce(body.html.display_text, body.plain.raw), '(discuss.{0,15}purchas(e|ing))') @@ -50,10 +50,13 @@ source: | body.html.display_text, body.plain.raw)).tags,.name == "purchase_order" and .confidence == "high") ) ) -tags: - - "Suspicious sender" - - "Fraud" - - "RFQ" - - "RFP" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Evasion" + - "Free email provider" +detection_methods: + - "Content analysis" - "Natural Language Understanding" + - "URL analysis" id: "2ac0d329-c1fb-5c87-98dd-ea3e5b85377a" diff --git a/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml b/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml index 35d02c72e37..c150bd7e286 100644 --- a/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml +++ b/detection-rules/suspicious_sharepoint_file_share_undisclosed_recipients.yml @@ -6,13 +6,19 @@ type: "rule" severity: "medium" source: | type.inbound - + // Suspicious recipient pattern and any(recipients.to, .display_name == "Undisclosed recipients") and strings.contains(body.html.display_text, "shared a file with you") and strings.icontains(subject.subject, "shared") and any(body.links, .href_url.domain.root_domain == "sharepoint.com") -tags: - - "Suspicious headers" - - "Suspicious Link" +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" + - "Header analysis" + - "URL analysis" id: "998a0826-e917-5a8f-9e15-0f1ded21bf91" diff --git a/detection-rules/suspicious_shipping_notification.yml b/detection-rules/suspicious_shipping_notification.yml index 7791cb14d75..3d1f34b6141 100644 --- a/detection-rules/suspicious_shipping_notification.yml 
+++ b/detection-rules/suspicious_shipping_notification.yml @@ -7,20 +7,25 @@ source: | type.inbound // contains at least 1 link and length(body.links) > 0 - + and 3 of ( strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*(1)*"), strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*waiting for delivery*"), strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*delivery missed*"), strings.ilike(coalesce(body.html.display_text, body.plain.raw), "*tracking number*") ) - + // urgent/time-sensitive language and any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .name == "urgency") - + // email is not personalized with recipients name and any(recipients.to, any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .text == ..email.local_part)) -tags: +attack_types: + - "Credential Phishing" + - "Spam" +tactics_and_techniques: + - "Evasion" +detection_methods: + - "Content analysis" - "Natural Language Understanding" - - "Suspicious body" id: "67748b0a-ac4c-525c-8393-7ed7b1b51f29" diff --git a/detection-rules/uri_handler_search_ms.yml b/detection-rules/uri_handler_search_ms.yml new file mode 100644 index 00000000000..3743df9390d --- /dev/null +++ b/detection-rules/uri_handler_search_ms.yml 
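Review bot: The comment `// email is not personalized with recipients name` contradicts the condition under it, which requires that some NLU entity text equal the recipient's `..email.local_part` — i.e. that the message *is* personalized — so as written the rule only fires on personalized mail. If the comment is the intent, the condition should be negated, `and not any(recipients.to, any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).entities, .text == ..email.local_part))`; if the condition is the intent, fix the comment. These lines are unchanged context, but the hunk re-indents around them and the `source:` block begins above the hunk, so this is the natural place to resolve it.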
@@ -0,0 +1,27 @@
+name: "URI protocol handler: search-ms"
+description: |
+ Detects HTML attachments using the search-ms URI protocol handler,
+ a technique observed ITW to deliver malicious payloads.
+
+ This rule can be updated to analyze links in PDF attachments and message bodies
+references:
+ - "https://twitter.com/blackorbird/status/1684505999301029888?s=20"
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments, .file_type == "html"
+ and any(file.explode(.),
+ any(.scan.strings.strings,
+ regex.contains(., 'search-ms:query.*location:\\\\')
+ )
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+id: "ee27d9c0-2d7e-5f6d-85be-73f3bf5b7cb1"
diff --git a/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml b/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
index 99588db10e5..f5f22f7b46a 100644
--- a/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
+++ b/detection-rules/urlhaus_malicious_dom_in_body_or_pdf.yml
@@ -45,8 +45,14 @@ source: |
 )
 )
 tags:
- - "Suspicious links"
- - "Suspicious attachments"
- - "URLhaus"
- - "Abusech"
+ - "Abusech: URLhaus"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Threat intelligence"
+ - "URL analysis"
 id: "cfca2986-0daa-582c-a379-fb0a31329847"
diff --git a/detection-rules/vip_impersonation_attack_surface_reduction.yml b/detection-rules/vip_impersonation_attack_surface_reduction.yml
index 56290b850b9..7b1babdc6ee 100644
--- a/detection-rules/vip_impersonation_attack_surface_reduction.yml
+++ b/detection-rules/vip_impersonation_attack_surface_reduction.yml
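Review bot: `regex.contains(., 'search-ms:query.*location:\\\\')` is case-sensitive (this repository reaches for `regex.icontains` elsewhere in the same diff when case should not matter), so an attachment writing `Search-MS:Query=...Location:\\` or any other casing of the scheme walks past a `high`-severity rule; switch to `regex.icontains`. The pattern also pins `query` as the first parameter after the scheme; if samples with other parameters first are expected, `'search-ms:.*location:\\\\'` is the less brittle form. `.file_type == "html"` depends on the attachment's detected type rather than its extension, which is good, but a comment stating that, plus the "can be updated to analyze PDF attachments and message bodies" sentence in the description, reads as a TODO — consider moving it into a `//` comment in `source` where the follow-up belongs.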
@@ -1,52 +1,57 @@ name: "VIP / Executive impersonation (first-time sender, unsolicited)" description: | - Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before. + Sender display name matches the display name of a user in the $org_vips list, and the sender has never been seen before. - The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. - Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list + The $org_vips list must first be manually connected to a VIP group of your upstream provider (Google Workspace and Microsoft 365 only) in order for this rule to work. + Once connected, the list will be automatically synced and kept up-to-date. For more information, see the $org_vips documentation: https://docs.sublimesecurity.com/docs/configure-org_vips-list - This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender. + This rule is recommended to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any* message that matches the protected list of display names from a first-time or unsolicited sender. - Additional rule logic can be added to look for suspicious subjects, suspicious links, etc. + Additional rule logic can be added to look for suspicious subjects, suspicious links, etc. 
type: "rule" severity: "high" -source: | - type.inbound +source: | + type.inbound - and any($org_vips, .display_name == sender.display_name) + and any($org_vips, .display_name == sender.display_name) - and ( - // ignore personal <> work emails - // where the sender and mailbox's display name are the same - length(recipients.to) > 1 or length(recipients.cc) > 1 - or sender.display_name != mailbox.display_name - ) + and ( + // ignore personal <> work emails + // where the sender and mailbox's display name are the same + length(recipients.to) > 1 or length(recipients.cc) > 1 + or sender.display_name != mailbox.display_name + ) - // first-time sender - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $sender_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $sender_domains - ) - ) + // first-time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) - // unsolicited - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) - ) + // unsolicited + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $recipient_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $recipient_domains + ) + ) tags: - - "VIP impersonation" - - "Executive impersonation" - "Attack surface reduction" +attack_types: + - "BEC/Fraud" +tactics_and_techniques: + - "Impersonation: VIP" +detection_methods: + - "Header analysis" + - "Sender analysis" id: 
"e42c84b7-9d50-5870-9a5d-311670a14bc1" diff --git a/insights/content/tracking_pixel.yml b/insights/content/tracking_pixel.yml new file mode 100644 index 00000000000..bf77570e07c --- /dev/null +++ b/insights/content/tracking_pixel.yml @@ -0,0 +1,16 @@ +name: "Tracking pixel in HTML body" +type: "query" +source: | + ( + // standard html + regex.contains(body.html.raw, + ']*?width="1(px)?"[^>]*?height="1(px)?"[^>]*?style="[^"]*(visibility:hidden|display:none)[^"]*"[^>]*?>' + ) + // handle quoted printable variants + or regex.contains(body.html.raw, + '' + ) + ) +severity: "low" +tags: + - "Tracking pixel" diff --git a/signals/attachment_count.yml b/signals/attachments/attachment_count.yml similarity index 100% rename from signals/attachment_count.yml rename to signals/attachments/attachment_count.yml diff --git a/signals/attachment_filesizes.yml b/signals/attachments/attachment_filesizes.yml similarity index 100% rename from signals/attachment_filesizes.yml rename to signals/attachments/attachment_filesizes.yml diff --git a/signals/content/body_tracking_pixel.yml b/signals/content/body_tracking_pixel.yml new file mode 100644 index 00000000000..63ea71b5eef --- /dev/null +++ b/signals/content/body_tracking_pixel.yml @@ -0,0 +1,13 @@ +name: "Tracking pixel in HTML body" +type: "query" +source: | + ( + // standard html + regex.contains(body.html.raw, + ']*?width="1(px)?"[^>]*?height="1(px)?"[^>]*?style="[^"]*(visibility:hidden|display:none)[^"]*"[^>]*?>' + ) + // handle quoted printable variants + or regex.contains(body.html.raw, + '' + ) + ) diff --git a/signals/headers/headers_fake_thread.yml b/signals/headers/headers_fake_thread.yml new file mode 100644 index 00000000000..4573126026c --- /dev/null +++ b/signals/headers/headers_fake_thread.yml 
@@ -0,0 +1,9 @@
+name: "Fake message thread"
+type: "query"
+source: |
+ type.inbound
+ and strings.istarts_with(subject.subject, "RE:")
+ and (
+ length(headers.references) == 0
+ or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
+ )
diff --git a/signals/headers/headers_gmail_autoforward.yml b/signals/headers/headers_gmail_autoforward.yml
new file mode 100644
index 00000000000..b8e4abf63ba
--- /dev/null
+++ b/signals/headers/headers_gmail_autoforward.yml
@@ -0,0 +1,7 @@
+name: "Gmail Auto-Forward"
+type: "query"
+source: |
+ any([headers.return_path.email],
+ strings.ilike(headers.return_path.local_part, "*+caf_=*") and type.inbound
+ )
+
diff --git a/signals/headers/headers_microsoft_scl.yml b/signals/headers/headers_microsoft_scl.yml
new file mode 100644
index 00000000000..6f501f14a24
--- /dev/null
+++ b/signals/headers/headers_microsoft_scl.yml
@@ -0,0 +1,8 @@
+name: "Microsoft SCL"
+type: "query"
+source: |
+ filter(
+ map(headers.hops,
+ map(filter(.fields, .name =~ "X-ms-exchange-organization-scl"), .value)
+ ), length(.) > 0
+ )
diff --git a/signals/headers/headers_mismatched_from_reply_to.yml b/signals/headers/headers_mismatched_from_reply_to.yml
new file mode 100644
index 00000000000..b6c05c0dace
--- /dev/null
+++ b/signals/headers/headers_mismatched_from_reply_to.yml
@@ -0,0 +1,7 @@
+name: "Mismatched From and Reply-to Doms"
+type: "query"
+source: |
+ any(headers.reply_to,
+ length(headers.reply_to) > 0
+ and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)
+ )
diff --git a/signals/headers/headers_mismatched_from_return_path.yml b/signals/headers/headers_mismatched_from_return_path.yml
new file mode 100644
index 00000000000..4557ab04dad
--- /dev/null
+++ b/signals/headers/headers_mismatched_from_return_path.yml
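Review bot: `strings.istarts_with(subject.subject, "RE:")` only recognises the English reply prefix, so replies in other locales (`AW:`, `SV:`, `RES:`, and similar) never enter this signal and it silently narrows to English tenants; an `or` over the common prefixes, or a single regex on the subject, would close that gap. The In-Reply-To test walks `.fields` of each entry in `headers.hops`, which only finds the header if the platform exposes top-level message headers under hops — worth confirming, because if it does not, `not any(...)` is always true and the signal degenerates to "subject starts with RE: and References is empty". A one-line comment stating the intent, e.g. `// a genuine reply carries References and/or In-Reply-To`, would make the condition easier to maintain.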
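Review bot: In the Gmail auto-forward hunk, `any([headers.return_path.email], ...)` wraps a single scalar in a one-element list to evaluate a body that never uses `.`, so the source reduces to `strings.ilike(headers.return_path.local_part, "*+caf_=*") and type.inbound`; if the wrapper is deliberate (for example to short-circuit on a null `return_path`), a comment saying so is needed, because as written it reads as an accident. The same construct appears in headers_mismatched_from_return_path.yml in this change. The `+caf_=` local-part convention is not obvious to a reader, so a comment along the lines of `// Gmail rewrites the envelope sender to <user>+caf_=... when auto-forwarding` would help, and the trailing empty added line (the seventh `+` line) is the kind of thing yamllint flags.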
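Review bot: The Microsoft SCL hunk returns raw header values with no explanation of what they mean or who sets them; a comment such as `// X-MS-Exchange-Organization-SCL: spam confidence level stamped by the org's own Exchange/EOP (-1 = bypassed, 0-9 = increasing spam likelihood)` would tell a rule author how to interpret the value and that it is only meaningful when stamped internally. The nested `map`/`filter` yields one list per hop, so the result is a list of lists that consumers have to flatten — worth noting in the same comment. The comparison relies on `=~` being a case-insensitive match, which appears to be the case here but is not stated anywhere in the file.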
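Review bot: In the reply-to hunk, the `length(headers.reply_to) > 0` test inside `any(headers.reply_to, ...)` is redundant — `any` over an empty list already yields false under the usual semantics — and the outer `any` never uses `.`, so the source reduces to `length(headers.reply_to) > 0 and all(headers.reply_to, .email.domain.root_domain != sender.email.domain.root_domain)`. The name `"Mismatched From and Reply-to Doms"` abbreviates "domains" while the sibling file spells out `"Mismatched From and Return-Path"`; `"Mismatched From and Reply-To Domains"` keeps the signal list self-explanatory.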
@@ -0,0 +1,8 @@
+name: "Mismatched From and Return-Path"
+type: "query"
+source: |
+ any([headers.return_path.email],
+ (headers.return_path.email is not null
+ and headers.return_path.email != sender.email.email
+ and type.inbound)
+ )
diff --git a/signals/headers/headers_phishing_simulation_cofense.yml b/signals/headers/headers_phishing_simulation_cofense.yml
new file mode 100644
index 00000000000..1a6427e8350
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_cofense.yml
@@ -0,0 +1,16 @@
+name: "Cofense PhishMe phishing simulation"
+type: "query"
+source: |
+ any(headers.ips, .ip in (
+ "13.113.166.58",
+ "35.182.57.68",
+ "52.1.96.230",
+ "52.20.128.29",
+ "52.20.155.14",
+ "52.28.182.143",
+ "52.28.252.18",
+ "52.29.24.224",
+ "52.29.5.79",
+ "52.5.119.169",
+ "52.62.59.61",
+ ))
diff --git a/signals/headers/headers_phishing_simulation_hoxhunt.yml b/signals/headers/headers_phishing_simulation_hoxhunt.yml
new file mode 100644
index 00000000000..97463d5042a
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_hoxhunt.yml
@@ -0,0 +1,4 @@
+name: "HoxHunt phishing simulation"
+type: "query"
+source: |
+ any(headers.hops, strings.ends_with(.signature.domain, ".hoxhuntsigning.com"))
diff --git a/signals/headers/headers_phishing_simulation_knowbe4.yml b/signals/headers/headers_phishing_simulation_knowbe4.yml
new file mode 100644
index 00000000000..9fc45b7a381
--- /dev/null
+++ b/signals/headers/headers_phishing_simulation_knowbe4.yml
@@ -0,0 +1,4 @@
+name: "KnowBe4 phishing simulation"
+type: "query"
+source: |
+ any(headers.ips, regex.match(.ip, '147\.10\.167\.([0-9]|[0-5][0-9]|6[0-3])', '23.21.109.(197|212)', '52.49.(201.246|235.189)'))
diff --git a/signals/headers/headers_undisclosed_recipients.yml b/signals/headers/headers_undisclosed_recipients.yml
new file mode 100644
index 00000000000..0f2e86ad8f3
--- /dev/null
+++ b/signals/headers/headers_undisclosed_recipients.yml
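Review bot: This signal compares the full Return-Path address with the From address, whereas the sibling reply-to signal in the same change compares root domains; an exact-address comparison fires on every VERP or bounce-tracking envelope sender (a `bounces+<id>@` address under the sender's own domain) that bulk mailers use legitimately. Either state in a comment that this noise is intended, or compare at the root-domain level (presumably `headers.return_path.domain.root_domain != sender.email.domain.root_domain`, by analogy with the `.local_part` accessor used in the Gmail auto-forward hunk — confirm the field name). The `any([scalar], ...)` wrapper has the same issue raised on the Gmail auto-forward hunk.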
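Review bot: In the Cofense hunk the IP list ends with a trailing comma before `))`, which the query language may or may not accept inside an `in (...)` literal, so this signal deserves a validation run before merge. Hard-coded vendor addresses drift, and nothing records where these came from; a comment such as `// source: <vendor sender-IP documentation>, verified <date>` lets the next person refresh the list confidently. Because `headers.ips` spans every hop, an address from this list can also appear in a Received header that was added before the message reached the organisation's MTA, so the signal should be treated as evidence of a simulation rather than used on its own to suppress other detections.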
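Review bot: The three patterns passed to `regex.match` in the KnowBe4 hunk escape dots inconsistently — the first uses `\.` while `'23.21.109.(197|212)'` and `'52.49.(201.246|235.189)'` leave them as wildcards — so either escape them all (`'23\.21\.109\.(197|212)', '52\.49\.(201\.246|235\.189)'`) or express each block as the address range it represents, if the platform supports that. Whether `regex.match` anchors the whole string matters for the first pattern: as a substring match, `147\.10\.167\.([0-9]|...)` also accepts `147.10.167.100` through `.199`, so confirm the semantics or terminate the alternation with `$`. It is also worth confirming that passing several patterns to `regex.match` means "any of them", since that is what the signal relies on.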
@@ -0,0 +1,6 @@
+name: "Undisclosed Recipients"
+type: "query"
+source: |
+ any([recipients.to, recipients.bcc, recipients.cc],
+ any(., .display_name =~ "Undisclosed recipients:")
+ )
diff --git a/signals/headers/headers_x_originating_ip.yml b/signals/headers/headers_x_originating_ip.yml
new file mode 100644
index 00000000000..07ee4ec53a1
--- /dev/null
+++ b/signals/headers/headers_x_originating_ip.yml
@@ -0,0 +1,4 @@
+name: "X-Originating-IP"
+type: "query"
+source: |
+ headers.x_originating_ip.ip
diff --git a/signals/links/link_google_open_redirect.yml b/signals/links/link_google_open_redirect.yml
index 2e6a6d2e877..5d5aa0ac8e5 100644
--- a/signals/links/link_google_open_redirect.yml
+++ b/signals/links/link_google_open_redirect.yml
@@ -2,4 +2,4 @@ name: "Link: Google Open Redirect"
 type: "query"
 source: |
 length(filter(body.links,
- regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?q=https?://.+")))
+ regex.icontains(.href_url.url, "https?://(www.)?google.[a-zA-Z]{2,}/url\\?(hl=.{2})?&q=http(s)?://")))
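Review bot: `.display_name =~ "Undisclosed recipients:"` in the undisclosed-recipients hunk matches one exact spelling, but the header is commonly written in the group form `undisclosed-recipients:;` (hyphenated, lowercase) and may be parsed with or without the trailing colon, so a wildcard comparison such as `strings.ilike(.display_name, "undisclosed*recipients*")` is more robust. The list-of-lists `any([recipients.to, recipients.bcc, recipients.cc], any(., ...))` is correct but unusual enough to deserve a one-line comment, e.g. `// check every recipient header for the undisclosed-recipients placeholder`.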
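Review bot: The X-Originating-IP hunk's source is the bare value `headers.x_originating_ip.ip`, which returns an address rather than a boolean, and nothing says what the signal is for or how trustworthy the value is; a comment such as `// X-Originating-IP is set by the submitting client/webmail and is not authenticated; use for pivoting, not as a trust signal` would keep rules from keying decisions on a sender-controlled header. If presence is all that is intended, `headers.x_originating_ip.ip is not null` makes that explicit, matching the `is not null` form used in the return-path hunk of this change.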
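Review bot: The new pattern in link_google_open_redirect.yml requires a literal `&` before `q=`, so the bare `/url?q=https://...` form the old pattern matched no longer does; the ampersand belongs inside the optional group, and `.{2}` is narrower than real `hl` values such as `pt-BR`, so `/url\\?(hl=[^&]*&)?q=https?://` restores the old case while keeping the new one. The dots in `(www.)?google.` remain unescaped and match any character, which is harmless for detection but worth tightening to `(www\\.)?google\\.` while this line is being touched.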