diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
new file mode 100644
index 00000000000..da3da87d685
--- /dev/null
+++ b/detection-rules/attachment_pdf_link_to_dmg.yml
@@ -0,0 +1,68 @@
+name: "Attachment: PDF with link to DMG file download"
+description: |
+ This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
+references:
+ - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
+ - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
+ - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/​"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_type == "pdf"
+ and any(file.explode(.),
+ any(.scan.url.urls,
+
+ // url links to dmg or zip
+ (
+ strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
+ )
+
+ // and downloads a dmg or a zip
+ and any(beta.linkanalysis(.).files_downloaded,
+ (
+ .file_extension == "dmg"
+ or (
+ .file_extension in~ $file_extensions_common_archives
+
+ // and the zip contains a dmg file
+ and any(file.explode(.),
+ (.file_extension =~ "dmg")
+
+ // exif inspection if encrypted
+ or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
+ )
+ )
+ )
+ )
+ )
+ )
+ )
+
+
+ // first time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+tags:
+ - "Malfam: MetaStealer"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "URL analysis"
+
+id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 0070ab55275..a3c4eb0f132 100644
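Review bot: The archive test on the new rule's `strings.iends_with(.url, "zip")` line is missing the leading dot that the `".dmg"` test beside it has, so it matches any URL whose path merely ends in the letters "zip" (a path ending in `/gzip` or `/unzip`, for instance); `strings.iends_with(.url, ".zip")` is the intended check. Case handling is also mixed inside the same predicate: `.file_extension == "dmg"` is exact while `.file_extension =~ "dmg"` and `in~` are case-insensitive, and the encrypted-archive branch uses `strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")` rather than the `i`-prefixed variant used everywhere else in the rule, so an upper-cased `.DMG` name inside an encrypted ZIP is not caught there. The third reference URL (the sentinelone link) carries an invisible zero-width character before its closing quote, which breaks the link; remove it.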
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -25,9 +25,15 @@ source: |
 and sender.email.domain.root_domain in $free_email_providers
 )
 )
+ // negate listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in~ (
 'amazon.com',
 'amazon.com.au',
+ 'amazon.com.be',
 'amazon.co.uk',
 'amazon.de',
 'amazon.es',
diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..8b3b3e79a5f 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
 or strings.ilike(sender.email.email, '*github*')
 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
 )
+ // negating listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in (
 'github.com',
 'gitlab.com',
diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index e903b05d922..19f7c44aa24 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
@@ -36,8 +36,13 @@ source: |
 'Microsoft Azure'
 )
 )
- and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')
-
+ and sender.email.domain.root_domain not in~ (
+ 'microsoft.com',
+ 'microsoftsupport.com',
+ 'office.com',
+ 'teams-events.com'
+ )
+
 // first-time sender
 and (
 (
@@ -49,6 +54,7 @@ source: |
 and sender.email.domain.domain not in $sender_domains
 )
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index e22d70de6cf..513a75b1ec3 100644
--- a/detection-rules/impersonation_venmo.yml
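Review bot: The listserv exclusion added ahead of the `not in~` domain list in impersonation_amazon.yml, `strings.contains(sender.display_name, "via")`, is a case-sensitive bare substring test, so a display name such as "Olivia" or "Xavier" together with a `List-Unsubscribe` header (a header the sending side chooses to include) exempts the message from the whole impersonation check; the identical condition is added in the impersonation_github.yml hunk. A delimited, case-insensitive test such as `strings.icontains(sender.display_name, " via ")` narrows the exemption, and the existing comment in the impersonation_venmo.yml hunk on this page describes the safer shape of pairing the "via" check with a DMARC pass for the brand's own domain before excluding. The enclosing `source` expression continues outside both hunks.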
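Review bot: `'teams-events.com'` is added to the root-domain exclusion in the first impersonation_microsoft.yml hunk as a bare domain match, so any message whose From root domain is teams-events.com is exempt from the rule whether or not it authenticates as that domain; the `'venmo-experience.com'` addition in the impersonation_venmo.yml hunk has the same shape. If the rest of `source` (outside the hunk) does not already require sender authentication, adding an authentication condition alongside the exclusion would keep a spoofed From address at these domains from being exempted. Now that the list spans several lines, a one-line comment recording the ownership evidence for each non-brand domain, e.g. `// non-brand domains confirmed as Microsoft-operated senders`, would help the next reviewer judge future additions.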
+++ b/detection-rules/impersonation_venmo.yml
@@ -12,7 +12,7 @@ source: |
 or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
 or strings.ilike(sender.email.domain.domain, '*venmo*')
 )
- and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com')
+ and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com')
 and sender.email.email not in $recipient_emails
 // and not if the sender.display.name contains "via" and dmarc pass from venmo.com
diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 9a305f9ede5..c564026ff9a 100644
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -279,7 +279,8 @@ source: |
 // this is common in link tracking, both for
 // benign marketing traffic but also attackers
 any(recipients.to,
- strings.icontains(..href_url.url, .email.local_part)
+ .email.domain.valid
+ and strings.icontains(..href_url.url, .email.local_part)
 and strings.icontains(..href_url.url, .email.domain.domain)
 )
 )
@@ -290,12 +291,12 @@ source: |
 and (
 // freemail providers should never be sending this type of email
 sender.email.domain.domain in $free_email_providers
-
+
 // if not freemail, it's suspicious if the sender's root domain
 // doesn't match any links in the body
 or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
 )
-
+
 // first-time sender
 and (
 (
diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 9b000eade0c..cdae99e81c3 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
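Review bot: The new `.email.domain.valid` guard in the `any(recipients.to, ...)` block of link_credential_phishing_intent_and_other_indicators.yml validates the recipient's domain, but the `strings.icontains(..href_url.url, .email.local_part)` test beside it still accepts any local part, so a short one such as `info` or a single letter is found in most URLs and the "recipient in the URL" indicator fires trivially. Since `length()` already appears in this ruleset (the commented-out `length(attachments)` in the link_qr_code_suspicious_language_fts.yml hunk), a floor such as `and length(.email.local_part) > 3` (threshold to be tuned) would tighten the match. The enclosing expression that supplies `..href_url` starts before the hunk.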
@@ -7,19 +7,22 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-
+
 // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
+ // and length(attachments) < 10
 and any(attachments,
- .file_type in $file_types_images
+ (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
 .scan.qr.type == "url"
-
+
 // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
- and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+ and any(recipients.to,
+ strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
+ )
 and .scan.qr.url.domain.root_domain not in $org_domains
 )
 )
-
+
 // NLU has identified cred_theft language with high confidence
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -40,7 +43,7 @@ source: |
 )
 )
 )
-
+
 // first-time sender
 and (
 (
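Review bot: The comment kept above the changed `any(attachments, ...)` line, `// check image attachments for QR code, will want to add message.screenshot functionality here when it's ready`, is now stale because the hunk extends the check to `.file_type == "pdf"`, and the newly added commented-out `// and length(attachments) < 10` reads as dead code with no reason recorded. Update the first comment to something like `// check image and PDF attachments for QR codes` and either enable the attachment-count bound or drop it, leaving a short note on why (presumably the cost of exploding every attachment — to confirm). The `.email.domain.valid` guard is placed after the `strings.icontains(...)` test here, whereas the link_credential_phishing_intent_and_other_indicators.yml hunk puts it first; one ordering across the two rules reads more consistently. The enclosing `source` expression continues past this hunk.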