From 273049d5c6178722cb1dbffa361652f83dc66455 Mon Sep 17 00:00:00 2001
From: Josh Kamdjou
Date: Tue, 12 Sep 2023 18:27:21 -0700
Subject: [PATCH 1/9] Add known Venmo domain (#786)

---
 detection-rules/impersonation_venmo.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_venmo.yml b/detection-rules/impersonation_venmo.yml
index e22d70de6cf..513a75b1ec3 100644
--- a/detection-rules/impersonation_venmo.yml
+++ b/detection-rules/impersonation_venmo.yml
@@ -12,7 +12,7 @@ source: |
 or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
 or strings.ilike(sender.email.domain.domain, '*venmo*')
 )
- and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com')
+ and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com')
 and sender.email.email not in $recipient_emails
 // and not if the sender.display.name contains "via" and dmarc pass from venmo.com

From 1ba9c2c30a20978b4a2cd49c707dfc0b9a83aa98 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 12 Sep 2023 21:32:53 -0400
Subject: [PATCH 2/9] New Rule: Attachment PDF with link to dmg file download (#785)

Co-authored-by: ID Generator
Co-authored-by: Josh Kamdjou
---
 .../attachment_pdf_link_to_dmg.yml | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 detection-rules/attachment_pdf_link_to_dmg.yml

diff --git a/detection-rules/attachment_pdf_link_to_dmg.yml b/detection-rules/attachment_pdf_link_to_dmg.yml
new file mode 100644
index 00000000000..da3da87d685
--- /dev/null
+++ b/detection-rules/attachment_pdf_link_to_dmg.yml
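Review bot: The new `'venmo-experience.com'` entry widens a root-domain exemption that, as far as this hunk shows, is not tied to any authentication result, so a message whose From header merely claims that root domain is exempted from the rule; the commented-out line at the end of the hunk (`// and not if the sender.display.name contains "via" and dmarc pass from venmo.com`) records the intended condition but leaves it disabled. Consider either enabling a DMARC-pass requirement on the exemption or adding a short comment stating why it is domain-only, e.g. `// exempt known Venmo root domains; TODO(review): tie to DMARC pass`. The same domain-only exemption is extended in PATCH 4/9 (`'teams-events.com'`) and PATCH 8/9 (`'amazon.com.be'`). The enclosing `source` expression starts and ends outside the hunk.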
@@ -0,0 +1,68 @@
+name: "Attachment: PDF with link to DMG file download"
+description: |
+ This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
+references:
+ - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
+ - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
+ - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/​"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_type == "pdf"
+ and any(file.explode(.),
+ any(.scan.url.urls,
+
+ // url links to dmg or zip
+ (
+ strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
+ )
+
+ // and downloads a dmg or a zip
+ and any(beta.linkanalysis(.).files_downloaded,
+ (
+ .file_extension == "dmg"
+ or (
+ .file_extension in~ $file_extensions_common_archives
+
+ // and the zip contains a dmg file
+ and any(file.explode(.),
+ (.file_extension =~ "dmg")
+
+ // exif inspection if encrypted
+ or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
+ )
+ )
+ )
+ )
+ )
+ )
+ )
+
+
+ // first time sender
+ and (
+ (
+ sender.email.domain.root_domain in $free_email_providers
+ and sender.email.email not in $sender_emails
+ )
+ or (
+ sender.email.domain.root_domain not in $free_email_providers
+ and sender.email.domain.domain not in $sender_domains
+ )
+ )
+tags:
+ - "Malfam: MetaStealer"
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "URL analysis"
+
+id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"

From d970f3620a4aa54856d7c75d6504dd4631bb31de Mon Sep 17 00:00:00 2001
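Review bot: The URL suffix test on the first gate is asymmetric: `strings.iends_with(.url, ".dmg")` requires the dot but `strings.iends_with(.url, "zip")` does not, so any URL ending in the letters `zip` passes it; `strings.iends_with(.url, ".zip")` matches the intent stated in the `// url links to dmg or zip` comment. The extension checks inside `files_downloaded` also mix case-sensitive and case-insensitive forms (`.file_extension == "dmg"` and `strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")` versus `.file_extension =~ "dmg"`), which looks unintentional; using the `=~`/`iends_with` forms throughout would treat a `.DMG` name the same at every level. The third `references` entry has a zero-width character before its closing quote, after `targeted-attacks/`, which will break the link. A comment noting that the suffix test deliberately ignores URLs with a query string or trailing path after the filename would also help, if that is intended.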
From: Sam Scholten
Date: Wed, 13 Sep 2023 17:55:07 -0400
Subject: [PATCH 3/9] FP Tune: link_qr_code_suspicious_language_fts.yml (#788)

---
 .../link_qr_code_suspicious_language_fts.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 9b000eade0c..70a5f553c6b 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -7,19 +7,22 @@ type: "rule"
 severity: "medium"
 source: |
 type.inbound
-
+ // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
+ // and length(attachments) < 10
 and any(attachments,
 .file_type in $file_types_images
 and any(file.explode(.),
 .scan.qr.type == "url"
-
+ // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
- and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+ and any(recipients.to,
+ strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
+ )
 and .scan.qr.url.domain.root_domain not in $org_domains
 )
 )
-
+ // NLU has identified cred_theft language with high confidence
 and (
 any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -40,7 +43,7 @@ source: |
 )
 )
 )
-
+ // first-time sender
 and (
 (

From dec1558b31f56ad4052ae1143dea5444778eaa07 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 13 Sep 2023 17:55:55 -0400
Subject: [PATCH 4/9] FP Tune: Update impersonation_microsoft.yml (#789)

---
 detection-rules/impersonation_microsoft.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/detection-rules/impersonation_microsoft.yml b/detection-rules/impersonation_microsoft.yml
index e903b05d922..19f7c44aa24 100644
--- a/detection-rules/impersonation_microsoft.yml
+++ b/detection-rules/impersonation_microsoft.yml
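Review bot: The added line `// and length(attachments) < 10` leaves a disabled condition in the rule body with no note on why it is off or when it should be re-enabled, so the next reader cannot tell whether it is a performance guard, a false-positive trade-off, or dead text. Either drop it or extend the comment, e.g. `// and length(attachments) < 10  -- disabled, TODO(review): state the reason`. The enclosing `source` expression continues past both hunks.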
@@ -36,8 +36,13 @@ source: |
 'Microsoft Azure'
 )
 )
- and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')
-
+ and sender.email.domain.root_domain not in~ (
+ 'microsoft.com',
+ 'microsoftsupport.com',
+ 'office.com',
+ 'teams-events.com'
+ )
+
 // first-time sender
 and (
 (
@@ -49,6 +54,7 @@ source: |
 and sender.email.domain.domain not in $sender_domains
 )
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:

From fd061d1749a86ea122c045b43ce2627cac0ca29e Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 14 Sep 2023 05:24:17 -0700
Subject: [PATCH 5/9] Updating Rule: link_qr_code_suspicious_language_fts.yml (#792)

---
 detection-rules/link_qr_code_suspicious_language_fts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/link_qr_code_suspicious_language_fts.yml b/detection-rules/link_qr_code_suspicious_language_fts.yml
index 70a5f553c6b..cdae99e81c3 100644
--- a/detection-rules/link_qr_code_suspicious_language_fts.yml
+++ b/detection-rules/link_qr_code_suspicious_language_fts.yml
@@ -11,7 +11,7 @@ source: |
 // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
 // and length(attachments) < 10
 and any(attachments,
- .file_type in $file_types_images
+ (.file_type in $file_types_images or .file_type == "pdf")
 and any(file.explode(.),
 .scan.qr.type == "url"

From 8a98a852b574a04ddf4ae77f03f41dd584e2627f Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 18 Sep 2023 09:34:06 -0400
Subject: [PATCH 6/9] FP fix: Update link_credential_phishing_intent_and_other_indicators.yml (#790)

---
 ...ink_credential_phishing_intent_and_other_indicators.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
index 9a305f9ede5..c564026ff9a 100644
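Review bot: Extending the attachment filter to `(.file_type in $file_types_images or .file_type == "pdf")` in PATCH 5/9 leaves the context comment two lines above it, `// check image attachments for QR code, ...`, describing only images; update it to `// check image and PDF attachments for QR codes, ...` so the comment matches the condition. The enclosing `any(attachments, ...)` continues past the end of the hunk.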
--- a/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
+++ b/detection-rules/link_credential_phishing_intent_and_other_indicators.yml
@@ -279,7 +279,8 @@ source: |
 // this is common in link tracking, both for
 // benign marketing traffic but also attackers
 any(recipients.to,
- strings.icontains(..href_url.url, .email.local_part)
+ .email.domain.valid
+ and strings.icontains(..href_url.url, .email.local_part)
 and strings.icontains(..href_url.url, .email.domain.domain)
 )
 )
@@ -290,12 +291,12 @@ source: |
 and (
 // freemail providers should never be sending this type of email
 sender.email.domain.domain in $free_email_providers
-
+
 // if not freemail, it's suspicious if the sender's root domain
 // doesn't match any links in the body
 or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
 )
-
+
 // first-time sender
 and (
 (

From e116d257a4a5998a208e64c191a51c798f96152d Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:44:26 -0700
Subject: [PATCH 7/9] Updating rule: impersonation_amazon.yml (#795)

---
 detection-rules/impersonation_amazon.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 0070ab55275..9ff86750df6 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -25,6 +25,11 @@ source: |
 and sender.email.domain.root_domain in $free_email_providers
 )
 )
+ // negate listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in~ (
 'amazon.com',
 'amazon.com.au',

From 3bdf87800e0f993e8877a5efad0e43ac612edc56 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:46:36 -0700
Subject: [PATCH 8/9] Updating rule: impersonation_amazon.yml (#794)

---
 detection-rules/impersonation_amazon.yml | 1 +
 1 file changed, 1 insertion(+)
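Review bot: The added `.email.domain.valid` guard does not bound the loosest part of this match, `strings.icontains(..href_url.url, .email.local_part)`: a short local part such as `a` or `info` is contained in almost any URL, so the clause still fires on unrelated links. A length floor next to the new guard, `and length(.email.local_part) > 3`, would limit that (`length()` already appears, commented out, in `link_qr_code_suspicious_language_fts.yml` in this series). The surrounding expression begins before and ends after the hunk, so the polarity of this clause is not visible here.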
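Review bot: The new listserv exclusion in PATCH 7/9 rests on two values set by the message author, the `List-Unsubscribe` header field and the word `via` in `sender.display_name`, so a message carrying both is excluded from an impersonation rule without any corroborating signal; consider pairing it with an authentication result or a known mailing-list root domain before it suppresses a hit. The comparisons are also case-sensitive where the rest of the rule uses `ilike`/`ilevenshtein`: header field names are case-insensitive, and `strings.contains(sender.display_name, "via")` matches any display name containing that substring, `Olivia` for instance. Suggested: `any(headers.hops, any(.fields, .name =~ "List-Unsubscribe"))` and `strings.icontains(sender.display_name, " via ")`. The identical block is added to `impersonation_github.yml` in PATCH 9/9 and has the same issues.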
diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 9ff86750df6..a3c4eb0f132 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -33,6 +33,7 @@ source: |
 and sender.email.domain.root_domain not in~ (
 'amazon.com',
 'amazon.com.au',
+ 'amazon.com.be',
 'amazon.co.uk',
 'amazon.de',
 'amazon.es',

From bf62f17de84c0f7f21def7cf41c4015f552ab5f6 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 18 Sep 2023 08:48:58 -0700
Subject: [PATCH 9/9] Updating rule: impersonation_github.yml (#796)

---
 detection-rules/impersonation_github.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/detection-rules/impersonation_github.yml b/detection-rules/impersonation_github.yml
index 7f60c752bac..8b3b3e79a5f 100644
--- a/detection-rules/impersonation_github.yml
+++ b/detection-rules/impersonation_github.yml
@@ -13,6 +13,11 @@ source: |
 or strings.ilike(sender.email.email, '*github*')
 or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
 )
+ // negating listservs
+ and not (
+ any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+ and strings.contains(sender.display_name, "via")
+ )
 and sender.email.domain.root_domain not in (
 'github.com',
 'gitlab.com',