Create link_hidden_dir.yml

sublime-security · Dec 27, 2024 · f669bd4 · f669bd4
1 parent 1d64485
commit f669bd4
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
@@ -0,0 +1,34 @@
+name: "Link: Common Hidden Directory Observed"
+description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 10
+  and any(body.links,
+          (
+            strings.icontains(.href_url.path, "/.well-known/")
+            and not strings.icontains(.href_url.path, '/.well-known/security.txt')
+          )
+          or strings.icontains(.href_url.path, "/.js/")
+          or strings.icontains(.href_url.path, "/.env/")
+          or strings.icontains(.href_url.path, "/.git/")
+          or strings.icontains(.href_url.path, "/.svn/")
+          or strings.icontains(.href_url.path, "/.hg/")
+          or strings.icontains(.href_url.path, "/.DS_Store/")
+          or strings.icontains(.href_url.path, "/.htpasswd/")
+          or strings.icontains(.href_url.path, "/.htaccess/")
+          or strings.icontains(.href_url.path, "/.bash_history/")
+          or strings.icontains(.href_url.path, "/.bashrc/")
+          or strings.icontains(.href_url.path, "/.zshrc/")
+          or strings.icontains(.href_url.path, "/.profile/")
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "URL analysis"
+  - "HTML analysis"