From f669bd4641bcfcfbe86e953ff0cb324183685ce2 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 27 Dec 2024 12:52:54 -0600
Subject: [PATCH] Create link_hidden_dir.yml

---
 detection-rules/link_hidden_dir.yml | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 detection-rules/link_hidden_dir.yml

diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
new file mode 100644
index 00000000000..e54205c5884
--- /dev/null
+++ b/detection-rules/link_hidden_dir.yml
@@ -0,0 +1,34 @@
+name: "Link: Common Hidden Directory Observed"
+description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.links) < 10
+  and any(body.links,
+    (
+      strings.icontains(.href_url.path, "/.well-known/")
+      and not strings.icontains(.href_url.path, '/.well-known/security.txt')
+    )
+    or strings.icontains(.href_url.path, "/.js/")
+    or strings.icontains(.href_url.path, "/.env/")
+    or strings.icontains(.href_url.path, "/.git/")
+    or strings.icontains(.href_url.path, "/.svn/")
+    or strings.icontains(.href_url.path, "/.hg/")
+    or strings.icontains(.href_url.path, "/.DS_Store/")
+    or strings.icontains(.href_url.path, "/.htpasswd/")
+    or strings.icontains(.href_url.path, "/.htaccess/")
+    or strings.icontains(.href_url.path, "/.bash_history/")
+    or strings.icontains(.href_url.path, "/.bashrc/")
+    or strings.icontains(.href_url.path, "/.zshrc/")
+    or strings.icontains(.href_url.path, "/.profile/")
+  )
+tags:
+  - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "URL analysis"
+  - "HTML analysis"
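Review bot: Most of the entries after the `.well-known` branch name files rather than directories (`.env`, `.htpasswd`, `.htaccess`, `.bash_history`, `.bashrc`, `.zshrc`, `.profile`, `.DS_Store`), yet every pattern requires a trailing slash, so a link whose path ends in `/.env` or `/.htaccess` never matches and those branches are effectively dead. Anchoring on the path boundary instead of a literal trailing slash covers both forms, e.g. collapsing the `or strings.icontains(...)` chain into `or regex.icontains(.href_url.path, '/\.(js|env|git|svn|hg|DS_Store|htpasswd|htaccess|bash_history|bashrc|zshrc|profile)(/|$)')` (assuming `regex.icontains` is available to this rule language). Separately, `/.well-known/` is a standards-defined location that legitimate mail links to routinely (ACME challenges, OpenID discovery, app-link and change-password endpoints), so excluding only `security.txt` is likely to produce false positives; consider narrowing that branch or extending the exclusion to the other common well-known names. The description also calls `.well-known` a "sensitive system directory", which overstates it; `"publicly served dot-directories such as .git, .env or .well-known"` would describe the match set more accurately.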