Skip to content

Commit

Permalink
Merge branch 'main' into sam.html.javascript
Browse files Browse the repository at this point in the history
  • Loading branch information
@morriscode
morriscode authored Sep 22, 2023
2 parents e93a91a + 0fe0450 commit ff2b356
Show file tree
Hide file tree
Showing 3 changed files with 105 additions and 1 deletion.
49 changes: 49 additions & 0 deletions detection-rules/attachment_html_smuggling_body_onload.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: "Attachment: HTML smuggling 'body onload' linking to suspicious destination"
description: |
Potential HTML Smuggling.
This rule inspects HTML attachments that contain a single link and leveraging an HTML body onload event. The linked domain must be in the URLhaus trusted repoters list, or have a suspicious TLD.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
not length(.scan.url.invalid_urls) > 0
and length(.scan.url.urls) == 1
and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
and (
any(.scan.url.urls,
.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
// To-do uncomment below when list is created
//or .domain.root_domain in $suspicious_root_domains
or .domain.tld in $suspicious_tlds
)
)
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "HTML smuggling"
- "Scripting"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "HTML analysis"
- "Link analysis"
id: "c1e2beed-e71e-58d2-b922-9601337645b2"
39 changes: 39 additions & 0 deletions detection-rules/attachment_html_smuggling_decimal_encoding.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: "Attachment: HTML smuggling with decimal encoding"
description: |
Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
// suspicious identifiers
any(.scan.strings.strings,
regex.contains(., '(\d{2,3},){60,}')
)
)
)
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "HTML smuggling"
- "Scripting"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "HTML analysis"
id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"
18 changes: 17 additions & 1 deletion detection-rules/body_business_email_compromise_unsolicited.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,22 @@ source: |
)
),
)
// negate "via" senders via dmarc authentication or gmail autoforwards
and (
not (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "pass")
or (
not any([headers.return_path.email],
strings.ilike(headers.return_path.local_part, "*+caf_=*")
)
and strings.contains(sender.display_name, "via")
)
)
)
)
// unsolicited
and (
(
Expand All @@ -39,6 +54,7 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
attack_types:
- "BEC/Fraud"
tactics_and_techniques:
Expand Down

0 comments on commit ff2b356

Please sign in to comment.