-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Sender Profiles: Prevalence and Past behavior by @morriscode #815 Source SHA aed114f Triggered by @cameron-dunn-sublime
- Loading branch information
Sublime Rule Testing Bot
committed
Oct 2, 2023
1 parent
80925b7
commit fff7f05
Showing
27 changed files
with
1,043 additions
and
104 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| name: "Attachment: Adobe image lure with suspicious link from first time sender" | ||
| description: "Detects Adobe phishing messages with an Adobe logo attached, with suspicious link language from a first-time sender." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and length(filter(attachments, .file_type not in $file_types_images)) == 0 | ||
| and length(body.links) > 0 | ||
| and all(body.links, .display_text is null) | ||
| and any(attachments, | ||
| any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high")) | ||
| and any(file.explode(.), | ||
| strings.ilike(.scan.ocr.raw, | ||
| "*review*", | ||
| "*sign*", | ||
| "*view*", | ||
| "*completed document*", | ||
| "*open agreement*" | ||
| ) | ||
| ) | ||
| ) | ||
| and ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "Malware/Ransomware" | ||
| tactics_and_techniques: | ||
| - "Image as content" | ||
| - "Impersonation: Brand" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Computer Vision" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| id: "1d7add81-9822-576a-bcae-c4440e75e393" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
33 changes: 33 additions & 0 deletions
33
detection-rules/attachment_any_html_in_archive_unsolicited.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| name: "Attachment: Any HTML file within archive (unsolicited)" | ||
| description: "Recursively scans archives to detect HTML files from unsolicited senders. \n\nHTML files can be used for HTML smuggling and embedded in archives to evade detection.\n" | ||
| references: | ||
| - "https://twitter.com/executemalware/status/1537569201577156611" | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and any(attachments, | ||
| .file_extension in~ $file_extensions_common_archives | ||
| and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm")) | ||
| ) | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| - "Malware/Ransomware" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "HTML smuggling" | ||
| detection_methods: | ||
| - "Archive analysis" | ||
| - "File analysis" | ||
| id: "6a67c02c-d405-531e-850a-1722849c5fe4" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: "Attachment: Any HTML file (first-time sender)" | ||
| description: | | ||
| Potential HTML smuggling attacks from new senders. | ||
| Use if passing HTML files is not normal behavior in your environment. | ||
| This rule may be expanded to inspect HTML attachments for suspicious code. | ||
| references: | ||
| - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript" | ||
| - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd" | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html") | ||
| // first-time sender | ||
| and ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| tactics_and_techniques: | ||
| - "HTML smuggling" | ||
| detection_methods: | ||
| - "HTML analysis" | ||
| - "Sender analysis" | ||
| id: "57a8f5c5-c4c4-5268-b452-e381dc64ea42" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| name: "Attachment: Any HTML file (unsolicited)" | ||
| description: | | ||
| Potential HTML smuggling attacks in unsolicited messages. | ||
| Use if passing HTML files is not normal behavior in your environment. | ||
| This rule may be expanded to inspect HTML attachments for suspicious code. | ||
| references: | ||
| - "https://ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript" | ||
| - "https://sandbox.sublimesecurity.com?id=106315e9-166a-4e0f-946e-88ff6fd5f9fd" | ||
| type: "rule" | ||
| severity: "low" | ||
| source: | | ||
| type.inbound | ||
| and any(attachments, .file_extension in~ ('htm', 'html') or .file_type == "html") | ||
| // unsolicited | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| tactics_and_techniques: | ||
| - "HTML smuggling" | ||
| detection_methods: | ||
| - "File analysis" | ||
| - "HTML analysis" | ||
| - "Sender analysis" | ||
| id: "ef36763f-917d-5338-b1ac-84047334dce8" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| name: "Attachment: Callback Phishing solicitation via image file" | ||
| description: "A fraudulent invoice/receipt found in an image attachment.\nCallback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. \nThe resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.\n" | ||
| type: "rule" | ||
| authors: | ||
| - twitter: "vector_sec" | ||
| severity: "high" | ||
| source: | | ||
| type.inbound | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| and sender.email.domain.root_domain in $free_email_providers | ||
| and any(attachments, | ||
| .file_type in $file_types_images | ||
| and any(file.explode(.), | ||
| 4 of ( | ||
| strings.icontains(.scan.ocr.raw, "purchase"), | ||
| strings.icontains(.scan.ocr.raw, "subscription"), | ||
| strings.icontains(.scan.ocr.raw, "antivirus"), | ||
| strings.icontains(.scan.ocr.raw, "order"), | ||
| strings.icontains(.scan.ocr.raw, "support"), | ||
| strings.icontains(.scan.ocr.raw, "receipt"), | ||
| strings.icontains(.scan.ocr.raw, "amount"), | ||
| strings.icontains(.scan.ocr.raw, "charged"), | ||
| strings.icontains(.scan.ocr.raw, "invoice"), | ||
| strings.icontains(.scan.ocr.raw, "call"), | ||
| strings.icontains(.scan.ocr.raw, "cancel"), | ||
| strings.icontains(.scan.ocr.raw, "renew"), | ||
| strings.icontains(.scan.ocr.raw, "refund"), | ||
| strings.icontains(.scan.ocr.raw, "+1") | ||
| ) | ||
| ) | ||
| and any(file.explode(.), | ||
| strings.ilike(.scan.ocr.raw, | ||
| "*geek squad*", | ||
| "*lifelock*", | ||
| "*best buy*", | ||
| "*mcafee*", | ||
| "*norton*", | ||
| "*ebay*", | ||
| "*paypal*", | ||
| "*secure anywhere*" | ||
| ) | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "Callback Phishing" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "Free email provider" | ||
| - "Out of band pivot" | ||
| - "Social engineering" | ||
| - "Image as content" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| - "URL analysis" | ||
| - "Computer Vision" | ||
| id: "60acbb36-8ed1-562e-8027-260c2fdf0f04" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: "Attachment: Callback Phishing solicitation via pdf file" | ||
| description: "A fraudulent invoice/receipt found in an single page pdf attachment.\nCallback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. \nThe resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.\n" | ||
| type: "rule" | ||
| severity: "high" | ||
| source: "type.inbound\nand (\n not profile.by_sender().solicited\n or (\n profile.by_sender().any_messages_malicious_or_spam\n and not profile.by_sender().any_false_positives\n )\n)\n\n// single attachment\nand length(attachments) == 1\n\n// sender is freemail\nand sender.email.domain.root_domain in $free_email_providers\n\n// the attachment is a pdf with 1 page, and at least 60 ocr chars\nand any(attachments,\n .file_extension == \"pdf\"\n and any(file.explode(.), .scan.exiftool.page_count == 1)\n and any(file.explode(.), length(.scan.ocr.raw) > 60)\n\n // 4 of the following strings are found \n and any(file.explode(.),\n 4 of (\n strings.icontains(.scan.ocr.raw, \"purchase\"),\n strings.icontains(.scan.ocr.raw, \"payment\"),\n strings.icontains(.scan.ocr.raw, \"transaction\"),\n strings.icontains(.scan.ocr.raw, \"subscription\"),\n strings.icontains(.scan.ocr.raw, \"antivirus\"),\n strings.icontains(.scan.ocr.raw, \"order\"),\n strings.icontains(.scan.ocr.raw, \"support\"),\n strings.icontains(.scan.ocr.raw, \"help line\"),\n strings.icontains(.scan.ocr.raw, \"receipt\"),\n strings.icontains(.scan.ocr.raw, \"invoice\"),\n strings.icontains(.scan.ocr.raw, \"call\"),\n strings.icontains(.scan.ocr.raw, \"helpdesk\"),\n strings.icontains(.scan.ocr.raw, \"cancel\"),\n strings.icontains(.scan.ocr.raw, \"renew\"),\n strings.icontains(.scan.ocr.raw, \"refund\"),\n regex.icontains(.scan.ocr.raw, '\\+\\d')\n )\n )\n\n // 1 of the following strings is found, representing common Callback brands \n and any(file.explode(.),\n 1 of (\n strings.icontains(.scan.ocr.raw, \"geek squad\"),\n strings.icontains(.scan.ocr.raw, \"lifelock\"),\n strings.icontains(.scan.ocr.raw, \"best buy\"),\n strings.icontains(.scan.ocr.raw, \"mcafee\"),\n strings.icontains(.scan.ocr.raw, \"norton\"),\n strings.icontains(.scan.ocr.raw, \"ebay\"),\n strings.icontains(.scan.ocr.raw, \"paypal\"),\n )\n )\n)\n" | ||
| attack_types: | ||
| - "Callback Phishing" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "Free email provider" | ||
| - "Out of band pivot" | ||
| - "PDF" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Exif analysis" | ||
| - "File analysis" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| id: "ac33f097-af20-554c-b29a-56f21be1b285" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
36 changes: 36 additions & 0 deletions
36
detection-rules/attachment_dropbox_image_suspicious_links.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| name: "Attachment: Dropbox image lure with no Dropbox domains in links" | ||
| description: "Detects Dropbox phishing emails with no dropbox links with image attachments from first time sender." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| and length(filter(attachments, .file_type not in $file_types_images)) == 0 | ||
| and any(body.links, not strings.ilike(.href_url.domain.root_domain, "dropbox.*")) | ||
| and any(attachments, | ||
| .file_type in $file_types_images | ||
| and any(file.explode(.), | ||
| strings.ilike(.scan.ocr.raw, "*dropbox*") | ||
| and strings.ilike(.scan.ocr.raw, "*review*", "*sign*") | ||
| ) | ||
| ) | ||
| and ( | ||
| profile.by_sender().prevalence in ("new", "outlier") | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| tactics_and_techniques: | ||
| - "Impersonation: Brand" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "File analysis" | ||
| - "Header analysis" | ||
| - "Optical Character Recognition" | ||
| - "Sender analysis" | ||
| id: "500eee2d-d793-5450-a87f-825ce27c897d" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| name: "Attachment: EML file with HTML attachment (unsolicited)" | ||
| description: | | ||
| Detects HTML files in EML attachments from unsolicited senders. | ||
| Reduces attack surface against HTML smuggling. | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: | | ||
| type.inbound | ||
| // has EML attachment | ||
| and any(attachments, | ||
| .content_type == "message/rfc822" | ||
| and any(file.explode(.), | ||
| // HTML file inside EML attachment | ||
| // we've seen files named ".htm.", which results in an empty | ||
| // .file_extension, so instead we look at .file_name | ||
| // they should be rare enough in EML attachments to not cause | ||
| // extraneous FPs | ||
| strings.ilike(.file_name, "*htm*") | ||
| // optional: we can add additional signals here if necessary | ||
| // identify at least one additional suspicious signal in the message | ||
| // and ( | ||
| // // html smuggling signals | ||
| // any(.scan.javascript.identifiers, . == "unescape") or | ||
| // any(.scan.strings.strings, regex.icontains(., "eval")) or | ||
| // // more signals here if needed | ||
| // // commonly abused sender TLD | ||
| // strings.ilike(sender.email.domain.tld, "*.jp") | ||
| // ) | ||
| ) | ||
| ) | ||
| // exclude bounce backs & read receipts | ||
| and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*") | ||
| and not regex.icontains(subject.subject, "^(undeliverable|read:)") | ||
| and not any(attachments, .content_type == "message/delivery-status") | ||
| // if the "References" is in the body of the message, it's probably a bounce | ||
| and not any(headers.references, strings.contains(body.html.display_text, .)) | ||
| // unsolicited | ||
| and ( | ||
| not profile.by_sender().solicited | ||
| or ( | ||
| profile.by_sender().any_messages_malicious_or_spam | ||
| and not profile.by_sender().any_false_positives | ||
| ) | ||
| ) | ||
| tags: | ||
| - "Attack surface reduction" | ||
| attack_types: | ||
| - "Credential Phishing" | ||
| - "Malware/Ransomware" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "HTML smuggling" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "File analysis" | ||
| - "Header analysis" | ||
| - "HTML analysis" | ||
| - "Sender analysis" | ||
| id: "c24fd191-1685-5cb8-83ef-618225401332" | ||
| testing_pr: 815 | ||
| testing_sha: aed114f25899ab2d1ff2b5519c78aa177a48fa26 |
Oops, something went wrong.