From 27716f147ba3b333d309320339419b94c97567f8 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Thu, 7 Dec 2023 10:31:41 -0800
Subject: [PATCH 1/2] Create impersonation_dashlane.yml

---
 detection-rules/impersonation_dashlane.yml | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 detection-rules/impersonation_dashlane.yml

diff --git a/detection-rules/impersonation_dashlane.yml b/detection-rules/impersonation_dashlane.yml
new file mode 100644
index 00000000000..df43f400dba
--- /dev/null
+++ b/detection-rules/impersonation_dashlane.yml
@@ -0,0 +1,40 @@
+name: "Brand impersonation: Dashlane"
+description: "Impersonation of the password management software Dashlane."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ regex.icontains(sender.display_name, '\bDashlane\b')
+ or strings.ilike(sender.email.domain.domain, '*Dashlane*')
+ )
+ and sender.email.domain.root_domain not in~ ('dashlane.com')
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Header analysis"
+ - "Sender analysis"

From 2b8e242d7b8d15e5c3150a38ac9725891a6f9030 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Thu, 7 Dec 2023 18:33:06 +0000
Subject: [PATCH 2/2] Auto add rule ID

---
 detection-rules/impersonation_dashlane.yml | 1 +
 1 file changed, 1 insertion(+)
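Review bot: The `and sender.email.domain.root_domain not in~ ('dashlane.com')` exclusion carries no authentication condition, so a message whose sender domain (presumably the header From) is dashlane.com itself is excluded from this rule regardless of DMARC results, while the high-trust carve-out further down deliberately keeps DMARC failures in scope. If dashlane.com is already present in `$high_trust_sender_root_domains` the later clause covers that case; if it is not, consider exempting dashlane.com only when no hop reports a DMARC failure, reusing the hop check the rule already has, as sketched below. As a point of style, the trusted-domain block has the shape `(A and B) or not A`, which is equivalent to `not A or B`, so it could collapse to `sender.email.domain.root_domain not in $high_trust_sender_root_domains or any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))` — worth keeping the longer form only if sibling rules in the repository share that idiom. The missing `id` is supplied by the following patch, so nothing to raise there.
```yaml
source: |
  // … unchanged: type.inbound and the Dashlane display-name / domain match …
  and (
    sender.email.domain.root_domain not in~ ('dashlane.com')
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )
  // … unchanged: sender-profile gate and high-trust-domain negation …
```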
diff --git a/detection-rules/impersonation_dashlane.yml b/detection-rules/impersonation_dashlane.yml
index df43f400dba..7c217b54031 100644
--- a/detection-rules/impersonation_dashlane.yml
+++ b/detection-rules/impersonation_dashlane.yml
@@ -38,3 +38,4 @@ tactics_and_techniques:
 detection_methods:
 - "Header analysis"
 - "Sender analysis"
+id: "9e400937-4e7e-53fe-ad34-8393ab01890e"