From 2bcac7a69268fe3b4182ae4856384239f15606fe Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 5 Sep 2023 12:48:46 -0400
Subject: [PATCH 1/3] New Rule: Credential Theft: Image as content, short or no body contents
---
 ...t_credential_phishing_image_as_content.yml | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 detection-rules/attachment_credential_phishing_image_as_content.yml
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
new file mode 100644
index 00000000000..8e81c3f21de
--- /dev/null
+++ b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -0,0 +1,48 @@
+name: "Credential Theft: Image as content, short or no body contents"
+description: |
+ Testing to account for corrupt PNG's.
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.links) < 2
+ and 0 < (length(attachments)) < 3
+ and (
+ // body text is very short
+ (
+ 0 <= (length(body.current_thread.text)) < 10 or body.current_thread.text is null
+ )
+ or (
+ length(body.current_thread.text) < 900
+ // or body is most likely all warning banner (text contains the sender and common warning banner language)
+ and (
+ (
+ strings.contains(body.current_thread.text, sender.email.email)
+ and strings.contains(body.current_thread.text, 'caution')
+ )
+ or regex.icontains(body.current_thread.text,
+ "intended recipient's use only|external email|sent from outside|you don't often"
+ )
+ )
+ )
+ )
+ and (
+ all(attachments,
+ (.file_type in $file_types_images)
+ and (
+ any(file.explode(.),
+ any(.scan.exiftool.fields, .value == "Truncated PNG image")
+ or (
+ any(ml.logo_detect(..).brands, .name is not null)
+ and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+ .name == "cred_theft" and .confidence == "high"
+ )
+ )
+ )
+ )
+ )
+ )
+tags:
+ - "Potential Rule - Sam"
\ No newline at end of file
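Review bot: In the attachment condition, the truncated-PNG check `any(.scan.exiftool.fields, .value == "Truncated PNG image")` is a complete verdict on its own: a short or banner-only body, at most one link and one or two image attachments containing one corrupt PNG fire the rule with no brand, OCR or intent evidence, which is also the shape of an ordinary message carrying a broken inline signature image. If the reasoning is that a truncated PNG cannot be OCR'd and the corruption itself is therefore the evasion signal, that belongs next to the check, e.g. `// a truncated PNG defeats OCR/NLU, so the corruption alone stands in for the content signal here`, and the description `Testing to account for corrupt PNG's.` should say the same rather than read as a placeholder. Otherwise the branch could at least require a detected brand from `ml.logo_detect(..)` as the logo branch does, relaxing only the intent check for images the OCR cannot read; whether logo detection still runs on a truncated image is not visible from the hunk. Either way, a note on the expected false-positive source (corrupt signature images) would help whoever tunes the rule later.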
From 41452b132f84bd2f36ccb96537787b28ade62422 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 5 Sep 2023 13:03:02 -0400
Subject: [PATCH 2/3] Update attachment_credential_phishing_image_as_content.yml
---
 ...t_credential_phishing_image_as_content.yml | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
index 8e81c3f21de..59dd58c32d0 100644
--- a/detection-rules/attachment_credential_phishing_image_as_content.yml
+++ b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -1,8 +1,8 @@
-name: "Credential Theft: Image as content, short or no body contents"
+name: "Credential Phishing: Image as content, short or no body contents"
 description: |
- Testing to account for corrupt PNG's.
-references:
-
+ This rule identifies incoming messages with minimal links, all image attachments and either empty, brief
+ or the body text is only a warning banner/disclaimer. It also checks for truncated PNG images or logos in addition
+ to high-confidence credit theft intentions.
 type: "rule"
 severity: "medium"
 source: |
@@ -44,5 +44,15 @@ source: |
 )
 )
 )
-tags:
- - "Potential Rule - Sam"
\ No newline at end of file
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Image as content"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
From ee54b63da3c00c9254ff8f3cf51b31a5d7bcaf1f Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 5 Sep 2023 17:04:24 +0000
Subject: [PATCH 3/3] Auto add rule ID
---
 .../attachment_credential_phishing_image_as_content.yml | 1 +
 1 file changed, 1 insertion(+)
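Review bot: The new description says the rule checks truncated PNG images or logos `in addition to high-confidence credit theft intentions`, but the unchanged source block treats a truncated PNG as an alternative to the logo-plus-intent pair rather than a condition combined with it, so the text overstates what the truncated-PNG branch requires; `credit theft` also reads as a typo for credential theft, the term used in the new `name` and in the `cred_theft` intent. Suggested wording for the last two description lines: `Attachments must either be truncated PNG images or carry a detected brand logo together with a high-confidence credential theft intent in their OCR text.` The `source: |` block this describes begins in this hunk's context and continues outside it.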
diff --git a/detection-rules/attachment_credential_phishing_image_as_content.yml b/detection-rules/attachment_credential_phishing_image_as_content.yml
index 59dd58c32d0..dc9b0a60fc6 100644
--- a/detection-rules/attachment_credential_phishing_image_as_content.yml
+++ b/detection-rules/attachment_credential_phishing_image_as_content.yml
@@ -56,3 +56,4 @@ detection_methods:
 - "Header analysis"
 - "Natural Language Understanding"
 - "Optical Character Recognition"
+id: "01313f38-d0d1-5240-b407-8f9158639277"