From 6bc92f90980188e83c471ba2a17a6861659fa614 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 20 Sep 2023 15:11:21 -0400
Subject: [PATCH 1/2] Update attachment_html_recipient_in_javascript_identifiers.yml

Fixing issue where the rule would fail to flag if the recipient and the javascript terms were found in separate exploded pieces of the same file.
---
 ...ent_html_recipient_in_javascript_identifiers.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 849592d655b..1e6167c7cf1 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -7,7 +7,7 @@ source: |
 type.inbound
 and any(attachments,
 (
- .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
 or (
 .file_extension is null
 and .file_type == "unknown"
@@ -16,13 +16,18 @@ source: |
 )
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
+ or .content_type == "text/html"
 )
 and any(file.explode(.),
 // suspicious identifiers
- any(.scan.javascript.identifiers, strings.like(., "atob", "decrypt"))
+ any([.scan.strings.strings, .scan.javascript.identifiers],
+ any(., strings.like(., "*atob*", "*decrypt*"))
+ )
 // Recipients address found in javascript
- and any(recipients.to,
- any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ and any(file.explode(..),
+ any(recipients.to,
+ any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ )
 )
 )
 )
From e93a91a094fe6026ab7077f367fd95b5ab1521ac Mon Sep 17 00:00:00 2001
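Review bot: The comment `// suspicious identifiers` in the second hunk is now stale, because the check under it no longer looks only at `.scan.javascript.identifiers` but at `[.scan.strings.strings, .scan.javascript.identifiers]` with wildcard patterns; change it to `// suspicious identifiers or extracted strings containing "atob" / "decrypt"`. Note also that `strings.like(., "*atob*", "*decrypt*")` over all extracted strings is a substring match, so ordinary prose such as "decrypted" or "decryption" in an HTML body will satisfy this leg on its own; the rule then leans entirely on the recipient-address leg for precision, which is worth a comment so a later edit does not loosen that leg. The enclosing `source:` expression starts outside the hunk.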
From: Sam Scholten
Date: Fri, 22 Sep 2023 13:26:24 -0400
Subject: [PATCH 2/2] Update attachment_html_recipient_in_javascript_identifiers.yml

---
 ...ent_html_recipient_in_javascript_identifiers.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 1e6167c7cf1..92325b3de87 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -12,7 +12,6 @@ source: |
 .file_extension is null
 and .file_type == "unknown"
 and .content_type == "application/octet-stream"
- and .size < 100000000
 )
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
@@ -23,14 +22,14 @@ source: |
 any([.scan.strings.strings, .scan.javascript.identifiers],
 any(., strings.like(., "*atob*", "*decrypt*"))
 )
- // Recipients address found in javascript
- and any(file.explode(..),
- any(recipients.to,
- any(..scan.javascript.strings, strings.icontains(., ..email.email))
- )
+ )
+ // Recipients address found in javascript
+ and any(file.explode(.),
+ any(recipients.to,
+ any(..scan.javascript.strings, strings.icontains(., ..email.email))
 )
 )
- )
+ )
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
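Review bot: Removing `and .size < 100000000` in the first hunk drops the only size bound on the `application/octet-stream` / unknown-type branch, so attachments of any size that match it now feed both `file.explode(.)` passes, and the commit description is empty, so the reason is not recorded. If the platform enforces its own explode limit this is harmless, but that is not visible from the rule; either restore the bound or add a one-line comment such as `// no size cap here: explode limits are enforced by the platform` so the next reader knows it is deliberate. Removing the bound is also the kind of change that belongs in the commit message, since it changes what gets exploded rather than what gets flagged.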
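Review bot: The second hunk now calls `file.explode(.)` twice on the same attachment as two sibling `any(...)` clauses, and nothing says this is intentional; a reader may "optimize" them back into one explode, which would reintroduce the miss described in PATCH 1/2 (identifier and recipient address in different exploded pieces). Put the reason next to the second call, e.g. `// second explode on purpose: the atob/decrypt hit and the recipient address may sit in different exploded pieces`. If explode results are not cached by the engine, this doubles the explode cost per matching attachment, which is worth confirming given the size cap removed in the first hunk. The enclosing `source:` expression begins outside the hunk.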