From 773c41795fb68bb8834e2a84373ca02c5a792214 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 16:24:45 -0400 Subject: [PATCH 1/4] New Rule: Attachment: HTML smuggling with decimal encoding --- ...chment_html_smuggling_decimal_encoding.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 detection-rules/attachment_html_smuggling_decimal_encoding.yml diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml new file mode 100644 index 00000000000..22dfc6a4674 --- /dev/null +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml @@ -0,0 +1,30 @@ +name: "Attachment: HTML smuggling with decimal encoding" +description: | + Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. +references: + +type: "rule" +severity: "" +source: | + type.inbound + and any(attachments, + ( + .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml") + or ( + .file_extension is null + and .file_type == "unknown" + and .content_type == "application/octet-stream" + ) + or .file_extension in~ $file_extensions_common_archives + or .file_type == "html" + or .content_type == "text/html" + ) + and any(file.explode(.), + // suspicious identifiers + any(.scan.strings.strings, + regex.contains(., '(\d{2,3},){60,}') + ) + ) + ) +tags: + \ No newline at end of file From 2ef7133ae9c02445e425128b5a3efd43de30cc93 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 16:25:37 -0400 Subject: [PATCH 2/4] Update attachment_html_smuggling_decimal_encoding.yml --- ...achment_html_smuggling_decimal_encoding.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) 
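Review bot: The regex in the last condition, `'(\d{2,3},){60,}'`, only matches a run in which every value is two or three digits and is followed immediately by a comma, so the beautified form `String.fromCharCode(72, 101, 108, …)` (space after each comma) never matches, and a single-digit code point such as 9 (tab) or any value above 999 resets the count. A more tolerant form, `regex.contains(., '(\d{1,3}\s*,\s*){60,}')`, covers those layouts; because any HTML carrying a sixty-element numeric array (chart data, lookup tables) would also match, consider pairing it with a check for a decode primitive such as `fromCharCode` in the same string, accepting that string concatenation can evade that pairing. The inline comment `// suspicious identifiers` does not describe what the check does; `// long run of comma-separated char codes, e.g. String.fromCharCode(72,101,...)` would. The rule also assumes `.scan.strings.strings` returns the whole run as one string — if strings extraction splits long lines, a break mid-run would hide it, so this is worth confirming against a real sample.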
diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml index 22dfc6a4674..adf43629bf3 100644 --- a/detection-rules/attachment_html_smuggling_decimal_encoding.yml +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml @@ -1,10 +1,8 @@ name: "Attachment: HTML smuggling with decimal encoding" description: | Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. -references: - type: "rule" -severity: "" +severity: "medium" source: | type.inbound and any(attachments, @@ -26,5 +24,15 @@ source: | ) ) ) -tags: - \ No newline at end of file +attack_types: + - "Credential Phishing" + - "Malware/Ransomware" +tactics_and_techniques: + - "Evasion" + - "HTML smuggling" + - "Scripting" +detection_methods: + - "Archive analysis" + - "Content analysis" + - "File analysis" + - "HTML analysis" From d39ddb93f60ebf813577c92ddbbecc8c671f59ba Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Wed, 20 Sep 2023 16:26:15 -0400 Subject: [PATCH 3/4] Update attachment_html_smuggling_decimal_encoding.yml --- detection-rules/attachment_html_smuggling_decimal_encoding.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml index adf43629bf3..1dd1213763b 100644 --- a/detection-rules/attachment_html_smuggling_decimal_encoding.yml +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml 
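Review bot: The first hunk removes the empty `references:` key rather than filling it, so the description's assertion that attackers "often use decimal encoding … to bypass traditional email security measures" ships without a citation. If the rule schema allows it, keep `references:` and point it at a public write-up of HTML smuggling via decimal `String.fromCharCode` arrays; otherwise soften that sentence in the description so it does not read as a sourced claim.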
@@ -2,7 +2,7 @@ name: "Attachment: HTML smuggling with decimal encoding" description: | Potential HTML smuggling attack based on large blocks of decimal encoding. Attackers often use decimal encoding as an obfuscation technique to bypass traditional email security measures. type: "rule" -severity: "medium" +severity: "high" source: | type.inbound and any(attachments, From f8370503687493c7d7863f377fb9087c31e1b844 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Wed, 20 Sep 2023 20:27:52 +0000 Subject: [PATCH 4/4] Auto add rule ID --- detection-rules/attachment_html_smuggling_decimal_encoding.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/attachment_html_smuggling_decimal_encoding.yml b/detection-rules/attachment_html_smuggling_decimal_encoding.yml index 1dd1213763b..236d94bf693 100644 --- a/detection-rules/attachment_html_smuggling_decimal_encoding.yml +++ b/detection-rules/attachment_html_smuggling_decimal_encoding.yml @@ -36,3 +36,4 @@ detection_methods: - "Content analysis" - "File analysis" - "HTML analysis" +id: "f99213c4-7031-50b1-ae81-b45f790d3fa4"
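Review bot: Raising `severity` to `"high"` rests on a single unanchored regex, `(\d{2,3},){60,}`, that fires on any HTML or archived file containing sixty or more comma-joined two- or three-digit numbers, which legitimate inline JavaScript (chart series, lookup tables, minified bundles) also carries; at this severity such false positives are costly for analysts. Either keep `"medium"` until the rule has a corroborating condition — for instance also requiring `fromCharCode` in the matching string — or add a sentence to the description naming the expected false-positive sources so triage is faster. The `regex.contains` condition this concern applies to lies outside this hunk, in the `source` block.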