From 2775b7d65fe52ab44f922ba50974c5303cac61cb Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Fri, 22 Sep 2023 08:35:43 -0700
Subject: [PATCH] Updating rule: attachment_pdf_with_google_ae_redirect.yml

Adding .zip detection.
---
 .../attachment_pdf_with_google_ae_redirect.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/detection-rules/attachment_pdf_with_google_ae_redirect.yml b/detection-rules/attachment_pdf_with_google_ae_redirect.yml
index a002b8b967d..c0a09fcdff2 100644
--- a/detection-rules/attachment_pdf_with_google_ae_redirect.yml
+++ b/detection-rules/attachment_pdf_with_google_ae_redirect.yml
@@ -1,5 +1,5 @@
-name: "PDF attachment with Google (AE) redirecting to a php file"
-description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL"
+name: "PDF attachment with Google (AE) redirecting to a php or zip file"
+description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL."
 references:
   - "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20"
   - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
@@ -13,8 +13,11 @@ source: |
     any(.scan.pdf.urls,
       // url encoded q=http
       strings.starts_with(.query_params, "q=%68%74%74%70")
-      // url encoded .php
-      and strings.contains(.query_params, ".%70%68%70")
+      // url encoded .php or .zip
+      and (
+        strings.contains(.query_params, ".%70%68%70")
+        or strings.contains(.query_params, "%2e%7a%69%70")
+      )
       and .domain.root_domain == "google.ae"
     )
   )
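Review bot: The two encoded-extension checks in the new `and ( … )` block disagree on how the dot is encoded: the `.php` branch requires a literal dot (`.%70%68%70`) while the `.zip` branch requires an encoded one (`%2e%7a%69%70`), so a `.%7a%69%70` or `%2e%70%68%70` payload matches neither branch even though both decode to the extensions this rule is named for. Percent-encoding is also case-insensitive on the wire, so `%2E%7A%69%70` would evade if `strings.contains` is case-sensitive, as its name relative to the usual `icontains` variant suggests. Consider collapsing the block to one case-insensitive pattern that accepts either dot form, e.g. `and regex.icontains(.query_params, '(\.|%2e)(%70%68%70|%7a%69%70)')`, or at minimum add the two missing literal/encoded combinations and note the intent with `// dot may be literal or %2e; hex digits may be upper-case`. The enclosing `any(...)` expression begins before this hunk.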