Signals from detection rules, batch 1 #819

Closed
wants to merge 1 commit into from
6 changes: 6 additions & 0 deletions signals/attachments/attachment_adobe_image.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
name: "Attachment: Adobe image"
type: "query"
source: |
any(attachments, .file_type in $file_types_images
and any(ml.logo_detect(.).brands, .name == "Adobe" and .confidence in ("high"))
)
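Review bot: the confidence threshold on the third line, `.confidence in ("high")`, differs from the `("medium", "high")` accepted for DocuSign in brand_docusign.yml in this same batch; if the asymmetry is deliberate, a comment saying why would help, and a single-value membership test reads more directly as `.confidence == "high"`.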
7 changes: 7 additions & 0 deletions signals/attachments/attachment_archive_with_chm.yml
@@ -0,0 +1,7 @@
name: "Attachment: Archive with CHM file"
type: "query"
source: |
any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .file_extension =~ "chm")
)
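Review bot: the inner match `.file_extension =~ "chm"` relies on the extracted file's extension alone, whereas the neighbouring EXE rule matches on `.flavors.yara`, so a CHM that has been renamed inside the archive is not caught here; consider matching on the detected file type as well so the two archive rules share one detection basis, and decide whether the `.depth > 0` guard used in attachment_archive_with_html.yml should also apply to this rule.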
7 changes: 7 additions & 0 deletions signals/attachments/attachment_archive_with_exe.yml
@@ -0,0 +1,7 @@
name: "Attachment: Archive with EXE file"
type: "query"
source: |
any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), any(.flavors.yara, . == "mz_file"))
)
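Review bot: the `mz_file` flavor on line 6 matches any file with an MZ header (DLLs, screensavers and other PE images, not just .exe), so the name "Archive with EXE file" understates what will fire; either rename to reflect PE/MZ files generally or add a comment noting the broader scope so rule authors composing on this signal are not surprised.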
7 changes: 7 additions & 0 deletions signals/attachments/attachment_archive_with_html.yml
@@ -0,0 +1,7 @@
name: "Attachment: HTML file in archive"
type: "query"
source: |
any(attachments,
.file_extension in~ $file_extensions_common_archives
and any(file.explode(.), .depth > 0 and .file_extension in~ ("html", "htm"))
)
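Review bot: line 6 applies `.depth > 0`, which the CHM and EXE archive rules in this batch omit; pick one convention and note why it is needed (presumably so the archive itself, returned at depth 0, is not matched). The extension list `("html", "htm")` is also narrower than the `("html", "htm", "shtml", "dhtml")` plus `.file_type == "html"` used in attachment_html.yml, so an archived .shtml would pass this rule but trip the standalone one; aligning the two keeps coverage consistent.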
6 changes: 6 additions & 0 deletions signals/attachments/attachment_eml.yml
@@ -0,0 +1,6 @@
name: "Attachment: EML"
type: "query"
source: |
// reduce FPs by checking count of attachments
length(attachments) == 1
and any(attachments, .content_type == "message/rfc822")
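Review bot: the `length(attachments) == 1` gate on line 5 excludes every message in which the forwarded .eml travels with a second attachment (an inline signature image, for instance), so the signal drops a common legitimate-forward shape along with whatever false positives motivated it; the comment should name the FP class being avoided, or the condition could count only `message/rfc822` attachments rather than all attachments.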
7 changes: 7 additions & 0 deletions signals/attachments/attachment_html.yml
@@ -0,0 +1,7 @@
name: "Attachment: HTML file"
type: "query"
source: |
any(attachments,
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_type == "html"
)
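Review bot: `or .file_type == "html"` on line 6 already catches HTML content whatever its extension, so the extension list on line 5 only adds files whose detected type is something other than html; a one-line comment stating that intent (mistyped or obfuscated HTML) would make the dual condition clearer to the next maintainer.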
15 changes: 15 additions & 0 deletions signals/attachments/attachment_image_suspicious_text.yml
@@ -0,0 +1,15 @@
name: "Attachment: Image with suspicious text"
type: "query"
source: |
any(attachments, .file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*review*",
"*sign*",
"*view*",
"*completed document*",
"*open agreement*",
"important edocs"
)
)
)
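Review bot: the last pattern, `"important edocs"`, carries no `*` wildcards, so under `strings.ilike` it matches only when the entire OCR output equals that phrase, which is almost certainly not the intent; `"*important edocs*"` would behave like the other entries. Separately, `"*sign*"` and `"*view*"` match "design", "signature", "preview" and "interview", so any image containing ordinary text will satisfy this signal; tighter phrases in the style of `"*completed document*"` would keep it useful as a rule component.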
4 changes: 4 additions & 0 deletions signals/content/brand_docusign.yml
@@ -0,0 +1,4 @@
name: "Brand: DocuSign"
type: "query"
source: |
any(ml.logo_detect(beta.message_screenshot()).brands, .name == "DocuSign" and .confidence in ("medium", "high"))
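Review bot: `beta.message_screenshot()` is in the beta namespace, so this rule depends on a function that may change; a comment flagging the dependency would help whoever maintains it. The accepted confidence `("medium", "high")` is also looser than the `("high")` used for the Adobe logo rule in this batch; state whether medium confidence is acceptable for DocuSign specifically or bring the two into line.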
10 changes: 10 additions & 0 deletions signals/content/brand_dropbox.yml
@@ -0,0 +1,10 @@
name: "Brand: Dropbox"
type: "query"
source: |
// todo: dropbox image via logo_detect
any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*dropbox*")
)
)
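Review bot: the `// todo` on line 4 should either be resolved before merge (brand_docusign.yml in this batch already shows the `ml.logo_detect(beta.message_screenshot())` pattern) or be turned into a tracked issue; as written, the rule only OCRs image attachments for the string "dropbox", so a Dropbox logo without text, or Dropbox branding in the message body, will not match.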
8 changes: 8 additions & 0 deletions signals/headers/headers_bounce_back.yml
@@ -0,0 +1,8 @@
name: "Bounce back"
type: "query"
source: |
not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
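Review bot: every clause on lines 4 to 8 is negated, so the query is true for any message showing no bounce indicator and false for actual bounces, the inverse of the rule's name; note too that simply dropping the `not`s while keeping `and` would require a postmaster-style sender, an undeliverable subject, a delivery-status part and a References match all at once. A bounce typically shows one or two of these, so the positive conditions should be joined with `or`.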
Comment on lines +4 to +8
Member


This looks like a snippet to exclude bounce-backs. It'll basically fire on everything that's not a bounce-back. I think you want the inverse?

Suggested change
not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not regex.icontains(subject.subject, "^(undeliverable|read:)")
and not any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and not any(headers.references, strings.contains(body.html.display_text, .))
strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and regex.icontains(subject.subject, "^(undeliverable|read:)")
and any(attachments, .content_type == "message/delivery-status")
// if the "References" is in the body of the message, it's probably a bounce
and any(headers.references, strings.contains(body.html.display_text, .))

Member


@jkamdjou fysa