From fbb1cece7f90da0a72d9973892fb9ea4d27eec87 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Sep 2023 15:54:24 -0400
Subject: [PATCH 01/10] New Rule: Attachment: HTML Smuggling with base64 script source
---
 ...ml_smuggling_with_base64_script_source.yml | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 detection-rules/attachment_html_smuggling_with_base64_script_source.yml
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
new file mode 100644
index 00000000000..6698411a3e7
--- /dev/null
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -0,0 +1,49 @@
+name: "Attachment: HTML Smuggling with base64 script source"
+description: |
+ Potential HTML smuggling attacks from new senders.
+ This rule detects HTML files as attachments or within archives that contain base64 script sources from new or outlier senders.
+references:
+
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and (
+ any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_type == "html"
+ or .content_type == "text/html"
+ )
+ and any(file.explode(.),
+ length(.scan.strings.strings) < 20
+ and any(.scan.strings.strings,
+ regex.icontains(., 'script src="data:text/html;base64')
+ )
+ )
+ )
+ or any(attachments,
+ (.file_extension in~ $file_extensions_common_archives)
+ and any(file.explode(.),
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or ..file_type == "html"
+ or ..content_type == "text/html"
+ )
+ and length(.scan.strings.strings) < 20
+ and any(.scan.strings.strings,
+ regex.icontains(., 'script src="data:text/html;base64')
+ )
+ )
+ )
+ )
+ // first-time sender
+ and (
+ profile.by_sender().prevalence in ("new", "outlier")
+ or (
+ profile.by_sender().any_malicious_messages
+ and not profile.by_sender().any_false_positives
+ )
+ )
+tags:
+
\ No newline at end of file
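Review bot: In the archive branch, `..file_type == "html"` and `..content_type == "text/html"` refer to the parent of the exploded file rather than the file itself, and that parent has just been required to carry an archive extension, so those two alternatives can never hold and only the `.file_extension` check does any work (assuming `..` resolves to the enclosing attachment — please confirm against the MQL scoping rules). If the intent is to match the exploded child by type, the comparison should use the child's own fields so the branch mirrors the non-archive branch above it. The `length(.scan.strings.strings) < 20` bound appears in both branches without explanation; a one-line comment recording why that number was chosen (and whether it should move with the pattern when either is tuned) would help the next maintainer. `references:` and `tags:` are left as empty keys, which a strict rule schema may reject.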
From 8bb97682919af5ff793851a9c18c3d311f1c3df2 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Sep 2023 15:55:32 -0400
Subject: [PATCH 02/10] New Rule: attachment_html_smuggling_with_base64_script_source.yml
---
 ...t_html_smuggling_with_base64_script_source.yml | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index 6698411a3e7..b2a42d403e9 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -45,5 +45,16 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
-tags:
-
\ No newline at end of file
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "HTML smuggling"
+detection_methods:
+ - "Archive analysis"
+ - "Content analysis"
+ - "File analysis"
+ - "HTML analysis"
+ - "Sender analysis"
+
From e436656d9444c20c05fae05addf7cc88416d86a6 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 25 Sep 2023 19:57:52 +0000
Subject: [PATCH 03/10] Auto add rule ID
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index b2a42d403e9..ac63a743ac1 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -58,3 +58,4 @@ detection_methods:
 - "HTML analysis"
 - "Sender analysis"
 
+id: "f352db77-f2c9-5cfc-b8d3-8adf889f70f3"
From 8f8e8adad372ff2edf7e50affb2e3eabd272ceac Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 25 Sep 2023 16:04:33 -0400
Subject: [PATCH 04/10] Update detection-rules/attachment_html_smuggling_with_base64_script_source.yml
Co-authored-by: Aiden Mitchell
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index ac63a743ac1..3088735d55c 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -2,8 +2,6 @@ name: "Attachment: HTML Smuggling with base64 script source"
 description: |
 Potential HTML smuggling attacks from new senders.
 This rule detects HTML files as attachments or within archives that contain base64 script sources from new or outlier senders.
-references:
-
 type: "rule"
 severity: "medium"
 source: |
From 97524767bc0e47b60c8296ae32b91a4978084ffc Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 20 Oct 2023 12:04:43 -0400
Subject: [PATCH 05/10] Update attachment_html_smuggling_with_base64_script_source.yml
Fixing any_malicious_message
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index 3088735d55c..61533abc616 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -39,7 +39,7 @@ source: |
 and (
 profile.by_sender().prevalence in ("new", "outlier")
 or (
- profile.by_sender().any_malicious_messages
+ profile.by_sender().any_messages_malicious_or_spam
 and not profile.by_sender().any_false_positives
 )
 )
From ad0df6da863be662271c58beb02cb82d35f45696 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 30 Oct 2023 12:43:33 -0400
Subject: [PATCH 06/10] Update detection-rules/attachment_html_smuggling_with_base64_script_source.yml
Co-authored-by: Aiden Mitchell
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index 61533abc616..c90118520b3 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -1,7 +1,7 @@
 name: "Attachment: HTML Smuggling with base64 script source"
 description: |
 Potential HTML smuggling attacks from new senders.
- This rule detects HTML files as attachments or within archives that contain base64 script sources from new or outlier senders.
+ This rule detects HTML files as attachments or within archives that contain base64 sources from new or outlier senders.
 type: "rule"
 severity: "medium"
 source: |
From d01ff7e6b57049d22183a7b680b9c6f89e799095 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 30 Oct 2023 12:43:39 -0400
Subject: [PATCH 07/10] Update detection-rules/attachment_html_smuggling_with_base64_script_source.yml
Co-authored-by: Aiden Mitchell
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index c90118520b3..e843056db4a 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -1,4 +1,4 @@
-name: "Attachment: HTML Smuggling with base64 script source"
+name: "Attachment: HTML Smuggling with base64 source"
 description: |
 Potential HTML smuggling attacks from new senders.
 This rule detects HTML files as attachments or within archives that contain base64 sources from new or outlier senders.
From f20e7e3679bfee7add5d7910e1c1ee6092f072ca Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 30 Oct 2023 12:43:45 -0400
Subject: [PATCH 08/10] Update detection-rules/attachment_html_smuggling_with_base64_script_source.yml
Co-authored-by: Aiden Mitchell
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index e843056db4a..78e2be84011 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -16,7 +16,7 @@ source: |
 and any(file.explode(.),
 length(.scan.strings.strings) < 20
 and any(.scan.strings.strings,
- regex.icontains(., 'script src="data:text/html;base64')
+ regex.icontains(., 'src="data:text/html;base64')
 )
 )
 )
From 8a1f89ec5dc3bc69b7f6312e4cd2595ad03ffdfb Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 30 Oct 2023 12:44:01 -0400
Subject: [PATCH 09/10] Update detection-rules/attachment_html_smuggling_with_base64_script_source.yml
Co-authored-by: Aiden Mitchell
---
 .../attachment_html_smuggling_with_base64_script_source.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index 78e2be84011..5d1406eebfe 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
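Review bot: The widened pattern `'src="data:text/html;base64'` in PATCH 08 is a plain literal with no regex metacharacters, so `strings.icontains(., 'src="data:text/html;base64')` states the intent more directly than `regex.icontains` and removes the risk of a later edit adding a `.` or `?` that the regex engine would interpret; the identical change to the archive branch in PATCH 09 should get the same treatment. Since the two branches now carry the same literal, a short comment above the first occurrence noting that both must be kept in step would help, because PATCH 08 and PATCH 09 had to be made as two separate edits for exactly that reason. The rule `name` was changed to "base64 source" in PATCH 07 and the `description` in PATCH 06, but the file is still named `attachment_html_smuggling_with_base64_script_source.yml`, so the three no longer agree.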
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -30,7 +30,7 @@ source: |
 )
 and length(.scan.strings.strings) < 20
 and any(.scan.strings.strings,
- regex.icontains(., 'script src="data:text/html;base64')
+ regex.icontains(., 'src="data:text/html;base64')
 )
 )
 )
From 6f50e340017ea3fe438257f7bf613af4be82b2f4 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 21 Nov 2023 12:06:36 -0500
Subject: [PATCH 10/10] Update attachment_html_smuggling_with_base64_script_source.yml
---
 ...ml_smuggling_with_base64_script_source.yml | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
index 5d1406eebfe..1719bdd5e94 100644
--- a/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
+++ b/detection-rules/attachment_html_smuggling_with_base64_script_source.yml
@@ -1,7 +1,7 @@
 name: "Attachment: HTML Smuggling with base64 source"
 description: |
 Potential HTML smuggling attacks from new senders.
- This rule detects HTML files as attachments or within archives that contain base64 sources from new or outlier senders.
+ This rule detects HTML files as attachments or within archives that contain base64 sources from new and unsolicited senders.
 type: "rule"
 severity: "medium"
 source: |
@@ -35,13 +35,24 @@ source: |
 )
 )
 )
- // first-time sender
 and (
 profile.by_sender().prevalence in ("new", "outlier")
- or (
- profile.by_sender().any_messages_malicious_or_spam
- and not profile.by_sender().any_false_positives
+ and not profile.by_sender().solicited
+ )
+
+ and not profile.by_sender().any_false_positives
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
 )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
 attack_types:
 - "Credential Phishing"
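Review bot: The high-trust carve-out fails open: when no hop carries a DMARC verdict, `distinct(headers.hops, .authentication_results.dmarc is not null)` is empty, `any(...)` is false, and a message claiming a domain in `$high_trust_sender_root_domains` is excluded from the rule even though nothing authenticated it. If the intended meaning is "trusted only when DMARC actually passed", the check should require a positive result instead, e.g. `not any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*pass"))` (confirm which default the rule set uses elsewhere, and that `"*pass"` is the verdict string the platform emits). Structurally, the `and ( any(...) )` wrapper around the single `any(...)` call adds a level of parentheses that carries nothing; the whole block reads more simply as `sender.email.domain.root_domain not in $high_trust_sender_root_domains or any(distinct(headers.hops, .authentication_results.dmarc is not null), strings.ilike(.authentication_results.dmarc, "*fail"))`. The `// first-time sender` comment was removed, but the `prevalence in ("new", "outlier") and not solicited` block still implements that idea, so a replacement comment above that `and (` (for example `// new or outlier sender that the recipient has not corresponded with`) would keep the intent visible.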