From df7abb5134184ccff90a86da70f55d1e65e8593e Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 12:32:59 -0400 Subject: [PATCH 1/8] initial commit --- ...tachment_qr_code_suspicious_components.yml | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 detection-rules/attachment_qr_code_suspicious_components.yml diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml new file mode 100644 index 00000000000..53aad4d07b3 --- /dev/null +++ b/detection-rules/attachment_qr_code_suspicious_components.yml 
@@ -0,0 +1,82 @@ +name: "Attachment: QR code with credential phishing indicators" +description: | + Detects messages with between 1-3 attachments, that contain a QR code with multiple conditional checks. LinkAnalysis credential phishing conclusion, or the QR code url traverses suspicious infrastructure, or the final destination is in URLhaus, or downloads a zip or executable, or the leverages url shorteners or known QR abused openredirects. +type: "rule" +severity: "high" +source: | + type.inbound + and ( + any(attachments, + .file_type in $file_types_images + and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) + ) + or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) + ) + and any(attachments, + .file_type in $file_types_images + and ( + any(file.explode(.), + regex.icontains(.scan.ocr.raw, 'scan|camera') + and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode') + ) + or ( + any(file.explode(.), + .scan.qr.type == "url" + // recipient email address is present in the URL, a common tactic used in credential phishing attacks + and any(recipients.to, + strings.icontains(..scan.qr.data, .email.email) + + // the recipients sld is in the senders display name + or any(recipients.to, + strings.icontains(sender.display_name, .email.domain.sld) + ) + + // the recipient local is in the body + or any(recipients.to, + strings.icontains(body.current_thread.text, .email.local_part) + ) + + // or the body is null + or body.current_thread.text is null + or body.current_thread.text == "" + + // or the subject contains authentication/urgency verbiage + or regex.contains(subject.subject, + "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)" + ) + ) + ) + ) + ) + ) + and ( + not any(headers.hops, + .authentication_results.compauth.verdict is not null + and .authentication_results.compauth.verdict == "pass" + and sender.email.domain.domain == "microsoft.com" + ) + ) + // 
unsolicited + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $recipient_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $recipient_domains + ) + ) + +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "QR code" + - "Social engineering" +detection_methods: + - "Computer Vision" + - "Header analysis" + - "QR code analysis" + - "Sender analysis" +id: "ed0f772a-6543-5947-80d1-55a11ea63074" From b12b784073dd43d664ad213673808299c4e695e0 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 12:34:11 -0400 Subject: [PATCH 2/8] Update attachment_qr_code_suspicious_components.yml --- ...tachment_qr_code_suspicious_components.yml | 90 ++++++++----------- 1 file changed, 35 insertions(+), 55 deletions(-) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index 53aad4d07b3..64404fd0c1f 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml 
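Review bot: The subject check in the QR-URL branch uses case-sensitive `regex.contains(subject.subject, "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)")` while the OCR checks beside it use `regex.icontains`, so subjects such as "ACTION REQUIRED" or "2FA" never match the lowercase alternatives; `regex.icontains(subject.subject, ...)` would make the list behave the way the "authentication/urgency verbiage" comment intends. Separately, the recipient-independent alternatives (empty body, subject verbiage) are nested inside the `any(recipients.to, …)` closure, so they can only fire when `recipients.to` is non-empty — a Bcc-only message skips them entirely; placing them as siblings of the `any(recipients.to, …)` term removes that hidden dependence. Later patches in this series replace the block, so this mainly matters if these conditions are ever reinstated.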
@@ -4,69 +4,49 @@ description: | type: "rule" severity: "high" source: | - type.inbound - and ( - any(attachments, - .file_type in $file_types_images - and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft")) - ) - or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft")) - ) + type.inbound + and 1 <= length(attachments) < 3 + + // Inspects image attachments for QR codes and any(attachments, .file_type in $file_types_images and ( any(file.explode(.), - regex.icontains(.scan.ocr.raw, 'scan|camera') - and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode') - ) - or ( - any(file.explode(.), - .scan.qr.type == "url" - // recipient email address is present in the URL, a common tactic used in credential phishing attacks - and any(recipients.to, - strings.icontains(..scan.qr.data, .email.email) - - // the recipients sld is in the senders display name - or any(recipients.to, - strings.icontains(sender.display_name, .email.domain.sld) - ) - - // the recipient local is in the body - or any(recipients.to, - strings.icontains(body.current_thread.text, .email.local_part) - ) - - // or the body is null - or body.current_thread.text is null - or body.current_thread.text == "" - - // or the subject contains authentication/urgency verbiage - or regex.contains(subject.subject, - "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)" - ) + .scan.qr.type == "url" + and ( + // pass the QR URL to LinkAnalysis + any([beta.linkanalysis(.scan.qr.url)], + .credphish.disposition == "phishing" + // any routing traverses via $suspicious_tld list + or any(.redirect_history, .domain.tld in $suspicious_tlds) + // effective destination in $suspicious_tld list + or .effective_url.domain.tld in $suspicious_tlds + // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters + or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters + // or any 
files downloaded are zips or executables + or any(.files_downloaded, + .file_extension in $file_extensions_common_archives + or .file_extension in $file_extensions_executables + ) + ) + or ( + // or the QR code's root domain is a url_shortener + .scan.qr.url.domain.root_domain in $url_shorteners + // exclude google maps + and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps') + ) + // the QR code url is a bing open redirect + or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a' + or ( + // usap-dc open redirect + .scan.qr.url.domain.root_domain == "usap-dc.org" + and .scan.qr.url.path =~ "/tracker" + and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http") ) - ) + ) ) ) ) - and ( - not any(headers.hops, - .authentication_results.compauth.verdict is not null - and .authentication_results.compauth.verdict == "pass" - and sender.email.domain.domain == "microsoft.com" - ) - ) - // unsolicited - and ( - ( - sender.email.domain.root_domain in $free_email_providers - and sender.email.email not in $recipient_emails - ) - or ( - sender.email.domain.root_domain not in $free_email_providers - and sender.email.domain.domain not in $recipient_domains - ) - ) attack_types: - "Credential Phishing" From c3bd2a155076c266aa0c899aa82cdf213e70883c Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 12:36:00 -0400 Subject: [PATCH 3/8] Update attachment_qr_code_suspicious_components.yml --- detection-rules/attachment_qr_code_suspicious_components.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index 64404fd0c1f..1d8edaa25b2 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml 
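Review bot: The new attachment-count gate `and 1 <= length(attachments) < 3` admits only one or two attachments, whereas the rule description (still present after PATCH 8/8) says "between 1-3 attachments"; either change the bound to `and 1 <= length(attachments) <= 3` or correct the description to 1-2. The bing open-redirect branch `or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'` is the only alternative in this `or` chain not wrapped in parentheses; grouping it like the `usap-dc.org` branch below it keeps the alternatives parallel and avoids relying on `and`/`or` precedence. The usap-dc check `strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")` depends on query-parameter order; `strings.icontains(.scan.qr.url.query_params, "url=http")` alongside the existing path match expresses the same indicator without that dependence.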
@@ -51,12 +51,14 @@ source: | attack_types: - "Credential Phishing" tactics_and_techniques: - - "Impersonation: Brand" - "QR code" - "Social engineering" detection_methods: - "Computer Vision" - "Header analysis" + - "Natural Language Understanding" - "QR code analysis" - "Sender analysis" + - "URL analysis" + - "URL screenshot" id: "ed0f772a-6543-5947-80d1-55a11ea63074" From 9d70b9bcfd5ecc17704d27b43172a086ef88e8bd Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 12:40:09 -0400 Subject: [PATCH 4/8] Update attachment_qr_code_suspicious_components.yml --- .../attachment_qr_code_suspicious_components.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index 1d8edaa25b2..e68d47bab9d 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml @@ -17,12 +17,16 @@ source: | // pass the QR URL to LinkAnalysis any([beta.linkanalysis(.scan.qr.url)], .credphish.disposition == "phishing" + // any routing traverses via $suspicious_tld list or any(.redirect_history, .domain.tld in $suspicious_tlds) + // effective destination in $suspicious_tld list or .effective_url.domain.tld in $suspicious_tlds + // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters + // or any files downloaded are zips or executables or any(.files_downloaded, .file_extension in $file_extensions_common_archives 
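Review bot: The added `detection_methods` entry `"Natural Language Understanding"` and the retained `"Header analysis"` are not backed by anything in the rule source as it stands after PATCH 2/8 — that version contains no NLU call and removed the only `headers.hops` check — so the taxonomy overstates what the rule does. `"Computer Vision"`, `"QR code analysis"`, `"Sender analysis"` (once PATCH 5/8 lands), `"URL analysis"` and `"URL screenshot"` (the last two presumably covered by `beta.linkanalysis`, which I infer rather than see) match the logic; the other two should be dropped unless a corresponding check is added.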
@@ -30,14 +34,18 @@ source: | ) ) or ( + // or the QR code's root domain is a url_shortener .scan.qr.url.domain.root_domain in $url_shorteners + // exclude google maps and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps') ) + // the QR code url is a bing open redirect or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a' or ( + // usap-dc open redirect .scan.qr.url.domain.root_domain == "usap-dc.org" and .scan.qr.url.path =~ "/tracker" From bfee484519f18b09a360b9f5fb7f26907321a120 Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 12:51:02 -0400 Subject: [PATCH 5/8] Update attachment_qr_code_suspicious_components.yml --- .../attachment_qr_code_suspicious_components.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index e68d47bab9d..f42e0d0b367 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml @@ -56,6 +56,17 @@ source: | ) ) + // first time sender + and ( + ( + sender.email.domain.root_domain in $free_email_providers + and sender.email.email not in $sender_emails + ) + or ( + sender.email.domain.root_domain not in $free_email_providers + and sender.email.domain.domain not in $sender_domains + ) + ) attack_types: - "Credential Phishing" tactics_and_techniques: From 1a984c4c46b28dde700b3b098d5828c9ec540a7b Mon Sep 17 00:00:00 2001 From: Sam Scholten Date: Thu, 28 Sep 2023 13:00:07 -0400 Subject: [PATCH 6/8] Update attachment_qr_code_suspicious_components.yml removing dupe id --- detection-rules/attachment_qr_code_suspicious_components.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index f42e0d0b367..26a9ade86b3 100644 
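Review bot: The new `// first time sender` gate is an `and` on the whole rule, so a QR lure relayed from an already-seen sender (for example a compromised known account) is never flagged here, and nothing in the hunk records that this is deliberate; a one-line comment above the block such as `// first time sender: messages from senders already in $sender_emails / $sender_domains are intentionally out of scope for this rule` would make the trade-off explicit for whoever tunes it. The two branches also compare at different granularity — full address for free-mail providers, `sender.email.domain.domain` otherwise — so a known vendor writing from a new subdomain counts as first-time; if that is not intended, `sender.email.domain.domain not in $sender_domains` could become `sender.email.domain.root_domain not in $sender_domains`, assuming `$sender_domains` is maintained at root-domain level (not visible here). The enclosing `source:` block starts outside the hunk.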
--- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml @@ -80,4 +80,3 @@ detection_methods: - "Sender analysis" - "URL analysis" - "URL screenshot" -id: "ed0f772a-6543-5947-80d1-55a11ea63074" From 62ec140876073d38dce723a27c8a3f6ddf4bc605 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Thu, 28 Sep 2023 17:01:48 +0000 Subject: [PATCH 7/8] Auto add rule ID --- detection-rules/attachment_qr_code_suspicious_components.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index 26a9ade86b3..18a0b60795f 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml @@ -80,3 +80,4 @@ detection_methods: - "Sender analysis" - "URL analysis" - "URL screenshot" +id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322" From 8d5c4cc4377caad9c7f7d03393ac4158054b8ff1 Mon Sep 17 00:00:00 2001 From: Josh Kamdjou Date: Thu, 28 Sep 2023 13:02:25 -0400 Subject: [PATCH 8/8] Update attachment_qr_code_suspicious_components.yml --- detection-rules/attachment_qr_code_suspicious_components.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/attachment_qr_code_suspicious_components.yml b/detection-rules/attachment_qr_code_suspicious_components.yml index 18a0b60795f..bb2a94dfca4 100644 --- a/detection-rules/attachment_qr_code_suspicious_components.yml +++ b/detection-rules/attachment_qr_code_suspicious_components.yml 
@@ -1,6 +1,6 @@ name: "Attachment: QR code with credential phishing indicators" description: | - Detects messages with between 1-3 attachments, that contain a QR code with multiple conditional checks. LinkAnalysis credential phishing conclusion, or the QR code url traverses suspicious infrastructure, or the final destination is in URLhaus, or downloads a zip or executable, or the leverages url shorteners or known QR abused openredirects. + Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more. type: "rule" severity: "high" source: |