Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New rule: attachment_fake_zoom_installer.yml #838

Merged
merged 5 commits into from
Oct 19, 2023
Merged

New rule: attachment_fake_zoom_installer.yml #838

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
795a79d
New rule: attachment_fake_zoom_installer.yml
aidenmitchell Oct 3, 2023
3ca3798
Update attachment_fake_zoom_installer.yml
aidenmitchell Oct 17, 2023
bbb736a
Merge branch 'main' into patch-56
morriscode Oct 17, 2023
ddb151c
Auto add rule ID
Oct 17, 2023
dbd9000
Merge branch 'main' into patch-56
morriscode Oct 19, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 62 additions & 0 deletions detection-rules/attachment_fake_zoom_installer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
name: "Attachment: Fake Zoom installer"
description: |
HTML attachment contains a Zoom logo, request language, and a link to an executable. Observed in the wild.
type: "rule"
severity: "high"
source: |
type.inbound
and (
any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(.),
any(ml.logo_detect(file.html_screenshot(..)).brands,
.name == "Zoom" and .confidence in ("medium", "high")
)
and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
.name == "request" and .text =~ "download"
)
and any(.scan.url.urls,
strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
)
)
)
or any(attachments,
(.file_extension in~ $file_extensions_common_archives)
and any(file.explode(.),
(
.file_extension in~ ("html", "htm", "shtml", "dhtml")
or ..file_type == "html"
or ..content_type == "text/html"
)
and any(ml.logo_detect(file.html_screenshot(..)).brands,
.name == "Zoom" and .confidence in ("medium", "high")
)
and any(ml.nlu_classifier(file.parse_html(..).display_text).entities,
.name == "request" and .text =~ "download"
)
and any(.scan.url.urls,
strings.iends_with(.path, ".exe") and .domain.root_domain not in $org_domains
)
)
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "HTML smuggling"
- "Impersonation: Brand"
- "Scripting"
- "Social engineering"
detection_methods:
- "Archive analysis"
- "Computer Vision"
- "File analysis"
- "HTML analysis"
- "Natural Language Understanding"
- "URL analysis"
id: "840a12a6-a796-5e73-b975-1d1b5f745aea"
Loading