From a86e9f4566f98e1c3d0dff12ddd5033497930b71 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 09:07:22 +0100
Subject: [PATCH] Update roblox-phishing-8l0pamh6.yml Minor description and detection field names fixes
---
 indicators/roblox-phishing-8l0pamh6.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/indicators/roblox-phishing-8l0pamh6.yml b/indicators/roblox-phishing-8l0pamh6.yml
index 2aa88395..36f676ec 100644
--- a/indicators/roblox-phishing-8l0pamh6.yml
+++ b/indicators/roblox-phishing-8l0pamh6.yml
@@ -1,9 +1,10 @@
 title: Roblox Phishing Kit 8l0pamh6
 description: |
- Detects Roblox phishing sites using a roblox body id and cdn.
- Usually at /controlPage/create you can create a "Beaming link".
- Often spread trough discord.
-
+ Detects Roblox phishing sites using a Roblox specific strings
+ within the DOM.
+
+ Usually at /controlPage/create you can create a "Beaming link"
+ These are often spread through Discord to victims.
 references:
 - https://www.youtube.com/watch?v=lUL2vgyhsw4
 - https://urlscan.io/result/c716b820-174e-4211-9c09-4663b4a7e47d/
@@ -13,19 +14,19 @@ references:
 detection:
- realdomain:
+ realDomains:
 hostname|endswith:
 - .roblox.com
 - .rbxcdn.com
- rbxbodyid:
+ rbxBodyId:
 dom|contains: body id="rbx-body"
- rbxcdn:
+ rbxCDN:
 dom|contains: rbxcdn
-
- condition: rbxcdn and rbxbodyid and not realdomain
+
+ condition: rbxCDN and rbxBodyId and not realDomains
 tags:
 - kit
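Review bot: The reworded description in the first hunk reads "using a Roblox specific strings", which pairs a singular article with a plural noun. The added line ending in `"Beaming link"` also lost its full stop, so it runs into the following sentence when the block scalar is displayed. I would write `Detects Roblox phishing sites using Roblox-specific strings within the DOM.` and end the later line with `"Beaming link".`.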
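Review bot: The `realDomains` exclusion renamed in the second hunk still matches `hostname|endswith` against `.roblox.com` and `.rbxcdn.com`, both with a leading dot. If the matcher does a plain suffix comparison, a bare `roblox.com` or `rbxcdn.com` hostname would not be excluded. A genuine page served from an apex could then satisfy `rbxCDN and rbxBodyId and not realDomains` and be reported as a kit hit. Unless the engine handles the apex implicitly, add a separate exact-match selection for the two apex names (a field list inside `realDomains` would presumably be ANDed with the suffix test) and reference it as a second `not` in the condition, for example `condition: rbxCDN and rbxBodyId and not realDomains and not realApex`, where `realApex` is a suggested name. A comment above the selection stating why the legitimate hosts are excluded would also help the next editor.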