Update and rename steam-getsiteconfig.yml to steam-732d40f3.yml
Modify detection logic to use more robust flags
IlluminatiFish authored May 20, 2024
1 parent 0d992df commit cb18c20
Showing 2 changed files with 29 additions and 29 deletions.
29 changes: 29 additions & 0 deletions indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
title: Steam Phishing Kit 732d40f3
description: |
Detects Steam phishing pages that obtain their template
configuration from `/api/getsiteconfig`
references:
- https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
- https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
- https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
- https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
- https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
- https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
- https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118

detection:

siteConfiguration:
requests|contains: "/api/getsiteconfig/"

loadedIFrame:
dom|contains: '<iframe id="iframe" title="main" name="site" style="height: 0px; width: 0px; border: 0px; outline: none; z-index: 1000;"></iframe>'

footerMessage:
dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'

condition: siteConfiguration and loadedIFrame and footerMessage

tags:
- target.steam
- threat_actor_country.russia
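
Review bot: The `siteConfiguration` selector matches `requests|contains: "/api/getsiteconfig/"` with a trailing slash, while the description names the endpoint as `/api/getsiteconfig`. If the kit requests the path without the trailing slash, or with a query string directly after the name, this selector does not fire, and because the condition is `siteConfiguration and loadedIFrame and footerMessage` the whole rule misses. Consider matching on "/api/getsiteconfig", or align the description with the exact path seen in the referenced scans. The `dom|contains` values in `loadedIFrame` and `footerMessage` are whole elements including the full inline style, so any change in whitespace or attribute order in the template breaks them; a shorter distinctive substring (for example the `Support Assets` font-family part) would hold up better. The `threat_actor_country.russia` tag has no basis stated in the description, so a sentence on what supports the attribution would help.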
29 changes: 0 additions & 29 deletions indicators/steam-getsiteconfig.yml

This file was deleted.