Sync from PR#679

Adding extension-less Office file snippet by @aidenmitchell #679 Source SHA 7628945 Triggered by @morriscode
sublime-security · Nov 21, 2023 · 387dacd · 387dacd
1 parent 5195be1
commit 387dacd
Show file tree

Hide file tree

Showing 15 changed files with 629 additions and 0 deletions.
diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
@@ -0,0 +1,39 @@
+name: "Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability"
+description: |
+  Attachment contains an RTF file with a font table defining an excessive number of fonts, used to exploit CVE-2023-21716.
+references:
+  - "https://delivr.to/payloads?id=0a465e03-82a7-42c1-9ded-b0b6b046c86d"
+  - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716"
+  - "https://twitter.com/jduck/status/1632471544935923712"
+  - "https://github.com/gyaansastra/CVE-2023-21716"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("rtf", "doc", "docx")
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and any(file.explode(.),
+                  any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
+                  and length(filter(.scan.strings.strings, strings.ilike(., '{\f*;}'))) > 10000
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Exploit"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+id: "23714cca-f0c6-5fa5-a68b-98c9d60a508d"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -0,0 +1,43 @@
+name: "Attachment: Encrypted Microsoft Office file (unsolicited)"
+description: |
+  Encrypted OLE2 (eg Microsoft Office) attachment from an unsolicited sender. Attachment encryption is a common technique used to bypass malware scanning products.
+  Use if receiving encrypted attachments is not normal behavior in your environment.
+references:
+  - "https://www.cyren.com/blog/articles/anatomy-of-an-attack-password-protected-files-attached-to-emails"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and file.oletools(.).indicators.encryption.exists
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Macros"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "OLE analysis"
+  - "Sender analysis"
+id: "1e47e953-576c-5ba9-b84e-b72a1a89de87"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml
@@ -0,0 +1,61 @@
+name: "Attachment: Office Document with VSTO Add-in"
+description: |
+  Recursively scans files and archives to detect Office documents with VSTO Add-ins.
+type: "rule"
+references:
+  - "https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010"
+severity: "high"
+authors:
+  - twitter: "vector_sec"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
+          )
+          and any(file.explode(.),
+                  .file_extension in~ (
+                    "doc",
+                    "docm",
+                    "docx",
+                    "dot",
+                    "dotm",
+                    "xls",
+                    "xlsx",
+                    "xlsm",
+                    "xlm",
+                    "xlsb",
+                    "xlt",
+                    "xltm",
+                    "ppt",
+                    "pptx",
+                    "pptm",
+                    "ppsm"
+                  )
+                  and any(.scan.exiftool.fields,
+                          .key == "Tag_AssemblyLocation" and strings.ilike(.value, "*.vsto*")
+                          and not strings.ilike(.value, 'C:\Program Files*')
+                  )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "Exif analysis"
+  - "File analysis"
+  - "Sender analysis"
+  - "URL analysis"
+id: "27afa730-6dd5-58ec-9deb-ed5170de210d"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml
@@ -0,0 +1,37 @@
+name: "Attachment: Office document loads remote document template"
+description: |
+  Recursively scans archives and Office documents to detect remote document template injection.
+references:
+  - "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            (
+              // office files
+              .file_extension in~ $file_extensions_macros
+              or .file_extension in~ $file_extensions_common_archives
+              or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
+            )
+            and any(file.explode(.),
+                    .flavors.mime == "text/xml"
+                    and any(.scan.strings.strings, regex.icontains(., ".*Target.*http.*dotm.*"))
+            )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "URL analysis"
+id: "d9601104-c330-5995-9fae-4d30b969c081"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
@@ -0,0 +1,45 @@
+name: "Attachment: Potential Sandbox Evasion in Office File"
+description: |
+  Scans attached files with known Office file extension, and alerts on the presence of strings indicative of sandbox evasion checks.
+
+  Malicious code may carry out checks against the local host (e.g. running processes, disk size, domain-joined status) before running its final payload.
+references:
+  - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/tree/main/src/SandBoxEvasion"
+  - "https://delivr.to/payloads?id=6e8d282b-7608-4720-9277-fd4ba750aa9c"
+type: "rule"
+authors:
+  - twitter: "ajpc500"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and any(file.explode(.),
+                  1 of (
+                    any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),
+                    any(.scan.strings.strings, strings.ilike(., "*Win32_LogicalDisk*")),
+                    any(.scan.strings.strings, strings.ilike(., "*Win32_ComputerSystem*")),
+                    any(.scan.strings.strings, strings.ilike(., "*Win32_Process*")),
+                    any(.scan.strings.strings, strings.ilike(., "*LDAP://RootDSE*"))
+                  )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "Macros"
+detection_methods:
+  - "File analysis"
+  - "Macro analysis"
+id: "1c591681-3f02-5d1e-be08-fc1e6793c68b"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
@@ -0,0 +1,40 @@
+name: "Attachment: Macro with Suspected Use of COM ShellBrowserWindow Object for Process Creation"
+description: |
+  Macro references the ShellBrowserWindow COM object which can be used to spawn new processes from Explorer.exe rather than as a child process of the Office application. This can be useful for a threat actor attempting to evade security controls.
+references:
+  - "https://blog.f-secure.com/dechaining-macros-and-evading-edr/"
+  - "https://delivr.to/payloads?id=0db5ac46-b59d-4bec-8252-59a40a0d9dec"
+type: "rule"
+authors:
+  - twitter: "ajpc500"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and any(file.explode(.),
+                  any(.scan.strings.strings,
+                      strings.ilike(., "*new:C08AFD90-F2A1-11D1-8455-00A0C91F3880*")
+                  )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+  - "Scripting"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Macro analysis"
+id: "527fc7f0-2750-57e2-bf2f-fbfea88b1004"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -0,0 +1,46 @@
+name: "Attachment soliciting user to enable macros"
+description: |
+  Recursively scans files and archives to detect documents that ask the
+  user to enable macros, including if that text appears within an embedded image.
+references:
+  - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and any(file.explode(.),
+                  strings.ilike(.scan.ocr.raw, "*please*enable*macros")
+                  or any(.scan.strings.strings, strings.ilike(., "*please enable macros*"))
+          )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Macro analysis"
+  - "Optical Character Recognition"
+  - "Sender analysis"
+id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -0,0 +1,38 @@
+name: "Attachment: Suspicious VBA macros from first-time sender"
+description: |
+  Detects any VBA macro attachment that scores above a medium confidence threshold in the Sublime Macro Classifier.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
+          and ml.macro_classifier(.).malicious
+          and ml.macro_classifier(.).confidence in ("high")
+  )
+  and (
+    profile.by_sender().prevalence in ("new", "outlier")
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_false_positives
+    )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Macros"
+detection_methods:
+  - "File analysis"
+  - "Macro analysis"
+  - "Sender analysis"
+id: "37cec120-2757-5e99-a489-1315780dae08"
+testing_pr: 679
+testing_sha: 762894502b2b43e0f80c2f49fe85b09fa3c4c304