From 6bc92f90980188e83c471ba2a17a6861659fa614 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 20 Sep 2023 15:11:21 -0400
Subject: [PATCH] Update attachment_html_recipient_in_javascript_identifiers.yml

Fixing issue where the rule would fail to flag if the recipient and the javascript terms were found in separate exploded pieces of the same file.
---
 ...ent_html_recipient_in_javascript_identifiers.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
index 849592d655b..1e6167c7cf1 100644
--- a/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
+++ b/detection-rules/attachment_html_recipient_in_javascript_identifiers.yml
@@ -7,7 +7,7 @@ source: |
 type.inbound
 and any(attachments,
 (
- .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
 or (
 .file_extension is null
 and .file_type == "unknown"
@@ -16,13 +16,18 @@ source: |
 )
 or .file_extension in~ $file_extensions_common_archives
 or .file_type == "html"
+ or .content_type == "text/html"
 )
 and any(file.explode(.),
 // suspicious identifiers
- any(.scan.javascript.identifiers, strings.like(., "atob", "decrypt"))
+ any([.scan.strings.strings, .scan.javascript.identifiers],
+ any(., strings.like(., "*atob*", "*decrypt*"))
+ )
 // Recipients address found in javascript
- and any(recipients.to,
- any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ and any(file.explode(..),
+ any(recipients.to,
+ any(..scan.javascript.strings, strings.icontains(., ..email.email))
+ )
 )
 )
 )
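Review bot: In the second hunk, the new `and any(file.explode(..), ...)` sits inside the outer `any(file.explode(.), ...)`, so the attachment is re-exploded once for every exploded piece, and the inner recipient check references only `..` (the re-exploded piece) and the recipient, never the outer piece, which makes the nesting read as a relationship between the two matches that does not exist. Because the inner condition is independent of the outer piece, the nested form appears logically equivalent to two sibling `any(file.explode(.), ...)` clauses joined with `and`, which states the decoupling the commit message describes directly and avoids the repeated explode (assuming exploding the same attachment twice yields the same pieces). A comment above the second clause such as `// the recipient match may occur in a different exploded piece than the identifier match` would keep the intent visible to the next maintainer. Separately, widening the identifier check to `.scan.strings.strings` with `*atob*`/`*decrypt*` wildcards now matches any extracted file string containing those substrings rather than JavaScript identifiers, a broadening the rule's name no longer reflects and that the rule's description (outside the hunk) should probably mention. The `source: |` block these hunks belong to starts outside the hunk.
```yaml
          and any(file.explode(.),
                  // suspicious identifiers
                  any([.scan.strings.strings, .scan.javascript.identifiers],
                      any(., strings.like(., "*atob*", "*decrypt*"))
                  )
          )
          // Recipients address found in javascript
          // (may occur in a different exploded piece than the identifier match)
          and any(file.explode(.),
                  any(recipients.to,
                      any(..scan.javascript.strings, strings.icontains(., ..email.email))
                  )
          )
          // … unchanged: closing of any(attachments, …) …
```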