New Rule: Malware: Pikabot URL (#1166)

detection-rules/link_pikabot_malware.yml

@@ -0,0 +1,53 @@
+name: "Malware: Pikabot delivery via URL auto-download"
+description: "This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(body.links, regex.contains(.display_url.url, '[A-Za-z0-9]\/\?[0-9]+$'))
+  and (
+    any(body.links,
+        .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
+    )
+    or any(body.links,
+           any(beta.linkanalysis(., mode="aggressive").files_downloaded,
+               .file_extension in~ $file_extensions_common_archives
+               and (
+                 any(file.explode(.),
+                     .file_extension =~ "js"
+                     or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
+                 )
+               )
+           )
+    )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+            strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+
+  and (
+    not profile.by_sender().solicited
+    or profile.by_sender().any_messages_malicious_or_spam
+  )
+tags:
+  - "Malfam: Pikabot"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Threat intelligence"
+  - "URL analysis"
+id: "f4be4572-82dc-5229-81ad-bd9fc9d6b673"