Create link_youtube_user_info_excessive_padding.yml by @morriscode #2297 Source SHA 9adcbe1 Triggered by @morriscode
Sublime Rule Testing Bot
committed
Jan 10, 2025
1 parent
39dbf66
commit 9dc2646
Showing
1 changed file
with
15 additions
and
0 deletions.
15 changes: 15 additions & 0 deletions
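--- a/detection-rules/link_youtube_user_info_excessive_padding.yml
+++ b/detection-rules/link_youtube_user_info_excessive_padding.yml
@@ -0,0 +1,15 @@
+name: "Link: Obfuscation via YouTube.com user info with excessive URL padding"
+description: "Identifies instances where a malicious actor leverages YouTube's domain name as a username in a URL, while the actual root domain leads elsewhere. The URL is further obfuscated using excessive URL-encoded spaces (%20) to hide the true destination in preview windows."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(body.links) < 100\nand any(body.links,\n (\n // Detects cases where the URL starts with youtube.com but the root domain is not youtube.com.\n // A browser will interpret the URL as directing to malicious-site.com, ignoring youtube.com entirely\n // because everything before the @ symbol is treated as a username.\n (\n regex.match(.href_url.url,\n 'https?:\\/\\/(?:www\\.)?youtube.com.*'\n ) // Matches URLs starting with youtube.com\n or .href_url.username == \"youtube.com\" // Checks if youtube.com is used as a username\n )\n and .href_url.domain.root_domain != \"youtube.com\" // Verifies that the actual root domain is not youtube.com\n\n // Detects excessive padding (e.g., %20) used to obfuscate the malicious portion of the URL.\n // Padding forces the malicious portion to be hidden in truncated previews (e.g., in email clients or chat apps).\n \n and strings.count(.href_url.url, \"%20\") > 30 // Flags URLs with more than 30 URL-encoded spaces\n )\n)\n"
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Evasion"
+- "Impersonation: Brand"
+detection_methods:
+- "URL analysis"
+id: "91b7b09a-f353-533c-a4b5-f15af3b1eb63"
+testing_pr: 2297
+testing_sha: 9adcbe142c4fe62dd10eb51aa658d7fdb4fcd4a2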
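Review bot: The `.` in `youtube.com` inside the `regex.match` pattern on the `source:` line is unescaped, so the alternative also fires for hosts like `youtubeXcom` with any character in that position; in the YAML-quoted form the pattern should read `'https?:\\/\\/(?:www\\.)?youtube\\.com.*'`. The description and the inline comment frame the rule as detecting youtube.com used as a URL username, but only the `.href_url.username` branch requires that; the regex branch matches any URL whose host text begins with youtube.com while the root domain differs, so either the comment above the regex should say that it also covers that broader lookalike case or the branch should be tightened to what the description states. Since the regex alternative never inspects the `@`, consider noting in the description that matches from that branch may not involve user-info at all.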