Update link_download_suspicious_file.yml (#2074)

sublime-security · Oct 31, 2024 · e71063a · e71063a
1 parent c1c88d8
commit e71063a
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
@@ -29,8 +29,15 @@ source: |
                   )
                   // for both non-encrypted zips and encrypted zips
                   // that were successfully cracked
-                  or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe")
+                  or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
                   or strings.ilike(.file_name, "*.exe")
+                  or (
+                    .file_extension not in ("dll", "exe")
+                    and (
+                      .flavors.mime in ("application/x-dosexec")
+                      or any(.flavors.yara, . in ('mz_file'))
+                    )
+                  )
               )
               and not (
                 ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"