From e71063ad0b09641e8653f4cc32f2ebee7df1d3dc Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 31 Oct 2024 15:37:03 -0500
Subject: [PATCH] Update link_download_suspicious_file.yml (#2074)
---
detection-rules/link_download_suspicious_file.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_download_suspicious_file.yml b/detection-rules/link_download_suspicious_file.yml
index 5dda05ac12d..ee6c2e72cee 100644
--- a/detection-rules/link_download_suspicious_file.yml
+++ b/detection-rules/link_download_suspicious_file.yml
@@ -29,8 +29,15 @@ source: |
 )
 // for both non-encrypted zips and encrypted zips
 // that were successfully cracked
- or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe")
+ or .file_extension in ("dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe", "bat")
 or strings.ilike(.file_name, "*.exe")
+ or (
+ .file_extension not in ("dll", "exe")
+ and (
+ .flavors.mime in ("application/x-dosexec")
+ or any(.flavors.yara, . in ('mz_file'))
+ )
+ )
 )
 and not (
 ml.link_analysis(..).effective_url.domain.root_domain == "zoom.us"
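Review bot: The new `or (` clause carries no comment saying what it is meant to catch, while the neighbouring conditions in the hunk are annotated; a one-line comment above `or (` such as `// PE/MZ content (by MIME type or yara flavor) whose extension does not say executable` would make the intent of the `.flavors` checks readable to the next maintainer. The `.file_extension not in ("dll", "exe")` guard looks redundant: those two extensions already satisfy the `.file_extension in (...)` list two lines above, and the branches are joined by `or`, so the guard only narrows a case that is already matched; keeping it is harmless, but if it is deliberate (e.g. to keep this branch's hit count meaningful during tuning) that deserves a short comment. Quoting is also inconsistent within the clause, since `'mz_file'` uses single quotes where every other literal in the hunk uses double quotes; `or any(.flavors.yara, . in ("mz_file"))` would match the surrounding style. The enclosing `source` block starts and ends outside the hunk.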