Adding extension-less Office file snippet (#679)

sublime-security · Dec 19, 2023 · fa11a71 · fa11a71
1 parent e75cdde
commit fa11a71
Show file tree

Hide file tree

Showing 15 changed files with 111 additions and 26 deletions.
diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
@@ -15,6 +15,12 @@ source: |
             .file_extension in~ ("rtf", "doc", "docx")
             or .file_extension in~ $file_extensions_common_archives
             or .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
           )
           and any(file.explode(.),
                   any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))

diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -9,7 +9,15 @@ severity: "medium"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ $file_extensions_macros
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
           and file.oletools(.).indicators.encryption.exists
   )
   and (

diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml
@@ -13,6 +13,12 @@ source: |
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
           )
           and any(file.explode(.),
                   .file_extension in~ (

diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml
@@ -13,6 +13,12 @@ source: |
               // office files
               .file_extension in~ $file_extensions_macros
               or .file_extension in~ $file_extensions_common_archives
+              or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
             )
             and any(file.explode(.),
                     .flavors.mime == "text/xml"

diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
@@ -13,7 +13,15 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ $file_extensions_macros
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
           and any(file.explode(.),
                   1 of (
                     any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),

diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
@@ -11,26 +11,14 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ (
-            // MS Word
-            "doc",
-            "docm",
-            "docx",
-            "dot",
-            "dotm",
-            // MS Excel
-            "xls",
-            "xlsx",
-            "xlsm",
-            "xlm",
-            "xlsb",
-            "xlt",
-            "xltm",
-            // MS PowerPoint
-            "ppt",
-            "pptx",
-            "pptm",
-            "ppsm"
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
           )
           and any(file.explode(.),
                   any(.scan.strings.strings,

diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -12,6 +12,12 @@ source: |
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
           )
           and any(file.explode(.),
                   strings.ilike(.scan.ocr.raw, "*please*enable*macros")

diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -6,7 +6,15 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ $file_extensions_macros
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+            )
+          )
           and ml.macro_classifier(.).malicious
           and ml.macro_classifier(.).confidence in ("high")
   )

diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -10,7 +10,15 @@ severity: "medium"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ $file_extensions_macros
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                  .file_extension is null
+                  and .file_type == "unknown"
+                  and .content_type == "application/octet-stream"
+                  and .size < 100000000
+            )
+          )
           and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
   )
   and (

diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -11,6 +11,12 @@ source: |
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
           )
           and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen"))
   )

diff --git a/detection-rules/attachment_vba_macro_calling_executable.yml b/detection-rules/attachment_vba_macro_calling_executable.yml
@@ -13,6 +13,12 @@ source: |
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
           )
           and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
   )

diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml
@@ -17,6 +17,12 @@ source: |
           (
             .file_extension in~ $file_extensions_macros
             or .file_extension in~ $file_extensions_common_archives
+            or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
           )
           and file.oletools(.).indicators.vba_macros.exists
   )

diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml
@@ -8,7 +8,15 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension in~ $file_extensions_macros
+          (
+            .file_extension in~ $file_extensions_macros
+            or (
+                  .file_extension is null
+                  and .file_type == "unknown"
+                  and .content_type == "application/octet-stream"
+                  and .size < 100000000
+            )
+          )
           and file.oletools(.).indicators.vba_macros.risk == "high"
   )
   and (

diff --git a/detection-rules/cve_2021_40444_external_relationship.yml b/detection-rules/cve_2021_40444_external_relationship.yml
@@ -18,7 +18,16 @@ source: |
   type.inbound
   and any(attachments,
           (
-            (.file_extension in~ $file_extensions_macros or .file_extension =~ "rtf")
+            (
+              .file_extension in~ $file_extensions_macros 
+              or .file_extension =~ "rtf"
+              or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+              )
+            )
             and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
           )
           or (

diff --git a/detection-rules/impersonation_wise_suspicious_attachment.yml b/detection-rules/impersonation_wise_suspicious_attachment.yml
@@ -15,6 +15,12 @@ source: |
           or .file_type in $file_extensions_executables
           or .file_type in $file_extensions_macros
           or .file_type in ("lz")
+          or (
+                .file_extension is null
+                and .file_type == "unknown"
+                and .content_type == "application/octet-stream"
+                and .size < 100000000
+          )
   )
   and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs')
 attack_types: