diff --git a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
index 26f9c8d15bf..287d904f307 100644
--- a/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
+++ b/detection-rules/attachment_cve_2023_21716_rtf_fonts.yml
@@ -15,6 +15,12 @@ source: |
 .file_extension in~ ("rtf", "doc", "docx")
 or .file_extension in~ $file_extensions_common_archives
 or .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.),
 any(.scan.strings.strings, strings.ilike(., '*\fonttbl*'))
diff --git a/detection-rules/attachment_encrypted_ole_unsolicited.yml b/detection-rules/attachment_encrypted_ole_unsolicited.yml
index 5ff81403b9c..48e17d88edc 100644
--- a/detection-rules/attachment_encrypted_ole_unsolicited.yml
+++ b/detection-rules/attachment_encrypted_ole_unsolicited.yml
@@ -9,7 +9,15 @@ severity: "medium"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ $file_extensions_macros
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and file.oletools(.).indicators.encryption.exists
 )
 and (
diff --git a/detection-rules/attachment_office_file_with_vsto.yml b/detection-rules/attachment_office_file_with_vsto.yml
index 9aff7756fcf..ae047267106 100644
--- a/detection-rules/attachment_office_file_with_vsto.yml
+++ b/detection-rules/attachment_office_file_with_vsto.yml
@@ -13,6 +13,12 @@ source: |
 (
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.),
 .file_extension in~ (
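Review bot: The fallback clause `.file_extension is null and .file_type == "unknown" and .content_type == "application/octet-stream" and .size < 100000000` is pasted verbatim into each of the fifteen rules in this commit (the two other hunks on this line and every hunk that follows), so any later tuning of the threshold or of the conditions has to be repeated in fifteen places; if the rule language allows a shared list or expression alongside `$file_extensions_macros`, that would be the place for it, otherwise a one-line comment at each site would at least name the intent. The literal `100000000` carries no unit or rationale; suggest `// extensionless octet-stream blobs; size presumably in bytes (~100 MB) — confirm` above the `.size` line. The clause fires only when the extension is `null`; if the platform ever reports a missing extension as an empty string rather than `null`, that branch is skipped, which is worth confirming against the field's definition. The enclosing `any(attachments, ...)` starts before this hunk.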
diff --git a/detection-rules/attachment_office_remote_doc_template.yml b/detection-rules/attachment_office_remote_doc_template.yml
index d4a2ab9d6b3..aa89657903d 100644
--- a/detection-rules/attachment_office_remote_doc_template.yml
+++ b/detection-rules/attachment_office_remote_doc_template.yml
@@ -13,6 +13,12 @@ source: |
 // office files
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.),
 .flavors.mime == "text/xml"
diff --git a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
index 45adb180705..2ddd08714ef 100644
--- a/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
+++ b/detection-rules/attachment_potential_sandbox_evasion_in_office_file.yml
@@ -13,7 +13,15 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ $file_extensions_macros
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and any(file.explode(.),
 1 of (
 any(.scan.strings.strings, strings.ilike(., "*Win32_Processor*")),
diff --git a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
index 61ba3240bfc..090d0c925ad 100644
--- a/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
+++ b/detection-rules/attachment_shellbrowserwindow_com_object_in_macro.yml
@@ -11,26 +11,14 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ (
- // MS Word
- "doc",
- "docm",
- "docx",
- "dot",
- "dotm",
- // MS Excel
- "xls",
- "xlsx",
- "xlsm",
- "xlm",
- "xlsb",
- "xlt",
- "xltm",
- // MS PowerPoint
- "ppt",
- "pptx",
- "pptm",
- "ppsm"
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.),
 any(.scan.strings.strings,
diff --git a/detection-rules/attachment_soliciting_enable_macros.yml b/detection-rules/attachment_soliciting_enable_macros.yml
index c502919588b..4f7a5dd1907 100644
--- a/detection-rules/attachment_soliciting_enable_macros.yml
+++ b/detection-rules/attachment_soliciting_enable_macros.yml
@@ -12,6 +12,12 @@ source: |
 (
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.),
 strings.ilike(.scan.ocr.raw, "*please*enable*macros")
diff --git a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
index 5cc38d278ec..dc368521da4 100644
--- a/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
+++ b/detection-rules/attachment_suspicious_vba_macro_first_time_sender.yml
@@ -6,7 +6,15 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ $file_extensions_macros
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and ml.macro_classifier(.).malicious
 and ml.macro_classifier(.).confidence in ("high")
 )
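Review bot: Replacing the twenty-entry inline extension list with `$file_extensions_macros` in the shellbrowserwindow rule changes this rule's scope by whatever the shared list adds or lacks relative to the removed entries (`doc` through `ppsm`), and nothing in the hunk records that the two were compared; a `// replaced the inline Office extension list with the shared $file_extensions_macros` comment, or a line in the commit message, would make the intent explicit. The shared list's contents are not visible here, so whether an entry such as `xlm` or `ppsm` was silently dropped can only be checked against the variable's definition. The `any(attachments, ...)` expression continues past the end of this hunk.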
diff --git a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
index 8cc39d8b582..b881b899d14 100644
--- a/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_exec_unsolicited.yml
@@ -10,7 +10,15 @@ severity: "medium"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ $file_extensions_macros
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and any(file.oletools(.).macros.keywords, .type =~ "autoexec")
 )
 and (
diff --git a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
index 7bbe7543329..52532af3c61 100644
--- a/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
+++ b/detection-rules/attachment_vba_macro_auto_open_unsolicited.yml
@@ -11,6 +11,12 @@ source: |
 (
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.), any(.scan.vba.auto_exec, . == "AutoOpen"))
 )
diff --git a/detection-rules/attachment_vba_macro_calling_executable.yml b/detection-rules/attachment_vba_macro_calling_executable.yml
index afea6b087aa..ae922dd6780 100644
--- a/detection-rules/attachment_vba_macro_calling_executable.yml
+++ b/detection-rules/attachment_vba_macro_calling_executable.yml
@@ -13,6 +13,12 @@ source: |
 (
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
 )
diff --git a/detection-rules/attachment_vba_macro_employee_impersonation.yml b/detection-rules/attachment_vba_macro_employee_impersonation.yml
index ac8d8b2fbba..d58757c84a2 100644
--- a/detection-rules/attachment_vba_macro_employee_impersonation.yml
+++ b/detection-rules/attachment_vba_macro_employee_impersonation.yml
@@ -17,6 +17,12 @@ source: |
 (
 .file_extension in~ $file_extensions_macros
 or .file_extension in~ $file_extensions_common_archives
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and file.oletools(.).indicators.vba_macros.exists
 )
diff --git a/detection-rules/attachment_vba_macro_high_risk.yml b/detection-rules/attachment_vba_macro_high_risk.yml
index 8b9ab322c5e..fa40f49ff44 100644
--- a/detection-rules/attachment_vba_macro_high_risk.yml
+++ b/detection-rules/attachment_vba_macro_high_risk.yml
@@ -8,7 +8,15 @@ severity: "high"
 source: |
 type.inbound
 and any(attachments,
- .file_extension in~ $file_extensions_macros
+ (
+ .file_extension in~ $file_extensions_macros
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and file.oletools(.).indicators.vba_macros.risk == "high"
 )
 and (
diff --git a/detection-rules/cve_2021_40444_external_relationship.yml b/detection-rules/cve_2021_40444_external_relationship.yml
index f7b83ff077b..c88e861f50d 100644
--- a/detection-rules/cve_2021_40444_external_relationship.yml
+++ b/detection-rules/cve_2021_40444_external_relationship.yml
@@ -18,7 +18,16 @@ source: |
 type.inbound
 and any(attachments,
 (
- (.file_extension in~ $file_extensions_macros or .file_extension =~ "rtf")
+ (
+ .file_extension in~ $file_extensions_macros
+ or .file_extension =~ "rtf"
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
+ )
 and any(file.oletools(.).relationships, regex.icontains(.target, ".*html:http.*"))
 )
 or (
diff --git a/detection-rules/impersonation_wise_suspicious_attachment.yml b/detection-rules/impersonation_wise_suspicious_attachment.yml
index 9c08fa76a1a..dc59a23fdc3 100644
--- a/detection-rules/impersonation_wise_suspicious_attachment.yml
+++ b/detection-rules/impersonation_wise_suspicious_attachment.yml
@@ -15,6 +15,12 @@ source: |
 or .file_type in $file_extensions_executables
 or .file_type in $file_extensions_macros
 or .file_type in ("lz")
+ or (
+ .file_extension is null
+ and .file_type == "unknown"
+ and .content_type == "application/octet-stream"
+ and .size < 100000000
+ )
 )
 and sender.email.domain.root_domain not in~ ('wise.com', 'wise.jobs')
 attack_types:
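Review bot: In the impersonation_wise_suspicious_attachment hunk the existing branches key on `.file_type` (`.file_type in $file_extensions_executables`, `.file_type in $file_extensions_macros`, `.file_type in ("lz")`) rather than on `.file_extension`, so requiring `.file_extension is null` in the new fallback is stricter than the rest of this rule: an attachment that carries some arbitrary extension yet still arrives as `file_type == "unknown"` with an octet-stream content type would presumably match none of the visible branches. If the fallback is meant to mirror the extension-based rules elsewhere in this commit that is defensible, but if it is meant to follow this rule's type-based style the `.file_extension is null` condition may not belong here; either way a comment such as `// extensionless unknown-type blobs; kept identical to the office-rule fallback` would record which was intended. The `any(attachments, ...)` this clause sits in starts before the hunk, so branches above `or .file_type in $file_extensions_executables` are not visible here.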