From 9dfdfd87ca612fa3619a258c2483811a12abcf38 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 23 Dec 2024 23:51:32 -0500
Subject: [PATCH 1/3] Create attachment_html_with_long_timeout.yml
---
 .../attachment_html_with_long_timeout.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 detection-rules/attachment_html_with_long_timeout.yml
diff --git a/detection-rules/attachment_html_with_long_timeout.yml b/detection-rules/attachment_html_with_long_timeout.yml
new file mode 100644
index 00000000000..8a5009ea71a
--- /dev/null
+++ b/detection-rules/attachment_html_with_long_timeout.yml
@@ -0,0 +1,28 @@
+name: "Attachment: HTML file with abnormally long timeout"
+description: "Detects inbound messages containing HTML attachments that use abnormally long setTimeout functions as a potential sandbox evasion technique."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ("html", "htm", "shtml", "dhtml")
+ or .file_type == "html"
+ )
+ and
+
+ regex.icontains(file.parse_html(.).raw, 'setTimeout\(\(\) =>.*?\d{4}\);')
+ )
+ and not headers.return_path.domain.root_domain == "phriendlyphishing.com"
+
+
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "HTML smuggling"
+ - "Scripting"
+detection_methods:
+ - "File analysis"
+ - "HTML analysis"
+ - "Header analysis"
From 9074e47443025d2b7e54033022aada95fda854f5 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 24 Dec 2024 04:52:53 +0000
Subject: [PATCH 2/3] Auto add rule ID
---
 detection-rules/attachment_html_with_long_timeout.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_html_with_long_timeout.yml b/detection-rules/attachment_html_with_long_timeout.yml
index 8a5009ea71a..7bbfec521e5 100644
--- a/detection-rules/attachment_html_with_long_timeout.yml
+++ b/detection-rules/attachment_html_with_long_timeout.yml
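Review bot: The pattern `'setTimeout\(\(\) =>.*?\d{4}\);'` in the added `source` block does not enforce the "abnormally long" delay that the rule name and description promise: `\d{4}\);` matches any delay of 1000–9999 ms (and, through the lazy `.*?`, the trailing four digits of longer values), which is common in benign pages, and because `.*?` is not bound to the `setTimeout` call the digits can also come from an unrelated later call in the same raw HTML. Tying the digits to the call's delay argument and raising the bound, e.g. `'setTimeout\(\s*\(\)\s*=>.*?,\s*\d{5,}\s*\)'`, would narrow matches to delays of 10 s or more; note the pattern covers only the zero-argument arrow-function form, so `function()` callbacks are not detected, and whether `.` spans newlines in `regex.icontains` is not visible here and should be confirmed against the engine. The exclusion `and not headers.return_path.domain.root_domain == "phriendlyphishing.com"` is keyed on an unauthenticated header, so the allowlist is only as trustworthy as the return-path value itself; pairing it with an authentication result, e.g. `and not (headers.return_path.domain.root_domain == "phriendlyphishing.com" and headers.auth_summary.dmarc.pass)`, keeps the exclusion while limiting it to authenticated mail. The third patch only rewraps these same lines, so both points apply to its hunk as well.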
@@ -26,3 +26,4 @@ detection_methods:
 - "File analysis"
 - "HTML analysis"
 - "Header analysis"
+id: "dc11f4fe-480f-5136-b02d-c69c5a65f85e"
From 53f6205df6ffa467828d93d22e8a6862a7dbafc9 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 24 Dec 2024 11:02:16 -0500
Subject: [PATCH 3/3] Update attachment_html_with_long_timeout.yml formatting
---
 detection-rules/attachment_html_with_long_timeout.yml | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/detection-rules/attachment_html_with_long_timeout.yml b/detection-rules/attachment_html_with_long_timeout.yml
index 7bbfec521e5..f2f866ef185 100644
--- a/detection-rules/attachment_html_with_long_timeout.yml
+++ b/detection-rules/attachment_html_with_long_timeout.yml
@@ -9,13 +9,11 @@ source: |
 .file_extension in~ ("html", "htm", "shtml", "dhtml")
 or .file_type == "html"
 )
- and
-
- regex.icontains(file.parse_html(.).raw, 'setTimeout\(\(\) =>.*?\d{4}\);')
+ and regex.icontains(file.parse_html(.).raw,
+ 'setTimeout\(\(\) =>.*?\d{4}\);'
 )
- and not headers.return_path.domain.root_domain == "phriendlyphishing.com"
-
-
+ )
+ and not headers.return_path.domain.root_domain == "phriendlyphishing.com"
 attack_types:
 - "Malware/Ransomware"
 - "Credential Phishing"