Merge branch 'main' into morriscode-gitgudnoob

Author: morriscode

.github/workflows/mql-mimic-tests.yml

@@ -37,4 +37,4 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
           checkName: "MQL Mimic Tests"
           ref: ${{ github.sha }}
-          timeoutSeconds: 1800
+          timeoutSeconds: 3600

detection-rules/attachment_macro_dll_loader.yml

@@ -8,17 +8,19 @@ severity: "high"
 source: |
   type.inbound
   and any(attachments,
-          .file_extension == "zip"
-          and (
-            any(file.explode(.),
-                .scan.zip.encrypted == false
-                // zip contains a dll file
-                and any(.scan.zip.all_paths, strings.icontains(., "dll"))
-            )
-            and any(file.explode(.),
-                    // macro references a dll file
-                    any(.flavors.yara, strings.like(., "vb_file"))
-                    and any(.scan.strings.strings, strings.icontains(., "dll"))
+          (
+            .file_extension == "zip"
+            and (
+              any(file.explode(.),
+                  .scan.zip.encrypted == false
+                  // zip contains a dll file
+                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
+              )
+              and any(file.explode(.),
+                      // macro references a dll file
+                      any(.flavors.yara, strings.like(., "vb_file"))
+                      and any(.scan.strings.strings, strings.icontains(., "dll"))
+              )
             )
           )
           or any(file.explode(.), // fallback for encrypted zips
@@ -27,13 +29,13 @@ source: |
                  // zip contains a dll file
                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
           )
-          or any(attachments,
-                 .file_extension in~ $file_extensions_common_archives
-                 and any(file.explode(.),
-                         any(.flavors.yara, strings.like(., "vb_file"))
-                         and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
-                 )
-                 and any(file.explode(.), strings.ilike(.file_extension, "dll"))
+          or (
+            .file_extension in~ $file_extensions_common_archives
+            and any(file.explode(.),
+                    any(.flavors.yara, strings.like(., "vb_file"))
+                    and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
+            )
+            and any(file.explode(.), strings.ilike(.file_extension, "dll"))
           )
   )
 attack_types:

detection-rules/attachment_pdf_link_to_dmg.yml

@@ -0,0 +1,68 @@
+name: "Attachment: PDF with link to DMG file download"
+description: |
+  This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware. 
+references:
+  - "https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html"
+  - "https://duo.com/decipher/new-metastealer-malware-targets-macos-users"
+  - "https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/​"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_type == "pdf"
+          and any(file.explode(.),
+                  any(.scan.url.urls,
+  
+                      // url links to dmg or zip
+                      (
+                        strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
+                      )
+  
+                      // and downloads a dmg or a zip
+                      and any(beta.linkanalysis(.).files_downloaded,
+                              (
+                                .file_extension == "dmg"
+                                or (
+                                  .file_extension in~ $file_extensions_common_archives
+  
+                                  // and the zip contains a dmg file
+                                  and any(file.explode(.),
+                                          (.file_extension =~ "dmg")
+  
+                                          // exif inspection if encrypted
+                                          or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
+                                  )
+                                )
+                              )
+                      )
+                  )
+          )
+  )
+  
+  
+  // first time sender
+  and (
+    (
+      sender.email.domain.root_domain in $free_email_providers
+      and sender.email.email not in $sender_emails
+    )
+    or (
+      sender.email.domain.root_domain not in $free_email_providers
+      and sender.email.domain.domain not in $sender_domains
+    )
+  )
+tags: 
+  - "Malfam: MetaStealer"
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "URL analysis"
+  
+id: "2c486fe0-506d-5498-bb19-dbe58904f9dc"

detection-rules/impersonation_amazon.yml

@@ -25,9 +25,15 @@ source: |
       and sender.email.domain.root_domain in $free_email_providers
     )
   )
+  // negate listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in~ (
     'amazon.com',
     'amazon.com.au',
+    'amazon.com.be',
     'amazon.co.uk',
     'amazon.de',
     'amazon.es',

detection-rules/impersonation_github.yml

@@ -13,6 +13,11 @@ source: |
     or strings.ilike(sender.email.email, '*github*')
     or strings.ilevenshtein(sender.email.domain.sld, 'github') <= 1
   )
+  // negating listservs
+  and not (
+      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
+      and strings.contains(sender.display_name, "via")
+  )
   and sender.email.domain.root_domain not in (
     'github.com',
     'gitlab.com',

detection-rules/impersonation_microsoft.yml

@@ -36,8 +36,13 @@ source: |
       'Microsoft Azure'
     )
   )
-  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')
-
+  and sender.email.domain.root_domain not in~ (
+    'microsoft.com',
+    'microsoftsupport.com',
+    'office.com',
+    'teams-events.com'
+  )
+  
   // first-time sender
   and (
     (
@@ -49,6 +54,7 @@ source: |
       and sender.email.domain.domain not in $sender_domains
     )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:

detection-rules/impersonation_venmo.yml

@@ -12,7 +12,7 @@ source: |
     or strings.ilevenshtein(sender.display_name, 'venmo') <= 1
     or strings.ilike(sender.email.domain.domain, '*venmo*')
   )
-  and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com')
+  and sender.email.domain.root_domain not in~ ('venmo.com', 'synchronybank.com', 'venmocreditsurvey.com', 'venmo-experience.com')
   and sender.email.email not in $recipient_emails
   
   // and not if the sender.display.name contains "via" and dmarc pass from venmo.com

detection-rules/link_credential_phishing_intent_and_other_indicators.yml

@@ -279,7 +279,8 @@ source: |
           // this is common in link tracking, both for
           // benign marketing traffic but also attackers
           any(recipients.to,
-              strings.icontains(..href_url.url, .email.local_part)
+              .email.domain.valid
+              and strings.icontains(..href_url.url, .email.local_part)
               and strings.icontains(..href_url.url, .email.domain.domain)
           )
   )
@@ -290,12 +291,12 @@ source: |
   and (
     // freemail providers should never be sending this type of email
     sender.email.domain.domain in $free_email_providers
-
+  
     // if not freemail, it's suspicious if the sender's root domain
     // doesn't match any links in the body
     or all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
   )
-
+  
   // first-time sender
   and (
     (

detection-rules/link_qr_code_suspicious_language_fts.yml

@@ -7,19 +7,22 @@ type: "rule"
 severity: "medium"
 source: |
   type.inbound
-
+  
   // check image attachments for QR code, will want to add message.screenshot functionality here when it's ready
+  // and length(attachments) < 10
   and any(attachments,
-          .file_type in $file_types_images
+          (.file_type in $file_types_images or .file_type == "pdf")
           and any(file.explode(.),
                   .scan.qr.type == "url"
-
+  
                   // recipient email address is present in the URL, a common tactic used in credential phishing attacks and the url is not in $org_domains
-                  and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+                  and any(recipients.to,
+                          strings.icontains(..scan.qr.data, .email.email) and .email.domain.valid
+                  )
                   and .scan.qr.url.domain.root_domain not in $org_domains
           )
   )
-
+  
   // NLU has identified cred_theft language with high confidence
   and (
     any(ml.nlu_classifier(body.current_thread.text).intents,
@@ -40,7 +43,7 @@ source: |
       )
     )
   )
-
+  
   // first-time sender
   and (
     (