From 0ab381ffd8c89e028a00ae336e13e521d8eaa532 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Sun, 26 Jan 2025 23:15:34 +0000
Subject: [PATCH] Sync from PR#2343 Create open_redirect_plasticsurgery.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2343 Source SHA 7276e1bf21089394144c89dac18d31c6704e23ab Triggered by @zoomequipd
---
 .../open_redirect_plasticsurgery.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 detection-rules/open_redirect_plasticsurgery.yml
diff --git a/detection-rules/open_redirect_plasticsurgery.yml b/detection-rules/open_redirect_plasticsurgery.yml
new file mode 100644
index 00000000000..6ea25661816
--- /dev/null
+++ b/detection-rules/open_redirect_plasticsurgery.yml
@@ -0,0 +1,17 @@
+name: "Open Redirect: plasticsurgery.or.kr"
+description: |
+ Message contains use of the plasticsurgery.or.kr open redirect. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand any(body.links,\n .href_url.domain.root_domain == \"plasticsurgery.or.kr\"\n and strings.icontains(.href_url.path, '/bbs/link.php')\n and strings.icontains(.href_url.query_params, 'code=')\n and strings.icontains(.href_url.query_params, 'url=')\n\n and not regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*plasticsurgery\\.or\\.kr(?:\\&|\\/|$)') \n \n\n)\nand not sender.email.domain.root_domain == \"plasticsurgery.or.kr\"\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
+id: "76dbd946-62d1-527f-b50b-fa4548c002d8"
+testing_pr: 2343
+testing_sha: 7276e1bf21089394144c89dac18d31c6704e23ab
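Review bot: The self-redirect exclusion in the `source` regex, `[^&]*plasticsurgery\\.or\\.kr(?:\\&|\\/|$)`, does not pin the domain to the host position of the `url=` value, so a `url=` target whose value merely contains `plasticsurgery.or.kr` later on (in a path segment or a following `&`-terminated parameter) is also excluded and the message is not flagged. Anchoring the domain directly after the scheme and slashes closes that gap while still allowing subdomains and an encoded slash terminator: `'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}(?:[^&\\/%]*\\.)?plasticsurgery\\.or\\.kr(?:\\&|\\/|%2f|$)'` (escaping as in the quoted scalar; verify against the rule-test corpus). Separately, `strings.icontains(.href_url.query_params, 'url=')` also matches any parameter whose name ends in `url`; if the intent is the `url` parameter specifically, `regex.icontains(.href_url.query_params, '(?:^|&)url=')` is tighter. The description's "exploited in the wild" claim would be easier to maintain with a reference link in `references:` or the description itself.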