Sync from PR#2343

Create open_redirect_plasticsurgery.yml by @zoomequipd #2343 Source SHA 18b23d4 Triggered by @zoomequipd
sublime-security · Jan 26, 2025 · b2e6a54 · b2e6a54
1 parent 0ab381f
commit b2e6a54
Showing 1 changed file with 21 additions and 2 deletions.
diff --git a/detection-rules/open_redirect_plasticsurgery.yml b/detection-rules/open_redirect_plasticsurgery.yml
@@ -3,7 +3,26 @@ description: |
   Message contains use of the plasticsurgery.or.kr open redirect. This has been exploited in the wild.
 type: "rule"
 severity: "medium"
-source: "type.inbound\nand any(body.links,\n        .href_url.domain.root_domain == \"plasticsurgery.or.kr\"\n        and strings.icontains(.href_url.path, '/bbs/link.php')\n          and strings.icontains(.href_url.query_params, 'code=')\n                    and strings.icontains(.href_url.query_params, 'url=')\n\n          and not regex.icontains(.href_url.query_params, 'url=(?:https?(?:%3a|:))?(?:%2f|\\/){2}[^&]*plasticsurgery\\.or\\.kr(?:\\&|\\/|$)') \n  \n\n)\nand not sender.email.domain.root_domain == \"plasticsurgery.or.kr\"\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n  (\n    sender.email.domain.root_domain in $high_trust_sender_root_domains\n    and not headers.auth_summary.dmarc.pass\n  )\n  or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+source: |
+  type.inbound
+  and any(body.links,
+          .href_url.domain.root_domain == "plasticsurgery.or.kr"
+          and strings.icontains(.href_url.path, '/bbs/link.php')
+          and strings.icontains(.href_url.query_params, 'code=')
+          and strings.icontains(.href_url.query_params, 'url=')
+          and not regex.icontains(.href_url.query_params,
+                                  'url=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*plasticsurgery\.or\.kr(?:\&|\/|$)'
+          )
+  )
+  and not sender.email.domain.root_domain == "plasticsurgery.or.kr"
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
 attack_types:
   - "Credential Phishing"
   - "Malware/Ransomware"
@@ -14,4 +33,4 @@ detection_methods:
   - "URL analysis"
 id: "76dbd946-62d1-527f-b50b-fa4548c002d8"
 testing_pr: 2343
-testing_sha: 7276e1bf21089394144c89dac18d31c6704e23ab
+testing_sha: 18b23d4179538d4b0ce3b6f36ac76d9471138e86