-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update attachment_pdf_extortion_leveraging_breach_data.yml by @morriscode #2310 Source SHA aedb24f Triggered by @morriscode
- Loading branch information
Sublime Rule Testing Bot
committed
Jan 14, 2025
1 parent
16c948c
commit fd04191
Showing
1 changed file
with
75 additions
and
0 deletions.
There are no files selected for viewing
75 changes: 75 additions & 0 deletions
75
detection-rules/attachment_pdf_extortion_leveraging_breach_data.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| name: "Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender" | ||
| description: "Detects sextortion attempts leveraging breach data, including names, addresses, phone numbers and frequently using Google Maps/Bing Maps streetview images to bolster confidence and fear." | ||
| type: "rule" | ||
| severity: "high" | ||
| source: | | ||
| type.inbound | ||
| // sender is a freemail domain | ||
| and sender.email.domain.root_domain in $free_email_providers | ||
| // attachment filename is the same as the subject | ||
| and any(attachments, | ||
| ( | ||
| strings.ilevenshtein(strings.concat(subject.subject, | ||
| ".", | ||
| .file_extension | ||
| ), | ||
| .file_name | ||
| ) <= 1 | ||
| ) | ||
| or strings.contains(.file_name, subject.subject) | ||
| ) | ||
| // body contains a US address, or the body is the subject | ||
| and ( | ||
| regex.icontains(body.current_thread.text, | ||
| '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s[A-Z]{2}\s\d{5}(?:-\d{4})?(?:\n)?|\d+\s[\w\s.]+(?:Street|St|Avenue|Ave|Boulevard|Blvd|Road|Rd|Drive|Dr|Lane|Ln|Court|Ct|Way|Place|Pl|Terrace|Ter|Circle|Cir|Parkway|Pkwy|Trail|Trl|Highway|Hwy|Loop)\b\.?', | ||
| // a Canadian address | ||
| '\d+\s[\w\s.]+(?:\n)?[\w\s]+\s((?:Ontario|ON)|(?:Quebec|QC)|(?:Nova Scotia|NS)|(?:New Brunswick|NB)|(?:Manitoba|MB)|(?:British Columbia|BC)|(?:Prince Edward Island|PEI?)|(?:Saskatchewan|SK)|(?:Alberta|AB)|(?:Newfoundland and Labrador|NL)|(?:Yukon|YT)|(?:Northwest Territories|NT)|(?:Nunavut|NU))\s*[ABCEGHJ-NPRSTVXY]\d[ABCEGHJ-NPRSTV-Z][ -]?\d[ABCEGHJ-NPRSTV-Z]\d' | ||
| ) | ||
| or subject.subject == body.current_thread.text | ||
| ) | ||
| // there's a PDF attachment with an image at a depth of one, measuring 148x148 and containing a QR code that is a BTC address | ||
| and any(attachments, | ||
| .file_type == "pdf" | ||
| and any(file.explode(.), | ||
| ( | ||
| (.depth == 1 and .flavors.mime == "image/jpeg") | ||
| and ( | ||
| .scan.exiftool.image_height == 148 | ||
| and .scan.exiftool.image_width == 148 | ||
| and regex.match(.scan.qr.data, | ||
| '(1[a-km-zA-HJ-NP-Z1-9]{25,34}|3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qp-z0-9]{39,59})' | ||
| ) | ||
| ) | ||
| ) | ||
| or ( | ||
| any(.scan.strings.strings, | ||
| regex.icontains(., | ||
| 'Amount(?:\s*\w+){0,3}\s*:?\s*(?:USD\s*)?(?:\$\s?\d+|\d+\s?\$?)' | ||
| ) | ||
| ) | ||
| and any(.scan.strings.strings, | ||
| regex.icontains(., | ||
| '(\bBITCOIN\b|\bBTC\b|\bLTC\b|Wallet)' | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| ) | ||
| attack_types: | ||
| - "BEC/Fraud" | ||
| tactics_and_techniques: | ||
| - "Free email provider" | ||
| - "PDF" | ||
| - "Social engineering" | ||
| - "QR code" | ||
| detection_methods: | ||
| - "Content analysis" | ||
| - "File analysis" | ||
| - "QR code analysis" | ||
| id: "efb5a213-df55-5ddc-a300-ad3a6da8e74e" | ||
| testing_pr: 2310 | ||
| testing_sha: aedb24f0f031de4a17fa9308c489db85269b522f |