From f9a6af85d5991df8b6d26574293f4c2f4ebbc6e0 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 25 Jan 2025 23:03:46 -0600
Subject: [PATCH 1/5] Create open_redirect_sciencebuddies.yml
---
.../open_redirect_sciencebuddies.yml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 detection-rules/open_redirect_sciencebuddies.yml
diff --git a/detection-rules/open_redirect_sciencebuddies.yml b/detection-rules/open_redirect_sciencebuddies.yml
new file mode 100644
index 00000000000..2bb5497ed4e
--- /dev/null
+++ b/detection-rules/open_redirect_sciencebuddies.yml
@@ -0,0 +1,32 @@
+name: "Open Redirect: sciencebuddies.org"
+description: |
+ Message contains use of the sciencebuddies.org open redirect. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links,
+ .href_url.domain.root_domain == "sciencebuddies.org"
+ and strings.icontains(.href_url.path, '/Handlers/QrCode.aspx')
+ and strings.icontains(.href_url.query_params, 'u=')
+ and not regex.icontains(.href_url.query_params, 'u=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*sciencebuddies\.org(?:\&|\/|$)')
+
+
+ )
+ and not sender.email.domain.root_domain == "sciencebuddies.org"
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
From 753ff6dab62d2116f74024ee9484b0ceb315c588 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Sun, 26 Jan 2025 05:07:05 +0000
Subject: [PATCH 2/5] Auto add rule ID
---
detection-rules/open_redirect_sciencebuddies.yml | 1 +
1 file changed, 1 insertion(+)
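Review bot: The exclusion that is meant to ignore self-referencing redirects, `and not regex.icontains(.href_url.query_params, 'u=...[^&]*sciencebuddies\.org(?:\&|\/|$)')`, matches the domain anywhere inside the `u=` value rather than at the host position, so any target that merely carries that string later in its path or query is also excluded and the rule stays silent on it; anchoring the host directly behind the scheme separator, `'u=(?:https?(?:%3a|:))?(?:%2f|\/){2}(?:[\w.-]*\.)?sciencebuddies\.org(?:\&|%2f|\/|$)'`, keeps benign self-redirects excluded while closing that gap. The preceding `strings.icontains(.href_url.query_params, 'u=')` is likewise loose, since it also matches parameter names that merely end in `u` such as `menu=`, and `regex.icontains(.href_url.query_params, '(?:^|&)u=')` pins it to the intended parameter. The two empty lines before the closing `)` of `any(body.links, ...)` look accidental and could be dropped. The k-mil.net rule in patch 3/5 carries the same two patterns, but patch 5/5 deletes that file again, so only this rule needs the change.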
diff --git a/detection-rules/open_redirect_sciencebuddies.yml b/detection-rules/open_redirect_sciencebuddies.yml
index 2bb5497ed4e..c62e778e03f 100644
--- a/detection-rules/open_redirect_sciencebuddies.yml
+++ b/detection-rules/open_redirect_sciencebuddies.yml
@@ -30,3 +30,4 @@ tactics_and_techniques:
 detection_methods:
 - "Sender analysis"
 - "URL analysis"
+id: "019317d4-4c63-582d-9940-9ec5822be0b1"
From dc8a71d2da2dfc163ad82d3aa79eb0b3f6fe8e61 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sun, 26 Jan 2025 20:46:52 -0600
Subject: [PATCH 3/5] Create open_redirect_k-mil.yml
---
detection-rules/open_redirect_k-mil.yml | 32 +++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 detection-rules/open_redirect_k-mil.yml
diff --git a/detection-rules/open_redirect_k-mil.yml b/detection-rules/open_redirect_k-mil.yml
new file mode 100644
index 00000000000..aa0f26ab744
--- /dev/null
+++ b/detection-rules/open_redirect_k-mil.yml
@@ -0,0 +1,32 @@
+name: "Open Redirect: k-mil.net"
+description: |
+ Message contains use of the k-mil.net open redirect. This has been exploited in the wild.
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(body.links,
+ .href_url.domain.root_domain == "k-mil.net"
+ and strings.iends_with(.href_url.path, 'official_url')
+ and strings.icontains(.href_url.query_params, 'u=')
+ and not regex.icontains(.href_url.query_params,
+ 'u=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*k-mil\.net(?:\&|\/|$)'
+ )
+ )
+ and not sender.email.domain.root_domain == "k-mil.net"
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+attack_types:
+ - "Credential Phishing"
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Open redirect"
+detection_methods:
+ - "Sender analysis"
+ - "URL analysis"
From 4a776301155c682879866cecb6e98cc811feedab Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Mon, 27 Jan 2025 02:47:23 +0000
Subject: [PATCH 4/5] Auto add rule ID
---
detection-rules/open_redirect_k-mil.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/detection-rules/open_redirect_k-mil.yml b/detection-rules/open_redirect_k-mil.yml
index aa0f26ab744..3ff4d581af0 100644
--- a/detection-rules/open_redirect_k-mil.yml
+++ b/detection-rules/open_redirect_k-mil.yml
@@ -30,3 +30,4 @@ tactics_and_techniques:
 detection_methods:
 - "Sender analysis"
 - "URL analysis"
+id: "9f422356-1ee1-5135-9132-a45cf14c802e"
From 422eb4f42ffdc0462fd1ba9b3302e7597a7792d1 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sun, 26 Jan 2025 20:47:39 -0600
Subject: [PATCH 5/5] Delete detection-rules/open_redirect_k-mil.yml
---
detection-rules/open_redirect_k-mil.yml | 33 -------------------------
1 file changed, 33 deletions(-)
delete mode 100644 detection-rules/open_redirect_k-mil.yml
diff --git a/detection-rules/open_redirect_k-mil.yml b/detection-rules/open_redirect_k-mil.yml
deleted file mode 100644
index 3ff4d581af0..00000000000
--- a/detection-rules/open_redirect_k-mil.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: "Open Redirect: k-mil.net"
-description: |
- Message contains use of the k-mil.net open redirect. This has been exploited in the wild.
-type: "rule"
-severity: "medium"
-source: |
- type.inbound
- and any(body.links,
- .href_url.domain.root_domain == "k-mil.net"
- and strings.iends_with(.href_url.path, 'official_url')
- and strings.icontains(.href_url.query_params, 'u=')
- and not regex.icontains(.href_url.query_params,
- 'u=(?:https?(?:%3a|:))?(?:%2f|\/){2}[^&]*k-mil\.net(?:\&|\/|$)'
- )
- )
- and not sender.email.domain.root_domain == "k-mil.net"
- // negate highly trusted sender domains unless they fail DMARC authentication
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
- )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
-attack_types:
- - "Credential Phishing"
- - "Malware/Ransomware"
-tactics_and_techniques:
- - "Open redirect"
-detection_methods:
- - "Sender analysis"
- - "URL analysis"
-id: "9f422356-1ee1-5135-9132-a45cf14c802e"