-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathattachment_onenote_suspicious_strings.yml
52 lines (51 loc) · 1.85 KB
/
attachment_onenote_suspicious_strings.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
name: "Attachment: OneNote file with Suspicious Strings"
description: |
Detection of OneNote files with IoCs from previously observed threat actor activity.
type: "rule"
severity: "medium"
authors:
- twitter: "delivr_to"
references:
- https://delivr.to/payloads?id=56188625-d386-489e-bf50-604d89675c2a
- https://delivr.to/payloads?id=2722d95f-f51d-4ad7-aeb1-60a38e52ae5e
- https://delivr.to/payloads?id=e8dce489-d33e-46b5-9e9f-cf2713abd213
source: |
type.inbound
and any(attachments,
(
.file_extension in ("one", "onepkg") or
.file_extension in $file_extensions_common_archives
) and
any(beta.binexplode(.), any(.flavors.yara, . == "onenote_file")) and
any(beta.binexplode(.),
(
any(.scan.strings.strings, strings.ilike(.,
"*RegWrite*",
"*RegRead*",
"*rundll32*",
"*<job id=*", //wsf
"*powershell.exe*",
"*#@~^*", // Microsoft Script Encoding File Header, jse, vbe
'*C:\Users\Public*',
"*69 6e 76 6f 6b 65 2d 77 65 62 72 65 71 75 65 73 74*", // invoke-webrequest
"*system.net.webclient*",
"*WScript.Shell*",
'*HKCU\SOFTWARE*',
"*https://www.instructables.com/How-to-Make-a-message-box-using-VBScript/*",
"*This document is corrupted and could not be opened*"
)) or
strings.ilike(.scan.ocr.raw,
"*This document contains attachments from the cloud*", // Adobe/365 branding
"*Double-Click The \"Open Protected View\" button to securely view document contents*", //O365 branding
"*Microsoft 365* is the new name for Microsoft's Office 365 subscription service*" //O365 branding
)
)
)
)
and (
not profile.by_sender_email().solicited
or sender.email.domain.domain == "delivrto.me"
)
tags:
- "Suspicious Attachment"
- "QakBot"