Attachment: Excel Web Query File (IQY)
Recursively scans files and archives to detect IQY files.
IQY files instruct Excel to fetch data from a URL chosen by the sender, which attackers use to coerce a target user into entering credentials on an attacker-controlled web server, or to trigger an outbound NTLM authentication for SMB relaying.
Sublime rule (View on GitHub)
name: "Attachment: Excel Web Query File (IQY)"
description: |
  Recursively scans files and archives to detect IQY files.

  IQY files instruct Excel to fetch data from a URL chosen by the sender, which attackers use to coerce a target user into entering credentials on an attacker-controlled web server, or to trigger an outbound NTLM authentication for SMB relaying.
references:
  - "http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html"
  - "https://delivr.to/payloads?id=c8c6c2dd-f882-48c1-9d3c-d338c45f95fe"
type: "rule"
authors:
  - twitter: "jkcoote"
severity: "high"
source: |
  type.inbound
  and (
    // bare .iqy attachment (case-insensitive extension match)
    any(attachments, .file_extension =~ "iqy")
    or (
      // .iqy nested inside a common archive type, found by exploding the archive
      any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.), .file_extension =~ "iqy")
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "510412b5-1926-538f-a510-d796ecd2dc2d"
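The rule above matches on the file extension only, at the top level and inside exploded archives. The following is an added example, not Sublime's code or the rule author's, that reproduces that logic in plain Python and goes one step further by parsing the IQY body to show why the file is worth blocking: the third line is the URL Excel will fetch, and whether it is an HTTP URL or a UNC path tells you which abuse (credential prompt or SMB authentication) the sender is after. Assumptions: only zip containers are exploded (Sublime's $file_extensions_common_archives list is broader), the `ARCHIVE_EXTENSIONS` set, all function names and the sample attachments are constructed for this example.

```python
import io
import zipfile
from urllib.parse import urlparse

# Archive extensions this example can explode offline with the standard
# library. Sublime's $file_extensions_common_archives is broader (rar, 7z, ...);
# only zip-based containers are handled here (assumption for the example).
ARCHIVE_EXTENSIONS = {"zip"}


def file_extension(name: str) -> str:
    """Lower-cased extension without the dot ('' if none), so comparisons
    behave like MQL's case-insensitive =~ / in~ operators."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def parse_iqy(data: bytes):
    """Parse an Excel Web Query file.

    The format is a short text file: line 1 is the query type ("WEB"),
    line 2 the version ("1"), line 3 the URL Excel will fetch, followed by
    optional key=value parameters. Returns None if it is not an IQY file.
    """
    text = data.decode("utf-8", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    params = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return {"version": lines[1], "url": lines[2], "params": params}


def classify_target(url: str) -> str:
    """Describe what the fetch target is likely used for:
    - a UNC or file: path makes Excel authenticate over SMB (capture/relay)
    - an http(s) URL can answer 401 and prompt the user for credentials
    """
    if url.startswith("\\\\") or url.lower().startswith("file:"):
        return "unc-path (SMB authentication / relay)"
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https"):
        return "web URL (credential prompt / remote content)"
    return "other"


def explode(name: str, data: bytes):
    """Yield (path, bytes) for the file itself and, recursively, for every
    member of any zip archive, mirroring file.explode() in the rule."""
    yield name, data
    if file_extension(name) in ARCHIVE_EXTENSIONS and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                yield from explode(f"{name}/{info.filename}", zf.read(info))


def find_iqy(attachments):
    """Return one finding per .iqy file found at any archive depth."""
    findings = []
    for name, data in attachments:
        for path, blob in explode(name, data):
            if file_extension(path) != "iqy":
                continue
            parsed = parse_iqy(blob)
            findings.append({
                "path": path,
                "url": parsed["url"] if parsed else None,
                "target": classify_target(parsed["url"]) if parsed else "unparseable",
            })
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from (name, bytes) pairs (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (not real campaign data). The IP is from the
# TEST-NET-3 documentation range.
WEB_IQY = b"WEB\r\n1\r\nhttp://203.0.113.10/invoice.iqy\r\n\r\nSelection=AllTables\r\n"
UNC_IQY = b"WEB\r\n1\r\n\\\\203.0.113.10\\share\\report.iqy\r\n"
SAMPLE_ATTACHMENTS = [
    ("Invoice.IQY", WEB_IQY),  # bare attachment, upper-case extension
    ("docs.zip", _zip_bytes([("readme.txt", b"hi"),
                             ("inner.zip", _zip_bytes([("q.iqy", UNC_IQY)]))])),  # nested archive
    ("notes.txt", b"nothing to see"),
]

if __name__ == "__main__":
    for finding in find_iqy(SAMPLE_ATTACHMENTS):
        print(finding)
```

Running it reports both the bare `Invoice.IQY` (web URL) and `docs.zip/inner.zip/q.iqy` (UNC path) while ignoring the text file; the extension comparison is case-insensitive on purpose, since the rule's `=~` operator is too.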