Attachment: Excel Web Query File (IQY)

Recursively scans files and archives to detect IQY files.

An IQY attachment can be used to coerce a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.

Sublime rule

name: "Attachment: Excel Web Query File (IQY)"
description: |
  Recursively scans files and archives to detect IQY files.

  Coercing a target user into providing credentials to an attacker-controlled web server, or for SMB relaying.
references:
  - "http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html"
  - "https://delivr.to/payloads?id=c8c6c2dd-f882-48c1-9d3c-d338c45f95fe"
type: "rule"
authors:
  - twitter: "jkcoote"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments, .file_extension =~ "iqy")
    or (
      any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.), .file_extension =~ "iqy")
      )
    )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "510412b5-1926-538f-a510-d796ecd2dc2d"
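The following Python is an added example, not part of the Sublime rule or its repository. It mirrors the rule's logic (case-insensitive extension match, recursive explosion of archive attachments) and goes one step further by also checking file content for the IQY header, so a Web Query whose extension was changed is still flagged. The archive extension set, the nesting limit, and the sample attachments are constructed assumptions.

```python
from __future__ import annotations
import io
import zipfile

# Constructed subset of the archive types $file_extensions_common_archives covers.
ARCHIVE_EXTENSIONS = {"zip"}

def _extension(name: str) -> str:
    """Lowercased extension, mirroring the rule's case-insensitive =~ match."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def looks_like_iqy(data: bytes) -> bool:
    """Content check: a Web Query starts with a 'WEB' line, a version line ('1'),
    then the URL Excel will fetch. Catches an IQY whose extension was changed."""
    lines = data.splitlines()
    return len(lines) >= 3 and lines[0].strip() == b"WEB" and lines[1].strip() == b"1"

def find_iqy(name: str, data: bytes, depth: int = 0, max_depth: int = 5) -> list[str]:
    """Scan one attachment and, recursively, any archive it contains.
    Returns paths of matching entries, e.g. 'outer.zip/inner.zip/query.iqy'."""
    ext = _extension(name)
    hits = [name] if ext == "iqy" or looks_like_iqy(data) else []
    if ext in ARCHIVE_EXTENSIONS and depth < max_depth:  # depth cap limits nested archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        child = f"{name}/{info.filename}"
                        hits += find_iqy(child, zf.read(info), depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass  # extension says archive, content does not; nothing to explode
    return hits

def scan_attachments(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Mirror of the rule's top-level check over all attachments of a message."""
    return [hit for name, data in attachments for hit in find_iqy(name, data)]

def build_sample() -> list[tuple[str, bytes]]:
    """Constructed sample: an IQY nested two zips deep, plus a benign file."""
    iqy = b"WEB\r\n1\r\nhttp://example.com/query\r\n"  # constructed placeholder URL
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Invoice.IQY", iqy)
        zf.writestr("readme.txt", b"hello")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return [("invoice.zip", outer.getvalue()), ("notes.txt", b"nothing here")]

if __name__ == "__main__":
    print(scan_attachments(build_sample()))  # ['invoice.zip/inner.zip/Invoice.IQY']
```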