Attachment: OLE external relationship containing file scheme link to IP address

calendar Apr 12, 2024 · Attack surface reduction  ·
Share on: linkedin copy

This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space.

Sublime rule (View on GitHub)

 1name: "Attachment: OLE external relationship containing file scheme link to IP address"
 2description: "This rule identifies attachments containing file scheme links pointing to IP Addresses, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software. The rule negates firing on IP addresses governed by RFC1918 or privately allocated space. "
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          (
 9            .file_extension in~ $file_extensions_macros
10            or .file_extension in~ $file_extensions_common_archives
11            or (
12              .file_extension is null
13              and .file_type == "unknown"
14              and .content_type == "application/octet-stream"
15              and .size < 100000000
16            )
17          )
18          and any(file.oletools(.).relationships,
19                  .target_url.scheme == "file"
20                  and regex.contains(.target_url.path, '([0-9]{2,3}\.){3}[0-9]{2,3}')
21                  and not regex.icontains(.target_url.path,
22                                      '(10\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(172\.(?:1[6-9]|2\d|3[0-1])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))|(192\.168\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5])\.(?:\d{1,2}|1\d{2}|2[0-4]\d|25[0-5]))'
23  
24                  )
25          )
26  )
27   and (
28      not profile.by_sender().any_false_positives
29      or profile.by_sender().any_messages_malicious_or_spam
30   )  
31
32tags:
33  - "Attack surface reduction"
34attack_types:
35  - "Malware/Ransomware"
36tactics_and_techniques:
37  - "Evasion"
38detection_methods:
39  - "Archive analysis"
40  - "Content analysis"
41  - "OLE analysis"
42  - "Sender analysis"
43
44id: "3aab998c-00a6-5c10-b482-094db7140e52"

Related rules

to-top