Attachment: OLE external relationship containing file scheme link to executable filetype
This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.
Sublime rule (View on GitHub)
1name: "Attachment: OLE external relationship containing file scheme link to executable filetype"
2description: "This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(attachments,
8 (
9 .file_extension in~ $file_extensions_macros
10 or .file_extension in~ $file_extensions_common_archives
11 or (
12 .file_extension is null
13 and .file_type == "unknown"
14 and .content_type == "application/octet-stream"
15 and .size < 100000000
16 )
17 )
18 and length(file.oletools(.).relationships) < 500
19 and any(file.oletools(.).relationships,
20 .target_url.scheme == "file"
21 and regex.icontains(.target_url.path,
22 '\.(action|ahk|apk|app|appimage|applescript|bat|bin|cab|cmd|command|cpl|dll|dmg|exe|gadget|hta|inf|ins|ipa|isu|jar|job|js|jse|lnk|msi|msp|paf|pif|ps1|rgs|run|scr|sct|sh|shb|vb|vbe|vbs)($|[^\w])'
23 )
24 )
25 )
26 and (
27 not profile.by_sender().any_false_positives
28 or profile.by_sender().any_messages_malicious_or_spam
29 )
30
31tags:
32 - "Attack surface reduction"
33 - "PikaBot"
34 - "DarkGate"
35attack_types:
36 - "Malware/Ransomware"
37tactics_and_techniques:
38 - "Evasion"
39detection_methods:
40 - "Archive analysis"
41 - "Content analysis"
42 - "OLE analysis"
43 - "Sender analysis"
44
45id: "33bf6fd4-b170-5da2-808a-ffe74af6e21b"