Attachment: OLE external relationship containing file scheme link to executable filetype
This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software.
Sublime rule (View on GitHub)
1name: "Attachment: OLE external relationship containing file scheme link to executable filetype"
2description: "This rule identifies attachments containing file scheme links pointing to executable file types, a common indicator of malware distribution. It applies to various suspicious file extensions and archive formats, aiming to prevent the initiation and execution of malicious software."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(attachments,
8 (
9 .file_extension in~ $file_extensions_macros
10 or .file_extension in~ $file_extensions_common_archives
11 or (
12 .file_extension is null
13 and .file_type == "unknown"
14 and .content_type == "application/octet-stream"
15 and .size < 100000000
16 )
17 )
18 and any(file.oletools(.).relationships,
19 .target_url.scheme == "file"
20 and regex.icontains(.target_url.path,
21 '\.(action|ahk|apk|app|appimage|applescript|bat|bin|cab|cmd|command|cpl|dll|dmg|exe|gadget|hta|inf|ins|ipa|isu|jar|job|js|jse|lnk|msi|msp|paf|pif|ps1|rgs|run|scr|sct|sh|shb|vb|vbe|vbs)($|[^\w])'
22 )
23 )
24 )
25 and (
26 not profile.by_sender().any_false_positives
27 or profile.by_sender().any_messages_malicious_or_spam
28 )
29
30tags:
31 - "Attack surface reduction"
32 - "PikaBot"
33 - "DarkGate"
34attack_types:
35 - "Malware/Ransomware"
36tactics_and_techniques:
37 - "Evasion"
38detection_methods:
39 - "Archive analysis"
40 - "Content analysis"
41 - "OLE analysis"
42 - "Sender analysis"
43
44id: "33bf6fd4-b170-5da2-808a-ffe74af6e21b"