Attachment: ICS with embedded document
ICS invite contains an embedded document.
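---
# Sublime Security detection rule; the `source` block scalar is MQL.
# Intent: flag inbound .ics calendar attachments that carry a binary ATTACH
# property whose declared FILENAME has an Office document extension, i.e. a
# document smuggled inside an invite rather than attached directly.
name: "Attachment: ICS with embedded document"
description: |
  ICS invite contains an embedded document. The ICS body carries a binary
  ATTACH property (ATTACH;ENCODING=...;VALUE=BINARY) whose FILENAME parameter
  ends in an Office document extension.
references:
  - "https://delivr.to/payloads?id=2212f8db-5a21-4b36-a15e-4097adbc136d"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          // =~ is the case-insensitive comparison, so "invite.ICS" matches
          // as well as "invite.ics"; with == an upper-cased extension would
          // bypass the rule unless the platform already lower-cases
          // file_extension (TODO confirm against the MQL reference).
          .file_extension =~ "ics"
          and any(file.explode(.),
                  // a binary ATTACH property is present in the exploded ICS text
                  any(.scan.strings.strings,
                      strings.ilike(., '*ATTACH;ENCODING=*;VALUE=BINARY*')
                  )
                  // ... and a declared filename has an Office extension
                  // (doc/docx/docm, dot/dotx/dotm, ppt/pptx/ppsx, wbk, xls/xlsx/xlsm);
                  // the globs are prefix matches, so ".docx" is caught by "*.doc*"
                  and 1 of (
                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.doc*')),
                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.dot*')),
                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.pp*')),
                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.wbk*')),
                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.xl*')),
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86"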