Attachment: ICS with embedded document

An ICS (iCalendar) invite attachment carries an inline, base64-encoded Office document (an `ATTACH;...;VALUE=BINARY` property). Wrapping a document in a calendar invite is an evasion technique: filters that inspect attachments by extension see only a `.ics` file.

Sublime rule

 1name: "Attachment: ICS with embedded document"
 2description: |
 3    ICS invite contains an embedded document.
 4references:
 5  - "https://delivr.to/payloads?id=2212f8db-5a21-4b36-a15e-4097adbc136d"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and any(attachments,
11          .file_extension == "ics"
12          and any(file.explode(.),
13                  any(.scan.strings.strings, strings.ilike(., '*ATTACH;ENCODING=*;VALUE=BINARY*'))
14                  and 1 of (
15                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.doc*')),
16                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.dot*')),
17                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.pp*')),
18                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.wbk*')),
19                    any(.scan.strings.strings, strings.ilike(., '*FILENAME=*.xl*')),
20                  )
21          )
22  )  
23attack_types:
24  - "Malware/Ransomware"
25tactics_and_techniques:
26  - "Evasion"
27detection_methods:
28  - "File analysis"
29id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86"