Attachment: PowerPoint with suspicious hyperlink
Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
# Sublime detection rule: flags inbound mail carrying a PowerPoint attachment
# whose embedded hyperlink metadata looks like a PowerShell/script payload.
name: "Attachment: PowerPoint with suspicious hyperlink"
description: |
  Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
references:
  # Public write-up of the sample this rule was built from.
  - "https://twitter.com/doc_guard/status/1570190610774257665"
type: "rule"
severity: "high"
# Detection logic (MQL). Reading top to bottom:
#   1. Only inbound messages are considered.
#   2. Any attachment whose extension is ppt or pptx (in~ is case-insensitive;
#      only these two extensions are checked, so pps/ppsx/pptm variants are
#      NOT covered by this rule as written — consider whether that is intended).
#   3. The attachment is exploded and each exploded file's exiftool fields are
#      scanned for the "Hyperlinks" key.
#   4. The hyperlink value must match at least 4 of the 7 substring patterns
#      below. strings.ilike is case-insensitive, so the mixed-case spelling in
#      "[io.FileOPtions]" has no effect on matching. The weaker single
#      indicators ("*vbs*", "*dll*") are only meaningful in combination, which
#      is what the 4-of threshold enforces.
source: |
  type.inbound
  and any(attachments,
          (.file_extension in~ ("ppt", "pptx"))
          and any(file.explode(.),
                  any(.scan.exiftool.fields,
                      .key == "Hyperlinks"
                      and (
                        4 of (
                          strings.ilike(.value, "*[Convert]::ToChar*"),
                          strings.ilike(.value, "*vbs*"),
                          strings.ilike(.value, "*[IO.File]::Create*"),
                          strings.ilike(.value, "*[IO.File]::Exists*"),
                          strings.ilike(.value, "*[io.FileOPtions]::DeleteOnClose*"),
                          strings.ilike(.value, "*Net.WebClient*"),
                          strings.ilike(.value, "*dll*"),
                        )
                      )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Exif analysis"
  - "File analysis"
# Stable rule identifier.
id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704"