Link: Common Hidden Directory Observed

Links in the message point to sensitive system directories such as .git, .env, or .well-known, which could expose confidential configuration data or system files. Actors often abuse these directories on compromised sites to hide credential phishing landing pages.

Sublime rule

name: "Link: Common Hidden Directory Observed"
description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
references:
  - "https://datatracker.ietf.org/doc/html/rfc8615"
  - "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and 0 < length(body.links) <= 10
  and any(body.links,
          (
            strings.icontains(.href_url.path, "/.well-known/")
            and regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
          )
          or strings.icontains(.href_url.path, "/.js/")
          or strings.icontains(.href_url.path, "/.env/")
          or strings.icontains(.href_url.path, "/.git/")
          or strings.icontains(.href_url.path, "/.svn/")
          or strings.icontains(.href_url.path, "/.hg/")
          or strings.icontains(.href_url.path, "/.DS_Store/")
          or strings.icontains(.href_url.path, "/.htpasswd/")
          or strings.icontains(.href_url.path, "/.htaccess/")
          or strings.icontains(.href_url.path, "/.bash_history/")
          or strings.icontains(.href_url.path, "/.bashrc/")
          or strings.icontains(.href_url.path, "/.zshrc/")
          or strings.icontains(.href_url.path, "/.profile/")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "URL analysis"
  - "HTML analysis"
id: "9f316da6-821c-5fed-b967-80fc0e740626"
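As an added illustration, not part of the Sublime rule or its repository, the following Python port of the rule's logic lets an analyst run the same checks offline against constructed link lists, for example when tuning the trusted-sender list or reviewing which links in a sample would have fired. The hidden-directory path fragments and the .well-known regex are taken from the rule source above; the message dictionary shape, the HIGH_TRUST_SENDER_ROOT_DOMAINS set and all sample URLs are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Hidden-directory path fragments checked by the rule (copied from its source).
# Every fragment ends in "/", so only links that descend INTO the directory
# match; a bare "/.git" or "/.env" file reference does not.
HIDDEN_DIR_FRAGMENTS = (
    "/.js/", "/.env/", "/.git/", "/.svn/", "/.hg/", "/.DS_Store/",
    "/.htpasswd/", "/.htaccess/", "/.bash_history/", "/.bashrc/",
    "/.zshrc/", "/.profile/",
)

# Port of regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/'):
# a subdirectory beneath /.well-known/ is required, so a link to the
# RFC 8615 style /.well-known/security.txt alone does not satisfy it.
WELL_KNOWN_SUBDIR = re.compile(r"/\.well-known/[^/]+/", re.IGNORECASE)

# Constructed stand-in for the $high_trust_sender_root_domains list (assumption).
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"example-trusted.com"}


def link_hits_hidden_dir(href: str) -> bool:
    """Mirror the any(body.links, ...) predicate for one link's URL path."""
    path = urlparse(href).path
    lowered = path.lower()
    if "/.well-known/" in lowered and WELL_KNOWN_SUBDIR.search(path):
        return True
    # strings.icontains is case-insensitive, so compare lowercased forms
    return any(frag.lower() in lowered for frag in HIDDEN_DIR_FRAGMENTS)


def rule_matches(message: dict, high_trust=HIGH_TRUST_SENDER_ROOT_DOMAINS) -> bool:
    """Evaluate the whole rule on a constructed message record.

    message keys (assumed shape for this example, not a Sublime API):
      inbound (bool), links (list of href strings),
      sender_root_domain (str), dmarc_pass (bool)
    """
    if not message.get("inbound", False):          # type.inbound
        return False
    links = message.get("links", [])
    if not (0 < len(links) <= 10):                 # 0 < length(body.links) <= 10
        return False
    if not any(link_hits_hidden_dir(h) for h in links):
        return False
    # Trusted senders are exempt only while they pass DMARC; a trusted root
    # domain that fails DMARC is still evaluated, as in the rule.
    trusted = message.get("sender_root_domain", "") in high_trust
    if trusted and message.get("dmarc_pass", False):
        return False
    return True


def matching_links(message: dict) -> list:
    """Return the links that satisfied the hidden-directory check, for triage output."""
    return [h for h in message.get("links", []) if link_hits_hidden_dir(h)]


if __name__ == "__main__":
    # Constructed sample messages
    phish = {"inbound": True, "sender_root_domain": "unrelated-sender.net", "dmarc_pass": True,
             "links": ["https://compromised-site.example/.well-known/pki-validation/login.html",
                       "https://compromised-site.example/contact"]}
    benign = {"inbound": True, "sender_root_domain": "example-trusted.com", "dmarc_pass": True,
              "links": ["https://example-trusted.com/.well-known/security.txt"]}
    for name, msg in (("phish", phish), ("benign", benign)):
        print(name, rule_matches(msg), matching_links(msg))
```

Two boundaries of the rule become visible when running this port: each fragment carries a trailing slash, so the rule fires on content hosted inside a hidden directory rather than on a direct reference to the file itself, and the .well-known branch only fires when there is a further subdirectory, which keeps ordinary well-known URIs such as a security.txt link from matching.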
