From f669bd4641bcfcfbe86e953ff0cb324183685ce2 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 27 Dec 2024 12:52:54 -0600
Subject: [PATCH 1/7] Create link_hidden_dir.yml
---
 detection-rules/link_hidden_dir.yml | 34 +++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 detection-rules/link_hidden_dir.yml
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
new file mode 100644
index 00000000000..e54205c5884
--- /dev/null
+++ b/detection-rules/link_hidden_dir.yml
@@ -0,0 +1,34 @@
+name: "Link: Common Hidden Directory Observed"
+description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.links) < 10
+ and any(body.links,
+ (
+ strings.icontains(.href_url.path, "/.well-known/")
+ and not strings.icontains(.href_url.path, '/.well-known/security.txt')
+ )
+ or strings.icontains(.href_url.path, "/.js/")
+ or strings.icontains(.href_url.path, "/.env/")
+ or strings.icontains(.href_url.path, "/.git/")
+ or strings.icontains(.href_url.path, "/.svn/")
+ or strings.icontains(.href_url.path, "/.hg/")
+ or strings.icontains(.href_url.path, "/.DS_Store/")
+ or strings.icontains(.href_url.path, "/.htpasswd/")
+ or strings.icontains(.href_url.path, "/.htaccess/")
+ or strings.icontains(.href_url.path, "/.bash_history/")
+ or strings.icontains(.href_url.path, "/.bashrc/")
+ or strings.icontains(.href_url.path, "/.zshrc/")
+ or strings.icontains(.href_url.path, "/.profile/")
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
+ - "HTML analysis"
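Review bot: Most of the `strings.icontains` entries wrap a file name, not a directory, in slashes — `"/.env/"`, `"/.htpasswd/"`, `"/.htaccess/"`, `"/.bash_history/"`, `"/.bashrc/"`, `"/.zshrc/"`, `"/.profile/"`, `"/.DS_Store/"` — so a link whose path ends in `/.env` or `/.htpasswd` (the form those files are normally linked in) never matches, and each entry only fires when the file name happens to be used as a directory component. If the intent is to cover those files as well as the hidden directories, one pattern with an end-or-slash anchor handles both forms: `or regex.icontains(.href_url.path, '/\.(env|htpasswd|htaccess|bash_history|bashrc|zshrc|profile|DS_Store)(/|$)')`; if the trailing slash is deliberate, a comment such as `// trailing slash on purpose: match only when the name is used as a directory` would keep the next reader from "fixing" it. The description talks about paths that "could expose confidential configuration data", while the query only checks where links in inbound mail point; rewording it around phishing pages hosted under hidden directories on compromised sites would match what the rule actually tests.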
From ebb33363d6100fa6eb9aa02e063a17d2a989bf40 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 27 Dec 2024 18:56:31 +0000
Subject: [PATCH 2/7] Auto add rule ID
---
 detection-rules/link_hidden_dir.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index e54205c5884..08507a76f6d 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -32,3 +32,4 @@ tactics_and_techniques:
 detection_methods:
 - "URL analysis"
 - "HTML analysis"
+id: "9f316da6-821c-5fed-b967-80fc0e740626"
From f6ef607e1659b7957561ba22b7f00127c63de349 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 27 Dec 2024 12:56:53 -0600
Subject: [PATCH 3/7] Update link_hidden_dir.yml
---
 detection-rules/link_hidden_dir.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index 08507a76f6d..1a60b99f5b5 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -23,6 +23,14 @@ source: |
 or strings.icontains(.href_url.path, "/.zshrc/")
 or strings.icontains(.href_url.path, "/.profile/")
 )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
 tags:
 - "Attack surface reduction"
 attack_types:
From 483588ad6776e9e230ede9b5473e16d33f0a04bf Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 27 Dec 2024 13:44:08 -0600
Subject: [PATCH 4/7] Update link_hidden_dir.yml
---
 detection-rules/link_hidden_dir.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
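Review bot: The eight-line sender block added in PATCH 3/7 spells `(A and not P) or not A`, which is just `not (A and P)`; the same truth table reads far more directly as `and not (sender.email.domain.root_domain in $high_trust_sender_root_domains and headers.auth_summary.dmarc.pass)`, and the comment above it can then say what it does: `// suppress only for high-trust root domains that actually pass DMARC`. One thing I cannot tell from this file is what `headers.auth_summary.dmarc.pass` holds when no DMARC evaluation was recorded; if it is null and `not null` is not treated as true, a message from a high-trust root domain with no authentication result would still be suppressed, which is the opposite of the comment's intent, so worth confirming against the platform's null semantics. The `source` block this hunk belongs to starts above the hunk; the `any(body.links, …)` condition closes on the `)` context line immediately before the insertion.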
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index 1a60b99f5b5..a9756f9d71b 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -8,7 +8,8 @@ source: |
 and any(body.links,
 (
 strings.icontains(.href_url.path, "/.well-known/")
- and not strings.icontains(.href_url.path, '/.well-known/security.txt')
+ and not strings.ends_with(.href_url.path, '/.well-known/security.txt')
+ and not strings.ends_with(.href_url.path, '/.well-known/jwks.json')
 )
 or strings.icontains(.href_url.path, "/.js/")
 or strings.icontains(.href_url.path, "/.env/")
From 8d2861135350a4511992a622a5818ffca074a71a Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 2 Jan 2025 14:12:47 -0600
Subject: [PATCH 5/7] Update link_hidden_dir.yml
---
 detection-rules/link_hidden_dir.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index a9756f9d71b..c1d8c2f967d 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
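Review bot: The two exclusions now use `strings.ends_with`, which unlike the `i`-prefixed `strings.icontains` trigger directly above them is presumably case-sensitive, so a path that trips the `"/.well-known/"` trigger with different casing is no longer excluded by either suffix check. That is only a false-positive risk, but the asymmetry is easy to miss later; either use the case-insensitive suffix variant if the platform offers one, or record the choice with `// ends_with is case-sensitive; the /.well-known/ trigger above is not`. The `any(body.links, …)` expression these lines sit in starts in this hunk and closes outside it.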
@@ -1,15 +1,26 @@
 name: "Link: Common Hidden Directory Observed"
 description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+references:
+ - "https://datatracker.ietf.org/doc/html/rfc8615"
+ - "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
 type: "rule"
 severity: "medium"
 source: |
 type.inbound
- and length(body.links) < 10
+ and 0 < length(body.links) <= 10
 and any(body.links,
 (
 strings.icontains(.href_url.path, "/.well-known/")
+
+ // https://datatracker.ietf.org/doc/html/rfc9116
 and not strings.ends_with(.href_url.path, '/.well-known/security.txt')
+
+ // https://datatracker.ietf.org/doc/html/rfc7517
+ // NOT registered with IANA
 and not strings.ends_with(.href_url.path, '/.well-known/jwks.json')
+
+ // https://www.w3.org/TR/change-password-url/#semantics
+ and not strings.ends_with(.href_url.path, '/.well-known/change-password')
 )
 or strings.icontains(.href_url.path, "/.js/")
 or strings.icontains(.href_url.path, "/.env/")
@@ -23,6 +34,8 @@ source: |
 or strings.icontains(.href_url.path, "/.bashrc/")
 or strings.icontains(.href_url.path, "/.zshrc/")
 or strings.icontains(.href_url.path, "/.profile/")
+
+
 )
 // negate highly trusted sender domains unless they fail DMARC authentication
 and (
From bdf114f68348d59312c698ff0170708b5ecc3b9f Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Mon, 6 Jan 2025 08:44:27 -0600
Subject: [PATCH 6/7] Update link_hidden_dir.yml
---
 detection-rules/link_hidden_dir.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index c1d8c2f967d..a3adb323b49 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
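Review bot: `and 0 < length(body.links) <= 10` in the first hunk relies on a chained comparison, and nothing in this file shows that the query language accepts that form rather than evaluating `(0 < length(body.links)) <= 10`; unless it is documented as supported, `and length(body.links) > 0 and length(body.links) <= 10` is the unambiguous spelling. The lower bound also appears redundant, since `any(body.links, …)` below is presumably false for an empty list, so a short comment on why it was added (a cheaper early exit, or a quirk of `any` on empty input) would stop someone from removing it again. The per-exclusion comments are a good addition; the `// NOT registered with IANA` note on jwks.json would be more useful if the other two said whether they are registered, so a reader knows which of the `references` entries is the source of truth for each line. The second hunk of this patch only inserts two blank lines.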
@@ -21,6 +21,9 @@ source: |
 
 // https://www.w3.org/TR/change-password-url/#semantics
 and not strings.ends_with(.href_url.path, '/.well-known/change-password')
+
+ // https://openid.net/specs/openid-connect-discovery-1_0.html#WellKnownRegistry
+ and not strings.ends_with(.href_url.path, '/.well-known/openid-configuration')
 )
 or strings.icontains(.href_url.path, "/.js/")
 or strings.icontains(.href_url.path, "/.env/")
From fc13aa07f2b4ab70b818246a28eef460dea1d6f3 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 8 Jan 2025 23:02:12 -0600
Subject: [PATCH 7/7] use regex to catch suspicious well-known urls
---
 detection-rules/link_hidden_dir.yml | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index a3adb323b49..17b6fbe1d8b 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -11,19 +11,7 @@ source: |
 and any(body.links,
 (
 strings.icontains(.href_url.path, "/.well-known/")
-
- // https://datatracker.ietf.org/doc/html/rfc9116
- and not strings.ends_with(.href_url.path, '/.well-known/security.txt')
-
- // https://datatracker.ietf.org/doc/html/rfc7517
- // NOT registered with IANA
- and not strings.ends_with(.href_url.path, '/.well-known/jwks.json')
-
- // https://www.w3.org/TR/change-password-url/#semantics
- and not strings.ends_with(.href_url.path, '/.well-known/change-password')
-
- // https://openid.net/specs/openid-connect-discovery-1_0.html#WellKnownRegistry
- and not strings.ends_with(.href_url.path, '/.well-known/openid-configuration')
+ and regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
 )
 or strings.icontains(.href_url.path, "/.js/")
 or strings.icontains(.href_url.path, "/.env/")
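Review bot: The regex `'\/\.well-known\/[^\/]+\/'` in PATCH 7/7 treats any sub-path under `.well-known` as suspicious, which also catches registered well-known URIs that legitimately carry one: RFC 8414 places metadata for path-based issuers at `/.well-known/oauth-authorization-server/<issuer-path>`, and CA/Browser Forum domain validation uses `/.well-known/pki-validation/<file>`, both of which now match. If those are acceptable false positives, a comment saying so belongs next to the regex (`// registered names with sub-paths (oauth-authorization-server, pki-validation) are matched on purpose`); otherwise keep the broad match and add `and not` exclusions for the registered names that take a sub-path, in the same style the patch just removed. Two nits on the same line: the `\/` escapes are unnecessary inside a single-quoted string, so `'/\.well-known/[^/]+/'` is the same pattern and easier to read, and the `strings.icontains(.href_url.path, "/.well-known/")` context line above is now implied by the regex and can be dropped. The `any(body.links, …)` expression this hunk sits in starts in the hunk and closes outside it.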