Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create link_hidden_dir.yml #2250

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
48 changes: 48 additions & 0 deletions detection-rules/link_hidden_dir.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
name: "Link: Common Hidden Directory Observed"
description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
references:
- "https://datatracker.ietf.org/doc/html/rfc8615"
- "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
type: "rule"
severity: "medium"
source: |
type.inbound
and 0 < length(body.links) <= 10
and any(body.links,
(
strings.icontains(.href_url.path, "/.well-known/")
and regex.icontains(.href_url.path, '\/\.well-known\/[^\/]+\/')
)
or strings.icontains(.href_url.path, "/.js/")
or strings.icontains(.href_url.path, "/.env/")
or strings.icontains(.href_url.path, "/.git/")
or strings.icontains(.href_url.path, "/.svn/")
or strings.icontains(.href_url.path, "/.hg/")
or strings.icontains(.href_url.path, "/.DS_Store/")
or strings.icontains(.href_url.path, "/.htpasswd/")
or strings.icontains(.href_url.path, "/.htaccess/")
or strings.icontains(.href_url.path, "/.bash_history/")
or strings.icontains(.href_url.path, "/.bashrc/")
or strings.icontains(.href_url.path, "/.zshrc/")
or strings.icontains(.href_url.path, "/.profile/")


)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
tags:
- "Attack surface reduction"
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "URL analysis"
- "HTML analysis"
id: "9f316da6-821c-5fed-b967-80fc0e740626"
Loading