From a406ae2cfb5bcc7f54586b80f70418fa96cbd107 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 10 Jan 2025 10:58:26 -0500
Subject: [PATCH 1/3] Create link_youtube_user_info_excessive_padding.yml
---
 ...nk_youtube_user_info_excessive_padding.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 detection-rules/link_youtube_user_info_excessive_padding.yml
diff --git a/detection-rules/link_youtube_user_info_excessive_padding.yml b/detection-rules/link_youtube_user_info_excessive_padding.yml
new file mode 100644
index 00000000000..2c5734216a4
--- /dev/null
+++ b/detection-rules/link_youtube_user_info_excessive_padding.yml
@@ -0,0 +1,35 @@
+name: "Link: Obfuscation via YouTube.com user info with excessive URL padding"
+description: "Identifies instances where a malicious actor leverages YouTube's domain name as a username in a URL, while the actual root domain leads elsewhere. The URL is further obfuscated using excessive URL-encoded spaces (%20) to hide the true destination in preview windows."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.links) < 100
+ and any(body.links,
+ (
+ // Detects cases where the URL starts with youtube.com but the root domain is not youtube.com.
+ // A browser will interpret the URL as directing to malicious-site.com, ignoring youtube.com entirely
+ // because everything before the @ symbol is treated as a username.
+ (
+ regex.match(.href_url.url,
+ 'https?:\/\/(?:www\.)?youtube.com.*'
+ ) // Matches URLs starting with youtube.com
+ or .href_url.username == "youtube.com" // Checks if youtube.com is used as a username
+ )
+ and .href_url.domain.root_domain != "youtube.com" // Verifies that the actual root domain is not youtube.com
+
+ // Detects excessive padding (e.g., %20) used to obfuscate the malicious portion of the URL.
+ // Padding forces the malicious portion to be hidden in truncated previews (e.g., in email clients or chat apps).
+
+ and strings.count(.href_url.url, "%20") > 30 // Flags URLs with more than 30 URL-encoded spaces
+ )
+ )
+
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Impersonation: Brand"
+detection_methods:
+ - "URL analysis"
From 9adcbe142c4fe62dd10eb51aa658d7fdb4fcd4a2 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Fri, 10 Jan 2025 16:00:29 +0000
Subject: [PATCH 2/3] Auto add rule ID
---
 detection-rules/link_youtube_user_info_excessive_padding.yml | 1 +
 1 file changed, 1 insertion(+)
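Review bot: Both brand checks inside `any(body.links, ...)` are case-sensitive, so an href that spells the brand as `YouTube.com` satisfies neither the `regex.match` branch nor `.href_url.username == "youtube.com"` while still showing the brand in a preview; `regex.imatch(.href_url.url, 'https?:\/\/(?:www\.)?youtube\.com.*')` and `.href_url.username in~ ("youtube.com", "www.youtube.com")` close that gap and also cover the `www.` form of the username. Escaping the dots as above additionally stops the pattern matching `youtubeXcom`, which only widens the match here but costs precision. The regex branch does not actually require the `@` that the header comment describes, so together with the root-domain check it also fires on `youtube.com.<other-root>` subdomain lookalikes; the comment above it should say so, e.g. `// Also fires when youtube.com is a leading subdomain of another root domain (no @ required)`.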
diff --git a/detection-rules/link_youtube_user_info_excessive_padding.yml b/detection-rules/link_youtube_user_info_excessive_padding.yml
index 2c5734216a4..8f8e662e45c 100644
--- a/detection-rules/link_youtube_user_info_excessive_padding.yml
+++ b/detection-rules/link_youtube_user_info_excessive_padding.yml
@@ -33,3 +33,4 @@ tactics_and_techniques:
 - "Impersonation: Brand"
 detection_methods:
 - "URL analysis"
+id: "91b7b09a-f353-533c-a4b5-f15af3b1eb63"
From db9fd0bd8b680de82c1d1d0113703c1916070332 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Fri, 10 Jan 2025 11:59:36 -0500
Subject: [PATCH 3/3] Update link_youtube_user_info_excessive_padding.yml
---
 detection-rules/link_youtube_user_info_excessive_padding.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/link_youtube_user_info_excessive_padding.yml b/detection-rules/link_youtube_user_info_excessive_padding.yml
index 8f8e662e45c..8e3eb3d84a9 100644
--- a/detection-rules/link_youtube_user_info_excessive_padding.yml
+++ b/detection-rules/link_youtube_user_info_excessive_padding.yml
@@ -1,4 +1,4 @@
-name: "Link: Obfuscation via YouTube.com user info with excessive URL padding"
+name: "Link: Obfuscation via YouTube.com User Info with Excessive URL Padding"
 description: "Identifies instances where a malicious actor leverages YouTube's domain name as a username in a URL, while the actual root domain leads elsewhere. The URL is further obfuscated using excessive URL-encoded spaces (%20) to hide the true destination in preview windows."
 type: "rule"
 severity: "medium"