
Commit 5ab1992

[PR #3998] modified rule: Attachment: QR code with recipient targeting and special characters
1 parent 1d882a7 commit 5ab1992


1 file changed

+22
-35
lines changed


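--- a/detection-rules/3998_attachment_qr_with_recipient_targeting_and_special_characters.yml
+++ b/detection-rules/3998_attachment_qr_with_recipient_targeting_and_special_characters.yml
@@ -73,62 +73,49 @@ source: |
 or (
 // Email Attachments
 any(file.parse_eml(.).attachments,
-any(file.explode(.),
-.scan.qr.type == "url"
-// QR code URL contains recipient's email (targeting indicator)
-and any(recipients.to,
-.email.domain.valid
-and (
-// Plaintext email address in URL
-strings.icontains(..scan.qr.url.url, .email.email)
-// OR base64 encoded email address
-or any(strings.scan_base64(..scan.qr.url.url,
-format="url",
-ignore_padding=true
-),
-strings.icontains(., ..email.email)
-)
-)
-)
+//
+// This rule makes use of a beta feature and is subject to change without notice
+// using the beta feature in custom rules is not suggested until it has been formally released
+//
+any(beta.scan_qr(.).items,
+.type is not null
 // a single path
-and strings.count(.scan.qr.url.path, '/') == 2
+and strings.count(.url.path, '/') == 2
 and (
 (
 (
-strings.contains(.scan.qr.url.path, '/$')
-or strings.contains(.scan.qr.url.path, '/*')
-or strings.contains(.scan.qr.url.path, '/#')
+strings.contains(.url.path, '/$')
+or strings.contains(.url.path, '/*')
+or strings.contains(.url.path, '/#')
 )
 // subdomain should contain num{3}alpha or alphanum{3}
-and regex.icontains(.scan.qr.url.domain.subdomain,
+and regex.icontains(.url.domain.subdomain,
 '^(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)$'
 )
 // url path should contain num{3}alpha or alphanum{3}
-and regex.icontains(.scan.qr.url.path,
+and regex.icontains(.url.path,
 '\/(?:[a-z]+[0-9]{3}|[0-9]{3}[a-z]+)\/'
 )
 )
 or (
 // special char in the path
 (
-strings.contains(.scan.qr.url.path, '!')
-or strings.contains(.scan.qr.url.path, '@')
+strings.contains(.url.path, '!')
+or strings.contains(.url.path, '@')
 )
 and (
-strings.contains(.scan.qr.url.path, '/$')
-or strings.contains(.scan.qr.url.path, '/*')
-or strings.contains(.scan.qr.url.path, '/#')
+strings.contains(.url.path, '/$')
+or strings.contains(.url.path, '/*')
+or strings.contains(.url.path, '/#')
 // hex dollar sign
-or strings.icontains(.scan.qr.url.path, '%24')
+or strings.icontains(.url.path, '%24')
 // hex star
-or strings.icontains(.scan.qr.url.path, '%2A')
+or strings.icontains(.url.path, '%2A')
 // hex pound
-or strings.icontains(.scan.qr.url.path, '%23')
+or strings.icontains(.url.path, '%23')
 )
 // ensure expected ordering
-and regex.icontains(.scan.qr.url.url,
-'[!@].*(?:[$*]|%2[A43])'
-)
+and regex.icontains(.url.url, '[!@].*(?:[$*]|%2[A43])')
 )
 )
 )
@@ -201,4 +188,4 @@ detection_methods:
 id: "a4ebed09-6966-5b4c-8449-f066d65b4c99"
 og_id: "fc9e1c09-4691-5cde-94d1-ccd953f1b63a"
 testing_pr: 3998
-testing_sha: e2d76195bf62085228e261fec1c2d676d80e5fdd
+testing_sha: be1c1a4731fb85046d3941a24ef203c3e64f20ca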
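Review bot: The new `beta.scan_qr(.).items` predicate no longer requires the recipient's address to appear in the QR URL — old lines 78–91 (`and any(recipients.to, .email.domain.valid and (strings.icontains(..scan.qr.url.url, .email.email) or ...scan_base64...))`) were deleted and nothing equivalent was added on the new side, yet the rule's filename still says `recipient_targeting` and every sibling path/special-character check was only renamed from `.scan.qr.url.*` to `.url.*`. If dropping the targeting signal was intended, the rule name and description should say so, since analysts triaging a hit will otherwise assume the recipient was found in the decoded URL; if it was not intended, the block ports directly to the new schema as below. Separately, `.type is not null` on new line 81 is looser than the old `.scan.qr.type == "url"` — presumably the `.url.*` fields are null for non-URL payloads so the later checks still fail closed, but pinning `.type == "url"` would make that explicit. The enclosing `source: |` block begins before the hunk.

```yaml
any(beta.scan_qr(.).items,
  .type is not null
  // QR code URL contains recipient's email (targeting indicator)
  and any(recipients.to,
          .email.domain.valid
          and (
            // plaintext email address in URL
            strings.icontains(..url.url, .email.email)
            // OR base64 encoded email address
            or any(strings.scan_base64(..url.url,
                                       format="url",
                                       ignore_padding=true
                   ),
                   strings.icontains(., ..email.email)
            )
          )
  )
  // … unchanged: single-path, subdomain/path pattern and special-character checks …
```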
