
Commit 8a9d17c

Create link_susp_gophp.yml
1 parent c8898a1 commit 8a9d17c


1 file changed

+21
-0
lines changed

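--- /dev/null
+++ b/link_susp_gophp.yml
@@ -0,0 +1,21 @@
+name: "Link: Suspicious go.php redirect with document lure"
+description: "Detects links ending in 'go.php' with authentication parameters that masquerade as document access links using 'Open Document' display text."
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and any(body.current_thread.links,
+strings.ends_with(.href_url.path, "go.php")
+and strings.starts_with(.href_url.query_params, "auth=")
+and strings.count(.href_url.path, "/") == 2
+and .display_text == "Open Document"
+)
+
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Evasion"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "URL analysis"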
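Review bot: The parameter check on line 9 of the new file, `strings.starts_with(.href_url.query_params, "auth=")`, only fires when `auth` is the very first query parameter, and the path and display-text comparisons on lines 8 and 11 are case-sensitive exact matches, so a link with `?id=1&auth=`, a `GO.PHP` path or an `Open document` label falls outside the rule while still matching the lure the description names. A looser but still specific form would be `strings.iends_with(.href_url.path, "go.php")`, `regex.icontains(.href_url.query_params, '(^|&)auth=')` and `strings.ilike(.display_text, "*open document*")`; whether the wider display-text match holds precision should be checked against the corpus before adopting it. The `strings.count(.href_url.path, "/") == 2` constraint on line 10 limits hits to exactly one directory level, which looks like a deliberate precision trade-off; if so, a short comment in the source block would keep the next maintainer from relaxing it blindly, e.g. `// observed lures sit at /<dir>/go.php; revisit if the campaign changes path depth`.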
