Sync from PR#2245
Create attachment_html_with_long_timeout.yml by @morriscode
#2245
Source SHA 9074e47
Triggered by @morriscode
Sublime Rule Testing Bot committed Dec 24, 2024
1 parent 8d48170 commit 4fb86af
Showing 1 changed file with 18 additions and 0 deletions.
18 changes: 18 additions & 0 deletions detection-rules/attachment_html_with_long_timeout.yml
@@ -0,0 +1,18 @@
name: "Attachment: HTML file with abnormally long timeout"
description: "Detects inbound messages containing HTML attachments that use abnormally long setTimeout functions as a potential sandbox evasion technique."
type: "rule"
severity: "high"
source: "type.inbound\nand any(attachments,\n (\n .file_extension in~ (\"html\", \"htm\", \"shtml\", \"dhtml\")\n or .file_type == \"html\"\n )\n and \n\n regex.icontains(file.parse_html(.).raw, 'setTimeout\\(\\(\\) =>.*?\\d{4}\\);')\n )\n and not headers.return_path.domain.root_domain == \"phriendlyphishing.com\"\n"
attack_types:
- "Malware/Ransomware"
- "Credential Phishing"
tactics_and_techniques:
- "HTML smuggling"
- "Scripting"
detection_methods:
- "File analysis"
- "HTML analysis"
- "Header analysis"
id: "dc11f4fe-480f-5136-b02d-c69c5a65f85e"
testing_pr: 2245
testing_sha: 9074e47443025d2b7e54033022aada95fda854f5
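
Review bot: the regex in the `source:` expression, `setTimeout\(\(\) =>.*?\d{4}\);`, only matches the arrow-function form `setTimeout(() =>`, so an HTML attachment that schedules its payload with `setTimeout(function () { ... }, 5000);` or with a named callback is not flagged; if the intent is any long timeout, match the call more loosely (for example `setTimeout\s*\(` followed by the lazy `.*?`). The `\d{4}\);` tail also means the effective threshold is one second, not an "abnormally long" delay as the `description:` says: any four-digit millisecond value matches, longer values match too because the lazy `.*?` absorbs their leading digits, and only three-digit delays are excluded; either document that threshold or raise it with something like `\d{5,}\);`. Note as well that `.*?` will not span a line break if the engine's `.` does not match newlines, so a callback body written across several lines would evade the rule. Finally, the `and \n\n` immediately before the `regex.icontains(...)` call leaves a trailing space and two blank lines inside the expression; reduce that to a single `and` so the rule reads cleanly.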
