From 6153ca2d90588f9f72731a395e5bf063b7099b14 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Fri, 27 Dec 2024 19:00:52 +0000
Subject: [PATCH] Sync from PR#2250 Create link_hidden_dir.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2250 Source SHA f6ef607e1659b7957561ba22b7f00127c63de349 Triggered by @zoomequipd
---
 detection-rules/link_hidden_dir.yml | 45 +++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 detection-rules/link_hidden_dir.yml
diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
new file mode 100644
index 00000000000..2e47dc5299c
--- /dev/null
+++ b/detection-rules/link_hidden_dir.yml
@@ -0,0 +1,45 @@
+name: "Link: Common Hidden Directory Observed"
+description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(body.links) < 10
+ and any(body.links,
+ (
+ strings.icontains(.href_url.path, "/.well-known/")
+ and not strings.icontains(.href_url.path, '/.well-known/security.txt')
+ )
+ or strings.icontains(.href_url.path, "/.js/")
+ or strings.icontains(.href_url.path, "/.env/")
+ or strings.icontains(.href_url.path, "/.git/")
+ or strings.icontains(.href_url.path, "/.svn/")
+ or strings.icontains(.href_url.path, "/.hg/")
+ or strings.icontains(.href_url.path, "/.DS_Store/")
+ or strings.icontains(.href_url.path, "/.htpasswd/")
+ or strings.icontains(.href_url.path, "/.htaccess/")
+ or strings.icontains(.href_url.path, "/.bash_history/")
+ or strings.icontains(.href_url.path, "/.bashrc/")
+ or strings.icontains(.href_url.path, "/.zshrc/")
+ or strings.icontains(.href_url.path, "/.profile/")
+ )
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+tags:
+ - "Attack surface reduction"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "URL analysis"
+ - "HTML analysis"
+id: "9f316da6-821c-5fed-b967-80fc0e740626"
+testing_pr: 2250
+testing_sha: f6ef607e1659b7957561ba22b7f00127c63de349
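Review bot: Several of the patterns in the `any(body.links, ...)` block name files rather than directories, yet every one carries a trailing slash (`"/.env/"`, `"/.htpasswd/"`, `"/.htaccess/"`, `"/.DS_Store/"`, `"/.bash_history/"`, `"/.bashrc/"`, `"/.zshrc/"`, `"/.profile/"`), so a link whose path ends in `/.env` or `/.htpasswd` does not match; only a URL that uses the name as a directory component does. If directory-only matching is the intent (the rule name suggests it is), a comment in the `source` block such as `// trailing slash on purpose: only match these names when used as a directory component` would make that explicit; if direct links to the files should also fire, each pattern needs a variant without the trailing slash. The `.well-known` carve-out excludes only `security.txt`, so other registered `.well-known` names (for example `acme-challenge` or `change-password`) still match, which may be worth checking against false-positive data before the rule is enabled. The two `.well-known` conditions also mix double and single quotes for string literals; one quoting style would keep the block consistent.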