diff --git a/detection-rules/link_hidden_dir.yml b/detection-rules/link_hidden_dir.yml
index b4a4b771b92..34d25ad9d6d 100644
--- a/detection-rules/link_hidden_dir.yml
+++ b/detection-rules/link_hidden_dir.yml
@@ -1,37 +1,11 @@
 name: "Link: Common Hidden Directory Observed"
 description: "Links in the message point to sensitive system directories like .git, .env, or .well-known that could expose confidential configuration data or system files. Actors will often abuse these directories to hide credential phishing landing pages of compromised sites."
+references:
+ - "https://datatracker.ietf.org/doc/html/rfc8615"
+ - "https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml"
 type: "rule"
 severity: "medium"
-source: |
- type.inbound
- and length(body.links) < 10
- and any(body.links,
- (
- strings.icontains(.href_url.path, "/.well-known/")
- and not strings.ends_with(.href_url.path, '/.well-known/security.txt')
- and not strings.ends_with(.href_url.path, '/.well-known/jwks.json')
- )
- or strings.icontains(.href_url.path, "/.js/")
- or strings.icontains(.href_url.path, "/.env/")
- or strings.icontains(.href_url.path, "/.git/")
- or strings.icontains(.href_url.path, "/.svn/")
- or strings.icontains(.href_url.path, "/.hg/")
- or strings.icontains(.href_url.path, "/.DS_Store/")
- or strings.icontains(.href_url.path, "/.htpasswd/")
- or strings.icontains(.href_url.path, "/.htaccess/")
- or strings.icontains(.href_url.path, "/.bash_history/")
- or strings.icontains(.href_url.path, "/.bashrc/")
- or strings.icontains(.href_url.path, "/.zshrc/")
- or strings.icontains(.href_url.path, "/.profile/")
- )
- // negate highly trusted sender domains unless they fail DMARC authentication
- and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
- )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
- )
+source: "type.inbound\nand 0 < length(body.links) <= 10\nand any(body.links,\n (\n strings.icontains(.href_url.path, \"/.well-known/\")\n \n // https://datatracker.ietf.org/doc/html/rfc9116\n and not strings.ends_with(.href_url.path, '/.well-known/security.txt')\n \n // https://datatracker.ietf.org/doc/html/rfc7517\n // NOT registered with IANA\n and not strings.ends_with(.href_url.path, '/.well-known/jwks.json')\n \n // https://www.w3.org/TR/change-password-url/#semantics\n and not strings.ends_with(.href_url.path, '/.well-known/change-password')\n )\n or strings.icontains(.href_url.path, \"/.js/\")\n or strings.icontains(.href_url.path, \"/.env/\")\n or strings.icontains(.href_url.path, \"/.git/\")\n or strings.icontains(.href_url.path, \"/.svn/\")\n or strings.icontains(.href_url.path, \"/.hg/\")\n or strings.icontains(.href_url.path, \"/.DS_Store/\")\n or strings.icontains(.href_url.path, \"/.htpasswd/\")\n or strings.icontains(.href_url.path, \"/.htaccess/\")\n or strings.icontains(.href_url.path, \"/.bash_history/\")\n or strings.icontains(.href_url.path, \"/.bashrc/\")\n or strings.icontains(.href_url.path, \"/.zshrc/\")\n or strings.icontains(.href_url.path, \"/.profile/\")\n\n\n)\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and not headers.auth_summary.dmarc.pass\n )\n or sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
 tags:
 - "Attack surface reduction"
 attack_types:
@@ -43,4 +17,4 @@ detection_methods:
 - "HTML analysis"
 id: "9f316da6-821c-5fed-b967-80fc0e740626"
 testing_pr: 2250
-testing_sha: 483588ad6776e9e230ede9b5473e16d33f0a04bf
+testing_sha: cada3ba7b355702ab7fabb7c78af1db1e7b038b1
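Review bot: The new `+source:` value is a double-quoted scalar built from `\n` escapes instead of the `|` block scalar it replaces, which makes the rule logic unreviewable line by line and bakes stray whitespace into the query (the `\n \n` blank lines after the `/.well-known/` match, the `\n\n\n)` before the closing paren, and a trailing newline). Restoring the block form, `source: |` followed by `  type.inbound` and `  and 0 < length(body.links) <= 10` with one condition per line, keeps the same logic and lets later diffs show exactly which condition changed. The link-count bound also moves from `< 10` to `<= 10` with no comment saying why; a short comment on that line recording the reason for the new cap would help the next maintainer. The `strings.ends_with` exclusions appear to be case-sensitive while the surrounding `strings.icontains` match is not, so a benign link such as `/.WELL-KNOWN/security.txt` may still fire as a false positive; worth confirming against the query language's function reference before merging.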