← Back to Explore
sublimehighRule
Attachment: PowerPoint with suspicious hyperlink
Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
Detection Query
type.inbound
and any(attachments,
(.file_extension in~ ("ppt", "pptx"))
and any(file.explode(.),
any(.scan.exiftool.fields,
.key == "Hyperlinks"
and (
4 of (
strings.ilike(.value, "*[Convert]::ToChar*"),
strings.ilike(.value, "*vbs*"),
strings.ilike(.value, "*[IO.File]::Create*"),
strings.ilike(.value, "*[IO.File]::Exists*"),
strings.ilike(.value,
"*[io.FileOPtions]::DeleteOnClose*"
),
strings.ilike(.value, "*Net.WebClient*"),
strings.ilike(.value, "*dll*"),
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: PowerPoint with suspicious hyperlink"
description: |
Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
references:
- "https://twitter.com/doc_guard/status/1570190610774257665"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(.file_extension in~ ("ppt", "pptx"))
and any(file.explode(.),
any(.scan.exiftool.fields,
.key == "Hyperlinks"
and (
4 of (
strings.ilike(.value, "*[Convert]::ToChar*"),
strings.ilike(.value, "*vbs*"),
strings.ilike(.value, "*[IO.File]::Create*"),
strings.ilike(.value, "*[IO.File]::Exists*"),
strings.ilike(.value,
"*[io.FileOPtions]::DeleteOnClose*"
),
strings.ilike(.value, "*Net.WebClient*"),
strings.ilike(.value, "*dll*"),
)
)
)
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Scripting"
detection_methods:
- "Exif analysis"
- "File analysis"
id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704"