Author: sublime
Severity: low
Type: Rule

Attachment: ICS with embedded document

ICS invite contains an embedded document.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(attachments,
        .file_extension == "ics"
        and strings.ilike(file.parse_text(.).text,
                          '*ATTACH;ENCODING=*;VALUE=BINARY*'
        )
        and (
          strings.ilike(file.parse_text(.).text, '*FILENAME=*.doc*')
          or strings.ilike(file.parse_text(.).text, '*FILENAME=*.dot*')
          or strings.ilike(file.parse_text(.).text, '*FILENAME=*.pp*')
          or strings.ilike(file.parse_text(.).text, '*FILENAME=*.wbk*')
          or strings.ilike(file.parse_text(.).text, '*FILENAME=*.xl*')
          or strings.ilike(file.parse_text(.).text, '*FILENAME=*.html*')
        )
)
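To make the rule's conditions concrete, here is an added Python re-implementation that runs over raw ICS text. It is not Sublime's code and does not use the rule engine's `strings.ilike` or `file.parse_text`; the sample invites are constructed, not real messages. It unfolds RFC 5545 folded lines, parses each ATTACH property, and reports inline binary attachments whose declared filename ends in one of the rule's extension prefixes. Two points where it generalizes the rule are noted in comments: parameter order does not matter (the rule's wildcard `*ATTACH;ENCODING=*;VALUE=BINARY*` requires ENCODING to directly follow ATTACH), and matching happens after unfolding, so a `FILENAME=` parameter split across physical lines is still seen.

```python
"""Added example: parser-based equivalent of the ICS embedded-document rule."""
import base64
import re

# Extension prefixes covered by the rule's FILENAME wildcards:
# *.doc* *.dot* *.pp* *.wbk* *.xl* *.html*
SUSPICIOUS_EXT_PREFIXES = ("doc", "dot", "pp", "wbk", "xl", "html")


def unfold(ics_text: str) -> str:
    """Undo RFC 5545 line folding: a line break followed by a space or tab
    continues the previous content line. Folding can split a parameter such
    as FILENAME= across physical lines, so matching is done after unfolding
    (the rule matches the text as the engine exposes it)."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def split_property(line: str):
    """Split one content line into (NAME, {PARAM: value}, value).
    The value begins at the first ':' outside a quoted parameter value.
    Returns None for lines with no ':' (not valid content lines)."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        return None
    # Simplification: a ';' inside a quoted parameter value is not handled.
    name, *raw_params = head.split(";")
    params = {}
    for p in raw_params:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.upper()] = v.strip('"')
    return name.upper(), params, value


def find_embedded_documents(ics_text: str) -> list:
    """One finding per ATTACH property carrying inline data (VALUE=BINARY with
    an ENCODING parameter) whose declared filename has a suspicious extension.
    Like the rule, comparisons are case-insensitive and any parameter name
    ending in FILENAME (for example X-FILENAME) counts, because the wildcard
    '*FILENAME=*' is a substring match. Unlike the rule, parameter order is
    irrelevant here."""
    findings = []
    for line in unfold(ics_text).splitlines():
        parsed = split_property(line)
        if parsed is None:
            continue
        name, params, value = parsed
        if name != "ATTACH" or params.get("VALUE", "").upper() != "BINARY":
            continue
        if "ENCODING" not in params:
            continue
        filename = next((v for k, v in params.items() if k.endswith("FILENAME")), "")
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if not ext.startswith(SUSPICIOUS_EXT_PREFIXES):
            continue
        try:
            payload_bytes = len(base64.b64decode(value, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            payload_bytes = None  # declared binary, but not valid base64
        findings.append({"filename": filename, "extension": ext,
                         "payload_bytes": payload_bytes})
    return findings


def rule_matches(ics_text: str) -> bool:
    """True when the rule's attachment conditions hold for this ICS text."""
    return bool(find_embedded_documents(ics_text))


# Constructed samples (not real invites). The first is folded per RFC 5545
# and uses the parameter order the rule's wildcard expects.
SAMPLE_EMBEDDED_DOC = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly review\r\n"
    "ATTACH;ENCODING=BASE64;VALUE=BINARY;FMTTYPE=application/msword;\r\n"
    " FILENAME=agenda.docm:UEsDBA==\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
SAMPLE_LINK_ONLY = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "ATTACH;FMTTYPE=application/pdf:https://example.invalid/agenda.pdf\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for label, sample in (("embedded", SAMPLE_EMBEDDED_DOC), ("link", SAMPLE_LINK_ONLY)):
        print(label, rule_matches(sample), find_embedded_documents(sample))
```

The `payload_bytes` field is a cheap triage aid: an ATTACH that declares `VALUE=BINARY` but does not decode is worth a second look, and a decoded size lets an analyst pull the real file out of the invite for file analysis rather than relying on the filename alone. Invites that only reference an attachment by URI, as in the second sample, do not satisfy the rule.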

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content

name: "Attachment: ICS with embedded document"
description: |
  ICS invite contains an embedded document.
references:
  - "https://delivr.to/payloads?id=2212f8db-5a21-4b36-a15e-4097adbc136d"
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "ics"
          and strings.ilike(file.parse_text(.).text,
                            '*ATTACH;ENCODING=*;VALUE=BINARY*'
          )
          and (
            strings.ilike(file.parse_text(.).text, '*FILENAME=*.doc*')
            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.dot*')
            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.pp*')
            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.wbk*')
            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.xl*')
            or strings.ilike(file.parse_text(.).text, '*FILENAME=*.html*')
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
id: "8f9957d9-a06a-5c5a-83af-2dc5c25bed86"