attachment_remote_template_injection.yml
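---
# Detection rule: flags inbound mail whose attachment references an external
# (HTTP-hosted) Word template via the "attachedTemplate" relationship, either
# directly in an Office file or inside an archive / RTF container.
#
# The two block scalars (description, source) were rendered with their
# indentation stripped; the body below restores it so the file parses. The MQL
# in `source` is whitespace-insensitive, so its internal indentation is
# presentational only.
name: "Attachment: Remote Template Injection"
description: |
  A document, or zipped document that makes use of remote template injection.
type: "rule"
severity: "medium"
authors:
  - twitter: "delivr_to"
references:
  - https://delivr.to/payloads?id=ef187d5d-3188-483e-b3b5-9ab5e0e032f7
# Branch 1: Office files (by extension, or by sniffed docx type when there is
# no extension) whose parsed relationships include an attachedTemplate entry
# whose target contains "http" (regex.icontains, so anywhere in the target,
# not only as a prefix).
# Branch 2: archives (by extension or sniffed 7z type) and RTF files, exploded
# with binexplode; XML and RTF members are string-scanned for
# "attachedTemplate ... target ... http".
#
# NOTE(review): both branches key on the substring "http", so a template
# referenced by a non-HTTP location (for example a UNC or file path) is
# presumably not matched — confirm whether that is an accepted coverage gap.
# NOTE(review): the string-scan regex in branch 2 assumes "target" appears
# after "attachedTemplate" in the member's text; if attribute order differs,
# the match presumably fails — verify against samples.
source: |
  type.inbound
  and any(attachments,
          (
            (
              // office files
              .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm")
              // detect files without an extension
              or .file_type in ("docx")
            )
            and any(beta.oletools(.).relationships,
                    .name =~ "attachedtemplate" and
                    regex.icontains(.target, "http.*")
            )
          )
          or (
            (
              // explode archives
              .file_extension in~ $file_extensions_common_archives
              // detect files without an extension
              or .file_type in ("7z")
              // rtf files
              or .file_extension in~ ("rtf")
            )
            and (
              any(beta.binexplode(.),
                  (
                    // office files
                    .flavors.mime == "text/xml" and
                    any(.scan.strings.strings, regex.icontains(., "attachedTemplate.*target.*http.*"))
                  ) or
                  (
                    // rtf files
                    .flavors.mime == "text/rtf" and
                    any(.scan.strings.strings, regex.icontains(., "attachedTemplate.*target.*http.*"))
                  )
              )
            )
          )
  )
tags:
  - "Suspicious Attachment"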