From 8c006cca81114cf2e4d8359945566055787eed67 Mon Sep 17 00:00:00 2001
From: DZ <142337924+p-o-s-t@users.noreply.github.com>
Date: Sat, 7 Jun 2025 09:43:21 -0500
Subject: [PATCH 1/6] Update example.yara
Changed first string match to be a regex pattern search; removed `wide` modifier since emails are in UTF-8.
---
 example.yara | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/example.yara b/example.yara
index 09cf613..b4dba96 100644
--- a/example.yara
+++ b/example.yara
@@ -11,22 +11,22 @@ rule Email_iCal_Spoof_Detection { // Define a variable for the target domains // This regex group will be used in other regex strings // Populate this with the list of authorized domains that you expect icals to be forwarded or sent from from - $target_domains_regex = "(natesubra|example)\\.com" + $target_domains_regex = /(natesubra|example)\\.(com|net)/ // String to identify an iCal attachment by its Content-Type header - $ical_content_type = "Content-Type: text/calendar" nocase ascii wide + $ical_content_type = "Content-Type: text/calendar" nocase ascii // String to identify the beginning of iCal content - $ical_begin = "BEGIN:VCALENDAR" nocase ascii wide + $ical_begin = "BEGIN:VCALENDAR" nocase ascii // Regex to find 'ORGANIZER' field with the specific domains within iCal content // This accounts for various formats of the ORGANIZER field, including common CN (Common Name) // We use the $target_domains_regex variable here - $ical_organizer_domain = /ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@#target_domains_regex/ nocase ascii wide + $ical_organizer_domain = /ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@#target_domains_regex/ nocase ascii // Regex to find the 'From' header with the specific domains // We use the $target_domains_regex variable here - $from_header_domain = /From:.*<[^@]+@#target_domains_regex>/ nocase ascii wide + $from_header_domain = /From:.*<[^@]+@#target_domains_regex>/ nocase ascii condition: // Ensure it's likely an iCal attachment by checking content type or begin tag From c3109162acad6545ae89dd613e987ae0813c027b Mon Sep 17 00:00:00 2001 From: DZ <142337924+p-o-s-t@users.noreply.github.com> Date: Sat, 7 Jun 2025 10:35:40 -0500 Subject: [PATCH 2/6] Update example.yara Removed target domains, moved to the respective strings looking for regex. --- example.yara | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/example.yara b/example.yara index b4dba96..194dfcc 100644 --- a/example.yara +++ b/example.yara 
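Review bot: The new regex literal `$target_domains_regex = /(natesubra|example)\\.(com|net)/` does not match `example.com`: inside a YARA `/…/` pattern `\\.` is an escaped backslash followed by any character, so the dot escape the old string literal encoded is lost; the literal should read `/(natesubra|example)\.(com|net)/`. The `#target_domains_regex` references carried over unchanged inside `$ical_organizer_domain` and `$from_header_domain` are, as far as I can tell, not a YARA construct (`#` is the match-count operator and is only valid in the condition), so the rule still does not compile until those patterns inline the domain group. The hunk also widens the accepted domains to `.net` while the comment above the variable says nothing about it, so add a word there. The rule's `condition:` block continues outside the hunk.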
@@ -1,4 +1,3 @@ -// https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a rule Email_iCal_Spoof_Detection { meta: author = "Nate Subra" @@ -6,13 +5,9 @@ rule Email_iCal_Spoof_Detection { description = "Detects emails with iCal attachments where ORGANIZER is a target domain but sender is not." severity = "MEDIUM" version = "1.2" + reference = "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a" strings: - // Define a variable for the target domains - // This regex group will be used in other regex strings - // Populate this with the list of authorized domains that you expect icals to be forwarded or sent from from - $target_domains_regex = /(natesubra|example)\\.(com|net)/ - // String to identify an iCal attachment by its Content-Type header $ical_content_type = "Content-Type: text/calendar" nocase ascii @@ -21,12 +16,11 @@ rule Email_iCal_Spoof_Detection { // Regex to find 'ORGANIZER' field with the specific domains within iCal content // This accounts for various formats of the ORGANIZER field, including common CN (Common Name) - // We use the $target_domains_regex variable here - $ical_organizer_domain = /ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@#target_domains_regex/ nocase ascii + $ical_organizer_domain = /ORGANIZER;(CN=[^:]+)?:mailto:[^@]+@(natesubra|example)\.com/ nocase ascii // Regex to find the 'From' header with the specific domains // We use the $target_domains_regex variable here - $from_header_domain = /From:.*<[^@]+@#target_domains_regex>/ nocase ascii + $from_header_domain = /From:.*<[^@]+@(natesubra|example)\.com>/ nocase ascii condition: // Ensure it's likely an iCal attachment by checking content type or begin tag From 1c98a0dfadd4484d4263a9bfb35495b9ed68dd60 Mon Sep 17 00:00:00 2001 
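Review bot: The rewritten `$ical_organizer_domain = /ORGANIZER;(CN=[^:]+)?:mailto:[^@]+@(natesubra|example)\.com/` moves the `;` out of the optional group, so a parameter-less `ORGANIZER:mailto:…` line no longer matches and the CN-less form would require the invalid `ORGANIZER;:mailto:`; the earlier shape `/ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@(natesubra|example)\.com/` keeps both forms while still inlining the domain group. The comment `// We use the $target_domains_regex variable here` above `$from_header_domain` survives on the new side although the variable is gone; drop it or change it to `// Domain group is inlined here and in $ical_organizer_domain; keep the two in sync`. The domain list is now duplicated across two strings, which is easy to update in one place and forget in the other. As a detection caveat, iCalendar folds long lines with CRLF plus whitespace, so an ORGANIZER value can legitimately be split before `mailto:`, which neither regex tolerates; whether that matters depends on whether the scanner unfolds content first. The rule's `condition:` block continues outside the hunk.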
From: DZ <142337924+p-o-s-t@users.noreply.github.com>
Date: Sat, 7 Jun 2025 17:14:25 -0500
Subject: [PATCH 3/6] Create sublime_sec_ical_render_bender.yaml
---
 sublime_sec_ical_render_bender.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 sublime_sec_ical_render_bender.yaml
diff --git a/sublime_sec_ical_render_bender.yaml b/sublime_sec_ical_render_bender.yaml
new file mode 100644
index 0000000..eefad15
--- /dev/null
+++ b/sublime_sec_ical_render_bender.yaml
@@ -0,0 +1,14 @@
+name: iCal Render Bender Detection
+severity: medium
+reference: "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a"
+source:
+ type.inbound
+ and any(attachments, .file_extension in (".ical", ".ics", ".ifb", ".icalendar")
+ and any(file.explode(.),
+ any(.scan.yara.matches,
+ .name == "sus_calendar_attachment") ## to be renamed at later time
+ )
+ )
+tags:
+ - "Social Engineering"
+ - "Pretext"
From 771b0d9888876e4552414c3c58442ac7ba1c11da Mon Sep 17 00:00:00 2001
From: DZ <142337924+p-o-s-t@users.noreply.github.com>
Date: Sat, 7 Jun 2025 17:19:30 -0500
Subject: [PATCH 4/6] Update sublime_sec_ical_render_bender.yaml
Add check for return path and from address not matching.
---
 sublime_sec_ical_render_bender.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sublime_sec_ical_render_bender.yaml b/sublime_sec_ical_render_bender.yaml
index eefad15..d9cac3f 100644
--- a/sublime_sec_ical_render_bender.yaml
+++ b/sublime_sec_ical_render_bender.yaml
@@ -6,8 +6,9 @@ source:
 and any(attachments, .file_extension in (".ical", ".ics", ".ifb", ".icalendar")
 and any(file.explode(.),
 any(.scan.yara.matches,
- .name == "sus_calendar_attachment") ## to be renamed at later time
+ .name == "sus_calendar_attachment")
 )
+ and headers.return_path.email != sender.email.email
 )
 tags:
 - "Social Engineering"
From 39c886407bdd7665f15b1165b1d6a8f251a8732c Mon Sep 17 00:00:00 2001
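Review bot: `.name == "sus_calendar_attachment"` compares against a YARA rule name, if I read `.scan.yara.matches` correctly, but the rule in the companion file is declared as `rule Email_iCal_Spoof_Detection`, and the later rename in this series changes only the file name to `sus_calendar_attachment.yar` (100% similarity, zero insertions), so this condition can never be true until the `rule` line is renamed as well or the comparison becomes `.name == "Email_iCal_Spoof_Detection"`. The `## to be renamed at later time` comment acknowledges the mismatch but is removed in the next commit without the rename happening. Separately, `source:` is written as a plain multi-line scalar; YAML folds it onto one line and treats ` ## …` as a comment, which happens to work here, but a block scalar (`source: |`) keeps the MQL verbatim and does not break if a later edit introduces `: ` or a leading `- ` inside the expression. Gating on `.file_extension in (…)` alone also means a calendar part shipped under another extension is never exploded, which the final commit only partly addresses.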
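Review bot: `and headers.return_path.email != sender.email.email` will fire on a large share of legitimate mail, because the envelope sender routinely differs from the From address for mailing lists, ESP/VERP bounce addresses and calendar services that send on behalf of a user. The comparison is also presumably case-sensitive and says nothing useful when the Return-Path header is absent, which I cannot confirm from the hunk. A domain-level comparison, ignoring case and guarded for a missing return path (for example comparing the `.domain.root_domain` of the two addresses rather than the full address strings, if I recall the Sublime schema correctly), would keep the spoofing signal with far fewer false positives. The check correctly sits outside the attachment `any(...)` since it is a message-level property.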
From: DZ <142337924+p-o-s-t@users.noreply.github.com>
Date: Sat, 7 Jun 2025 17:22:44 -0500
Subject: [PATCH 5/6] Update and rename example.yara to sus_calendar_attachment.yar
Minor updates.
---
 example.yara => sus_calendar_attachment.yar | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename example.yara => sus_calendar_attachment.yar (100%)
diff --git a/example.yara b/sus_calendar_attachment.yar
similarity index 100%
rename from example.yara
rename to sus_calendar_attachment.yar
From 3826814a2c43f031b84f5b43b4b703503d25edb0 Mon Sep 17 00:00:00 2001
From: DZ <142337924+p-o-s-t@users.noreply.github.com>
Date: Sat, 7 Jun 2025 17:23:08 -0500
Subject: [PATCH 6/6] Update sublime_sec_ical_render_bender.yaml
Add more checks.
---
 sublime_sec_ical_render_bender.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sublime_sec_ical_render_bender.yaml b/sublime_sec_ical_render_bender.yaml
index d9cac3f..7fff6cd 100644
--- a/sublime_sec_ical_render_bender.yaml
+++ b/sublime_sec_ical_render_bender.yaml
@@ -8,8 +8,9 @@ source:
 any(.scan.yara.matches,
 .name == "sus_calendar_attachment")
 )
- and headers.return_path.email != sender.email.email
 )
+ and headers.return_path.email != sender.email.email
+ and any(attachments, .content_type == "text/calendar")
 tags:
 - "Social Engineering"
 - "Pretext"
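Review bot: `and any(attachments, .content_type == "text/calendar")` is ANDed with the existing extension-gated `any(attachments, …)`, so it narrows the rule rather than widening it: an `.ics` whose declared Content-Type is anything else (`application/octet-stream`, a parameterised `text/calendar; charset=utf-8` if `.content_type` is not normalised, or a deliberately mislabelled part) now stops matching, and because the two `any` calls iterate independently the content type and the YARA hit need not come from the same attachment. If the intent is to catch calendar parts under either signal, fold the check into the first `any` as an alternative: `.file_extension in (".ical", ".ics", ".ifb", ".icalendar") or .content_type == "text/calendar"`. The declared MIME type is sender-controlled, so it should serve as a hint, not a gate. Whether `.content_type` is normalised to the bare media type I cannot tell from this hunk.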