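--- a/sublime_sec_ical_render_bender.yaml
+++ b/sublime_sec_ical_render_bender.yaml
@@ -0,0 +1,16 @@
+name: iCal Render Bender Detection
+severity: medium
+reference: "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a"
+source:
+type.inbound
+and any(attachments, .file_extension in (".ical", ".ics", ".ifb", ".icalendar")
+and any(file.explode(.),
+any(.scan.yara.matches,
+.name == "sus_calendar_attachment")
+)
+)
+and headers.return_path.email != sender.email.email
+and any(attachments, .content_type == "text/calendar")
+tags:
+- "Social Engineering"
+- "Pretext"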
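Review bot: The YARA match check `.name == "sus_calendar_attachment"` does not agree with the rule identifier in the accompanying YARA file, which declares `rule Email_iCal_Spoof_Detection`; if `.name` carries the YARA rule identifier rather than the uploaded file name, this predicate never matches and the detection is dead — worth confirming against the platform's YARA match schema and aligning one of the two names. Separately, the extension test and the `.content_type == "text/calendar"` test are two independent `any(attachments, ...)` calls, so they can be satisfied by two different attachments; folding the content-type test into the first call, `and any(attachments, .content_type == "text/calendar" and .file_extension in (".ical", ".ics", ".ifb", ".icalendar")`, and dropping the trailing `and any(attachments, .content_type == "text/calendar")` line ties both conditions to the attachment that actually produced the YARA hit. The rule also has no `description:`; a one-liner such as `description: "Inbound iCal attachment whose ORGANIZER domain matches a YARA-listed target domain while the return path and sender differ, a pattern seen in calendar-invite pretexting."` would let triage analysts understand the alert without opening the gist.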
16 changes: 5 additions & 11 deletions example.yara → sus_calendar_attachment.yar
@@ -1,32 +1,26 @@
// https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a
rule Email_iCal_Spoof_Detection {
meta:
author = "Nate Subra"
date = "2025-05-27"
description = "Detects emails with iCal attachments where ORGANIZER is a target domain but sender is not."
severity = "MEDIUM"
version = "1.2"
reference = "https://gist.github.com/natesubra/0577178177ef64adce0866ee71ada41a"

strings:
// Define a variable for the target domains
// This regex group will be used in other regex strings
// Populate this with the list of authorized domains that you expect icals to be forwarded or sent from from
$target_domains_regex = "(natesubra|example)\\.com"

// String to identify an iCal attachment by its Content-Type header
$ical_content_type = "Content-Type: text/calendar" nocase ascii wide
$ical_content_type = "Content-Type: text/calendar" nocase ascii

// String to identify the beginning of iCal content
$ical_begin = "BEGIN:VCALENDAR" nocase ascii wide
$ical_begin = "BEGIN:VCALENDAR" nocase ascii

// Regex to find 'ORGANIZER' field with the specific domains within iCal content
// This accounts for various formats of the ORGANIZER field, including common CN (Common Name)
// We use the $target_domains_regex variable here
$ical_organizer_domain = /ORGANIZER(?:;CN=[^:]+)?:mailto:[^@]+@#target_domains_regex/ nocase ascii wide
$ical_organizer_domain = /ORGANIZER;(CN=[^:]+)?:mailto:[^@]+@(natesubra|example)\.com/ nocase ascii

// Regex to find the 'From' header with the specific domains
// We use the $target_domains_regex variable here
$from_header_domain = /From:.*<[^@]+@#target_domains_regex>/ nocase ascii wide
$from_header_domain = /From:.*<[^@]+@(natesubra|example)\.com>/ nocase ascii

condition:
// Ensure it's likely an iCal attachment by checking content type or begin tag