Question

How can we detect email IOCs in a custom rule or via threat feed name

  • November 13, 2025
  • 1 reply
  • 54 views

Austin123

Hi Team,


Could you please advise how to write YARA-L rules to detect email IOCs or share the relevant threat feed name. 

Thanks

1 reply

rupinderv
Staff
  • November 16, 2025

Hi ​@Austin123 ,

Here is an example of one rule which shows Gmail-related logs and correlates them with Mandiant Intel.

rule gmail_attachment_mandiant_ioc { // rule name is a placeholder added for completeness; it is not in the original post
  events:
    $e1.metadata.log_type = "WORKSPACE_ACTIVITY" // Log Type
    $e1.metadata.event_type = "EMAIL_TRANSACTION" // Event Type
    //($e1.additional.fields["spf_pass"] = "false" OR // SPF check
    //$e1.additional.fields["dkim_pass"] = "false" OR // DKIM check
    //$e1.additional.fields["dmarc_pass"] = "false") // DMARC check
    $e1.network.email.from != "" // From email should not be empty. Most of them are bounce back emails
    $e1.additional.fields["num_message_attachments"] > "1" // At least one attachment
    $e1.network.email.from = $sender_email // Sender's email
    $e1.principal.administrative_domain = $dom
    $e1.about.file.sha256 = $hash // Extract the hash value
    not $dom in %internal_mail_domains // Exempt internal domains from detections
    $e1.about.file.sha256 != "" // hash is not empty
    //$e1.about.application = "smtp-outbound"
    $e1.principal.application = "smtp-inbound"
    //$e1.about.file.file_type = "FILE_TYPE_PDF"
    $e1.security_result.action != "BLOCK"

    // Uses VirusTotal integration via entity graph, this section maps to principal process file hash
    //$vt.graph.metadata.entity_type = "FILE"
    //$vt.graph.metadata.source_type = "GLOBAL_CONTEXT"
    //$vt.graph.metadata.vendor_name = "VirusTotal"
    //$vt.graph.metadata.product_name = "VirusTotal Relationships"
    //$vt.graph.entity.file.sha256 = $hash

    // look for hashes of the files identified as likely remote access tools
    $mati.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mati.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mati.graph.metadata.entity_type = "FILE"
    $mati.graph.metadata.source_type = "GLOBAL_CONTEXT"
    //$gcti.graph.metadata.threat.threat_feed_name = "Remote Access Tools"
    $mati.graph.entity.file.sha256 = $hash

    // or

    // look for domains identified as likely remote access tools
    //$mati.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    //$mati.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    //$mati.graph.metadata.entity_type = "DOMAIN_NAME"
    //$mati.graph.metadata.source_type = "GLOBAL_CONTEXT"
    //$gcti.graph.metadata.threat.threat_feed_name = "Remote Access Tools"
    //$mati.graph.entity.administrative_domain = $dom

  match:
    $sender_email over 1h // 15m

  outcome:
    $risk_score = max(
      // Tag enrichment from VirusTotal file metadata
      if($e1.target.file.tags = "via-tor" or $e1.target.file.tags = "malware" or $e1.target.file.tags = "crypto", 50) +
      // File types enrichment from VirusTotal file metadata
      if($e1.target.file.file_type = "FILE_TYPE_HTML", 5) +
      if($e1.target.file.file_type = "FILE_TYPE_ELF", 10) +
      if($e1.target.file.file_type = "FILE_TYPE_PE_DLL", 15) +
      if($e1.target.file.file_type = "FILE_TYPE_PE_EXE", 20)
    )
    $alerted_hash = array_distinct($hash)
    $alerted_domain = array_distinct($dom)

  condition:
    $e1 and $mati
}
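The correlation and scoring that rule performs, modelled in Python as an added example (not code from the original post or from Google SecOps): the events: filters, the join on a Mandiant file-hash entity, the per-sender 1h grouping and the outcome scoring, run over constructed sample events. Field names mirror the rule; the IOC hash, the internal-domain list and the fixed-bucket window are assumptions made for the example.

```python
from collections import defaultdict

IOC_HASH = "a" * 64                        # constructed stand-in for a Mandiant FILE entity
MATI_FILE_IOCS = {IOC_HASH}                # $mati.graph.entity.file.sha256 rows
INTERNAL_MAIL_DOMAINS = {"corp.example"}   # stand-in for the %internal_mail_domains list
TAG_HITS = {"via-tor", "malware", "crypto"}
FILE_TYPE_SCORE = {"FILE_TYPE_HTML": 5, "FILE_TYPE_ELF": 10,
                   "FILE_TYPE_PE_DLL": 15, "FILE_TYPE_PE_EXE": 20}

def event_matches(e):
    """The rule's events: filters, plus the join on the Mandiant hash ($e1 and $mati)."""
    return (e["log_type"] == "WORKSPACE_ACTIVITY" and e["event_type"] == "EMAIL_TRANSACTION"
            and e["from"] != "" and e["num_attachments"] > 1   # the rule compares to "1"
            and e["domain"] not in INTERNAL_MAIL_DOMAINS and e["sha256"] != ""
            and e["application"] == "smtp-inbound" and e["action"] != "BLOCK"
            and e["sha256"] in MATI_FILE_IOCS)

def event_score(e):
    """One event's contribution inside the outcome's max(): tag hit plus file-type weight."""
    return (50 if TAG_HITS & set(e["tags"]) else 0) + FILE_TYPE_SCORE.get(e["file_type"], 0)

def detect(events, window_s=3600):
    """Group matches per sender over 1h (fixed buckets here; the platform uses sliding windows)."""
    groups = defaultdict(list)
    for e in events:
        if event_matches(e):
            groups[(e["from"], e["ts"] // window_s)].append(e)
    return [{"sender": sender,
             "risk_score": max(event_score(e) for e in evs),        # $risk_score
             "alerted_hash": sorted({e["sha256"] for e in evs}),    # array_distinct($hash)
             "alerted_domain": sorted({e["domain"] for e in evs})}  # array_distinct($dom)
            for (sender, _), evs in groups.items()]

def mk(ts, sender, domain, sha, tags=(), ftype="FILE_TYPE_PE_EXE", attachments=2, action="ALLOW"):
    """Build a constructed Gmail EMAIL_TRANSACTION event carrying the fields the rule reads."""
    return {"ts": ts, "log_type": "WORKSPACE_ACTIVITY", "event_type": "EMAIL_TRANSACTION",
            "from": sender, "domain": domain, "num_attachments": attachments, "sha256": sha,
            "application": "smtp-inbound", "action": action, "tags": list(tags), "file_type": ftype}

SAMPLE_EVENTS = [  # constructed sample input
    mk(100, "bad@evil.test", "evil.test", IOC_HASH, tags=("malware",)),        # 50 + 20 = 70
    mk(200, "bad@evil.test", "evil.test", IOC_HASH, ftype="FILE_TYPE_HTML"),   # 0 + 5 = 5
    mk(300, "bad@evil.test", "evil.test", IOC_HASH, action="BLOCK"),           # already blocked
    mk(400, "hr@corp.example", "corp.example", IOC_HASH),                      # internal domain
    mk(500, "foo@other.test", "other.test", "b" * 64),                         # no Mandiant hit
]
```

Calling `detect(SAMPLE_EVENTS)` yields one detection for bad@evil.test with risk_score 70, because the outcome takes the maximum per-event score within the match window rather than summing across events.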