Email Attachments With Lots Of Spaces-邮件附件带有大量空格
邮件附件攻击是常用的手段。比如Cryakl勒索病毒变种在国内有部分感染,该勒索病毒主要依靠恶意邮件传播,恶意邮件中包含zip附件,zip中包含恶意宏代码的doc文档,当接收者打开文档,启用宏情况下,便会触发恶意宏代码下载执行Cryakl勒索病毒,病毒将加密文件,并在文件名末尾添加.doubleoffset后缀。
攻击者经常使用空格来混淆附件的文件扩展名。 此搜索将查找带有电子邮件附件的邮件,这些邮件附件的文件名中包含很多空格。
Splunk查询:检测邮件附件文件名带过多空格,空格比率超过10%
| tstats `summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@"
earliest=-70m@m latest=-10m@m
攻击者经常使用空格来混淆附件的文件扩展名。 此搜索将查找带有电子邮件附件的邮件,这些邮件附件的文件名中包含很多空格。
Splunk查询:检测邮件附件文件名带过多空格,空格比率超过10%
| tstats `summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `ctime(firstTime)` | `ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@"
earliest=-70m@m latest=-10m@m
