From bf50bfce4927156734f4bd4de7d55a88bd118174 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Thu, 2 Jan 2025 19:45:42 +0000
Subject: [PATCH] Sync from PR#2257 Create wordpress_abuse_cross_site_scripting.yml by @morriscode https://github.com/sublime-security/sublime-rules/pull/2257 Source SHA f3b6195b66b75eed6f8b5822a6699ad607810bab Triggered by @morriscode
---
 .../wordpress_abuse_cross_site_scripting.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 detection-rules/wordpress_abuse_cross_site_scripting.yml
diff --git a/detection-rules/wordpress_abuse_cross_site_scripting.yml b/detection-rules/wordpress_abuse_cross_site_scripting.yml
new file mode 100644
index 00000000000..cb0306b7e10
--- /dev/null
+++ b/detection-rules/wordpress_abuse_cross_site_scripting.yml
@@ -0,0 +1,64 @@
+name: "Suspected WordPress abuse with Cross-Site Scripting (XSS) indicators"
+description: "Detects inbound messages from likely compromised WordPress sites that exhibit indicators of cross-site scripting (XSS) attempts. The rule identifies potential script injection patterns within message bodies and/or subjects containing multiple suspicious JavaScript-related keywords or indicators."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and sender.email.local_part == "wordpress"
+ and (
+ regex.icontains(body.current_thread.text,
+ 'document\.createElement.{0,9}script'
+ )
+ or 2 of (
+ strings.icount(subject.subject, "script") > 1,
+ strings.count(subject.subject, '%') > 4,
+ strings.count(subject.subject, '\') > 3,
+ strings.count(subject.subject, "/") > 3,
+ strings.icontains(subject.subject, "xss"),
+ strings.contains(subject.subject, "CharCode"),
+ strings.contains(subject.subject, 'onload'),
+ strings.contains(subject.subject, 'fetch('),
+ strings.contains(subject.subject, "OnFocus="),
+ strings.contains(subject.subject, 'javascript:fetch'),
+ strings.icontains(subject.subject, "src="),
+ strings.icontains(subject.subject, "iframe"),
+ strings.icontains(subject.subject, "embed"),
+ strings.icontains(subject.subject, "object"),
+ strings.icontains(subject.subject, "onerror"),
+ strings.icontains(subject.subject, "onclick"),
+ strings.icontains(subject.subject, "onmouseover"),
+ strings.icontains(subject.subject, "onmouseout"),
+ strings.icontains(subject.subject, "onkeydown"),
+ strings.icontains(subject.subject, "onkeypress"),
+ strings.icontains(subject.subject, "onkeyup"),
+ strings.icontains(subject.subject, "onchange"),
+ strings.icontains(subject.subject, "oninput"),
+ strings.icontains(subject.subject, "onsubmit"),
+ regex.icontains(subject.subject, 'eval\b'),
+ strings.icontains(subject.subject, "alert"),
+ strings.icontains(subject.subject, "document.cookie"),
+ strings.icontains(subject.subject, "document.write"),
+ strings.icontains(subject.subject, "window.location"),
+ strings.icontains(subject.subject, "setTimeout"),
+ strings.icontains(subject.subject, "setInterval"),
+ strings.icontains(subject.subject, "atob"),
+ strings.icontains(subject.subject, "innerHTML"),
+ strings.icontains(subject.subject, "outerHTML"),
+ strings.icontains(subject.subject, "XMLHttpRequest"),
+ regex.icontains(subject.subject, 'import\b'),
+ strings.icontains(subject.subject, "execCommand")
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Scripting"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Sender analysis"
+id: "9c21225b-2dcf-5f72-b061-1c847129c319"
+testing_pr: 2257
+testing_sha: f3b6195b66b75eed6f8b5822a6699ad607810bab
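Review bot: Several indicators inside the `2 of (...)` list are bare substring matches on ordinary English words — `"object"`, `"embed"`, `"alert"`, `"script"` (counted twice, e.g. "Subscription"), and `'eval\b'`, which also matches "retrieval" — so two routine words in a legitimate WordPress notification subject ("Security alert: object cache plugin updated") reach the threshold and this high-severity rule will likely fire on benign admin mail. Anchoring the generic tokens with word boundaries keeps the XSS signal while dropping that noise, for example `regex.icontains(subject.subject, '\bobject\b'),` and `regex.icontains(subject.subject, '\beval\b'),`, with the same treatment for `embed`, `alert` and `import`. The case-sensitive checks in the same list look accidental: `strings.contains(subject.subject, "OnFocus=")`, `'onload'`, `'fetch('` and `'javascript:fetch'` miss `onfocus=` / `ONLOAD` while every neighbouring handler uses `strings.icontains`; switching them to `strings.icontains` makes the list consistent and harder to evade by casing. Presumably the single-quoted `'\'` in `strings.count(subject.subject, '\') > 3` is read by MQL as a literal backslash rather than an escape — worth confirming with a test message, since the body is inside a YAML `|` block and reaches the engine unchanged.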