Attachment: PowerShell content

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Recursively scans files and archives to detect PowerShell content. While scripts are often blocked by mail filtering, alternative file formats and archived content may be employed to bypass such controls.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | Malware/Ransomware
Tactics and techniques | Scripting

Rule body MQL

type.inbound
and any(attachments,
        (
          .file_extension in~ (
            // PowerShell related file extensions
            "ps1",
            "ps1xml",
            "psm1",
            "psd1",
            "pssc",
            "psrc",
            "cdxml",
            "ps2",
            "ps2xml",
            "psc2",
          )
          or .file_extension in~ $file_extensions_common_archives
        )
        and any(file.explode(.),
                .file_extension in~ (
                  "ps1",
                  "ps1xml",
                  "psm1",
                  "psd1",
                  "pssc",
                  "psrc",
                  "cdxml",
                  "ps2",
                  "ps2xml",
                  "psc2",
                )
        )
)

Detection logic

Scope: inbound message.

  1. inbound message (type.inbound)
  2. any of attachments where all hold:
    • any of:
      • .file_extension is, case-insensitively (in~), one of ('ps1', 'ps1xml', 'psm1', 'psd1', 'pssc', 'psrc', 'cdxml', 'ps2', 'ps2xml', 'psc2')
      • .file_extension is, case-insensitively (in~), in the $file_extensions_common_archives reference list
    • any of file.explode(.) (the attachment's recursively extracted contents) where:
      • .file_extension is, case-insensitively (in~), one of ('ps1', 'ps1xml', 'psm1', 'psd1', 'pssc', 'psrc', 'cdxml', 'ps2', 'ps2xml', 'psc2')

Inspects: attachments[].file_extension, type.inbound. Sensors: file.explode. Reference lists: $file_extensions_common_archives.

Note that both branches match on file extension only: a PowerShell script delivered under an extension outside the list, or inside an archive that the file.explode sensor cannot open, produces no match from this rule.
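To make the two-stage logic concrete, here is an added Python model of the rule (not code from the Sublime rules repository, and not the MQL engine itself) run over constructed sample attachments. It assumes a simplified file.explode that returns the attachment itself followed by every member of a zip archive, recursively, and it stands in for $file_extensions_common_archives with just "zip"; the real reference list is broader. The sample attachments, the nested-archive case and the encrypted-member handling are constructed for this example.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions copied from the rule body; compared case-insensitively like MQL `in~`.
POWERSHELL_EXTENSIONS = {
    "ps1", "ps1xml", "psm1", "psd1", "pssc", "psrc", "cdxml", "ps2", "ps2xml", "psc2",
}

# Stand-in for $file_extensions_common_archives (assumption: only zip is modelled here).
ARCHIVE_EXTENSIONS = {"zip"}


@dataclass
class Attachment:
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        # Mirrors the rule's .file_extension field: text after the last dot, or "".
        name = self.file_name.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1] if "." in name else ""


def explode(att: Attachment, depth: int = 0, max_depth: int = 8) -> list[Attachment]:
    """Simplified model of file.explode(): the file itself plus every zip member,
    recursing into nested archives. max_depth bounds recursion so a deliberately
    nested archive cannot make the scan run away (assumption, not Sublime's limit)."""
    out = [att]
    if att.file_extension.lower() not in ARCHIVE_EXTENSIONS or depth >= max_depth:
        return out
    try:
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    data = zf.read(info)
                except RuntimeError:
                    # Password-protected member: cannot be extracted, so it yields
                    # nothing to inspect, which is the blind spot noted above.
                    continue
                out.extend(explode(Attachment(info.filename, data), depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # not a real archive despite its extension; nothing more to explode
    return out


def rule_matches(inbound: bool, attachments: list[Attachment]) -> bool:
    """Evaluates the rule: inbound, and some attachment that (a) has a PowerShell or
    archive extension and (b) explodes to at least one PowerShell-extension file."""
    if not inbound:
        return False
    for att in attachments:
        ext = att.file_extension.lower()
        if ext not in POWERSHELL_EXTENSIONS and ext not in ARCHIVE_EXTENSIONS:
            continue
        if any(f.file_extension.lower() in POWERSHELL_EXTENSIONS for f in explode(att)):
            return True
    return False


def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments for the example.
SCRIPT = b"Start-Process calc.exe\n"
DIRECT = [Attachment("invoice.PS1", SCRIPT)]                      # mixed case: in~ still matches
NESTED = [Attachment("docs.zip", make_zip({"inner.zip": make_zip({"run.psm1": SCRIPT})}))]
BENIGN = [Attachment("report.zip", make_zip({"report.pdf": b"%PDF-1.4 ..."}))]
RENAMED = [Attachment("script.txt", SCRIPT)]                      # extension-only rule: no match

if __name__ == "__main__":
    for label, atts in [("direct", DIRECT), ("nested", NESTED), ("benign", BENIGN), ("renamed", RENAMED)]:
        print(f"{label}: {rule_matches(True, atts)}")
```

The "renamed" case is the point of the note above: the rule keys on extension, so a script body under .txt is invisible to it, while the nested-archive case shows why the explode step is necessary at all.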

Indicators matched (20)

Field                                      | Match  | Value
attachments[].file_extension               | member | ps1
attachments[].file_extension               | member | ps1xml
attachments[].file_extension               | member | psm1
attachments[].file_extension               | member | psd1
attachments[].file_extension               | member | pssc
attachments[].file_extension               | member | psrc
attachments[].file_extension               | member | cdxml
attachments[].file_extension               | member | ps2
attachments[].file_extension               | member | ps2xml
attachments[].file_extension               | member | psc2
file.explode(attachments[])[].file_extension | member | ps1
file.explode(attachments[])[].file_extension | member | ps1xml
file.explode(attachments[])[].file_extension | member | psm1
file.explode(attachments[])[].file_extension | member | psd1
file.explode(attachments[])[].file_extension | member | pssc
file.explode(attachments[])[].file_extension | member | psrc
file.explode(attachments[])[].file_extension | member | cdxml
file.explode(attachments[])[].file_extension | member | ps2
file.explode(attachments[])[].file_extension | member | ps2xml
file.explode(attachments[])[].file_extension | member | psc2