detection.wiki

Detection rules › Panther

Slack Potentially Malicious File Shared

Severity
critical
Log types
Slack.AuditLogs
Tags
Slack, Initial Access, Phishing, Spearphishing Attachment, Malware, Execution
Reference
https://docs.datadoghq.com/security/default_rules/def-003-oxv/
Source
github.com/panther-labs/panther-analysis

Detects when Slack's automated security scanning identifies malicious files uploaded to the workspace, indicating malware delivery or phishing attempts. Slack scans for executable malware, ransomware, phishing documents, malicious scripts, and files matching threat actor signatures. This detection indicates compromised accounts, insider threats, or successful phishing attacks where users uploaded infected files.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566.001 Phishing: Spearphishing Attachment
ExecutionT1204.002 User Execution: Malicious File
ImpactT1486 Data Encrypted for Impact

Rule body yaml

AnalysisType: rule
Filename: slack_potentially_malicious_file_shared.py
RuleID: "Slack.AuditLogs.PotentiallyMaliciousFileShared"
DisplayName: "Slack Potentially Malicious File Shared"
Enabled: true
LogTypes:
  - Slack.AuditLogs
Tags:
  - Slack
  - Initial Access
  - Phishing
  - Spearphishing Attachment
  - Malware
  - Execution
Reports:
  MITRE ATT&CK:
    - TA0001:T1566.001
    - TA0002:T1204.002
    - TA0040:T1486
Severity: Critical
Description: >
  Detects when Slack's automated security scanning identifies malicious files uploaded to the workspace, indicating malware delivery or phishing attempts. Slack scans for executable malware, ransomware, phishing documents, malicious scripts, and files matching threat actor signatures. This detection indicates compromised accounts, insider threats, or successful phishing attacks where users uploaded infected files.
Reference: https://docs.datadoghq.com/security/default_rules/def-003-oxv/
Runbook: |
  1. Query Slack audit logs for file_downloaded events associated with the malicious file to identify all users who downloaded it before Slack detected the threat, then coordinate with IT to isolate their endpoints and scan for malware
  2. Review actor.user.email's complete Slack audit log activity in the 7 days before the upload to identify suspicious patterns such as logins from unusual locations, sharing multiple suspicious files, or mass direct messaging indicating account compromise
  3. Search the Slack workspace for other files with similar names, file types, or uploaded from the same context.ip_address to determine if this is part of a broader malware distribution campaign
DedupPeriodMinutes: 60
Threshold: 1
SummaryAttributes:
  - p_any_ip_addresses
  - p_any_emails
Tests:
  - Name: Malicious Content Detected
    ExpectedResult: true
    Log:
      {
        "action": "file_malicious_content_detected",
        "actor":
          {
            "type": "user",
            "user":
              {
                "email": "user@example.com",
                "id": "W012J3FEWAU",
                "name": "primary-owner",
                "team": "T01234N56GB",
              },
          },
        "context":
          {
            "ip_address": "1.2.3.4",
            "location":
              {
                "domain": "test-workspace-1",
                "id": "T01234N56GB",
                "name": "test-workspace-1",
                "type": "workspace",
              },
            "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
          },
      }
  - Name: User Logout
    ExpectedResult: false
    Log:
      {
        "action": "user_logout",
        "actor":
          {
            "type": "user",
            "user":
              {
                "email": "user@example.com",
                "id": "W012J3FEWAU",
                "name": "primary-owner",
                "team": "T01234N56GB",
              },
          },
        "context":
          {
            "ip_address": "1.2.3.4",
            "location":
              {
                "domain": "test-workspace-1",
                "id": "T01234N56GB",
                "name": "test-workspace-1",
                "type": "workspace",
              },
            "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
          },
        "date_create": "2022-07-28 15:22:32",
        "entity":
          {
            "type": "user",
            "user":
              {
                "email": "user@example.com",
                "id": "W012J3FEWAU",
                "name": "primary-owner",
                "team": "T01234N56GB",
              },
          },
        "id": "72cac009-9eb3-4dde-bac6-ee49a32a1789",
      }

Detection logic

Condition

action eq "file_malicious_content_detected"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
actioneq
  • file_malicious_content_detected

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
actor-nameactor.user.name
actor-emailactor.user.email
actor-ipcontext.ip_address
user-agentcontext.ua
domaincontext.location.domain