
Update attachment_encrypted_pdf_cred_theft.yml #3087


Open
wants to merge 1 commit into base: main

Conversation

peterdj45
Member

Description

Adding a suspicious keyword check to account for NLU misses.

Associated samples

@peterdj45 peterdj45 requested a review from a team as a code owner August 15, 2025 00:33
@peterdj45 peterdj45 added the review-needed Indicates that a PR is waiting for review label Aug 15, 2025
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Aug 15, 2025
github-actions bot added a commit that referenced this pull request Aug 15, 2025
or (
(
regex.icontains(body.current_thread.text,
'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
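Review bot: the pattern on the last line of this hunk matches either `PDF <Access|Unlock|Decrypt> Code` or a bare `PDF Passcode`, whereas the reviewer's suggested replacement `PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code` always requires one of the three verbs, so it drops the bare `PDF Passcode` case while newly accepting `PDF Access Passcode`; confirm against the associated samples which set of phrasings the rule is meant to cover before accepting it. Two smaller points: `\s*` in the suggestion also accepts no separator at all (e.g. `PDFAccesscode`), and since `regex.icontains` is case-insensitive the `Code` versus `code` difference between the two patterns has no effect. The same pattern is repeated for the `body.previous_threads` check below, so whichever version is chosen should be applied to both occurrences.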

Suggested change
'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'

PDF (Access OR Unlock OR Decrypt) (Passcode OR code)

)
and any(body.previous_threads,
regex.icontains(.text,
'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'

Suggested change
'PDF(\s((Access|Unlock|Decrypt)\s?Code|Passcode))'
'PDF\s*(?:Access|Unlock|Decrypt)\s*(?:Pass)?code'
