Enrichment functions

MQL is highly extensible and can integrate virtually any tool or service to build better detection rules.

Request a function!

Don't see a function you want? Let us know via email or Slack!

Attachments

beta.binexplode

beta.binexplode(input: Attachment) -> [BinExplodeOutput]

BinExplode uses Strelka, a file extraction and metadata collection system developed by Target.

Strelka uses a variety of scanners, each of which parses files of a specific flavor and collects metadata and/or extracts embedded files. It can recursively extract nested files (such as a Word document inside a ZIP archive), identify malicious scripts and suspicious executables and text, run analyses such as OCR and macro detection, and more. For more information on how Strelka works, see the official Strelka documentation.

For a list of all available scanners, see the GitHub repo or the official Strelka docs.

// detect HTML smuggling techniques
any(attachments, .file_extension in~ ('html', 'htm') and
  any(beta.binexplode(.),
    any(.scan.javascript.identifiers, . == "unescape"))
)

// detect encrypted zip files
any(attachments,
  any(beta.binexplode(.),
    any(.flavors.yara, . == 'encrypted_zip'))
)

// detect attachments soliciting the user to enable macros using OCR
any(attachments,
  any(beta.binexplode(.),
    any(.scan.ocr.text, ilike(., "*please*"))
    and any(.scan.ocr.text, ilike(., "*enable*"))
    and any(.scan.ocr.text, ilike(., "*macros*")))
)

// detect macros with auto-open
any(attachments,
  any(beta.binexplode(.),
    any(.scan.vba.auto_exec, . == "AutoOpen"))
)

// detect macros calling an exe
any(attachments,
  any(beta.binexplode(.),
    any(.scan.vba.hex, ilike(., "*exe*")))
)

View detection rules that use this function

Coming soon

  • YARA support
  • External API integrations, like VirusTotal
  • Analyze binaries from external URLs, like Google Drive and drive-by downloads

beta.oletools

beta.oletools(input: Attachment) -> OleToolsOutput

Oletools, developed by Philippe Lagadec, analyzes Microsoft OLE2 files such as Microsoft Office documents for malware and other suspicious indicators.

Use beta.oletools to analyze attachments for malware or suspicious indicators like VBA macros, remote OLE objects, encryption, and more.

// detect suspicious macros
any(attachments, beta.oletools(.).indicators.vba_macros.exists)
any(attachments, beta.oletools(.).indicators.vba_macros.risk == "high")

// detect potential attempts to exploit CVE-2021-40444 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444)
any(attachments, any(beta.oletools(.).relationships, iregex_search(.target, ".*html:http.*")))

// detect external OLE object relationships
any(attachments, beta.oletools(.).indicators.external_relationships.count > 0)

// detect encrypted Office documents
any(attachments, beta.oletools(.).indicators.encryption.exists)

// detect macros that attempt to auto-execute when the document is opened
any(attachments, any(beta.oletools(.).macros.keywords, .type == "autoexec"))

// detect suspicious macro source code
any(attachments, iregex_search(beta.oletools(.).macros.vba_code_all_modules, ".*kernel32.*", ".*GetProcessId.*"))

View detection rules that use this function

beta.ml_macro_classifier

beta.ml_macro_classifier(input: File) -> MLMacrosOutput

The Sublime Macro Classifier brings machine learning into MQL to detect malicious VBA macro attachments. Because the model's verdict is exposed as ordinary MQL fields, you can combine it with custom detection logic to surface what matters most while reducing the noise commonly associated with black-box ML approaches.

The classifier uses XGBoost to analyze VBA keywords, file metadata, and Oletools output to predict whether an attachment is likely to cause harm.

Use beta.ml_macro_classifier to detect suspicious VBA macro attachments.

// detect malicious VBA macros in Office documents, high confidence
any(attachments, .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm", "zip")
    and beta.ml_macro_classifier(.).malicious
    and beta.ml_macro_classifier(.).confidence in ("high")
)

// detect malicious VBA macros in Office documents, low or medium confidence
any(attachments, .file_extension in~ ("doc", "docm", "docx", "dot", "dotm", "pptm", "ppsm", "xlm", "xls", "xlsb", "xlsm", "xlt", "xltm", "zip")
    and beta.ml_macro_classifier(.).malicious
    and beta.ml_macro_classifier(.).confidence in ("low", "medium")
)
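An added example (not from the Sublime docs) that shows the "combine the model output with custom detection logic" idea in practice: a low- or medium-confidence classifier verdict is surfaced only when beta.oletools independently finds an auto-executing macro or an external relationship in the same attachment. It uses only fields shown on this page; the extension list is a subset of the one above.

```mql
// corroborate a lower-confidence ML verdict with independent oletools evidence
any(attachments,
  .file_extension in~ ("doc", "docm", "dot", "dotm", "pptm", "ppsm", "xls", "xlsb", "xlsm", "xlt", "xltm")
  and beta.ml_macro_classifier(.).malicious
  and beta.ml_macro_classifier(.).confidence in ("low", "medium")
  and (
    // macro keyword that fires on document open
    any(beta.oletools(.).macros.keywords, .type == "autoexec")
    // or the document reaches out to an external OLE object
    or beta.oletools(.).indicators.external_relationships.count > 0
  )
)
```

High-confidence verdicts can still be matched on their own with the first rule above; this rule is meant to sit beside it so that the noisier confidence bands require a second signal.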

View rules that use this function

beta.linkanalysis

beta.linkanalysis(input: Link) -> LinkAnalysisOutput

LinkAnalysis analyzes a link and classifies it as benign or suspicious. The service sends suspicious URLs to a headless browser, which resolves the effective URL and captures a screenshot. The screenshot is passed to an object detection model that detects brand logos, buttons, and input forms. We chose Phishpedia, an open-source object detection project, as our baseline model architecture.

If any logos are detected, those logos are cropped from the original screenshot and compared to a set of protected brand logos commonly used in credential phishing attacks. Discovered brands are available to MQL, along with summary information about login input boxes or captchas in the screenshot.

// detect links to credential phishing pages
any(body.links,
    all([beta.linkanalysis(.)],
        .credphish.disposition == "phishing"
         and .credphish.brand.confidence in ("medium", "high")
     )
)

// detect free subdomain links with a login or captcha
any(body.links,
    all([beta.linkanalysis(.)], (
          .credphish.contains_login
          or .credphish.contains_captcha
     )
     and (
          .effective_url.domain.root_domain in $free_subdomain_hosts
          or .original_url.domain.root_domain in $free_subdomain_hosts
     ))
)
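An added example (not from the Sublime docs) that uses the effective-URL resolution described above: because the headless browser follows redirects, comparing .effective_url against .original_url exposes links whose visible domain differs from the page that actually rendered. It assumes the != operator applies to the string fields shown on this page.

```mql
// detect phishing-disposition links with a login form that land on a
// different root domain than the one visible in the message body
any(body.links,
  all([beta.linkanalysis(.)],
    .credphish.disposition == "phishing"
    and .credphish.contains_login
    and .credphish.brand.confidence in ("medium", "high")
    // the browser was redirected away from the link as written
    and .effective_url.domain.root_domain != .original_url.domain.root_domain
  )
)
```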

View rules that use this function