Proof of Concept - Elastic Detection: VIP / Executive impersonation in subject (untrusted)

This detection rule flags emails whose subject contains the display name of a VIP or executive from a predefined list (org_vips) and whose sender is untrusted, a common pattern in Business Email Compromise (BEC) and fraud attempts that trade on an executive's name. The description also requires that the sender has never been seen before, but no clause in the query below enforces that; as written, the rule relies on the DMARC/domain checks and the upstream threat verdict instead, and a sender-history condition has to be added separately.

Prerequisites

  • org_vips list: a list of VIP or executive display names. It must be created manually and connected to the corresponding VIP group in the upstream provider (Google Workspace) before the rule will match anything.
  • Email provider: Google Workspace (the rule filters on event.provider: "google_workspace").

Explanation of the Query

  1. Basic Event Filtering:

    event.category: "email" and
    event.provider: "google_workspace" and
    • Filters events to only include emails from Google Workspace.
  2. Check Subject for VIP Display Name:

    any([org_vips.display_name], {{contains(email.subject, .)}}) and
    • Matches when any display name in the org_vips list appears as a substring of the subject. This is the only impersonation signal in the rule: it does not inspect the sender's own display name, so a lure such as "Jane Doe - urgent request" from an arbitrary mailbox matches, while a message whose From display name is the VIP but whose subject is not does not.
  3. Sender and Receiver Logic:

    (
      length(email.recipients.to) > 0 or
      length(email.recipients.cc) > 0 or
      email.sender.display_name != email.receiver.display_name
    ) and
    • Requires at least one explicit To or Cc recipient, or a sender display name that differs from the receiver's; this drops messages a user sends to themselves under their own name.
  4. Exclude Common Automated Email Addresses:

    not (email.sender.local_part: "*postmaster*" or
         email.sender.local_part: "*mailer-daemon*" or
         email.sender.local_part: "*administrator*") and
    • Excludes bounce and system mailboxes (postmaster, mailer-daemon, administrator), matched as wildcards on the local part of the sender address.
  5. Exclude Specific Attachment Types:

    not any(email.attachments.content_type: "message/rfc822" or
           email.attachments.content_type: "message/delivery-status" or
           email.attachments.content_type: "text/calendar") and
    • Excludes forwarded messages (message/rfc822), delivery status reports and calendar invitations, all of which routinely carry an executive's name in the subject without being impersonation.
  6. DMARC Authentication Check:

    (
      (
        email.sender.domain.root_domain in org_domains and
        not email.headers.dmarc_result == "pass"
      ) or
      email.sender.domain.root_domain not in org_domains
    ) and
    (
      (
        email.sender.domain.root_domain in high_trust_sender_root_domains and
        not email.headers.dmarc_result == "pass"
      ) or
      email.sender.domain.root_domain not in high_trust_sender_root_domains
    ) and
    • Keeps the message only when the sender's root domain is untrusted: a sender claiming one of the organisation's own domains (org_domains) or a high-trust partner domain (high_trust_sender_root_domains) is kept only if DMARC did not pass, which indicates a likely spoof; any other root domain is kept unconditionally. Legitimate internal or partner mail that passes DMARC is therefore excluded.
  7. Threat Level and Category:

    (
      email.threat_level == "high" or
      email.threat_category == "spam"
    )
    • Requires the upstream verdict to already be threat_level "high" or threat_category "spam". This keeps volume down, but a classic BEC lure (plain text, no link, no attachment, asking for a quick reply or a wire) often receives neither label, so this clause can suppress exactly the messages the rule is meant to catch; consider loosening it once the org_vips list is small and tuned.
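To make the seven clauses concrete, here is the rule's predicate re-implemented in Python and run over a handful of constructed sample messages, so each clause can be exercised on its own. This is an added example, not code from the gist or from Elastic; the field names mirror the query's, the ORG_VIPS, ORG_DOMAINS, HIGH_TRUST_ROOT_DOMAINS values and the sample messages are made up, and the seen_senders set is an assumed stand-in for the "never seen before" condition that the description states but the query itself never checks.

```python
"""Added example, not part of the gist: the rule's predicate re-implemented in
Python and run over constructed sample messages, so every clause can be checked
on its own. Field names mirror the query's; ORG_VIPS, ORG_DOMAINS,
HIGH_TRUST_ROOT_DOMAINS and the sample messages are made up, and `seen_senders`
is an assumed stand-in for the "never seen before" condition that the
description states but the query never checks."""
from fnmatch import fnmatch

ORG_VIPS = ["Jane Doe", "John Smith"]                 # org_vips.display_name (constructed)
ORG_DOMAINS = {"example.com"}                         # org_domains (constructed)
HIGH_TRUST_ROOT_DOMAINS = {"trusted-partner.com"}     # high_trust_sender_root_domains (constructed)
AUTOMATED_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")
EXCLUDED_ATTACHMENT_TYPES = {"message/rfc822", "message/delivery-status", "text/calendar"}


def subject_names_vip(subject, vips=ORG_VIPS):
    """Clause 2: a VIP display name appears as a substring of the subject."""
    return any(name in subject for name in vips)


def sender_untrusted(msg, org_domains=ORG_DOMAINS, high_trust=HIGH_TRUST_ROOT_DOMAINS):
    """Clause 6: a sender claiming an org or high-trust root domain is kept only
    when DMARC did not pass (likely spoofed); any other root domain is kept."""
    root = msg["sender_root_domain"]
    dmarc_pass = msg.get("dmarc_result") == "pass"
    org_clause = (root in org_domains and not dmarc_pass) or root not in org_domains
    trust_clause = (root in high_trust and not dmarc_pass) or root not in high_trust
    return org_clause and trust_clause


def matches(msg, seen_senders=frozenset()):
    """True when a message satisfies every clause of the query plus the
    first-time-sender condition from the description (assumption)."""
    if msg["event_category"] != "email" or msg["event_provider"] != "google_workspace":
        return False                                                    # clause 1
    if not subject_names_vip(msg["subject"]):
        return False                                                    # clause 2
    if not (msg["to"] or msg["cc"] or msg["sender_display_name"] != msg["receiver_display_name"]):
        return False                                                    # clause 3
    if any(fnmatch(msg["sender_local_part"].lower(), p) for p in AUTOMATED_LOCAL_PARTS):
        return False                                                    # clause 4
    if any(ct in EXCLUDED_ATTACHMENT_TYPES for ct in msg.get("attachment_types", ())):
        return False                                                    # clause 5
    if not sender_untrusted(msg):
        return False                                                    # clause 6
    if not (msg.get("threat_level") == "high" or msg.get("threat_category") == "spam"):
        return False                                                    # clause 7
    return msg["sender_address"] not in seen_senders                    # description only


def message(sender, display_name, subject, root_domain, dmarc="pass", threat_level=None,
            threat_category=None, attachment_types=(), to=("cfo@example.com",)):
    """Build one constructed message record in the shape `matches` expects."""
    return {
        "event_category": "email", "event_provider": "google_workspace",
        "sender_address": sender, "sender_local_part": sender.split("@")[0],
        "sender_display_name": display_name, "receiver_display_name": "Finance Team",
        "sender_root_domain": root_domain, "subject": subject, "to": list(to), "cc": [],
        "dmarc_result": dmarc, "threat_level": threat_level, "threat_category": threat_category,
        "attachment_types": list(attachment_types),
    }


SAMPLE_MESSAGES = {  # constructed; none of these are real messages
    "lookalike_external": message("jane.doe.ceo@gmail.com", "Jane Doe", "Jane Doe - urgent wire request",
                                  "gmail.com", threat_level="high"),
    "spoofed_internal_dmarc_fail": message("jane.doe@example.com", "Jane Doe", "Re: Jane Doe payment approval",
                                           "example.com", dmarc="fail", threat_level="high"),
    "internal_dmarc_pass": message("jane.doe@example.com", "Jane Doe", "Jane Doe: board deck",
                                   "example.com", threat_level="high"),
    "partner_dmarc_pass": message("ap@trusted-partner.com", "Accounts", "Invoice for John Smith",
                                  "trusted-partner.com", threat_category="spam"),
    "bounce": message("mailer-daemon@googlemail.com", "Mail Delivery Subsystem",
                      "Delivery Status Notification: Jane Doe", "googlemail.com", threat_level="high"),
    "low_threat_bec": message("jsmith.office@outlook.com", "John Smith", "John Smith - are you at your desk?",
                              "outlook.com", threat_level="low"),
}


def evaluate(messages=SAMPLE_MESSAGES, seen_senders=frozenset()):
    """Run the predicate over every sample and return {name: alert?}."""
    return {name: matches(m, seen_senders) for name, m in messages.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:30s} {'ALERT' if hit else 'no alert'}")
```

Running it shows the two intended hits (the lookalike external address and the spoofed internal address that failed DMARC) and four suppressions. The low_threat_bec sample is the one worth studying: it is a textbook executive-impersonation lure, but because the upstream verdict is neither "high" nor "spam" clause 7 drops it, which is the trade-off noted above. Passing a seen_senders set containing jane.doe.ceo@gmail.com turns the first hit off, which is what the description's first-time-sender condition would do if the query implemented it.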
Rule definition (YAML as posted, with the block scalars re-indented so the file parses):

```yaml
name: "VIP / Executive impersonation in subject (untrusted)"
id: "0a641fe5-70b9-5f4e-9c34-0d70eac11fae"
description: |
  Email subject contains the display name of a user in the org_vips list, and the sender has never been seen before.
  The org_vips list must first be manually created in Elastic, and then connected to a VIP group of the provider (Google
  Workspace) in order for this rule to work.
  This rule is to be used on a relatively small list of VIPs, and is meant to reduce attack surface by detecting *any*
  message that matches the protected list of display names from a first-time or unsolicited sender.
  Additional rule logic can be added to look for suspicious subjects, suspicious links, etc.
type: "query"
severity: "medium"
query: |
  event.category: "email" and
  event.provider: "google_workspace" and
  any([org_vips.display_name], {{contains(email.subject, .)}}) and
  (
    length(email.recipients.to) > 0 or
    length(email.recipients.cc) > 0 or
    email.sender.display_name != email.receiver.display_name
  ) and
  not (email.sender.local_part: "*postmaster*" or
       email.sender.local_part: "*mailer-daemon*" or
       email.sender.local_part: "*administrator*") and
  not any(email.attachments.content_type: "message/rfc822" or
          email.attachments.content_type: "message/delivery-status" or
          email.attachments.content_type: "text/calendar") and
  (
    (
      email.sender.domain.root_domain in org_domains and
      not email.headers.dmarc_result == "pass"
    ) or
    email.sender.domain.root_domain not in org_domains
  ) and
  (
    (
      email.sender.domain.root_domain in high_trust_sender_root_domains and
      not email.headers.dmarc_result == "pass"
    ) or
    email.sender.domain.root_domain not in high_trust_sender_root_domains
  ) and
  (
    email.threat_level == "high" or
    email.threat_category == "spam"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Initial Access: Phishing: Spearphishing via Service (T1566.003)"
  - "Execution: User Execution: Malicious Link (T1204.001)"
  - "Execution: User Execution: Malicious Attachment (T1204.002)"
  - "Collection: Email Collection (T1114)"
  - "Impact: Data Manipulation: Business Process Compromise (T1565.002)"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
ECS_Field_References:
  - event.category: "The category of the event."
  - event.provider: "The provider of the event."
  - email.subject: "The subject of the email."
  - email.recipients.to: "The 'to' recipients of the email."
  - email.recipients.cc: "The 'cc' recipients of the email."
  - email.sender.display_name: "The display name of the email sender."
  - email.receiver.display_name: "The display name of the email receiver."
  - email.sender.local_part: "The local part of the sender's email address."
  - email.attachments.content_type: "The content type of email attachments."
  - email.sender.domain.root_domain: "The root domain of the sender's email address."
  - email.headers.dmarc_result: "The DMARC authentication result."
  - email.threat_level: "The threat level of the email."
  - email.threat_category: "The threat category of the email."
```

Two things to check before loading this into Elastic. First, the query is written in a pseudo-syntax rather than KQL, EQL or ES|QL: the any([...], {{contains(...)}}) construct, length(), and in <list> are not Elastic query syntax, so the logic has to be translated, with org_vips, org_domains and high_trust_sender_root_domains expressed as value lists or expanded terms. Second, most entries under ECS_Field_References are not ECS fields; ECS's email fieldset defines email.from.address, email.to.address, email.cc.address, email.subject and email.attachments.file.mime_type, not sender display names, local parts, root domains, a DMARC result or a threat verdict, so those fields must be present as custom mappings in the index or the query must be rewritten against the ECS equivalents.