From ec892dec93ef6bae20a90e8abb3f5274cefec7c2 Mon Sep 17 00:00:00 2001
From: Gavin Knapp <g.r.j.knapp@gmail.com>
Date: Fri, 24 Mar 2023 11:29:25 +0000
Subject: [PATCH] feat: new rule `proxy_susp_ipfs_cred_harvest.yml` (#4113)

---
 .../proxy_susp_ipfs_cred_harvest.yml          | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml

diff --git a/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
new file mode 100644
index 000000000..0222e7bdb
--- /dev/null
+++ b/rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
@@ -0,0 +1,22 @@
+title: Suspicious Network Communication With IPFS
+id: eb6c2004-1cef-427f-8885-9042974e5eb6
+status: experimental
+description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
+references:
+    - https://blog.talosintelligence.com/ipfs-abuse/
+    - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
+    - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
+author: Gavin Knapp
+date: 2023/03/16
+tags:
+    - attack.credential_access
+    - attack.t1056
+logsource:
+    category: proxy
+detection:
+    selection:
+        cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
+    condition: selection
+falsepositives:
+    - Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.
+level: low