Netwatch example subdomains and emails

VirusTotal · Nov 24, 2023 · 056f75b · 056f75b
1 parent ecf66e1
commit 056f75b
Showing 1 changed file with 20 additions and 2 deletions.
diff --git a/examples/netwatch_templates/file.yara b/examples/netwatch_templates/file.yara
@@ -4,7 +4,9 @@ meta:
   target_entity = "file"
 condition:
   vt.metadata.new_file and
-  vt.metadata.itw.domain.root == "${domain}"
+  (vt.metadata.itw.domain.root == "${domain}" or
+   vt.metadata.itw.domain.raw iendswith ".${domain}"
+  )
 }
 
 
@@ -14,6 +16,22 @@ meta:
   target_entity = "file"
 condition:
   for any lookup in vt.behaviour.dns_lookups : (
-    lookup.hostname iequals "${domain}"
+    (lookup.hostname == "${domain}" or
+     lookup.hostname iendswith ".${domain}"
+    )
+  )
+}
+
+rule network_watch_email_embeds_${domain_escaped} : ${domain_escaped} {
+meta:
+  description = "New files containing ${domain}"
+  target_entity = "file"
+strings:
+  $domain = "${domain}"
+condition:
+  any of them and
+  vt.metadata.new_file and
+  (vt.metadata.file_type == vt.FileType.EMAIL or
+   vt.metadata.file_type == vt.FileType.OUTLOOK
   )
 }