Skip to content

Hunting rules for Hex Staging Attack and HTML Phishing Attachment #5674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Hunting rules for Hex Staging Attack and HTML Phishing Attachment #5674

wants to merge 17 commits into from
+68 −0

Conversation

@skaynum
Copy link
Contributor

@skaynum skaynum commented Oct 2, 2025

Summary of the Pull Request

This pull requests contains new rules that detect the below:

  • Potential HTML Phishing Attachment campaigns

  • Potential Hex Staging Attack, that stages malicious payloads as detected in espionage campaigns in South East Asia.

Changelog

new: Potential Hex Staging Attack
new: Potential HTML Phishing Attachment Clicked

Example Log Event

Potential Hex Staging Attack sample event:
C:\windows\system32\cmd.exe /c >> C:\Users\test\malware.exe.tmp set /p="hex coded payload"

Potential HTML Phishing Attachment Clicked sample event
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\admin\Documents\MD564BJUY.htm

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 2, 2025
swachchhanda000
swachchhanda000 requested changes Oct 9, 2025
View reviewed changes
@swachchhanda000 swachchhanda000 added the Author Input Required changes the require information from original author of the rules label Oct 9, 2025
@swachchhanda000 swachchhanda000 changed the title October Hunting rules Hunting rules for Hex Staging Attack and HTML Phishing Attachment Oct 14, 2025
@swachchhanda000 swachchhanda000 added 2nd Review Needed PR need a second approval and removed Author Input Required changes the require information from original author of the rules labels Oct 14, 2025
nasbench
nasbench requested changes Oct 15, 2025
View reviewed changes
@skaynum
Copy link
Contributor Author

skaynum commented Oct 16, 2025

Changes made.

@nasbench nasbench added the Author Input Required changes the require information from original author of the rules label Oct 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasbench nasbench nasbench requested changes

@swachchhanda000 swachchhanda000 swachchhanda000 approved these changes

+1 more reviewer

@david-syk david-syk david-syk left review comments

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

2nd Review Needed PR need a second approval Author Input Required changes the require information from original author of the rules Rules Windows Pull request add/update windows related rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@skaynum @nasbench @swachchhanda000 @david-syk