From cb758bea3e7b0b31187752e02e45f32959b83680 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Wed, 29 Oct 2025 21:38:46 -0500
Subject: [PATCH 1/5] Create attachment_ics_non-gregorian.yml
---
 .../attachment_ics_non-gregorian.yml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 detection-rules/attachment_ics_non-gregorian.yml
diff --git a/detection-rules/attachment_ics_non-gregorian.yml b/detection-rules/attachment_ics_non-gregorian.yml
new file mode 100644
index 00000000000..56539aa4e48
--- /dev/null
+++ b/detection-rules/attachment_ics_non-gregorian.yml
@@ -0,0 +1,20 @@
+name: "Attachment: ICS file with non-Gregorian calendar scale"
+description: "Detects ICS calendar attachments that use a non-standard calendar scale other than GREGORIAN, which may indicate malicious calendar files attempting to exploit calendar parsing vulnerabilities or bypass security filters."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ (
+ .file_extension in~ ('ics')
+ or .content_type in ("application/ics", "text/calendar")
+ )
+ and beta.file.parse_ics(.).scale != "GREGORIAN"
+ )
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Evasion"
+detection_methods:
+ - "File analysis"
+ - "Content analysis"
From ebda4195efc4dcf4e8adafe42eb55a17510a2083 Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Thu, 30 Oct 2025 02:40:41 +0000
Subject: [PATCH 2/5] Auto add rule ID
---
 detection-rules/attachment_ics_non-gregorian.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/attachment_ics_non-gregorian.yml b/detection-rules/attachment_ics_non-gregorian.yml
index 56539aa4e48..d611bb8d5a4 100644
--- a/detection-rules/attachment_ics_non-gregorian.yml
+++ b/detection-rules/attachment_ics_non-gregorian.yml
@@ -18,3 +18,4 @@ tactics_and_techniques:
 detection_methods:
 - "File analysis"
 - "Content analysis"
+id: "9315bbf5-c710-5ead-8a8e-5c7f8fb118dc"
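Review bot: The condition `and beta.file.parse_ics(.).scale != "GREGORIAN"` in the new source block treats an absent CALSCALE the same as a declared non-Gregorian one, yet RFC 5545 makes CALSCALE optional with GREGORIAN as the default, so an .ics that simply omits the property — or one parse_ics cannot parse — presumably yields an empty or null scale and matches the rule. Guarding on the parsed value first, e.g. `and beta.file.parse_ics(.).scale is not null` ahead of the comparison (confirm the exact null test MQL provides), keeps the rule on attachments that actually declare another scale. The later rewrites of this line in patches 3, 4 and 5 change how the value is compared but not what happens when it is absent, so the same guard applies there.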
From 7ee1ba177a764b42b1d7056df7794d83845dfd0e Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 30 Oct 2025 22:19:10 -0500
Subject: [PATCH 3/5] Update attachment_ics_non-gregorian.yml
---
 detection-rules/attachment_ics_non-gregorian.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_ics_non-gregorian.yml b/detection-rules/attachment_ics_non-gregorian.yml
index d611bb8d5a4..23e42610de1 100644
--- a/detection-rules/attachment_ics_non-gregorian.yml
+++ b/detection-rules/attachment_ics_non-gregorian.yml
@@ -9,7 +9,7 @@ source: |
 .file_extension in~ ('ics')
 or .content_type in ("application/ics", "text/calendar")
 )
- and beta.file.parse_ics(.).scale != "GREGORIAN"
+ and beta.file.parse_ics(.).scale not in~ ('GREGORIAN', ' GREGORIAN')
 )
 attack_types:
 - "Credential Phishing"
From 3f597c8aa54f4ffbfdb6d85cf36766cfc3f2883a Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 4 Nov 2025 17:10:23 -0600
Subject: [PATCH 4/5] Update attachment_ics_non-gregorian.yml
---
 detection-rules/attachment_ics_non-gregorian.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_ics_non-gregorian.yml b/detection-rules/attachment_ics_non-gregorian.yml
index 23e42610de1..434995319ed 100644
--- a/detection-rules/attachment_ics_non-gregorian.yml
+++ b/detection-rules/attachment_ics_non-gregorian.yml
@@ -9,7 +9,7 @@ source: |
 .file_extension in~ ('ics')
 or .content_type in ("application/ics", "text/calendar")
 )
- and beta.file.parse_ics(.).scale not in~ ('GREGORIAN', ' GREGORIAN')
+ and not strings.contains(beta.file.parse_ics(.).scale, 'GREGORIAN')
 )
 attack_types:
 - "Credential Phishing"
From d8eeec7539c7ce446a5de04fb30bebdbe367bf73 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 4 Nov 2025 17:11:24 -0600
Subject: [PATCH 5/5] Update attachment_ics_non-gregorian.yml
---
 detection-rules/attachment_ics_non-gregorian.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/attachment_ics_non-gregorian.yml b/detection-rules/attachment_ics_non-gregorian.yml
index 434995319ed..21b3b7e6acd 100644
--- a/detection-rules/attachment_ics_non-gregorian.yml
+++ b/detection-rules/attachment_ics_non-gregorian.yml
@@ -9,7 +9,7 @@ source: |
 .file_extension in~ ('ics')
 or .content_type in ("application/ics", "text/calendar")
 )
- and not strings.contains(beta.file.parse_ics(.).scale, 'GREGORIAN')
+ and not strings.icontains(beta.file.parse_ics(.).scale, 'GREGORIAN')
 )
 attack_types:
 - "Credential Phishing"
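Review bot: `and not strings.icontains(beta.file.parse_ics(.).scale, 'GREGORIAN')` is a substring test, so any scale value that contains that word anywhere is treated as benign, which is looser than the exact "other than GREGORIAN" the rule's name and description promise. The progression through patches 3 and 4 suggests the parser returns the value with leading whitespace and inconsistent case, but that reasoning is not recorded in the rule, so a later maintainer may tighten the line back and reintroduce the misses the earlier revisions hit. A one-line comment above the condition would preserve it, e.g. `// parse_ics can return the scale with leading whitespace or mixed case; substring match tolerates both`. If MQL offers a trim or case-normalising helper, an exact comparison on the normalised value would be tighter than icontains; I have not verified one exists, so the comment is the safe minimum.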