Skip to content

Create link_multistage_buildin_ai.yml #2640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Create link_multistage_buildin_ai.yml #2640

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ed61552
Create link_multistage_buildin_ai.yml
morriscode Apr 22, 2025
f43b48a
Auto add rule ID
Apr 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions detection-rules/link_multistage_buildin_ai.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
name: "Link: Multistage Landing - Abused Buildin.ai"
description: "Analyzes shared content links from buildin.ai domain that contain credential harvesting language with medium to high confidence in the display text."
type: "rule"
severity: "medium"
source: |
type.inbound

// filter to just buildin.ai
and any(filter(body.links,
(
.href_url.domain.root_domain == "buildin.ai"
and strings.icontains(.href_url.path, '/share')
// inspect display text
)
),
any(ml.nlu_classifier(ml.link_analysis(., mode="aggressive").final_dom.display_text
).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "URL analysis"
- "Natural Language Understanding"
id: "e0a79ef5-291e-5492-9449-c17d79f1cb23"