From e0754a55fa2d67ef5ed025d61158cc6236086e16 Mon Sep 17 00:00:00 2001 From: Czdam Date: Mon, 20 May 2024 10:26:33 +0200 Subject: [PATCH] =?UTF-8?q?add=20Roblox=20phishing=20=F0=9F=9A=80=20=20(#2?= =?UTF-8?q?52)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add files via upload * Update roblox-phishing-f254en7e.yml * Update and rename roblox-phishing-f254en7e.yml to roblox-phishing.yml * Edit and rename roblox-phishing.yml to roblox-phishing-8L0QMRN6 * Update and rename * Update roblox-phishing-8l0pamh6.yml Minor description and detection field names fixes * Update and rename roblox-phishing-8l0pamh6.yml to roblox-8l0pamh6.yml Fix rule filename --------- Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com> --- indicators/roblox-8l0pamh6.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 indicators/roblox-8l0pamh6.yml diff --git a/indicators/roblox-8l0pamh6.yml b/indicators/roblox-8l0pamh6.yml new file mode 100644 index 00000000..36f676ec --- /dev/null +++ b/indicators/roblox-8l0pamh6.yml @@ -0,0 +1,33 @@ +title: Roblox Phishing Kit 8l0pamh6 +description: | + Detects Roblox phishing sites using a Roblox specific strings + within the DOM. + + Usually at /controlPage/create you can create a "Beaming link" + These are often spread through Discord to victims. +references: + - https://www.youtube.com/watch?v=lUL2vgyhsw4 + - https://urlscan.io/result/c716b820-174e-4211-9c09-4663b4a7e47d/ + - https://urlscan.io/result/e76d7a2f-3e6d-455e-8da8-1a94ea6c222f/ + - https://urlscan.io/result/f9ccb8a3-624b-4cb1-b237-36dd81cef6e3/ + - https://urlscan.io/result/1a62439f-de11-4ee6-a0ed-9c482c0c1906/ + +detection: + + realDomains: + hostname|endswith: + - .roblox.com + - .rbxcdn.com + + rbxBodyId: + dom|contains: body id="rbx-body" + + rbxCDN: + dom|contains: rbxcdn + + + condition: rbxCDN and rbxBodyId and not realDomains + +tags: + - kit + - target.roblox
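Review bot: In the `realDomains` selection, both `hostname|endswith` values begin with a dot (`.roblox.com`, `.rbxcdn.com`), so a scan whose hostname is exactly `roblox.com` or `rbxcdn.com` is not covered by the exclusion. Such a scan would satisfy `condition: rbxCDN and rbxBodyId and not realDomains` whenever the legitimate page contains both strings. Consider extending the exclusion so the bare apex hostnames are matched as well as their subdomains. Two smaller points in the same hunk: `dom|contains: rbxcdn` is a very short substring, so the rule depends on `body id="rbx-body"` to narrow it, and that match is sensitive to attribute order and quoting in the captured DOM. In the description, "using a Roblox specific strings" should read "using Roblox-specific strings".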