Downloaded URL Files

Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.


 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/06"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
11phishing campaigns.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.file-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Downloaded URL Files"
18risk_score = 47
19rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
20severity = "medium"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Execution",
26    "Data Source: Elastic Defend"
27]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
33   and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1204"
41name = "User Execution"
42reference = "https://attack.mitre.org/techniques/T1204/"
43
44
45[rule.threat.tactic]
46id = "TA0002"
47name = "Execution"
48reference = "https://attack.mitre.org/tactics/TA0002/"
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1566"
53name = "Phishing"
54reference = "https://attack.mitre.org/techniques/T1566/"
55[[rule.threat.technique.subtechnique]]
56id = "T1566.001"
57name = "Spearphishing Attachment"
58reference = "https://attack.mitre.org/techniques/T1566/001/"
59
60[[rule.threat.technique.subtechnique]]
61id = "T1566.002"
62name = "Spearphishing Link"
63reference = "https://attack.mitre.org/techniques/T1566/002/"
64
65
66
67[rule.threat.tactic]
68id = "TA0001"
69name = "Initial Access"
70reference = "https://attack.mitre.org/tactics/TA0001/"
