Downloaded URL Files

Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
13phishing campaigns.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.file-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Downloaded URL Files"
20risk_score = 21
21rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
22severity = "low"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"]
24timestamp_override = "event.ingested"
25type = "eql"
26
27query = '''
28file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
29   and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1204"
37name = "User Execution"
38reference = "https://attack.mitre.org/techniques/T1204/"
39
40
41[rule.threat.tactic]
42id = "TA0002"
43name = "Execution"
44reference = "https://attack.mitre.org/tactics/TA0002/"
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1566"
49name = "Phishing"
50reference = "https://attack.mitre.org/techniques/T1566/"
51[[rule.threat.technique.subtechnique]]
52id = "T1566.001"
53name = "Spearphishing Attachment"
54reference = "https://attack.mitre.org/techniques/T1566/001/"
55
56[[rule.threat.technique.subtechnique]]
57id = "T1566.002"
58name = "Spearphishing Link"
59reference = "https://attack.mitre.org/techniques/T1566/002/"
60
61
62
63[rule.threat.tactic]
64id = "TA0001"
65name = "Initial Access"
66reference = "https://attack.mitre.org/tactics/TA0001/"
