Downloaded URL Files

Identifies .url (Internet Shortcut) files created on Windows hosts whose Mark-of-the-Web zone identifier shows they originated outside the local machine or intranet, excluding files written by explorer.exe. Such shortcut files are commonly used in phishing campaigns.


 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in
11phishing campaigns.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.file-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Downloaded URL Files"
18risk_score = 21
19rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Execution",
26    "Data Source: Elastic Defend",
27    "Rule Type: BBR",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33file where host.os.type == "windows" and event.type == "creation" and file.extension == "url"
34   and file.Ext.windows.zone_identifier > 1 and not process.name : "explorer.exe"
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1204"
42name = "User Execution"
43reference = "https://attack.mitre.org/techniques/T1204/"
44
45
46[rule.threat.tactic]
47id = "TA0002"
48name = "Execution"
49reference = "https://attack.mitre.org/tactics/TA0002/"
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1566"
54name = "Phishing"
55reference = "https://attack.mitre.org/techniques/T1566/"
56[[rule.threat.technique.subtechnique]]
57id = "T1566.001"
58name = "Spearphishing Attachment"
59reference = "https://attack.mitre.org/techniques/T1566/001/"
60
61[[rule.threat.technique.subtechnique]]
62id = "T1566.002"
63name = "Spearphishing Link"
64reference = "https://attack.mitre.org/techniques/T1566/002/"
65
66
67
68[rule.threat.tactic]
69id = "TA0001"
70name = "Initial Access"
71reference = "https://attack.mitre.org/tactics/TA0001/"
