Ursnif Malware Download URL Pattern

calendar Feb 26, 2024 · attack.command_and_control attack.t1071.001  ·
Share on: linkedin copy

Detects download of Ursnif malware done by dropper documents.

Sigma rule (View on GitHub)

 1title: Ursnif Malware Download URL Pattern
 2id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
 3status: stable
 4description: Detects download of Ursnif malware done by dropper documents.
 5references:
 6    - https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
 7author: Thomas Patzke
 8date: 2019/12/19
 9modified: 2022/08/15
10logsource:
11    category: proxy
12tags:
13    - attack.command_and_control
14    - attack.t1071.001
15detection:
16    selection:
17        c-uri|contains|all:
18            - '/'
19            - '.php\?l='
20        c-uri|endswith: '.cab'
21        sc-status: 200
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

Related rules

to-top