HTTP Request to Low Reputation TLD or Suspicious File Extension

Detects HTTP requests whose Host header ends in a low-reputation TLD (e.g. .xyz, .top, .ru) and whose URI ends in a suspicious file extension (.exe, .dll, .hta) or whose response carries an executable MIME type, which may indicate malicious activity. Despite the "or" in the title, the condition (`selection_suspicious_tld and 1 of selection_malicious_*`) requires the TLD match in every case: a `.exe` fetched from a `.com` host does not fire. Both string checks are literal `endswith` matches on the Zeek `host` and `uri` fields, so a port in the Host header or a query string after the extension defeats them; the `resp_mime_types` selection is what catches extension-less download URLs.

Sigma rule

```yaml
title: HTTP Request to Low Reputation TLD or Suspicious File Extension
id: 68c2c604-92ad-468b-bf4a-aac49adad08c
status: experimental
description: |
    Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
references:
    - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
    - https://www.spamhaus.org/reputation-statistics/cctlds/domains/
author: '@signalblur, Corelight'
date: 2025-02-26
tags:
    - attack.initial-access
    - attack.command-and-control
logsource:
    product: zeek
    service: http
detection:
    # Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.
    selection_suspicious_tld:
        host|endswith:
            - '.bid'
            - '.by'
            - '.cf'
            - '.click'
            - '.cm'
            - '.ga'
            - '.gq'
            - '.ir'
            - '.kp'
            - '.loan'
            - '.ml'
            - '.mm'
            - '.party'
            - '.pw'
            - '.ru'
            - '.su'
            - '.sy'
            - '.tk'
            - '.top'
            - '.tv'
            - '.ve'
            - '.work'
            - '.xyz'
    selection_malicious_ext:
        uri|endswith:
            - '.bat'
            - '.bin'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.dylib'
            - '.elf'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.jar'
            - '.js'
            - '.lnk'
            - '.msi'
            - '.pif'
            - '.ps1'
            - '.py'
            - '.reg'
            - '.scr'
            - '.sh'
            - '.so'
            - '.vbs'
            - '.wsf'
    selection_malicious_mime:
        resp_mime_types:
            - 'application/vnd.microsoft.portable-executable'
            - 'application/x-bat'
            - 'application/x-dosexec'
            - 'application/x-elf'
            - 'application/x-iso9660-image'
            - 'application/x-java-archive'
            - 'application/x-ms-shortcut'
            - 'application/x-msdos-program'
            - 'application/x-msdownload'
            - 'application/x-python-code'
            - 'application/x-sh'
    condition: selection_suspicious_tld and 1 of selection_malicious_*
falsepositives:
    - Rare legitimate software downloads from low quality TLDs
level: medium
```
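To see what the condition actually fires on, here is an added example (my own code, not from SigmaHQ, Corelight or Zeek) that implements the rule's three selections and its `and` / `1 of` condition in Python and runs them over constructed Zeek-style http.log records. Field names follow Zeek's JSON http.log output; the record contents, the `matches_rule_normalized` variant and its port and query-string stripping are my assumptions, not part of the rule.

```python
"""Evaluate the Sigma rule above against Zeek http.log records.

Added example, not part of the SigmaHQ rule or of Zeek. The records below
are constructed dicts in the shape Zeek writes with JSON logging enabled
(fields uid, id.orig_h, host, uri, resp_mime_types); none is real traffic.
"""
import re
from urllib.parse import urlsplit

# Lists copied verbatim from the rule's three selections.
SUSPICIOUS_TLDS = (".bid", ".by", ".cf", ".click", ".cm", ".ga", ".gq", ".ir",
                   ".kp", ".loan", ".ml", ".mm", ".party", ".pw", ".ru", ".su",
                   ".sy", ".tk", ".top", ".tv", ".ve", ".work", ".xyz")
MALICIOUS_EXTS = (".bat", ".bin", ".cmd", ".cpl", ".dll", ".dylib", ".elf",
                  ".exe", ".hta", ".iso", ".jar", ".js", ".lnk", ".msi", ".pif",
                  ".ps1", ".py", ".reg", ".scr", ".sh", ".so", ".vbs", ".wsf")
MALICIOUS_MIMES = frozenset({
    "application/vnd.microsoft.portable-executable", "application/x-bat",
    "application/x-dosexec", "application/x-elf", "application/x-iso9660-image",
    "application/x-java-archive", "application/x-ms-shortcut",
    "application/x-msdos-program", "application/x-msdownload",
    "application/x-python-code", "application/x-sh",
})


def _lower(value):
    """Sigma string matching is case-insensitive by default, so compare lowercased."""
    return (value or "").lower()


def matches_rule(rec):
    """Literal evaluation of: selection_suspicious_tld and 1 of selection_malicious_*"""
    host = _lower(rec.get("host"))
    uri = _lower(rec.get("uri"))
    # resp_mime_types is a list in Zeek; a Sigma list match fires on any element.
    mimes = {_lower(m) for m in rec.get("resp_mime_types") or []}
    tld_hit = host.endswith(SUSPICIOUS_TLDS)
    ext_hit = uri.endswith(MALICIOUS_EXTS)
    mime_hit = bool(mimes & MALICIOUS_MIMES)
    return tld_hit and (ext_hit or mime_hit)


def matches_rule_normalized(rec):
    """Same condition after two normalisations the rule itself does not do
    (my addition, not SigmaHQ's): drop a trailing ':port' from host, and test
    only the path component of uri so a query string cannot hide the extension."""
    host = re.sub(r":\d+$", "", _lower(rec.get("host")))
    path = urlsplit(_lower(rec.get("uri"))).path
    mimes = {_lower(m) for m in rec.get("resp_mime_types") or []}
    return host.endswith(SUSPICIOUS_TLDS) and (
        path.endswith(MALICIOUS_EXTS) or bool(mimes & MALICIOUS_MIMES))


SAMPLE_RECORDS = [  # constructed for this example, not real traffic
    {"uid": "CX1", "id.orig_h": "10.0.0.5", "host": "update.evil.xyz",
     "uri": "/payload.exe", "resp_mime_types": ["application/x-dosexec"]},
    # extension-less download URL: only the MIME selection can catch it
    {"uid": "CX2", "id.orig_h": "10.0.0.5", "host": "cdn.files.top",
     "uri": "/dl?id=42", "resp_mime_types": ["application/x-msdownload"]},
    # mixed case: Sigma matching is case-insensitive, so this still fires
    {"uid": "CX3", "id.orig_h": "10.0.0.6", "host": "FILES.PW",
     "uri": "/Loader.HTA", "resp_mime_types": ["text/html"]},
    # port in Host and query string after .exe defeat both literal endswith checks
    {"uid": "CX4", "id.orig_h": "10.0.0.7", "host": "mirror.example.ru:8080",
     "uri": "/setup.exe?token=abc", "resp_mime_types": []},
    # .exe from a .com host: no TLD match, so the 'and' condition never fires
    {"uid": "CX5", "id.orig_h": "10.0.0.9", "host": "download.example.com",
     "uri": "/tools/procmon.exe", "resp_mime_types": ["application/x-dosexec"]},
    # .tv is on the TLD list, but plain HTML from it is not enough on its own
    {"uid": "CX6", "id.orig_h": "10.0.0.9", "host": "live.example.tv",
     "uri": "/index.html", "resp_mime_types": ["text/html"]},
]


def run(records, matcher=matches_rule):
    """Return the uids of the records the matcher fires on, in input order."""
    return [r["uid"] for r in records if matcher(r)]


if __name__ == "__main__":
    print("literal rule :", run(SAMPLE_RECORDS))
    print("normalized   :", run(SAMPLE_RECORDS, matches_rule_normalized))
```

Running the module shows the literal rule flagging CX1 to CX3 and missing CX4 purely because of the port and the query string, while the normalised variant picks it up. If that gap matters in your environment, close it in the rule (for example `uri|contains` on the extensions, at the cost of more noise) or by normalising `host` and `uri` before the rule sees them, rather than by relying on the MIME selection alone.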
