Download From Suspicious TLD - Blacklist

calendar May 18, 2023 · attack.initial_access attack.t1566 attack.execution attack.t1203 attack.t1204.002  ·
Share on: linkedin copy

Detects download of certain file types from hosts in suspicious TLDs

Sigma rule (View on GitHub)

  1title: Download From Suspicious TLD - Blacklist
  2id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
  3related:
  4    - id: b5de2919-b74a-4805-91a7-5049accbaefe
  5      type: similar
  6status: test
  7description: Detects download of certain file types from hosts in suspicious TLDs
  8references:
  9    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
 10    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
 11    - https://www.spamhaus.org/statistics/tlds/
 12    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 13author: Florian Roth (Nextron Systems)
 14date: 2017/11/07
 15modified: 2023/05/18
 16tags:
 17    - attack.initial_access
 18    - attack.t1566
 19    - attack.execution
 20    - attack.t1203
 21    - attack.t1204.002
 22logsource:
 23    category: proxy
 24detection:
 25    selection:
 26        c-uri-extension:
 27            - 'exe'
 28            - 'vbs'
 29            - 'bat'
 30            - 'rar'
 31            - 'ps1'
 32            - 'doc'
 33            - 'docm'
 34            - 'xls'
 35            - 'xlsm'
 36            - 'pptm'
 37            - 'rtf'
 38            - 'hta'
 39            - 'dll'
 40            - 'ws'
 41            - 'wsf'
 42            - 'sct'
 43            - 'zip'
 44            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
 45        cs-host|endswith:
 46            # Symantec / Chris Larsen analysis
 47            - '.country'
 48            - '.stream'
 49            - '.gdn'
 50            - '.mom'
 51            - '.xin'
 52            - '.kim'
 53            - '.men'
 54            - '.loan'
 55            - '.download'
 56            - '.racing'
 57            - '.online'
 58            - '.science'
 59            - '.ren'
 60            - '.gb'
 61            - '.win'
 62            - '.top'
 63            - '.review'
 64            - '.vip'
 65            - '.party'
 66            - '.tech'
 67            - '.xyz'
 68            - '.date'
 69            - '.faith'
 70            - '.zip'
 71            - '.cricket'
 72            - '.space'
 73            # McAfee report
 74            - '.info'
 75            - '.vn'
 76            - '.cm'
 77            - '.am'
 78            - '.cc'
 79            - '.asia'
 80            - '.ws'
 81            - '.tk'
 82            - '.biz'
 83            - '.su'
 84            - '.st'
 85            - '.ro'
 86            - '.ge'
 87            - '.ms'
 88            - '.pk'
 89            - '.nu'
 90            - '.me'
 91            - '.ph'
 92            - '.to'
 93            - '.tt'
 94            - '.name'
 95            - '.tv'
 96            - '.kz'
 97            - '.tc'
 98            - '.mobi'
 99            # Spamhaus
100            - '.study'
101            - '.click'
102            - '.link'
103            - '.trade'
104            - '.accountant'
105            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
106            - '.cf'
107            - '.gq'
108            - '.ml'
109            - '.ga'
110            # Custom
111            - '.pw'
112    condition: selection
113fields:
114    - ClientIP
115    - c-uri
116falsepositives:
117    - All kinds of software downloads
118level: low

References

Related rules

to-top