Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems
Sigma rule (View on GitHub)
1title: Download From Suspicious TLD - Whitelist
2id: b5de2919-b74a-4805-91a7-5049accbaefe
3related:
4 - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
5 type: similar
6status: test
7description: Detects executable downloads from suspicious remote systems
8references:
9 - Internal Research
10author: Florian Roth (Nextron Systems)
11date: 2017-03-13
12modified: 2023-05-18
13tags:
14 - attack.initial-access
15 - attack.t1566
16 - attack.execution
17 - attack.t1203
18 - attack.t1204.002
19logsource:
20 category: proxy
21detection:
22 selection:
23 c-uri-extension:
24 - 'exe'
25 - 'vbs'
26 - 'bat'
27 - 'rar'
28 - 'ps1'
29 - 'doc'
30 - 'docm'
31 - 'xls'
32 - 'xlsm'
33 - 'pptm'
34 - 'rtf'
35 - 'hta'
36 - 'dll'
37 - 'ws'
38 - 'wsf'
39 - 'sct'
40 - 'zip'
41 # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
42 filter:
43 cs-host|endswith:
44 - '.com'
45 - '.org'
46 - '.net'
47 - '.edu'
48 - '.gov'
49 - '.uk'
50 - '.ca'
51 - '.de'
52 - '.jp'
53 - '.fr'
54 - '.au'
55 - '.us'
56 - '.ch'
57 - '.it'
58 - '.nl'
59 - '.se'
60 - '.no'
61 - '.es'
62 # Extend this list as needed
63 condition: selection and not filter
64fields:
65 - ClientIP
66 - c-uri
67falsepositives:
68 - All kind of software downloads
69level: low
References
Related rules
- Download From Suspicious TLD - Blacklist
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- Flash Player Update from Suspicious Location