Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

Sigma rule

title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
fields:
    - ClientIP
    - c-uri
falsepositives:
    - All kind of software downloads
level: low
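As an added example that is not part of the rule page or of SigmaHQ, the Python below reproduces the rule's `selection and not filter` logic over constructed proxy records so the matching behaviour can be checked before deploying it in a SIEM: the extension is taken from the URI path with any query string ignored, and both the extension and the `cs-host|endswith` comparison are case-insensitive, as Sigma string matching is by default. Field names follow the rule; the hosts, client IPs and URIs in `SAMPLE_LOG` are invented.

```python
"""Reference evaluation of 'Download From Suspicious TLD - Whitelist'
over constructed proxy log records (added example, not SigmaHQ code)."""
from urllib.parse import urlparse

# c-uri-extension values from the rule's selection block
SUSPICIOUS_EXTENSIONS = {"exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls",
                         "xlsm", "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"}
# cs-host|endswith values from the rule's filter block
TRUSTED_TLDS = (".com", ".org", ".net", ".edu", ".gov", ".uk", ".ca", ".de", ".jp",
                ".fr", ".au", ".us", ".ch", ".it", ".nl", ".se", ".no", ".es")


def uri_extension(c_uri):
    """Extension of the last path segment, lower-cased; query string is ignored."""
    last = urlparse(c_uri).path.rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return last.rsplit(".", 1)[-1].lower()


def matches(record):
    """Evaluate 'selection and not filter' for one proxy record."""
    selection = uri_extension(record["c-uri"]) in SUSPICIOUS_EXTENSIONS
    filter_hit = record["cs-host"].lower().endswith(TRUSTED_TLDS)
    return selection and not filter_hit


def run(records):
    """Return the rule's output fields (ClientIP, c-uri) for every matching record."""
    return [(r["ClientIP"], r["c-uri"]) for r in records if matches(r)]


# Constructed sample records; hosts and addresses are invented.
SAMPLE_LOG = [
    {"ClientIP": "10.0.0.5", "cs-host": "updates.example.com", "c-uri": "/setup.exe"},
    {"ClientIP": "10.0.0.6", "cs-host": "cdn.example.xyz", "c-uri": "/invoice.docm?id=7"},
    {"ClientIP": "10.0.0.7", "cs-host": "files.example.top", "c-uri": "/readme.txt"},
    {"ClientIP": "10.0.0.8", "cs-host": "SHARE.EXAMPLE.ZIP", "c-uri": "/Tools/Payload.DLL"},
]

if __name__ == "__main__":
    for client_ip, uri in run(SAMPLE_LOG):
        print("ALERT", client_ip, uri)
```

Only the second and fourth records fire: the first is suppressed by the `.com` filter and the third has a non-listed extension, which illustrates why the rule is rated `level: low` and lists software downloads as its false positives.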
