PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Sigma rule (View on GitHub)
1title: PwnDrp Access
2id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
3status: test
4description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
5references:
6 - https://breakdev.org/pwndrop/
7author: Florian Roth (Nextron Systems)
8date: 2020-04-15
9modified: 2021-11-27
10tags:
11 - attack.command-and-control
12 - attack.t1071.001
13 - attack.t1102.001
14 - attack.t1102.003
15logsource:
16 category: proxy
17detection:
18 selection:
19 c-uri|contains: '/pwndrop/'
20 condition: selection
21fields:
22 - ClientIP
23 - c-uri
24 - c-useragent
25falsepositives:
26 - Unknown
27level: critical
References
-
Pwndrop is a self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
Read More
Related rules
- Raw Paste Service Access
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD