PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Sigma rule (View on GitHub)

 1title: PwnDrp Access
 2id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
 3status: test
 4description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
 5references:
 6    - https://breakdev.org/pwndrop/
 7author: Florian Roth (Nextron Systems)
 8date: 2020-04-15
 9modified: 2021-11-27
10tags:
11    - attack.command-and-control
12    - attack.t1071.001
13    - attack.t1102.001
14    - attack.t1102.003
15logsource:
16    category: proxy
17detection:
18    selection:
19        c-uri|contains: '/pwndrop/'
20    condition: selection
21fields:
22    - ClientIP
23    - c-uri
24    - c-useragent
25falsepositives:
26    - Unknown
27level: critical

References

Related rules

to-top