Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
Sigma rule

```yaml
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high
```
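To make the rule's logic concrete, the following is an added example (not part of the Sigma rule or the Sigma project) that applies the same detection to a constructed proxy log. The log format (timestamp, client IP, `cs-host`, `c-uri`, space-separated) and the hostnames in it are assumptions; only the two URI patterns and the `.adobe.com` filter come from the rule. The `selection` list is evaluated as an OR of its two entries, the filter as a suffix match on the host, and string comparisons are case-insensitive, which is how Sigma backends treat plain string modifiers by default.

```python
"""Added example: evaluate 'selection and not filter' from the Sigma rule above
over a constructed proxy log. Not the Sigma project's own code."""
from dataclasses import dataclass
from typing import List

# Constructed sample proxy log (not a real capture). Fields: timestamp, c-ip, cs-host, c-uri.
SAMPLE_PROXY_LOG = """\
2022-08-08T10:01:02Z 10.0.0.5 fpdownload.adobe.com /get/flashplayer/install_flash_player.exe
2022-08-08T10:02:15Z 10.0.0.7 cdn.example.invalid /flash_install.php?id=42
2022-08-08T10:03:40Z 10.0.0.9 update.example.invalid /downloads/install_flash_player.exe
2022-08-08T10:04:01Z 10.0.0.9 www.example.invalid /index.html
2022-08-08T10:05:12Z 10.0.0.11 adobe.com.example.invalid /FLASH_INSTALL.PHP
"""


@dataclass
class ProxyEvent:
    timestamp: str
    c_ip: str
    cs_host: str
    c_uri: str


def parse_proxy_log(text: str) -> List[ProxyEvent]:
    """Parse the assumed four-field, space-separated proxy log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, c_ip, cs_host, c_uri = line.split(maxsplit=3)
        events.append(ProxyEvent(timestamp, c_ip, cs_host, c_uri))
    return events


def selection(ev: ProxyEvent) -> bool:
    """Sigma 'selection': a list of maps is OR-ed, so either URI pattern matches.
    Comparisons are lower-cased to mirror Sigma's case-insensitive string matching."""
    uri = ev.c_uri.lower()
    return "/flash_install.php" in uri or uri.endswith("/install_flash_player.exe")


def filter_adobe(ev: ProxyEvent) -> bool:
    """Sigma 'filter': cs-host|endswith '.adobe.com' (suffix match on the host)."""
    return ev.cs_host.lower().endswith(".adobe.com")


def matches_rule(ev: ProxyEvent) -> bool:
    """condition: selection and not filter"""
    return selection(ev) and not filter_adobe(ev)


def run_rule(text: str) -> List[ProxyEvent]:
    """Return the events from a proxy log that would trigger the rule."""
    return [ev for ev in parse_proxy_log(text) if matches_rule(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_PROXY_LOG):
        print(f"ALERT {hit.timestamp} {hit.c_ip} host={hit.cs_host} uri={hit.c_uri}")
```

Running it on the sample log flags three events: the `flash_install.php` request with a query string (the `contains` modifier still matches), the `install_flash_player.exe` download from a non-Adobe host, and the upper-cased request to `adobe.com.example.invalid`, whose host does not end in `.adobe.com` and so is not excluded by the filter. The genuine download from `fpdownload.adobe.com` is filtered out.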
Related rules
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist
- Droppers Exploiting CVE-2017-11882
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759