Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
Sigma rule
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017/10/25
modified: 2022/08/08
tags:
    - attack.initial_access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high
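The following is an added example, not part of the rule page or of the Sigma project: it re-implements the rule's detection block (the OR-ed `selection` list, the `filter`, and `condition: selection and not filter`) in plain Python and runs it over a handful of constructed proxy log records. Field names follow the Sigma proxy log source used by the rule (`c-uri`, `cs-host`); the records themselves are invented for illustration. String comparison is done case-insensitively, as Sigma does by default.

```python
"""Added example: evaluate the 'Flash Player Update from Suspicious Location'
Sigma rule's logic over constructed proxy log records.

Not the Sigma project's own code; the log records below are constructed
samples, not real traffic.
"""


def selection(record):
    """Rule 'selection': a list of maps, so the two c-uri tests are OR-ed.

    Sigma's |contains and |endswith match case-insensitively by default,
    so the field value is lower-cased before comparison.
    """
    uri = record.get("c-uri", "").lower()
    return "/flash_install.php" in uri or uri.endswith("/install_flash_player.exe")


def filter_adobe(record):
    """Rule 'filter': cs-host ends with '.adobe.com'.

    Note that this only covers subdomains; a bare 'adobe.com' host does not
    end with '.adobe.com' and therefore is not filtered out.
    """
    host = record.get("cs-host", "").lower()
    return host.endswith(".adobe.com")


def matches(record):
    """Rule 'condition: selection and not filter'."""
    return selection(record) and not filter_adobe(record)


def find_alerts(records):
    """Return every record that the rule would fire on."""
    return [r for r in records if matches(r)]


# Constructed sample proxy log records (hostnames use reserved .invalid TLD).
SAMPLE_LOGS = [
    # official CDN subdomain: suppressed by the filter
    {"cs-host": "fpdownload.adobe.com",
     "c-uri": "/get/flashplayer/install_flash_player.exe"},
    # PHP installer page on an unrelated host: 'contains' hit
    {"cs-host": "cdn.example.invalid",
     "c-uri": "/update/flash_install.php?id=1"},
    # installer executable on an unrelated host: 'endswith' hit
    {"cs-host": "files.example.invalid",
     "c-uri": "/dl/install_flash_player.exe"},
    # ordinary request: no selection hit
    {"cs-host": "www.example.invalid", "c-uri": "/index.html"},
    # look-alike host: does not end with '.adobe.com', so it alerts
    {"cs-host": "notadobe.com", "c-uri": "/install_flash_player.exe"},
    # apex domain: also not covered by the '.adobe.com' filter as written
    {"cs-host": "adobe.com", "c-uri": "/install_flash_player.exe"},
    # query string after the .exe defeats the 'endswith' test: no alert
    {"cs-host": "mirror.example.invalid",
     "c-uri": "/install_flash_player.exe?dl=1"},
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOGS):
        print(f"ALERT  {hit['cs-host']}{hit['c-uri']}")
```

Two behaviours of the rule are worth keeping in mind when tuning it: the `endswith` filter on `.adobe.com` does not cover the apex host `adobe.com` itself, which would show up as a false positive if such requests appear in your proxy logs, and a `/install_flash_player.exe` URI followed by a query string is not caught by the `endswith` test, whereas the `/flash_install.php` `contains` test is unaffected by trailing parameters.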