Flash Player Update from Suspicious Location

Detects a flashplayer update from an unofficial location

Sigma rule (View on GitHub)

 1title: Flash Player Update from Suspicious Location
 2id: 4922a5dd-6743-4fc2-8e81-144374280997
 3status: test
 4description: Detects a flashplayer update from an unofficial location
 5references:
 6    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
 7author: Florian Roth (Nextron Systems)
 8date: 2017/10/25
 9modified: 2022/08/08
10tags:
11    - attack.initial_access
12    - attack.t1189
13    - attack.execution
14    - attack.t1204.002
15    - attack.defense_evasion
16    - attack.t1036.005
17logsource:
18    category: proxy
19detection:
20    selection:
21        - c-uri|contains: '/flash_install.php'
22        - c-uri|endswith: '/install_flash_player.exe'
23    filter:
24        cs-host|endswith: '.adobe.com'
25    condition: selection and not filter
26falsepositives:
27    - Unknown flash download locations
28level: high

References

Related rules

to-top