Suspicious Network Communication With IPFS
Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
Sigma rule (View on GitHub)
1title: Suspicious Network Communication With IPFS
2id: eb6c2004-1cef-427f-8885-9042974e5eb6
3status: test
4description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
5references:
6 - https://blog.talosintelligence.com/ipfs-abuse/
7 - https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11
8 - https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
9author: Gavin Knapp
10date: 2023/03/16
11tags:
12 - attack.credential_access
13 - attack.t1056
14logsource:
15 category: proxy
16detection:
17 selection:
18 cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
19 condition: selection
20falsepositives:
21 - Legitimate use of IPFS being used in the organisation. However the cs-uri regex looking for a user email will likely negate this.
22level: low
References
-
* The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors. * Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks. * IPFS is often used for legitimate
Read More -
Indicators of Compromise. Contribute to Cisco-Talos/IOCs development by creating an account on GitHub.
Read More -
Related rules
- Active Directory Database Snapshot Via ADExplorer
- CVE-2023-23397 Exploitation Attempt
- Potential MFA Bypass Using Legacy Client Authentication
- Suspicious Active Directory Database Snapshot Via ADExplorer
- Cisco Collect Data