Suspicious Windows Strings In URI

Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication

Sigma rule (View on GitHub)

 1title: Suspicious Windows Strings In URI
 2id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
 3status: test
 4description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
 5references:
 6    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-06-06
 9modified: 2023-01-02
10tags:
11    - attack.persistence
12    - attack.exfiltration
13    - attack.t1505.003
14logsource:
15    category: webserver
16detection:
17    selection:
18        cs-uri-query|contains:
19            - '=C:/Users'
20            - '=C:/Program%20Files'
21            - '=C:/Windows'
22            - '=C%3A%5CUsers'
23            - '=C%3A%5CProgram%20Files'
24            - '=C%3A%5CWindows'
25    condition: selection
26falsepositives:
27    - Legitimate application and websites that use windows paths in their URL
28level: high

References

Related rules

to-top