Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
Sigma rule (View on GitHub)
1title: Unusual File Download from Direct IP Address
2id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
3status: test
4description: Detects the download of suspicious file type from URLs with IP
5references:
6 - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
7 - https://labs.withsecure.com/publications/detecting-onenote-abuse
8author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
9date: 2022-09-07
10modified: 2023-02-10
11tags:
12 - attack.defense-evasion
13 - attack.t1564.004
14logsource:
15 product: windows
16 category: create_stream_hash
17detection:
18 selection:
19 Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
20 TargetFilename|contains:
21 - '.ps1:Zone'
22 - '.bat:Zone'
23 - '.exe:Zone'
24 - '.vbe:Zone'
25 - '.vbs:Zone'
26 - '.dll:Zone'
27 - '.one:Zone'
28 - '.cmd:Zone'
29 - '.hta:Zone'
30 - '.xll:Zone'
31 - '.lnk:Zone'
32 condition: selection
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- Execute From Alternate Data Streams
- Exports Registry Key To an Alternate Data Stream
- HackTool Named File Stream Created
- Hidden Executable In NTFS Alternate Data Stream
- Insensitive Subfolder Search Via Findstr.EXE