Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Sigma rule

```yaml
title: Potentially Suspicious File Download From ZIP TLD
id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
status: test
description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
references:
    - https://twitter.com/cyb3rops/status/1659175181695287297
    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
author: Florian Roth (Nextron Systems)
date: 2023-05-18
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|contains: '.zip/'
        TargetFilename|contains:
            - '.bat:Zone'
            - '.dat:Zone'
            - '.dll:Zone'
            - '.doc:Zone'
            - '.docm:Zone'
            - '.exe:Zone'
            - '.hta:Zone'
            - '.pptm:Zone'
            - '.ps1:Zone'
            - '.rar:Zone'
            - '.rtf:Zone'
            - '.sct:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.ws:Zone'
            - '.wsf:Zone'
            - '.xll:Zone'
            - '.xls:Zone'
            - '.xlsm:Zone'
            - '.zip:Zone'
    condition: selection
falsepositives:
    - Legitimate file downloads from websites and web services that use the ".zip" top-level domain.
level: high
```
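The rule keys on the `Zone.Identifier` alternate data stream that Windows writes next to a downloaded file: the `create_stream_hash` log source is Sysmon Event ID 15, and the `Contents` field it inspects only exists once Sysmon 11.1 or later records the text of small streams (the second reference above). The two `contains` tests are plain substring matches, so `.zip/` also fires when that string appears in a URL path rather than in the host name. The following worked example is added here and is not code from the rule or from the SigmaHQ project: it re-implements the `selection` block in Python, runs it over a few constructed Event ID 15 records, and adds a small triage helper that parses the `HostUrl=` line to tell a real `.zip` host from a `.zip/` path segment. Field names follow Sysmon (`TargetFilename`, `Contents`); treating Sigma `contains` as case-insensitive is the Sigma default, and the sample events and the `host_is_zip_tld` helper are my own assumptions, not part of the rule.

```python
from urllib.parse import urlparse

# Extension-plus-stream suffixes taken from the rule's TargetFilename|contains list.
# Sigma's `contains` is case-insensitive, so everything is compared lower-cased.
SUSPICIOUS_ADS_SUFFIXES = [
    ".bat:zone", ".dat:zone", ".dll:zone", ".doc:zone", ".docm:zone",
    ".exe:zone", ".hta:zone", ".pptm:zone", ".ps1:zone", ".rar:zone",
    ".rtf:zone", ".sct:zone", ".vbe:zone", ".vbs:zone", ".ws:zone",
    ".wsf:zone", ".xll:zone", ".xls:zone", ".xlsm:zone", ".zip:zone",
]


def matches_zip_tld_download(event: dict) -> bool:
    """Return True when a Sysmon Event ID 15 record satisfies the rule's `selection`.

    Both conditions are substring tests, exactly as the rule states them:
    '.zip/' anywhere in the stream contents AND one of the suffixes anywhere
    in the target file name.
    """
    contents = str(event.get("Contents", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    if ".zip/" not in contents:
        return False
    return any(suffix in target for suffix in SUSPICIOUS_ADS_SUFFIXES)


def run_detection(events: list[dict]) -> list[str]:
    """Apply the rule to a batch of events; return the TargetFilename of every hit."""
    return [e["TargetFilename"] for e in events if matches_zip_tld_download(e)]


def host_is_zip_tld(contents: str) -> bool:
    """Triage helper (assumption, not part of the rule): parse the Zone.Identifier
    text and report whether the HostUrl host name really ends in '.zip'.

    The rule's '.zip/' substring also matches a path such as
    https://example.com/bundle.zip/tool.exe; this separates the two cases.
    """
    for line in contents.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "hosturl":
            host = urlparse(value.strip()).hostname or ""
            return host.lower().endswith(".zip")
    return False


# Constructed Sysmon Event ID 15 records (Zone.Identifier streams as browsers
# write them on Windows). Illustrative only, not captured telemetry.
SAMPLE_EVENTS = [
    {   # True positive: executable fetched from a .zip domain
        "TargetFilename": r"C:\Users\alice\Downloads\invoice.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://attachments.zip/\r\n"
                    "HostUrl=https://attachments.zip/invoice.exe\r\n",
    },
    {   # Not matched: .pdf is not in the suffix list
        "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://docs.zip/report.pdf\r\n",
    },
    {   # Not matched: ordinary .com download
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example.com/setup.exe\r\n",
    },
    {   # Matched by the substring test, but '.zip/' comes from the path, not the host
        "TargetFilename": r"C:\Users\alice\Downloads\Tool.EXE:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"
                    "HostUrl=https://cdn.example.com/releases/bundle.zip/Tool.EXE\r\n",
    },
]


if __name__ == "__main__":
    for name in run_detection(SAMPLE_EVENTS):
        print("ALERT:", name, "| host is .zip TLD:",
              host_is_zip_tld(next(e["Contents"] for e in SAMPLE_EVENTS
                                   if e["TargetFilename"] == name)))
```

Run stand-alone, the block alerts on the first and fourth sample events; the triage helper flags only the first as a genuine `.zip` host, which is the distinction an analyst would want before acting on a `level: high` hit.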