Obfuscated IP Download
Detects use of an encoded/obfuscated version of an IP address (hex, octal, ...) in a URL combined with a download command
Sigma rule
```yaml
title: Obfuscated IP Download
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: experimental
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Florian Roth (Nextron Systems)
date: 2022/08/03
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'wget '
            - 'curl '
            - 'DownloadFile'
            - 'DownloadString'
    selection_ip:
        - CommandLine|contains:
            - '//0x'
            - '.0x'
            - '.00x'
        - CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
```
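To see what the two selections actually catch, the following added example (not part of the Sigma repository, written here for illustration) re-implements the rule's matching logic in Python, generates the common obfuscated forms of an IPv4 address the way the referenced IP converter does, and runs constructed PowerShell download command lines through the matcher. String matching is done case-insensitively, which is Sigma's default for `contains`; the command-line strings and the 127.0.0.1 sample address are constructed for the demonstration.

```python
import ipaddress

# Substrings from the rule, lowercased because Sigma 'contains' matches case-insensitively.
DOWNLOAD_CMDS = ["invoke-webrequest", "iwr ", "wget ", "curl ", "downloadfile", "downloadstring"]
OBF_IP_ANY = ["//0x", ".0x", ".00x"]        # selection_ip, first alternative: any of these
OBF_IP_ALL = ["http://%", "%2e"]            # selection_ip, second alternative: all of these


def matches(cmdline: str) -> bool:
    """Return True when the command line satisfies 'all of selection*'."""
    s = cmdline.lower()
    selection_img = any(p in s for p in DOWNLOAD_CMDS)
    selection_ip = any(p in s for p in OBF_IP_ANY) or all(p in s for p in OBF_IP_ALL)
    return selection_img and selection_ip


def obfuscated_forms(ip: str) -> dict:
    """Encode a dotted-decimal IPv4 address in the alternative notations
    that inet_aton-style parsers and browsers accept."""
    addr = ipaddress.IPv4Address(ip)
    octets = addr.packed          # four bytes, most significant first
    n = int(addr)                 # the address as a single 32-bit integer
    return {
        "dotted_hex": ".".join(f"0x{o:x}" for o in octets),      # 0x7f.0x0.0x0.0x1
        "dotted_octal": ".".join(f"0{o:o}" for o in octets),     # 0177.00.00.01
        "dotless_decimal": str(n),                               # 2130706433
        "dotless_hex": f"0x{n:x}",                               # 0x7f000001
        "url_encoded": "".join(f"%{ord(c):02x}" for c in ip),    # %31%32%37%2e...
    }


def evaluate(ip: str) -> dict:
    """Build a constructed 'iwr' download command line for each notation of ip
    and report which of them the rule would fire on."""
    hosts = obfuscated_forms(ip)
    hosts["plain"] = ip
    return {
        name: matches(f'powershell -c "iwr http://{host}/payload.exe -OutFile p.exe"')
        for name, host in hosts.items()
    }


if __name__ == "__main__":
    for name, hit in evaluate("127.0.0.1").items():
        print(f"{name:16} {'MATCH' if hit else 'no match'}")
    # A download command alone, or an obfuscated address alone, is not enough:
    print(matches("Invoke-WebRequest -Uri http://example.com/file"))   # False
    print(matches("ping 0x7f.0x0.0x0.0x1"))                           # False
```

Running it shows the coverage boundary a detection engineer should know about: the dotted-hex, dotless-hex and URL-encoded forms fire, but dotted octal (`0177.00.00.01`) and dotless decimal (`2130706433`) contain none of the rule's substrings and pass silently, even though both are valid targets for `iwr`. Those forms need a separate rule (or a regex on numeric-only hosts), and the `%2e` alternative only triggers when the scheme is literally `http://` followed by an encoded character, so an `https://` URL with encoded dots is likewise missed.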