Obfuscated IP Download

Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command

Sigma rule

title: Obfuscated IP Download
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: experimental
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Florian Roth (Nextron Systems)
date: 2022/08/03
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'wget '
            - 'curl '
            - 'DownloadFile'
            - 'DownloadString'
    selection_ip:
        - CommandLine|contains:
            - '//0x'
            - '.0x'
            - '.00x'
        - CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
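The condition `all of selection*` means both selections must hold: `selection_img` is an OR over the download-command substrings, and `selection_ip` (a list of two maps) is an OR between the hex-prefix substrings and the pair of percent-encoding substrings that must both be present. Sigma `contains` matching is case-insensitive. The Python below is an added example, not code from the Sigma project or from the rule author: it re-implements the rule's matching over constructed process-creation command lines and adds a small triage helper that decodes a whole-address hex literal (`0xc0a80001`) back to dotted-quad form. The function names, the sample events and the decoder are assumptions of this example, not part of the rule.

```python
import ipaddress
import re

# Substrings copied from the rule's selection_img (OR semantics).
DOWNLOAD_TOKENS = ["Invoke-WebRequest", "iwr ", "wget ", "curl ", "DownloadFile", "DownloadString"]
# First map of selection_ip: any of these substrings (OR semantics).
HEX_IP_TOKENS = ["//0x", ".0x", ".00x"]
# Second map of selection_ip: contains|all, so every substring must be present (AND semantics).
PCT_ENCODED_ALL = ["http://%", "%2e"]

# Whole-address hex literal as it appears after "//" in a URL, e.g. 0xc0a80001.
HEX_IP_RE = re.compile(r"//(0x[0-9a-f]+)", re.IGNORECASE)


def _contains_any(haystack: str, needles) -> bool:
    """Sigma 'contains' list: case-insensitive substring match, any value suffices."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def _contains_all(haystack: str, needles) -> bool:
    """Sigma 'contains|all': case-insensitive substring match, every value required."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def matches_obfuscated_ip_download(command_line: str) -> bool:
    """Evaluate 'condition: all of selection*' for a single CommandLine value."""
    selection_img = _contains_any(command_line, DOWNLOAD_TOKENS)
    selection_ip = (_contains_any(command_line, HEX_IP_TOKENS)
                    or _contains_all(command_line, PCT_ENCODED_ALL))
    return selection_img and selection_ip


def decode_hex_ipv4(token: str):
    """Triage helper (assumed, not part of the rule): 0xc0a80001 -> '192.168.0.1'.

    Only handles the whole-address form; mixed forms like 192.0xa8.0.1 are left to the analyst.
    Returns None if the literal does not fit in 32 bits.
    """
    value = int(token, 16)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def triage(command_line: str) -> dict:
    """Return the rule verdict plus any decoded whole-address hex IPs found in the command line."""
    decoded = [decode_hex_ipv4(m) for m in HEX_IP_RE.findall(command_line)]
    return {
        "alert": matches_obfuscated_ip_download(command_line),
        "decoded_ips": [d for d in decoded if d is not None],
    }


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"CommandLine": 'powershell.exe -nop -c "Invoke-WebRequest http://0xc0a80001/update.txt -OutFile u.txt"'},
    {"CommandLine": "curl http://192.168.0.1/update.txt"},          # plain dotted-quad: no alert
    {"CommandLine": "ping 0x7f000001"},                             # hex literal but no download command
    {"CommandLine": "iwr http://%31%32%37%2e0%2e0%2e1/x.txt"},      # percent-encoded dots: alert
]


def evaluate(events) -> list:
    """Run the rule over a list of events and return (CommandLine, alert) pairs."""
    return [(e["CommandLine"], matches_obfuscated_ip_download(e["CommandLine"])) for e in events]


if __name__ == "__main__":
    for cmd, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ok    '} {cmd}")
        if hit:
            print("        decoded:", triage(cmd)["decoded_ips"])
```

When tuning this rule, note what the two `selection_ip` maps do and do not cover: they match hex-prefixed octets and percent-encoded dots, but a pure decimal integer address (the single-number form the referenced ipconverter also produces) contains neither `0x` nor `%2e` and so does not alert; a defender who wants that form covered must add a further selection. The `falsepositives: Unknown` field is worth revisiting after a baseline run, since `wget ` and `curl ` are common in legitimate scripts and only the combination with the obfuscation substrings should fire.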
