SigmaHQ/rules/proxy/proxy_download_susp_tlds_whitelist.yml

56 lines
1.3 KiB
YAML
Raw Normal View History

2018-01-27 09:57:30 +00:00
title: Download EXE from Suspicious TLD
2017-03-13 15:11:43 +00:00
status: experimental
description: Detects executable downloads from suspicious remote systems
2017-03-13 15:11:43 +00:00
author: Florian Roth
logsource:
category: proxy
2017-03-13 15:11:43 +00:00
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
2017-03-13 15:11:43 +00:00
filter:
r-dns:
- '*.com'
- '*.org'
- '*.net'
- '*.edu'
- '*.gov'
- '*.uk'
- '*.ca'
- '*.de'
- '*.jp'
- '*.fr'
- '*.au'
- '*.us'
- '*.ch'
- '*.it'
- '*.nl'
- '*.se'
- '*.no'
- '*.es'
# Extend this list as needed
condition: selection and not filter
2017-09-12 21:54:04 +00:00
fields:
- ClientIP
- URL
2017-03-13 15:11:43 +00:00
falsepositives:
- All kind of software downloads
level: low