SigmaHQ/rules/proxy/proxy_pwndrop.yml

title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: experimental
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
author: Florian Roth
date: 2020/04/15
modified: 2020/09/03
references:
    - https://breakdev.org/pwndrop/
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1043  # an old one
    - attack.t1102.001
    - attack.t1102.003
    - attack.t1102  # an old one
rule: PwnDrp access 2020-04-17 06:55:40 +00:00			`title: PwnDrp Access`
			`id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e`
			`status: experimental`
			`description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity`
			`author: Florian Roth`
			`date: 2020/04/15`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/03`
Second round 2020-09-15 13:02:30 +00:00			`references:`
			`- https://breakdev.org/pwndrop/`
rule: PwnDrp access 2020-04-17 06:55:40 +00:00			`logsource:`
			`category: proxy`
			`detection:`
			`selection:`
			`c-uri\|contains: '/pwndrop/'`
			`condition: selection`
			`fields:`
			`- ClientIP`
			`- c-uri`
			`- c-useragent`
			`falsepositives:`
			`- Unknown`
			`level: critical`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071.001`
			`- attack.t1043 # an old one`
			`- attack.t1102.001`
			`- attack.t1102.003`
			`- attack.t1102 # an old one`