2019-12-09 15:02:10 +00:00
|
|
|
title: Ursnif Malware Download URL Pattern
|
|
|
|
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
|
|
|
|
status: stable
|
|
|
|
description: Detects download of Ursnif malware done by dropper documents.
|
|
|
|
author: Thomas Patzke
|
2020-01-30 14:20:52 +00:00
|
|
|
date: 2019/12/19
|
2020-11-28 18:09:07 +00:00
|
|
|
modified: 2020/11/28
|
2019-12-09 15:02:10 +00:00
|
|
|
logsource:
|
|
|
|
category: proxy
|
|
|
|
detection:
|
|
|
|
selection:
|
2020-11-28 18:09:07 +00:00
|
|
|
c-uri|contains|all:
|
|
|
|
- '/'
|
|
|
|
- '.php?l='
|
|
|
|
c-uri|endswith: '.cab'
|
2019-12-09 15:02:10 +00:00
|
|
|
sc-status: 200
|
|
|
|
condition: selection
|
|
|
|
fields:
|
|
|
|
- c-ip
|
|
|
|
- c-uri
|
|
|
|
- sc-bytes
|
|
|
|
- c-ua
|
|
|
|
falsepositives:
|
|
|
|
- Unknown
|
|
|
|
level: critical
|
|
|
|
---
|
|
|
|
title: Ursnif Malware C2 URL Pattern
|
|
|
|
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
|
|
|
|
status: stable
|
|
|
|
description: Detects Ursnif C2 traffic.
|
|
|
|
references:
|
|
|
|
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
|
|
|
|
author: Thomas Patzke
|
|
|
|
logsource:
|
|
|
|
category: proxy
|
|
|
|
detection:
|
|
|
|
b64encoding:
|
2020-10-16 02:30:07 +00:00
|
|
|
c-uri|contains:
|
|
|
|
- "_2f"
|
|
|
|
- "_2b"
|
2019-12-09 15:02:10 +00:00
|
|
|
urlpatterns:
|
2020-10-16 02:30:07 +00:00
|
|
|
c-uri|contains|all:
|
|
|
|
- ".avi"
|
|
|
|
- "/images/"
|
2019-12-09 15:02:10 +00:00
|
|
|
condition: b64encoding and urlpatterns
|
|
|
|
fields:
|
|
|
|
- c-ip
|
|
|
|
- c-uri
|
|
|
|
- sc-bytes
|
|
|
|
- c-ua
|
|
|
|
falsepositives:
|
|
|
|
- Unknown
|
|
|
|
level: critical
|
2020-09-15 13:02:30 +00:00
|
|
|
tags:
|
|
|
|
- attack.initial_access
|
|
|
|
- attack.t1566.001
|
|
|
|
- attack.t1193 # an old one
|
|
|
|
- attack.execution
|
|
|
|
- attack.t1204.002
|
|
|
|
- attack.t1204 # an old one
|
|
|
|
- attack.command_and_control
|
2020-10-16 02:30:07 +00:00
|
|
|
- attack.t1071.001
|