SigmaHQ/rules/proxy/proxy_ursnif_malware.yml
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2020/11/28
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains|all:
            - '/'
            - '.php?l='
        c-uri|endswith: '.cab'
        sc-status: 200
    condition: selection
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    - Unknown
level: critical
---
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
logsource:
    category: proxy
detection:
    b64encoding:
        c-uri|contains:
            - "_2f"
            - "_2b"
    urlpatterns:
        c-uri|contains|all:
            - ".avi"
            - "/images/"
    condition: b64encoding and urlpatterns
fields:
    - c-ip
    - c-uri
    - sc-bytes
    - c-ua
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.t1193 # an old one
    - attack.execution
    - attack.t1204.002
    - attack.t1204 # an old one
    - attack.command_and_control
    - attack.t1071.001
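To see what the two rules above actually match, the following added Python example (not part of the SigmaHQ rule file, and not how Sigma backends or SIEMs evaluate rules) implements just the modifiers these rules use (`contains`, `endswith`, the `all` flag, plain equality) and the two `condition` expressions, then runs them over constructed proxy records. It assumes Sigma's default case-insensitive string matching, and every record, IP and URI in `SAMPLE_RECORDS` is made up for the example and is not a real indicator.

```python
"""Evaluate the two Ursnif proxy rules against constructed proxy log records."""

# Constructed proxy records using Sigma's proxy field names (c-uri, sc-status, ...).
# All values are invented for this example; the URIs are not real indicators.
SAMPLE_RECORDS = [
    {"c-ip": "10.0.0.5", "c-uri": "/load/index.php?l=user7.cab", "sc-status": 200,
     "sc-bytes": 214528, "c-ua": "Microsoft Office/16.0"},
    {"c-ip": "10.0.0.5", "c-uri": "/load/index.php?l=user7.cab", "sc-status": 404,
     "sc-bytes": 312, "c-ua": "Microsoft Office/16.0"},
    {"c-ip": "10.0.0.9", "c-uri": "/images/Ab_2fcd_2bef/Q.avi", "sc-status": 200,
     "sc-bytes": 5120, "c-ua": "Mozilla/5.0"},
    {"c-ip": "10.0.0.9", "c-uri": "/images/logo.avi", "sc-status": 200,
     "sc-bytes": 9001, "c-ua": "Mozilla/5.0"},
    {"c-ip": "10.0.0.12", "c-uri": "/docs/report.php?l=x", "sc-status": 200,
     "sc-bytes": 800, "c-ua": "curl/8.0"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def field_matches(record, spec, value):
    """Evaluate one 'field|modifier...' entry of a Sigma selection.

    Supports only the modifiers the two rules use: contains, endswith and the
    'all' flag. Sigma string matching is case-insensitive (assumption stated
    in the lead-in), so both sides are lower-cased. A list of values means
    'any of them' unless the 'all' modifier is present.
    """
    field, *modifiers = spec.split("|")
    actual = record.get(field)
    if actual is None:
        return False
    want_all = "all" in modifiers
    mode = next((m for m in modifiers if m in ("contains", "endswith")), None)
    haystack = str(actual).lower()

    def one(v):
        v = str(v).lower()
        if mode == "contains":
            return v in haystack
        if mode == "endswith":
            return haystack.endswith(v)
        return haystack == v  # plain equality, e.g. sc-status: 200

    results = [one(v) for v in _as_list(value)]
    return all(results) if want_all else any(results)


def selection_matches(record, selection):
    """Field entries inside one named selection are AND-ed together."""
    return all(field_matches(record, spec, value) for spec, value in selection.items())


# The selections exactly as written in the two rules above.
DOWNLOAD_SELECTION = {
    "c-uri|contains|all": ["/", ".php?l="],
    "c-uri|endswith": ".cab",
    "sc-status": 200,
}
C2_B64ENCODING = {"c-uri|contains": ["_2f", "_2b"]}
C2_URLPATTERNS = {"c-uri|contains|all": [".avi", "/images/"]}


def matches_download_rule(record):
    # condition: selection
    return selection_matches(record, DOWNLOAD_SELECTION)


def matches_c2_rule(record):
    # condition: b64encoding and urlpatterns
    return (selection_matches(record, C2_B64ENCODING)
            and selection_matches(record, C2_URLPATTERNS))


def run_rules(records):
    """Return (rule title, c-uri) for every record that fires a rule."""
    hits = []
    for r in records:
        if matches_download_rule(r):
            hits.append(("Ursnif Malware Download URL Pattern", r["c-uri"]))
        if matches_c2_rule(r):
            hits.append(("Ursnif Malware C2 URL Pattern", r["c-uri"]))
    return hits


if __name__ == "__main__":
    for title, uri in run_rules(SAMPLE_RECORDS):
        print(f"{title}: {uri}")
```

Only the first and third records fire: the second is the same download URI with a 404, which the `sc-status: 200` term excludes, and the fourth has the `/images/` and `.avi` pattern but none of the `_2f`/`_2b` URL-encoded base64 markers, so `b64encoding and urlpatterns` is false. This is also why the C2 rule needs both selections: either half on its own would match ordinary image or video requests.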