valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a95c4347d9
SigmaHQ/rules/proxy/proxy_raw_paste_service_access.yml

29 lines
881 B
YAML
Raw Normal View History

rule: raw paste service access
2019-12-05 07:54:42 +00:00
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: experimental
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
- https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth
date: 2019/12/05
tags:
- attack.t1102
- attack.defense_evasion
logsource:
category: proxy
detection:
selection:
c-uri|contains:
- '.paste.ee/r/'
- '.pastebin.com/raw/'
Add hastebin raw URI to contains selection
2019-12-05 20:16:20 +00:00
- '.hastebin.com/raw/'
fixed regex syntax to wildcard syntax
2020-02-26 08:43:29 +00:00
- '.ghostbin.co/paste/*/raw/'
rule: raw paste service access
2019-12-05 07:54:42 +00:00
condition: selection
fields:
- ClientIP
Fixed proxy rule field names
2019-12-06 23:11:33 +00:00
- c-uri
- c-useragent
rule: raw paste service access
2019-12-05 07:54:42 +00:00
falsepositives:
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
Reference in New Issue Copy Permalink