SigmaHQ/rules/proxy/proxy_ursnif_malware.yml

59 lines
1.2 KiB
YAML
Raw Normal View History

2019-12-09 15:02:10 +00:00
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
author: Thomas Patzke
date: 2019/12/19
modified: 2020/09/03
2019-12-09 15:02:10 +00:00
logsource:
category: proxy
detection:
selection:
c-uri: '*/*.php?l=*.cab'
sc-status: 200
condition: selection
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
---
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
logsource:
category: proxy
detection:
b64encoding:
c-uri:
- "*_2f*"
- "*_2b*"
urlpatterns:
c-uri|all:
- "*.avi"
- "*/images/*"
condition: b64encoding and urlpatterns
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
2020-09-15 13:02:30 +00:00
tags:
- attack.initial_access
- attack.t1566.001
- attack.t1193 # an old one
- attack.execution
- attack.t1204.002
- attack.t1204 # an old one
- attack.command_and_control
- attack.t1071.001