SigmaHQ/rules/proxy/proxy_download_susp_tlds_whitelist.yml

title: Download EXE from Suspicious TLD
id: b5de2919-b74a-4805-91a7-5049accbaefe
status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
date: 2017/03/13
modified: 2020/09/03
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        r-dns|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
fields:
    - ClientIP
    - c-uri
falsepositives:
    - All kind of software downloads
level: low
tags:
    - attack.initial_access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.t1204  # an old one
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Download EXE from Suspicious TLD`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: b5de2919-b74a-4805-91a7-5049accbaefe`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`status: experimental`
Rule: Proxy download whitelist bugfix and improvements 2017-11-07 13:02:56 +00:00			`description: Detects executable downloads from suspicious remote systems`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`author: Florian Roth`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`date: 2017/03/13`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/03`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`logsource:`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`category: proxy`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`detection:`
			`selection:`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`c-uri-extension:`
Rule: Proxy download whitelist bugfix and improvements 2017-11-07 13:02:56 +00:00			`- 'exe'`
			`- 'vbs'`
			`- 'bat'`
			`- 'rar'`
			`- 'ps1'`
Rule: Extended proxy suspicious TLD white list rule 2017-11-07 23:38:26 +00:00			`- 'doc'`
			`- 'docm'`
			`- 'xls'`
			`- 'xlsm'`
			`- 'pptm'`
			`- 'rtf'`
			`- 'hta'`
			`- 'dll'`
			`- 'ws'`
			`- 'wsf'`
			`- 'sct'`
			`- 'zip'`
			`# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`filter:`
Update proxy_download_susp_tlds_whitelist.yml 2020-10-16 02:22:57 +00:00			`r-dns\|endswith:`
			`- '.com'`
			`- '.org'`
			`- '.net'`
			`- '.edu'`
			`- '.gov'`
			`- '.uk'`
			`- '.ca'`
			`- '.de'`
			`- '.jp'`
			`- '.fr'`
			`- '.au'`
			`- '.us'`
			`- '.ch'`
			`- '.it'`
			`- '.nl'`
			`- '.se'`
			`- '.no'`
			`- '.es'`
Rule: Extended proxy suspicious TLD white list rule 2017-11-07 23:38:26 +00:00			`# Extend this list as needed`
Rule: Proxy download whitelist bugfix and improvements 2017-11-07 13:02:56 +00:00			`condition: selection and not filter`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`- c-uri`
Rule: Suspicious executable downloads 2017-03-13 15:11:43 +00:00			`falsepositives:`
			`- All kind of software downloads`
			`level: low`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.initial_access`
			`- attack.t1566`
			`- attack.execution`
			`- attack.t1203`
			`- attack.t1204.002`
			`- attack.t1204 # an old one`