title: Download EXE from Suspicious TLD
status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        r-dns:
            - '*.com'
            - '*.org'
            - '*.net'
            - '*.edu'
            - '*.gov'
            - '*.uk'
            - '*.ca'
            - '*.de'
            - '*.jp'
            - '*.fr'
            - '*.au'
            - '*.us'
            - '*.ch'
            - '*.it'
            - '*.nl'
            - '*.se'
            - '*.no'
            - '*.es'
            # Extend this list as needed
    condition: selection and not filter
fields:
    - ClientIP
    - URL
falsepositives:
    - All kinds of software downloads
level: low
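The following Python is an added example of how this rule's `selection and not filter` logic behaves when evaluated directly over proxy records; it is not part of the rule, nor Sigma's own converter or backend code. It assumes each record is a dict carrying the rule's field names (`c-uri-extension`, `r-dns`, `ClientIP`, `URL`), that Sigma string matching is case-insensitive and whole-value with `*` as a wildcard, and it adds a hypothetical `uri_extension` fallback for proxies that log no extension field. All hosts and addresses in the sample records are constructed.

```python
import re
import posixpath
from typing import Dict, List
from urllib.parse import urlparse

# Lists copied from the rule's selection and filter sections.
SUSPICIOUS_EXTENSIONS = [
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
]
TRUSTED_TLD_PATTERNS = [
    "*.com", "*.org", "*.net", "*.edu", "*.gov", "*.uk", "*.ca", "*.de",
    "*.jp", "*.fr", "*.au", "*.us", "*.ch", "*.it", "*.nl", "*.se", "*.no", "*.es",
]


def sigma_match(value: str, pattern: str) -> bool:
    """Sigma-style comparison: whole value, case-insensitive,
    '*' matches any run of characters and '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def uri_extension(url: str) -> str:
    """Hypothetical fallback when the proxy logs no c-uri-extension:
    extension of the URL path only (query string and fragment ignored)."""
    ext = posixpath.splitext(urlparse(url).path)[1]
    return ext[1:] if ext else ""


def rule_matches(record: Dict[str, str]) -> bool:
    """Evaluate 'selection and not filter' for one proxy log record."""
    extension = record.get("c-uri-extension") or uri_extension(record.get("URL", ""))
    selection = any(sigma_match(extension, e) for e in SUSPICIOUS_EXTENSIONS)
    # r-dns is the remote host name; the filter suppresses well-known TLDs.
    remote = record.get("r-dns", "")
    filtered = any(sigma_match(remote, p) for p in TRUSTED_TLD_PATTERNS)
    return selection and not filtered


def alerts(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rule's output 'fields' (ClientIP, URL) for every hit."""
    return [{"ClientIP": r.get("ClientIP", ""), "URL": r.get("URL", "")}
            for r in records if rule_matches(r)]


# Constructed sample proxy records (hypothetical hosts and client addresses).
SAMPLE_RECORDS = [
    {"ClientIP": "10.0.0.5", "URL": "http://update.example-cdn.com/setup.exe",
     "r-dns": "update.example-cdn.com", "c-uri-extension": "exe"},   # .com: filtered
    {"ClientIP": "10.0.0.7", "URL": "http://files.example.xyz/invoice.docm?dl=1",
     "r-dns": "files.example.xyz"},                                  # extension derived from URL
    {"ClientIP": "10.0.0.9", "URL": "http://cdn.example.top/logo.png",
     "r-dns": "cdn.example.top", "c-uri-extension": "png"},          # not a listed extension
    {"ClientIP": "10.0.0.11", "URL": "http://mirror.example.de/tool.zip",
     "r-dns": "mirror.example.de", "c-uri-extension": "zip"},        # .de: filtered
    {"ClientIP": "10.0.0.13", "URL": "http://dl.example.info/Run.PS1",
     "r-dns": "dl.example.info"},                                    # mixed case still matches
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_RECORDS):
        print(hit)
```

Two behaviours worth noticing: the filter patterns are whole-value matches, so `*.uk` also covers `.co.uk` hosts while `*.com` does not suppress a host under `.community`; and because the filter keys on the remote host name rather than the URL, a record with an empty or unresolved `r-dns` passes the filter and will alert. In production the rule is converted for the SIEM backend rather than evaluated like this, but the same two properties carry over.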