title: Download from Suspicious TLD id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19 status: experimental description: Detects download of certain file types from hosts in suspicious TLDs author: Florian Roth date: 2017/11/07 modified: 2020/09/03 references: - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf - https://www.spamhaus.org/statistics/tlds/ - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ logsource: category: proxy detection: selection: c-uri-extension: - 'exe' - 'vbs' - 'bat' - 'rar' - 'ps1' - 'doc' - 'docm' - 'xls' - 'xlsm' - 'pptm' - 'rtf' - 'hta' - 'dll' - 'ws' - 'wsf' - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ r-dns|endswith: # Symantec / Chris Larsen analysis - '.country' - '.stream' - '.gdn' - '.mom' - '.xin' - '.kim' - '.men' - '.loan' - '.download' - '.racing' - '.online' - '.science' - '.ren' - '.gb' - '.win' - '.top' - '.review' - '.vip' - '.party' - '.tech' - '.xyz' - '.date' - '.faith' - '.zip' - '.cricket' - '.space' # McAfee report - '.info' - '.vn' - '.cm' - '.am' - '.cc' - '.asia' - '.ws' - '.tk' - '.biz' - '.su' - '.st' - '.ro' - '.ge' - '.ms' - '.pk' - '.nu' - '.me' - '.ph' - '.to' - '.tt' - '.name' - '.tv' - '.kz' - '.tc' - '.mobi' # Spamhaus - '.study' - '.click' - '.link' - '.trade' - '.accountant' # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ - '.cf' - '.gq' - '.ml' - '.ga' # Custom - '.pw' condition: selection fields: - ClientIP - c-uri falsepositives: - All kinds of software downloads level: low tags: - attack.initial_access - attack.t1566 - attack.execution - attack.t1203 - attack.t1204.002 - attack.t1204 # an old one