title: Domestic Kitten FurBall Malware Pattern
id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1
status: experimental
description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
author: Florian Roth
references:
    - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
date: 2021/02/08
tags:
    - attack.command_and_control
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 
            - 'Get~~~AllBrowser'
            - 'Get~~~HardwareInfo'
            - 'Take~~RecordCall'
            - 'Reset~~~AllCommand'
    condition: selection
fields:
    - c-ip
    - c-uri
falsepositives:
    - Unlikely
level: high