valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
30955c4884
SigmaHQ/rules/proxy/proxy_ursnif_malware_c2_url.yml
frack113 fc64b8b937 Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00

39 lines
834 B
YAML
Raw Blame History

title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
logsource:
category: proxy
detection:
b64encoding:
c-uri|contains:
- "_2f"
- "_2b"
urlpatterns:
c-uri|contains|all:
- ".avi"
- "/images/"
condition: b64encoding and urlpatterns
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
tags:
- attack.initial_access
- attack.t1566.001
- attack.t1193 # an old one
- attack.execution
- attack.t1204.002
- attack.t1204 # an old one
- attack.command_and_control
- attack.t1071.001
Reference in New Issue View Git Blame Copy Permalink