mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
56 lines
1.3 KiB
YAML
56 lines
1.3 KiB
YAML
title: Download from Suspicious TLD
|
|
status: experimental
|
|
description: Detects executable downloads from suspicious remote systems
|
|
author: Florian Roth
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri-extension:
|
|
- 'exe'
|
|
- 'vbs'
|
|
- 'bat'
|
|
- 'rar'
|
|
- 'ps1'
|
|
- 'doc'
|
|
- 'docm'
|
|
- 'xls'
|
|
- 'xlsm'
|
|
- 'pptm'
|
|
- 'rtf'
|
|
- 'hta'
|
|
- 'dll'
|
|
- 'ws'
|
|
- 'wsf'
|
|
- 'sct'
|
|
- 'zip'
|
|
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
|
|
filter:
|
|
r-dns:
|
|
- '*.com'
|
|
- '*.org'
|
|
- '*.net'
|
|
- '*.edu'
|
|
- '*.gov'
|
|
- '*.uk'
|
|
- '*.ca'
|
|
- '*.de'
|
|
- '*.jp'
|
|
- '*.fr'
|
|
- '*.au'
|
|
- '*.us'
|
|
- '*.ch'
|
|
- '*.it'
|
|
- '*.nl'
|
|
- '*.se'
|
|
- '*.no'
|
|
- '*.es'
|
|
# Extend this list as needed
|
|
condition: selection and not filter
|
|
fields:
|
|
- ClientIP
|
|
- URL
|
|
falsepositives:
|
|
- All kind of software downloads
|
|
level: low
|