mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
34 lines
1.0 KiB
YAML
34 lines
1.0 KiB
YAML
title: Raw Paste Service Access
|
|
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
|
|
status: experimental
|
|
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
|
|
author: Florian Roth
|
|
date: 2019/12/05
|
|
modified: 2020/09/03
|
|
references:
|
|
- https://www.virustotal.com/gui/domain/paste.ee/relations
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri|contains:
|
|
- '.paste.ee/r/'
|
|
- '.pastebin.com/raw/'
|
|
- '.hastebin.com/raw/'
|
|
- '.ghostbin.co/paste/*/raw/'
|
|
condition: selection
|
|
fields:
|
|
- ClientIP
|
|
- c-uri
|
|
- c-useragent
|
|
falsepositives:
|
|
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
|
|
level: high
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1071.001
|
|
- attack.t1043 # an old one
|
|
- attack.t1102.001
|
|
- attack.t1102.003
|
|
- attack.defense_evasion
|
|
- attack.t1102 # an old one |