SigmaHQ/rules/proxy/proxy_download_susp_tlds_whitelist.yml
2020-10-15 23:22:57 -03:00

66 lines
1.5 KiB
YAML

title: Download EXE from Suspicious TLD
id: b5de2919-b74a-4805-91a7-5049accbaefe
status: experimental
description: Detects executable downloads from suspicious remote systems
author: Florian Roth
date: 2017/03/13
modified: 2020/09/03
logsource:
category: proxy
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
r-dns|endswith:
- '.com'
- '.org'
- '.net'
- '.edu'
- '.gov'
- '.uk'
- '.ca'
- '.de'
- '.jp'
- '.fr'
- '.au'
- '.us'
- '.ch'
- '.it'
- '.nl'
- '.se'
- '.no'
- '.es'
# Extend this list as needed
condition: selection and not filter
fields:
- ClientIP
- c-uri
falsepositives:
- All kind of software downloads
level: low
tags:
- attack.initial_access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
- attack.t1204 # an old one