SigmaHQ/rules/proxy/proxy_download_susp_tlds_blacklist.yml

title: Download from Suspicious TLD
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
status: experimental
description: Detects download of certain file types from hosts in suspicious TLDs
author: Florian Roth
date: 2017/11/07
modified: 2020/09/03
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        r-dns|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
fields:
    - ClientIP
    - c-uri
falsepositives:
    - All kinds of software downloads
level: low
tags:
    - attack.initial_access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.t1204  # an old one