mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 09:25:17 +00:00
66 lines
1.5 KiB
YAML
66 lines
1.5 KiB
YAML
title: Download EXE from Suspicious TLD
|
|
id: b5de2919-b74a-4805-91a7-5049accbaefe
|
|
status: experimental
|
|
description: Detects executable downloads from suspicious remote systems
|
|
author: Florian Roth
|
|
date: 2017/03/13
|
|
modified: 2020/09/03
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566
|
|
- attack.execution
|
|
- attack.t1203
|
|
- attack.t1204.002
|
|
- attack.t1204 # an old one
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri-extension:
|
|
- 'exe'
|
|
- 'vbs'
|
|
- 'bat'
|
|
- 'rar'
|
|
- 'ps1'
|
|
- 'doc'
|
|
- 'docm'
|
|
- 'xls'
|
|
- 'xlsm'
|
|
- 'pptm'
|
|
- 'rtf'
|
|
- 'hta'
|
|
- 'dll'
|
|
- 'ws'
|
|
- 'wsf'
|
|
- 'sct'
|
|
- 'zip'
|
|
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
|
|
filter:
|
|
r-dns:
|
|
- '*.com'
|
|
- '*.org'
|
|
- '*.net'
|
|
- '*.edu'
|
|
- '*.gov'
|
|
- '*.uk'
|
|
- '*.ca'
|
|
- '*.de'
|
|
- '*.jp'
|
|
- '*.fr'
|
|
- '*.au'
|
|
- '*.us'
|
|
- '*.ch'
|
|
- '*.it'
|
|
- '*.nl'
|
|
- '*.se'
|
|
- '*.no'
|
|
- '*.es'
|
|
# Extend this list as needed
|
|
condition: selection and not filter
|
|
fields:
|
|
- ClientIP
|
|
- c-uri
|
|
falsepositives:
|
|
- All kind of software downloads
|
|
level: low
|