mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
59 lines
1.2 KiB
YAML
59 lines
1.2 KiB
YAML
title: Ursnif Malware Download URL Pattern
|
|
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
|
|
status: stable
|
|
description: Detects download of Ursnif malware done by dropper documents.
|
|
author: Thomas Patzke
|
|
date: 2019/12/19
|
|
modified: 2020/09/03
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri: '*/*.php?l=*.cab'
|
|
sc-status: 200
|
|
condition: selection
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
---
|
|
title: Ursnif Malware C2 URL Pattern
|
|
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
|
|
status: stable
|
|
description: Detects Ursnif C2 traffic.
|
|
references:
|
|
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
|
|
author: Thomas Patzke
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
b64encoding:
|
|
c-uri:
|
|
- "*_2f*"
|
|
- "*_2b*"
|
|
urlpatterns:
|
|
c-uri|all:
|
|
- "*.avi"
|
|
- "*/images/*"
|
|
condition: b64encoding and urlpatterns
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566.001
|
|
- attack.t1193 # an old one
|
|
- attack.execution
|
|
- attack.t1204.002
|
|
- attack.t1204 # an old one
|
|
- attack.command_and_control
|
|
- attack.t1071.001 |