SigmaHQ/rules/proxy/proxy_download_susp_tlds_blacklist.yml

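# Sigma rule: flags proxy log entries where a file with a "risky" extension is
# fetched from a host under a TLD that public abuse reports rank as suspicious.
#
# Matching logic (Sigma semantics): the two keys under `selection` are ANDed,
# the values inside each list are ORed. An event therefore fires only when
# BOTH the request's extension is in `c-uri-extension` AND the host matches
# one of the `r-dns` wildcard patterns.
#
# Tuning notes (review):
# - Several listed TLDs (e.g. `*.info`, `*.me`, `*.tv`, `*.top`, `*.xyz`,
#   `*.online`, `*.tech`) are also widely used by legitimate sites, so this
#   rule is expected to be noisy — hence `level: low` and the broad
#   `falsepositives` entry. Treat hits as triage input, not as an alert.
# - The wildcard list is "starts-with-anything, ends-with-TLD"; a pattern like
#   `*.zip` matches the `.zip` TLD, while `zip` in `c-uri-extension` matches
#   the file extension. Both are intentional and unrelated.
# - The value of `r-dns` is taken from the proxy logsource field mapping;
#   confirm in your backend config which hostname field it resolves to
#   (requested host vs. resolved name) before relying on the match.
title: Download from Suspicious TLD
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
status: experimental
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth
date: 2017/11/07
modified: 2018/06/13
logsource:
    category: proxy
detection:
    selection:
        # File extensions commonly used as payload/dropper carriers.
        # Values are quoted so that none of them is re-typed by a YAML parser.
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        # TLD wildcard patterns. Each group is attributed to the public report
        # it was taken from (see `references`) so entries can be re-validated
        # when those lists change. Quoting is required: a bare `*` would be
        # read as a YAML alias.
        r-dns:
            # Symantec / Chris Larsen analysis
            - '*.country'
            - '*.stream'
            - '*.gdn'
            - '*.mom'
            - '*.xin'
            - '*.kim'
            - '*.men'
            - '*.loan'
            - '*.download'
            - '*.racing'
            - '*.online'
            - '*.science'
            - '*.ren'
            - '*.gb'
            - '*.win'
            - '*.top'
            - '*.review'
            - '*.vip'
            - '*.party'
            - '*.tech'
            - '*.xyz'
            - '*.date'
            - '*.faith'
            - '*.zip'
            - '*.cricket'
            - '*.space'
            # McAfee report
            - '*.info'
            - '*.vn'
            - '*.cm'
            - '*.am'
            - '*.cc'
            - '*.asia'
            - '*.ws'
            - '*.tk'
            - '*.biz'
            - '*.su'
            - '*.st'
            - '*.ro'
            - '*.ge'
            - '*.ms'
            - '*.pk'
            - '*.nu'
            - '*.me'
            - '*.ph'
            - '*.to'
            - '*.tt'
            - '*.name'
            - '*.tv'
            - '*.kz'
            - '*.tc'
            - '*.mobi'
            # Spamhaus
            - '*.study'
            - '*.click'
            - '*.link'
            - '*.trade'
            - '*.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '*.cf'
            - '*.gq'
            - '*.ml'
            - '*.ga'
            # Custom
            - '*.pw'
    condition: selection
# Fields surfaced with each hit to speed up triage (client and full URI).
fields:
    - ClientIP
    - c-uri
falsepositives:
    - All kinds of software downloads
level: low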