mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 01:45:21 +00:00
63 lines
1.3 KiB
YAML
63 lines
1.3 KiB
YAML
title: Ursnif Malware Download URL Pattern
|
|
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
|
|
status: stable
|
|
description: Detects download of Ursnif malware done by dropper documents.
|
|
author: Thomas Patzke
|
|
date: 2019/12/19
|
|
modified: 2020/11/28
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri|contains|all:
|
|
- '/'
|
|
- '.php?l='
|
|
c-uri|endswith: '.cab'
|
|
sc-status: 200
|
|
condition: selection
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
---
|
|
title: Ursnif Malware C2 URL Pattern
|
|
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
|
|
status: stable
|
|
description: Detects Ursnif C2 traffic.
|
|
references:
|
|
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
|
|
author: Thomas Patzke
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
b64encoding:
|
|
c-uri|contains:
|
|
- "_2f"
|
|
- "_2b"
|
|
urlpatterns:
|
|
c-uri|contains|all:
|
|
- ".avi"
|
|
- "/images/"
|
|
condition: b64encoding and urlpatterns
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566.001
|
|
- attack.t1193 # an old one
|
|
- attack.execution
|
|
- attack.t1204.002
|
|
- attack.t1204 # an old one
|
|
- attack.command_and_control
|
|
- attack.t1071.001
|