mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
66 lines
1.5 KiB
YAML
66 lines
1.5 KiB
YAML
title: Download EXE from Suspicious TLD
|
|
id: b5de2919-b74a-4805-91a7-5049accbaefe
|
|
status: experimental
|
|
description: Detects executable downloads from suspicious remote systems
|
|
author: Florian Roth
|
|
date: 2017/03/13
|
|
modified: 2020/09/03
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri-extension:
|
|
- 'exe'
|
|
- 'vbs'
|
|
- 'bat'
|
|
- 'rar'
|
|
- 'ps1'
|
|
- 'doc'
|
|
- 'docm'
|
|
- 'xls'
|
|
- 'xlsm'
|
|
- 'pptm'
|
|
- 'rtf'
|
|
- 'hta'
|
|
- 'dll'
|
|
- 'ws'
|
|
- 'wsf'
|
|
- 'sct'
|
|
- 'zip'
|
|
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
|
|
filter:
|
|
r-dns|endswith:
|
|
- '.com'
|
|
- '.org'
|
|
- '.net'
|
|
- '.edu'
|
|
- '.gov'
|
|
- '.uk'
|
|
- '.ca'
|
|
- '.de'
|
|
- '.jp'
|
|
- '.fr'
|
|
- '.au'
|
|
- '.us'
|
|
- '.ch'
|
|
- '.it'
|
|
- '.nl'
|
|
- '.se'
|
|
- '.no'
|
|
- '.es'
|
|
# Extend this list as needed
|
|
condition: selection and not filter
|
|
fields:
|
|
- ClientIP
|
|
- c-uri
|
|
falsepositives:
|
|
- All kind of software downloads
|
|
level: low
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566
|
|
- attack.execution
|
|
- attack.t1203
|
|
- attack.t1204.002
|
|
- attack.t1204 # an old one
|