Type: Detection | Level: low | Status: test
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
Author: Florian Roth (Nextron Systems)
Created: Tue Nov 07
Updated: Thu May 18
Rule ID: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
Category: web
Log Source
Proxy Log
Category: Proxy Log (raw: proxy)
Detection Logic (1 selector)
detection:
  selection:
    c-uri-extension:
      - 'exe'
      - 'vbs'
      - 'bat'
      - 'rar'
      - 'ps1'
      - 'doc'
      - 'docm'
      - 'xls'
      - 'xlsm'
      - 'pptm'
      - 'rtf'
      - 'hta'
      - 'dll'
      - 'ws'
      - 'wsf'
      - 'sct'
      - 'zip'
      # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    cs-host|endswith:
      # Symantec / Chris Larsen analysis
      - '.country'
      - '.stream'
      - '.gdn'
      - '.mom'
      - '.xin'
      - '.kim'
      - '.men'
      - '.loan'
      - '.download'
      - '.racing'
      - '.online'
      - '.science'
      - '.ren'
      - '.gb'
      - '.win'
      - '.top'
      - '.review'
      - '.vip'
      - '.party'
      - '.tech'
      - '.xyz'
      - '.date'
      - '.faith'
      - '.zip'
      - '.cricket'
      - '.space'
      # McAfee report
      - '.info'
      - '.vn'
      - '.cm'
      - '.am'
      - '.cc'
      - '.asia'
      - '.ws'
      - '.tk'
      - '.biz'
      - '.su'
      - '.st'
      - '.ro'
      - '.ge'
      - '.ms'
      - '.pk'
      - '.nu'
      - '.me'
      - '.ph'
      - '.to'
      - '.tt'
      - '.name'
      - '.tv'
      - '.kz'
      - '.tc'
      - '.mobi'
      # Spamhaus
      - '.study'
      - '.click'
      - '.link'
      - '.trade'
      - '.accountant'
      # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
      - '.cf'
      - '.gq'
      - '.ml'
      - '.ga'
      # Custom
      - '.pw'
  condition: selection
False Positives
All kinds of software downloads
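The selection above, re-implemented as an added Python example (not code from the rule or from the Sigma project) and run over a handful of constructed proxy-log events. It shows how the two field lists combine: values within one field are OR'ed, the two fields are AND'ed, and Sigma's plain string matching is case-insensitive, so a mixed-case host and extension still fire. The event dictionaries, host names and the `matches_rule` / `find_matches` helpers are assumptions of this example. It also makes two properties of the rule visible: `.zip` appears in both lists, so any `.zip` archive fetched from a `.zip` host matches on both fields, and `endswith` on `cs-host` only fires when the listed TLD is the final label of the host, not when it appears as an inner label.

```python
"""Reference matcher for the rule's 'selection' (added example, not the rule's own code)."""

# Extension values copied from the rule's c-uri-extension field.
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm",
    "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# TLD values copied from the rule's cs-host|endswith field, in the same
# source groups as the rule lists them.
SUSPICIOUS_TLDS = (
    # Symantec / Chris Larsen analysis
    ".country", ".stream", ".gdn", ".mom", ".xin", ".kim", ".men", ".loan",
    ".download", ".racing", ".online", ".science", ".ren", ".gb", ".win", ".top",
    ".review", ".vip", ".party", ".tech", ".xyz", ".date", ".faith", ".zip",
    ".cricket", ".space",
    # McAfee report
    ".info", ".vn", ".cm", ".am", ".cc", ".asia", ".ws", ".tk", ".biz", ".su",
    ".st", ".ro", ".ge", ".ms", ".pk", ".nu", ".me", ".ph", ".to", ".tt", ".name",
    ".tv", ".kz", ".tc", ".mobi",
    # Spamhaus
    ".study", ".click", ".link", ".trade", ".accountant",
    # Spamhaus 2018
    ".cf", ".gq", ".ml", ".ga",
    # Custom
    ".pw",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'.

    Sigma OR's the values inside one field, AND's the fields of a selection,
    and compares plain strings case-insensitively, so both fields are
    lowercased before matching. Missing fields never match.
    """
    ext = str(event.get("c-uri-extension", "")).lower()
    host = str(event.get("cs-host", "")).lower()
    # str.endswith accepts a tuple, which gives the OR over the TLD list.
    return ext in SUSPICIOUS_EXTENSIONS and host.endswith(SUSPICIOUS_TLDS)


def find_matches(events: list[dict]) -> list[dict]:
    """Return the subset of proxy events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed proxy-log events (hypothetical hosts); only the two field
# names the rule uses are needed.
SAMPLE_EVENTS = [
    # listed extension, but .com is not in the TLD list -> no match
    {"cs-host": "updates.example.com", "c-uri-extension": "exe"},
    # listed TLD, but .pdf is not in the extension list -> no match
    {"cs-host": "files.example.xyz", "c-uri-extension": "pdf"},
    # mixed case on both fields still matches (case-insensitive) -> match
    {"cs-host": "CDN.EXAMPLE.TOP", "c-uri-extension": "PS1"},
    # .zip is both a listed extension and a listed TLD -> match
    {"cs-host": "share.example.zip", "c-uri-extension": "zip"},
    # .xyz only as an inner label; the host ends in .com -> no match
    {"cs-host": "mirror.example.xyz.com", "c-uri-extension": "exe"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT cs-host={hit['cs-host']} ext={hit['c-uri-extension']}")
```

Because the rule keys on a file extension and a host suffix only, every legitimate installer or archive served from a listed TLD lands in the same bucket, which is why the rule carries a low level and the broad false-positive note; a practitioner tuning it would typically add an allowlist of known-good hosts as a second selection in the condition rather than shortening the TLD list.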
MITRE ATT&CK
Tactics: Initial Access (attack.initial-access), Execution (attack.execution)
Techniques: T1566, T1203
Sub-techniques: T1204.002
Rule Metadata
Rule ID
00d0b5ab-1f55-4120-8e83-487c0a7baf19
Status
test
Level
low
Type
Detection
Created
Tue Nov 07
Modified
Thu May 18
Path
rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml
Raw Tags
attack.initial-access
attack.t1566
attack.execution
attack.t1203
attack.t1204.002