Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Unusual File Download from Direct IP Address

Detects the download of suspicious file type from URLs with IP

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)Created Wed Sep 07Updated Fri Feb 10025bd229-fd1f-4fdb-97ab-20006e1a5368windows
Log Source
WindowsAlternate Data Stream
ProductWindows← raw: windows
CategoryAlternate Data Stream← raw: create_stream_hash
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
        TargetFilename|contains:
            - '.ps1:Zone'
            - '.bat:Zone'
            - '.exe:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.dll:Zone'
            - '.one:Zone'
            - '.cmd:Zone'
            - '.hta:Zone'
            - '.xll:Zone'
            - '.lnk:Zone'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
labs.withsecure.com
MITRE ATT&CK
Rule Metadata
Rule ID
025bd229-fd1f-4fdb-97ab-20006e1a5368
Status
test
Level
high
Type
Detection
Created
Wed Sep 07
Modified
Fri Feb 10
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Path
rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml
Raw Tags
attack.defense-evasionattack.t1564.004
View on GitHub