Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potentially Suspicious File Download From ZIP TLD

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Thu May 180bb4bbeb-fe52-4044-b40c-430a04577ebewindows
Log Source
WindowsAlternate Data Stream
ProductWindows← raw: windows
CategoryAlternate Data Stream← raw: create_stream_hash
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Contents|contains: '.zip/'
        TargetFilename|contains:
            - '.bat:Zone'
            - '.dat:Zone'
            - '.dll:Zone'
            - '.doc:Zone'
            - '.docm:Zone'
            - '.exe:Zone'
            - '.hta:Zone'
            - '.pptm:Zone'
            - '.ps1:Zone'
            - '.rar:Zone'
            - '.rtf:Zone'
            - '.sct:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.ws:Zone'
            - '.wsf:Zone'
            - '.xll:Zone'
            - '.xls:Zone'
            - '.xlsm:Zone'
            - '.zip:Zone'
    condition: selection
False Positives

Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.

References
1
Resolving title…
twitter.com
2
Resolving title…
fabian-voith.de
MITRE ATT&CK
Rule Metadata
Rule ID
0bb4bbeb-fe52-4044-b40c-430a04577ebe
Status
test
Level
high
Type
Detection
Created
Thu May 18
Author
Florian Roth (Nextron Systems)
Path
rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
Raw Tags
attack.defense-evasion
View on GitHub