Detectioncriticaltest

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Wed Apr 15Updated Sat Nov 272b1ee7e4-89b6-4739-b7bb-b811b6607e5eweb

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

2b1ee7e4-89b6-4739-b7bb-b811b6607e5e

Status

test

Level

critical

Type

Detection

Created

Wed Apr 15

Modified

Sat Nov 27

Author

Path

rules/web/proxy_generic/proxy_pwndrop.yml

Raw Tags

attack.command-and-controlattack.t1071.001attack.t1102.001attack.t1102.003