Detectionmediumexperimental
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Zeek (Bro)http
ProductZeek (Bro)← raw: zeek
Servicehttp← raw: http
Detection Logic
Detection Logic3 selectors
detection:
# Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.
selection_suspicious_tld:
host|endswith:
- '.bid'
- '.by'
- '.cf'
- '.click'
- '.cm'
- '.ga'
- '.gq'
- '.ir'
- '.kp'
- '.loan'
- '.ml'
- '.mm'
- '.party'
- '.pw'
- '.ru'
- '.su'
- '.sy'
- '.tk'
- '.top'
- '.tv'
- '.ve'
- '.work'
- '.xyz'
selection_malicious_ext:
uri|endswith:
- '.bat'
- '.bin'
- '.cmd'
- '.cpl'
- '.dll'
- '.dylib'
- '.elf'
- '.exe'
- '.hta'
- '.iso'
- '.jar'
- '.js'
- '.lnk'
- '.msi'
- '.pif'
- '.ps1'
- '.py'
- '.reg'
- '.scr'
- '.sh'
- '.so'
- '.vbs'
- '.wsf'
selection_malicious_mime:
resp_mime_types:
- 'application/vnd.microsoft.portable-executable'
- 'application/x-bat'
- 'application/x-dosexec'
- 'application/x-elf'
- 'application/x-iso9660-image'
- 'application/x-java-archive'
- 'application/x-ms-shortcut'
- 'application/x-msdos-program'
- 'application/x-msdownload'
- 'application/x-python-code'
- 'application/x-sh'
condition: selection_suspicious_tld and 1 of selection_malicious_*False Positives
Rare legitimate software downloads from low quality TLDs
MITRE ATT&CK
Rule Metadata
Rule ID
68c2c604-92ad-468b-bf4a-aac49adad08c
Status
experimental
Level
medium
Type
Detection
Created
Wed Feb 26
Author
Path
rules/network/zeek/zeek_http_susp_file_ext_from_susp_tld.yml
Raw Tags
attack.initial-accessattack.command-and-control