Emerging Threatcriticalstable

Ursnif Malware C2 URL Pattern

Detects Ursnif C2 traffic.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Thomas PatzkeCreated Thu Dec 19Updated Mon Aug 09932ac737-33ca-4afd-9869-0d48b391fcc92019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    b64encoding:
        c-uri|contains:
            - '_2f'
            - '_2b'
    urlpatterns:
        c-uri|contains|all:
            - '.avi'
            - '/images/'
    condition: b64encoding and urlpatterns

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

fortinet.com

MITRE ATT&CK

Tactics

TA0001 · Initial Access TA0002 · Execution TA0011 · Command and Control

Sub-techniques

T1566.001 · Spearphishing Attachment T1204.002 · Malicious File T1071.001 · Web Protocols

Other

detection.emerging-threats

Rule Metadata

Rule ID

932ac737-33ca-4afd-9869-0d48b391fcc9

Status

stable

Level

critical

Type

Emerging Threat

Created

Thu Dec 19

Modified

Mon Aug 09

Author

Thomas Patzke

Path

rules-emerging-threats/2019/Malware/Ursnif/proxy_malware_ursnif_c2_url.yml

Raw Tags

attack.initial-accessattack.t1566.001attack.executionattack.t1204.002attack.command-and-controlattack.t1071.001detection.emerging-threats

View on GitHub