Type: Detection | Level: low | Status: test
Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems
Author: Florian Roth (Nextron Systems) | Created: Mon Mar 13 | Updated: Thu May 18 | Rule ID: b5de2919-b74a-4805-91a7-5049accbaefe | Category: web
Log Source
Proxy Log
Category: Proxy Log (raw: proxy)
Detection Logic (2 selectors)
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
False Positives
All kinds of software downloads
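To show what the rule actually fires on, the following is an added example (not part of the rule or the Sigma project): a small Python re-implementation of the detection logic, run over a few constructed W3C-style proxy log lines. The extension list and TLD whitelist are copied from the rule; the field layout of the sample log (`#Fields:` directive, `cs-host`, `cs-uri-path`, `c-uri-extension`) is an assumption, and `uri_extension` is a hypothetical helper that derives `c-uri-extension` from the request path when the proxy logs `-` for that column.

```python
"""Re-implementation of the Sigma rule's logic (added example, not the rule's own code):
selection = suspicious c-uri-extension, filter = whitelisted TLD on cs-host,
condition = selection and not filter."""
import posixpath
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Extension list copied from the rule's `selection` block.
SUSPICIOUS_EXTENSIONS = frozenset({
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
})

# TLD whitelist copied from the rule's `filter` block (cs-host|endswith).
WHITELISTED_TLDS = (
    ".com", ".org", ".net", ".edu", ".gov", ".uk", ".ca", ".de", ".jp",
    ".fr", ".au", ".us", ".ch", ".it", ".nl", ".se", ".no", ".es",
)


def uri_extension(uri: str) -> str:
    """Hypothetical helper: derive c-uri-extension from a path or URL.

    The query string is dropped first, so '/setup.exe?id=1' yields 'exe'.
    """
    path = urlsplit(uri).path
    return posixpath.splitext(path)[1].lstrip(".").lower()


def matches(event: Dict[str, str]) -> bool:
    """Apply `selection and not filter` to one proxy event.

    Sigma string matching is case-insensitive by default, so both fields are
    lower-cased before comparison. A '-' (W3C empty value) in c-uri-extension
    falls back to deriving the extension from cs-uri-path.
    """
    raw_ext = event.get("c-uri-extension", "-")
    ext = raw_ext if raw_ext != "-" else uri_extension(event.get("cs-uri-path", ""))
    host = event.get("cs-host", "").lower()
    selection = ext.lower() in SUSPICIOUS_EXTENSIONS
    filtered = host.endswith(WHITELISTED_TLDS)
    return selection and not filtered


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines; the `#Fields:` directive names the columns."""
    fields: List[str] = []
    events: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Version, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        events.append(dict(zip(fields, values)))
    return events


def run_rule(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on."""
    return [event for event in parse_w3c(lines) if matches(event)]


# Constructed sample log (not real traffic). Hosts use reserved example names;
# the TLDs outside the whitelist are .xyz, .top, .info and .biz.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host cs-uri-path c-uri-extension sc-status
2024-01-01 10:00:01 10.0.0.5 GET cdn.example.com /downloads/setup.exe exe 200
2024-01-01 10:00:02 10.0.0.5 GET files.example.xyz /payload.exe exe 200
2024-01-01 10:00:03 10.0.0.7 GET docs.example.org /report.docx docx 200
2024-01-01 10:00:04 10.0.0.7 GET update.example.top /update.zip zip 200
2024-01-01 10:00:05 10.0.0.9 GET www.example.com.info /login.hta hta 200
2024-01-01 10:00:06 10.0.0.9 GET news.example.co.uk /news.pdf pdf 200
2024-01-01 10:00:07 10.0.0.9 GET mirror.example.biz /dl/tool.PS1 - 200
"""

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG.splitlines()):
        print(hit["cs-host"], hit["cs-uri-path"])
```

Running this alerts on the four hosts outside the whitelist (`files.example.xyz`, `update.example.top`, `www.example.com.info`, `mirror.example.biz`) and ignores the `.com`, `.org` and `.uk` downloads even though two of them are `exe` files; that is the whitelist doing its job, and it also shows the trade-off the "False Positives" note hints at in reverse: a `.com` host never triggers this rule no matter what it serves. Note that `docx` is not in the rule's extension list (only `doc` and `docm` are), so the `.org` line would not have matched `selection` on either count.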
References
1. Internal Research
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
b5de2919-b74a-4805-91a7-5049accbaefe
Status
test
Level
low
Type
Detection
Created
Mon Mar 13
Modified
Thu May 18
Path
rules/web/proxy_generic/proxy_download_susp_tlds_whitelist.yml
Raw Tags
attack.initial-access, attack.t1566, attack.execution, attack.t1203, attack.t1204.002