
Suspicious Network Communication With IPFS

Detects connections to the InterPlanetary File System (IPFS) whose URI contains a user's email address, mirroring behaviour observed in recent phishing campaigns that use IPFS to host credential-harvesting web pages.

Author: Gavin Knapp. Created Thu Mar 16. Rule ID eb6c2004-1cef-427f-8885-9042974e5eb6 (web)
Log Source
Proxy Log
Category: Proxy Log (raw: proxy)
Detection Logic (1 selector)
detection:
    selection:
        cs-uri|re: '(?i)(ipfs\.io/|ipfs\.io\s).+\..+@.+\.[a-z]+'
    condition: selection
False Positives

Legitimate use of IPFS within the organisation. However, the cs-uri regex requiring a user email address in the URI will likely negate this.

Rule Metadata
Rule ID
eb6c2004-1cef-427f-8885-9042974e5eb6
Status
test
Level
low
Type
Detection
Created
Thu Mar 16
Path
rules/web/proxy_generic/proxy_susp_ipfs_cred_harvest.yml
Raw Tags
attack.collection, attack.credential-access, attack.t1056