Emerging Threathightest

Chafer Malware URL Pattern

Detects HTTP request used by Chafer malware to receive data from its C2.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Thu Jan 31Updated Thu Feb 15fb502828-2db0-438e-93e6-801c7548686d2019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        c-uri|contains: '/asp.asp\?ui='
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Sub-techniques

Other

detection.emerging-threats

Rule Metadata

Rule ID

fb502828-2db0-438e-93e6-801c7548686d

Status

test

Level

high

Type

Emerging Threat

Created

Thu Jan 31

Modified

Thu Feb 15

Author

Path

rules-emerging-threats/2019/Malware/Chafer/proxy_malware_chafer_url_pattern.yml

Raw Tags

attack.command-and-controlattack.t1071.001detection.emerging-threats