security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/web/proxy_generic/proxy_ursnif_malware_c2_url.yml
T

37 lines
820 B
YAML
Raw Normal View History

Added Ursnif proxy detections
2019-12-09 16:02:10 +01:00
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
Order yaml field
2022-10-25 10:08:58 +02:00
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
Added Ursnif proxy detections
2019-12-09 16:02:10 +01:00
author: Thomas Patzke
Split PR 1802 fix net rules
2021-08-09 17:23:15 +02:00
date: 2019/12/19
modified: 2021/08/09
Second round
2020-09-15 07:02:30 -06:00
tags:
- attack.initial_access
- attack.t1566.001
- attack.execution
- attack.t1204.002
- attack.command_and_control
Update proxy_ursnif_malware.yml
2020-10-15 23:30:07 -03:00
- attack.t1071.001
Order yaml field
2022-10-25 10:08:58 +02:00
logsource:
category: proxy
detection:
b64encoding:
c-uri|contains:
- '_2f'
- '_2b'
urlpatterns:
c-uri|contains|all:
- '.avi'
- '/images/'
condition: b64encoding and urlpatterns
fields:
- c-ip
- c-uri
- sc-bytes
- c-ua
falsepositives:
- Unknown
level: critical
Reference in New Issue Copy Permalink