rules/proxy/proxy_ursnif_malware_c2_url.yml

title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
  - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
logsource:
  category: proxy
detection:
  b64encoding:
    c-uri|contains:
      - '_2f'
      - '_2b'
  urlpatterns:
    c-uri|contains|all:
      - '.avi'
      - '/images/'
  condition: b64encoding and urlpatterns
fields:
  - c-ip
  - c-uri
  - sc-bytes
  - c-ua
falsepositives:
  - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - attack.command_and_control
    - attack.t1071.001
Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00			`title: Ursnif Malware C2 URL Pattern`
			`id: 932ac737-33ca-4afd-9869-0d48b391fcc9`
			`status: stable`
			`description: Detects Ursnif C2 traffic.`
			`references:`
			`- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html`
			`author: Thomas Patzke`
$frack113$ Split PR 1802 fix net rules 2021-08-09 17:23:15 +02:00			`date: 2019/12/19`
			`modified: 2021/08/09`
Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00			`logsource:`
			`category: proxy`
			`detection:`
			`b64encoding:`
Update proxy_ursnif_malware.yml 2020-10-15 23:30:07 -03:00			`c-uri\|contains:`
$frack113$ Simple Quote 2022-01-11 13:40:53 +01:00			`- '_2f'`
			`- '_2b'`
Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00			`urlpatterns:`
Update proxy_ursnif_malware.yml 2020-10-15 23:30:07 -03:00			`c-uri\|contains\|all:`
$frack113$ Simple Quote 2022-01-11 13:40:53 +01:00			`- '.avi'`
			`- '/images/'`
Added Ursnif proxy detections 2019-12-09 16:02:10 +01:00			`condition: b64encoding and urlpatterns`
			`fields:`
			`- c-ip`
			`- c-uri`
			`- sc-bytes`
			`- c-ua`
			`falsepositives:`
			`- Unknown`
			`level: critical`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
			`- attack.initial_access`
			`- attack.t1566.001`
			`- attack.execution`
			`- attack.t1204.002`
			`- attack.command_and_control`
Update proxy_ursnif_malware.yml 2020-10-15 23:30:07 -03:00			`- attack.t1071.001`