Update proxy_ursnif_malware.yml
@@ -4,12 +4,15 @@ status: stable
|
||||
description: Detects download of Ursnif malware done by dropper documents.
|
||||
author: Thomas Patzke
|
||||
date: 2019/12/19
|
||||
modified: 2020/09/03
|
||||
modified: 2020/11/28
|
||||
logsource:
|
||||
category: proxy
|
||||
detection:
|
||||
selection:
|
||||
c-uri|endswith: '/*.php?l=*.cab'
|
||||
c-uri|contains|all:
|
||||
- '/'
|
||||
- '.php?l='
|
||||
c-uri|endswith: '.cab'
|
||||
sc-status: 200
|
||||
condition: selection
|
||||
fields:
|
||||
|
||||
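Review bot: The `- '/'` entry under `c-uri|contains|all` constrains nothing, because practically every logged URI contains a slash, so the selection really rests on `.php?l=` plus the `.cab` suffix and the list form only suggests a stricter match than it delivers. I would reduce it to `c-uri|contains: '.php?l='` next to `c-uri|endswith: '.cab'`, or keep the list and add a comment such as `# '/' kept for readability only; it does not narrow the match`. A further point to confirm against the log sources in use: where the proxy splits path and query into separate fields (for example `c-uri-stem` and `c-uri-query`), `.php?l=` would presumably never appear in `c-uri` and the rule would miss silently. The `fields:` list and anything after it lie outside this hunk, so I cannot tell whether a `falsepositives` entry already covers legitimate PHP-served `.cab` downloads.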