frack113
29 lines
602 B
YAML
29 lines
602 B
YAML
title: Ursnif Malware Download URL Pattern
|
|
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
|
|
status: stable
|
|
description: Detects download of Ursnif malware done by dropper documents.
|
|
author: Thomas Patzke
|
|
date: 2019/12/19
|
|
modified: 2022/08/15
|
|
logsource:
|
|
category: proxy
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1071.001
|
|
detection:
|
|
selection:
|
|
c-uri|contains|all:
|
|
- '/'
|
|
- '.php\?l='
|
|
c-uri|endswith: '.cab'
|
|
sc-status: 200
|
|
condition: selection
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|