frack113
37 lines
768 B
YAML
37 lines
768 B
YAML
title: Ursnif Malware C2 URL Pattern
|
|
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
|
|
status: stable
|
|
description: Detects Ursnif C2 traffic.
|
|
references:
|
|
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
|
|
author: Thomas Patzke
|
|
date: 2019/12/19
|
|
modified: 2021/08/09
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
b64encoding:
|
|
c-uri|contains:
|
|
- '_2f'
|
|
- '_2b'
|
|
urlpatterns:
|
|
c-uri|contains|all:
|
|
- '.avi'
|
|
- '/images/'
|
|
condition: b64encoding and urlpatterns
|
|
fields:
|
|
- c-ip
|
|
- c-uri
|
|
- sc-bytes
|
|
- c-ua
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1566.001
|
|
- attack.execution
|
|
- attack.t1204.002
|
|
- attack.command_and_control
|
|
- attack.t1071.001
|