Sample rules
Download From Suspicious TLD - Whitelist
- source: sigma
- techniques:
- t1203
- t1204
- t1204.002
- t1566
Description
Detects downloads of executable, script, Office and archive file types (by URI extension) from hosts whose top-level domain is not on an allowlist of common TLDs. Because the filter is a TLD allowlist, a malicious payload served from a .com or .net host will not be flagged; the rule trades coverage for a lower false-positive rate.
Detection logic
detection:
  selection:
    c-uri-extension:
      - exe
      - vbs
      - bat
      - rar
      - ps1
      - doc
      - docm
      - xls
      - xlsm
      - pptm
      - rtf
      - hta
      - dll
      - ws
      - wsf
      - sct
      - zip
  filter:
    cs-host|endswith:
      - .com
      - .org
      - .net
      - .edu
      - .gov
      - .uk
      - .ca
      - .de
      - .jp
      - .fr
      - .au
      - .us
      - .ch
      - .it
      - .nl
      - .se
      - .no
      - .es
  condition: selection and not filter
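To see how the selection, the TLD allowlist and the `selection and not filter` condition combine on real-looking data, here is an added example (not the rule's own code and not a Sigma backend) that evaluates the logic above over a few constructed W3C-style proxy log lines. The rule's fields `cs-host` and `c-uri-extension` are taken as given; the extension is derived from the `cs-uri-stem` field, which is an assumption about the log layout, and string comparisons are made case-insensitive, which is Sigma's default matching behaviour.

```python
"""Evaluate 'Download From Suspicious TLD - Whitelist' over proxy log lines.

Added illustration code; the log content below is constructed, not real traffic.
"""
from dataclasses import dataclass

# selection: c-uri-extension values from the rule
SELECTION_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# filter: cs-host|endswith values from the rule (the TLD allowlist)
FILTER_TLD_SUFFIXES = (
    ".com", ".org", ".net", ".edu", ".gov", ".uk", ".ca", ".de", ".jp",
    ".fr", ".au", ".us", ".ch", ".it", ".nl", ".se", ".no", ".es",
)

# Constructed sample log (assumption: W3C extended format with a #Fields header).
LOG = """\
#Fields: date time c-ip cs-host cs-uri-stem
2024-03-01 10:00:01 10.0.0.5 download.example.com /tools/setup.exe
2024-03-01 10:00:07 10.0.0.5 files.example.xyz /pay/invoice.docm
2024-03-01 10:00:12 10.0.0.9 cdn.example.top /img/logo.png
2024-03-01 10:00:15 10.0.0.9 mirror.example.io /archive/backup.ZIP
2024-03-01 10:00:20 10.0.0.7 www.example.co.uk /report.xls
"""


@dataclass
class ProxyEvent:
    cs_host: str          # Sigma proxy field cs-host
    c_uri_extension: str  # Sigma proxy field c-uri-extension


def matches_selection(ev: ProxyEvent) -> bool:
    # Sigma string matching is case-insensitive by default, so "ZIP" == "zip".
    return ev.c_uri_extension.lower() in SELECTION_EXTENSIONS


def matches_filter(ev: ProxyEvent) -> bool:
    # cs-host|endswith: any allowlisted suffix suppresses the event,
    # so "www.example.co.uk" is suppressed by ".uk".
    return ev.cs_host.lower().endswith(FILTER_TLD_SUFFIXES)


def rule_fires(ev: ProxyEvent) -> bool:
    # condition: selection and not filter
    return matches_selection(ev) and not matches_filter(ev)


def uri_extension(uri_stem: str) -> str:
    """Extension of the last path segment, or '' if it has none (assumed derivation)."""
    name = uri_stem.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def parse_w3c(log_text: str) -> list[tuple[ProxyEvent, str]]:
    """Turn W3C-style lines into (ProxyEvent, cs-uri-stem) pairs."""
    fields = None
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) are ignored
        if fields is None:
            raise ValueError("record before #Fields header")
        rec = dict(zip(fields, line.split()))
        stem = rec["cs-uri-stem"]
        events.append((ProxyEvent(rec["cs-host"], uri_extension(stem)), stem))
    return events


def find_hits(log_text: str) -> list[tuple[str, str]]:
    """(cs-host, cs-uri-stem) for every record on which the rule fires."""
    return [(ev.cs_host, stem) for ev, stem in parse_w3c(log_text) if rule_fires(ev)]


if __name__ == "__main__":
    for host, stem in find_hits(LOG):
        print(f"ALERT suspicious TLD download: {host}{stem}")
```

Run on the sample log, only `files.example.xyz` (docm) and `mirror.example.io` (ZIP, matched case-insensitively) produce alerts; `setup.exe` from the .com host and `report.xls` from the .co.uk host are suppressed by the allowlist, and `logo.png` never enters the selection. The suppressed `.exe` line is the caveat to keep in mind when tuning: this rule is a noise-reduction filter on TLD, not a verdict on the host.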