Download From Suspicious TLD - Blacklist
- source: sigma
- techniques:
  - t1203
  - t1204
  - t1204.002
  - t1566
Description
Detects download of certain file types from hosts in suspicious TLDs
Detection logic
condition: selection
selection:
  c-uri-extension:
    - exe
    - vbs
    - bat
    - rar
    - ps1
    - doc
    - docm
    - xls
    - xlsm
    - pptm
    - rtf
    - hta
    - dll
    - ws
    - wsf
    - sct
    - zip
  cs-host|endswith:
    - .country
    - .stream
    - .gdn
    - .mom
    - .xin
    - .kim
    - .men
    - .loan
    - .download
    - .racing
    - .online
    - .science
    - .ren
    - .gb
    - .win
    - .top
    - .review
    - .vip
    - .party
    - .tech
    - .xyz
    - .date
    - .faith
    - .zip
    - .cricket
    - .space
    - .info
    - .vn
    - .cm
    - .am
    - .cc
    - .asia
    - .ws
    - .tk
    - .biz
    - .su
    - .st
    - .ro
    - .ge
    - .ms
    - .pk
    - .nu
    - .me
    - .ph
    - .to
    - .tt
    - .name
    - .tv
    - .kz
    - .tc
    - .mobi
    - .study
    - .click
    - .link
    - .trade
    - .accountant
    - .cf
    - .gq
    - .ml
    - .ga
    - .pw
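The selection above is a single AND of two field lists: the requested URI's extension must be in the first list and the proxy host field must end with one of the TLDs in the second. The following is an added example (not code from the Sigma project) that implements that logic in Python and runs it over constructed W3C-style proxy log lines; it uses a subset of the rule's two lists, and the log field layout is an assumption.

```python
"""Added example: the Sigma selection (c-uri-extension AND cs-host|endswith)
implemented in Python and run over constructed proxy log lines."""
from urllib.parse import urlsplit

# Subset of the rule's two lists (assumption: enough to show the logic).
SUSPICIOUS_EXTENSIONS = {"exe", "vbs", "bat", "rar", "ps1", "doc", "docm",
                         "hta", "dll", "wsf", "sct", "zip"}
SUSPICIOUS_TLDS = (".xyz", ".top", ".zip", ".download", ".tk", ".ml", ".ga",
                   ".cf", ".gq", ".pw", ".click", ".info")

# Constructed sample lines; assumed field order:
# date time c-ip cs-method cs-host cs-uri sc-status
SAMPLE_LOG = """\
2024-05-01 09:12:03 10.0.0.5 GET updates.vendor.com /win/setup.exe 200
2024-05-01 09:12:09 10.0.0.5 GET cdn.files-host.xyz /dl/invoice.doc?id=7 200
2024-05-01 09:13:44 10.0.0.7 GET static.mirror.top:8080 /bundle.ZIP 200
2024-05-01 09:14:01 10.0.0.7 GET news.site.info /story.html 200
2024-05-01 09:15:30 10.0.0.9 GET www.example.click /scripts/run.HTA 404
"""

def uri_extension(uri: str) -> str:
    """Mirror c-uri-extension: extension of the path, query string ignored."""
    last = urlsplit(uri).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""

def matches_rule(cs_host: str, cs_uri: str) -> bool:
    """Sigma condition 'selection': both field lists must match (AND).
    Sigma string modifiers are case-insensitive, so the host is lowercased."""
    host = cs_host.split(":", 1)[0].lower()      # drop any port before matching
    return (uri_extension(cs_uri) in SUSPICIOUS_EXTENSIONS
            and host.endswith(SUSPICIOUS_TLDS))

def scan(log_text: str) -> list[str]:
    """Return the cs-host value of every line that triggers the rule."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                             # skip malformed lines
        cs_host, cs_uri = fields[4], fields[5]
        if matches_rule(cs_host, cs_uri):        # status code is not part of the rule
            hits.append(cs_host)
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("suspicious download from", h)
```

Note that the 404 line still matches: the rule fires on the request, not on whether the download succeeded, which is worth keeping in mind when tuning it.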