LoFP / false positives are limited to Zscaler configuration.

Techniques

Sample rules

Zscaler Employment Search Web Activity

Description

The following analytic identifies web activity related to employment searches within a network. It leverages Zscaler web proxy logs, focusing on entries categorized as ‘Job/Employment Search’. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This detection is significant for SOCs as it helps monitor potential insider threats by identifying users who may be seeking new employment. If confirmed malicious, this activity could indicate a risk of data exfiltration or other insider threats, potentially leading to sensitive information leakage or other security breaches.

Detection logic

`zscaler_proxy` urlsupercategory="Job/Employment Search" 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_employment_search_web_activity_filter`

Zscaler Potentially Abused File Download

Description

The following analytic identifies the download of potentially malicious file types, such as .scr, .dll, .bat, and .lnk, within a network. It leverages web proxy logs from Zscaler, focusing on blocked actions and analyzing fields like deviceowner, user, urlcategory, url, dest, and filename. This activity is significant as these file types are often used to spread malware, posing a threat to network security. If confirmed malicious, this activity could lead to malware execution, data compromise, or further network infiltration.

Detection logic

`zscaler_proxy` url IN ("*.scr", "*.dll", "*.bat", "*.lnk") 
| stats count min(_time) as firstTime max(_time) as lastTime by deviceowner user urlcategory url src filename dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_potentially_abused_file_download_filter`

Zscaler Scam Destinations Threat Blocked

Description

The following analytic identifies blocked scam-related activities detected by Zscaler within a network. It leverages web proxy logs to examine actions flagged as scam threats, focusing on data points such as device owner, user, URL category, destination URL, and IP. This detection is significant for a SOC as it helps in the early identification and mitigation of scam activities, ensuring network safety. If confirmed malicious, this activity could indicate attempts to deceive users, potentially leading to data theft or financial loss.

Detection logic

`zscaler_proxy` action=blocked threatname=*scam* 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_scam_destinations_threat_blocked_filter`

Zscaler Exploit Threat Blocked

Description

The following analytic identifies potential exploit attempts involving command and script interpreters blocked by Zscaler. It leverages web proxy logs to detect incidents where actions are blocked due to exploit references. The detection compiles statistics by user, threat name, URL, hostname, file class, and filename. This activity is significant as it helps identify and mitigate exploit attempts, which is critical for maintaining security. If confirmed malicious, such activity could lead to unauthorized code execution, privilege escalation, or persistent access within the environment, posing a severe threat to organizational security.

Detection logic

`zscaler_proxy` action=blocked threatname=*exploit*
| stats count min(_time) as firstTime max(_time) as lastTime by user threatname src hostname fileclass filename url dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `zscaler_exploit_threat_blocked_filter`

Zscaler CryptoMiner Downloaded Threat Blocked

Description

The following analytic identifies attempts to download cryptomining software that are blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with cryptominer threats, analyzing key data points such as device owner, user, URL category, destination URL, and IP. This activity is significant for a SOC as it helps in early identification and mitigation of cryptomining activities, which can compromise network integrity and resource availability. If confirmed malicious, this activity could lead to unauthorized use of network resources for cryptomining, potentially degrading system performance and increasing operational costs.

Detection logic

`zscaler_proxy` action=blocked threatname=*miner* 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_cryptominer_downloaded_threat_blocked_filter`

Zscaler Virus Download Threat Blocked

Description

The following analytic identifies attempts to download viruses that were blocked by Zscaler within a network. It leverages web proxy logs to detect blocked actions indicative of virus download attempts. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as it helps in early detection and remediation of potential virus threats, enhancing network security. If confirmed malicious, this activity could indicate an attempt to compromise the network, potentially leading to data breaches or further malware infections.

Detection logic

`zscaler_proxy` action=blocked threatname!="None" threatclass=Virus 
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `zscaler_virus_download_threat_blocked_filter`

Zscaler Legal Liability Threat Blocked

Description

The following analytic identifies significant legal liability threats blocked by the Zscaler web proxy. It uses web proxy logs to track destinations, device owners, users, URL categories, and actions associated with legal liability. By leveraging statistics on unique fields, it ensures a precise focus on these threats. This activity is significant for a SOC as it helps enforce legal compliance and risk management. If confirmed malicious, it could indicate attempts to access legally sensitive or restricted content, potentially leading to legal repercussions and compliance violations.

Detection logic

`zscaler_proxy` urlclass="Legal Liability"
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| dedup urlcategory
| `zscaler_legal_liability_threat_blocked_filter`

Zscaler Privacy Risk Destinations Threat Blocked

Description

The following analytic identifies blocked destinations within a network that are deemed privacy risks by Zscaler. It leverages web proxy logs, focusing on entries marked as “Privacy Risk.” Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant for a SOC as it helps monitor and manage privacy risks, ensuring a secure network environment. If confirmed malicious, this activity could indicate attempts to access or exfiltrate sensitive information, posing a significant threat to data privacy and security.

Detection logic

`zscaler_proxy` action=blocked urlclass="Privacy Risk"
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest
| dedup urlcategory
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `zscaler_privacy_risk_destinations_threat_blocked_filter`

Zscaler Adware Activities Threat Blocked

Description

The following analytic identifies potential adware activity blocked by Zscaler. It leverages web proxy logs to detect blocked actions associated with adware threats. Key data points such as device owner, user, URL category, destination URL, and IP are analyzed. This activity is significant as adware can degrade system performance, lead to unwanted advertisements, and potentially expose users to further malicious content. If confirmed malicious, it could indicate an attempt to compromise user systems, necessitating further investigation and remediation to prevent potential data breaches or system exploitation.

Detection logic

`zscaler_proxy` action=blocked threatname=*adware*
| stats count min(_time) as firstTime max(_time) as lastTime by action deviceowner user urlcategory url src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `zscaler_adware_activities_threat_blocked_filter`
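Every rule above is the same shape: a field predicate on `zscaler_proxy` events, then `stats count min(_time) as firstTime max(_time) as lastTime by <fields>`, with one rule adding `dedup urlcategory`. The block below is an added example, not part of the LoFP page or of the Splunk security content it lists: a small Python emulation of that pattern run over constructed Zscaler proxy events, used to show the Scam, Potentially Abused File Download and Legal Liability rules side by side. The field names follow the SPL on the page; the sample records, the `_event` builder and the function names are assumptions made for the example. Splunk wildcard semantics are approximated with `fnmatch` (case-insensitive, `*` matches any run of characters).

```python
import fnmatch
from typing import Callable, Dict, List, Sequence

Event = Dict[str, object]

# Constructed Zscaler web proxy events keyed by the field names the page's SPL
# uses; _time is epoch seconds. Values are made up for this example, not real logs.
def _event(t, action, threatname, urlclass, urlcategory, url, owner, filename=""):
    return {"_time": t, "action": action, "threatname": threatname, "urlclass": urlclass,
            "urlcategory": urlcategory, "url": url, "deviceowner": owner, "user": owner,
            "src": "10.0.0.5", "dest": "203.0.113.10", "filename": filename}

EVENTS: List[Event] = [
    _event(1000, "blocked", "HTML.Scam.FakeSupport", "Advanced Security", "Scam", "http://support-scam.invalid/", "alice"),
    _event(1600, "blocked", "HTML.Scam.FakeSupport", "Advanced Security", "Scam", "http://support-scam.invalid/", "alice"),
    _event(1200, "allowed", "None", "General", "Misc", "http://files.invalid/update.scr", "bob", "update.scr"),
    _event(1300, "blocked", "None", "General", "Misc", "http://files.invalid/tool.dll?ver=2", "bob", "tool.dll"),
    _event(1400, "blocked", "None", "Legal Liability", "Gambling", "http://bets.invalid/", "carol"),
    _event(1500, "blocked", "None", "Legal Liability", "Gambling", "http://bets2.invalid/", "carol"),
    _event(1450, "blocked", "None", "Legal Liability", "Hacking", "http://cracks.invalid/", "dave"),
]


def spl_match(value: str, pattern: str) -> bool:
    """Approximate a Splunk `field=pattern` test: case-insensitive, '*' is the wildcard.
    (fnmatch also treats '?' and '[...]' specially, which Splunk does not; the patterns
    on the page use only '*', so this does not matter here.)"""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def stats_first_last(events: Sequence[Event], predicate: Callable[[Event], bool],
                     by_fields: Sequence[str]) -> List[Event]:
    """Emulate `| stats count min(_time) as firstTime max(_time) as lastTime by <by_fields>`.
    As in Splunk, an event missing any by-field is dropped from the aggregation."""
    groups: Dict[tuple, Event] = {}
    for ev in events:
        if not predicate(ev) or any(f not in ev for f in by_fields):
            continue
        key = tuple(ev[f] for f in by_fields)
        row = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    rows = [{**dict(zip(by_fields, key)), **agg} for key, agg in groups.items()]
    # Deterministic order so the dedup step below is reproducible (example's assumption;
    # Splunk does not guarantee stats output order).
    rows.sort(key=lambda r: r["firstTime"])
    return rows


COMMON_BY = ["action", "deviceowner", "user", "urlcategory", "url", "src", "dest"]


def scam_threat_blocked(events: Sequence[Event]) -> List[Event]:
    """Page rule: `action=blocked threatname=*scam*`."""
    return stats_first_last(
        events,
        lambda e: spl_match(e["action"], "blocked") and spl_match(e["threatname"], "*scam*"),
        COMMON_BY)


FILE_PATTERNS = ("*.scr", "*.dll", "*.bat", "*.lnk")


def potentially_abused_file_download(events: Sequence[Event]) -> List[Event]:
    """Page rule: `url IN ("*.scr", "*.dll", "*.bat", "*.lnk")`. The globs are suffix
    matches, so a URL carrying a query string after the extension is not matched."""
    by = ["deviceowner", "user", "urlcategory", "url", "src", "filename", "dest"]
    return stats_first_last(events, lambda e: any(spl_match(e["url"], p) for p in FILE_PATTERNS), by)


def legal_liability_threat_blocked(events: Sequence[Event], dedup: bool = True) -> List[Event]:
    """Page rule: `urlclass="Legal Liability"` followed by `dedup urlcategory`, which keeps
    only the first stats row per category; pass dedup=False to see every row."""
    rows = stats_first_last(events, lambda e: spl_match(e["urlclass"], "Legal Liability"), COMMON_BY)
    if not dedup:
        return rows
    seen, out = set(), []
    for r in rows:
        if r["urlcategory"] not in seen:
            seen.add(r["urlcategory"])
            out.append(r)
    return out


if __name__ == "__main__":
    for name, fn in [("scam", scam_threat_blocked), ("file download", potentially_abused_file_download),
                     ("legal liability", legal_liability_threat_blocked)]:
        print(name, fn(EVENTS))
```

Two things the sample input makes visible: the `.scr` event is an allowed request, and the file-download SPL on the page carries no `action=blocked` term, so the emulation matches it as the SPL would; and `dedup urlcategory` collapses carol's second Gambling destination into the first row, so a triage view built on the deduplicated output sees one destination per category rather than every offending URL.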