LoFP / Legitimate application and websites that use Windows paths in their URL

Techniques

Sample rules

Suspicious Windows Strings In URI

Description

Detects suspicious Windows path strings in a URI query, which could indicate data exfiltration or webshell communication.

Detection logic

condition: selection
selection:
  cs-uri-query|contains:
  - =C:/Users
  - =C:/Program%20Files
  - =C:/Windows
  - =C%3A%5CUsers
  - =C%3A%5CProgram%20Files
  - =C%3A%5CWindows
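As an added example (not part of the LoFP page or the Sigma rule itself), the following Python applies the rule's selection to constructed proxy records and shows how the false positive named in the title is handled by allowlisting a confirmed destination host; the field names, hosts and the triage helper are assumptions.

```python
from urllib.parse import parse_qsl, unquote

# Substrings from the rule's cs-uri-query|contains list. Sigma's 'contains'
# modifier is case-insensitive, so the matcher lowercases both sides.
SUSPICIOUS_QUERY_STRINGS = [
    "=C:/Users", "=C:/Program%20Files", "=C:/Windows",
    "=C%3A%5CUsers", "=C%3A%5CProgram%20Files", "=C%3A%5CWindows",
]

def matches_rule(cs_uri_query: str) -> bool:
    """Apply the rule's selection to one proxy record's cs-uri-query field."""
    q = cs_uri_query.lower()
    return any(s.lower() in q for s in SUSPICIOUS_QUERY_STRINGS)

def windows_path_params(cs_uri_query: str) -> list[tuple[str, str]]:
    """Triage helper (assumption, not part of the rule): list query parameters
    whose decoded value starts with a C: drive path, so an analyst can see
    which application feature carries the path."""
    out = []
    for name, value in parse_qsl(cs_uri_query, keep_blank_values=True):
        decoded = unquote(value).replace("\\", "/")
        if decoded[:3].lower() == "c:/":
            out.append((name, decoded))
    return out

def triage(records: list[dict], allowlisted_hosts: set[str]) -> list[dict]:
    """Alert on matching records, dropping destination hosts an analyst has
    confirmed as legitimate applications that put Windows paths in URLs
    (the LoFP case). Allowlisting per host keeps coverage elsewhere."""
    alerts = []
    for r in records:
        if r["cs-host"] in allowlisted_hosts or not matches_rule(r["cs-uri-query"]):
            continue
        alerts.append({**r, "paths": windows_path_params(r["cs-uri-query"])})
    return alerts

# Constructed sample proxy records (W3C-style field names); not real traffic.
SAMPLE_RECORDS = [
    {"cs-host": "203.0.113.10", "cs-uri-query": "cmd=dir&path=C:/Windows/Temp"},
    {"cs-host": "203.0.113.10",
     "cs-uri-query": "f=C%3A%5CUsers%5Cbob%5CDesktop%5Creport.docx"},
    {"cs-host": "docs.example.internal",  # legitimate app: Windows path in URL
     "cs-uri-query": "open=C:/Users/Public/Documents/q3.pdf"},
    {"cs-host": "search.example.com", "cs-uri-query": "q=c%2B%2B+file+io"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS, allowlisted_hosts={"docs.example.internal"}):
        print(a["cs-host"], a["paths"])
```

With the internal document host allowlisted, only the two records to the unknown external host remain as alerts; without the allowlist the legitimate application fires as well.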