Techniques
Sample rules
HTTP Request to Low Reputation TLD or Suspicious File Extension
- source: sigma
- techniques:
Description
Detects HTTP requests to low-reputation TLDs (e.g. .xyz, .top, .ru) in which the requested URI ends in a suspicious file extension (.exe, .dll, .hta) or the response carries an executable or archive MIME type, which may indicate malicious activity. Note that the condition requires both a suspicious TLD and one of the file-extension or MIME-type selections; a suspicious extension on its own does not fire the rule.
Detection logic
condition: selection_suspicious_tld and 1 of selection_malicious_*
selection_malicious_ext:
  uri|endswith:
    - .bat
    - .bin
    - .cmd
    - .cpl
    - .dll
    - .dylib
    - .elf
    - .exe
    - .hta
    - .iso
    - .jar
    - .js
    - .lnk
    - .msi
    - .pif
    - .ps1
    - .py
    - .reg
    - .scr
    - .sh
    - .so
    - .vbs
    - .wsf
selection_malicious_mime:
  resp_mime_types:
    - application/vnd.microsoft.portable-executable
    - application/x-bat
    - application/x-dosexec
    - application/x-elf
    - application/x-iso9660-image
    - application/x-java-archive
    - application/x-ms-shortcut
    - application/x-msdos-program
    - application/x-msdownload
    - application/x-python-code
    - application/x-sh
selection_suspicious_tld:
  host|endswith:
    - .bid
    - .by
    - .cf
    - .click
    - .cm
    - .ga
    - .gq
    - .ir
    - .kp
    - .loan
    - .ml
    - .mm
    - .party
    - .pw
    - .ru
    - .su
    - .sy
    - .tk
    - .top
    - .tv
    - .ve
    - .work
    - .xyz
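To make the condition concrete, the following is an added example (not part of the Sigma rule or any Sigma backend) that evaluates the three selections and the condition above against constructed Zeek http.log records in JSON form. The field names host, uri and resp_mime_types are the Zeek http.log fields the rule keys on; the sample records, uids and addresses are made up for the example. Sigma string matching is case-insensitive and a list-valued field (resp_mime_types) matches if any element matches, so the helper normalises both.

```python
"""Evaluate the 'HTTP Request to Low Reputation TLD or Suspicious File Extension'
logic against Zeek http.log JSON records. Illustrative code only, not a Sigma engine."""
import json

# Lists copied from the rule's three selections.
SUSPICIOUS_TLDS = (".bid", ".by", ".cf", ".click", ".cm", ".ga", ".gq", ".ir", ".kp",
                   ".loan", ".ml", ".mm", ".party", ".pw", ".ru", ".su", ".sy", ".tk",
                   ".top", ".tv", ".ve", ".work", ".xyz")
MALICIOUS_EXTS = (".bat", ".bin", ".cmd", ".cpl", ".dll", ".dylib", ".elf", ".exe",
                  ".hta", ".iso", ".jar", ".js", ".lnk", ".msi", ".pif", ".ps1", ".py",
                  ".reg", ".scr", ".sh", ".so", ".vbs", ".wsf")
MALICIOUS_MIMES = {"application/vnd.microsoft.portable-executable", "application/x-bat",
                   "application/x-dosexec", "application/x-elf",
                   "application/x-iso9660-image", "application/x-java-archive",
                   "application/x-ms-shortcut", "application/x-msdos-program",
                   "application/x-msdownload", "application/x-python-code",
                   "application/x-sh"}


def _values(record, field):
    """Sigma matching is case-insensitive and a list-valued field matches if any
    element matches, so return every value of the field lower-cased as a list."""
    value = record.get(field)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v).lower() for v in value]
    return [str(value).lower()]


def selection_suspicious_tld(record):
    # host|endswith
    return any(h.endswith(SUSPICIOUS_TLDS) for h in _values(record, "host"))


def selection_malicious_ext(record):
    # uri|endswith
    return any(u.endswith(MALICIOUS_EXTS) for u in _values(record, "uri"))


def selection_malicious_mime(record):
    # resp_mime_types (exact match on any element)
    return any(m in MALICIOUS_MIMES for m in _values(record, "resp_mime_types"))


def rule_matches(record):
    """condition: selection_suspicious_tld and 1 of selection_malicious_*"""
    return selection_suspicious_tld(record) and (
        selection_malicious_ext(record) or selection_malicious_mime(record))


# Constructed Zeek http.log records (JSON output format); not real traffic.
SAMPLE_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.10","method":"GET","host":"update.example.xyz","uri":"/dl/agent.exe","resp_mime_types":["application/x-dosexec"]}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.11","method":"GET","host":"cdn.example.com","uri":"/setup.exe","resp_mime_types":["application/x-dosexec"]}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.12","method":"GET","host":"files.example.ru","uri":"/get?id=42","resp_mime_types":["application/x-msdownload"]}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.13","method":"GET","host":"news.example.ru","uri":"/index.html","resp_mime_types":["text/html"]}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.14","method":"GET","host":"Example.TOP","uri":"/Payload.EXE","resp_mime_types":["application/x-dosexec"]}
{"ts":1700000005.6,"uid":"C6","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.15","method":"GET","host":"example.top:8080","uri":"/payload.exe","resp_mime_types":["application/x-dosexec"]}
"""


def scan(log_text):
    """Return the uids of the records the rule fires on, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if rule_matches(record):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # ['C1', 'C3', 'C5']
```

Three things the sample shows that the YAML alone does not. C2 downloads an .exe from a .com host and does not fire, because the TLD selection is mandatory. C3 has no suspicious extension (the payload sits behind a query string), but the response MIME type catches it, which is why `1 of selection_malicious_*` is worth keeping rather than matching on the URI alone. C6 is a caveat: Zeek's host field is the raw Host header, so if the client sent a port the `endswith` check on the TLD no longer matches; strip the port in your pipeline's field mapping if you want that traffic covered. Expect some benign hits from popular .tv and .ru sites; tune with an allow-list of known hosts rather than by removing the TLDs.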