Techniques
Sample rules
Flash Player Update from Suspicious Location
- source: sigma
- techniques:
  - t1036
  - t1036.005
  - t1189
  - t1204
  - t1204.002
Description
Detects a Flash Player update downloaded from an unofficial location.
Detection logic
condition: selection and not filter
filter:
  cs-host|endswith: .adobe.com
selection:
  - c-uri|contains: /flash_install.php
  - c-uri|endswith: /install_flash_player.exe
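How the condition above evaluates against proxy records, as an added example that is not part of the Sigma rule or the original page. The sample records, hostnames and function names are constructed for illustration; only the field names and match strings come from the rule.

```python
# Added example: the rule's condition applied to constructed proxy records.
# Sigma string modifiers compare case-insensitively, so values are lowercased.

SELECTION_CONTAINS = "/flash_install.php"
SELECTION_ENDSWITH = "/install_flash_player.exe"
FILTER_HOST_SUFFIX = ".adobe.com"


def selection(event):
    """List items under `selection` are OR-ed together."""
    uri = str(event.get("c-uri", "")).lower()
    return SELECTION_CONTAINS in uri or uri.endswith(SELECTION_ENDSWITH)


def host_filter(event):
    """True when cs-host ends with .adobe.com; a missing field never matches."""
    host = str(event.get("cs-host", "")).lower()
    return host.endswith(FILTER_HOST_SUFFIX)


def rule_matches(event):
    """condition: selection and not filter"""
    return selection(event) and not host_filter(event)


# Constructed sample records (hosts and paths are illustrative, not real traffic).
SAMPLE_EVENTS = [
    {"cs-host": "get.adobe.com", "c-uri": "/flashplayer/install_flash_player.exe"},
    {"cs-host": "updates.example.net", "c-uri": "/dl/install_flash_player.exe"},
    {"cs-host": "cdn.example.org", "c-uri": "/flash_install.php?id=7"},
    {"cs-host": "adobe.com.example.net", "c-uri": "/Install_Flash_Player.EXE"},
    {"cs-host": "adobe.com", "c-uri": "/install_flash_player.exe"},
    {"cs-host": "www.example.com", "c-uri": "/index.html"},
]


def alerts(events):
    """Return the cs-host of every event the rule fires on."""
    return [e["cs-host"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for host in alerts(SAMPLE_EVENTS):
        print("ALERT", host)
```

The bare host adobe.com is not covered by the `.adobe.com` suffix filter, so the rule fires on it; triage should expect that as a possible false positive.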