eq_0006 — 2 rules with the same canonical form

Vendors: sigma (2). Stage count: 5. Correlation shape: single_event.

Members

Stages and predicates (per member)

Each member's stage rendered in its own native syntax (verbatim source where the IR captures it; falls back to the synthesised native form for the few stage types whose source segments aren't recoverable).

File Download From IP URL Via Curl.EXE — stage 1 all of selection_img

or:
Image|endswith: '\curl.exe'
OriginalFileName: curl.exe

File Download From IP URL Via Curl.EXE — stage 2 all of selection_ip

CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

File Download From IP URL Via Curl.EXE — stage 3 all of selection_http

CommandLine|contains: http

File Download From IP URL Via Curl.EXE — stage 4 all of selection_flag

or:
CommandLine|contains: ' -O'
CommandLine|contains: --output
CommandLine|contains: --remote-name

File Download From IP URL Via Curl.EXE — stage 5 not 1 of filter_main_ext

or:
CommandLine|endswith: .bat
CommandLine|endswith: '.bat'''
CommandLine|endswith: '.bat"'
CommandLine|endswith: .dat
CommandLine|endswith: '.dat'''
CommandLine|endswith: '.dat"'
CommandLine|endswith: .dll
CommandLine|endswith: '.dll'''
CommandLine|endswith: '.dll"'
CommandLine|endswith: .exe
CommandLine|endswith: '.exe'''
CommandLine|endswith: '.exe"'
CommandLine|endswith: .gif
CommandLine|endswith: '.gif'''
CommandLine|endswith: '.gif"'
CommandLine|endswith: .hta
CommandLine|endswith: '.hta'''
CommandLine|endswith: '.hta"'
CommandLine|endswith: .jpeg
CommandLine|endswith: '.jpeg'''
CommandLine|endswith: '.jpeg"'
CommandLine|endswith: .log
CommandLine|endswith: '.log'''
CommandLine|endswith: '.log"'
CommandLine|endswith: .msi
CommandLine|endswith: '.msi'''
CommandLine|endswith: '.msi"'
CommandLine|endswith: .png
CommandLine|endswith: '.png'''
CommandLine|endswith: '.png"'
CommandLine|endswith: .ps1
CommandLine|endswith: '.ps1'''
CommandLine|endswith: '.ps1"'
CommandLine|endswith: .psm1
CommandLine|endswith: '.psm1'''
CommandLine|endswith: '.psm1"'
CommandLine|endswith: .vbe
CommandLine|endswith: '.vbe'''
CommandLine|endswith: '.vbe"'
CommandLine|endswith: .vbs
CommandLine|endswith: '.vbs'''
CommandLine|endswith: '.vbs"'

Suspicious File Download From IP Via Curl.EXE — stage 6 all of selection_img

or:
Image|endswith: '\curl.exe'
OriginalFileName: curl.exe

Suspicious File Download From IP Via Curl.EXE — stage 7 all of selection_ip

CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

Suspicious File Download From IP Via Curl.EXE — stage 8 all of selection_http

CommandLine|contains: http

Suspicious File Download From IP Via Curl.EXE — stage 9 all of selection_flag

or:
CommandLine|contains: ' -O'
CommandLine|contains: --output
CommandLine|contains: --remote-name

Suspicious File Download From IP Via Curl.EXE — stage 10 all of selection_ext

or:
CommandLine|endswith: .bat
CommandLine|endswith: '.bat'''
CommandLine|endswith: '.bat"'
CommandLine|endswith: .dat
CommandLine|endswith: '.dat'''
CommandLine|endswith: '.dat"'
CommandLine|endswith: .dll
CommandLine|endswith: '.dll'''
CommandLine|endswith: '.dll"'
CommandLine|endswith: .exe
CommandLine|endswith: '.exe'''
CommandLine|endswith: '.exe"'
CommandLine|endswith: .gif
CommandLine|endswith: '.gif'''
CommandLine|endswith: '.gif"'
CommandLine|endswith: .hta
CommandLine|endswith: '.hta'''
CommandLine|endswith: '.hta"'
CommandLine|endswith: .jpeg
CommandLine|endswith: '.jpeg'''
CommandLine|endswith: '.jpeg"'
CommandLine|endswith: .log
CommandLine|endswith: '.log'''
CommandLine|endswith: '.log"'
CommandLine|endswith: .msi
CommandLine|endswith: '.msi'''
CommandLine|endswith: '.msi"'
CommandLine|endswith: .png
CommandLine|endswith: '.png'''
CommandLine|endswith: '.png"'
CommandLine|endswith: .ps1
CommandLine|endswith: '.ps1'''
CommandLine|endswith: '.ps1"'
CommandLine|endswith: .psm1
CommandLine|endswith: '.psm1'''
CommandLine|endswith: '.psm1"'
CommandLine|endswith: .vbe
CommandLine|endswith: '.vbe'''
CommandLine|endswith: '.vbe"'
CommandLine|endswith: .vbs
CommandLine|endswith: '.vbs'''
CommandLine|endswith: '.vbs"'

Indicators (across all members)

Field             Kind         Value                                                  Members  Corpus
CommandLine       ends_with    .bat                                                   2        5
CommandLine       ends_with    .bat"                                                  2        5
CommandLine       ends_with    .bat'                                                  2        5
CommandLine       ends_with    .dat                                                   2        7
CommandLine       ends_with    .dat"                                                  2        5
CommandLine       ends_with    .dat'                                                  2        5
CommandLine       ends_with    .dll                                                   2        9
CommandLine       ends_with    .dll"                                                  2        6
CommandLine       ends_with    .dll'                                                  2        6
CommandLine       ends_with    .exe                                                   2        6
CommandLine       ends_with    .exe"                                                  2        5
CommandLine       ends_with    .exe'                                                  2        5
CommandLine       ends_with    .gif                                                   2        4
CommandLine       ends_with    .gif"                                                  2        2
CommandLine       ends_with    .gif'                                                  2        2
CommandLine       ends_with    .hta                                                   2        6
CommandLine       ends_with    .hta"                                                  2        5
CommandLine       ends_with    .hta'                                                  2        5
CommandLine       ends_with    .jpeg                                                  2        4
CommandLine       ends_with    .jpeg"                                                 2        2
CommandLine       ends_with    .jpeg'                                                 2        2
CommandLine       ends_with    .log                                                   2        3
CommandLine       ends_with    .log"                                                  2        2
CommandLine       ends_with    .log'                                                  2        2
CommandLine       ends_with    .msi                                                   2        5
CommandLine       ends_with    .msi"                                                  2        5
CommandLine       ends_with    .msi'                                                  2        5
CommandLine       ends_with    .png                                                   2        4
CommandLine       ends_with    .png"                                                  2        2
CommandLine       ends_with    .png'                                                  2        2
CommandLine       ends_with    .ps1                                                   2        6
CommandLine       ends_with    .ps1"                                                  2        5
CommandLine       ends_with    .ps1'                                                  2        5
CommandLine       ends_with    .psm1                                                  2        6
CommandLine       ends_with    .psm1"                                                 2        5
CommandLine       ends_with    .psm1'                                                 2        5
CommandLine       ends_with    .vbe                                                   2        7
CommandLine       ends_with    .vbe"                                                  2        5
CommandLine       ends_with    .vbe'                                                  2        5
CommandLine       ends_with    .vbs                                                   2        7
CommandLine       ends_with    .vbs"                                                  2        5
CommandLine       ends_with    .vbs'                                                  2        5
CommandLine       match        ' -O'                                                  2        3
CommandLine       match        --output                                               2        3
CommandLine       match        --remote-name                                          2        3
CommandLine       match        http                                                   2        31
CommandLine       regex_match  ://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}      2        5
Image             ends_with    \curl.exe                                              2        19
OriginalFileName  eq           curl.exe                                               2        11