detection.wiki

Detection rules › Sigma

Unusual File Download from Direct IP Address

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Source
upstream

Detects the download of suspicious file type from URLs with IP

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1564.004 Hide Artifacts: NTFS File Attributes

Event coverage

ProviderEvent IDTitle
Sysmon15FileCreateStreamHash

Stages and Predicates

Stage 1: selection

or:
TargetFilename|contains: '.bat:Zone'
TargetFilename|contains: '.cmd:Zone'
TargetFilename|contains: '.dll:Zone'
TargetFilename|contains: '.exe:Zone'
TargetFilename|contains: '.hta:Zone'
TargetFilename|contains: '.lnk:Zone'
TargetFilename|contains: '.one:Zone'
TargetFilename|contains: '.ps1:Zone'
TargetFilename|contains: '.vbe:Zone'
TargetFilename|contains: '.vbs:Zone'
TargetFilename|contains: '.xll:Zone'
Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Contentsregex_match
  • http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
TargetFilenamematch
  • .bat:Zone corpus 3 (sigma 3)
  • .cmd:Zone corpus 2 (sigma 2)
  • .dll:Zone corpus 3 (sigma 3)
  • .exe:Zone corpus 3 (sigma 3)
  • .hta:Zone corpus 3 (sigma 3)
  • .lnk:Zone corpus 2 (sigma 2)
  • .one:Zone corpus 2 (sigma 2)
  • .ps1:Zone corpus 3 (sigma 3)
  • .vbe:Zone corpus 3 (sigma 3)
  • .vbs:Zone corpus 3 (sigma 3)
  • .xll:Zone corpus 3 (sigma 3)