detection.wiki

Detection rules › Sigma

Potentially Suspicious File Download From ZIP TLD

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Event coverage

ProviderEvent IDTitle
Sysmon15FileCreateStreamHash

Stages and Predicates

Stage 1: selection

or:
TargetFilename|contains: '.bat:Zone'
TargetFilename|contains: '.dat:Zone'
TargetFilename|contains: '.dll:Zone'
TargetFilename|contains: '.doc:Zone'
TargetFilename|contains: '.docm:Zone'
TargetFilename|contains: '.exe:Zone'
TargetFilename|contains: '.hta:Zone'
TargetFilename|contains: '.pptm:Zone'
TargetFilename|contains: '.ps1:Zone'
TargetFilename|contains: '.rar:Zone'
TargetFilename|contains: '.rtf:Zone'
TargetFilename|contains: '.sct:Zone'
TargetFilename|contains: '.vbe:Zone'
TargetFilename|contains: '.vbs:Zone'
TargetFilename|contains: '.ws:Zone'
TargetFilename|contains: '.wsf:Zone'
TargetFilename|contains: '.xll:Zone'
TargetFilename|contains: '.xls:Zone'
TargetFilename|contains: '.xlsm:Zone'
TargetFilename|contains: '.zip:Zone'
Contents|contains: '.zip/'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Contentsmatch
  • .zip/
TargetFilenamematch
  • .bat:Zone corpus 3 (sigma 3)
  • .dat:Zone
  • .dll:Zone corpus 3 (sigma 3)
  • .doc:Zone
  • .docm:Zone corpus 2 (sigma 2)
  • .exe:Zone corpus 3 (sigma 3)
  • .hta:Zone corpus 3 (sigma 3)
  • .pptm:Zone corpus 2 (sigma 2)
  • .ps1:Zone corpus 3 (sigma 3)
  • .rar:Zone
  • .rtf:Zone
  • .sct:Zone
  • .vbe:Zone corpus 3 (sigma 3)
  • .vbs:Zone corpus 3 (sigma 3)
  • .ws:Zone
  • .wsf:Zone
  • .xll:Zone corpus 3 (sigma 3)
  • .xls:Zone
  • .xlsm:Zone corpus 2 (sigma 2)
  • .zip:Zone