Potentially Suspicious File Download From ZIP TLD

Rule Info

Tags
attack.defense_evasion DEMO
Name
Potentially Suspicious File Download From ZIP TLD
Id
0bb4bbeb-fe52-4044-b40c-430a04577ebe
Date
2023-05-18 00:00:00
Modified
None
Description
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Reference
https://twitter.com/cyb3rops/status/1659175181695287297
Author
Florian Roth (Nextron Systems)
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=0bb4bbeb-fe52-4044-b40c-430a04577ebe

Rule History

Title
Author
Commit
Date
feat: add more extensions and fix metadata
Nasreddine Bencherchali
d468c2fb3
2023-05-18
docs: add url
Florian Roth
11069e87c
2023-05-18
.zip domain stream hash - file type download
Florian Roth
8bad6f0eb
2023-05-18
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022