HTTP Request to Low Reputation TLD or Suspicious File Extension

Rule Info

Name: HTTP Request to Low Reputation TLD or Suspicious File Extension
Author: @signalblur, Corelight
Description: Detects HTTP requests to low-reputation TLDs (e.g. .xyz, .top, .ru) or with URIs ending in suspicious file extensions (.exe, .dll, .hta), either of which may indicate malicious activity.
Date: 2025-02-26 00:00:00
Modified: None
Id: 68c2c604-92ad-468b-bf4a-aac49adad08c
Tags: attack.initial-access attack.command-and-control
Type: Community Rule
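The two conditions the description summarises, as an added Python illustration run over constructed HTTP log records (this is not the rule's own Sigma logic, which the page does not show; the TLD and extension lists are just the examples named in the description):

```python
from urllib.parse import urlsplit

# Illustrative values taken from the rule description; a deployed list would be larger.
LOW_REPUTATION_TLDS = {"xyz", "top", "ru"}
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".hta")


def effective_tld(host: str) -> str:
    """Last DNS label of a hostname, lower-cased; empty for IPv4 literals or bare names."""
    name = host.split(":")[0].rstrip(".").lower()      # drop a :port (hostnames/IPv4 only)
    if not name or name.replace(".", "").isdigit():     # IPv4 literal has no TLD
        return ""
    return name.rsplit(".", 1)[-1] if "." in name else ""


def match_reasons(host: str, uri: str) -> list[str]:
    """Reasons a request matches the rule; an empty list means no match."""
    reasons = []
    tld = effective_tld(host)
    if tld in LOW_REPUTATION_TLDS:
        reasons.append("low_reputation_tld:." + tld)
    # Only the path is tested, so "?file=a.exe" in a query string does not count.
    path = urlsplit(uri).path.lower()
    if path.endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("suspicious_extension:" + path.rsplit(".", 1)[-1])
    return reasons


def scan(records):
    """Return (host, uri, reasons) for every record that matches either condition."""
    hits = []
    for rec in records:
        reasons = match_reasons(rec["host"], rec["uri"])
        if reasons:
            hits.append((rec["host"], rec["uri"], reasons))
    return hits


# Constructed HTTP log records (host header + request URI), not real traffic.
SAMPLE_RECORDS = [
    {"host": "cdn.example.com", "uri": "/static/app.js"},
    {"host": "update.example.com", "uri": "/pkg/agent.dll"},
    {"host": "promo-site.xyz", "uri": "/index.html"},
    {"host": "files.example.top:8080", "uri": "/d/setup.hta?ts=1"},
    {"host": "192.0.2.10", "uri": "/api/v1/status"},
]

if __name__ == "__main__":
    for host, uri, reasons in scan(SAMPLE_RECORDS):
        print(host, uri, ", ".join(reasons))
```

Expect noise from legitimate software updates serving .exe/.dll and from genuine sites on the listed TLDs, so this is a triage signal to enrich (user agent, referrer, destination reputation) rather than a standalone alert.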

Rule History

Author: signalblur
Title: Merge PR #5214 from @signalblur - Add `HTTP Request to Low Reputation TLD or Suspicious File Extension`
Date: 2025-03-04
Commit: