Download From Suspicious TLD - Blacklist

Original Source: [Sigma source]
Title: Download From Suspicious TLD - Blacklist
Status: test
Description: Detects download of certain file types from hosts in suspicious TLDs
References:
  - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
  - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
  - https://www.spamhaus.org/statistics/tlds/
  - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
Author: Florian Roth (Nextron Systems)
Date: 2017-11-07
Modified: 2023-05-18
Tags:
  - attack.initial-access
  - attack.t1566
  - attack.execution
  - attack.t1203
  - attack.t1204.002
Logsource:
  category: proxy
Detection:
  selection:
    c-uri-extension:
      - 'exe'
      - 'vbs'
      - 'bat'
      - 'rar'
      - 'ps1'
      - 'doc'
      - 'docm'
      - 'xls'
      - 'xlsm'
      - 'pptm'
      - 'rtf'
      - 'hta'
      - 'dll'
      - 'ws'
      - 'wsf'
      - 'sct'
      - 'zip'
    cs-host|endswith:
      - '.country'
      - '.stream'
      - '.gdn'
      - '.mom'
      - '.xin'
      - '.kim'
      - '.men'
      - '.loan'
      - '.download'
      - '.racing'
      - '.online'
      - '.science'
      - '.ren'
      - '.gb'
      - '.win'
      - '.top'
      - '.review'
      - '.vip'
      - '.party'
      - '.tech'
      - '.xyz'
      - '.date'
      - '.faith'
      - '.zip'
      - '.cricket'
      - '.space'
      - '.info'
      - '.vn'
      - '.cm'
      - '.am'
      - '.cc'
      - '.asia'
      - '.ws'
      - '.tk'
      - '.biz'
      - '.su'
      - '.st'
      - '.ro'
      - '.ge'
      - '.ms'
      - '.pk'
      - '.nu'
      - '.me'
      - '.ph'
      - '.to'
      - '.tt'
      - '.name'
      - '.tv'
      - '.kz'
      - '.tc'
      - '.mobi'
      - '.study'
      - '.click'
      - '.link'
      - '.trade'
      - '.accountant'
      - '.cf'
      - '.gq'
      - '.ml'
      - '.ga'
      - '.pw'
  condition: selection
False positives:
  - All kinds of software downloads
Level: low
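The selection above is a single map, so both field conditions must hold (AND), and `endswith` on `cs-host` matches the registered TLD rather than any label in the hostname. The following added example (not part of the Sigma rule or the Sigma project's tooling) evaluates that logic against constructed proxy-log URLs; the `proxy_fields` helper that derives `cs-host` and `c-uri-extension` from a URL is an assumption about how a proxy populates those fields.

```python
# Added example: evaluates the Sigma selection above against constructed
# proxy-log URLs. Field names mirror the rule (cs-host, c-uri-extension).
from urllib.parse import urlparse

SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm",
    "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}
SUSPICIOUS_TLDS = (
    ".country", ".stream", ".gdn", ".mom", ".xin", ".kim", ".men", ".loan",
    ".download", ".racing", ".online", ".science", ".ren", ".gb", ".win",
    ".top", ".review", ".vip", ".party", ".tech", ".xyz", ".date", ".faith",
    ".zip", ".cricket", ".space", ".info", ".vn", ".cm", ".am", ".cc", ".asia",
    ".ws", ".tk", ".biz", ".su", ".st", ".ro", ".ge", ".ms", ".pk", ".nu",
    ".me", ".ph", ".to", ".tt", ".name", ".tv", ".kz", ".tc", ".mobi",
    ".study", ".click", ".link", ".trade", ".accountant", ".cf", ".gq", ".ml",
    ".ga", ".pw",
)

def proxy_fields(url: str) -> dict:
    """Assumed derivation of the two rule fields from a requested URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()     # Sigma matching is case-insensitive
    last = parsed.path.rsplit("/", 1)[-1]      # final path segment
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    return {"cs-host": host, "c-uri-extension": ext}

def matches_rule(fields: dict) -> bool:
    """Sigma 'selection': every key in the map must match (logical AND)."""
    # endswith on the host: 'cdn.evil.xyz' matches, 'xyz.example.com' does not.
    return (fields["c-uri-extension"] in SUSPICIOUS_EXTENSIONS
            and fields["cs-host"].endswith(SUSPICIOUS_TLDS))

def scan(urls):
    """Return the URLs that would raise this (low-level) alert."""
    return [u for u in urls if matches_rule(proxy_fields(u))]

# Constructed sample requests; these are not real indicators.
SAMPLE_URLS = [
    "http://update.example.top/setup.exe",     # alert: .top host, exe file
    "https://files.example.com/report.docm",   # no alert: .com not listed
    "http://mirror.example.xyz/index.html",    # no alert: html not listed
    "http://portal.example.zip/invoice.zip",   # alert: .zip is both TLD and extension
    "https://xyz.example.com/tool.ps1",        # no alert: 'xyz' is a label, not the TLD
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print("ALERT", hit)
```

Because `.zip` appears in both lists, a download of `invoice.zip` from any `.zip` host trips the rule on both conditions at once, which is worth remembering when triaging the false positives the rule itself anticipates.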