Download from Suspicious TLD

Detects download of certain file types from hosts in suspicious TLDs

Rule Content

- title: Download from Suspicious TLD
  id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
  status: experimental
  description: Detects download of certain file types from hosts in suspicious TLDs
  references:
  - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
  - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
  - https://www.spamhaus.org/statistics/tlds/
  - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
  author: Florian Roth
  date: 2018/06/13
  logsource:
    category: proxy
  detection:
    selection:
      c-uri-extension:
      - exe
      - vbs
      - bat
      - rar
      - ps1
      - doc
      - docm
      - xls
      - xlsm
      - pptm
      - rtf
      - hta
      - dll
      - ws
      - wsf
      - sct
      - zip
      r-dns:
      - '*.country'
      - '*.stream'
      - '*.gdn'
      - '*.mom'
      - '*.xin'
      - '*.kim'
      - '*.men'
      - '*.loan'
      - '*.download'
      - '*.racing'
      - '*.online'
      - '*.science'
      - '*.ren'
      - '*.gb'
      - '*.win'
      - '*.top'
      - '*.review'
      - '*.vip'
      - '*.party'
      - '*.tech'
      - '*.xyz'
      - '*.date'
      - '*.faith'
      - '*.zip'
      - '*.cricket'
      - '*.space'
      - '*.info'
      - '*.vn'
      - '*.cm'
      - '*.am'
      - '*.cc'
      - '*.asia'
      - '*.ws'
      - '*.tk'
      - '*.biz'
      - '*.su'
      - '*.st'
      - '*.ro'
      - '*.ge'
      - '*.ms'
      - '*.pk'
      - '*.nu'
      - '*.me'
      - '*.ph'
      - '*.to'
      - '*.tt'
      - '*.name'
      - '*.tv'
      - '*.kz'
      - '*.tc'
      - '*.mobi'
      - '*.study'
      - '*.click'
      - '*.link'
      - '*.trade'
      - '*.accountant'
      - '*.cf'
      - '*.gq'
      - '*.ml'
      - '*.ga'
      - '*.pw'
    condition: selection
  fields:
  - ClientIP
  - c-uri
  falsepositives:
  - All kinds of software downloads
  level: low
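
The selection above is a single AND: the request's file extension must be in the first list and the requested host must end in one of the listed TLDs (Sigma's '*.tld' is a suffix match on r-dns). The following is an added example, not part of the Sigma rule or the HELK notebook, that implements the same two-condition match in plain Python over a handful of constructed proxy records so the logic can be checked offline. It assumes the Sigma proxy field names (r-dns, c-uri, c-uri-extension, ClientIP) and derives the extension from c-uri when a proxy does not emit c-uri-extension itself; the record contents are invented for illustration.

```python
# Added example: the rule's two-condition match applied to constructed proxy records.
# Not code from the Sigma project or the HELK notebook.
from urllib.parse import urlsplit

# Extension list copied from the rule's c-uri-extension selection
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm", "pptm",
    "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}

# TLD list copied from the rule's r-dns selection ('*.country' -> 'country', ...)
SUSPICIOUS_TLDS = set("""
country stream gdn mom xin kim men loan download racing online science ren gb
win top review vip party tech xyz date faith zip cricket space info vn cm am cc
asia ws tk biz su st ro ge ms pk nu me ph to tt name tv kz tc mobi study click
link trade accountant cf gq ml ga pw
""".split())


def uri_extension(uri):
    """Lowercase extension of the URI path, as a proxy's c-uri-extension field
    would carry it; '' when the last path segment has no extension."""
    path = urlsplit(uri).path          # drops ?query and #fragment
    last = path.rsplit("/", 1)[-1]     # last path segment only
    if "." not in last:
        return ""
    return last.rsplit(".", 1)[-1].lower()


def has_suspicious_tld(host):
    """Sigma '*.tld' on r-dns is a suffix match with a dot boundary: 'files.xyz'
    matches '*.xyz', 'xyz.example.org' and a bare 'xyz' do not."""
    host = host.lower().rstrip(".")    # case-insensitive, ignore a trailing root dot
    if "." not in host:
        return False
    return host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS


def matches_rule(record):
    """The rule's selection: both keys must match (AND between selection keys)."""
    # Use the proxy's own c-uri-extension field when present, else derive it from c-uri
    ext = (record.get("c-uri-extension") or uri_extension(record.get("c-uri", ""))).lower()
    return ext in SUSPICIOUS_EXTENSIONS and has_suspicious_tld(record.get("r-dns", ""))


def evaluate(records):
    """Return the matching records projected to the rule's 'fields' (ClientIP, c-uri)."""
    return [{"ClientIP": r["ClientIP"], "c-uri": r["c-uri"]}
            for r in records if matches_rule(r)]


# Constructed proxy records (not real log data); hostnames and IPs are invented
SAMPLE_RECORDS = [
    {"ClientIP": "10.0.0.5", "r-dns": "cdn.update-files.top",
     "c-uri": "http://cdn.update-files.top/dl/invoice.exe?x=1"},      # exe + .top  -> hit
    {"ClientIP": "10.0.0.6", "r-dns": "downloads.example.com",
     "c-uri": "http://downloads.example.com/setup.exe"},               # .com        -> no
    {"ClientIP": "10.0.0.7", "r-dns": "news.something.xyz",
     "c-uri": "http://news.something.xyz/index.html"},                 # html        -> no
    {"ClientIP": "10.0.0.8", "r-dns": "xyz.example.org",
     "c-uri": "http://xyz.example.org/tools.zip"},                     # .org        -> no
    {"ClientIP": "10.0.0.9", "r-dns": "share.files.zip",
     "c-uri": "https://share.files.zip/report.docm"},                  # docm + .zip -> hit
    {"ClientIP": "10.0.0.10", "r-dns": "FILES.EXAMPLE.TK",
     "c-uri": "http://FILES.EXAMPLE.TK/A.EXE#frag"},                   # case-folded -> hit
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RECORDS):
        print(hit["ClientIP"], hit["c-uri"])
```

Two things the offline version makes visible that the Elasticsearch query hides: the extension check only looks at the last path segment, so a download served from a path such as /get/file.exe/ or with the extension hidden behind a query parameter is not caught, and the TLD list contains large, legitimate zones (.info, .me, .tv, .online, .tech, .xyz), which is why the rule is level low and lists "all kinds of software downloads" as false positives.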

Querying Elasticsearch

Import Libraries


from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search   # query builder used to wrap the translated Sigma rule
import pandas as pd                    # results are collected into a DataFrame for review

Initialize Elasticsearch client


# HELK's Elasticsearch node, reachable under this hostname from the HELK Jupyter container
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# Proxy events land in the logs-* indices; doc_type='doc' matches HELK's index mapping
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


# The Sigma rule translated to a query_string: extension list AND wildcard match on the
# keyword copy of r-dns (leading-wildcard terms are slow on large indices; expect this to
# take a while over a long retention window)
s = searchContext.query('query_string', query='(c-uri-extension:("exe" OR "vbs" OR "bat" OR "rar" OR "ps1" OR "doc" OR "docm" OR "xls" OR "xlsm" OR "pptm" OR "rtf" OR "hta" OR "dll" OR "ws" OR "wsf" OR "sct" OR "zip") AND r-dns.keyword:(*.country OR *.stream OR *.gdn OR *.mom OR *.xin OR *.kim OR *.men OR *.loan OR *.download OR *.racing OR *.online OR *.science OR *.ren OR *.gb OR *.win OR *.top OR *.review OR *.vip OR *.party OR *.tech OR *.xyz OR *.date OR *.faith OR *.zip OR *.cricket OR *.space OR *.info OR *.vn OR *.cm OR *.am OR *.cc OR *.asia OR *.ws OR *.tk OR *.biz OR *.su OR *.st OR *.ro OR *.ge OR *.ms OR *.pk OR *.nu OR *.me OR *.ph OR *.to OR *.tt OR *.name OR *.tv OR *.kz OR *.tc OR *.mobi OR *.study OR *.click OR *.link OR *.trade OR *.accountant OR *.cf OR *.gq OR *.ml OR *.ga OR *.pw))')
response = s.execute()
if response.success():
    # scan() pages through every hit rather than stopping at the default 10 results
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # keep df defined so the next cell still runs when the query fails
    df = pd.DataFrame()

Show Results


df.head()