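# Sigma rule for proxy logs: flag downloads of executable or macro-capable
# file types unless the destination host resolves under a well-established
# TLD. The original rendering had lost all indentation, so the document did
# not parse; structure is restored here with the values unchanged.
- title: Download EXE from Suspicious TLD
  id: b5de2919-b74a-4805-91a7-5049accbaefe
  status: experimental
  description: Detects executable downloads from suspicious remote systems
  author: Florian Roth
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    # Requests whose URI extension is a directly runnable type, a macro-capable
    # Office/RTF document, or an archive that commonly wraps one of those.
    selection:
      c-uri-extension:
        - exe
        - vbs
        - bat
        - rar
        - ps1
        - doc
        - docm
        - xls
        - xlsm
        - pptm
        - rtf
        - hta
        - dll
        - ws
        - wsf
        - sct
        - zip
    # TLD allowlist: 'selection and not filter' suppresses any download whose
    # reverse-DNS name ends in one of these. Each entry is quoted because a
    # bare leading '*' would be read by YAML as an alias, not a glob.
    filter:
      r-dns:
        - '*.com'
        - '*.org'
        - '*.net'
        - '*.edu'
        - '*.gov'
        - '*.uk'
        - '*.ca'
        - '*.de'
        - '*.jp'
        - '*.fr'
        - '*.au'
        - '*.us'
        - '*.ch'
        - '*.it'
        - '*.nl'
        - '*.se'
        - '*.no'
        - '*.es'
    # NOTE(review): an event with no r-dns value (e.g. an IP-literal destination)
    # never matches the filter and therefore fires — confirm that is the intent
    # and that the proxy populates r-dns consistently.
    condition: selection and not filter
  fields:
    - ClientIP
    - c-uri
  falsepositives:
    - All kind of software downloads
  level: low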
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
# Client for the HELK Elasticsearch node. Plaintext HTTP with no credentials,
# so this presumably relies on the HELK Docker network not being reachable
# from outside — verify before reusing the notebook elsewhere.
es = Elasticsearch(['http://helk-elasticsearch:9200'])
# Base search over every HELK log index; doc_type is a pre-ES7 mapping-type
# argument — confirm the cluster version still accepts it.
searchContext = Search(using=es, index='logs-*', doc_type='doc')
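# Sigma rule translated to a Lucene query_string: executable/macro-capable
# extensions, minus hosts under the allowlisted TLDs. The r-dns.keyword terms
# are leading-wildcard patterns, which can be expensive on large indices.
s = searchContext.query('query_string', query='(c-uri-extension:("exe" OR "vbs" OR "bat" OR "rar" OR "ps1" OR "doc" OR "docm" OR "xls" OR "xlsm" OR "pptm" OR "rtf" OR "hta" OR "dll" OR "ws" OR "wsf" OR "sct" OR "zip") AND (NOT (r-dns.keyword:(*.com OR *.org OR *.net OR *.edu OR *.gov OR *.uk OR *.ca OR *.de OR *.jp OR *.fr OR *.au OR *.us OR *.ch OR *.it OR *.nl OR *.se OR *.no OR *.es))))')
# One request to learn whether the query ran cleanly (no timeout, all shards).
response = s.execute()
if response.success():
    # scan() streams every hit through the scroll API; execute() presumably
    # returned only the first page, so the frame is built from scan() instead.
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # Keep df bound so the following cells fail on an empty frame with a
    # visible reason instead of a NameError.
    df = pd.DataFrame()
    print('Query did not succeed (timed out or shard failures); df is empty')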
# Peek at the first rows of the matched proxy events (default page of 5).
df.head(n=5)