Sigma rules for CVE-2020-25574

11 rules, scoped to CVE-2020-25574.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules
Direct match · level: high
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
status: test · author: Security Onion Solutions · id: af6c3078-84cd-4c68-8842-08b76bd81b13 · license: Sigma DRL-1.1
Sigma YAML:
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3000
    condition: selection
falsepositives:
    - Unlikely
level: high
Direct match · level: high
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST.
status: test · author: Security Onion Solutions · id: af1ac430-df6b-4b38-b976-0b52f07a0252 · license: Sigma DRL-1.1
Sigma YAML:
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: test
description: |
    Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 3001
    condition: selection
falsepositives:
    - Unlikely
level: high
Direct match · level: high
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443.
status: test · author: Florian Roth (Nextron Systems) · id: b1e5da3b-ca8e-4adf-915c-9921f3d85481 · license: Sigma DRL-1.1
Sigma YAML:
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Unknown
level: high
Direct match · level: high
Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
status: test · author: Florian Roth (Nextron Systems) · id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8 · license: Sigma DRL-1.1
Sigma YAML:
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: test
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-24
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_ip:
        CommandLine|contains:
            - ' /i:http://1'
            - ' /i:http://2'
            - ' /i:http://3'
            - ' /i:http://4'
            - ' /i:http://5'
            - ' /i:http://6'
            - ' /i:http://7'
            - ' /i:http://8'
            - ' /i:http://9'
            - ' /i:https://1'
            - ' /i:https://2'
            - ' /i:https://3'
            - ' /i:https://4'
            - ' /i:https://5'
            - ' /i:https://6'
            - ' /i:https://7'
            - ' /i:https://8'
            - ' /i:https://9'
            - ' -i:http://1'
            - ' -i:http://2'
            - ' -i:http://3'
            - ' -i:http://4'
            - ' -i:http://5'
            - ' -i:http://6'
            - ' -i:http://7'
            - ' -i:http://8'
            - ' -i:http://9'
            - ' -i:https://1'
            - ' -i:https://2'
            - ' -i:https://3'
            - ' -i:https://4'
            - ' -i:https://5'
            - ' -i:https://6'
            - ' -i:https://7'
            - ' -i:https://8'
            - ' -i:https://9'
    condition: all of selection_*
falsepositives:
    - FQDNs that start with a number such as "7-Zip"
level: high
Direct match · level: high
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union).
status: test · author: frack113 · id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e · license: Sigma DRL-1.1
Sigma YAML:
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:httplogging'
            - 'dontLog:true'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Direct match · level: high
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 10344bb3-7f65-46c2-b915-2d00d47be5b0 · license: Sigma DRL-1.1
Sigma YAML:
title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
related:
    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
            - 'http'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high
Direct match · level: high
HTTP Logging Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
status: test · author: frack113 · id: e8ebd53a-30c2-45bd-81bb-74befba07bdb · license: Sigma DRL-1.1
Sigma YAML:
title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high
Direct match · level: high
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
status: test · author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) · id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724 · license: Sigma DRL-1.1
Sigma YAML:
title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
related:
    - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
date: 2023-09-05
tags:
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
        TargetObject|endswith:
            - '\http'
            - '\https'
        Details|contains: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
Direct match · level: medium
HTTP Request to Low Reputation TLD or Suspicious File Extension
Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
status: experimental · author: @signalblur, Corelight · id: 68c2c604-92ad-468b-bf4a-aac49adad08c · license: Sigma DRL-1.1
Sigma YAML:
title: HTTP Request to Low Reputation TLD or Suspicious File Extension
id: 68c2c604-92ad-468b-bf4a-aac49adad08c
status: experimental
description: |
    Detects HTTP requests to low reputation TLDs (e.g. .xyz, .top, .ru) or ending in suspicious file extensions (.exe, .dll, .hta), which may indicate malicious activity.
references:
    - https://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows
    - https://www.spamhaus.org/reputation-statistics/cctlds/domains/
author: '@signalblur, Corelight'
date: 2025-02-26
tags:
    - attack.initial-access
    - attack.command-and-control
logsource:
    product: zeek
    service: http
detection:
    # Suspicious TLD in the 'host' field OR malicious file extension in the 'uri' field.
    selection_suspicious_tld:
        host|endswith:
            - '.bid'
            - '.by'
            - '.cf'
            - '.click'
            - '.cm'
            - '.ga'
            - '.gq'
            - '.ir'
            - '.kp'
            - '.loan'
            - '.ml'
            - '.mm'
            - '.party'
            - '.pw'
            - '.ru'
            - '.su'
            - '.sy'
            - '.tk'
            - '.top'
            - '.tv'
            - '.ve'
            - '.work'
            - '.xyz'
    selection_malicious_ext:
        uri|endswith:
            - '.bat'
            - '.bin'
            - '.cmd'
            - '.cpl'
            - '.dll'
            - '.dylib'
            - '.elf'
            - '.exe'
            - '.hta'
            - '.iso'
            - '.jar'
            - '.js'
            - '.lnk'
            - '.msi'
            - '.pif'
            - '.ps1'
            - '.py'
            - '.reg'
            - '.scr'
            - '.sh'
            - '.so'
            - '.vbs'
            - '.wsf'
    selection_malicious_mime:
        resp_mime_types:
            - 'application/vnd.microsoft.portable-executable'
            - 'application/x-bat'
            - 'application/x-dosexec'
            - 'application/x-elf'
            - 'application/x-iso9660-image'
            - 'application/x-java-archive'
            - 'application/x-ms-shortcut'
            - 'application/x-msdos-program'
            - 'application/x-msdownload'
            - 'application/x-python-code'
            - 'application/x-sh'
    condition: selection_suspicious_tld and 1 of selection_malicious_*
falsepositives:
    - Rare legitimate software downloads from low quality TLDs
level: medium
Direct match · level: medium
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
status: test · author: Florian Roth (Nextron Systems) · id: 867356ee-9352-41c9-a8f2-1be690d78216 · license: Sigma DRL-1.1
Sigma YAML:
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Direct match · level: medium
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent string in proxy logs. Could potentially indicate an uncommon request method.
status: test · author: Florian Roth (Nextron Systems) · id: 21e44d78-95e7-421b-a464-ffd8395659c4 · license: Sigma DRL-1.1
Sigma YAML:
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent string in proxy logs.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin