Working with URLs
A common malware behavior is downloading additional components or configuration data from publicly available data-sharing services such as pastebin.com. We want to monitor every access to pastebin.com, but we need to filter out legitimate cases, such as a user deliberately browsing the site; one way to do that is to use the popularity property of the process making the request.
Rule
<?xml version='1.0' encoding='UTF-8'?>
<rule>
  <description>
    <name>Unpopular Process Makes HTTP Request to a PasteBin-like Site [E0505]</name>
    <category>Communication</category>
    <os>Windows</os>
    <severity>80</severity>
    <mitreattackid>T1102.001</mitreattackid>
    <explanation>Public Web services, including ones like pastebin.com (and similar), are typically accessed via web browser applications. The aim of this rule is to try to catch instances where pastebin-like sites are accessed by unpopular processes that would likely be considered suspicious, in the hope that it may highlight instances worth investigating amongst other pastebin-like activity. This rule may generate a number of initial false positives before being tuned.</explanation>
    <benignCauses>Legitimate, unpopular executable is used to contact one of these domains; this still warrants investigation to verify.</benignCauses>
    <maliciousCauses>Process making an HTTP request to a PasteBin-like URL that contains: - C&amp;C infrastructure information (domains, IPs, commands/instructions, etc.), - further malicious payload stages. The process could also be exfiltrating data to this site.</maliciousCauses>
    <recommendedActions>1. Evaluate the process tree lineage, its command line and surrounding events. 2. Evaluate the local host, check events for the creation, modification, and execution of suspicious files. 3. Evaluate the other detections from this host to identify related activity. 4. If malicious activity is detected, start your incident response procedures (for example, isolate the computer from the internet, update your antivirus signatures and scan the computer for malware, send samples for analysis, block module, etc.).</recommendedActions>
  </description>
  <definition>
    <process>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
        <operator type="NOT">
          <operator type="OR">
            <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
            <condition component="Enterprise" property="Safe" condition="is" value="1"/>
          </operator>
        </operator>
      </operator>
    </process>
    <operations>
      <operation type="HttpRequest">
        <operator type="OR">
          <condition component="Network" property="Url" condition="contains" value="pastebin.com"/>
          <condition component="Network" property="Url" condition="contains" value="0bin.net"/>
          <condition component="Network" property="Url" condition="contains" value="pastie.org"/>
          <condition component="Network" property="Url" condition="contains" value="pastebin.pl"/>
          <condition component="Network" property="Url" condition="contains" value="hastebin.com"/>
        </operator>
      </operation>
    </operations>
  </definition>
  <maliciousTarget name="current"/>
  <actions>
    <action name="TriggerDetection"/>
    <action name="StoreEvent"/>
    <action name="SubmitParentToLiveGuard"/>
  </actions>
</rule>
Things to notice in the rule example above:
1. As pastebin.com may resolve to different IP addresses over time, the rule matches the URL string pastebin.com directly rather than an IP address.
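To make the AND / NOT / OR nesting of the rule concrete, the following is an added example (not ESET code and not part of the original page) that parses the rule's definition block with Python's standard xml.etree and evaluates it against a few constructed events. The event dictionaries, their "Component.Property" keys, the popularity numbers and the URLs are all assumptions made for the illustration, not the product's real telemetry format; the rule XML itself is the definition shown above.

```python
import xml.etree.ElementTree as ET

# The <definition> block of the rule above (description omitted for brevity).
RULE_XML = """<rule>
  <definition>
    <process>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000"/>
        <operator type="NOT">
          <operator type="OR">
            <condition component="Module" property="SignatureType" condition="is" value="Trusted"/>
            <condition component="Enterprise" property="Safe" condition="is" value="1"/>
          </operator>
        </operator>
      </operator>
    </process>
    <operations>
      <operation type="HttpRequest">
        <operator type="OR">
          <condition component="Network" property="Url" condition="contains" value="pastebin.com"/>
          <condition component="Network" property="Url" condition="contains" value="0bin.net"/>
          <condition component="Network" property="Url" condition="contains" value="pastie.org"/>
          <condition component="Network" property="Url" condition="contains" value="pastebin.pl"/>
          <condition component="Network" property="Url" condition="contains" value="hastebin.com"/>
        </operator>
      </operation>
    </operations>
  </definition>
</rule>"""


def eval_condition(cond, event):
    """Evaluate one <condition/> against an event dict keyed 'Component.Property' (assumed layout)."""
    key = f"{cond.get('component')}.{cond.get('property')}"
    if key not in event:  # assumption: an attribute the event lacks never satisfies a condition
        return False
    actual, expected, op = event[key], cond.get("value"), cond.get("condition")
    if op == "is":
        return str(actual) == expected
    if op == "less":
        return int(actual) < int(expected)
    if op == "contains":  # plain substring match, anywhere in the URL string
        return expected in str(actual)
    raise ValueError(f"unsupported condition type: {op}")


def eval_node(node, event):
    """Recursively evaluate an <operator> tree (AND / OR / NOT) or a leaf <condition/>."""
    if node.tag == "condition":
        return eval_condition(node, event)
    if node.tag == "operator":
        kind = node.get("type")
        results = [eval_node(child, event) for child in node]
        if kind == "AND":
            return all(results)
        if kind == "OR":
            return any(results)
        if kind == "NOT":  # NOT wraps a single child operator
            return not any(results)
    raise ValueError(f"unexpected element: {node.tag}")


def rule_matches(rule_xml, process_event, http_event):
    """True only when the process attributes AND the HttpRequest operation both satisfy the rule."""
    definition = ET.fromstring(rule_xml).find("definition")
    process_ok = all(eval_node(n, process_event) for n in definition.find("process"))
    operation = definition.find("operations/operation[@type='HttpRequest']")
    request_ok = all(eval_node(n, http_event) for n in operation)
    return process_ok and request_ok


def run_scenarios():
    """Constructed events (not real telemetry) exercising each branch of the rule."""
    unpopular_unsigned = {"LiveGrid.Popularity": 12, "Module.SignatureType": "None", "Enterprise.Safe": 0}
    browser = {"LiveGrid.Popularity": 250000, "Module.SignatureType": "Trusted", "Enterprise.Safe": 0}
    unpopular_trusted = {"LiveGrid.Popularity": 12, "Module.SignatureType": "Trusted", "Enterprise.Safe": 0}
    unpopular_marked_safe = {"LiveGrid.Popularity": 12, "Module.SignatureType": "None", "Enterprise.Safe": 1}
    paste_url = {"Network.Url": "https://pastebin.com/raw/CONSTRUCTED_ID"}
    other_url = {"Network.Url": "https://example.com/updates/check"}
    return {
        "unpopular_unsigned_to_pastebin": rule_matches(RULE_XML, unpopular_unsigned, paste_url),
        "popular_browser_to_pastebin": rule_matches(RULE_XML, browser, paste_url),
        "unpopular_but_trusted_signature": rule_matches(RULE_XML, unpopular_trusted, paste_url),
        "unpopular_but_marked_safe": rule_matches(RULE_XML, unpopular_marked_safe, paste_url),
        "unpopular_unsigned_to_other_site": rule_matches(RULE_XML, unpopular_unsigned, other_url),
    }


if __name__ == "__main__":
    for name, hit in run_scenarios().items():
        print(f"{name}: {'DETECT' if hit else 'no match'}")
```

Only the first scenario fires: the process part of the definition requires low popularity and neither a trusted signature nor an enterprise "Safe" mark, and the HttpRequest part requires one of the listed domains to appear in the URL. Two tuning points follow directly from the evaluator: the `contains` match is a substring test, so any URL that merely embeds `pastebin.com` (for example in a query parameter) also matches, and the popularity threshold of 1000 decides how quickly a newly deployed internal tool stops triggering the rule.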