ESET Online Help


Working with URLs

A common behavior among malware is downloading additional malware components or configuration data from publicly available data-sharing services such as pastebin.com. We want to monitor each access to pastebin.com, but we need to filter out legitimate cases, such as a user browsing the site on purpose, and for that we can use the popularity property of the process.

Rule

<?xml version="1.0" encoding="utf-8"?>
<rule>
  <body>
    <name>Unpopular process made http query to pastebin.com [D520]</name>
    <severity>Information</severity>
    <process>
      <condition component="LiveGrid" property="Popularity" condition="less" value="400" />
    </process>
    <operations>
      <operation type="HttpRequest">
        <condition component="Network" property="Url" condition="contains" value="pastebin.com" />
      </operation>
    </operations>
  </body>
</rule>

Things to notice in the rule example above:

1. As pastebin.com may have different IP addresses associated with it, we match the URL pastebin.com directly rather than an address.
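To see how the process-level and operation-level conditions of this rule combine, here is an added example (not ESET's code) that parses the rule above and evaluates it against constructed events. It assumes the evaluation semantics of the rule format: all <process> conditions must hold, and at least one operation of the stated type must satisfy all of that <operation>'s conditions; the sample popularity values and URLs are constructed.

```python
import xml.etree.ElementTree as ET
# The rule from the page, embedded verbatim so the example runs offline.
RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<rule>
<body>
 <name>Unpopular process made http query to pastebin.com [D520]</name>
 <severity>Information</severity>
 <process>
  <condition component="LiveGrid" property="Popularity" condition="less" value="400" />
 </process>
 <operations>
  <operation type="HttpRequest">
   <condition component="Network" property="Url" condition="contains" value="pastebin.com" />
  </operation>
 </operations>
</body>
</rule>"""

# Operators named by the condition="..." attribute; only the two used on this
# page are implemented, and "less" compares the values as integers.
OPERATORS = {
    "less": lambda actual, expected: int(actual) < int(expected),
    "contains": lambda actual, expected: expected in actual,
}

def condition_holds(cond, attributes):
    # attributes is a dict keyed by (component, property) -> value string.
    key = (cond.get("component"), cond.get("property"))
    if key not in attributes:
        return False
    return OPERATORS[cond.get("condition")](attributes[key], cond.get("value"))

def rule_matches(rule_xml, process_attrs, operations):
    """Assumed semantics: every <process> condition must hold, and some
    operation of the matching type must satisfy all of its <condition>s."""
    body = ET.fromstring(rule_xml.encode("utf-8")).find("body")
    if not all(condition_holds(c, process_attrs) for c in body.find("process")):
        return False
    for op in body.find("operations"):
        for op_type, op_attrs in operations:
            if op_type == op.get("type") and all(condition_holds(c, op_attrs) for c in op):
                return True
    return False

# Constructed sample events (not real telemetry): a rarely seen binary and a
# widely used browser, each issuing an HTTP request.
RARE_PROCESS = {("LiveGrid", "Popularity"): "12"}
BROWSER = {("LiveGrid", "Popularity"): "98000"}
PASTEBIN_GET = ("HttpRequest", {("Network", "Url"): "https://pastebin.com/raw/EXAMPLE"})
OTHER_GET = ("HttpRequest", {("Network", "Url"): "https://www.example.com/"})
```

Only the rare process fetching from pastebin.com triggers the rule; the popular browser doing the same is filtered out by the popularity condition, which is the false-positive reduction the text describes.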