Rules: High risk file extension download without hostname and referrer
Although executable and dynamic-link libraries (.exe, .dll) are regularly downloaded from the Internet, benign ones are normally downloaded with the hostname and referrer fields populated. Thus, downloads from an IP address without referrer carry an elevated risk.
| Detail | Value |
|---|---|
| Type | Match |
| Category | Persistence |
| Apply Risk to Entities | srcDevice_ip, user_username, device_hostname |
| Signal Name | High risk file extension download without hostname and referrer |
| Summary Expression | High risk file from URL: {{http_url}} with no hostname or referer present |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0002, _mitreAttackTactic:TA0001, _mitreAttackTechnique:T1204, _mitreAttackTechnique:T1190, _mitreAttackTechnique:T1566, _mitreAttackTechnique:T1566.002, _mitreAttackTechnique:T1204.003, _mitreAttackTechnique:T1204.002, _mitreAttackTechnique:T1204.001 |
- Bro - Bro
- CheckPoint - SmartDefense
- CheckPoint - URL Filtering
- Cisco Systems - ASA
- Cisco Systems - Firepower
- Cisco Systems - Meraki
- Cloudflare - Logpush
- Forcepoint - Web Security
- Fortinet - Fortigate
- Google - Google Cloud Platform
- Juniper - SRX Series Firewall
- Netskope - Security Cloud
- Palo Alto Networks - Next Generation Firewall
- Zscaler - Nanolog Streaming Service
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | dstDevice_ip_isInternal |
| Normalized Schema | http_hostname |
| Normalized Schema | http_referer |
| Normalized Schema | http_url_fqdn |
| Normalized Schema | http_url_path |
| Normalized Schema | http_url_rootDomain |
| Normalized Schema | listMatches |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |