069. Hunting for Suspicious URL Files

Hello everyone! Let's talk about another interesting file type leveraged by adversaries for gaining initial access. I'm talking about .url files.

For example, look at Blind Eagle. The adversary uses such files in a series of ongoing campaigns targeting Colombian institutions and government entities. If we look at the file names, we can notice that many of them have double or even triple extensions (DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url). Detecting such files is quite easy, for example:

event_type: "filecreate"

AND

file_name: ("pdf" AND "url")

At the same time, some files have a single extension (Documento Judicial Nº 00223 - Sentencia 003948 Vigente 28 de enero.url). Thankfully, such files are not very common, so you can still search for their creation events during your hunting missions!
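The hunt above, written out as an added example that is not part of the original post: it walks constructed file-creation events (modelled on the file names quoted here, with the event_type and file_name field names assumed from the query) and flags .url files that carry a document extension in front of .url as high priority, while plain single-extension .url creations are surfaced for manual review.

```python
import re

# Constructed sample of file-creation telemetry (not real events), modelled
# on the file names quoted in the post.
SAMPLE_EVENTS = [
    {"event_type": "filecreate", "file_name": "DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url"},
    {"event_type": "filecreate", "file_name": "Documento Judicial Nº 00223 - Sentencia 003948 Vigente 28 de enero.url"},
    {"event_type": "filecreate", "file_name": "quarterly_report.pdf"},
    {"event_type": "processcreate", "file_name": "evil.pdf.url"},
    {"event_type": "filecreate", "file_name": "Shortcut to intranet.url"},
]

# Extensions an attacker would plausibly use as a lure in front of .url
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "rar", "txt"}


def extension_chain(file_name):
    """Return the lower-cased extensions of a file name, left to right,
    ignoring Windows duplicate markers such as ' (1)'."""
    name = re.sub(r"\s*\(\d+\)", "", file_name)
    return [p.strip().lower() for p in name.split(".")[1:]]


def classify(event):
    """Classify one event. Returns None when it is not a .url file creation,
    'high' for a .url masquerading as a document (e.g. .pdf.zip.url) and
    'review' for a plain .url creation, which is rare enough to triage by hand."""
    if event.get("event_type") != "filecreate":
        return None
    chain = extension_chain(event["file_name"])
    if not chain or chain[-1] != "url":
        return None
    if any(ext in DOCUMENT_EXTS for ext in chain[:-1]):
        return "high"
    return "review"


def hunt(events):
    """Return (file_name, label) for every .url creation worth a look,
    highest severity first (stable sort keeps the original order otherwise)."""
    hits = [(ev["file_name"], classify(ev)) for ev in events if classify(ev)]
    hits.sort(key=lambda hit: hit[1] != "high")
    return hits


if __name__ == "__main__":
    for name, label in hunt(SAMPLE_EVENTS):
        print(f"[{label}] {name}")
```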

See you tomorrow!
