069. Hunting for Suspicious URL Files
Hello everyone! Let's talk about another interesting file type leveraged by adversaries for gaining initial access. I'm talking about .url files.
For example, look at Blind Eagle. The adversary uses such files in a series of ongoing campaigns targeting Colombian institutions and government entities. If we look at the file names, we can notice that many of them have a double or even triple extension (DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url). Detecting such files is quite easy, for example:
event_type: "filecreate"
AND
file_name: ("pdf" AND "url")
At the same time, some files have a single extension (Documento Judicial Nº 00223 - Sentencia 003948 Vigente 28 de enero.url). Thankfully, such files are not very common, and you can still search for their creation events during your hunting missions!
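To show both hunting cases from this post in code, here is an added example (not from the original post or any vendor tool) that runs over a handful of constructed file-creation events: it flags .url files that stack a document-style extension in front of .url as the high-confidence case, and reports any other newly created .url file as a lower-confidence candidate for triage. The event field names, the DOC_EXTS list and the sample file names are assumptions.

```python
import re

# Constructed sample file-creation events (not taken from the original post);
# the first two names are the kind of lure names the post describes.
SAMPLE_EVENTS = [
    {"event_type": "filecreate",
     "file_name": "DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url"},
    {"event_type": "filecreate",
     "file_name": "Documento Judicial Nº 00223 - Sentencia 003948 Vigente 28 de enero.url"},
    {"event_type": "filecreate", "file_name": "quarterly_report.pdf"},
    {"event_type": "filemodify", "file_name": "invoice.pdf.url"},
    {"event_type": "filecreate", "file_name": "Desktop/Google Chrome.url"},
]

# Document/archive extensions an attacker may stack in front of .url so the file
# looks like a document (assumed list; extend it for your environment).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip", "rar", "txt"}

# Browsers append " (1)"-style suffixes to repeated downloads; strip them first.
COPY_SUFFIX = re.compile(r"\s*\(\d+\)$")


def classify(event):
    """Return 'double_ext', 'single_ext' or None for one file event."""
    if event.get("event_type") != "filecreate":
        return None
    base = event.get("file_name", "").rsplit("/", 1)[-1]   # drop any path
    if not base.lower().endswith(".url"):
        return None
    stem = COPY_SUFFIX.sub("", base[:-4])                  # drop '.url' and ' (1)'
    parts = stem.lower().split(".")
    # A stacked document extension before .url is the high-confidence hit.
    if len(parts) > 1 and any(p in DOC_EXTS for p in parts[1:]):
        return "double_ext"
    # Plain .url creation is rarer and noisier (shortcuts are legitimate too),
    # so it is reported separately for analyst triage.
    return "single_ext"


def hunt(events):
    """Group file names by finding type, mirroring the post's two cases."""
    hits = {"double_ext": [], "single_ext": []}
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits[verdict].append(ev["file_name"])
    return hits


if __name__ == "__main__":
    for kind, names in hunt(SAMPLE_EVENTS).items():
        print(kind, names)
```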
See you tomorrow!