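# Sigma rule for proxy logs: a hit requires both the encoded-path markers
# (b64encoding) and the image/AVI URI pattern (urlpatterns) in one request.
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
  - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019/12/19
modified: 2021/08/09
logsource:
  category: proxy
detection:
  # A plain list under a field is OR'ed: either substring satisfies this
  # selection. The selection name suggests these are '_'-substituted forms
  # of the URL-encoded base64 characters %2F / %2B — presumably; confirm
  # against the referenced analysis.
  b64encoding:
    c-uri|contains:
      - '_2f'
      - '_2b'
  # '|all' makes this an AND: both substrings must appear in the same URI.
  urlpatterns:
    c-uri|contains|all:
      - '.avi'
      - '/images/'
  condition: b64encoding and urlpatterns
# Proxy-log fields to surface with a match (client IP, matched URI,
# server-to-client bytes, client user agent).
fields:
  - c-ip
  - c-uri
  - sc-bytes
  - c-ua
# NOTE(review): the matched substrings are short and the false-positive
# profile is unlisted, so review the full URI on a hit before escalating at
# this level.
falsepositives:
  - Unknown
level: critical
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1204.002
  - attack.command_and_control
  - attack.t1071.001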