title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: experimental
description: Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication
author: Nasreddine Bencherchali
date: 2022/06/06
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '=C:/Users'
            - '=C:/Program%20Files'
            - '=C:/Windows'
            - '=C%3A%5CUsers'
            - '=C%3A%5CProgram%20Files'
            - '=C%3A%5CWindows'
    condition: selection
falsepositives:
    - Legitimate application and websites that use windows paths in their URL
level: high
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1505.003