sigma | critical | Hunting

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

MITRE ATT&CK

command-and-control

Detection Query

selection:
  c-uri|contains: /pwndrop/
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2020-04-15

Data Sources

proxy

Tags

attack.command-and-control, attack.t1071.001, attack.t1102.001, attack.t1102.003

Raw Content

title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
    - https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
falsepositives:
    - Unknown
level: critical