[metadata]
creation_date = "2023/10/15"

[rule]
author = ["Terguttac"]
description = "Using Zeek http data we're looking at .bat file extensions on any destination port that is not port 80."
from = "now-6m" # This is the default value. Change as needed.
name = "Bat files observed in HTTP traffic on unusual port"
risk_score = 30
severity = "low"
rule_id = "00000000-0000-0000-000000000004"
type = "query"

query = '''
event.dataset: zeek.http and url.extension: bat and not destination.port:80
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "Link to Mitre Doc here - https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"