External URL

Detects suspicious external URLs and potentially malicious domains

11 rules in external_urls.yml

HIGH: 2 | MEDIUM: 9

Rule ID	Severity	Title	Description	Refs
`gitlab_snippet_execution`	HIGH	GitLab Snippet Piped to Shell	Downloads a GitLab snippet and pipes it to a shell interpreter for execution	CWE-78 T1059.004 A03:2021 V15.2.4 CM-5 CIS-16.1
`suspicious_download_url`	HIGH	Suspicious Download URL	URL points to a link-shortener domain (bit.ly, tinyurl, t.co, goo.gl, etc.). Shorteners hide the real destination and are routinely used to evade allowlists.	CWE-494 T1105 A08:2021 V15.2.4 CM-5 CIS-16.1
`additional_paste_services`	MEDIUM	Additional Paste/File Sharing Service URL	URL pointing to paste or anonymous file sharing services commonly abused for payload hosting and data exfiltration	CWE-494 T1071.001 A08:2021 V15.2.4 CM-5 CIS-16.1
`bitbucket_raw_content`	MEDIUM	Raw Bitbucket Content Download	Pulls a raw or downloads URL from bitbucket.org. As with raw GitHub URLs, there is no commit pinning and an upstream force-push or branch rename redirects the next pull silently.	CWE-494 T1105 A08:2021 V15.2.4 CM-5 CIS-16.1
`codeberg_gitea_raw`	MEDIUM	Raw Codeberg/Gitea Content Download	Downloading raw content from Codeberg or self-hosted Gitea instances	CWE-494 T1105 A08:2021 V15.2.4 CM-5 CIS-16.1
`encrypted_paste_service`	MEDIUM	Encrypted Paste Service URL	URL pointing to encrypted/zero-knowledge paste services where content cannot be inspected by network controls	CWE-494 T1027 A08:2021 V15.2.4 CM-5 CIS-16.1
`gitlab_raw_content`	MEDIUM	Raw GitLab Content Download	Downloading raw content from GitLab repositories or snippets which could be modified at any time	CWE-494 T1105 A08:2021 V15.2.4 CM-5 CIS-16.1
`ip_address_url`	MEDIUM	URL uses public IP literal instead of hostname	A URL targets an external IP literal rather than a DNS name. IP-literal targets bypass DNSSEC / CAA protections and are a known signature of malware C2, exfil, and internal pivoting. This rule EXCLUDES loopback (`127.0.0.0/8`), RFC-1918 private ranges (`10/8`, `172.16/12`, `192.168/16`), link-local (`169.254/16`), and CGNAT (`100.64/10`) because those never traverse the internet in plaintext - they’re either loopback, site-local, or provider-internal. A real `https://8.8.8.8:443/` target in a playbook is the genuine signal.	CWE-319 T1071.001 A02:2021 V12.2.1 SC-8 CIS-12.2
`pastebin_like_service`	MEDIUM	Pastebin-like Service URL	URL pointing to pastebin-like services which could host malicious content	CWE-494 T1071.001 A08:2021 V15.2.4 CM-5 CIS-16.1
`raw_github_content`	MEDIUM	Raw GitHub Content Download	Pulls a file from raw.githubusercontent.com. The URL bypasses GitHub’s release/commit pinning UI - the upstream branch can be force-pushed and the next pull silently delivers different content.	CWE-494 T1105 A08:2021 V15.2.4 CM-5 CIS-16.1
`temporary_file_sharing`	MEDIUM	Temporary File Sharing Service	URL points to a temporary file-sharing service (transfer.sh, file.io, wetransfer, sendspace, mediafire). These services have no integrity guarantee and are a common malware-staging path.	CWE-494 T1071.001 A08:2021 V15.2.4 CM-5 CIS-16.1