Threat Huntmediumtest

.Class Extension URI Ending Request

Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Andreas HunkelerCreated Tue Dec 21Updated Mon Feb 2653c15703-b04c-42bb-9055-1937ddfb3392web

Hunting Hypothesis

Log Source

Proxy Log

CategoryProxy Log← raw: proxy

Detection Logic

detection:
    selection:
        c-uri|endswith: '.class'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

web.archive.org

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Other

detection.threat-hunting

Rule Metadata

Rule ID

53c15703-b04c-42bb-9055-1937ddfb3392

Status

test

Level

medium

Type

Threat Hunt

Created

Tue Dec 21

Modified

Mon Feb 26

Author

Andreas Hunkeler

Path

rules-threat-hunting/web/proxy_generic/proxy_susp_class_extension_request.yml

Raw Tags

attack.initial-accessdetection.threat-hunting

View on GitHub