Rule Library

Sigma Rules

55 rules found

3,707 Total · 3,116 Detection · 451 Emerging · 137 Hunting

Detection · high · test

Windows WebDAV User Agent

Detects a WebDAV download cradle

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Fri Apr 06 · web
Detection · medium · test

Download from Suspicious Dyndns Hosts

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1105 · Ingress Tool Transfer | T1568 · Dynamic Resolution
Florian Roth (Nextron Systems) · Wed Nov 08 · web
Detection · low · test

Download From Suspicious TLD - Blacklist

Detects download of certain file types from hosts in suspicious TLDs

Proxy Log
TA0001 · Initial Access | T1566 · Phishing | TA0002 · Execution | T1203 · Exploitation for Client Execution (+1)
Florian Roth (Nextron Systems) · Tue Nov 07 · web
Detection · low · test

Download From Suspicious TLD - Whitelist

Detects executable downloads from suspicious remote systems

Proxy Log
TA0001 · Initial Access | T1566 · Phishing | TA0002 · Execution | T1203 · Exploitation for Client Execution (+1)
Florian Roth (Nextron Systems) · Mon Mar 13 · web
Detection · medium · test

F5 BIG-IP iControl Rest API Command Execution - Proxy

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application
Nasreddine Bencherchali (Nextron Systems) (+1) · Wed Nov 08 · web
Detection · medium · experimental

Potential Hello-World Scraper Botnet Activity

Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.

Proxy Log
TA0043 · Reconnaissance | T1595 · Active Scanning
Joseph A. M. · Sat Aug 02 · web
Detection · critical · test

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Wed Jun 09 · web
Detection · high · test

HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Markus Neis (+1) · Thu Feb 15 · web
Detection · high · test

HackTool - Empire UserAgent URI Combo

Detects user agent and URI paths used by Empire agents

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Jul 13 · web
Detection · medium · test

PUA - Advanced IP/Port Scanner Update Check

Detects the update check performed by Advanced IP/Port Scanner utilities.

Proxy Log
TA0007 · Discovery | TA0043 · Reconnaissance | T1590 · Gather Victim Network Information
Axel Olsson · Sun Aug 14 · web
Detection · critical · test

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.001 · Dead Drop Resolver | T1102.003 · One-Way Communication
Florian Roth (Nextron Systems) · Wed Apr 15 · web
Detection · high · test

Raw Paste Service Access

Detects direct access to raw pastes on various paste services, often used by malware in its second stage to download malicious code in encrypted or encoded form

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.001 · Dead Drop Resolver | T1102.003 · One-Way Communication (+1)
Florian Roth (Nextron Systems) · Thu Dec 05 · web
Detection · high · test

Flash Player Update from Suspicious Location

Detects a Flash Player update from an unofficial location

Proxy Log
TA0001 · Initial Access | T1189 · Drive-by Compromise | TA0002 · Execution | T1204.002 · Malicious File (+2)
Florian Roth (Nextron Systems) · Wed Oct 25 · web
Detection · low · test

Suspicious Network Communication With IPFS

Detects connections to the InterPlanetary File System (IPFS) containing a user's email address, which mirrors behaviour observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Proxy Log
TA0009 · Collection | TA0006 · Credential Access | T1056 · Input Capture
Gavin Knapp · Thu Mar 16 · web
Detection · medium · test

Telegram API Access

Detects suspicious requests to the Telegram API without the usual Telegram User-Agent

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols | T1102.002 · Bidirectional Communication
Florian Roth (Nextron Systems) · Tue Jun 05 · web
Detection · high · test

APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) (+1) · Tue Nov 12 · web
Detection · medium · test

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Nasreddine Bencherchali (Nextron Systems) · Thu May 04 · web
Detection · high · test

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDNs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0005 · Defense Evasion | TA0003 · Persistence (+2)
Florian Roth (Nextron Systems) · Fri Jun 10 · web
Detection · high · test

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0005 · Defense Evasion | TA0003 · Persistence (+2)
Florian Roth (Nextron Systems) (+1) · Thu Mar 07 · web
Detection · high · test

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Oct 21 · web
Detection · medium · test

HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs. Could indicate an uncommon request method.

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Hack Tool User Agent

Detects suspicious user agent strings used by hack tools in proxy logs

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | TA0006 · Credential Access | T1110 · Brute Force
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · high · test

Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) (+2) · Sat Jul 08 · web
Detection · medium · test

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Mon Mar 13 · web
Detection · medium · test

Rclone Activity via Proxy

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Proxy Log
TA0010 · Exfiltration | T1567.002 · Exfiltration to Cloud Storage
Janantha Marasinghe · Tue Oct 18 · web
Detection · high · test

Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) · Sat Jul 08 · web
Detection · medium · test

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols
Florian Roth (Nextron Systems) (+1) · Fri Jul 08 · web
Detection · high · test

Suspicious External WebDAV Execution

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Proxy Log
TA0001 · Initial Access | TA0042 · Resource Development | T1584 · Compromise Infrastructure | T1566 · Phishing
Ahmed Farouk · Fri May 10 · web
Emerging Threat · high · test

Chafer Malware URL Pattern

Detects HTTP request used by Chafer malware to receive data from its C2.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | detection.emerging-threats
Florian Roth (Nextron Systems) · Thu Jan 31 · 2019
Emerging Threat · critical · stable

Ursnif Malware C2 URL Pattern

Detects Ursnif C2 traffic.

Proxy Log
TA0001 · Initial Access | T1566.001 · Spearphishing Attachment | TA0002 · Execution | T1204.002 · Malicious File (+3)
Thomas Patzke · Thu Dec 19 · 2019
Emerging Threat · high · stable

Ursnif Malware Download URL Pattern

Detects download of Ursnif malware done by dropper documents.

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | detection.emerging-threats
Thomas Patzke · Thu Dec 19 · 2019
Emerging Threat · high · test

APT40 Dropbox Tool User Agent

Detects the suspicious user agent string of the APT40 Dropbox tool

Proxy Log
TA0011 · Command and Control | T1071.001 · Web Protocols | TA0010 · Exfiltration | T1567.002 · Exfiltration to Cloud Storage (+1)
Thomas Patzke · Tue Nov 12 · 2019
Emerging Threat · high · test

ComRAT Network Communication

Detects Turla ComRAT network communication.

Proxy Log
TA0005 · Defense Evasion | TA0011 · Command and Control | T1071.001 · Web Protocols | G0010 · G0010 (+1)
Florian Roth (Nextron Systems) · Tue May 26 · 2020
Emerging Threat · high · test

Devil Bait Potential C2 Communication Traffic

Detects potential C2 communication related to Devil Bait malware

Proxy Log
TA0011 · Command and Control | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Mon May 15 · 2021
Emerging Threat · high · test

Goofy Guineapig Backdoor Potential C2 Communication

Detects potential C2 communication related to Goofy Guineapig backdoor

Proxy Log
TA0011 · Command and Control | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Sun May 14 · 2021
Emerging Threat · critical · test

Small Sieve Malware Potential C2 Communication

Detects potential C2 communication related to Small Sieve malware

Proxy Log
TA0011 · Command and Control | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Fri May 19 · 2021
Emerging Threat · high · test

Potential OWASSRF Exploitation Attempt - Proxy

Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Thu Dec 22 · 2022
Emerging Threat · critical · test

OWASSRF Exploitation Attempt Using Public POC - Proxy

Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Thu Dec 22 · 2022
Emerging Threat · medium · test

CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21

Detects potential exploitation attempts of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2023-1389 | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) (+1) · Tue Jun 25 · 2023
Emerging Threat · medium · test

CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2023-22518 | detection.emerging-threats
Andreas Braathen (mnemonic.io) · Tue Nov 14 · 2023
Emerging Threat · critical · test

Potential CVE-2023-36884 Exploitation Pattern

Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884

Proxy Log
TA0011 · Command and Control | cve.2023-36884 | detection.emerging-threats
X__Junior · Wed Jul 12 · 2023
Emerging Threat · high · test

Potential CVE-2303-36884 URL Request Pattern Traffic

Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884

Proxy Log
TA0011 · Command and Control | cve.2023-36884 | detection.emerging-threats
X__Junior · Wed Jul 12 · 2023
Emerging Threat · medium · test

Potential CVE-2023-36884 Exploitation - File Downloads

Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884

Proxy Log
TA0011 · Command and Control | cve.2023-36884 | detection.emerging-threats
X__Junior · Wed Jul 12 · 2023
Emerging Threat · high · test

Potential CVE-2023-36884 Exploitation - URL Marker

Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884

Proxy Log
TA0011 · Command and Control | cve.2023-36884 | detection.emerging-threats
X__Junior · Wed Jul 12 · 2023
Emerging Threat · high · test

Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy

Detects exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components, in proxy logs.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2023-43621 | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) (+1) · Fri Oct 20 · 2023
Emerging Threat · high · test

CVE-2023-46747 Exploitation Activity - Proxy

Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2023-46747 | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Wed Nov 08 · 2023
Emerging Threat · high · test

CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

Detects exploitation attempts of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in proxy logs by looking for a very long Host header string.

Proxy Log
TA0001 · Initial Access | T1190 · Exploit Public-Facing Application | cve.2023-4966 | detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Tue Nov 28 · 2023