Rule Library

Sigma Rules

55 rules found

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Proxy Log

TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2023-4966detection.emerging-threats

Nasreddine Bencherchali (Nextron Systems)+1Tue Nov 282023

Emerging Threathightest

Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Proxy Log

TA0011 · Command and Controldetection.emerging-threats

Nasreddine Bencherchali (Nextron Systems)Wed Mar 292023

Emerging Threathightest

Potential Compromised 3CXDesktopApp ICO C2 File Download

Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository

Proxy Log

TA0011 · Command and Controldetection.emerging-threats

Nasreddine Bencherchali (Nextron Systems)Fri Mar 312023

Emerging Threathightest

Potential Operation Triangulation C2 Beaconing Activity - Proxy

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Proxy Log

TA0011 · Command and ControlG0020 · G0020detection.emerging-threats

Florian Roth (Nextron Systems)Thu Jun 012023

Emerging Threatmediumtest

Potential Peach Sandstorm APT C2 Communication Activity

Detects potential C2 communication activity related to Peach Sandstorm APT

Proxy Log

TA0011 · Command and Controldetection.emerging-threats

X__Junior (Nextron Systems)Mon Jan 152023

Emerging Threathighexperimental

Cisco ASA Exploitation Activity - Proxy

Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.

Proxy Log

TA0001 · Initial AccessT1190 · Exploit Public-Facing Applicationcve.2025-20333cve.2025-20362+1

Swachchhanda Shrawan Poudel (Nextron Systems)Thu Nov 202025

Threat Huntmediumtest

.Class Extension URI Ending Request

Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.

Proxy Log

TA0001 · Initial Accessdetection.threat-hunting

Andreas HunkelerTue Dec 21web

‹1 2 ›