Sigma Rules
41 rules found for "attack.T1071.001"
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on Linux with user agent options set
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget, among other interpreters and download tools
Wannacry Killswitch Domain
Detects DNS queries for the WannaCry killswitch domain
Windows WebDAV User Agent
Detects the Windows WebDAV client user agent, as used by WebDAV download cradles
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects Cobalt Strike Malleable C2 profile patterns (URIs, user agents, methods) in proxy logs.
HackTool - Empire UserAgent URI Combo
Detects the user agent and URI path combination used by Empire agents
PwnDrp Access
Detects downloads from PwnDrp web servers, a tool developed for red team testing that is most likely also used for criminal activity
Raw Paste Service Access
Detects direct access to raw pastes on various paste services, often used by malware second stages to download malicious code in encrypted or encoded form
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as used by some malware.
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of fully qualified domain names
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
HTTP Request With Empty User Agent
Detects a potentially suspicious empty user agent string in proxy logs, which could indicate an uncommon request method.
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
Windows PowerShell User Agent
Detects web access from Windows PowerShell via its user agent string
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
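To show how the proxy-log user agent rules above translate into concrete matching logic, the following is an added Python example; it is not code from the Sigma project and its rule conditions are simplified paraphrases of five of the listed rules, not the exact published selections. Field names follow the Sigma proxy log source (c-useragent, cs-host, cs-uri); the matched substrings, the IP regex and the uncommon TLD list are assumptions for illustration, and the proxy records are constructed. It goes one step beyond the "ends with an equal sign" heuristic by adding a strict Base64 decode check as a false-positive filter.

```python
"""Added example: a minimal Sigma-style matcher for proxy-log user agent rules.
Not Sigma project code. Rule conditions are simplified paraphrases (assumptions),
not the exact published selections."""
import base64
import binascii
import re

# Constructed proxy records for illustration, not real traffic.
# Field names follow the Sigma proxy log source.
LOGS = [
    {"c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
     "cs-host": "www.example.com", "cs-uri": "/"},
    {"c-useragent": "", "cs-host": "203.0.113.10", "cs-uri": "/gate.php"},
    {"c-useragent": "Mozilla/5.0 WindowsPowerShell/5.1.19041.1",
     "cs-host": "files.example.net", "cs-uri": "/p.ps1"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "198.51.100.7", "cs-uri": "/update.bin"},
    {"c-useragent": "Microsoft BITS/7.8", "cs-host": "cdn.example.top", "cs-uri": "/update.bin"},
    {"c-useragent": base64.b64encode(b"host=WS01;user=alice").decode(),
     "cs-host": "c2.example.org", "cs-uri": "/"},
]

# Sigma-like selections: "field|modifier": value. All keys in a selection are
# ANDed; a list value is ORed. Modifiers: contains, startswith, endswith, re;
# no modifier means exact match. These conditions are assumed simplifications.
RULES = {
    "HTTP Request With Empty User Agent": {"c-useragent": ""},
    "Windows PowerShell User Agent": {"c-useragent|contains": "WindowsPowerShell/"},
    "Bitsadmin to Uncommon IP Server Address": {
        "c-useragent|startswith": "Microsoft BITS/",
        "cs-host|re": r"^\d{1,3}(\.\d{1,3}){3}$",
    },
    "Bitsadmin to Uncommon TLD": {
        "c-useragent|startswith": "Microsoft BITS/",
        "cs-host|endswith": [".top", ".xyz", ".club", ".pw"],  # assumed list
    },
    "Potential Base64 Encoded User-Agent": {"c-useragent|endswith": "="},
}


def _compare(modifier, actual, expected):
    """Apply one Sigma modifier. String modifiers are case-insensitive, as in Sigma."""
    if modifier == "re":
        return re.search(expected, actual) is not None
    a, e = actual.lower(), expected.lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match(selection, record):
    """True when every field condition in the selection holds for the record."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = record.get(field, "")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_compare(modifier, actual, v) for v in values):
            return False
    return True


def run(rules, logs):
    """Map each rule name to the indexes of the records it fires on."""
    return {name: [i for i, rec in enumerate(logs) if match(sel, rec)]
            for name, sel in rules.items()}


def is_base64_ua(ua):
    """Stricter follow-up to the '=' heuristic: the whole string must decode as
    strictly valid Base64. Cuts false positives from user agents that merely
    end in '=' but contain spaces, slashes or parentheses."""
    if not ua or len(ua) % 4 != 0:
        return False
    try:
        base64.b64decode(ua, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    hits = run(RULES, LOGS)
    for name, idxs in hits.items():
        print(f"{name}: records {idxs}")
    for i in hits["Potential Base64 Encoded User-Agent"]:
        print(f"record {i} strict base64: {is_base64_ua(LOGS[i]['c-useragent'])}")
```

Each rule fires on exactly one of the constructed records; the empty-agent record also hits an IP host, but the Bitsadmin rules stay quiet because their user agent condition is ANDed in. The strict decode is the kind of second-stage check a practitioner adds before alerting on the equal-sign heuristic.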
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to the primary Microsoft Quick Assist endpoint used to establish a session.
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
Outbound Network Connection Initiated By Microsoft Dialer
Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility included in various versions of the Microsoft Windows operating system; its primary function is to provide a graphical interface for managing phone calls via a modem or a phone line connected to the computer. The process is outdated in its current context of use and is a common target for process injection by information stealers, which use it to make C2 connections; a common example is "Rhadamanthys"
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Visual Studio Code Tunnel Execution
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Shell Execution
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Service Installation
Detects the installation of the Visual Studio Code tunnel (code-tunnel) as a service.
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Ursnif Malware Download URL Pattern
Detects download of Ursnif malware done by dropper documents.
APT40 Dropbox Tool User Agent
Detects the suspicious user agent string of the APT40 Dropbox tool
ComRAT Network Communication
Detects Turla ComRAT network communication.
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
Axios NPM Compromise Malicious C2 Domain DNS Query
Detects DNS queries for the malicious C2 domain associated with the plain-crypto-js/Axios npm package supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. This rule detects endpoints attempting to resolve the attacker's C2 domain (sfrclak.com) used for command and control communication.
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with a custom user agent option
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.