This section displays SIGMA rules belonging to category Proxy. It updates itself automatically when new commits are available in quasarops.
Title | APT40 Dropbox Tool User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_apt40.yml |
author | Thomas Patzke |
status | experimental |
date | 2019/11/12 |
description | Detects suspicious user agent string of APT40 Dropbox tool |
tags |
Title | Chafer Malware URL Pattern |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_chafer_malware.yml |
author | Florian Roth |
status | experimental |
date | 2019/01/31 |
description | Detects HTTP requests used by Chafer malware |
tags |
Title | CobaltStrike Malleable Amazon Browsing Traffic Profile |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_cobalt_amazon.yml |
author | Markus Neis |
status | experimental |
date | 2019/11/12 |
description | Detects Malleable Amazon Profile |
tags | attack.t1102 |
Title | CobaltStrike Malleable (OCSP) Profile |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_cobalt_ocsp.yml |
author | Markus Neis |
status | experimental |
date | 2019/11/12 |
description | Detects Malleable (OCSP) Profile with Typo (OSCP) in URL |
tags | attack.t1102 |
Title | CobaltStrike Malleable OneDrive Browsing Traffic Profile |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_cobalt_onedrive.yml |
author | Markus Neis |
status | experimental |
date | 2019/11/12 |
description | Detects Malleable OneDrive Profile |
tags | attack.t1102 |
Title | Download from Suspicious Dyndns Hosts |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_download_susp_dyndns.yml |
author | Florian Roth |
status | experimental |
date | 2017/11/08 |
description | Detects download of certain file types from hosts with dynamic DNS names (selected list) |
tags |
Title | Download from Suspicious TLD |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml |
author | Florian Roth |
status | experimental |
date | 2017/11/07 |
description | Detects download of certain file types from hosts in suspicious TLDs |
tags |
Title | Download EXE from Suspicious TLD |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml |
author | Florian Roth |
status | experimental |
date | 2017/03/13 |
description | Detects executable downloads from suspicious remote systems |
tags |
Title | Windows WebDAV User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_downloadcradle_webdav.yml |
author | Florian Roth |
status | experimental |
date | 2018/04/06 |
description | Detects a WebDAV download cradle by its Windows WebDAV user agent |
tags |
Title | Empty User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_empty_ua.yml |
author | Florian Roth |
status | experimental |
date | 2017/07/08 |
description | Detects suspicious empty user agent strings in proxy logs |
tags |
Title | iOS Implant URL Pattern |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ios_implant.yml |
author | Florian Roth |
status | experimental |
date | 2019/08/30 |
description | Detects URL pattern used by iOS Implant |
tags |
Title | Windows PowerShell User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_powershell_ua.yml |
author | Florian Roth |
status | experimental |
date | 2017/03/13 |
description | Detects Windows PowerShell Web Access |
tags |
Title | Raw Paste Service Access |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_raw_paste_service_access.yml |
author | Florian Roth |
status | experimental |
date | 2019/12/05 |
description | Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form |
tags | attack.t1102 attack.defense_evasion |
Title | Flash Player Update from Suspicious Location |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_susp_flash_download_loc.yml |
author | Florian Roth |
status | experimental |
date | 2017/10/25 |
description | Detects a Flash Player update fetched from an unofficial location |
tags |
Title | Telegram API Access |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_telegram_api.yml |
author | Florian Roth |
status | experimental |
date | 2018/06/05 |
description | Detects suspicious requests to Telegram API without the usual Telegram User-Agent |
tags |
Title | APT User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_apt.yml |
author | Florian Roth, Markus Neis |
status | experimental |
date | 2019/11/12 |
description | Detects suspicious user agent strings used in APT malware in proxy logs |
tags |
Title | Bitsadmin to Uncommon TLD |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml |
author | Florian Roth |
status | experimental |
date | 2019/03/07 |
description | Detects Bitsadmin connections to domains with uncommon TLDs (references: https://twitter.com/jhencinski/status/1102695118455349248 and https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/) |
tags |
Title | Crypto Miner User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_cryptominer.yml |
author | Florian Roth |
status | experimental |
date | 2019/10/21 |
description | Detects suspicious user agent strings used by crypto miners in proxy logs |
tags |
Title | Exploit Framework User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_frameworks.yml |
author | Florian Roth |
status | experimental |
date | 2017/07/08 |
description | Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs |
tags |
Title | Hack Tool User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_hacktool.yml |
author | Florian Roth |
status | experimental |
date | 2017/07/08 |
description | Detects suspicious user agent strings used by hack tools in proxy logs |
tags |
Title | Malware User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_malware.yml |
author | Florian Roth |
status | experimental |
date | 2017/07/08 |
description | Detects suspicious user agent strings used by malware in proxy logs |
tags |
Title | Suspicious User Agent |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ua_suspicious.yml |
author | Florian Roth |
status | experimental |
date | 2017/07/08 |
description | Detects suspicious malformed user agent strings in proxy logs |
tags |
Title | Ursnif Malware Download URL Pattern |
---|---|
rule_category | proxy |
rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/proxy/proxy_ursnif_malware.yml |
author | Thomas Patzke |
status | stable |
date | 2019/12/19 |
description | Detects download of Ursnif malware done by dropper documents. |
tags |