Sigma detection rules

Home/Sigma rules

Sigma

31 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

31 shown of 31

critical

HackTool - BabyShark Agent Default URL Pattern

Detects Baby Shark C2 Framework default communication patterns

status test author Florian Roth (Nextron Systems) id 304810ed-8853-437f-9e36-c4975c3dfd7e

view Sigma YAML

title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical

PwnDrp Access

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

status test author Florian Roth (Nextron Systems) id 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e

view Sigma YAML

title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
    - https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
falsepositives:
    - Unknown
level: critical

high

APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

status test author Florian Roth (Nextron Systems), Markus Neis id 6ec820f2-e963-4801-9127-d8b2dce4d31b

view Sigma YAML

title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
    - Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
         # APT Related
            - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
            - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
            - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
            - 'webclient' # Naikon APT
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
            - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
            - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
            - 'Netscape' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
            - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
            - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
            - 'MSIE 8.0' # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
            - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*' # KerrDown UA
            - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
            - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
            - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
            - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
            - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
            - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001'  # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
    condition: selection
falsepositives:
    - Old browsers
level: high

high

Bitsadmin to Uncommon IP Server Address

Detects Bitsadmin connections to IP addresses instead of FQDN names

status test author Florian Roth (Nextron Systems) id 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3

view Sigma YAML

title: Bitsadmin to Uncommon IP Server Address
id: 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
status: test
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
references:
    - https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
author: Florian Roth (Nextron Systems)
date: 2022-06-10
modified: 2022-08-24
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
        cs-host|endswith:
            - '1'
            - '2'
            - '3'
            - '4'
            - '5'
            - '6'
            - '7'
            - '8'
            - '9'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Bitsadmin to Uncommon TLD

Detects Bitsadmin connections to domains with uncommon TLDs

status test author Florian Roth (Nextron Systems), Tim Shelton id 9eb68894-7476-4cd6-8752-23b51f5883a7

view Sigma YAML

title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
    - https://twitter.com/jhencinski/status/1102695118455349248
    - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1071.001
    - attack.persistence
    - attack.t1197
    - attack.s0190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft BITS/'
    falsepositives:
        cs-host|endswith:
            - '.com'
            - '.net'
            - '.org'
            - '.scdn.co' # spotify streaming
            - '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
    condition: selection and not falsepositives
falsepositives:
    - Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high

high

Crypto Miner User Agent

Detects suspicious user agent strings used by crypto miners in proxy logs

status test author Florian Roth (Nextron Systems) id fa935401-513b-467b-81f4-f9e77aa0dd78

view Sigma YAML

title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
        # XMRig
            - 'XMRig '
        # CCMiner
            - 'ccminer'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

status test author Florian Roth (Nextron Systems) id fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f

view Sigma YAML

title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
            - 'Internet Explorer *'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/

        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads

        # Metasploit Update by Florian Roth 08.07.2017
            - 'Mozilla/5.0'
            - 'Mozilla/4.0 (compatible; SPIPE/1.0'
        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected
        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected
            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
            - 'X-FORWARDED-FOR'
            - 'DotDotPwn v2.1'
            - 'SIPDROID'
            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

        # Empire
            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'

        # Exploits
            - '*wordpress hash grabber*'
            - '*exploit*'

        # Havoc
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36'  # https://github.com/HavocFramework/Havoc/issues/519
    condition: selection
falsepositives:
    - Unknown
level: high

high

HackTool - CobaltStrike Malleable Profile Patterns - Proxy

Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).

status test author Markus Neis, Florian Roth (Nextron Systems) id f3f21ce1-cdef-4bfc-8328-ed2e826f5fac

view Sigma YAML

title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
    - id: 953b895e-5cc9-454b-b183-7f3db555452e
      type: obsolete
    - id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
      type: obsolete
    - id: 37325383-740a-403d-b1a2-b2b4ab7992e7
      type: obsolete
    - id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
      type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
    - https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
    - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
    - https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection_amazon_1:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'GET'
        c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
        cs-host: 'www.amazon.com'
        cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
    selection_amazon_2:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-method: 'POST'
        c-uri: '/N4215/adj/amzn.us.sr.aps'
        cs-host: 'www.amazon.com'
    selection_generic_1:
        c-useragent:
            - 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
            - 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
    selection_generic_2:
        c-useragent|endswith: '; MANM; MANM)'
    selection_oscp:
        c-uri|contains: '/oscp/'
        cs-host: 'ocsp.verisign.com'
    selection_onedrive:
        cs-method: 'GET'
        c-uri|endswith: '\?manifest=wac'
        cs-host: 'onedrive.live.com'
    filter_main_onedrive:
        c-uri|startswith: 'http'
        c-uri|contains: '://onedrive.live.com/'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

high

HackTool - Empire UserAgent URI Combo

Detects user agent and URI paths used by empire agents

status test author Florian Roth (Nextron Systems) id b923f7d6-ac89-4a50-a71a-89fb846b4aa8

view Sigma YAML

title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
    - https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-uri:
            - '/admin/get.php'
            - '/news.php'
            - '/login/process.php'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to server scripts of the defined names
level: high

high

Malware User Agent

Detects suspicious user agent strings used by malware in proxy logs

status test author Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 5c84856b-55a5-45f1-826f-13f37250cf4e

view Sigma YAML

title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
    - https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
            # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
            - 'HttpBrowser/1.0' # HTTPBrowser RAT
            - '*<|>*' # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)' # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
            # Malware
            - '*zeroup*' # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
            - '* adlib/*'
            - '* tiny' # Trojan Downloader
            - '* BGroom *' # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M' # HkMain
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
            - 'Opera' # Trojan Keragany
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
            - 'MSIE' # Toby web shell
            - '*(Charon; Inferno)' # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
            # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
            # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
            - 'Mozilla/5.0 (Windows NT 6.1)'
            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
            - 'Chrome/91.0.4472.77'
            - 'Safari/537.36'
            - 'Edge/91.0.864.37'
            - 'Firefox/89.0'
            - 'Gecko/20100101'
            # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt' # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
            - 'antSword/v2.1' # AntSword Webshell UA
            - 'rqwrwqrqwrqw'  # Racoon Stealer
            - 'qwrqrwrqwrqwr'  # Racoon Stealer
            - 'rc2.0/client'  # Racoon Stealer
            - 'TakeMyPainBack'  # Racoon Stealer
            - 'xxx' # Racoon Stealer
            - '20112211' # Racoon Stealer
            - '23591' # Racoon Stealer
            - '901785252112' # Racoon Stealer
            - '1235125521512' # Racoon Stealer
            - '125122112551' # Racoon Stealer
            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
            - 'AYAYAYAY1337' # Racoon Stealer
            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
            - 'ForAFeature' # Racoon Stealer
            - 'Ares_ldr_v_*' # AresLoader
            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
            - 'CLCTR' # https://github.com/silence-is-best/c2db
            - 'uploader' # https://github.com/silence-is-best/c2db
            - 'agent' # https://github.com/silence-is-best/c2db
            - 'License' # https://github.com/silence-is-best/c2db
            - 'vb wininet' # https://github.com/silence-is-best/c2db
            - 'Client' # https://github.com/silence-is-best/c2db
            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'DuckTales' # Racoon Stealer
            - 'Zadanie' # Racoon Stealer
            - 'GunnaWunnaBlueTips' # Racoon Stealer
            - 'Xlmst' # Racoon Stealer
            - 'GeekingToTheMoon' # Racoon Stealer
            - 'SunShineMoonLight' # Racoon Stealer
            - 'BunnyRequester' # BunnyStealer
            - 'BunnyTasks' # BunnyStealer
            - 'BunnyStealer' # BunnyStealer
            - 'BunnyLoader_Dropper' # BunnyStealer
            - 'BunnyLoader' # BunnyStealer
            - 'BunnyShell' # BunnyStealer
            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
            - 'SouthSide' # Racoon Stealer
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
    condition: selection
falsepositives:
    - Unknown
level: high

high

Outbound Network Connection Initiated By Microsoft Dialer

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"

status test author CertainlyP id 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1

view Sigma YAML

title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
    Detects outbound network connection initiated by Microsoft Dialer.
    The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
    This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
    - https://tria.ge/240301-rk34sagf5x/behavioral2
    - https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
    - https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
    - https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\dialer.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high

high

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

status test author Florian Roth (Nextron Systems) id 5468045b-4fcc-4d1a-973c-c9c9578edacb

view Sigma YAML

title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high

high

Renamed Visual Studio Code Tunnel Execution

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

status test author Nasreddine Bencherchali (Nextron Systems) id 2cf29f11-e356-4f61-98c0-1bdb9393d6da

view Sigma YAML

title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_image_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_image_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_image_tunnel_service:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    filter_main_parent_code:
        ParentImage|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    filter_main_image_code:
        Image|endswith:
            - '\code-tunnel.exe'
            - '\code.exe'
    condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
    - Unknown
level: high

high

Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

status test author Florian Roth (Nextron Systems) id 7195a772-4b3f-43a4-a210-6a003d65caa1

view Sigma YAML

title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent|startswith:
            - 'user-agent'  # User-Agent: User-Agent:
            - 'Mozilla/3.0 '
            - 'Mozilla/2.0 '
            - 'Mozilla/1.0 '
            - 'Mozilla '  # missing slash
            - ' Mozilla/'  # leading space
            - 'Mozila/'  # single 'l'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
        c-useragent|contains:
            - ' (compatible;MSIE '  # typical typo - missing space
            - '.0;Windows NT '  # typical typo - missing space
            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
    selection3:
        c-useragent:
            - '_'
            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
            - 'x'  # Use by Racoon Stealer but could be something else
            - 'xxx'  # Use by Racoon Stealer but could be something else
    falsepositives:
        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
              - '.acrobat.com'
              - '.adobe.com'
              - '.adobe.io'
    condition: 1 of selection* and not falsepositives
falsepositives:
    - Unknown
level: high

high

Wannacry Killswitch Domain

Detects wannacry killswitch domain dns queries

status test author Mike Wade id 3eaf6218-3bed-4d8a-8707-274096f12a18

view Sigma YAML

title: Wannacry Killswitch Domain
id: 3eaf6218-3bed-4d8a-8707-274096f12a18
status: test
description: Detects wannacry killswitch domain dns queries
references:
    - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
author: Mike Wade
date: 2020-09-16
modified: 2022-03-24
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: dns
detection:
    selection:
        query:
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
            - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
            - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
    condition: selection
falsepositives:
    - Analyst testing
level: high

high

Windows WebDAV User Agent

Detects WebDav DownloadCradle

status test author Florian Roth (Nextron Systems) id e09aed7a-09e0-4c9a-90dd-f0d52507347e

view Sigma YAML

title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
    - Legitimate WebDAV administration
level: high

medium

Change User Agents with WebRequest

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

status test author frack113 id d4488827-73af-4f8d-9244-7b7662ef046e

view Sigma YAML

title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_webrequest:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
            - 'iwr '
    selection_useragent:
        ScriptBlockText|contains: '-UserAgent '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

medium

Cloudflared Tunnels Related DNS Requests

Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

status test author Nasreddine Bencherchali (Nextron Systems) id a1d9eec5-33b2-4177-8d24-27fe754d0812

view Sigma YAML

title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflared tunnels domains.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium

medium

DNS Query To Devtunnels Domain

Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

status test author citron_ninja id 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b

view Sigma YAML

title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
status: test
description: |
    Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium

medium

DNS Query To Visual Studio Code Tunnels Domain

Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

status test author citron_ninja id b3e6418f-7c7a-4fad-993a-93b65027a9f1

view Sigma YAML

title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium

medium

HTTP Request With Empty User Agent

Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.

status test author Florian Roth (Nextron Systems) id 21e44d78-95e7-421b-a464-ffd8395659c4

view Sigma YAML

title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Potential Base64 Encoded User-Agent

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

status test author Florian Roth (Nextron Systems), Brian Ingram (update) id 894a8613-cf12-48b3-8e57-9085f54aa0c3

view Sigma YAML

title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

status test author Nasreddine Bencherchali (Nextron Systems) id d443095b-a221-4957-a2c4-cd1756c9b747

view Sigma YAML

title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Suspicious Curl Change User Agents - Linux

Detects a suspicious curl process start on linux with set useragent options

status test author Nasreddine Bencherchali (Nextron Systems) id b86d356d-6093-443d-971c-9b07db583c68

view Sigma YAML

title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium

medium

Suspicious Installer Package Child Process

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

status test author Sohan G (D4rkCiph3r) id e0cfaecd-602d-41af-988d-f6ccebb2af26

view Sigma YAML

title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium

medium

Telegram API Access

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

status test author Florian Roth (Nextron Systems) id b494b165-6634-483d-8c47-2026a6c52372

view Sigma YAML

title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
    - https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
    - https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
    - https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.002
logsource:
    category: proxy
detection:
    selection:
        cs-host: 'api.telegram.org' # Often used by Bots
    filter:
        c-useragent|contains:
            # Used https://core.telegram.org/bots/samples for this list
            - 'Telegram'
            - 'Bot'
    condition: selection and not filter
falsepositives:
    - Legitimate use of Telegram bots in the company
level: medium

medium

Visual Studio Code Tunnel Execution

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

status test author Nasreddine Bencherchali (Nextron Systems), citron_ninja id 90d6bd71-dffb-4989-8d86-a827fedd6624

view Sigma YAML

title: Visual Studio Code Tunnel Execution
id: 90d6bd71-dffb-4989-8d86-a827fedd6624
status: test
description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems), citron_ninja
date: 2023-10-25
modified: 2025-10-29
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_only_tunnel:
        OriginalFileName: null
        CommandLine|endswith: '.exe tunnel'
    selection_tunnel_args:
        CommandLine|contains|all:
            - '.exe tunnel'
            - '--accept-server-license-terms'
    selection_parent_tunnel:
        ParentCommandLine|endswith: ' tunnel'
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/d /c '
            - '\servers\Stable-'
            - 'code-server.cmd'
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel
level: medium

medium

Visual Studio Code Tunnel Service Installation

Detects the installation of VsCode tunnel (code-tunnel) as a service.

status test author Nasreddine Bencherchali (Nextron Systems) id 30bf1789-379d-4fdc-900f-55cd0a90a801

view Sigma YAML

title: Visual Studio Code Tunnel Service Installation
id: 30bf1789-379d-4fdc-900f-55cd0a90a801
status: test
description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    condition: selection
falsepositives:
    - Legitimate installation of code-tunnel as a service
level: medium

medium

Visual Studio Code Tunnel Shell Execution

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

status test author Nasreddine Bencherchali (Nextron Systems) id f4a623c2-4ef5-4c33-b811-0642f702c9f1

view Sigma YAML

title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\servers\Stable-'
        ParentImage|endswith: '\server\node.exe'
        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
    selection_child_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
    selection_child_2:
        Image|endswith:
            - '\wsl.exe'
            - '\bash.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel and running code from there
level: medium

medium

Windows PowerShell User Agent

Detects Windows PowerShell Web Access

status test author Florian Roth (Nextron Systems) id c8557060-9221-4448-8794-96320e6f3e74

view Sigma YAML

title: Windows PowerShell User Agent
id: c8557060-9221-4448-8794-96320e6f3e74
status: test
description: Detects Windows PowerShell Web Access
references:
    - https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains: ' WindowsPowerShell/'
    condition: selection
falsepositives:
    - Administrative scripts that download files from the Internet
    - Administrative scripts that retrieve certain website contents
level: medium

low

DNS Query Request By QuickAssist.EXE

Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.

status experimental author Muhammad Faisal (@faisalusuf) id 882e858a-3233-4ba8-855e-2f3d3575803d

view Sigma YAML

title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
description: |
    Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
    - https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
    - https://x.com/cyb3rops/status/1862406110365245506
    - https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
    - attack.command-and-control
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1071.001
    - attack.t1210
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\QuickAssist.exe'
        QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
    condition: selection
falsepositives:
    - Legitimate use of Quick Assist in the environment.
level: low

Showing 1-31 of 31

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin