Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects suspicious user agent strings used in APT malware in proxy logs

Read More

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More

Detects Bitsadmin connections to domains with uncommon TLDs

Read More

Detects suspicious user agent strings used by crypto miners in proxy logs

Read More

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Read More

Detects download of certain file types from hosts in suspicious TLDs

Read More

Detects executable downloads from suspicious remote systems

Read More

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Read More

Detects a flashplayer update from an unofficial location

Read More

Detects suspicious user agent strings user by hack tools in proxy logs

Read More

Detects Baby Shark C2 Framework default communication patterns

Read More

Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).

Read More

Detects user agent and URI paths used by empire agents

Read More

Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.

Read More

Detects suspicious user agent strings used by malware in proxy logs

Read More

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

Read More

Detect the update check performed by Advanced IP/Port Scanner utilities.

Read More

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Read More

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Read More

Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string

Read More

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Read More

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Read More

Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.

Read More

Detects suspicious malformed user agent strings in proxy logs

Read More

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Read More

Detects Windows PowerShell Web Access

Read More

Detects WebDav DownloadCradle

Read More