From a3349823e50996290cd080f9204df53980fc09ad Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 30 Aug 2019 11:48:51 +0200
Subject: [PATCH] rule: implant teardown

---
 rules/proxy/proxy_implant_teardown.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 rules/proxy/proxy_implant_teardown.yml

diff --git a/rules/proxy/proxy_implant_teardown.yml b/rules/proxy/proxy_implant_teardown.yml
new file mode 100644
index 000000000..dd7d36307
--- /dev/null
+++ b/rules/proxy/proxy_implant_teardown.yml
@@ -0,0 +1,20 @@
+title: Teardown Implant URL Pattern
+status: experimental
+description: Detects URL pattern used by Teardown Implant
+references:
+ - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
+author: Florian Roth
+date: 2019/08/30
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri-query: '*/list/suc?name=*'
+ condition: selection
+fields:
+ - ClientIP
+ - URL
+ - UserAgent
+falsepositives:
+ - Unknown
+level: critical
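Review bot: The selection matches `c-uri-query` against `*/list/suc?name=*`, a value that contains a path segment followed by a query string; if the backend maps `c-uri-query` to the query portion only (`name=...`), the `*/list/suc?` part can never match and the rule silently never fires. The safer field for a pattern spanning path and query is the full request URI, e.g. `c-uri: '*/list/suc?name=*'`, or alternatively a two-field selection on the path (`c-uri-stem`) and the query (`c-uri-query`) — worth confirming against how the target proxy logsource populates these fields before promoting the rule beyond experimental. The `fields` list (`ClientIP`, `URL`, `UserAgent`) also does not use the proxy field names the detection relies on, so consider aligning them with the logsource's naming so the enriched output resolves in the same backends.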