Skip to content

new: RedTail Cryptominer User-Agent in webserver logs#5972

Open
marcopedrinazzi wants to merge 6 commits into
SigmaHQ:masterfrom
marcopedrinazzi:libredtail
Open

new: RedTail Cryptominer User-Agent in webserver logs#5972
marcopedrinazzi wants to merge 6 commits into
SigmaHQ:masterfrom
marcopedrinazzi:libredtail

Conversation

@marcopedrinazzi

@marcopedrinazzi marcopedrinazzi commented Apr 30, 2026

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

A new rule to detect the user agent libredtail-http associated with RedTail cryptominer activity.

Changelog

new: RedTail Cryptominer User-Agent

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review labels Apr 30, 2026
@nasbench nasbench added this to the Sigma-May-Release milestone May 4, 2026
swachchhanda000
swachchhanda000 requested changes May 6, 2026
View reviewed changes

@swachchhanda000 swachchhanda000 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @marcopedrinazzi,

If you are writing the detections targeted at certain malware, TA or CVE, they should be Emerging Threats (ET) rule. Please move it there.

Comment thread rules-emerging-threats/2026/Malware/RedTail-Cryptominer/web_redtail_useragent.yml
Comment thread rules/web/webserver_generic/web_redtail_useragent.yml Outdated
@swachchhanda000 swachchhanda000 added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels May 6, 2026
marcopedrinazzi and others added 5 commits May 6, 2026 12:37
@marcopedrinazzi @swachchhanda000
Update rules/web/webserver_generic/web_redtail_useragent.yml
2c4936f 
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
@marcopedrinazzi @swachchhanda000
Update rules/web/webserver_generic/web_redtail_useragent.yml
b7d24df 
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
@swachchhanda000
Merge branch 'master' into libredtail
a5467af
@marcopedrinazzi
moved under ET
da2d41b
@marcopedrinazzi
detection tag
146c1cf
@marcopedrinazzi

marcopedrinazzi commented May 6, 2026

Copy link
Copy Markdown
Contributor Author

Hey @swachchhanda000 i've moved it under 2026/malware/redtail-cryptominer and i've applied the suggestions that you proposed. Thank you!

@swachchhanda000 swachchhanda000 added Ready to Merge and removed Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules Review Needed The PR requires review labels May 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@swachchhanda000 swachchhanda000 swachchhanda000 approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

Ready to Merge Rules

Projects

None yet

Milestone

Sigma-June-Release

Development

Successfully merging this pull request may close these issues.

3 participants

@marcopedrinazzi @swachchhanda000 @nasbench