title: iOS Implant URL Pattern
status: experimental
description: Detects URL pattern used by iOS Implant
references:
    - https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html
    - https://twitter.com/craiu/status/1167358457344925696
author: Florian Roth
date: 2019/08/30
logsource:
    category: proxy
detection:
    selection:
        c-uri: '*/list/suc?name=*'
    condition: selection
fields:
    - ClientIP
    - URL
    - UserAgent
falsepositives:
    - Unknown
level: critical