Unusual Web User Agent

A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.

Elastic rule

[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process
other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user
agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which
are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools
like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from
local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or
stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning
activity.
"""
false_positives = [
    """
    Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or
    rarely used program that calls web services may trigger this alert.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "packetbeat_rare_user_agent"
name = "Unusual Web User Agent"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
severity = "low"
tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"


    [[rule.threat.technique.subtechnique]]
    id = "T1071.001"
    name = "Web Protocols"
    reference = "https://attack.mitre.org/techniques/T1071/001/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
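As an added illustration (not Elastic's rule logic or the packetbeat_rare_user_agent job itself), the Python below replaces the job's learned rarity baseline with a fixed frequency cut-off over a window of constructed Packetbeat-style events, then classifies each rare user agent by traffic direction, mirroring the description's split between remote-to-local background noise and local-to-remote activity that deserves a look at the owning process. The field names, sample events, local network list, threshold and triage wording are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample events in a Packetbeat-like field layout (not real traffic).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:117.0) Gecko/20100101 Firefox/117.0"
EVENTS = [
    {"source.ip": "10.0.0.5", "destination.ip": "203.0.113.10", "user_agent.original": BROWSER_UA}
    for _ in range(17)
] + [  # one outbound CLI client, one inbound scanner-like client, one outbound script
    {"source.ip": "10.0.0.7", "destination.ip": "203.0.113.20", "user_agent.original": "curl/8.0.1"},
    {"source.ip": "198.51.100.4", "destination.ip": "10.0.0.80", "user_agent.original": "custom-scanner/0.1"},
    {"source.ip": "10.0.0.9", "destination.ip": "203.0.113.30", "user_agent.original": "python-requests/2.31.0"},
]
# Which ranges count as "local" is site-specific; RFC 1918 space is assumed here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Triage hints follow the rule description: inbound rarities are mostly background noise.
TRIAGE = {
    "inbound": "low: likely scanner/bot/scraper noise unless the site is being targeted",
    "outbound": "medium: identify the local process behind this user agent",
    "internal": "medium: unusual client between local hosts",
    "external": "info: neither endpoint is local",
}

def is_local(ip):
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def direction(event):
    src, dst = is_local(event["source.ip"]), is_local(event["destination.ip"])
    if src and not dst:
        return "outbound"
    if dst and not src:
        return "inbound"
    return "internal" if src and dst else "external"

def rare_user_agents(events, max_share=0.05):
    """Flag user agents seen in at most max_share of the window's events. The fixed
    cut-off is an assumption standing in for the ML job's learned rarity baseline."""
    if not events:
        return []
    counts = Counter(e["user_agent.original"] for e in events)
    seen, hits = set(), []
    for e in events:
        ua = e["user_agent.original"]
        if ua in seen or counts[ua] / len(events) > max_share:
            continue  # common agent, or already reported for this window
        seen.add(ua)
        d = direction(e)
        hits.append({"user_agent": ua, "direction": d, "count": counts[ua], "triage": TRIAGE[d]})
    return sorted(hits, key=lambda h: h["user_agent"])
```

On the constructed window the three single-occurrence agents are flagged, with the inbound scanner-like one ranked as noise and the two outbound ones pointed back at their local processes.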
