Katz Stealer Suspicious User-Agent
Detects HTTP requests (Zeek http.log) whose User-Agent string contains "katz-ontop", which may indicate Katz Stealer activity.
Sigma rule
title: Katz Stealer Suspicious User-Agent
id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
status: experimental
description: |
    Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.emerging-threats
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'katz-ontop'
    condition: selection
falsepositives:
    - Unlikely
level: high
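The following Python is an added example (not part of the SigmaHQ rule or of the Zeek project) that applies the rule's selection to Zeek http.log records. It parses the TSV form of http.log, where the "#fields" header names the columns and "-" marks an unset field, and then tests user_agent the way Sigma's contains modifier does: as a substring match that is case-insensitive unless |cased is specified. The log lines, uids and addresses are constructed for the example.

```python
"""Apply the rule's selection (user_agent|contains 'katz-ontop') to Zeek http.log.

Added example, not part of the SigmaHQ rule or of Zeek. The sample log below
is constructed; only a subset of the default http.log columns is included.
"""

# Constructed Zeek http.log in TSV form (tabs between columns, "-" = unset).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tuser_agent\tstatus_code\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tstring\tcount\n"
    "1716360000.1\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t80"
    "\tGET\tupdate.example\t/\tMozilla/5.0 (Windows NT 10.0)\t200\n"
    "1716360001.2\tCabc2\t10.0.0.7\t51235\t198.51.100.20\t80"
    "\tPOST\t198.51.100.20\t/gate\tkatz-ontop\t200\n"
    "1716360002.3\tCabc3\t10.0.0.9\t51236\t203.0.113.5\t80"
    "\tGET\t203.0.113.5\t/\t-\t404\n"
    "1716360003.4\tCabc4\t10.0.0.9\t51237\t203.0.113.6\t80"
    "\tGET\tcdn.example\t/a.js\tKATZ-ONTOP/1.0\t200\n"
    "#close\t2024-05-22-08-00-05\n"
)


def parse_zeek_tsv(text, unset="-"):
    """Yield one dict per data line; column names come from the #fields header."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header/footer lines carry no records
        if fields is None:
            raise ValueError("data line seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        # Zeek writes the unset marker for missing fields; treat it as absent.
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def sigma_contains(value, needle, cased=False):
    """Sigma 'contains' semantics: substring match, case-insensitive unless |cased."""
    if value is None:
        return False
    return needle in value if cased else needle.lower() in value.lower()


def katz_ua_hits(text):
    """Return the http.log records matched by the rule's selection."""
    return [
        rec for rec in parse_zeek_tsv(text)
        if sigma_contains(rec.get("user_agent"), "katz-ontop")
    ]


def to_alert(rec):
    """Pivot fields an analyst wants first: connection uid, source, destination, UA."""
    return {
        "uid": rec["uid"],
        "src": rec["id.orig_h"],
        "dst": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
        "user_agent": rec["user_agent"],
    }


if __name__ == "__main__":
    for rec in katz_ua_hits(SAMPLE_HTTP_LOG):
        print(to_alert(rec))
```

Two of the four constructed records match: the bare "katz-ontop" user agent and the upper-cased "KATZ-ONTOP/1.0" variant. The second one is the caveat worth checking when this rule is converted: a backend whose contains translates to a case-sensitive substring match would miss it, so verify the generated query (or the field normalization in your pipeline) lowercases user_agent, or accept that only the exact casing is covered. The record with an unset user_agent ("-") is correctly skipped rather than raising.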
Related rules
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- DNS Query To Katz Stealer Domains
- DNS Query To Katz Stealer Domains - Network
- Outbound Network Connection Initiated By Microsoft Dialer
- Exploit Framework User Agent