Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Sigma rule (View on GitHub)
1title: Suspicious Base64 Encoded User-Agent
2id: d443095b-a221-4957-a2c4-cd1756c9b747
3related:
4 - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
5 type: derived
6status: test
7description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
8references:
9 - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-05-04
12tags:
13 - attack.command-and-control
14 - attack.t1071.001
15logsource:
16 category: proxy
17detection:
18 selection:
19 c-useragent|startswith:
20 - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
21 - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
22 - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
23 - 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot)
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
The User-Agent (UA) string is contained in the HTTP headers and is intended to identify devices requesting online content. The User-Agent tells the server what the visiting device is (among many ot...
Read More
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern