Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Sigma rule

```yaml
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/04
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium
```
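The rule's "offset to not include padding" means each prefix is only the base64 characters that are fully determined by the plaintext token itself, so it matches any encoded User-Agent that begins with that token, whatever follows. The example below is added here and is not part of the Sigma rule or the page: it derives those prefixes from the plaintext tokens, applies the same `startswith` check to constructed proxy records (log layout and addresses are made up), and decodes a hit for triage.

```python
import base64

# Prefixes from the Sigma rule above (c-useragent|startswith).
RULE_PREFIXES = ("Q2hyb21l", "QXBwbGVXZWJLaX", "RGFsdmlr", "TW96aWxsY")


def stable_b64_prefix(token: str) -> str:
    """Return the base64 characters of `token` that depend only on its own bytes.
    Base64 maps 3 bytes to 4 chars; a trailing remainder of 1 or 2 bytes fixes
    only 1 or 2 chars, the rest depends on what follows (or on '=' padding).
    Matching this prefix catches any encoded User-Agent that starts with `token`."""
    raw = token.encode()
    full, rem = divmod(len(raw), 3)
    encoded = base64.b64encode(raw).decode()
    return encoded[: full * 4 + rem]  # rem 0 -> 0, 1 -> 1, 2 -> 2 extra chars


def matches_rule(user_agent: str, prefixes=RULE_PREFIXES) -> bool:
    """Equivalent of the rule's `c-useragent|startswith` selection."""
    return any(user_agent.startswith(p) for p in prefixes)


def decode_user_agent(user_agent: str) -> str:
    """Decode a flagged value for triage, restoring padding the sender may have dropped."""
    padded = user_agent + "=" * (-len(user_agent) % 4)
    return base64.b64decode(padded, validate=True).decode(errors="replace")


# Constructed sample proxy records (not from the page): a plaintext UA,
# a fully base64-encoded UA with padding, and one with padding stripped.
SAMPLE_LOG = [
    "2023-05-04T10:00:01 10.0.0.5 GET http://example.test/ Mozilla/5.0 (Windows NT 10.0)",
    "2023-05-04T10:00:02 10.0.0.7 GET http://example.test/ "
    + base64.b64encode(b"Mozilla/5.0").decode(),
    "2023-05-04T10:00:03 10.0.0.9 GET http://example.test/ "
    + base64.b64encode(b"Chrome/113").decode().rstrip("="),
]


def scan_log(lines):
    """Return (client, decoded_ua) for records whose UA field trips the rule.
    Assumes the constructed layout: timestamp, client, method, url, then UA."""
    hits = []
    for line in lines:
        _ts, client, _method, _url, ua = line.split(" ", 4)
        if matches_rule(ua):
            hits.append((client, decode_user_agent(ua)))
    return hits
```

Only an encoded User-Agent whose encoding starts at the token is caught; a token that appears later in the encoded value lands on a different base64 alignment and will not match these prefixes.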
