HTTP Request With Empty User Agent
Detects potentially suspicious empty user agent strings in proxy logs. This could indicate an uncommon request method.
Sigma rule

```yaml
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
```
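The rule's selection applied to sample proxy log lines, as an added example that is not part of the rule or the Sigma project. The log layout, the sample values, the function names and the optional handling of a `-` placeholder are assumptions made for illustration; the point is that `c-useragent: ''` matches a present-but-empty field, not a missing field or a proxy's `-` placeholder.

```python
import shlex

# Constructed sample proxy log in a W3C-extended style (assumed layout);
# every value below is made up for this example.
SAMPLE_LOG = '''\
#Fields: date time c-ip cs-method cs-host cs-uri-path sc-status c-useragent
2024-01-10 09:00:01 10.0.0.5 GET example.test /index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-01-10 09:00:07 10.0.0.8 GET files.example.test /a.ps1 200 ""
2024-01-10 09:00:09 10.0.0.9 POST api.example.test /v1/ping 204 -
2024-01-10 09:00:12 10.0.0.8 GET files.example.test /b.txt 200 ""
'''

def parse_events(text):
    """Yield one dict per log line, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = shlex.split(line)  # a quoted "" survives as an empty string
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def selection(event, dash_is_empty=False):
    """Mirror of `c-useragent: ''`: the field is present and is the empty string."""
    ua = event.get("c-useragent")
    if ua is None:  # missing field: not the same thing as an empty string
        return False
    if dash_is_empty and ua == "-":  # assumption: proxy logs "-" when no header was sent
        return True
    return ua == ""

def detect(text, dash_is_empty=False):
    """Return every parsed event that satisfies the selection."""
    return [e for e in parse_events(text) if selection(e, dash_is_empty)]

def hits_per_client(hits):
    """Count matches per client IP to help triage repeat sources."""
    counts = {}
    for e in hits:
        counts[e["c-ip"]] = counts.get(e["c-ip"], 0) + 1
    return counts

if __name__ == "__main__":
    print(hits_per_client(detect(SAMPLE_LOG)))
```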
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- HackTool - Empire UserAgent URI Combo