HTTP Request With Empty User Agent
Detects potentially suspicious empty user agent strings in proxy logs. This could indicate an uncommon request method.
Sigma rule

```yaml
title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
```
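The rule's selection applied to proxy log lines, as an added example that is not part of the Sigma project's code. The sample log, its field layout (`c-ip`, `cs-method`, `c-uri`) and the `dash_is_empty` switch are constructed for illustration; the switch covers the assumption that a log source writes `-` where the header was empty, which the rule as written does not match unless the ingestion pipeline normalizes it.

```python
import shlex

# Constructed sample in a W3C-extended-style layout (not real traffic).
SAMPLE_LOG = '''\
#Fields: date time c-ip cs-method c-uri c-useragent
2024-05-01 10:00:01 10.0.0.5 GET http://example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-01 10:00:07 10.0.0.8 GET http://example.net/a.ps1 ""
2024-05-01 10:00:09 10.0.0.9 GET http://example.org/b.txt -
#Fields: date time c-ip cs-method c-uri
2024-05-01 10:00:12 10.0.0.7 GET http://example.org/c.txt
'''


def parse_events(text):
    """Yield one dict per log line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#'):
            # shlex keeps a quoted user agent as one token and "" as an empty token
            yield dict(zip(fields, shlex.split(line)))


def matches_selection(event, dash_is_empty=False):
    """Apply `c-useragent: ''`: the field must be present and equal the empty string."""
    ua = event.get('c-useragent')
    if ua is None:
        return False  # field not logged at all: null, which '' does not match
    if dash_is_empty and ua == '-':
        ua = ''       # assumed normalization of a '-' placeholder (hypothetical option)
    return ua == ''


def detect(text, dash_is_empty=False):
    """Return the client IPs of all events that satisfy the selection."""
    return [e['c-ip'] for e in parse_events(text)
            if matches_selection(e, dash_is_empty)]


if __name__ == '__main__':
    print('strict match:     ', detect(SAMPLE_LOG))
    print('with "-" as empty:', detect(SAMPLE_LOG, dash_is_empty=True))
```

Comparing the two result lists on your own proxy data shows whether empty user agents are being lost to placeholder values before the rule ever sees them.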
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy
- HackTool - Empire UserAgent URI Combo