HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.

Sigma rule (View on GitHub)

title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017/07/08
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium
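
The rule's selection applied to a few constructed proxy records, as an added example that is not part of the Sigma rule or the Sigma project's tooling. It assumes a W3C-extended-style log with a `#Fields:` header and a proxy that writes `-` when no value was logged; those records are reported separately because the selection only matches a literal empty string.

```python
import shlex
from collections import Counter

# Constructed sample records (not real traffic). Field names follow the rule's
# proxy taxonomy; the log layout itself is an assumption made for this example.
SAMPLE_LOG = '''\
#Fields: date time c-ip cs-method c-uri sc-status c-useragent
2017-07-08 10:01:02 10.0.0.5 GET http://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2017-07-08 10:01:09 10.0.0.7 GET http://example.net/a.ps1 200 ""
2017-07-08 10:02:30 10.0.0.9 GET http://example.org/update 200 -
2017-07-08 10:03:11 10.0.0.7 POST http://example.net/submit 200 ""
'''


def parse_proxy_log(text):
    """Yield one dict per record, named by the most recent #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = shlex.split(line)  # keeps "" as an empty-string value
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def matches_selection(event):
    """The rule's selection: c-useragent is exactly the empty string.
    A record that lacks the field entirely does not match."""
    return event.get("c-useragent") == ""


def triage(events):
    """Split events into rule hits and '-' placeholders worth a manual look."""
    hits, placeholders = [], []
    for ev in events:
        if matches_selection(ev):
            hits.append(ev)
        elif ev.get("c-useragent") == "-":  # assumed "no value" marker
            placeholders.append(ev)
    return hits, placeholders


def hits_per_client(hits):
    """Count rule hits per client IP to prioritise hosts for follow-up."""
    return Counter(ev["c-ip"] for ev in hits)


if __name__ == "__main__":
    hits, placeholders = triage(parse_proxy_log(SAMPLE_LOG))
    print(hits_per_client(hits), len(placeholders))
```

If the proxy or log pipeline normalises an absent User-Agent header to `-` or drops the field, the selection as written will not fire on those records, so check how the source represents the empty case before relying on the rule.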
