Suspicious User Agent

calendar Oct 18, 2023 · attack.command_and_control attack.t1071.001  ·
Share on: linkedin copy

Detects suspicious malformed user agent strings in proxy logs

Sigma rule (View on GitHub)

 1title: Suspicious User Agent
 2id: 7195a772-4b3f-43a4-a210-6a003d65caa1
 3status: test
 4description: Detects suspicious malformed user agent strings in proxy logs
 5references:
 6    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 7author: Florian Roth (Nextron Systems)
 8date: 2017/07/08
 9modified: 2022/10/31
10tags:
11    - attack.command_and_control
12    - attack.t1071.001
13logsource:
14    category: proxy
15detection:
16    selection1:
17        c-useragent|startswith:
18            - 'user-agent'  # User-Agent: User-Agent:
19            - 'Mozilla/3.0 '
20            - 'Mozilla/2.0 '
21            - 'Mozilla/1.0 '
22            - 'Mozilla '  # missing slash
23            - ' Mozilla/'  # leading space
24            - 'Mozila/'  # single 'l'
25            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
26    selection2:
27        c-useragent|contains:
28            - ' (compatible;MSIE '  # typical typo - missing space
29            - '.0;Windows NT '  # typical typo - missing space
30            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
31    selection3:
32        c-useragent:
33            - '_'
34            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
35            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
36            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
37            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
38            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
39            - 'x'  # Use by Racoon Stealer but could be something else
40            - 'xxx'  # Use by Racoon Stealer but could be something else
41    falsepositives:
42        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
43        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
44              - '.acrobat.com'
45              - '.adobe.com'
46              - '.adobe.io'
47    condition: 1 of selection* and not falsepositives
48falsepositives:
49    - Unknown
50level: high

References

Related rules

to-top