Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
Sigma rule (View on GitHub)
```yaml
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
  - id: d443095b-a221-4957-a2c4-cd1756c9b747
    type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
  - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
  - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
  - attack.command-and-control
  - attack.t1071.001
logsource:
  category: proxy
detection:
  selection:
    c-useragent|endswith: '='
  condition: selection
falsepositives:
  - Unknown
level: medium
```
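The following is an added example, not part of the Sigma rule or the SigmaHQ project: it applies the rule's single selection (`c-useragent|endswith: '='`) to a constructed tab-separated proxy log and, as a triage aid that the rule itself does not include, records whether the flagged value strictly decodes as base64. The log lines, IP addresses and user agents are constructed sample data; the `run_detection` helper and its output fields are assumptions for illustration.

```python
import base64
import binascii
import csv
import io

# Constructed sample proxy log (tab-separated, W3C-style field names).
# The third and fifth records end with '=' and should match the rule.
SAMPLE_PROXY_LOG = (
    "c-ip\tcs-host\tc-useragent\n"
    "10.0.0.5\twww.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36\n"
    "10.0.0.7\tcdn.example.net\tcurl/8.1.2\n"
    "10.0.0.9\t203.0.113.10\tSG9zdE5hbWU6V0lOLTAxfFVzZXI6YWRtaW4=\n"
    "10.0.0.11\t198.51.100.20\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\n"
    "10.0.0.13\t203.0.113.44\tMozilla/5.0 (compatible; custom-agent)=\n"
)


def matches_rule(useragent: str) -> bool:
    """The Sigma selection from the rule: c-useragent|endswith: '='."""
    return useragent.endswith("=")


def try_base64_decode(useragent: str):
    """Triage helper (an addition, not part of the rule): strict base64 decode.

    validate=True rejects any character outside the base64 alphabet, so a
    normal browser UA that happens to end in '=' is reported as not decodable.
    Returns the decoded bytes, or None when the value is not well-formed base64.
    """
    try:
        return base64.b64decode(useragent, validate=True)
    except (binascii.Error, ValueError):
        return None


def run_detection(log_text: str) -> list:
    """Evaluate the rule over every record and return the matching rows."""
    hits = []
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    for row in reader:
        ua = row.get("c-useragent", "")
        if not matches_rule(ua):
            continue
        decoded = try_base64_decode(ua)
        hits.append({
            "c-ip": row["c-ip"],
            "cs-host": row["cs-host"],
            "c-useragent": ua,
            "rule": "Potential Base64 Encoded User-Agent",
            "level": "medium",
            # Extra context for the analyst; the rule fires on the '=' suffix alone.
            "decodes_as_base64": decoded is not None,
            "decoded_preview": (
                decoded.decode("utf-8", errors="replace")[:40] if decoded else None
            ),
        })
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_PROXY_LOG):
        print(hit)
```

Both records that end with `=` are returned, which is exactly the rule's behaviour; the `decodes_as_base64` field only separates the one that is well-formed base64 from the one that merely ends with the padding character, so it is a triage hint for the "Unknown" false positives noted in the rule, not a change to the detection itself.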
References
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern