Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Sigma rule
```yaml
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2025-07-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_webrequest:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a variable
            - 'iwr '
    selection_useragent:
        ScriptBlockText|contains: '-UserAgent '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
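To see what the two selections and the `all of selection_*` condition actually match, here is an added reference implementation of the rule's logic (example code, not part of the SigmaHQ rule or its tooling) run over constructed ScriptBlockText samples; the `Send-Report` cmdlet in one sample is hypothetical.

```python
"""Reference implementation of the rule's matching logic, run over
constructed Script Block Logging (Event ID 4104) ScriptBlockText samples."""

# The two selections, copied from the rule's detection section.
WEBREQUEST_TOKENS = ("Invoke-WebRequest", "Invoke-RestMethod", " irm ", "iwr ")
USERAGENT_TOKEN = "-UserAgent "


def matches_rule(script_block_text: str) -> bool:
    """True when a ScriptBlockText satisfies 'all of selection_*'.

    Sigma's |contains modifier is case-insensitive by default, so both sides
    are lower-cased. The surrounding spaces in ' irm ' and the trailing space
    in 'iwr ' are part of the match: that is how the rule skips a variable
    such as $irm while still catching the alias used as a command.
    """
    text = script_block_text.lower()
    hit_webrequest = any(tok.lower() in text for tok in WEBREQUEST_TOKENS)
    hit_useragent = USERAGENT_TOKEN.lower() in text
    return hit_webrequest and hit_useragent


# Constructed script blocks (not real telemetry) covering each branch.
SAMPLES = {
    "iwr_alias_with_ua": "iwr -Uri http://example.invalid/c -UserAgent 'Mozilla/5.0'",
    "irm_alias_with_ua": "$r = irm -UserAgent $ua http://example.invalid/x",
    "cmdlet_upper_case": "INVOKE-WEBREQUEST -USERAGENT 'curl/8.0' -URI $u",
    "cmdlet_without_ua": "Invoke-WebRequest -Uri http://example.invalid -OutFile a.bin",
    # $irm is a variable, not the alias: the spaces around ' irm ' exclude it.
    "irm_as_variable": "$irm = 'Mozilla'; Send-Report -Data $d -UserAgent $irm",
    "no_web_cmdlet": "Get-Process | Where-Object { $_.Name -eq 'pwsh' }",
}


def scan(samples: dict) -> list:
    """Return the names of the samples the rule would alert on, in order."""
    return [name for name, text in samples.items() if matches_rule(text)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("ALERT", name)
```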
Related rules
- APT40 Dropbox Tool User Agent
- Chafer Malware URL Pattern
- ComRAT Network Communication
- Ursnif Malware C2 URL Pattern
- Ursnif Malware Download URL Pattern