Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Sigma rule

title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022-01-23
modified: 2023-01-02
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-WebRequest'
            - '-UserAgent '
    condition: selection
falsepositives:
    - Unknown
level: medium
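To show what the selection above actually matches, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's `contains|all` logic over a few constructed Script Block Logging events (Event ID 4104). The `ScriptBlockEvent` class and the sample events are assumptions for illustration; Sigma's `contains` modifier is case-insensitive unless `|cased` is added, which the matcher reproduces.

```python
"""Added example: apply this rule's ScriptBlockText|contains|all selection
to constructed PowerShell Script Block Logging events (Event ID 4104).
Not part of the Sigma project; all events below are constructed samples."""
from dataclasses import dataclass

# The two substrings from the rule's selection. Note the trailing space in
# '-UserAgent ': the rule expects an argument to follow the parameter name.
SELECTION_CONTAINS_ALL = ("Invoke-WebRequest", "-UserAgent ")


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a 4104 event (assumed shape); only the fields
    the rule needs are modelled."""
    event_id: int
    script_block_text: str


def matches_rule(event: ScriptBlockEvent) -> bool:
    """True when every selection substring appears in ScriptBlockText.

    Sigma string modifiers are case-insensitive by default, so both the
    event text and the selection values are lower-cased before comparing.
    The ps_script logsource maps to Event ID 4104, so other IDs are ignored.
    """
    if event.event_id != 4104:
        return False
    text = event.script_block_text.lower()
    return all(needle.lower() in text for needle in SELECTION_CONTAINS_ALL)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "Invoke-WebRequest -Uri http://example.invalid/ "
                           "-UserAgent 'Mozilla/5.0 (Windows NT 10.0)'"),
    ScriptBlockEvent(4104, "invoke-webrequest -useragent $ua -uri $u"),
    ScriptBlockEvent(4104, "Invoke-WebRequest -Uri http://example.invalid/"),
    ScriptBlockEvent(4104, "Get-Process | Where-Object CPU -gt 100"),
    ScriptBlockEvent(4103, "Invoke-WebRequest -UserAgent 'x' -Uri $u"),
]


def alerts(events) -> list[str]:
    """Return the ScriptBlockText of every event the rule would flag."""
    return [e.script_block_text for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("MATCH (level: medium):", hit)
```

The third sample (no -UserAgent) and the fourth (no web request) show why the rule needs both substrings, and the last shows that a non-4104 event is outside the ps_script logsource.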
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern