Change User Agents with WebRequest

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Sigma rule (View on GitHub)

 1title: Change User Agents with WebRequest
 2id: d4488827-73af-4f8d-9244-7b7662ef046e
 3status: test
 4description: |
 5    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
 6    Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 9author: frack113
10date: 2022-01-23
11modified: 2023-01-02
12tags:
13    - attack.command-and-control
14    - attack.t1071.001
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection:
21        ScriptBlockText|contains|all:
22            - 'Invoke-WebRequest'
23            - '-UserAgent '
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top