SigmaHQ/rules/proxy/proxy_ua_suspicious.yml

title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: experimental
description: Detects suspicious malformed user agent strings in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2021/08/09
references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
logsource:
    category: proxy
detection:
    selection1:
      c-useragent|startswith:
        - 'user-agent'  # User-Agent: User-Agent:
        - 'Mozilla/3.0 '
        - 'Mozilla/2.0 '
        - 'Mozilla/1.0 '
        - 'Mozilla '  # missing slash
        - ' Mozilla/'  # leading space
        - 'Mozila/'  # single 'l'
        - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
      c-useragent|contains:
        - ' (compatible;MSIE '  # typical typo - missing space
        - '.0;Windows NT '  # typical typo - missing space
    selection3:
      c-useragent:
        - '_'
        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
    falsepositives:
        c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
    condition: ( selection1 or selection2 or selection3 ) and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`title: Suspicious User Agent`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 7195a772-4b3f-43a4-a210-6a003d65caa1`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`status: experimental`
			`description: Detects suspicious malformed user agent strings in proxy logs`
			`author: Florian Roth`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`date: 2017/07/08`
$frack113$ Split PR 1802 fix net rules 2021-08-09 15:23:15 +00:00			`modified: 2021/08/09`
Second round 2020-09-15 13:02:30 +00:00			`references:`
			`- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`logsource:`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`category: proxy`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`detection:`
rule: reworked suspicious user agents 2020-09-10 08:33:11 +00:00			`selection1:`
			`c-useragent\|startswith:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- 'user-agent' # User-Agent: User-Agent:`
rule: reworked suspicious user agents 2020-09-10 08:33:11 +00:00			`- 'Mozilla/3.0 '`
			`- 'Mozilla/2.0 '`
			`- 'Mozilla/1.0 '`
			`- 'Mozilla ' # missing slash`
			`- ' Mozilla/' # leading space`
			`- 'Mozila/' # single 'l'`
			`- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488`
			`selection2:`
			`c-useragent\|contains:`
			`- ' (compatible;MSIE ' # typical typo - missing space`
			`- '.0;Windows NT ' # typical typo - missing space`
			`selection3:`
			`c-useragent:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- '_'`
Rule: CertUtil UA https://twitter.com/ItsReallyNick/status/1047151134501216258 2018-10-06 14:47:20 +00:00			`- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912`
Rule: more malicious UAs 2019-02-05 13:32:29 +00:00			`- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/`
rules: teardown implant, apt28 ua 2019-08-30 09:53:55 +00:00			`- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880`
Rule: Fixed false positive in suspicious UA rule 2018-09-04 09:33:05 +00:00			`falsepositives:`
$frack113$ Split PR 1802 fix net rules 2021-08-09 15:23:15 +00:00			`c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content`
rule: reworked suspicious user agents 2020-09-10 08:33:11 +00:00			`condition: ( selection1 or selection2 or selection3 ) and not falsepositives`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`- c-uri`
			`- c-useragent`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071.001`