2017-07-08 15:59:05 +00:00
|
|
|
title: Malware User Agent
|
2019-11-12 22:12:27 +00:00
|
|
|
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
|
2017-07-08 15:59:05 +00:00
|
|
|
status: experimental
|
|
|
|
|
description: Detects suspicious user agent strings used by malware in proxy logs
|
2020-09-15 13:02:30 +00:00
|
|
|
author: Florian Roth
|
|
|
|
|
date: 2017/07/08
|
|
|
|
|
modified: 2020/09/03
|
2018-01-27 23:12:19 +00:00
|
|
|
references:
|
2017-07-08 15:59:05 +00:00
|
|
|
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
|
|
|
|
|
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
|
|
|
|
|
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
|
|
|
|
|
- https://perishablepress.com/blacklist/ua-2013.txt
|
|
|
|
|
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
|
|
|
|
|
logsource:
|
2017-09-10 22:35:52 +00:00
|
|
|
category: proxy
|
2017-07-08 15:59:05 +00:00
|
|
|
detection:
|
|
|
|
|
selection:
|
2019-12-06 23:11:33 +00:00
|
|
|
c-useragent:
|
2017-07-08 15:59:05 +00:00
|
|
|
# RATs
|
|
|
|
|
- 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DargonOK
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)' # Used by PlugX - old - https://goo.gl/Yfjtk5
|
|
|
|
|
- 'HttpBrowser/1.0' # HTTPBrowser RAT
|
|
|
|
|
- '*<|>*' # Houdini / Iniduoh / njRAT
|
|
|
|
|
- 'nsis_inetc (mozilla)' # ZeroAccess
|
|
|
|
|
- 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
|
2018-02-03 13:47:04 +00:00
|
|
|
# Ghost419 https://goo.gl/rW1yvZ
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
|
|
|
|
|
|
2017-07-08 15:59:05 +00:00
|
|
|
# Malware
|
|
|
|
|
- '*zeroup*' # W32/Renos.Downloader
|
|
|
|
|
- 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
|
|
|
|
|
- '* adlib/*' # https://goo.gl/gcAHoh
|
|
|
|
|
- '* tiny' # Trojan Downloader
|
|
|
|
|
- '* BGroom *' # Trojan Downloader
|
|
|
|
|
- '* changhuatong'
|
|
|
|
|
- '* CholTBAgent'
|
|
|
|
|
- 'Mozilla/5.0 WinInet'
|
|
|
|
|
- 'RookIE/1.0'
|
|
|
|
|
- 'M' # HkMain
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
|
|
|
|
|
- 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
|
|
|
|
|
- 'backdoorbot'
|
|
|
|
|
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
|
|
|
|
|
- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
|
|
|
|
|
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
|
|
|
|
|
- 'Opera' # Trojan Keragany
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
|
|
|
|
|
- 'MSIE' # Toby web shell
|
2018-02-12 09:08:32 +00:00
|
|
|
- '*(Charon; Inferno)' # Loki Bot
|
2018-03-01 08:28:04 +00:00
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
|
2018-10-10 13:27:44 +00:00
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
|
2018-12-17 13:18:03 +00:00
|
|
|
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
|
2019-10-26 12:20:29 +00:00
|
|
|
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
|
2019-11-12 07:52:37 +00:00
|
|
|
# Ursnif
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
|
2020-02-08 09:37:56 +00:00
|
|
|
# Emotet
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
|
2020-01-30 14:20:52 +00:00
|
|
|
# Others
|
2017-07-08 15:59:05 +00:00
|
|
|
- '* pxyscand*'
|
|
|
|
|
- '* asd'
|
|
|
|
|
- '* mdms'
|
|
|
|
|
- 'sample'
|
|
|
|
|
- 'nocase'
|
|
|
|
|
- 'Moxilla'
|
|
|
|
|
- 'Win32 *'
|
|
|
|
|
- '*Microsoft Internet Explorer*'
|
|
|
|
|
- 'agent *'
|
|
|
|
|
- 'AutoIt' # Suspicious - base-lining recommended
|
|
|
|
|
- 'IczelionDownLoad'
|
2021-07-28 14:20:21 +00:00
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
|
2017-07-08 15:59:05 +00:00
|
|
|
condition: selection
|
2017-09-12 21:54:04 +00:00
|
|
|
fields:
|
|
|
|
|
- ClientIP
|
2019-12-06 23:11:33 +00:00
|
|
|
- c-uri
|
|
|
|
|
- c-useragent
|
2017-07-08 15:59:05 +00:00
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: high
|
2020-09-15 13:02:30 +00:00
|
|
|
tags:
|
|
|
|
|
- attack.command_and_control
|
|
|
|
|
- attack.t1071.001
|
