SigmaHQ/rules/proxy/proxy_ua_suspicious.yml

title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: experimental
description: Detects suspicious malformed user agent strings in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
author: Florian Roth
date: 2017/07/08
logsource:
    category: proxy
detection:
    selection:
      c-useragent:
        # Badly scripted UA
        - 'user-agent'  # User-Agent: User-Agent:
        - '* (compatible;MSIE *'  # typical typo - missing space
        - '*.0;Windows NT *'  # typical typo - missing space
        - 'Mozilla/3.0 *'
        - 'Mozilla/2.0 *'
        - 'Mozilla/1.0 *'
        - 'Mozilla *'  # missing slash
        - ' Mozilla/*'  # leading space
        - 'Mozila/*'  # single 'l'
        - '_'
        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
    falsepositives:
        c-useragent:
            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
    condition: selection and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`title: Suspicious User Agent`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 7195a772-4b3f-43a4-a210-6a003d65caa1`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`status: experimental`
			`description: Detects suspicious malformed user agent strings in proxy logs`
Change "reference" to "references" to match new schema 2018-01-27 23:12:19 +00:00			`references:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb`
			`author: Florian Roth`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`date: 2017/07/08`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`logsource:`
Fixed rules * Replaced unspecified logsource attribute 'type' with 'category' * Usage of service 'auth' for linux logs 2017-09-10 22:35:52 +00:00			`category: proxy`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`detection:`
			`selection:`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`c-useragent:`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`# Badly scripted UA`
			`- 'user-agent' # User-Agent: User-Agent:`
			`- '* (compatible;MSIE *' # typical typo - missing space`
			`- '.0;Windows NT ' # typical typo - missing space`
			`- 'Mozilla/3.0 *'`
			`- 'Mozilla/2.0 *'`
			`- 'Mozilla/1.0 *'`
			`- 'Mozilla *' # missing slash`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`- ' Mozilla/*' # leading space`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`- 'Mozila/*' # single 'l'`
			`- '_'`
Rule: CertUtil UA https://twitter.com/ItsReallyNick/status/1047151134501216258 2018-10-06 14:47:20 +00:00			`- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912`
Rule: more malicious UAs 2019-02-05 13:32:29 +00:00			`- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/`
rules: teardown implant, apt28 ua 2019-08-30 09:53:55 +00:00			`- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html`
fix: fixed missing date fields in proxy rules 2020-01-30 14:20:52 +00:00			`- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880`
Rule: Fixed false positive in suspicious UA rule 2018-09-04 09:33:05 +00:00			`falsepositives:`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`c-useragent:`
Rule: Fixed false positive in suspicious UA rule 2018-09-04 09:33:05 +00:00			`- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content`
			`condition: selection and not falsepositives`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`- c-uri`
			`- c-useragent`
User-Agent rules split up in separate files 2017-07-08 15:59:05 +00:00			`falsepositives:`
			`- Unknown`
			`level: high`