Rule: CertUtil UA

https://twitter.com/ItsReallyNick/status/1047151134501216258
2024-11-06 17:35:19 +00:00 · 2018-10-06 16:47:20 +02:00 · 2018-10-06 16:47:20 +02:00 · 54678fcb36
commit 54678fcb36
parent 4eeb07a736
1 changed files with 1 additions and 0 deletions
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@ -20,6 +20,7 @@ detection:
        - ' Mozilla/*'  # leading space 
        - 'Mozila/*'  # single 'l'
        - '_'
+        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
    falsepositives:
        UserAgent:
            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content