Rule: more malicious UAs

Florian Roth 2019-02-05 14:32:29 +01:00
parent 3ef930b094
commit abf5a5088e
3 changed files with 3 additions and 0 deletions


@ -39,6 +39,7 @@ detection:
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
condition: selection
fields:
- ClientIP
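Review bot: The KerrDown entry (presumably the added line, as the hunk carries no markers) cites its evidence only as a goo.gl short link, which hides the cited page and stops resolving once the shortener is retired; the other two files in this commit cite the full Unit 42 KerrDown URL, and if that is the same target it should be used here too. The comment should also say what makes the string anomalous so a later reviewer can judge false positives, e.g. `# KerrDown UA: 'Trident/5.0' token is duplicated, unlike a genuine IE9 UA — <full source URL>`. The trailing `*` is a Sigma wildcard, so anything after the second Trident token is accepted; that is fine for this value but worth stating in the comment. The enclosing `selection` list starts above the hunk.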


@ -33,6 +33,7 @@ detection:
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Exploits
- '*wordpress hash grabber*'
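Review bot: The comment on the added Win32 entry says "CobaltStrike" but the cited article is about the KerrDown downloader, so a reader cannot tell whether the UA is a Beacon default or one observed in that campaign, and the third file labels the Win64 variant from the same source as "CobaltStrike Beacon". Use one wording in both files and state the anomaly, e.g. `# CobaltStrike Beacon UA seen in the OceanLotus/KerrDown campaign; 'Win32; x32' is not a token genuine Firefox emits — https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/`. The `selection` list this line belongs to starts above the hunk.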


@ -21,6 +21,7 @@ detection:
- 'Mozila/*' # single 'l'
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
falsepositives:
UserAgent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
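Review bot: The added Win64 entry is the exact prefix of a genuine Firefox 60 user agent, which continues with ` Gecko/20100101 Firefox/60.0`; the only thing separating the Beacon UA from real browser traffic is that missing suffix, so the entry is safe only if the selection field matches exactly (no `contains`/`startswith` modifier and no trailing wildcard). That modifier is set on the selection key above the hunk and cannot be checked here; please confirm it and record the constraint, e.g. `# CobaltStrike Beacon UA — must stay an exact match: real Firefox 60 appends ' Gecko/20100101 Firefox/60.0'`. The same caveat applies to the Win32 variant added in the second file, though that one also carries a non-Firefox `x32` token.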