SigmaHQ/rules/proxy/proxy_ua_suspicious.yml

title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: experimental
description: Detects suspicious malformed user agent strings in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
references:
    - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
logsource:
    category: proxy
detection:
    selection:
      c-useragent:
        # Badly scripted UA
        - 'user-agent'  # User-Agent: User-Agent:
        - '* (compatible;MSIE *'  # typical typo - missing space
        - '*.0;Windows NT *'  # typical typo - missing space
        - 'Mozilla/3.0 *'
        - 'Mozilla/2.0 *'
        - 'Mozilla/1.0 *'
        - 'Mozilla *'  # missing slash
        - ' Mozilla/*'  # leading space
        - 'Mozila/*'  # single 'l'
        - '_'
        - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
        - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
    falsepositives:
        c-useragent:
            - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
    condition: selection and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
    - attack.t1071.001