rules/web/proxy_generic/proxy_ua_susp.yml

title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: experimental
description: Detects suspicious malformed user agent strings in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017/07/08
modified: 2022/10/31
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent|startswith:
            - 'user-agent'  # User-Agent: User-Agent:
            - 'Mozilla/3.0 '
            - 'Mozilla/2.0 '
            - 'Mozilla/1.0 '
            - 'Mozilla '  # missing slash
            - ' Mozilla/'  # leading space
            - 'Mozila/'  # single 'l'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
        c-useragent|contains:
            - ' (compatible;MSIE '  # typical typo - missing space
            - '.0;Windows NT '  # typical typo - missing space
            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
    selection3:
        c-useragent:
            - '_'
            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
            - 'x'  # Use by Racoon Stealer but could be something else
            - 'xxx'  # Use by Racoon Stealer but could be something else
    falsepositives:
        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
            - '.acrobat.com'
            - '.adobe.com'
            - '.adobe.io'
    condition: 1 of selection* and not falsepositives
fields:
    - ClientIP
    - c-uri
    - c-useragent
    - cs-host
falsepositives:
    - Unknown
level: high
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`title: Suspicious User Agent`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 7195a772-4b3f-43a4-a210-6a003d65caa1`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`status: experimental`
			`description: Detects suspicious malformed user agent strings in proxy logs`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`references:`
			`- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: Florian Roth (Nextron Systems)`
fix: fixed missing date fields in proxy rules 2020-01-30 15:20:52 +01:00			`date: 2017/07/08`
Racoon stealer UAs 2022-10-31 15:55:28 +01:00			`modified: 2022/10/31`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`tags:`
			`- attack.command_and_control`
			`- attack.t1071.001`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`logsource:`
Fixed rules 2017-09-11 00:35:52 +02:00			`category: proxy`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`detection:`
rule: reworked suspicious user agents 2020-09-10 10:33:11 +02:00			`selection1:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`c-useragent\|startswith:`
			`- 'user-agent' # User-Agent: User-Agent:`
			`- 'Mozilla/3.0 '`
			`- 'Mozilla/2.0 '`
			`- 'Mozilla/1.0 '`
			`- 'Mozilla ' # missing slash`
			`- ' Mozilla/' # leading space`
			`- 'Mozila/' # single 'l'`
			`- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488`
rule: reworked suspicious user agents 2020-09-10 10:33:11 +02:00			`selection2:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`c-useragent\|contains:`
			`- ' (compatible;MSIE ' # typical typo - missing space`
			`- '.0;Windows NT ' # typical typo - missing space`
			`- 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg`
rule: reworked suspicious user agents 2020-09-10 10:33:11 +02:00			`selection3:`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`c-useragent:`
			`- '_'`
			`- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912`
			`- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/`
			`- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html`
			`- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880`
add new malicious user agent strings 2022-10-21 16:56:54 +02:00			`- 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report`
Racoon stealer UAs 2022-10-31 15:55:28 +01:00			`- 'x' # Use by Racoon Stealer but could be something else`
			`- 'xxx' # Use by Racoon Stealer but could be something else`
Rule: Fixed false positive in suspicious UA rule 2018-09-04 11:33:05 +02:00			`falsepositives:`
Avoid Adobe related false-positives 2022-08-08 14:03:34 +02:00			`- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content`
Update to use cs-host instead of r-dns 2022-08-11 08:36:23 +02:00			`- cs-host\|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)`
$frack113$ Order yaml field 2022-10-25 10:08:58 +02:00			`- '.acrobat.com'`
			`- '.adobe.com'`
			`- '.adobe.io'`
Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00			`condition: 1 of selection* and not falsepositives`
Added field names to first rules 2017-09-12 23:54:04 +02:00			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-07 00:11:33 +01:00			`- c-uri`
			`- c-useragent`
Update to use cs-host instead of r-dns 2022-08-11 08:36:23 +02:00			`- cs-host`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`falsepositives:`
			`- Unknown`
			`level: high`