security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rule: extended Proxy UA suspicious rule

Browse Source
This commit is contained in:
Florian Roth
2019-12-12 10:42:23 +01:00
parent c25b902add
commit 67dfd729fd
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/proxy/proxy_ua_suspicious.yml
+1
View File
@@ -24,6 +24,7 @@ detection:
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
falsepositives:
c-useragent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content