From 67dfd729fd0945cce6528fc23e0dd4c9788ae835 Mon Sep 17 00:00:00 2001
From: Florian Roth <florian.roth@bsk-consulting.de>
Date: Thu, 12 Dec 2019 10:42:23 +0100
Subject: [PATCH] rule: extended Proxy UA suspicious rule

---
 rules/proxy/proxy_ua_suspicious.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/proxy/proxy_ua_suspicious.yml b/rules/proxy/proxy_ua_suspicious.yml
index 19e5ea4ab..1caec5485 100644
--- a/rules/proxy/proxy_ua_suspicious.yml
+++ b/rules/proxy/proxy_ua_suspicious.yml
@@ -24,6 +24,7 @@ detection:
         - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
         - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
         - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
+        - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880 
     falsepositives:
         c-useragent:
             - 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content