HTTP Request With Empty User Agent

Detects potentially suspicious empty user agent strings in proxy logs. Could potentially indicate an uncommon request method.

Florian Roth (Nextron Systems) | Created Sat Jul 08 | Updated Sat Nov 27 | 21e44d78-95e7-421b-a464-ffd8395659c4 | web
Log Source
Proxy Log
Category: Proxy Log (raw: proxy)
Detection Logic
1 selector
detection:
    selection:
        # Empty string - as used by PowerShell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
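
The selector above applied to constructed proxy records, as an added example that is not part of the rule or the Sigma project. It follows Sigma's distinction between an empty string ('') and an absent field (null), so only a present-but-empty c-useragent matches. The W3C-style log layout, every field name other than c-useragent, and the optional "-" normalisation are assumptions.

```python
import shlex

# Constructed sample in W3C extended log style (not real traffic).
SAMPLE_LOG = '''\
#Fields: date time c-ip cs-method cs-uri c-useragent sc-status
2024-01-01 10:00:01 10.0.0.5 GET http://example.test/a "Mozilla/5.0 (Windows NT 10.0)" 200
2024-01-01 10:00:02 10.0.0.7 GET http://example.test/b "" 200
2024-01-01 10:00:03 10.0.0.9 GET http://example.test/c - 200
2024-01-01 10:00:04 10.0.0.9 GET http://example.test/d
'''


def parse(log_text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = shlex.split(line)  # a quoted "" survives as an empty token
            # A truncated line simply leaves its trailing fields absent.
            yield dict(zip(fields, values))


def matches_rule(event, dash_is_empty=False):
    """Sigma semantics for  c-useragent: ''  (field present and empty)."""
    if "c-useragent" not in event:
        return False  # absent field is null, which '' does not match
    ua = event["c-useragent"]
    if dash_is_empty and ua == "-":
        return True  # assumed normalisation for proxies that log "-" for no value
    return ua == ""


def detect(log_text, dash_is_empty=False):
    """Return the cs-uri of every record the selector matches."""
    return [e["cs-uri"] for e in parse(log_text)
            if matches_rule(e, dash_is_empty)]


if __name__ == "__main__":
    print("strict:", detect(SAMPLE_LOG))
    print("with '-' normalised:", detect(SAMPLE_LOG, dash_is_empty=True))
```

If the proxy writes a placeholder such as "-" instead of an empty value, the rule as written will not fire on those records unless the field is normalised at ingestion.
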
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
21e44d78-95e7-421b-a464-ffd8395659c4
Status
test
Level
medium
Type
Detection
Created
Sat Jul 08
Modified
Sat Nov 27
Path
rules/web/proxy_generic/proxy_ua_empty.yml
Raw Tags
attack.defense-evasion, attack.command-and-control, attack.t1071.001