
Suspicious User Agent

Detects suspicious malformed user agent strings in proxy logs

Author
Florian Roth (Nextron Systems)
Log Source
Proxy Log
Category
Proxy Log (raw: proxy)
Detection Logic
detection:
    selection1:
        c-useragent|startswith:
            - 'user-agent'  # User-Agent: User-Agent:
            - 'Mozilla/3.0 '
            - 'Mozilla/2.0 '
            - 'Mozilla/1.0 '
            - 'Mozilla '  # missing slash
            - ' Mozilla/'  # leading space
            - 'Mozila/'  # single 'l'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
        c-useragent|contains:
            - ' (compatible;MSIE '  # typical typo - missing space
            - '.0;Windows NT '  # typical typo - missing space
            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
    selection3:
        c-useragent:
            - '_'
            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
            - 'x'  # Used by Raccoon Stealer but could be something else
            - 'xxx'  # Used by Raccoon Stealer but could be something else
    falsepositives:
        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
              - '.acrobat.com'
              - '.adobe.com'
              - '.adobe.io'
    condition: 1 of selection* and not falsepositives
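To see how the three selections and the exclusion list combine, here is an added Python example that is not part of this page or of the Sigma project's code. It applies the rule's condition, "1 of selection* and not falsepositives", to a handful of constructed proxy records. The selector values are copied from the rule above; the record field names follow the rule's own c-useragent and cs-host fields; the sample user agents and host names are invented for the demonstration. String matching is case-insensitive, which is Sigma's default for plain values and modifiers.

```python
"""Added example: evaluate the suspicious user agent Sigma rule over
constructed proxy log records (not the Sigma project's own code)."""
import re

# Selector values copied from the rule above.
SELECTION1_STARTSWITH = [
    "user-agent",
    "Mozilla/3.0 ",
    "Mozilla/2.0 ",
    "Mozilla/1.0 ",
    "Mozilla ",
    " Mozilla/",
    "Mozila/",
    "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol",
]
SELECTION2_CONTAINS = [" (compatible;MSIE ", ".0;Windows NT ", "loader"]
SELECTION3_EXACT = [
    "_",
    "CertUtil URL Agent",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)",
    "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "HTTPS",
    "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a",
    "x",
    "xxx",
]
FALSEPOSITIVE_UA_WILDCARD = "Mozilla/3.0 * Acrobat *"
FALSEPOSITIVE_HOST_ENDSWITH = [".acrobat.com", ".adobe.com", ".adobe.io"]


def wildcard_to_regex(pattern):
    """Translate a Sigma value with '*' / '?' wildcards into an anchored,
    case-insensitive regex; every other character is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


FALSEPOSITIVE_UA_RE = wildcard_to_regex(FALSEPOSITIVE_UA_WILDCARD)


def matched_selection(ua):
    """Name of the first selection the user agent satisfies, or None.
    The condition is '1 of selection*', so one selection is enough."""
    lowered = ua.lower()
    if any(lowered.startswith(v.lower()) for v in SELECTION1_STARTSWITH):
        return "selection1"
    if any(v.lower() in lowered for v in SELECTION2_CONTAINS):
        return "selection2"
    if any(lowered == v.lower() for v in SELECTION3_EXACT):
        return "selection3"
    return None


def is_false_positive(ua, host):
    """The falsepositives list is OR-ed: the Acrobat UA pattern or an Adobe
    destination host is enough to suppress a hit."""
    if FALSEPOSITIVE_UA_RE.match(ua):
        return True
    lowered_host = host.lower()
    return any(lowered_host.endswith(s.lower()) for s in FALSEPOSITIVE_HOST_ENDSWITH)


def evaluate(record):
    """Apply '1 of selection* and not falsepositives' to one record.
    Returns the matching selection name when the rule fires, else None."""
    ua = record.get("c-useragent", "")
    host = record.get("cs-host", "")
    sel = matched_selection(ua)
    if sel is None or is_false_positive(ua, host):
        return None
    return sel


def scan(records):
    """Return (index, selection, user agent) for every record the rule fires on."""
    hits = []
    for i, rec in enumerate(records):
        sel = evaluate(rec)
        if sel:
            hits.append((i, sel, rec["c-useragent"]))
    return hits


# Constructed sample proxy records, not real telemetry.
SAMPLE_RECORDS = [
    {"c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
     "cs-host": "www.example.com"},  # 0: ordinary browser, no match
    {"c-useragent": "Mozilla/4.0 (compatible;MSIE 7.0; Windows NT 6.1)", "cs-host": "cdn.example.net"},  # 1: missing space after ';'
    {"c-useragent": "CertUtil URL Agent", "cs-host": "files.example.org"},  # 2: exact selection3 value
    {"c-useragent": "Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)", "cs-host": "updates.adobe.com"},  # 3: suppressed by host
    {"c-useragent": "Mozila/5.0 (Windows NT 10.0)", "cs-host": "api.example.com"},  # 4: single 'l'
    {"c-useragent": "Mozilla/3.0 (Linux) Acrobat Reader", "cs-host": "updates.example.net"},  # 5: suppressed by Acrobat UA pattern
    {"c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0",
     "cs-host": "www.example.com"},  # 6: real Firefox UA is longer than the exact value, no match
    {"c-useragent": "x", "cs-host": "198.51.100.7"},  # 7: one-character UA
]

if __name__ == "__main__":
    for idx, sel, ua in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {sel} <- {ua!r}")
```

Two points worth noticing when reading the output: record 3 and record 5 satisfy selection1 but are dropped by the exclusion list, and record 6 shows why the selection3 values are exact matches rather than substrings, since the genuine Firefox 60 user agent continues past the value the rule lists and therefore does not fire.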
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
7195a772-4b3f-43a4-a210-6a003d65caa1
Status
test
Level
high
Type
Detection
Created
Sat Jul 08
Modified
Mon Oct 31
Path
rules/web/proxy_generic/proxy_ua_susp.yml
Raw Tags
attack.command-and-control, attack.t1071.001