diff --git a/detections/web/http_suspicious_tool_user_agent.yml b/detections/deprecated/http_suspicious_tool_user_agent.yml similarity index 99% rename from detections/web/http_suspicious_tool_user_agent.yml rename to detections/deprecated/http_suspicious_tool_user_agent.yml index 18edad51c2..494ffd4753 100644 --- a/detections/web/http_suspicious_tool_user_agent.yml +++ b/detections/deprecated/http_suspicious_tool_user_agent.yml @@ -1,9 +1,9 @@ name: HTTP Suspicious Tool User Agent id: 1ca76190-4997-4d19-b5bc-9e220b70c7d3 -version: 1 +version: 2 date: '2025-10-09' author: Raven Tait, Splunk -status: production +status: deprecated type: Anomaly description: This Splunk query analyzes web access logs to identify and categorize non-browser user agents, detecting various types of security tools, scripting languages, diff --git a/detections/network/http_c2_framework_user_agent.yml b/detections/network/http_c2_framework_user_agent.yml new file mode 100644 index 0000000000..1f7ef40276 --- /dev/null +++ b/detections/network/http_c2_framework_user_agent.yml 
@@ -0,0 +1,80 @@ +name: HTTP C2 Framework User Agent +id: 229dc225-6abe-4d28-89fd-edf874086162 +version: 1 +date: '2025-12-15' +author: Ravent Tait, Splunk +status: production +type: TTP +description: This Splunk query analyzes web logs to identify and categorize + user agents, detecting various types of c2 frameworks. This activity can signify malicious actors + attempting to interact with hosts on the network using known default configurations of command + and control tools. +data_source: +- Suricata +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest + | `drop_dm_object_name("Web")` + | lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description + | where isnotnull(tool) + | stats count min(firstTime) as first_seen max(lastTime) as last_seen + by tool url http_user_agent src dest description + | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)` + | `http_c2_framework_user_agent_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed. 
+references: +- https://github.com/BC-SECURITY/Malleable-C2-Profiles +- https://www.keysight.com/blogs/en/tech/nwvs/2021/07/28/koadic-c3-command-control-decoded +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv +drilldown_searches: +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known C2 Framework user agent $http_user_agent$ was performing a request from $src$ to $dest$. + risk_objects: + - field: src + type: system + score: 60 + threat_objects: + - field: http_user_agent + type: http_user_agent + - field: dest + type: system +tags: + analytic_story: + - Cobalt Strike + - Brute Ratel C4 + - Tuoni + - Meterpreter + - Spearphishing Attachments + - Malicious PowerShell + - BishopFox Sliver Adversary Emulation Framework + - Suspicious User Agents + asset_type: Network + mitre_attack_id: + - T1071.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log + sourcetype: suricata + source: suricata 
diff --git a/detections/network/http_malware_user_agent.yml b/detections/network/http_malware_user_agent.yml new file mode 100644 index 0000000000..cf8685af10 --- /dev/null +++ b/detections/network/http_malware_user_agent.yml 
@@ -0,0 +1,73 @@ +name: HTTP Malware User Agent +id: 8c4866e4-f488-4253-8537-7dc4f954c292 +version: 1 +date: '2025-12-16' +author: Raven Tait, Splunk +status: production +type: TTP +description: This Splunk query analyzes web logs to identify and categorize + user agents, detecting various types of malware. This activity can signify possible + compromised hosts on the network. +data_source: +- Suricata +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest + | `drop_dm_object_name("Web")` + | lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware + | where isnotnull(malware) + | stats count min(firstTime) as first_seen max(lastTime) as last_seen + by malware url http_user_agent src dest + | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)` + | `http_malware_user_agent_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed. 
+references: +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv +drilldown_searches: +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known malware user agent $http_user_agent$ was performing a request from $src$. + risk_objects: + - field: src + type: system + score: 45 + threat_objects: + - field: http_user_agent + type: http_user_agent +tags: + analytic_story: + - Lokibot + - Lumma Stealer + - Meduza Stealer + - Crypto Stealer + - RedLine Stealer + - Suspicious User Agents + asset_type: Network + mitre_attack_id: + - T1071.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_malware.log + sourcetype: suricata + source: suricata diff --git a/detections/network/http_pua_user_agent.yml b/detections/network/http_pua_user_agent.yml new file mode 100644 index 0000000000..2e16e1e4df --- /dev/null +++ b/detections/network/http_pua_user_agent.yml 
@@ -0,0 +1,73 @@ +name: HTTP PUA User Agent +id: 21af5447-734f-4549-956b-7a255cb2b032 +version: 1 +date: '2025-12-17' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: This Splunk query analyzes web logs to identify and categorize user agents, + detecting various types of unwanted applications. This activity can signify possible + compromised hosts on the network. +data_source: +- Suricata +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest + | `drop_dm_object_name("Web")` + | lookup pua_user_agents pua_user_agent AS http_user_agent OUTPUT tool + | where isnotnull(tool) + | stats count min(firstTime) as first_seen max(lastTime) as last_seen + by tool url http_user_agent src dest + | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)` + | `http_pua_user_agent_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: Noise and false positive can be seen if these programs + are allowed to be used within corporate network. In this case, a filter is + needed. 
+references: +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv +drilldown_searches: +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known user agent ($http_user_agent$) associated with unusual programs was performing a request from $src$. + risk_objects: + - field: src + type: system + score: 32 + threat_objects: + - field: http_user_agent + type: http_user_agent +tags: + analytic_story: + - Local Privilege Escalation With KrbRelayUp + - BlackSuit Ransomware + - Cactus Ransomware + - Suspicious User Agents + asset_type: Network + mitre_attack_id: + - T1071.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_pua.log + sourcetype: suricata + source: suricata diff --git a/detections/network/http_rmm_user_agent.yml b/detections/network/http_rmm_user_agent.yml new file mode 100644 index 0000000000..65a737d963 --- /dev/null +++ b/detections/network/http_rmm_user_agent.yml 
@@ -0,0 +1,71 @@ +name: HTTP RMM User Agent +id: 61884b02-0dcf-44c5-9094-db33bac09fa6 +version: 1 +date: '2025-12-18' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: This Splunk query analyzes web logs to identify and categorize user agents, + detecting various types of Remote Monitoring and Mangement applications. This activity + can signify possible compromised hosts on the network. +data_source: +- Suricata +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest + | `drop_dm_object_name("Web")` + | lookup rmm_user_agents rmm_user_agent AS http_user_agent OUTPUT tool + | where isnotnull(tool) + | stats count min(firstTime) as first_seen max(lastTime) as last_seen + by tool url http_user_agent src dest + | `security_content_ctime(first_seen)` | `security_content_ctime(last_seen)`| `http_rmm_user_agent_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting + web or proxy logs, or ensure it is being filled by a proxy like device, into the + Web Datamodel. For additional filtering, allow list private IP space or restrict + by known good. +known_false_positives: Noise and false positive can be seen if these programs + are allowed to be used within corporate network. In this case, a filter is + needed. 
+references: +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv +drilldown_searches: +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known rmm user agent $http_user_agent$ was performing a request from $src$. + risk_objects: + - field: src + type: system + score: 44 + threat_objects: + - field: http_user_agent + type: http_user_agent +tags: + analytic_story: + - Remote Monitoring and Management Software + - Suspicious User Agents + asset_type: Network + mitre_attack_id: + - T1071.001 + - T1219 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_rmm.log + sourcetype: suricata + source: suricata diff --git a/detections/web/http_scripting_tool_user_agent.yml b/detections/web/http_scripting_tool_user_agent.yml new file mode 100644 index 0000000000..315ab611f7 --- /dev/null +++ b/detections/web/http_scripting_tool_user_agent.yml 
@@ -0,0 +1,78 @@ +name: HTTP Scripting Tool User Agent +id: 04430b4e-5ca8-4e88-98b5-d6bcf54f8393 +version: 1 +date: '2025-10-09' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: This Splunk query analyzes web access logs to identify and categorize + non-browser user agents, detecting various types of security tools, scripting languages, + automation frameworks, and suspicious patterns. This activity can signify malicious actors + attempting to interact with web endpoints in non-standard ways. +data_source: +- Nginx Access +search: '`nginx_access_logs` + | eval http_user_agent = lower(http_user_agent) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `drop_dm_object_name(Web)` + | lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool + | where isnotnull(tool) + | rename dest_ip as dest + | stats count min(firstTime) as first_seen max(lastTime) as last_seen values(tool) as tool + by http_user_agent dest src_ip status + | `http_scripting_tool_user_agent_filter`' +how_to_implement: This analytic necessitates the collection of web data, which can + be achieved through Splunk Stream or by utilizing the Splunk Add-on for Apache Web + Server. No additional configuration is required for this analytic. +known_false_positives: False positives may be present if the activity is part of diagnostics + or testing. Filter as needed. 
+references: + - https://portswigger.net/web-security/request-smuggling#what-is-http-request-smuggling + - https://portswigger.net/research/http1-must-die + - https://www.vaadata.com/blog/what-is-http-request-smuggling-exploitations-and-security-best-practices/ + - https://www.securityweek.com/new-http-request-smuggling-attacks-impacted-cdns-major-orgs-millions-of-websites/ + - https://github.com/SigmaHQ/sigma/blob/master/rules/web/proxy_generic/proxy_ua_hacktool.yml + - https://help.aikido.dev/zen-firewall/miscellaneous/bot-protection-details +drilldown_searches: +- name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") + starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime + values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) + as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) + as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: Known scripting tool was used against a web request. + The source IP is $src_ip$ and the destination is $dest$. 
+ risk_objects: + - field: dest + type: system + score: 31 + threat_objects: + - field: src_ip + type: ip_address +tags: + analytic_story: + - HTTP Request Smuggling + - Suspicious User Agents + asset_type: Network + mitre_attack_id: + - T1071.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/request_smuggling/nginx_scripting_tools.log + source: nginx:plus:kv + sourcetype: nginx:plus:kv diff --git a/lookups/malware_user_agents.csv b/lookups/malware_user_agents.csv new file mode 100644 index 0000000000..4e8ee93c9f --- /dev/null +++ b/lookups/malware_user_agents.csv 
@@ -0,0 +1,90 @@ +malware_user_agent,malware +User-Agent:Mozilla/*,9002RAT +JustKidding,Arbitrium-RAT +arkei/*,Arkei Stealer +NIKMOK,AsyncRAT +BunnyLoader,BunnyLoader +BunnyLoader_Dropper,BunnyLoader +BunnyRequester,BunnyLoader +BunnyShell,BunnyLoader +BunnyStealer,BunnyLoader +BunnyTasks,BunnyLoader +HeartBeat_Sender,BunnyLoader +Avast,BunnyLoader +AVG,BunnyLoader +ESET NOD32,BunnyLoader +ESET SECURITY,BunnyLoader +Google Chrome,BunnyLoader +McAffee,BunnyLoader +Windows Defender,BunnyLoader +mfo4engo2m,clipper-socket +hacked-by-matrix,Coin Miner +luna-owns-you,Coin Miner +uploader,Collector Stealer +condi-bbos,condi +WinHTTP Example/1.0,Cuba Ransomware +Project1sqlite,DarkCloud +Project1,DarkCloud +Mozilla FireFox,Donot Team +*da58bdb765904300581fe8a818c28cca7c0b62eabd7ce29f181924177c8f13c7*,DSLog backdoor +AE632AE3-FACB-4C1B-8906-FB65A13B01B4,ENIGMA STEALER +OnionWClient,Ethernity Clipper stealer +OnionWClient / 1.0,Ethernity Clipper stealer +HTTPREAD,fabookie +lkmns32Sf3lkn,fakebat +GameInfo,Gh0stRAT +b5c3d0b28619de70bf5588505f4061f2,Goonshell +Intrenet Explorer,Helpud +*katz-ontop*,Katz Stealer +Chnome,Kimsuky TA +Lilith-Bot*,Lilith +Loki/1.0,Loki +*(Charon; Inferno),Lokibot +TeslaBrowser/5.5,Lumma Stealer +HTTP/1.1,LummaStealer +CommonName Agent,Malware +Connector v1.2,Malware +contains loader,Malware +"Skype/8.69.0.77 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",Matanbuchus 3.0 +medusa-stealer,MeduzaStealer +Messiah/2.0,Mirai +KrebsOnSecurity,Mirai +"Hello, world",Mirai Botnet +Momentum,Mirai botnet +r00ts3c-owned-you,Mirai botnet +Tsunami/2.0,Mirai Botnet +MtmKilledYou,Mirai Botnet +fucking,Nitedrem +B,Nymaim Trojan +OK,Nymaim Trojan +*Windows NT 123.9*,Raccoon Stealer +*YAYAYAY*,Raccoon Stealer +AYAYAYAY1337,Raccoon Stealer +B1D3N_RIM_MY_ASS,Raccoon Stealer +DuckTales,Raccoon Stealer +GeekingToTheMoon,Raccoon Stealer +GunnaWunna,Raccoon Stealer +GunnaWunnaBlueTips,Raccoon Stealer 
+iMightJustPayMySelfForAFeature,Raccoon Stealer +MoonLight,Raccoon Stealer +mozzzzzzzzzzz,Raccoon Stealer +MrBidenNeverKnow,Raccoon Stealer +qwrqrwrqwrqwr,Raccoon Stealer +rc2.0/client,Raccoon Stealer +record,Raccoon Stealer +rqwrwqrqwrqw,Raccoon Stealer +SouthSide,Raccoon Stealer +SunShine,Raccoon Stealer +SunShineMoonLight,Raccoon Stealer +TakeMyPainBack,Raccoon Stealer +x,Raccoon Stealer +Xmlst,Raccoon Stealer +xmX*-AhKih-I-i5enQvO,Raccoon Stealer +xxx,Raccoon Stealer +Zadanie,Raccoon Stealer +AdvancedInstaller,RobotDropper +SSLoad/*,SSLoad +ace4956e-736e-11e6-9584-d7165ca591df,TrojanProxy +ClickAdsByIE,TrokanClicker +WSHRAT*,WSHRAT +PresidentPutin,ZLoader \ No newline at end of file diff --git a/lookups/malware_user_agents.yml b/lookups/malware_user_agents.yml new file mode 100644 index 0000000000..c0d38f7756 --- /dev/null +++ b/lookups/malware_user_agents.yml @@ -0,0 +1,11 @@ +name: malware_user_agents +date: 2025-12-16 +version: 1 +id: 3a1a501c-d65f-4a6c-95a3-3d2b9a8c43c3 +author: Raven Tait, Splunk +lookup_type: csv +description: A list of user agents used with known malware. +match_type: +- WILDCARD(malware_user_agents) +min_matches: 1 +case_sensitive_match: true diff --git a/lookups/pua_user_agents.csv b/lookups/pua_user_agents.csv new file mode 100644 index 0000000000..5f45e0bc9c --- /dev/null +++ b/lookups/pua_user_agents.csv 
@@ -0,0 +1,61 @@ +pua_user_agent,tool,description +AADInternals,AADInternals,Default user agent used by AADInternals +OWASP Amass,amass,Default user agent for amass recon tool +ArgusCrawler/1.0,Argus,User agent used by the Information Gathering Toolkit named Argus +ArgusDataLeakChecker/1.0,Argus,User agent used by the Information Gathering Toolkit named Argus +Argus-Scanner/1.0,Argus,User agent used by the Information Gathering Toolkit named Argus +Mozilla/5.0 (compatible; ArgusBot/1.0*,Argus,User agent used by the Information Gathering Toolkit named Argus +autocert,autocert,Provides automatic access to certificates from Let's Encrypt (used in sshamble) +azurehound*,AzureHound,AzureHound - Azure Data Exporter for BloodHound - default user agent +BAV2ROPC,BAV2ROPC,User agent commonly used by older email apps and devices that rely on basic authentication to access email accounts - often observed in Business email compromise +Box Edit/*,box,Used by box agent file host +Box/2.*,box,Used by box agent file host +ccminer*,ccminer,ccminer user-agent +Certipy,certipy,Default user agent for nltm lib of certipy +Cr3dOv3r-Framework,Cr3dOv3r,Default user agent used by Cr3dOv3r - ispwned.py +Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0,CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential 
access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0,CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0,CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0,CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) 
used by CredMaster credential access tool +Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0,CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",CredMaster,Old user agent (from 2018-era or older) used by CredMaster credential access tool +FUCKUSA,Cryptominer,Used by cryptomining campaigns +Lomond/*,dataplicity,User agent used by lemond python package with the websocket request - used by dataplicity (enables connecting local systems to dataplicity cloud for remotely accessing them over the internet) +dirhunt,dirhunt,Default user agent for a tool used to find web directories without bruteforce +WebServices;eM Client/*,eM Client,Desktop-based email solution fully synchronized with O365 - abused for data exfiltration - observed in multiple BEC cases +*(Hackintosh*,Hackintosh OS,Default user agent for Hackintosh OS +KrbRelayUp/1.0,KrbRelayUp,KrbRelayUp default user-agent +Lemon-Duck-*,Lemon-Duck,cryptominer default user agent +*UCCAPI/16.0.13328.20130 OC/16.0.13426.20234*,lyncsmash,Default user agent used by lyncsmash.py - a collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations +MEGA/MEGAcmdUpdaterTask,MEGAcmd,Command Line Interactive and Scriptable Application to access MEGA +MEGAcmd/*,MEGAcmd,Command Line Interactive and Scriptable Application to access MEGA +MEGAupdater *,MEGASYNC,Used by MEGASYNC software when installed +Windows Installer,msiexec,Typically associated with .msi installation processes that perform HTTP downloads. 
While it can be legitimate - it may also indicate the use of remotely hosted malicious installers +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",Phishing Kit,Old version of legitimate Chrome browser used in phishing Kit +"Mozilla/5.0 (Windows NT 10.0; Win64; x64; WebView/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.22621",Phishing Kit,Old version of legitimate Chrome browser used in phishing Kit +PingCastleAutoUpdater*,Pingcastle,Default user agent used by Pingcastle (PingCastleAutoUpdater) +rclone/*,rclone,User agent used by rclone +Rubeus/1.0,Rubeus,User agent used by Rubeus +ShadowSpray.Kerb/1.0,ShadowSpray,Default user agent for the tool ShadowSpray (spray Shadow Credentials across an entire domain) +SharpBuster,SharpBuster,SharpBuster default UA +Valve/Steam HTTP Client ,Steam,Steam client (games) +subfinder,subfinder,subfinder subdomain passive enumeration tool default UA +syncthing v*,synchthing,Used by syncthing software +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36",TeamFiltration,Used in Teamfiltration default conf +* Toolbar *,Toolbars,Random toolbar software +*torrent*,Torrents,Many torrent clients use torrent in their user agent strings +*Your Moms Smart Vibrator*,TREVORspray,Default user agent for TREVORspray example module - a modular password sprayer with threading - clever proxying - loot modules and more +TruffleHog*,TruffleHog,Find - verify and analyze leaked credentials open source github project +VirtualBox *,Virtualbox,Default user agent seen during Virtualbox activities +*SearchToolbar*,wyzo,Browser with torrent search integrated + other junk softwares +XMRig*,xmrig,xmrig cryptominer user agent \ No newline at end of file 
diff --git a/lookups/pua_user_agents.yml b/lookups/pua_user_agents.yml new file mode 100644 index 0000000000..f6b44cc66f --- /dev/null +++ b/lookups/pua_user_agents.yml @@ -0,0 +1,11 @@ +name: pua_user_agents +date: 2025-12-16 +version: 1 +id: d7fe0258-349e-4557-89be-148d6d0abe87 +author: Raven Tait, Splunk +lookup_type: csv +description: A list of user agents used with unwanted applications. +match_type: +- WILDCARD(pua_user_agent) +min_matches: 1 +case_sensitive_match: true diff --git a/lookups/rmm_user_agents.csv b/lookups/rmm_user_agents.csv new file mode 100644 index 0000000000..9eff86091c --- /dev/null +++ b/lookups/rmm_user_agents.csv @@ -0,0 +1,21 @@ +rmm_user_agent,tool +LogMeIn/*,LogMeIn +*splashtop*,Splashtop +RemotePC *,Remotepc +* DesktopCentral Agent,Zoho Assist +NetSupport Manager/*,NetSupport +NetSupport Gateway/*,NetSupport +AnyDesk,Anydesk +AnyDesk/*,Anydesk +AnyDesk *,Anydesk +Fleet auto-approve,Fleetdm +Fleet average open time,Fleetdm +Fleet labels,Fleetdm +fleet story points,Fleetdm +Fleetie pie,Fleetdm +fleet-schema-builder,Fleetdm +Fleet-Standard-Query-Library,Fleetdm +nanodep-godep/0,Fleetdm +SensorsAnalytics CPP SDK 0.3,Aweray +Advanced Monitoring Agent HTTP Retriever 1.1,Nsight RMM +MeshCentral,MeshCentral \ No newline at end of file diff --git a/lookups/rmm_user_agents.yml b/lookups/rmm_user_agents.yml new file mode 100644 index 0000000000..21145f5820 --- /dev/null +++ b/lookups/rmm_user_agents.yml @@ -0,0 +1,11 @@ +name: rmm_user_agents +date: 2025-12-16 +version: 1 +id: 2e2a470c-8429-47df-91a2-acb233c42671 +author: Raven Tait, Splunk +lookup_type: csv +description: A list of user agents used with known user agents associated with RMM tools. +match_type: +- WILDCARD(rmm_user_agent) +min_matches: 1 +case_sensitive_match: true diff --git a/lookups/suspicious_c2_user_agents.csv b/lookups/suspicious_c2_user_agents.csv new file mode 100644 index 0000000000..1a91909e38 --- /dev/null +++ b/lookups/suspicious_c2_user_agents.csv 
@@ -0,0 +1,79 @@ +c2_user_agent,tool,description +antSword/v*,antSword,antSword webshell pentest tools abused by APT41 and other attackers +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",Brute Ratel,Default user agent string for Brute Ratel +CanisRufus,CanisRufus,A stealthy Python based Windows backdoor that uses Github as a command and control server +PologiyKolokol,CapLoader,CapLoader +sliverua,CloudflarePagesRedirector,CloudFlare C2 default examples UA +ligoloua,CloudflarePagesRedirector,CloudFlare C2 default examples UA +Microsoft Internet Explorer,Cobalt Strike,Default user agent string for pitty_tiger Malleable C2 Profile +Microsoft-CryptoAPI/6.1,Cobalt Strike,Default user agent string for oscp Malleable C2 Profile +Mozilla Firefox/4.0,Cobalt Strike,Default user agent string for formbook Malleable C2 Profile +Mozilla Firefox/4.0(compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0;SLC2; .NET CLD 3.5.30729; Media Center PC 6.0;),Cobalt Strike,Default user agent string for globeimposter Malleable C2 Profile +Mozilla/4.0,Cobalt Strike,Default user agent string for string_of_paerls Malleable C2 Profile +Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11,Cobalt Strike,Default user agent string for fiesta Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1),Cobalt Strike,Default user agent string for comfoo Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914),Cobalt Strike,Default user agent string for asprox Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1),Cobalt Strike,Default user agent string for zeus Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729,Cobalt Strike,Default user agent string for covid19_koadic Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; 
.NET4.0E ),Cobalt Strike,Default user agent string for chches_APT10 Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; Media Center PC 6.0),Cobalt Strike,Default user agent string for emotet Malleable C2 Profile +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729),Cobalt Strike,"Default user agent string for magnitude, taidoor Malleable C2 Profiles" +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; Media Center PC 6.0),Cobalt Strike,Default user agent string for POSeidon Malleable C2 Profile +Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko,Cobalt Strike,"Default user agent string for bazarloader, dukes_apt29, mayoclinic, randomized Malleable C2 Profiles" +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",Cobalt Strike,Default user agent string for bing_maps Malleable C2 Profile +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36",Cobalt Strike,Default user agent string for mscrl Malleable C2 Profile +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (XHTML, like Gecko) Chrome/87.0.4280.89 Safari/537.36",Cobalt Strike,Default user agent string for salesforce_api Malleable C2 Profile +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)",Cobalt Strike,"Default user agent string for iheartradio, office365_calendar, slack, trevor, youtube_video Malleable C2 Profiles" +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36",Cobalt Strike,Default user agent string for kronos Malleable C2 Profile +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",Cobalt Strike,"Default user agent string for reddit, stackoverflow Malleable C2 
Profiles" +Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38,Cobalt Strike,Default user agent string for jasperloader Malleable C2 Profile +"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",Cobalt Strike,"Default user agent string for gotomeeting, msu_edu, template Malleable C2 Profiles" +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",Cobalt Strike,"Default user agent string for gandcrab, quantloader Malleable C2 Profiles" +Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko,Cobalt Strike,"Default user agent string for amazon, cnnvideo_getonly, googledrive_getonly, msnbcvideo_getonly, onedrive_getonly, pandora, safebrowsing, trick_ryuk, ursnif_IcedID, wikipedia_getonly Malleable C2 Profiles" +Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko),Cobalt Strike,Default user agent string for hancitor Malleable C2 Profile +Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0,Cobalt Strike,"Default user agent string for bluenoroff_rat, ratankba Malleable C2 Profiles" +Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0,Cobalt Strike,Default user agent string for backoff Malleable C2 Profile +"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36",Cobalt Strike,Default user agent string for zloader Malleable C2 Profile +Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0,Cobalt Strike,Default user agent string for sofacy Malleable C2 Profile +Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08,Cobalt Strike,Default user agent string for havex Malleable C2 Profile +"Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",Cobalt Strike,Default user agent string for bingsearch_getonly Malleable C2 Profile +Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; 
.NET CLR 1.1.4322),Cobalt Strike,Default user agent string for trickbot Malleable C2 Profile +Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0),Cobalt Strike,Default user agent string for etumbot Malleable C2 Profile +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET4.0E; QQBrowser/7.0.3698.400),Cobalt Strike,Default user agent string for xbash Malleable C2 Profile +"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104",Cobalt Strike,Default user agent string for zoom Malleable C2 Profile +Mozilla/5.2 (Windows NT 6.2; rv:50.2) Gecko/20200103 Firefox/50.2,Cobalt Strike,Default user agent string for jaff Malleable C2 Profile +Shockwave Flash,Cobalt Strike,Default user agent string for rtmp Malleable C2 Profile +Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40,Cobalt Strike,"Default user agent string for microsoftupdate_getonly, windows-updates Malleable C2 Profiles" +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0),Cobalt Strike,Default user agent string for Cobalt Strike +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS),Cobalt Strike,Default user agent string for Cobalt Strike +Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; XBLWP7; ZuneWP7),Cobalt Strike,Default user agent string for Cobalt Strike +Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET4.0C; .NET4.0E),Cobalt Strike,Default user agent string for Cobalt Strike +Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5),Cobalt Strike / Koadic,Default user agent string for qakbot Malleable C2 Profile and Koadic Stage 1 +Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko,Cobalt Strike / Mythic C2,Default User-Agent string for Several C2 Frameworks +"Mozilla/6.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",GraphStrike,Default User-Agent 
string for Cobaltstrike GraphStrike server (not a legitimate UA) +"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36",Havoc C2,Default user agent string for Havoc C2 HTTP Listener +Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729),Koadic,Default user agent string for Koadic Stage 0 and Stage 2 +Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko*,Multiple,"Default user agent string used by multpile C2 frameworks including Metasploit, Cobalt Strike, Merlin, and more" +dvadcat,netsupport RAT,netsupport RAT +Mozilla/5.0 (compatible; ngrok),ngrok,ngrok user agent +nimplant,nimplant,user agent default for a light-weight first-stage C2 implant written in Nim +NimPlant C2 Client,nimplant,user agent default for a light-weight first-stage C2 implant written in Nim +linux:feeds:v2 (by /u/pico-sh),picosh,hacker labs - open source and managed web services leveraging SSH +pivotnacci/*,pivotnacci,Pivotnacci allows you to create a socks server which communicates with HTTP agents +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36",PoshC2,Default user agent string for PoshC2 +azure-logic-apps/1.0,Power Automate,Power Automate user-agent also used by C2 NTT-Security-Japan/pac2 (LOLC2) +remoteit/*,remoteit,remoteit +C2FunctionAgent,ServerlessRedirector,ServerlessRedirector +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.8827.897 Safari/537.36",Sliver C2,Default user agent string for Sliver Windows agent +"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.8827.897 Safari/537.36",Sliver C2,Default user agent string for Sliver Linux agent +"Mozilla/5.0 (Macintosh; Intel Mac OS X %s) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.8827.897 Safari/537.36",Sliver 
C2,Default user agent string for Sliver Mac agent +Cat,SmartLoader,SmartLoader +SmartLoader,SmartLoader,SmartLoader +Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/7.0; Specula; Microsoft Outlook*,Specula,default user agent template for specula C2 +"Mozilla/5.0 (compatible, MSIE 11, Windows NT 6.3; Trident/7.0; rv:11.0) like TsunamiWave",Tsunami,Tsunami C2 framework default UA +tunnelto-client,tunnelto,tunnelto.dev client default user agent +"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0",Tuoni C2,Default user agent string for Tuoni C2 +*Dev-Tunnels-Service-*,vscode,could be used when accessing a vscode dev tunnel - abused by attackers as a C2 +Yakit/1.0.0,Yakit,WebShell +Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0,Empire,Empire default User agents +Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0,Empire,Empire default User agents \ No newline at end of file diff --git a/lookups/suspicious_c2_user_agents.yml b/lookups/suspicious_c2_user_agents.yml new file mode 100644 index 0000000000..9a9c9375bf --- /dev/null +++ b/lookups/suspicious_c2_user_agents.yml @@ -0,0 +1,11 @@ +name: suspicious_c2_user_agents +date: 2025-12-05 +version: 1 +id: b9b22033-2374-4483-87d0-0d7b969e762c +author: Raven Tait, Splunk +lookup_type: csv +description: A list of user agents used with known C2 frameworks and toolings. +match_type: +- WILDCARD(c2_user_agent) +min_matches: 1 +case_sensitive_match: true diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML index 9972fb7b48..2ef4979430 100644 --- a/removed/deprecation_mapping.YML +++ b/removed/deprecation_mapping.YML 
@@ -1,4 +1,9 @@ detections: + - content: HTTP Suspicious Tool User Agent + removed_in_version: 5.24.0 + reason: Detection has been renamed for clarity + replacement_content: + - HTTP Scripting Tool User Agent - content: Cobalt Strike Named Pipes removed_in_version: 5.22.0 reason: Detection is now part of a larger collection of suspicious named pipes diff --git a/stories/suspicious_user_agents.yml b/stories/suspicious_user_agents.yml new file mode 100644 index 0000000000..e2530b01ef --- /dev/null +++ b/stories/suspicious_user_agents.yml @@ -0,0 +1,26 @@ +name: Suspicious User Agents +id: 34c760e1-d0f0-4e1e-ae42-8ad6ae1ddfe6 +version: 1 +status: production +date: '2026-01-05' +author: Raven Tait, Splunk +description: Leverage advanced Splunk searches to detect and investigate suspicious user agent strings + on the network, including malware, command and control frameworks, RMM software, and other unwanted + programs. +narrative: It is a common for attackers of all types to leverage existing + tools and frameworks to carry out activities on endpoints. Often less skilled adversaries + forget to change some defaults, especially when it comes to things like user agents. + Fortunately, there are a number of ways to monitor network data in Splunk + to detect suspicious activity involving these default user agent strings. +references: +- https://github.com/BC-SECURITY/Malleable-C2-Profiles +- https://www.keysight.com/blogs/en/tech/nwvs/2021/07/28/koadic-c3-command-control-decoded +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection
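Review bot: In `lookups/rmm_user_agents.csv`, the row `* DesktopCentral Agent,Zoho Assist` mislabels the product: Desktop Central is ManageEngine's endpoint management agent (a Zoho Corp product line), not Zoho Assist, so the `tool` column should read something like `ManageEngine Desktop Central`. Two further rows interact badly with `case_sensitive_match: true` in the companion YAML: `*splashtop*` is all lowercase, so a user agent containing `Splashtop` will never match; either use the vendor's real casing or add both forms. The Fleetdm block (`Fleet average open time`, `Fleetie pie`, `fleet story points`, `Fleet labels`, `Fleet-Standard-Query-Library`) reads like names of project tooling rather than agent user agents; please add a source for where these were observed on the wire, or drop them. The file also lacks a trailing newline.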
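Review bot: The `description` in `lookups/rmm_user_agents.yml` is garbled ("A list of user agents used with known user agents associated with RMM tools"); suggest "A list of user agents associated with known RMM tools." to match the wording used for the other two lookups.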
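Review bot: `lookups/pua_user_agents.yml` declares `lookup_type: csv` and `WILDCARD(pua_user_agent)`, but no `pua_user_agents.csv` appears in the portion of the diff reviewed here; confirm the CSV ships in the same change, otherwise any detection referencing this lookup will fail at search time.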
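Review bot: In `lookups/suspicious_c2_user_agents.csv`, a sizeable subset of rows are ordinary browser or OS user agents that legitimate, if outdated, clients still send, and the search consuming this lookup is typed `TTP`, so they will produce true-browser false positives rather than C2 hits. Examples from the hunk: `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko` and the `Windows NT 10.0` variant (stock IE11), `Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko*` (trailing wildcard widens it further), the Chrome/74, /88 and /90 and Firefox/24 and /47 rows, and `Microsoft-CryptoAPI/6.1`, which Windows itself uses for CRL and OCSP fetches. Suggest adding a fidelity column (for example `confidence,high|low`) so the detection can filter on it, or moving the generic strings into a separate anomaly-tier lookup. Also: the Sliver Mac row still contains the unsubstituted format placeholder `%s` in `Mac OS X %s`; replace it with `*` or it will never match a real implant. The rows `azure-logic-apps/1.0` and `*Dev-Tunnels-Service-*` describe themselves as legitimate Power Automate and VS Code traffic, so they need the same low-fidelity treatment. Several descriptions only repeat the tool name (`CapLoader,CapLoader`, `remoteit,remoteit`, `SmartLoader,SmartLoader`, `ServerlessRedirector`); give each a one-line explanation as the Cobalt Strike rows do. Typo: `multpile`. The file also lacks a trailing newline.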
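Review bot: The `removed/deprecation_mapping.YML` entry names `HTTP Scripting Tool User Agent` as the replacement for `HTTP Suspicious Tool User Agent`, but that detection is not present in the hunks reviewed here; confirm it exists under that exact name in this change so the mapping resolves. If the replacement is in fact the new C2 framework detection plus the scripting-tool one, list both under `replacement_content`.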
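Review bot: Grammar in the `narrative` of `stories/suspicious_user_agents.yml`: "It is a common for attackers" should be "It is common for attackers", and "Often less skilled adversaries forget to change some defaults" reads better as "Less skilled adversaries often forget to change defaults". The `description` promises coverage of RMM software and other unwanted programs; make sure the detections wired to this story actually use the `rmm_user_agents` and `pua_user_agents` lookups, since only the C2 lookup is referenced by a detection in the part of the diff reviewed here.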