Http User Agents

Date: 2023-12-16 ID: fdc85d57-acaf-4552-a363-1fd59a447f33 Author: Raven Tait, Splunk Environment: attack_range Directory: http_user_agents

Description

Attack data related to various http user agents

ID	Technique	Tactic
T1071.001	Web Protocols	Command And Control

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log
Sourcetype: suricata
Source: suricata

Path: /datasets/attack_techniques/T1071.001/http_user_agents/suricata_malware.log
Sourcetype: suricata
Source: suricata

Path: /datasets/attack_techniques/T1071.001/http_user_agents/suricata_pua.log
Sourcetype: suricata
Source: suricata

Path: /datasets/attack_techniques/T1071.001/http_user_agents/suricata_rmm.log
Sourcetype: suricata
Source: suricata

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
HTTP RMM User Agent	`Anomaly`	Network	T1071.001, T1219	Remote Monitoring and Management Software, Suspicious User Agents
HTTP Malware User Agent	`TTP`	Network	T1071.001	Lokibot, Lumma Stealer, Meduza Stealer, Crypto Stealer, RedLine Stealer, Suspicious User Agents
HTTP C2 Framework User Agent	`TTP`	Network	T1071.001	Cobalt Strike, Brute Ratel C4, Tuoni, Meterpreter, Spearphishing Attachments, Malicious PowerShell, BishopFox Sliver Adversary Emulation Framework, Suspicious User Agents
HTTP PUA User Agent	`Anomaly`	Network	T1071.001	Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Cactus Ransomware, Suspicious User Agents

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0