Analytics Story: Suspicious User Agents
Description
Leverage advanced Splunk searches to detect and investigate suspicious user agent strings on the network, including malware, command and control frameworks, RMM software, and other unwanted programs.
Why it matters
It is common for attackers of all types to leverage existing tools and frameworks to carry out activities on endpoints. Often, less skilled adversaries forget to change some defaults, especially when it comes to things like user agents. Fortunately, there are a number of ways to monitor network data in Splunk to detect suspicious activity involving these default user agent strings.
Detections
| Name | Technique | Type |
|---|---|---|
| HTTP C2 Framework User Agent | Web Protocols | TTP |
| HTTP Malware User Agent | Web Protocols | TTP |
| HTTP PUA User Agent | Web Protocols | Anomaly |
| HTTP RMM User Agent | Web Protocols, Remote Access Tools | Anomaly |
| HTTP Scripting Tool User Agent | Web Protocols | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log |
| Suricata | Other | suricata | suricata |
References
- https://github.com/BC-SECURITY/Malleable-C2-Profiles
- https://www.keysight.com/blogs/en/tech/nwvs/2021/07/28/koadic-c3-command-control-decoded
- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
Source: GitHub | Version: 1