sigmamediumHunting

HTTP Request With Empty User Agent

Detects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.

MITRE ATT&CK

T1071.001

defense-evasioncommand-and-control

Detection Query

selection:
  c-useragent: ""
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2017-07-08

Data Sources

proxy

References

https://twitter.com/Carlos_Perez/status/883455096645931008

Tags

attack.defense-evasionattack.command-and-controlattack.t1071.001

Raw Content

title: HTTP Request With Empty User Agent
id: 21e44d78-95e7-421b-a464-ffd8395659c4
status: test
description: |
    Detects a potentially suspicious empty user agent strings in proxy log.
    Could potentially indicate an uncommon request method.
references:
    - https://twitter.com/Carlos_Perez/status/883455096645931008
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
      # Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
        c-useragent: ''
    condition: selection
falsepositives:
    - Unknown
level: medium