HTTP C2 Framework User Agent

name: HTTP C2 Framework User Agent
id: 229dc225-6abe-4d28-89fd-edf874086162
version: 3
date: '2026-03-10'
author: Ravent Tait, Splunk
status: production
type: TTP
description: This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of c2 frameworks. This activity can signify malicious actors attempting to interact with hosts on the network using known default configurations of command and control tools.
data_source:
    - Suricata
search: |-
    | tstats  `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
      WHERE Web.http_user_agent != null
      BY Web.http_user_agent Web.http_method, Web.url,
         Web.url_length Web.src, Web.dest
    | `drop_dm_object_name("Web")`
    | lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description
    | where isnotnull(tool)
    | stats count min(firstTime) as first_seen max(lastTime) as last_seen
      BY tool url http_user_agent
         src dest description
    | `security_content_ctime(first_seen)`
    | `security_content_ctime(last_seen)`
    | `http_c2_framework_user_agent_filter`
how_to_implement: To successfully implement this search, you need to be ingesting web or proxy logs, or ensure it is being filled by a proxy like device, into the Web Datamodel. For additional filtering, allow list private IP space or restrict by known good.
known_false_positives: Filtering may be required in some instances depending on legacy system usage, filter as needed.
references:
    - https://github.com/BC-SECURITY/Malleable-C2-Profiles
    - https://www.keysight.com/blogs/en/tech/nwvs/2021/07/28/koadic-c3-command-control-decoded
    - https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
drilldown_searches:
    - name: View the detection results for - "$src$"
      search: '%original_detection_search% | search  src = "$src$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: A known C2 Framework user agent $http_user_agent$ was performing a request from $src$ to $dest$.
    risk_objects:
        - field: src
          type: system
          score: 50
    threat_objects:
        - field: http_user_agent
          type: http_user_agent
        - field: dest
          type: system
tags:
    analytic_story:
        - Cobalt Strike
        - Brute Ratel C4
        - Tuoni
        - Meterpreter
        - Spearphishing Attachments
        - Malicious PowerShell
        - BishopFox Sliver Adversary Emulation Framework
        - Suspicious User Agents
    asset_type: Network
    mitre_attack_id:
        - T1071.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.001/http_user_agents/suricata_c2.log
          sourcetype: suricata
          source: not_applicable