sigmamediumHunting

Suspicious Base64 Encoded User-Agent

Detects suspicious encoded User-Agent strings, as seen used by some malware.

MITRE ATT&CK

command-and-control

Detection Query

selection:
  c-useragent|startswith:
    - Q2hyb21l
    - QXBwbGVXZWJLaX
    - RGFsdmlr
    - TW96aWxsY
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-05-04

Data Sources

proxy

References

https://deviceatlas.com/blog/list-of-user-agent-strings#desktop

Tags

attack.command-and-controlattack.t1071.001

Raw Content

title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY'  # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium