APT User Agent | SOC Hunt Feed

Hunt Hypothesis

Adversaries may use custom user agent strings to mask their malicious activity and evade detection in proxy logs. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential APT campaigns early and prevent lateral movement or data exfiltration.

Detection Rule

Sigma (Original)

title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
    - Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
         # APT Related
            - 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
            - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
            - 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
            - 'webclient' # Naikon APT
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
            - 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
            - 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
            - 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
            - 'Netscape' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
            - 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
            - 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
            - 'Mozilla v5.1 *' # Sofacy Zebrocy samples
            - 'MSIE 8.0' # Sofacy Azzy Backdoor  from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
            - 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
            - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*' # KerrDown UA
            - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
            - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
            - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
            - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
            - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
            - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001'  # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
    condition: selection
falsepositives:
    - Old browsers
level: high

KQL (Azure Sentinel)

imWebSession
| where HttpUserAgent in~ ("SJZJ (compatible; MSIE 6.0; Win32)", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0", "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC", "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)", "webclient", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200", "Mozilla/4.0 (compatible; MSI 6.0;", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0", "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2", "Mozilla/4.0", "Netscape", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)", "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)", "Mozilla/4.0 (compatible; MSIE 8.0; Win32)", "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1", "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)", "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko", "MSIE 8.0", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)", "Mozilla/4.0 (compatible; RMS)", "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)", "O/9.27 (W; U; Z)", "hots scot", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)", "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36", "Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;", "Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0", "Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)", "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001") or HttpUserAgent startswith "Mozilla v5.1 " or HttpUserAgent startswith "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0" or HttpUserAgent startswith "Mozilla/5.0 (Windows NT 9; "

False Positive Guidance

Scenario: Legitimate System Monitoring Tool
Description: A system monitoring tool like Nagios or Zabbix uses a custom user agent string to report system metrics.
Filter/Exclusion: Exclude user agents containing "Nagios", "Zabbix", or "check_http".
Scenario: Scheduled Job for Log Rotation
Description: A scheduled job using logrotate or rsyslog may include a user agent string in its HTTP requests when interacting with a remote logging service.
Filter/Exclusion: Exclude requests with user agents containing "logrotate", "rsyslog", or "syslog-ng".
Scenario: Admin Task Using cURL for Configuration Sync
Description: An administrator may use cURL to manually sync configurations between servers, using a custom user agent string.
Filter/Exclusion: Exclude user agents containing "curl" or "Custom-User-Agent" if known.
Scenario: Web Application Firewall (WAF) Rule Testing
Description: A security team may test WAF rules by sending requests with custom user agents to simulate malicious traffic.
Filter/Exclusion: Exclude user agents containing "WAF Test", "OWASP", or "ModSecurity".
Scenario: Cloud Provider API Tool Usage
Description: Tools like AWS CLI or Azure CLI may send HTTP requests with user agent strings that resemble malicious patterns.
Filter/Exclusion: Exclude user agents containing "aws-cli", "azure-cli", or "cloud-api" if known.

MITRE ATT&CK Context

Tactic: Command and Control
Technique: T1071.001