User agents ending with an equal sign may indicate base64 encoding used to obfuscate malicious payloads, suggesting potential command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that could evade traditional detection methods.
Detection Rule
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
    - id: d443095b-a221-4957-a2c4-cd1756c9b747
      type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
    - https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|endswith: '='
    condition: selection
falsepositives:
    - Unknown
level: medium
imWebSession
| where HttpUserAgent endswith "="
Scenario: A legitimate system monitoring tool (e.g., Prometheus or Nagios) sends a user-agent string that includes base64-encoded data for metrics or logs.
Filter/Exclusion: Exclude traffic from known monitoring tools by IP or by checking the source port (e.g., 9090 for Prometheus).
Scenario: A scheduled job (e.g., cron or Task Scheduler) runs a script that outputs a base64-encoded string as part of its logging or debugging output.
Filter/Exclusion: Exclude logs from known scheduled jobs by checking the process name or command line arguments.
Scenario: An admin task (e.g., PowerShell or bash script) generates a user-agent string for testing or automation purposes that ends with an equal sign.
Filter/Exclusion: Exclude traffic originating from admin workstations or specific user accounts used for automation.
Scenario: A legitimate web application (e.g., WordPress or Jenkins) uses a custom user-agent string that includes base64 encoding for internal communication or data transfer.
Filter/Exclusion: Exclude traffic from known internal services by checking the source IP range or domain.
Scenario: A security tool (e.g., CrowdStrike or Microsoft Defender) sends a user-agent string with base64 encoding for internal reporting or data transmission.
Filter/Exclusion: Exclude traffic from known security tool IPs or by checking the user-agent string against a whitelist of known security tool signatures.
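The following Python script is an added example, not part of the Sigma rule or the Sentinel content above. It reproduces the rule's `endswith "="` selection over a few constructed proxy records (field names borrowed from the imWebSession query), applies the kind of source-network and user-agent-prefix exclusions described in the scenarios, and adds a triage step that checks whether the trailing token is actually well-formed base64, since a string that merely ends in "=" is only a hint. The sample records, the `10.0.9.0/24` monitoring subnet and the `SecurityAgent/` prefix are all invented for the example.

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample proxy records for this example (not real traffic). The
# field names mirror the ASIM imWebSession columns used by the Sentinel query;
# the external addresses come from documentation ranges.
SAMPLE_WEB_SESSIONS = [
    {"SrcIpAddr": "10.0.5.21", "DstIpAddr": "203.0.113.10",
     "HttpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"SrcIpAddr": "10.0.5.22", "DstIpAddr": "203.0.113.44",
     "HttpUserAgent": "aGVsbG8gd29ybGQ="},              # decodes to "hello world"
    {"SrcIpAddr": "10.0.9.5", "DstIpAddr": "10.0.9.100",
     "HttpUserAgent": "Prometheus/2.45.0 dGVzdA=="},    # monitoring subnet, excluded below
    {"SrcIpAddr": "10.0.5.23", "DstIpAddr": "198.51.100.7",
     "HttpUserAgent": "curl/8.0.1 id="},                # ends with "=" but is not base64
]

# Hypothetical tuning list modelled on the exclusions above: a source CIDR for
# monitoring hosts and a user-agent prefix for a known security tool.
ALLOWLIST = {
    "src_networks": [ipaddress.ip_network("10.0.9.0/24")],
    "user_agent_prefixes": ["SecurityAgent/"],
}

# Standard base64 alphabet followed by one or two padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={1,2}$")


def matches_sigma_rule(record):
    """The Sigma selection: c-useragent|endswith '='."""
    return record.get("HttpUserAgent", "").endswith("=")


def is_allowlisted(record, allowlist):
    """Apply the tuning exclusions (source network, known tool prefix)."""
    src = ipaddress.ip_address(record["SrcIpAddr"])
    if any(src in net for net in allowlist["src_networks"]):
        return True
    ua = record.get("HttpUserAgent", "")
    return any(ua.startswith(p) for p in allowlist["user_agent_prefixes"])


def decode_trailing_base64(user_agent):
    """Return the decoded bytes of the last whitespace-separated token when it
    is well-formed, padded base64; otherwise None. This separates genuine
    encodings from strings that merely happen to end in '='."""
    parts = user_agent.split()
    token = parts[-1] if parts else ""
    if not _B64_RE.match(token) or len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error:
        return None


def hunt(records, allowlist=ALLOWLIST):
    """Run the rule over proxy records and return triaged findings."""
    findings = []
    for rec in records:
        if not matches_sigma_rule(rec) or is_allowlisted(rec, allowlist):
            continue
        decoded = decode_trailing_base64(rec["HttpUserAgent"])
        findings.append({
            "src": rec["SrcIpAddr"],
            "dst": rec["DstIpAddr"],
            "user_agent": rec["HttpUserAgent"],
            "valid_base64": decoded is not None,
            "decoded_preview": decoded[:32].decode("utf-8", "replace")
                               if decoded is not None else "",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_WEB_SESSIONS):
        print(finding)
```

Run against the sample records, the monitoring host is dropped by the allowlist, the `curl` record is kept but flagged as not valid base64 (its trailing token has the wrong length), and only the record whose user agent decodes cleanly reaches an analyst with a decoded preview attached.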