Malicious actors may use Base64 encoded User-Agent strings to obfuscate their true identity and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity and mitigate advanced threats.
Detection Rule
```yaml
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
    - id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
      type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
    - https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
            - 'Q2hyb21l' # Chrome Encoded with offset to not include padding
            - 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
            - 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
            - 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot)
    condition: selection
falsepositives:
    - Unknown
level: medium
```
```kql
// Sentinel (KQL) translation of the Sigma selection above, run against the ASIM imWebSession parser
imWebSession
| where HttpUserAgent startswith "Q2hyb21l"
    or HttpUserAgent startswith "QXBwbGVXZWJLaX"
    or HttpUserAgent startswith "RGFsdmlr"
    or HttpUserAgent startswith "TW96aWxsY"
```
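Added here as a worked example (not part of the original rule, the Sigma project or Microsoft Sentinel), this Python re-derives the four encoded prefixes so the "offset to not include padding" comments can be checked, then runs the same startswith test over constructed proxy records and decodes each hit for triage. The record format, field order and function names are assumptions.

```python
import base64
import binascii
import re

# Plaintext prefixes targeted by the rule; the encoded values are re-derived
# below so the "offset to not include padding" comments can be checked.
TARGET_PREFIXES = ("Chrome", "AppleWebKit", "Dalvik", "Mozilla")

def stable_b64_prefix(plaintext: str) -> str:
    """Base64 characters fixed for ANY input starting with `plaintext`: all
    full 3-byte groups plus the final-group characters whose bits come only
    from known bytes (1 char for one leftover byte, 2 for two). No padding."""
    raw = plaintext.encode("utf-8")
    encoded = base64.b64encode(raw).decode("ascii").rstrip("=")
    return encoded[: 4 * (len(raw) // 3) + len(raw) % 3]

ENCODED_PREFIXES = tuple(stable_b64_prefix(p) for p in TARGET_PREFIXES)

def is_suspicious_user_agent(user_agent: str) -> bool:
    """Same test as the rule's c-useragent|startswith selection, but exact-case:
    Base64 is case-sensitive, while Sigma and KQL `startswith` fold case."""
    return user_agent.startswith(ENCODED_PREFIXES)

def decode_for_triage(user_agent: str) -> str:
    """Decode a hit for the analyst; restores padding, '' if not valid Base64."""
    token = re.match(r"[A-Za-z0-9+/]+", user_agent)
    if not token:
        return ""
    body = token.group(0)
    body += "=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

# Constructed proxy records (not real traffic): client method host "UA".
SAMPLE_LOG = [
    '10.0.0.5 GET example.invalid "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.7 GET example.invalid "TW96aWxsYS81LjA="',  # Base64 of "Mozilla/5.0"
    '10.0.0.9 GET example.invalid "curl/7.68.0"',
]

def hunt(log_lines):
    """Return (client, raw_ua, decoded_ua) for each record the rule would flag."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ "([^"]*)"', line)
        if m and is_suspicious_user_agent(m.group(2)):
            hits.append((m.group(1), m.group(2), decode_for_triage(m.group(2))))
    return hits
```

The derived prefixes stop exactly where the rule's do: a leftover byte contributes one fixed character and two leftover bytes contribute two, so "Mozilla" (7 bytes) yields 9 characters and "AppleWebKit" (11 bytes) yields 14.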
Scenario: A system administrator is using a tool like curl or wget to test a web service that requires a custom User-Agent string.
Filter/Exclusion: Exclude requests where the User-Agent contains known legitimate testing tools or strings (e.g., curl/7.68.0, wget/1.20.3, TestUserAgent).
Scenario: A scheduled job runs a script that uses base64 encoding to generate a User-Agent string for compatibility with an older API.
Filter/Exclusion: Exclude User-Agent strings that include base64-encoded content if the script is known and documented (e.g., script_name.sh or job_id_12345).
Scenario: A security tool like OSSEC or Logwatch generates alerts with base64-encoded User-Agent strings in its logs as part of its alert formatting.
Filter/Exclusion: Exclude logs originating from known security monitoring tools (e.g., ossec.log, logwatch.log, or processes with ossec or logwatch in the command line).
Scenario: A developer is using Postman or curl to simulate a User-Agent for API testing, including encoded values for testing purposes.
Filter/Exclusion: Exclude User-Agent strings that match known Postman or curl headers (e.g., PostmanRuntime/1.20.1, curl/7.68.0).
Scenario: A legitimate enterprise application, such as Jenkins or Ansible, uses base64 encoding in its User-Agent for internal communication or logging.
Filter/Exclusion: Exclude User-Agent strings that match known application headers (e.g., Jenkins/2.345, Ansible/2.9.25