Malware droppers, loaders and C2 beacons frequently send HTTP requests with a user agent string that is malformed (typos such as a missing space or slash, a doubled "User-Agent:" header), a bare placeholder ("x", "_", "HTTPS"), or a hard-coded default that a real browser no longer produces. The Sigma rule below, tagged T1071.001 (Application Layer Protocol: Web Protocols), flags these strings in proxy logs; the Azure Sentinel translation that follows it lets SOC teams hunt the same patterns in ASIM web session data for command-and-control and payload download activity that a well-formed browser user agent would otherwise blend into.
Detection Rule
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent|startswith:
            - 'user-agent' # User-Agent: User-Agent:
            - 'Mozilla/3.0 '
            - 'Mozilla/2.0 '
            - 'Mozilla/1.0 '
            - 'Mozilla ' # missing slash
            - ' Mozilla/' # leading space
            - 'Mozila/' # single 'l'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
        c-useragent|contains:
            - ' (compatible;MSIE ' # typical typo - missing space
            - '.0;Windows NT ' # typical typo - missing space
            - 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
    selection3:
        c-useragent:
            - '_'
            - 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
            - 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
            - 'x' # Use by Racoon Stealer but could be something else
            - 'xxx' # Use by Racoon Stealer but could be something else
    falsepositives: # named filter used by the condition below ('*' is a Sigma wildcard)
        - c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
            - '.acrobat.com'
            - '.adobe.com'
            - '.adobe.io'
    condition: 1 of selection* and not falsepositives
falsepositives: # documentation field, distinct from the detection filter of the same name
    - Unknown
level: high
Azure Sentinel translation of the rule, written against the ASIM web session parser (imWebSession), where c-useragent maps to HttpUserAgent and cs-host to HttpHost:
imWebSession
| where (
        (HttpUserAgent startswith "user-agent"
            or HttpUserAgent startswith "Mozilla/3.0 "
            or HttpUserAgent startswith "Mozilla/2.0 "
            or HttpUserAgent startswith "Mozilla/1.0 "
            or HttpUserAgent startswith "Mozilla "
            or HttpUserAgent startswith " Mozilla/"
            or HttpUserAgent startswith "Mozila/"
            or HttpUserAgent startswith "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol")
        or (HttpUserAgent contains " (compatible;MSIE "
            or HttpUserAgent contains ".0;Windows NT "
            or HttpUserAgent contains "loader")
        or (HttpUserAgent in~ ("_", "CertUtil URL Agent",
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)",
            "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
            "HTTPS", "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a", "x", "xxx"))
    )
    and not (
        HttpUserAgent matches regex "Mozilla/3\\.0 .* Acrobat .*"
        or (HttpHost endswith ".acrobat.com" or HttpHost endswith ".adobe.com" or HttpHost endswith ".adobe.io")
    )
The rule only fires on the specific prefixes, substrings and exact strings listed above, so tuning should be tied to those patterns and, wherever possible, keyed on the destination or source host rather than on a user agent substring. Exclusions on broad tokens like "Chrome" or "Mozilla" would exempt most traffic, including beacons that imitate a browser.
Scenario: Legacy .NET web service clients (System.Web.Services) identify themselves as "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol ...)" when calling internal SOAP endpoints, which matches the last selection1 prefix.
Filter/Exclusion: Exclude on the destination host (cs-host / HttpHost) of the known internal service endpoints, not on the user agent string, so the same string sent to an unknown external host still alerts.
Scenario: An in-house updater or download utility carries "loader" in its user agent (for example "Downloader/1.2"), which the selection2 substring match catches.
Filter/Exclusion: Exclude that tool's exact user agent string together with its expected destination hosts; do not remove the "loader" substring from the rule, since it exists to catch malware loaders.
Scenario: A developer tests a web application with Postman or a browser, or an automation job runs curl or certbot against an API.
Filter/Exclusion: No tuning is needed: "PostmanRuntime/...", "curl/...", certbot's client string and well-formed Chrome or Firefox strings match none of the selections. Confirm this by checking the actual string in the proxy log rather than adding a pre-emptive exclusion.
Scenario: A monitoring agent or script sends requests with a placeholder user agent such as a single "x", "_" or "HTTPS", which selection3 matches exactly.
Filter/Exclusion: Fix the agent to send a descriptive user agent where possible; otherwise exclude by source host and destination host, never by the placeholder itself, because these strings are exactly what Raccoon Stealer and similar malware send.
Scenario: Adobe Acrobat and Reader components still send "Mozilla/3.0 ..." user agents (for example "Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)"), which hit the selection1 prefix.
Filter/Exclusion: Already handled by the rule's own falsepositives filter (the "Mozilla/3.0 * Acrobat *" wildcard and the .acrobat.com, .adobe.com and .adobe.io host suffixes); extend that host list only with Adobe-owned destinations you have verified.
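To check the rule logic and the tuning guidance above against concrete events, here is an added Python example; it is not part of the Sigma rule, the Sentinel translation, or the scenarios, and was written for this page. It re-implements the three selections with Sigma's default case-insensitive matching, the rule's built-in falsepositives filter including the "*" wildcard, and a hypothetical destination-host allowlist as the preferred tuning mechanism, then runs everything over a handful of constructed proxy events. The event tuples, hostnames and the function names evaluate, run_rule and wildcard_to_regex are assumptions for illustration.

```python
import re

# Patterns transcribed from the Sigma rule on this page. Sigma string
# matching is case-insensitive by default, so every comparison lowercases.
STARTSWITH = [
    "user-agent",
    "Mozilla/3.0 ", "Mozilla/2.0 ", "Mozilla/1.0 ",
    "Mozilla ",            # missing slash
    " Mozilla/",           # leading space
    "Mozila/",             # single 'l'
    "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol",
]
CONTAINS = [" (compatible;MSIE ", ".0;Windows NT ", "loader"]
EXACT = [
    "_", "CertUtil URL Agent",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)",
    "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "HTTPS", "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a", "x", "xxx",
]
# The rule's own falsepositives filter: a Sigma wildcard pattern on the
# user agent, OR a suffix match on the destination host.
FP_UA_WILDCARD = "Mozilla/3.0 * Acrobat *"
FP_HOST_SUFFIXES = (".acrobat.com", ".adobe.com", ".adobe.io")


def wildcard_to_regex(pattern):
    """Sigma '*' -> '.*', everything else literal; whole-string, case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)


FP_UA_RE = wildcard_to_regex(FP_UA_WILDCARD)


def matched_selection(ua):
    """Name of the first selection the user agent satisfies, or None."""
    lowered = ua.lower()
    if any(lowered.startswith(p.lower()) for p in STARTSWITH):
        return "selection1"
    if any(p.lower() in lowered for p in CONTAINS):
        return "selection2"
    if any(lowered == p.lower() for p in EXACT):
        return "selection3"
    return None


def rule_false_positive(ua, host):
    """The filter encoded in the rule itself (Acrobat UA or Adobe destinations)."""
    return bool(FP_UA_RE.match(ua)) or host.lower().endswith(FP_HOST_SUFFIXES)


def evaluate(ua, host, allowed_hosts=()):
    """Apply 'condition: 1 of selection* and not falsepositives'.

    allowed_hosts is a hypothetical site-specific tuning list (assumption):
    exclusions are keyed on the destination host, so the same odd user agent
    still alerts when it talks to anything else. Returns the firing selection
    name, or None when the event is not alerted.
    """
    selection = matched_selection(ua)
    if selection is None or rule_false_positive(ua, host):
        return None
    if host.lower() in {h.lower() for h in allowed_hosts}:
        return None
    return selection


# Constructed sample proxy events (client user agent, destination host);
# none of these are real log lines.
SAMPLE_EVENTS = [
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)", "cdn.example.net"),            # beacon default, exact match
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0", "www.example.com"),  # real browser
    ("Mozilla/4.0 (compatible;MSIE 7.0; Windows NT 6.1)", "update.example.org"),           # missing-space typo
    ("Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)", "sync.adobe.com"),       # Adobe host filter
    ("Mozilla/3.0 (Windows; Acrobat 9.0)", "files.example.com"),                          # Acrobat wildcard filter
    ("x", "10.0.0.5"),                                                                    # placeholder UA
    ("Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)", "soap.internal.example"),
    ("curl/8.4.0", "api.example.com"),                                                    # no pattern matches
    ("Downloader/1.2", "mirror.example.org"),                                             # 'loader' substring
]


def run_rule(events, allowed_hosts=()):
    """Return [(ua, host, selection)] for every event the rule alerts on."""
    hits = []
    for ua, host in events:
        selection = evaluate(ua, host, allowed_hosts)
        if selection is not None:
            hits.append((ua, host, selection))
    return hits


if __name__ == "__main__":
    for ua, host, selection in run_rule(SAMPLE_EVENTS):
        print(f"{selection}: {ua!r} -> {host}")
    # Tuning: allowlist the internal SOAP endpoint instead of its UA string.
    tuned = run_rule(SAMPLE_EVENTS, allowed_hosts=("soap.internal.example",))
    print(f"{len(tuned)} alerts after host allowlist")
```

Running the block alerts on five of the nine constructed events; adding the internal SOAP endpoint to the host allowlist drops that to four while the same .NET client string going anywhere else still fires, which is the behaviour the scenarios above recommend over excluding the string itself.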