APT User Agent

Detects suspicious user agent strings used in APT malware in proxy logs

Rule Content

- title: APT User Agent
  id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
  status: experimental
  description: Detects suspicious user agent strings used in APT malware in proxy
    logs
  references:
  - Internal Research
  author: Florian Roth, Markus Neis
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-useragent:
      - SJZJ (compatible; MSIE 6.0; Win32)
      - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
      - 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;
        SLCC'
      - Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)
      - webclient
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200
      - Mozilla/4.0 (compatible; MSI 6.0;
      - Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
      - Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/
      - Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2
      - Mozilla/4.0
      - Netscape
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719
        Firefox/1.0.7
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13
        GTB7.1
      - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
        .NETCLR 2.0.50727)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)
      - Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)
      - Mozilla/4.0 (compatible; MSIE 8.0; Win32)
      - Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
      - Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
      - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;
        .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)
      - Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko
      - Mozilla v5.1 *
      - MSIE 8.0
      - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727;
        .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E;
        InfoPath.2)
      - Mozilla/4.0 (compatible; RMS)
      - Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
      - O/9.27 (W; U; Z)
      - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*
      - Mozilla/5.0 (Windows NT 9; *
      - hots scot
    condition: selection
  fields:
  - ClientIP
  - c-uri
  - c-useragent
  falsepositives:
  - Old browsers
  level: high

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Raw string: the clause below is the Sigma selection escaped for Lucene query_string syntax,
# so every backslash must reach Elasticsearch unchanged.
s = searchContext.query('query_string', query=r'c-useragent.keyword:(SJZJ\ \(compatible;\ MSIE\ 6.0;\ Win32\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/20.0 OR User\-Agent\:\ Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Trident\/4.0;\ SLCC OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.4;\ Win32;32\-bit\) OR webclient OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/200 OR Mozilla\/4.0\ \(compatible;\ MSI\ 6.0; OR Mozilla\/5.0\ \(Windows\ NT\ 6.3;\ WOW64;\ rv\:28.0\)\ Gecko\/20100101\ Firefox\/28.0 OR Mozilla\/5.0\ \(Windows\ NT\ 6.2;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/ OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/2 OR Mozilla\/4.0 OR Netscape OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/20100719\ Firefox\/1.0.7 OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.13\)\ Firefox\/3.6.13\ GTB7.1 OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/4.0;\ SLCC2;\ .NETCLR\ 2.0.50727\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.0;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 11.0;\ Windows\ NT\ 6.1;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Win32\) OR Mozilla\ v5.1\ \(Windows\ NT\ 6.1;\ rv\:6.0.1\)\ Gecko\/20100101\ Firefox\/6.0.1 OR Mozilla\/6.1\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 5.3;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;\ SV1;\ .NET\ CLR\ 1.1.4322;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.0.04506.30;\ .NET\ CLR\ 3.0.04506.648;\ InfoPath.1\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ WinHttp\/1.6.3.8\ \(WinHTTP\/5.1\)\ like\ Gecko OR Mozilla\ v5.1\ * OR MSIE\ 8.0 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.1;\ SLCC2;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.5.30729;\ .NET\ CLR\ 3.0.30729;\ Media\ Center\ PC\ 6.0;\ .NET4.0C;\ .NET4.0E;\ InfoPath.2\) OR Mozilla\/4.0\ \(compatible;\ RMS\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ DynGate\) OR O\/9.27\ \(W;\ U;\ Z\) OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.0;\ Trident\/5.0;\ \ Trident\/5.0* OR Mozilla\/5.0\ \(Windows\ NT\ 9;\ * OR hots\ scot)')
response = s.execute()
if response.success():
    # scan() pages through every hit instead of stopping at the first result page
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # Without this branch a failed query leaves df undefined and the next cell raises NameError
    raise RuntimeError('Elasticsearch query failed')

Show Results


In [ ]:
df.head()
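The rule above lists its user agent strings as plain Sigma values: a value without a wildcard must match the whole c-useragent field, a trailing `*` matches any suffix, and comparison is case-insensitive. The query cell translates that list into a query_string clause on `c-useragent.keyword`, which is an exact, case-sensitive term match, so a client sending `WEBCLIENT` is a hit for the Sigma rule but not for this query. The Python below is an added example, not code from the original notebook or from the Sigma project: it applies the rule's matching semantics to a few constructed proxy events (IPs, URIs and agents are made up) and reproduces the escaping the query cell uses, for a subset of the rule's values. Field names follow the rule's `fields` list.

```python
import re

# Subset of the c-useragent values from the APT User Agent rule above,
# copied verbatim (the full rule carries many more).
APT_USER_AGENTS = [
    "SJZJ (compatible; MSIE 6.0; Win32)",
    "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)",
    "webclient",
    "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)",
    "O/9.27 (W; U; Z)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0*",
    "Mozilla/5.0 (Windows NT 9; *",
    "Mozilla v5.1 *",
    "hots scot",
]


def sigma_value_to_regex(value):
    """Compile one Sigma string value to an anchored, case-insensitive regex.

    Sigma semantics: a plain value must match the whole field, '*' matches any
    run of characters, '?' matches exactly one; everything else is literal.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED_SELECTION = [(v, sigma_value_to_regex(v)) for v in APT_USER_AGENTS]


def match_user_agent(user_agent):
    """Return the rule value that matched, or None if no value matches."""
    for value, regex in COMPILED_SELECTION:
        if regex.match(user_agent):
            return value
    return None


def run_rule(events):
    """Apply the selection to proxy events and return the rule's `fields` per hit."""
    hits = []
    for event in events:
        matched = match_user_agent(event.get("c-useragent", ""))
        if matched is not None:
            hits.append({
                "ClientIP": event["ClientIP"],
                "c-uri": event["c-uri"],
                "c-useragent": event["c-useragent"],
                "matched_value": matched,
            })
    return hits


# Characters that query_string treats as syntax. The query cell escapes these
# (space included, so no phrase quoting is needed) and leaves '*' alone so that
# Sigma's trailing wildcard survives as a Lucene wildcard.
_QUERY_STRING_RESERVED = set('+-=&|><!(){}[]^"~:\\/ ')


def sigma_value_to_query_string(value):
    """Escape one Sigma value the way the query cell above does."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*")
        elif ch in _QUERY_STRING_RESERVED:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_query_string(values=APT_USER_AGENTS, field="c-useragent.keyword"):
    """Assemble the OR-ed clause the notebook passes to query('query_string', ...)."""
    return field + ":(" + " OR ".join(sigma_value_to_query_string(v) for v in values) + ")"


# Constructed proxy events (IPs, URIs and agents are made up for this example).
SAMPLE_PROXY_EVENTS = [
    {"ClientIP": "10.0.0.5", "c-uri": "http://example.test/update.php",
     "c-useragent": "SJZJ (compatible; MSIE 6.0; Win32)"},
    {"ClientIP": "10.0.0.6", "c-uri": "http://example.test/img/1.gif",
     "c-useragent": "Mozilla/5.0 (Windows NT 9; WOW64) AppleWebKit/537.36"},
    {"ClientIP": "10.0.0.7", "c-uri": "http://example.test/",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"},
    # Upper-cased copy of a rule value: Sigma matches it, an exact .keyword term does not.
    {"ClientIP": "10.0.0.8", "c-uri": "http://example.test/cgi-bin/a",
     "c-useragent": "WEBCLIENT"},
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_PROXY_EVENTS):
        print(hit["ClientIP"], hit["c-useragent"], "<-", hit["matched_value"])
    print(build_query_string())
```

Running it flags three of the four events (the exact SJZJ string, the `Windows NT 9; *` prefix match, and the upper-cased `WEBCLIENT`), while `build_query_string()` yields the same escaped clause shape as the query cell for the subset. To get the rule's case-insensitive semantics out of Elasticsearch you would need a lowercase-normalized keyword field or a case-insensitive query rather than an exact term on `.keyword`.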