- title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: experimental
description: Detects suspicious user agent strings used in APT malware in proxy
logs
references:
- Internal Research
author: Florian Roth, Markus Neis
logsource:
category: proxy
product: null
service: null
detection:
selection:
c-useragent:
- SJZJ (compatible; MSIE 6.0; Win32)
- Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0;
SLCC'
- Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)
- webclient
- Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200
- Mozilla/4.0 (compatible; MSI 6.0;
- Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
- Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/
- Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2
- Mozilla/4.0
- Netscape
- Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719
Firefox/1.0.7
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13
GTB7.1
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;
.NETCLR 2.0.50727)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)
- Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)
- Mozilla/4.0 (compatible; MSIE 8.0; Win32)
- Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
- Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)
- Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko
- Mozilla v5.1 *
- MSIE 8.0
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727;
.NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E;
InfoPath.2)
- Mozilla/4.0 (compatible; RMS)
- Mozilla/4.0 (compatible; MSIE 6.0; DynGate)
- O/9.27 (W; U; Z)
- Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*
- Mozilla/5.0 (Windows NT 9; *
- hots scot
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
falsepositives:
- Old browsers
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='c-useragent.keyword:(SJZJ\ \(compatible;\ MSIE\ 6.0;\ Win32\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/20.0 OR User\-Agent\:\ Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Trident\/4.0;\ SLCC OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.4;\ Win32;32\-bit\) OR webclient OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/200 OR Mozilla\/4.0\ \(compatible;\ MSI\ 6.0; OR Mozilla\/5.0\ \(Windows\ NT\ 6.3;\ WOW64;\ rv\:28.0\)\ Gecko\/20100101\ Firefox\/28.0 OR Mozilla\/5.0\ \(Windows\ NT\ 6.2;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/ OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/2 OR Mozilla\/4.0 OR Netscape OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/20100719\ Firefox\/1.0.7 OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.13\)\ Firefox\/3.6.13\ GTB7.1 OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/4.0;\ SLCC2;\ .NETCLR\ 2.0.50727\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.0;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 11.0;\ Windows\ NT\ 6.1;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Win32\) OR Mozilla\ v5.1\ \(Windows\ NT\ 6.1;\ rv\:6.0.1\)\ Gecko\/20100101\ Firefox\/6.0.1 OR Mozilla\/6.1\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 5.3;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;\ SV1;\ .NET\ CLR\ 1.1.4322;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.0.04506.30;\ .NET\ CLR\ 3.0.04506.648;\ InfoPath.1\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ WinHttp\/1.6.3.8\ \(WinHTTP\/5.1\)\ like\ Gecko OR Mozilla\ v5.1\ * OR MSIE\ 8.0 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.1;\ SLCC2;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.5.30729;\ .NET\ CLR\ 3.0.30729;\ Media\ Center\ PC\ 6.0;\ .NET4.0C;\ .NET4.0E;\ InfoPath.2\) OR Mozilla\/4.0\ \(compatible;\ RMS\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ DynGate\) OR O\/9.27\ \(W;\ U;\ Z\) OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.0;\ Trident\/5.0;\ \ Trident\/5.0* OR Mozilla\/5.0\ \(Windows\ NT\ 9;\ * OR hots\ scot)')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()