- title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: experimental
description: Detects suspicious user agent strings used by malware in proxy logs
references:
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
- http://www.botopedia.org/search?searchword=scan&searchphrase=all
- https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
- https://perishablepress.com/blacklist/ua-2013.txt
- https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
author: Florian Roth
logsource:
category: proxy
product: null
service: null
detection:
selection:
c-useragent:
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
- HttpBrowser/1.0
- '*<|>*'
- nsis_inetc (mozilla)
- Wget/1.9+cvs-stable (Red Hat modified)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
- '*zeroup*'
- Mozilla/5.0 (Windows NT 5.1 ; v.*
- '* adlib/*'
- '* tiny'
- '* BGroom *'
- '* changhuatong'
- '* CholTBAgent'
- Mozilla/5.0 WinInet
- RookIE/1.0
- M
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
- Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
- backdoorbot
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401
Firefox/3.6.1 (.NET CLR 3.5.30731)
- Opera/8.81 (Windows NT 6.0; U; en)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401
Firefox/3.6.1 (.NET CLR 3.5.30729)
- Opera
- Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
- Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
- MSIE
- '*(Charon; Inferno)'
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
- Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
- Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
- Mozilla/5.0 (Windows NT 10.0; Win64; x64)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
- '* pxyscand*'
- '* asd'
- '* mdms'
- sample
- nocase
- Moxilla
- Win32 *
- '*Microsoft Internet Explorer*'
- agent *
- AutoIt
- IczelionDownLoad
condition: selection
fields:
- ClientIP
- c-uri
- c-useragent
falsepositives:
- Unknown
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='c-useragent.keyword:(Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64;\ rv\:53.0\)\ Gecko\/20100101\ Chrome\ \/53.0 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 5.1;\ Trident\/4.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.0;\ .NET\ CLR\ \ 1.1.4322\) OR HttpBrowser\/1.0 OR *|* OR nsis_inetc\ \(mozilla\) OR Wget\/1.9\+cvs\-stable\ \(Red\ Hat\ modified\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Trident\/4.0;\ .NET\ CLR\ 1.1.4322\) OR *zeroup* OR Mozilla\/5.0\ \(Windows\ NT\ 5.1\ ;\ v.* OR *\ adlib\/* OR *\ tiny OR *\ BGroom\ * OR *\ changhuatong OR *\ CholTBAgent OR Mozilla\/5.0\ WinInet OR RookIE\/1.0 OR M OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1;\ Trident\/4.0\) OR Mozilla\/4.0\ \(compatible;MSIE\ 7.0;Windows\ NT\ 6.0\) OR backdoorbot OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.3\)\ Gecko\/20100401\ Firefox\/3.6.1\ \(.NET\ CLR\ 3.5.30731\) OR Opera\/8.81\ \(Windows\ NT\ 6.0;\ U;\ en\) OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.3\)\ Gecko\/20100401\ Firefox\/3.6.1\ \(.NET\ CLR\ 3.5.30729\) OR Opera OR Mozilla\/4.0\ \(compatible;\ MSIE\ 5.0;\ Windows\ 98\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 5.01;\ Windows\ NT\ 5.0\) OR MSIE OR *\(Charon;\ Inferno\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 5.1;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.1;\ Windows\ NT\) OR Mozilla\/4.0\(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1\) OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 10.0;\ Win64;\ x64\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Win64;\ x64\) OR *\ pxyscand* OR *\ asd OR *\ mdms OR sample OR nocase OR Moxilla OR Win32\ * OR *Microsoft\ Internet\ Explorer* OR agent\ * OR AutoIt OR IczelionDownLoad)')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()