Techniques
Sample rules
HTTP Malware User Agent
- source: splunk
- techniques:
  - T1071.001
Description
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of malware. This activity can signify possible compromised hosts on the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
| where isnotnull(malware)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen by malware url http_user_agent src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_malware_user_agent_filter`
HTTP C2 Framework User Agent
- source: splunk
- techniques:
  - T1071.001
Description
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of C2 frameworks. This activity can signify malicious actors attempting to interact with hosts on the network using known default configurations of command and control tools.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen by tool url http_user_agent src dest description
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_c2_framework_user_agent_filter`
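Both rules above share one pipeline shape: drop events without a user agent, join the user agent against a lookup, keep only matches, then count and take first/last seen per label, url, user agent, src and dest. The following is an added example, not Splunk's code, that reproduces that pipeline in Python over constructed proxy log lines; the lookup tables and every user agent, host and IP in it are made up stand-ins for the real `malware_user_agents` and `suspicious_c2_user_agents` lookups.

```python
import shlex
from datetime import datetime, timezone

# Constructed lookup tables standing in for Splunk's malware_user_agents and
# suspicious_c2_user_agents lookups; the user agents and labels are invented.
MALWARE_USER_AGENTS = {"ExampleDownloader/1.0": "example-downloader"}
C2_USER_AGENTS = {"ExampleC2Agent/2.1": "ExampleC2"}  # tool name only; description omitted

# Constructed proxy log lines: time src dest method url "user-agent" ('-' = no UA)
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.7 GET /update.php "ExampleDownloader/1.0"
2024-05-01T10:05:00Z 10.0.0.5 203.0.113.7 GET /update.php "ExampleDownloader/1.0"
2024-05-01T10:06:00Z 10.0.0.9 198.51.100.2 POST /api/submit "ExampleC2Agent/2.1"
2024-05-01T10:07:00Z 10.0.0.9 198.51.100.2 POST /api/submit -
2024-05-01T10:08:00Z 10.0.0.3 93.184.216.34 GET / "Mozilla/5.0 (constructed browser UA)"
"""

def parse_events(text):
    """Turn log lines into Web-datamodel-style dicts (the tstats field set)."""
    events = []
    for line in text.splitlines():
        ts, src, dest, method, url, ua = shlex.split(line)
        events.append({
            "_time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "dest": dest, "http_method": method, "url": url,
            "url_length": len(url),
            "http_user_agent": None if ua == "-" else ua,
        })
    return events

def aggregate_matches(events, lookup):
    """Mirror the SPL: where http_user_agent != null, lookup, where isnotnull(label),
    then stats count min(_time) max(_time) by label, url, http_user_agent, src, dest.
    http_method and url_length are split on in tstats but not in the final stats."""
    groups = {}
    for ev in events:
        ua = ev["http_user_agent"]
        if ua is None:
            continue
        label = lookup.get(ua)
        if label is None:  # no lookup hit: the row is dropped
            continue
        key = (label, ev["url"], ua, ev["src"], ev["dest"])
        g = groups.setdefault(key, {"count": 0, "first_seen": ev["_time"], "last_seen": ev["_time"]})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], ev["_time"])
        g["last_seen"] = max(g["last_seen"], ev["_time"])
    return groups
```

Run `aggregate_matches(parse_events(SAMPLE_LOG), MALWARE_USER_AGENTS)` for the malware rule and swap in `C2_USER_AGENTS` for the C2 framework rule; the returned dict keys are the `by` fields of the final `stats` and the values carry count, first_seen and last_seen.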