LoFP

Noise and false positives can be seen if these programs are allowed to be used within the corporate network. In this case, a filter is needed.

Techniques

Sample rules

HTTP RMM User Agent

Description

This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of Remote Monitoring and Management (RMM) applications. This activity can signify possibly compromised hosts on the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup rmm_user_agents rmm_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen by tool url http_user_agent src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_rmm_user_agent_filter`

HTTP PUA User Agent

Description

This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of potentially unwanted applications (PUA). This activity can signify possibly compromised hosts on the network.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent != null by Web.http_user_agent, Web.http_method, Web.url, Web.url_length, Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup pua_user_agents pua_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen by tool url http_user_agent src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_pua_user_agent_filter`
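Both rules above share one pipeline: look the user agent up in a lookup table, keep only rows that matched a tool, aggregate by tool/url/user agent/src/dest, then apply a site-specific filter macro to suppress sanctioned use. The following Python re-implementation of that pipeline over constructed proxy log lines is an added example, not code from the LoFP page or from Splunk; the lookup entries, user-agent strings and log records are all made up, and the `allowed_src` parameter stands in for the `http_rmm_user_agent_filter` / `http_pua_user_agent_filter` macros.

```python
from collections import defaultdict

# Constructed stand-in for the rmm_user_agents / pua_user_agents lookup:
# http_user_agent value -> tool name. Values are placeholders, not real UAs.
RMM_USER_AGENTS = {
    "ExampleRMM-Agent/1.0": "ExampleRMM",
    "OtherRemote-Client/4.2": "OtherRemote",
}

# Constructed web-proxy events: (epoch_time, src, dest, method, url, user_agent).
WEB_LOGS = [
    (1700000000, "10.0.0.5", "203.0.113.10", "GET", "/api/ping", "ExampleRMM-Agent/1.0"),
    (1700000060, "10.0.0.5", "203.0.113.10", "POST", "/api/ping", "ExampleRMM-Agent/1.0"),
    (1700000120, "10.0.0.7", "203.0.113.20", "GET", "/beacon", "OtherRemote-Client/4.2"),
    (1700000180, "10.0.0.9", "198.51.100.1", "GET", "/", "Mozilla/5.0 (browser)"),
    (1700000240, "10.0.0.11", "203.0.113.10", "GET", "/api/ping", "ExampleRMM-Agent/1.0"),
]


def detect_rmm_user_agents(logs, lookup, allowed_src=()):
    """Mirror of the SPL: lookup tool by user agent, drop unmatched rows
    (where isnotnull(tool)), then stats count/first_seen/last_seen by
    tool, url, http_user_agent, src, dest. `allowed_src` is the hypothetical
    filter: hosts where the tool is sanctioned are dropped (the LoFP note)."""
    rows = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None})
    for ts, src, dest, _method, url, ua in logs:
        if not ua:                      # Web.http_user_agent != null
            continue
        tool = lookup.get(ua)           # lookup ... OUTPUT tool
        if tool is None:                # where isnotnull(tool)
            continue
        if src in allowed_src:          # the *_filter macro: known-good sources
            continue
        key = (tool, url, ua, src, dest)
        r = rows[key]
        r["count"] += 1
        r["first_seen"] = ts if r["first_seen"] is None else min(r["first_seen"], ts)
        r["last_seen"] = ts if r["last_seen"] is None else max(r["last_seen"], ts)
    return dict(rows)


if __name__ == "__main__":
    # 10.0.0.11 is treated as a host where the RMM tool is approved, so it is filtered out.
    for key, r in detect_rmm_user_agents(WEB_LOGS, RMM_USER_AGENTS, allowed_src={"10.0.0.11"}).items():
        print(key, r)
```

Swapping `RMM_USER_AGENTS` for a PUA table gives the second rule; the browser event never matches the lookup and so never reaches the aggregation, exactly as `where isnotnull(tool)` does in SPL.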