Rules: Hexadecimal User-Agent
User-Agent strings with hexadecimal values are often indicative of malware.
| Detail | Value |
|---|---|
| Type | Match |
| Category | Command and Control |
| Apply Risk to Entities | device_ip, srcDevice_ip, dstDevice_ip, device_hostname, srcDevice_hostname, dstDevice_hostname |
| Signal Name | Hexadecimal User-Agent |
| Summary Expression | Hexadecimal detected in user-agent: {{http_userAgent}} |
| Score/Severity | Static: 2 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0010, _mitreAttackTactic:TA0011, _mitreAttackTechnique:T1132, _mitreAttackTechnique:T1132.001, _mitreAttackTactic:TA0009, _mitreAttackTechnique:T1213, _mitreAttackTechnique:T1213.001 |
- Amazon AWS - Application Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- Cloudflare - Logpush
- Palo Alto Networks - Next Generation Firewall
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | dstDevice_hostname |
| Normalized Schema | dstDevice_ip |
| Normalized Schema | http_userAgent |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |