Detections for default user agents #3842
base: develop
Conversation
| attempting to interact with hosts on the network using known default configurations of command | ||
| and control tools. | ||
| data_source: | ||
| - Splunk Stream HTTP |
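Review bot: the story description in this hunk covers only "command and control tools", yet the PR ships malware, PUA and RMM user-agent detections alongside the C2 one; if all four are attached to this story, widen the description to name those categories, otherwise give them their own story file. Separately, data_source lists Splunk Stream HTTP while the thread states these detections were not tested against that dataset; data_source should name only the sources the attached test data actually exercises.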
Can we remove Splunk Stream HTTP from here, as we have not tested these detections against that dataset?
I would also recommend that we create a new story file for these detections.
| rba: | ||
| message: A known C2 Framework user agent $http_user_agent$ was performing a request from $src$ to $dest$. | ||
| risk_objects: | ||
| - field: dest |
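Review bot: the rba message in this hunk references $http_user_agent$, $src$ and $dest$, so all three must be output by the search's by clause or the tokens render unfilled in the risk message; risk_objects lists only dest while the message describes $src$ as the host making the request, which is the inconsistency raised below. The matched user agent is the indicator this detection keys on, so a threat_object carrying $http_user_agent$ next to the ip_address threat_object for dest would make the risk event more useful at triage.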
I think in this case the src machine is likely the victim machine connecting to dest, hence the risk_object would only be src; we can remove dest from risk_object and consider adding dest to threat_object of type ip_address,
and src risk_object would also be an ip address in Web logs.
| - Splunk Stream HTTP | ||
| - Suricata | ||
| search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime | ||
| from datamodel=Web by Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest |
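Review bot: the by clause in this hunk mixes separators (`Web.http_user_agent Web.http_method, Web.url, Web.url_length Web.src, Web.dest`); tstats accepts both spaces and commas, but pick one so the field list reads cleanly and diffs well. Also, as asked below, drop rows with an empty user agent in the tstats where clause rather than in a later filter, so that with summariesonly those rows never reach the lookup step in the first place.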
Just to optimize the search a bit, can you add an http_user_agent != null or "" filter so at least we do not get weak logs into the mix that we later drop?
And do that for the rest of the analytics as well.
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: A known malware user agent $http_user_agent$ was performing a request to $src$. |
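Review bot: the rba message in this hunk says the request was made to $src$, but src is the host that made the request; the C2 detection in this PR words it "from $src$ to $dest$", which is the consistent form, and "malware" should read RMM as noted below. If $src$ stays in the message, the search must also output src in its by clause.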
This needs to be RMM related; I guess a copy-paste typo.
| @@ -1,6 +1,6 @@ | |||
| name: HTTP Suspicious Tool User Agent | |||
| name: HTTP Scripting Tool User Agent | |||
Renames SUCK in Splunk, hence the better approach here (unfortunately) is to deprecate the detection and create a new one with this new name.
I am inclined to think that, just because this was a relatively new analytic, we can get away with just renaming, but would defer to @patel-bhavin on this.
| match_type: | ||
| - WILDCARD(malware_user_agents) | ||
| min_matches: 1 | ||
| case_sensitive_match: false |
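Review bot: WILDCARD(malware_user_agents) together with case_sensitive_match: false in this hunk makes every `*` in a lookup value a wildcard and ignores case, so one short or generic entry matches far more user agents than intended and a single bad row turns the whole detection noisy; for an indicator list that tags traffic as malware, use exact matching (case_sensitive_match: true and no WILDCARD entry in match_type) unless a specific value genuinely needs a wildcard, and have the lookup CSV checked for stray `*` characters.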
I think matches have to be case sensitive because we are tagging malware, so it has to almost always be right.
| match_type: | ||
| - WILDCARD(c2_user_agent) | ||
| min_matches: 1 | ||
| case_sensitive_match: false |
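Review bot: WILDCARD(c2_user_agent) with case_sensitive_match: false in this hunk means any `*` in a lookup value widens the match and case is ignored, which for a list tagged as C2 defaults trades precision away where it matters most; exact matching, as suggested below, is the safer default. Also, the lookup field naming differs between the two lookups in this PR (c2_user_agent here, malware_user_agents in the other), so align on one convention to avoid mismatched field references in the detections' lookup commands.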
Similar here: because we are tagging C2 defaults we have to always be right. I suggest using exact match.
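To make the precision argument in this thread concrete, here is an added Python simulation (not code from the PR or from the security_content project) of the two lookup configurations under discussion: WILDCARD match with case_sensitive_match false versus an exact, case-sensitive match, run over a few Web events. The lookup entries, hosts and user agents are constructed for the demo and are not the PR's CSV contents.

```python
import re

# Constructed lookup entries (hypothetical). "Mozilla/*" stands in for the
# kind of generic row that becomes a problem once '*' is a wildcard.
LOOKUP_UAS = ["ExampleC2Agent/1.0", "Mozilla/*"]

# Constructed Web datamodel events, one per line: src,dest,http_user_agent
SAMPLE_EVENTS = """10.0.0.5,203.0.113.10,ExampleC2Agent/1.0
10.0.0.6,203.0.113.11,examplec2agent/1.0
10.0.0.7,203.0.113.12,Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/120.0
10.0.0.8,203.0.113.13,
10.0.0.9,203.0.113.14,curl/8.4.0"""


def wildcard_match(value, pattern, case_sensitive):
    """Splunk-style WILDCARD lookup match: only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def exact_match(value, pattern, case_sensitive):
    """Default lookup behaviour when no match_type is declared for the field."""
    if case_sensitive:
        return value == pattern
    return value.lower() == pattern.lower()


def run_detection(events_csv, lookup, matcher, case_sensitive):
    """Return (src, dest, user_agent) for events whose UA hits the lookup."""
    hits = []
    for line in events_csv.splitlines():
        src, dest, ua = line.split(",", 2)
        # The filter the review asks for: drop empty user agents before the
        # lookup step so weak events never reach the matching stage.
        if not ua:
            continue
        if any(matcher(ua, entry, case_sensitive) for entry in lookup):
            hits.append((src, dest, ua))
    return hits


if __name__ == "__main__":
    noisy = run_detection(SAMPLE_EVENTS, LOOKUP_UAS, wildcard_match, False)
    strict = run_detection(SAMPLE_EVENTS, LOOKUP_UAS, exact_match, True)
    print("WILDCARD, case-insensitive:", noisy)   # 3 hits, incl. a normal browser
    print("exact, case-sensitive:    ", strict)  # 1 hit: the real indicator
```

The wildcard row alone pulls every ordinary Firefox request into the risk events, which is the false-positive cost the exact-match suggestion avoids.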
Details
Detection content around default user agents used by various programs and malware.
4 new detections:
HTTP C2 Framework User Agent
HTTP Malware User Agent
HTTP PUA User Agent
HTTP RMM User Agent
4 new lookups:
Malware User Agents
PUA User Agents
RMM User Agents
Suspicious C2 User Agents