#HTTP User-Agent Analysis

Purpose: Identify malware by analyzing the User-Agent strings they present

Data Required: HTTP proxy data; list of known-bad UAs (optional)

Collection Considerations:

Analysis Techniques: Stack counting, String matching, tokenization, outlier detection

Description

Stack the entire UA string and look for rare occurrences. There may be a LOT of these, though. Every web plugin changes the UA string a bit, but that doesn't mean there's anything evil.
Consider more detailed analysis, including
- tokenizing the string and focusing on strings with the lowest number of tokens, most unique tokens, or some combination
- Looking for abnormally short or long strings
Look for list of known-bad UAs

Other Notes

Consider also doing this type of analysis for incoming HTTP transactions (in server logs) to identify potential recon or attack activity.

Intrusion Hunting for the Masses, David Sharpe (HackMiami 2016)
Threat Group 3390 Cyberespionage
Detecting Network Traffic from Metasploit's Meterpreter Reverse HTTP Module, Didier Stevens
The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization, Darren Manners