#HTTP User-Agent Analysis
Purpose: Identify malware by analyzing the User-Agent strings they present
Data Required: HTTP proxy data; list of known-bad UAs (optional)
Analysis Techniques: Stack counting, String matching, tokenization, outlier detection
- Stack the entire UA string and look for rare occurrences. There may be a LOT of these, though. Every web plugin changes the UA string a bit, but that doesn't mean there's anything evil.
- Consider more detailed analysis, including
- tokenizing the string and focusing on strings with the lowest number of tokens, most unique tokens, or some combination
- Looking for abnormally short or long strings
- Look for list of known-bad UAs
Consider also doing this type of analysis for incoming HTTP transactions (in server logs) to identify potential recon or attack activity.
- Intrusion Hunting for the Masses, David Sharpe (HackMiami 2016)
- Threat Group 3390 Cyberespionage
- Detecting Network Traffic from Metasploit's Meterpreter Reverse HTTP Module, Didier Stevens
- The User Agent Field: Analyzing and Detecting the Abnormal or Malicious in your Organization, Darren Manners