HTTP ANALYSIS
Analysts can use this analysis method to detect the following attacks that use the HTTP protocol:
Phishing pages
Web attacks
Data exfiltration
Command and control traffic (C2)
USER-AGENT ANALYSIS
Security analysts shouldn't rely on the user-agent field alone to spot an anomaly, because adversaries can set the user-agent to whatever they like. User-agent anomaly detection and hunting is an additional data source that is worth checking and is most useful when there is an obvious anomaly. To conduct this type of analysis effectively, threat hunters should validate a suspected anomaly against known-good user-agent information, such as a reference user-agent database.

root@dco:~$ wireshark &
#step 1: get an overview of every user-agent string seen in the capture
WireShark
Filter: http.user_agent
#step 2: identify user-agents typically used by adversary tooling. lower() must wrap the field, not the whole boolean expression, so the match is case-insensitive
WireShark
Filter: (lower(http.user_agent) contains "sqlmap") or (lower(http.user_agent) contains "nmap") or (lower(http.user_agent) contains "wfuzz") or (lower(http.user_agent) contains "nikto")
* be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers
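The same two checks done outside Wireshark, as an added example that is not part of the original notes: the case-insensitive scanner-token match from the filter above, plus the validation step the note asks for, comparing each user-agent against a browser-shaped baseline and against how many hosts in the log actually use it. The log format, IPs and user-agent strings are constructed for the example; the scanner strings only approximate the real tools' defaults.

```python
import re

# Constructed sample log (not a real capture): "<src_ip> <method> <path> <user-agent>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
10.0.0.6 GET /about Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
10.0.0.7 GET /login Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
10.0.0.9 GET /admin/ Mozilla/5.0 (compatible; Nikto/2.1.6)
10.0.0.9 GET /item?id=1 sqlmap/1.7#stable (https://sqlmap.org)
10.0.0.12 POST /upload python-requests/2.31.0
"""

# Scanner names from the Wireshark filter above, compared case-insensitively
# (the same job lower() does in the display filter).
TOOL_TOKENS = ("sqlmap", "nmap", "wfuzz", "nikto")

# Rough shape of a browser user-agent: "Mozilla/5.0 (<platform>) <engine/version> ...".
# Only a baseline: the header is client-controlled, so matching it proves nothing.
BROWSER_RE = re.compile(r"^Mozilla/5\.0 \([^)]+\) \S")

def parse_requests(log_text):
    """Yield (src_ip, user_agent) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            src, _method, _path, ua = line.split(" ", 3)
            yield src, ua

def analyze_user_agents(log_text, rare_max_hosts=1):
    """Return [(src_ip, user_agent, reasons)]: 'known-tool' (scanner token),
    'non-browser' (fails BROWSER_RE), 'rare' (<= rare_max_hosts distinct hosts)."""
    requests = list(parse_requests(log_text))
    hosts_per_ua = {}
    for src, ua in requests:
        hosts_per_ua.setdefault(ua, set()).add(src)
    findings = []
    for src, ua in requests:
        reasons = []
        if any(tok in ua.lower() for tok in TOOL_TOKENS):
            reasons.append("known-tool")
        if not BROWSER_RE.match(ua):
            reasons.append("non-browser")
        if len(hosts_per_ua[ua]) <= rare_max_hosts:
            reasons.append("rare")
        if reasons:
            findings.append((src, ua, reasons))
    return findings

if __name__ == "__main__":
    for src, ua, reasons in analyze_user_agents(SAMPLE_LOG):
        print(f"{src:<10} {','.join(reasons):<26} {ua}")
```

The three Chrome requests share one user-agent across three hosts and are never reported; a spoofed browser string used from a single host would still surface under 'rare', which is why the frequency check matters more than the token list once adversaries stop using tool defaults.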
