HTTP ANALYSIS

analysts can utilize this analysis method to detect the following attacks that uses http protocol

• Phishing pages

• Web attacks

• Data exfiltration

• Command and control traffic (C2)

USER-AGENT ANALYSIS

security analysts shouldn't fully rely on the user-agent field alone to spot an anomaly as adversaries can modify the user-agent data. user-agent anomaly/threat detection/hunting is an additional data source that could be checked and is useful when there is an obvious anomaly. to effectively conduct this type of analysis, threat hunters should validate the anomaly against normal user-agent information such as the .

root@dco:~$ wireshark &

#step 1: get an overview
WireShark
 Filter: http.user_agent
 
#step 2: identify typically used adversary user-agent
WireShark
 Filter: lower((http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "wfuzz") or (http.user_agent contains "Nikto"))

 * be aware that sophisticated APTs or adversaries can modify the user-agent data to match legitimate user-agents used by web browsers