Title Analyse user-agent
ID RA2117
Description Analyse a User-Agent request header for indications of suspicious activity
Author Patrick Abraham
Creation Date 2020/12/11
Category Network
Stage RS0002: Identification
  • DN_zeek_http_log


A User-Agent string is a piece of metadata carried in the header of an HTTP request and is used for content negotiation as outlined in RFC 1945. Adversaries often overlook the user-agent, which makes it a valuable point of investigation.

  1. Retrieve the user-agent from the HTTP header.
  2. Using the methodology below as a reference, make a judgement as to whether the user-agent provided is suspicious or not.

Indications of suspicious user-agents based upon string analysis:

  • The user-agent is left empty.
  • The user-agent contains typos or deviations in capitalisation that differ from known-good user-agents.
  • The user-agent contains a sequence of random characters or "gibberish" akin to those found within MITRE ATT&CK T1568.002.
  • The user-agent contains code that would execute an XSS or SQL Injection attack.

Indications of suspicious user-agents based upon reputational analysis:

  • The user-agent is not listed as a popular user-agent on reference materials such as WhatIsMyBrowser.
  • It should be noted that there is value in engaging with the community on particular User-Agents, and this can often be done by leveraging a search engine such as Google.

Contextualise your findings with knowledge from your environment.

  • Consider whether the user-agent is plausible for your standard operating environment (SOE). For instance, Mac OS X user-agents appearing in a Windows-only environment.
  • Consider performing long-tail analysis or clustering to identify anomalies within your environment.
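As an added example (not part of this action or the RE&CT project), the string-analysis checks above and a simple long-tail count applied to rows of a Zeek http.log. The log excerpt and the known-good product allowlist are constructed for illustration; the allowlist would be built from your own environment.

```python
import re
from collections import Counter
# Constructed Zeek http.log excerpt (TSV); real logs have more columns. Zeek writes "-" for unset fields.
SAMPLE_HTTP_LOG = """#fields\tts\tid.orig_h\tmethod\thost\turi\tuser_agent
1607700001.1\t10.0.0.5\tGET\texample.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
1607700002.2\t10.0.0.6\tGET\texample.com\t/\t-
1607700003.3\t10.0.0.7\tGET\texample.com\t/\tMozila/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0.4280.88
1607700004.4\t10.0.0.8\tGET\texample.com\t/\tmozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0.4280.88
1607700005.5\t10.0.0.9\tGET\texample.com\t/\txkq9z2vbn7t4lwpr
1607700006.6\t10.0.0.10\tGET\texample.com\t/\t' OR 1=1 --
"""
KNOWN_GOOD = {"Mozilla/5.0", "curl/7.68.0"}  # hypothetical allowlist of leading product tokens
INJECTION = re.compile(r"<script|'\s*or\s|union\s+select|;\s*drop\s", re.I)
def edit_distance(a, b):  # Levenshtein distance, used to spot one- or two-character typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyse_user_agent(ua):
    """Return the string-analysis indicators that fire for one user-agent."""
    if ua in ("", "-"):
        return ["empty"]
    findings = []
    if INJECTION.search(ua):
        findings.append("injection-pattern")
    product = ua.split()[0]
    if product not in KNOWN_GOOD:
        if product.lower() in {p.lower() for p in KNOWN_GOOD}:
            findings.append("capitalisation-deviation")
        elif any(edit_distance(product, p) <= 2 for p in KNOWN_GOOD):
            findings.append("typo")
    # One long token with no spaces or slashes and almost no vowels reads as gibberish.
    if " " not in ua and "/" not in ua and len(ua) >= 12:
        if sum(c in "aeiou" for c in ua.lower()) / len(ua) < 0.25:
            findings.append("gibberish")
    return findings

def analyse_zeek_http_log(text):
    """Parse Zeek http.log text; return {user_agent: (hit_count, findings)} for flagged UAs."""
    fields, counts = [], Counter()
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            counts[line.split("\t")[fields.index("user_agent")]] += 1
    return {ua: (n, analyse_user_agent(ua)) for ua, n in counts.items() if analyse_user_agent(ua)}
```

The hit count alongside each flagged user-agent is the long-tail signal: a string seen once across the whole log deserves more attention than one seen by every host.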

Important Considerations

  • User-Agents are client-side generated and can be easily spoofed. Many adversaries will default to leveraging known-good user-agents to hide activity.
  • User-Agent analysis should be combined with other analysis to improve the fidelity of the signal. Many legitimate applications (especially custom applications) omit the user-agent string or use the default string of a popular HTTP library.