Santa’s bag full of User Agents

December 20, 2015 in Batch Analysis, Clustering, Compromise Detection, Forensic Analysis, Incident Response, Proxy Logs Analysis

Santa dropped some user agents on the DFIR/RCE community today.

It is similar to other lists shared before:

The list includes over 6K user agents used by samples I sandboxed. There is no guarantee all of them are malicious, so be aware that adding them blindly to some block lists will cause a lot of issues.

If you find any mistakes, please let me know. As mentioned above, this list SHOULD NOT be taken at its face value as there are a lot of ways for it to get contaminated.

Note: the list contains variables (I hope they are self-explanatory 🙂 ):

  • <COMPUTER NAME>
  • <IP>
  • <MAC>
  • <SAMPLE NAME>
  • <USER NAME>
Share this :)

Comments are closed.