Santa dropped some user agents on the DFIR/RCE community today.
It is similar to other lists shared before:
- https://www.hexacorn.com/blog/2014/12/23/santas-bag-full-of-mutants/
- https://www.hexacorn.com/blog/2015/04/05/the-easter-bunny-comes-with-a-bag-full-of-events/
- https://www.hexacorn.com/blog/2015/02/19/year-of-sheep-starts-with-a-bag-full-of-atoms/
The list includes over 6K user agents used by samples I sandboxed. There is no guarantee all of them are malicious, so be aware that adding them blindly to some block lists will cause a lot of issues.
If you find any mistakes, please let me know. As mentioned above, this list SHOULD NOT be taken at face value as there are a lot of ways for it to get contaminated.
Note: the list contains variables (I hope they are self-explanatory 🙂 ):
- <COMPUTER NAME>
- <IP>
- <MAC>
- <SAMPLE NAME>
- <USER NAME>
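
One way to use entries containing these variables as hunting leads against proxy or sandbox logs rather than as a block list. This is an added example, not code from the original post; the one-entry-per-line format, the value shapes chosen for each variable, and all sample strings are assumptions constructed for illustration.

```python
import re

# Assumed value shapes for the placeholders named in the post (not from the list).
PLACEHOLDERS = {
    "<COMPUTER NAME>": r"[A-Za-z0-9_-]{1,15}",  # NetBIOS-style host name
    "<IP>": r"(?:\d{1,3}\.){3}\d{1,3}",         # dotted IPv4
    "<MAC>": r"[0-9A-Fa-f]{2}(?:[:-]?[0-9A-Fa-f]{2}){5}",
    "<SAMPLE NAME>": r"[\w.-]+",                # file name of the sample
    "<USER NAME>": r"[\w.-]+",
}
TOKEN = re.compile("|".join(re.escape(p) for p in PLACEHOLDERS))

def is_placeholder_only(entry):
    """True when no literal text remains; such an entry matches almost anything."""
    return TOKEN.sub("", entry).strip() == ""

def compile_entry(entry):
    """Build a regex from one entry: literals escaped, placeholders expanded."""
    parts, pos = [], 0
    for m in TOKEN.finditer(entry):
        parts += [re.escape(entry[pos:m.start()]), PLACEHOLDERS[m.group(0)]]
        pos = m.end()
    parts.append(re.escape(entry[pos:]))
    return re.compile("".join(parts))

def find_leads(entries, observed):
    """Return (observed_ua, entry) pairs; whole-string match, leads not verdicts."""
    usable = [e for e in entries if e.strip() and not is_placeholder_only(e)]
    compiled = [(e, compile_entry(e)) for e in usable]
    return [(ua, e) for ua in observed for e, rx in compiled if rx.fullmatch(ua)]

# Constructed sample data, not taken from the published list.
ENTRIES = [
    "ExampleAgent/1.0 (<COMPUTER NAME>; <IP>)",
    "updater-<MAC>",
    "<SAMPLE NAME>",                            # skipped: placeholder only
    "Mozilla/4.0 (compatible; Example.Bot+1)",
]
OBSERVED = [
    "ExampleAgent/1.0 (WKSTN-042; 192.0.2.15)",
    "updater-00:1A:2B:3C:4D:5E",
    "Mozilla/4.0 (compatible; ExampleXBot+1)",  # near miss, must not match
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for ua, entry in find_leads(ENTRIES, OBSERVED):
        print(f"lead: {ua!r} matches list entry {entry!r}")
```

Escaping the literal parts matters because user agents routinely contain `(`, `.`, and `+`, which would otherwise be read as regex syntax and produce false matches or misses.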