Santa dropped some user agents on the DFIR/RCE community today.
It is similar to other lists shared before:
The list includes over 6K user agents used by samples I sandboxed. There is no guarantee all of them are malicious, so be aware that adding them blindly to some block lists will cause a lot of issues.
If you find any mistakes, please let me know. As mentioned above, this list SHOULD NOT be taken at face value, as there are a lot of ways for it to get contaminated.
Note: the list contains variables (I hope they are self-explanatory 🙂):
- <COMPUTER NAME>
- <SAMPLE NAME>
- <USER NAME>
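One way to use entries that contain these variables for triage rather than blocking, as an added example that is not the author's code: each placeholder is expanded into a pattern, the rest of the entry is matched literally, and user agents already known from ordinary software in your environment are skipped. The pattern chosen for each placeholder, the `baseline` idea and all sample strings are assumptions constructed for illustration.

```python
import re

# Placeholder names come from the post; the pattern assigned to each is an assumption.
PLACEHOLDERS = {
    "<COMPUTER NAME>": r"[A-Za-z0-9_-]{1,15}",    # NetBIOS-style host name
    "<USER NAME>": r'[^\\/:*?"<>|]{1,64}',        # no path or wildcard characters
    "<SAMPLE NAME>": r'[^\\/:*?"<>|]{1,255}',     # file name of the sandboxed sample
}
_TOKEN = re.compile("|".join(re.escape(t) for t in PLACEHOLDERS))

def compile_entry(entry):
    """Escape the literal text of one list entry and expand its placeholders."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(entry):
        parts.append(re.escape(entry[pos:m.start()]))
        parts.append(PLACEHOLDERS[m.group(0)])
        pos = m.end()
    parts.append(re.escape(entry[pos:]))
    return re.compile("".join(parts))

def triage(entries, observed, baseline=frozenset()):
    """Return (user_agent, entry) pairs worth reviewing.

    Agents in `baseline` (seen from ordinary software in your own environment)
    are skipped, since the list may contain benign user agents.
    """
    compiled = [(e, compile_entry(e)) for e in entries]
    hits = []
    for ua in observed:
        if ua in baseline:
            continue
        for entry, rx in compiled:
            if rx.fullmatch(ua):  # whole-string match, so substrings do not hit
                hits.append((ua, entry))
                break
    return hits

# Constructed sample data, not taken from the published list.
MSIE = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
ENTRIES = ["Updater/<COMPUTER NAME>", MSIE, "<SAMPLE NAME>/1.0"]
OBSERVED = ["Updater/WS-FIN-042", MSIE, "invoice_scan.exe/1.0",
            "Mozilla/5.0 (X11; Linux x86_64)", "Updater/a.b"]
BASELINE = {MSIE}  # still used by a legacy internal tool in this made-up environment

if __name__ == "__main__":
    for ua, entry in triage(ENTRIES, OBSERVED, BASELINE):
        print(f"review: {ua!r} matched list entry {entry!r}")
```
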