
Malware User Agent

Status
test
Severity
high
Log source
category proxy
Author
Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects suspicious user agent strings used by malware in proxy logs

MITRE ATT&CK coverage

Rule body (YAML)

title: Malware User Agent
id: 5c84856b-55a5-45f1-826f-13f37250cf4e
status: test
description: Detects suspicious user agent strings used by malware in proxy logs
references:
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
    - http://www.botopedia.org/search?searchword=scan&searchphrase=all
    - https://networkraptor.blogspot.com/2015/01/user-agent-strings.html
    - https://perishablepress.com/blacklist/ua-2013.txt
    - https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents
    - https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q
    - https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large
    - https://twitter.com/crep1x/status/1635034100213112833
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-07-08
modified: 2024-04-14
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
            # RATs
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0' # DragonOK
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)' # Used by PlugX - base-lining recommended - https://community.rsa.com/thread/185439
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)' # Used by PlugX - old - https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
            - 'HttpBrowser/1.0' # HTTPBrowser RAT
            - '*<|>*' # Houdini / Iniduoh / njRAT
            - 'nsis_inetc (mozilla)' # ZeroAccess
            - 'Wget/1.9+cvs-stable (Red Hat modified)' # Dyre / Upatre
            # Ghost419 https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
            # Malware
            - '*zeroup*' # W32/Renos.Downloader
            - 'Mozilla/5.0 (Windows NT 5.1 ; v.*' # Kazy
            - '* adlib/*'
            - '* tiny' # Trojan Downloader
            - '* BGroom *' # Trojan Downloader
            - '* changhuatong'
            - '* CholTBAgent'
            - 'Mozilla/5.0 WinInet'
            - 'RookIE/1.0'
            - 'M' # HkMain
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)' # Egamipload - old UA - probable prone to false positives
            - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)' # Yakes
            - 'backdoorbot'
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)' # Sality
            - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)' # Sality
            - 'Opera' # Trojan Keragany
            - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)' # Fareit
            - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)' # Webshell's back connect
            - 'MSIE' # Toby web shell
            - '*(Charon; Inferno)' # Loki Bot
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://www.virustotal.com/gui/file/8abbef8e58f012d45a7cb46c3c2729dcd33cf53e721ff8c59e238862aa0a9e0e/detection
            - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://www.virustotal.com/gui/file/d60f61f1f03a5011a0240694e110c6d370bf68a92753093186c6d14e26a15428/detection https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' # used by Zebrocy malware https://app.any.run/tasks/7d7fa4a0-6970-4428-828b-29572abf9ceb/
            # Ursnif
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
            # Emotet
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)' # https://twitter.com/webbthewombat/status/1225827092132179968
            # Lockbit (https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q)
            - 'Mozilla/5.0 (Windows NT 6.1)'
            - 'AppleWebkit/587.38 (KHTML, like Gecko)'
            - 'Chrome/91.0.4472.77'
            - 'Safari/537.36'
            - 'Edge/91.0.864.37'
            - 'Firefox/89.0'
            - 'Gecko/20100101'
            # Others
            - '* pxyscand*'
            - '* asd'
            - '* mdms'
            - 'sample'
            - 'nocase'
            - 'Moxilla'
            - 'Win32 *'
            - '*Microsoft Internet Explorer*'
            - 'agent *'
            - 'AutoIt' # Suspicious - base-lining recommended
            - 'IczelionDownLoad'
            - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # https://unit42.paloaltonetworks.com/thor-plugx-variant/
            - 'record' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'mozzzzzzzzzzz' # https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0' # Quasar RAT UA https://twitter.com/malmoeb/status/1559994820692672519?s=20&t=g3tkNL09dZZWbFN10qDVjg
            - 'Havana/0.1' # https://www.cybereason.com/blog/threat-alert-havanacrypt-ransomware-masquerading-as-google-update
            - 'antSword/v2.1' # AntSword Webshell UA
            - 'rqwrwqrqwrqw'  # Racoon Stealer
            - 'qwrqrwrqwrqwr'  # Racoon Stealer
            - 'rc2.0/client'  # Racoon Stealer
            - 'TakeMyPainBack'  # Racoon Stealer
            - 'xxx' # Racoon Stealer
            - '20112211' # Racoon Stealer
            - '23591' # Racoon Stealer
            - '901785252112' # Racoon Stealer
            - '1235125521512' # Racoon Stealer
            - '125122112551' # Racoon Stealer
            - 'B1D3N_RIM_MY_ASS' # Racoon Stealer
            - 'AYAYAYAY1337' # Racoon Stealer
            - 'iMightJustPayMySelfForAFeature' # Racoon Stealer
            - 'ForAFeature' # Racoon Stealer
            - 'Ares_ldr_v_*' # AresLoader
            # - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106' # seen used by AresLoader
            - 'Microsoft Internet Explorer' # https://github.com/silence-is-best/c2db
            - 'CLCTR' # https://github.com/silence-is-best/c2db
            - 'uploader' # https://github.com/silence-is-best/c2db
            - 'agent' # https://github.com/silence-is-best/c2db
            - 'License' # https://github.com/silence-is-best/c2db
            - 'vb wininet' # https://github.com/silence-is-best/c2db
            - 'Client' # https://github.com/silence-is-best/c2db
            - 'Lilith-Bot/3.0' # Lilith Stealer - https://twitter.com/suyog41/status/1558051450797690880
            - 'svc/1.0' # SVC Loader - https://twitter.com/suyog41/status/1558051450797690880
            - 'WSHRAT' # WSHRAT - https://twitter.com/suyog41/status/1558051450797690880
            - 'ZeroStresser Botnet/1.5' # Zerobot - https://twitter.com/suyog41/status/1558051450797690880
            - 'OK' # Nymaim - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1sqlite' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'Project1' # DarkCloud - https://twitter.com/suyog41/status/1558051450797690880
            - 'DuckTales' # Racoon Stealer
            - 'Zadanie' # Racoon Stealer
            - 'GunnaWunnaBlueTips' # Racoon Stealer
            - 'Xlmst' # Racoon Stealer
            - 'GeekingToTheMoon' # Racoon Stealer
            - 'SunShineMoonLight' # Racoon Stealer
            - 'BunnyRequester' # BunnyStealer
            - 'BunnyTasks' # BunnyStealer
            - 'BunnyStealer' # BunnyStealer
            - 'BunnyLoader_Dropper' # BunnyStealer
            - 'BunnyLoader' # BunnyStealer
            - 'BunnyShell' # BunnyStealer
            - 'SPARK-COMMIT' # SparkRAT - https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/
            - '4B4DB4B3' # B4B3RAT - https://twitter.com/naumovax/status/1718956514491130301
            - 'SouthSide' # Racoon Stealer
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)' # Latrodectus loader
    condition: selection
falsepositives:
    - Unknown
level: high
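The rule above is a plain list of `c-useragent` values, and how much it fires depends entirely on the matching semantics a Sigma backend applies: values are compared against the whole field, case-insensitively, with `*` as a wildcard, so a value such as `M`, `OK` or `Client` only matches a request whose entire user agent is that string, while `Ares_ldr_v_*` or `*<|>*` match any string containing the literal part. The following Python is an added illustration (not code from the SigmaHQ project or from this page) of those semantics: it translates a subset of the rule's values into anchored case-insensitive regexes and runs them over a few constructed proxy log lines. The log format (tab-separated timestamp, client address, destination host, user agent), the `parse_proxy_line` helper and the sample lines are assumptions for the example; the full value list from the rule drops into `RULE_VALUES` unchanged.

```python
import re

# Subset of the rule's c-useragent values, copied from the rule body above.
# Order matters only for which value is reported when several would match.
RULE_VALUES = [
    'HttpBrowser/1.0',                                  # exact (case-insensitive)
    '*<|>*',                                            # contains
    'Mozilla/5.0 (Windows NT 5.1 ; v.*',                # prefix
    '* tiny',                                           # suffix
    'M',                                                # exact: whole UA is "M"
    'OK',                                               # exact: whole UA is "OK"
    'Ares_ldr_v_*',                                     # prefix
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',        # exact, bare UA only
    'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
]


def sigma_to_regex(value):
    """Translate one Sigma string value into an anchored, case-insensitive regex.

    Sigma treats '*' as any run of characters and '?' as any single character;
    every other character is literal, and string comparison is case-insensitive
    by default. Backslash-escaping of wildcards is deliberately not handled here
    (assumption: none of the rule's values need it).
    """
    parts = []
    for ch in value:
        if ch == '*':
            parts.append('.*')
        elif ch == '?':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile('^' + ''.join(parts) + '$', re.IGNORECASE | re.DOTALL)


COMPILED = [(value, sigma_to_regex(value)) for value in RULE_VALUES]


def match_user_agent(ua):
    """Return the first rule value the user agent matches, or None."""
    for value, rx in COMPILED:
        if rx.match(ua):
            return value
    return None


def parse_proxy_line(line):
    """Assumed log layout: timestamp, client address, destination host, user agent."""
    ts, src, host, ua = line.rstrip('\n').split('\t', 3)
    return {'ts': ts, 'src': src, 'host': host, 'c-useragent': ua}


# Constructed sample proxy log: one benign full Chrome UA, then five that the
# rule's semantics should flag (exact, case-folded, prefix, one-letter, contains).
SAMPLE_LOG = (
    "2024-04-14T10:00:01Z\t10.0.0.5\texample.invalid\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\n"
    "2024-04-14T10:00:02Z\t10.0.0.7\texample.invalid\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    "2024-04-14T10:00:03Z\t10.0.0.9\texample.invalid\thttpbrowser/1.0\n"
    "2024-04-14T10:00:04Z\t10.0.0.11\texample.invalid\tMozilla/5.0 (Windows NT 5.1 ; v.1234)\n"
    "2024-04-14T10:00:05Z\t10.0.0.13\texample.invalid\tm\n"
    "2024-04-14T10:00:06Z\t10.0.0.15\texample.invalid\ta<|>b<|>c\n"
).splitlines()


def scan(lines):
    """Apply the selection to each log line; return (src, host, ua, matched value) per hit."""
    hits = []
    for line in lines:
        event = parse_proxy_line(line)
        matched = match_user_agent(event['c-useragent'])
        if matched is not None:
            hits.append((event['src'], event['host'], event['c-useragent'], matched))
    return hits


if __name__ == '__main__':
    for src, host, ua, value in scan(SAMPLE_LOG):
        print(f"{src} -> {host}  UA={ua!r}  matched rule value {value!r}")
```

The first sample line shows why the exact-match values are safe in normal traffic: a real browser sends the full `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/...` string, which does not equal the bare value in the rule. Backends that silently turn every value into a contains-match (or that are case-sensitive) change the rule's behaviour, which is worth checking before deploying it, in particular for the values the rule's own comments mark as needing base-lining.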

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    c-useragent:
        - 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)'
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)'
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)'
        - 'HttpBrowser/1.0'
        - '*<|>*'
        - 'nsis_inetc (mozilla)'
        - 'Wget/1.9+cvs-stable (Red Hat modified)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)'
        - '*zeroup*'
        - 'Mozilla/5.0 (Windows NT 5.1 ; v.*'
        - '* adlib/*'
        - '* tiny'
        - '* BGroom *'
        - '* changhuatong'
        - '* CholTBAgent'
        - 'Mozilla/5.0 WinInet'
        - 'RookIE/1.0'
        - 'M'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'
        - 'Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)'
        - 'backdoorbot'
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)'
        - 'Opera/8.81 (Windows NT 6.0; U; en)'
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)'
        - 'Opera'
        - 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)'
        - 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'
        - 'MSIE'
        - '*(Charon; Inferno)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)'
        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
        - 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)'
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)'
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)'
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)'
        - 'Mozilla/5.0 (Windows NT 6.1)'
        - 'AppleWebkit/587.38 (KHTML, like Gecko)'
        - 'Chrome/91.0.4472.77'
        - 'Safari/537.36'
        - 'Edge/91.0.864.37'
        - 'Firefox/89.0'
        - 'Gecko/20100101'
        - '* pxyscand*'
        - '* asd'
        - '* mdms'
        - 'sample'
        - 'nocase'
        - 'Moxilla'
        - 'Win32 *'
        - '*Microsoft Internet Explorer*'
        - 'agent *'
        - 'AutoIt'
        - 'IczelionDownLoad'
        - 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)'
        - 'record'
        - 'mozzzzzzzzzzz'
        - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0'
        - 'Havana/0.1'
        - 'antSword/v2.1'
        - 'rqwrwqrqwrqw'
        - 'qwrqrwrqwrqwr'
        - 'rc2.0/client'
        - 'TakeMyPainBack'
        - 'xxx'
        - '20112211'
        - '23591'
        - '901785252112'
        - '1235125521512'
        - '125122112551'
        - 'B1D3N_RIM_MY_ASS'
        - 'AYAYAYAY1337'
        - 'iMightJustPayMySelfForAFeature'
        - 'ForAFeature'
        - 'Ares_ldr_v_*'
        - 'Microsoft Internet Explorer'
        - 'CLCTR'
        - 'uploader'
        - 'agent'
        - 'License'
        - 'vb wininet'
        - 'Client'
        - 'Lilith-Bot/3.0'
        - 'svc/1.0'
        - 'WSHRAT'
        - 'ZeroStresser Botnet/1.5'
        - 'OK'
        - 'Project1sqlite'
        - 'Project1'
        - 'DuckTales'
        - 'Zadanie'
        - 'GunnaWunnaBlueTips'
        - 'Xlmst'
        - 'GeekingToTheMoon'
        - 'SunShineMoonLight'
        - 'BunnyRequester'
        - 'BunnyTasks'
        - 'BunnyStealer'
        - 'BunnyLoader_Dropper'
        - 'BunnyLoader'
        - 'BunnyShell'
        - 'SPARK-COMMIT'
        - '4B4DB4B3'
        - 'SouthSide'
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: c-useragent
Kind: eq
Values:
  • * BGroom *
  • * CholTBAgent
  • * adlib/*
  • * asd
  • * changhuatong
  • * mdms
  • * pxyscand*
  • * tiny
  • *(Charon; Inferno)
  • *<|>*
  • *Microsoft Internet Explorer*
  • *zeroup*
  • 1235125521512
  • 125122112551
  • 20112211
  • 23591
  • 4B4DB4B3
  • 901785252112
  • AYAYAYAY1337
  • AppleWebkit/587.38 (KHTML, like Gecko)
  • Ares_ldr_v_*
  • AutoIt
  • B1D3N_RIM_MY_ASS
  • BunnyLoader
  • BunnyLoader_Dropper
  • BunnyRequester
  • BunnyShell
  • BunnyStealer
  • BunnyTasks
  • CLCTR
  • Chrome/91.0.4472.77
  • Client
  • DuckTales
  • Edge/91.0.864.37
  • Firefox/89.0
  • ForAFeature
  • Gecko/20100101
  • GeekingToTheMoon
  • GunnaWunnaBlueTips
  • Havana/0.1
  • HttpBrowser/1.0
  • IczelionDownLoad
  • License
  • Lilith-Bot/3.0
  • M
  • MSIE
  • Microsoft Internet Explorer
  • Moxilla
  • Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
  • Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
  • Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; InfoPath.3)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)
  • Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)
  • Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
  • Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  • Mozilla/5.0 (Windows NT 5.1 ; v.*
  • Mozilla/5.0 (Windows NT 6.1)
  • Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)
  • Mozilla/5.0 WinInet
  • OK
  • Opera
  • Opera/8.81 (Windows NT 6.0; U; en)
  • Project1
  • Project1sqlite
  • RookIE/1.0
  • SPARK-COMMIT
  • Safari/537.36
  • SouthSide
  • SunShineMoonLight
  • TakeMyPainBack
  • WSHRAT
  • Wget/1.9+cvs-stable (Red Hat modified)
  • Win32 *
  • Xlmst
  • Zadanie
  • ZeroStresser Botnet/1.5
  • agent
  • agent *
  • antSword/v2.1
  • backdoorbot
  • iMightJustPayMySelfForAFeature
  • mozzzzzzzzzzz
  • nocase
  • nsis_inetc (mozilla)
  • qwrqrwrqwrqwr
  • rc2.0/client
  • record
  • rqwrwqrqwrqw
  • sample
  • svc/1.0
  • uploader
  • vb wininet
  • xxx