Hello,
during the analysis of the report of the Immediate Threats test “GLOBEIMPOSTER RANSOMWARE WITH MEDUSALOCKER SPREADING VIA RDP” we verified that the access to a malicious URL has been correctly blocked. The related event registered by the SIEM reports:
- The action is blocked because “Not allowed to use this browser”
- The useragent reported in the event is “useragent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36”
Our doubt is related to the fact that none of the reported browser versions is currently installed on the host where the agent is running. We would like to ask whether the agent uses an internal browser that is different from the default one used on the host.
Thank you in advance!
Lucio
Best answer by Shiraz