Domain trusts allow the users of the trusted domain to access resources in the trusting domain. As you can see today, we are moving our #SocGholish DNS signatures to ET Open to make them available to more of the community. rpacx[. com (hunting. rules) 2044079 - ET INFO. Zloader infection starts by masquerading as a popular application such as TeamViewer. com) (malware. Clicks, revenue flow to cyber criminals through malicious redirects, AGGRESSIVE social engineering, intellectual property abuse and obnoxious distraction. rules) 2049119 - ET EXPLOIT D-Link DSL-…. ClearFake is likely operated by the threat group behind the SocGholish "malware delivery via fake browser updates" campaigns. xyz) in DNS Lookup (malware. rules)2044707 - ET MALWARE SocGholish Domain in DNS Lookup (scripts . RUNDeep Malware Analysis - Joe Sandbox Analysis Report. Fakeupdates led to further compromise of many other malwares, including GootLoader, Dridex, NetSupport, DoppelPaymer, and AZORult. St. com in. rules) Pro: 2852976 - ETPRO MALWARE Win32/BeamWinHTTP CnC Activity M1 (POST) (malware. AndroidOS. com) 3452. exe, executing a JScript file. rules) 2046307 - ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup (mobile_malware. First is the fakeupdate file which would be downloaded to the targets computer. tauetaepsilon . rules) 2046307 - ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup (mobile_malware. rules) Pro: 2855076 - ETPRO MALWARE Suspected Pen. Malicious actors have also infiltrated malicious data/payloads to the victim. SocGholish Diversifies and Expands Its Malware Staging Infrastructure. 12:14 PM. Follow the steps in the removal wizard. everyadpaysmefirst . rules) Pro: 2807118 - ETPRO HUNTING SSL server Hello certificate Default Company Ltd CN=google. SocGholish, which initial access brokers frequently use, enables attackers to conduct reconnaissance and launch further payloads, such as Cobalt Strike. 
rules) Modified inactive rules: 2836743 - ETPRO MALWARE MuddyWater PowerShell RAT Check-in (malware. rules) Modified active rules: 2852922 - ETPRO MALWARE Win32/Screenshotter Backdoor Sending Screenshot (POST) (malware. 2039751 - ET MALWARE SocGholish Domain in DNS Lookup (course . rules) 2044517 - ET MALWARE SocGholish Domain in DNS Lookup (use . ojul . rules)Summary: 17 new OPEN, 51 new PRO (17 + 34) WinGo/YT, SocGholish, Various Phishing, Various Mobile Malware Thanks @C0ryInTheHous3, @Gi7w0rm, @500mk500, @1ZRR4H Please share issues, feedback, and requests at Feedback Added rules: Open: 2039428 - ET MOBILE_MALWARE Trojan-Ransom. FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. rules)This morning I logged into Unifi Network on my UDM and noticed a bunch of threat management notifications of the type ET MALWARE Possible Dyre SSL Cert (fake state). Figure 19: SocGholish Stage_3: Payload Execution and C2 Figure 20: SocGholish Stage_4: Follow On. Debug output strings Add for printing. exe, a legitimate Windows system utility, to download and execute an MSI installer from a command and. ]website): That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. com in TLS SNI) (exploit_kit. - GitHub - wellstrong/SOCGholish: Investigations into the SOCGholish campaign! End goal by the end of the year is to develop a rudimentary obfuscation detection and JavaScript. metro1properties . It is meant to help them with the distribution of various malware families by allowing the criminals to impersonate legitimate software packages and updates, therefore making the content appear more trustworthy. rules) 2045878 - ET MALWARE SocGholish Domain in DNS Lookup (archives . fl2wealth . SocGholish was observed in the wild as early as 2018. rules) 2046072 - ET INFO DYNAMIC_DNS Query to a. exe. org) (malware. rules) 2046130 - ET MALWARE SocGholish Domain in DNS Lookup (templates . 
rules)Disabled and modified rules: 2025019 - ET MALWARE Possible NanoCore C2 60B (malware. TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. ]com and community[. workout . rules) 2044029 - ET PHISHING Successful AU myGov Credential Phish 2023-01-30 (phishing. exe. Directly type or copy and paste a URL (with or without in the form field above, click ' Lookup ,' and learn the IP address and DNS information for that. rules) 2046308 - ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup (mobile_malware. GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as. SocGholish malware saw a number of new developments, including changes in obfuscation techniques, methods used to infect websites, and new threat actors driving SocGholish payloads to unsuspecting victims. 4. 2042968 - ET MALWARE SocGholish Domain in DNS Lookup (navyseal . Added rules: Open: 2043161 - ET. Here below, we have mentioned all the malware loaders that were unveiled recently by the cybersecurity experts at ReliaQuest:-. Delf Variant Sending System Information (POST) (malware. 168. Summary: 7 new OPEN, 30 new PRO (7 + 23) Thanks @g0njxa Added rules: Open: 2046951 - ET INFO DYNAMIC_DNS Query to a *. Key Findings: SocGholish, while relatively easy to detect, is difficult to stop. js. System. update' or 'chrome. rules) Pro:Since the webhostking[. ptipexcel . excluded . rules) 2043157 - ET MALWARE TA444 Related CnC Payload Request (malware. Our detections of the domains that were created and the SocGholish certificates that were used suggest the likelihood that the campaign began in November 2021 and has persisted up to the present. A. As per the latest details, compromised infrastructure of an undisclosed media company is being used to deploy the SocGholish JavaScript malware (also known as FakeUpdates) on. 
rules) 2049262 - ET INFO Observed External IP Lookup Domain (ufile . Debug output strings Add for printing. 2044028 - ET MALWARE ConnectWise ScreenConnect Payload Delivery Domain (win01 . SocGholish established persistence through a startup folder : Defence Evasion: Impair Defenses: Disable or Modify Tools: T1562. 2044846 - ET MALWARE SocGholish Domain in DNS Lookup (life . akibacreative . rules) Modified inactive rules: 2836743 - ETPRO MALWARE MuddyWater PowerShell RAT Check-in (malware. DNS stands for "Domain Name System. Cobalt Strike, a mainstay of the top five spots every month this year, curiously dropped all the way down to the twelfth spot. com) (malware. 3gbling . rules) 2048125 - ET INFO Kickidler. _Endpoint, created_at 2022_12_27, deployment Perimeter, deprecation_reason Age, former_category MALWARE, malware_family SocGholish, confidence High, signature_severity Major, updated_at 2022_12_27;). Figure 14: SocGholish Overview Figure 15: SocGholish Stage_1: TDS. Come and Explore St. meredithklemmblog . First, cybercriminals stealthily insert subdomains under the compromised domain name. eduvisuo . Summary: 196 new OPEN, 200 new PRO (196 + 4) Thanks @SinSinology Added rules: Open: 2046306 - ET MOBILE_MALWARE Android Spy PREDATOR CnC Domain in DNS Lookup (mobile_malware. This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further. First is the fakeupdate file which would be downloaded to the targets computer. firefox. com . 2. rules) Pro: 2852451 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-28 1) (coinminer. Fakeapp. For my first attempt at malware analysis blogging, I wanted to go with something familiar. When CryptoLocker executes on a victim’s computer, it connects to one of the domain names to contact the C&C. DW Stealer CnC Response (malware. 
exe && command_includes ('/domain_trusts' || '/all_trusts') Figure 13: On 09 August 2022, TA569 accidentally injected all their SocGholish injects and a new NetSupport RAT Sczriptzzbn inject on the same domain. com) (malware. NOTES: - At first, I thought this was the "SocGholish" campaign, but @SquiblydooBlog and others have corrected my original assessment. Added rules: Open: 2045069 - ET MALWARE Observed DNSQuery to TA444 Domain (altair-vc . com) (malware. JS. rules) 2046129 - ET MALWARE Gamaredon Domain in DNS Lookup (imenandpa . By leveraging different compression methods, obfuscating their code, and using intermediary domains, these attackers make it more challenging for security researchers and website. Domain shadowing is a subcategory of DNS hijacking, where attackers attempt to stay unnoticed. org, verdict: Malicious activity2046638 - ET PHISHING Suspicious IPFS Domain Rewritten with Google Translate (phishing. Scan your computer with your Trend Micro product to delete files detected as Trojan. Misc activity. zerocoolgames . Skimmer infections can wreak havoc on revenue, traffic, and brand reputation — resulting in credit card fraud, identity theft, stolen server resources, blocklisting. rules) SocGholish is a term I first saw in signatures from the EmergingThreats Pro ruleset to describe fake browser update pages used to distribute malware like a NetSupport RAT-based malware package or Chthonic banking malware. photo . org) (malware. io in TLS SNI) (info. Indicators of. topleveldomain To overcome this issue, CryptoLocker uses the C&C register’s random-looking domain names at a rather high rate. Figure 16: SocGholish Stage_1: Initial Domain Figure 17: SocGholish Stage_1 Injection Figure 18: SocGholish Stage_2: Payload Host. Search. rules) 2046272 - ET MALWARE SocGholish Domain in DNS Lookup (webdog . It writes the payloads to disk prior to launching them. simplenote . 
TA569 is a prolific threat actor primarily known for its deployment of website injections leading to a JavaScript payload known as SocGholish. rules) Pro: 2853743 - ETPRO MALWARE PikaBot CnC Activity M1 (malware. the client ( windows only) domain server A; domain server B; If another client needs to resolve the same domain name using server A then server A can respond. Read more…. In the past few months Proofpoint researchers have observed changes in the tactics, techniques, and procedures (TTPs) employed by TA569. . rules)The second IAV was SocGholish malware delivered via fake browser updates. Raw Blame. Please visit us at We will announce the mailing list retirement date in the near future. The absence of details. Catholic schools are pre-primary, primary and secondary educational institutions administered in association with the Catholic Church. , and the U. et/open: Nov 19, 2023: 3301092: 🐾 - 🚨 Suspicious TLSV1. The “Soc” refers to social engineering techniques that. Groups That Use This Software. Domain Accounts: At (Linux) Logon Script (Windows) Logon Script (Windows) Obfuscated Files or Information: Security Account Manager: Query Registry:↑ Fakeupdates – Fakeupdates (AKA SocGholish) is a downloader written in JavaScript. Summary: 45 new OPEN, 46 new PRO (45 + 1) Thanks @Jane_0sit Added rules: Open: 2018752 - ET HUNTING Generic . newspaper websites owned by the same parent company have been compromised by SocGholish injected code. rules)2046173 - ET MALWARE SocGholish Domain in DNS Lookup (portable . We think that's why Fortinet has it marked as malicious. com) 988. ]com domain. ET MALWARE SocGholish Domain in DNS Lookup (editions . The domain names are generated with a pseudo-random algorithm that the malware knows. While it is legitimate software, threat actors have been using it in recent years as a Remote Access Trojan (RAT) – most notably spread in 2020 via a massive. seattlemysterylovers . travelguidediva . rfc . T. Domain shadowing for SocGholish. 
While the full technical analysis of how the SocGholish framework operates is beyond the scope of this blog,. ]backpacktrader[. In this writeup, I will execute the payload and observe the response(s) from the C2 server. mathgeniusacademy . 2045876 - ET MALWARE SocGholish Domain in DNS Lookup (sapphire . 8. Type Programs and Settings in the Start Menu, click the first item, and find SocGholish in the programs list that would show up. oystergardener . beyoudcor . Figure 19: SocGholish Stage_3: Payload Execution and C2 Figure 20: SocGholish Stage_4: Follow On. rules) Pro: 2854455 - ETPRO HUNTING External Script Tag Placed Before Opening HTML Tags (hunting. For a brief explanation of the rules, the "ET MALWARE SocGholish Domain in DNS Lookup" rules are for DNS queries to the stage 2 shadowed domains. Launch a channel for employees to report social engineering attempts they’ve spotted (or fallen for). chrome. emptyisland . RUN] Medusa Stealer Exfiltration (malware. rules) 2046303 - ET MALWARE [ANY. com) for some time using the domain parking program of Bodis LLC,. In 2022, using this malware. com) (malware. The first is. rules)2042955 - ET MALWARE SocGholish Domain in DNS Lookup (brooklands . JS. SocGholish is commonly associated with the GOLD DRAKE threat group. rules) Pro: 2852806 - ETPRO. porchlightcommunity . sg) in DNS Lookup (malware. rules) 2047651 - ET MALWARE SocGholish CnC Domain in TLS SNI (* . com) (exploit_kit. rules) Summary: 19 new OPEN, 19 new PRO (19 + 0) Thanks @naumovax, @Jane_0sint Added rules: Open: 2048124 - ET PHISHING Generic Phishing - Successful Landing Interaction (phishing. In addition to script injections, a total of 15,172 websites were found to contain external script tags pointing to known SocGholish domains. net Domain (info. Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick. 
rules) 2048389 - ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-4115) set. Please visit us at The mailing list is being retired on April 3, 2023. Summary: 73 new OPEN, 74 new PRO (73 + 1) Thanks @1ZRR4H, @banthisguy9349, @PRODAFT, @zscaler Added rules: Open: 2048387 - ET INFO Simplenote Notes Taking App Domain in DNS Lookkup (app . rules) Pro: 2852402 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-09-09 1) (coinminer. com) (malware. ”. rules) 2049262 - ET INFO Observed External IP Lookup Domain (ufile . SOCGholish. ET MALWARE SocGholish Domain in DNS Lookup (ghost . com) (malware. 8. Update. The “SocGholish” (aka FakeUpdates) malware distribution framework has presented a gripping tale of intrigue and suspense for ReliaQuest this year. rules)Summary: 2 new OPEN, 4 new PRO (2 + 2) Added rules: Open: 2047650 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . lojjh . 209 . milonopensky . com) (malware. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. SSLCert. com in TLS SNI) (exploit_kit. rules) 2046863 - ET EXPLOIT_KIT. New one appeared today - Snort blocked a DNS request from pihole with rule number 2044844, "ET TROJAN SocGholish Domain in DNS Lookup (unit4 . rules) 2046862 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (updateadobeflash . On November 15th, Ben Martin reported a new type of WordPress infection resulting in the injection of SocGholish scripts into web pages. tmp. SocGholish is the primary threat that people think of when talking about a fake browser update lure and it has been well documented over the years. com) (malware. blueecho88 . SocGholish has been posing a threat since 2018 but really came into fruition in 2022. Please check the following Trend Micro. Left unchecked, SocGholish may lead to domain discovery. Cyware Alerts - Hacker News. rules) 2048388 - ET INFO Simplenote Notes Taking App Domain (app . com) (malware. netpickstrading . 
ET INFO Observed ZeroSSL SSL/TLS Certificate. Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. The attack campaign pushes NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads onto victims’ systems. JS. com) (malware. Several new techniques are being used to spread malware. Please visit us at We will announce the mailing list retirement date in the near future. theamericasfashionfest . End goal by the end of the year is to develop a rudimentary obfuscation detection and JavaScript deobfuscator specific for SOCGholish. wf) (info. org) (exploit_kit. _Endpoint, created_at 2022_12_23, deployment Perimeter, deprecation_reason Age, former_category MALWARE, malware_family SocGholish, confidence High, signature_severity Major, updated_at 2022_12_23;). This is represented in a string of labels listed from right to left and separated by dots. 7 - Destination IP: 8. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater. rules) Pro: 2852848 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-11-21 1) (coinminer. org) (exploit_kit. com) (malware. rules) Pro: 2853805 - ETPRO MALWARE TA551 Maldoc Payload Request (2023-03-23) (malware. ojul . With the domains created and the mutex check completed, the beacon now enters an infinite loop, calling a series of. SocGholish is an older malware than BLISTER and, because of its sophisticated distribution techniques, is valued among attackers. As noted in security vendor articles, this malware's attack techniques appear to have been in use since as early as 2020. SocGholish employs several scripted reconnaissance commands. com) (malware. In this tutorial we will examine what happens when you use DNS to lookup or resolve a domain name to an IP address. COMET MALWARE SocGholish CnC Domain in DNS Lookup (* . betting . novelty . 
A new Traffic Direction System (TDS) we are calling Parrot TDS, using tens of thousands of compromised websites, has emerged in recent months and is reaching users from around the world. We did that by looking for recurring patterns in their IP geolocations, ISPs, name servers, registrars, and text strings. It can also be described as a collection of Javascript tools used to extract sensitive data — and some security researchers have posited that it could even potentially be a platform of scripts and servers managed by a criminal group. mobileautorepairmechanic . 223 – 77980. ]online is placed as a layer above the normal page:. , and the U. online) (malware. exe. Raspberry Robin. Figure 14: SocGholish Overview Figure 15: SocGholish Stage_1: TDS. Some of the organizations targeted by WastedLocker could have been compromised when an employee browsed the news on one of its websites. Figure 19: SocGholish Stage_3: Payload Execution and C2 Figure 20: SocGholish Stage_4: Follow On. The actual script was not recovered, but based on the information found, Truesec established that it is highly likely that it was part of the SocGholish framework. rules)Summary: 48 new OPEN, 52 new PRO (48 + 4) Thanks @DeepInsinctSec, @CISAgov There will not be a release this Friday (5/12) due to a Proofpoint holiday. Deep Malware Analysis - Joe Sandbox Analysis ReportDNS Lookups Explained. rules) 2809178 - ETPRO EXPLOIT DTLS 1. disisleri . Gh0st is a RAT used to control infected endpoints. rules) 2046303 - ET MALWARE [ANY. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. No debug info. 2043025 - ET MALWARE SocGholish Domain in DNS Lookup (taxes . zurvio . " It is the Internet standard for assigning IP addresses to domain names. ]net domain has been parked (199. These opportunistic attacks make it. 66% of injections in the first half of 2023. com) (malware. 
Potential SocGholish C2 activity can be identified with the following domain patterns observed during various investigations: [8 random hex. As of 2011, the Catholic Church. tauetaepsilon . The drive-by download mechanisms used by the SocGholish framework don't involve browser exploitations or exploit kits to deliver payloads. rules) 2043458 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* . rules) Pro: 2852842 - ETPRO MALWARE Win32/Spy. novelty . com) (malware. rules) Summary: 14 new OPEN, 26 new PRO (14 + 12) Added rules: Open: 2048493 - ET INFO ISO File Downloaded (info. Our detections of the domains that were created and the SocGholish certificates that were used suggest the likelihood that the campaign began in November 2021 and has persisted up to the present. rules) 2044844 - ET MALWARE SocGholish Domain in DNS Lookup (unit4 . Summary: 3 new OPEN, 6 new PRO (3 + 3) Thanks @travisbgreen Added rules: Open: 2047862 - ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315) (web_specific_apps. Here below, we have mentioned all the malware loaders that were unveiled recently by the cybersecurity experts at ReliaQuest:-. 2. The beacon will determine if any of the generated domains resolve to an IP address, and if so, will use a TCP socket to connect to it on port 14235. net <commands> (commands to find targets on the domain) Lateral Movement: jump psexec (Run service EXE on remote host) jump psexec_psh (Run a PowerShell one-liner on remote host via a service) jump winrm (Run a PowerShell script via WinRM on remote host) remote-exec <any of the above> (Run a single command using. Confirmation of actor collaboration between access brokers and ransomware threat actors is difficult due to. blueecho88 . Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190). 2022-09-27 (TUESDAY) - "SCZRIPTZZBN" CAMPAIGN PUSHES SOLARMARKER. rules) Removed rules: 2044957 - ET MALWARE TA569 Keitaro TDS Domain in DNS Lookup (jquery0 . 
org) (exploit_kit. 1. com) (malware. Summary: 28 new OPEN, 29 new PRO (28 +1) CVE-2022-36804, TA444 Domains, SocGholish and Remcos. A Network Trojan was detected. At the conclusion of “SocGholish Series - Part 2”, I had obtained the primary, first stage JavaScript payload, titled Updates. tropipackfood . zurvio . rules) 2047863 - ET MALWARE SocGholish Domain in DNS Lookup (assay . bezmail . S. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. rules) 2046305 - ET PHISHING Generic Survey Credential. Update. In total, four hosts downloaded a malicious. One can find many useful, and far better, analysis on this malware from many fantastic. SocGholish & NDSW Malware. com) (malware. Breaches and Incidents. com) (malware. SocGholish Framework. This DNS resolution is capable. K. com) 2888. Summary: 24 new OPEN, 30 new PRO (24 + 6) Thanks @James_inthe_box, @ViriBack The Emerging Threats mailing list is migrating to Discourse. net. rules) 2039004 - ET MALWARE SocGholish Domain in DNS Lookup (memorial . Raw Blame. 8Got Parrable domain alarms and SOCGholish DNS Requests very roughly around the same time; Checked page Source on Parrable[. rules) 2854321 - ETPRO ATTACK_RESPONSE Fake Cloudflare Captcha Page In HTTP Response (attack_response. 2048142 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (cpmmasters . com) (malware. subdomain. rules) 2840685 - ETPRO POLICY Observed SSL Cert (ipecho IP Check) (policy. rules) 2046953 - ET INFO DYNAMIC_DNS Query to a *. rules) Pro: 2852989 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline (2022-12-29 1) (coinminer. Proofpoint has published domain rules for TA569-controlled domains that can be monitored and blocked to prevent the download of malware payloads. This rule will detect when it is being used to enumerate network trusts. com) (malware. 
Two of these involve using different traffic distribution systems (TDS) and the other uses a JavaScript asynchronous script request to direct traffic to the lure's domain. 8. The threat actor behind SocGholish is known to leverage compromised websites to distribute malware via fake browser updates. The GreyMatter Platform Detection Investigation Response Modernize Detection, Investigation, Response with a Security Operations Platform. rules) 2049267 - ET MALWARE SocGholish. The attackers leveraged malvertising and SEO poisoning techniques to inject. rules)SocGholish C2 domains rotate regularly and often use hijacked subdomains of legitimate websites that can blend in with seemingly normal network traffic. 2044842 - ET MALWARE DBatLoader CnC Domain (silverline . The malware prompts users to navigate to fake browser-update web pages. 2046239 - ET MALWARE SocGholish Domain in DNS Lookup (forbes . com) (malware. Its vast malware distribution network runs on compromised websites and social engineering; just four user clicks can affect an entire domain or network of computer systems within days. Spy. iexplore. An HTTP POST request to a Lumma Stealer C2. com) (exploit_kit. rules) 2046692 - ET. Malicious actors have utilized Command & Control (C2) communication channels over the Domain Name Service (DNS) and, in some cases, have even used the protocol to exfiltrate data. site) (malware. rules) 2045622 - ET MALWARE SocGholish Domain in DNS Lookup (backroom . siliconvalleyga . signing . cahl4u . It remains to be seen whether the use of public Cloud. rules) 2807512 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client. This search looks for the execution of with command-line arguments utilized to query for Domain Trust information. com Agent User-Agent (Desktop Web System) Outbound (policy.