
Suspicious Base64 Encoded User-Agent

Sigma Rules

Summary
This detection rule identifies suspicious Base64-encoded User-Agent strings, which can indicate malware or other malicious activity. It matches patterns observed in specific encoded User-Agent values in HTTP requests seen at a proxy. The encodings of concern are sequences starting with specific strings associated with command-and-control (C2) behavior; attackers use such encoding to obscure the true nature of their HTTP requests. The rule is most useful in environments where traffic is proxied, and it helps counter threats that disguise the HTTP client identity to bypass security controls. To limit false positives, it triggers only on recognized sequences, reducing the chance that benign applications are flagged. The underlying data source is proxy logs, so the rule applies to web traffic monitoring and analysis.
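As an added illustration (not the Sigma rule itself, which this page does not reproduce), the following Python check applies the same two-part logic to constructed proxy log lines: the User-Agent must start with one of a list of known encoded prefixes and must also decode as well-formed Base64. The prefix list and the tab-separated log layout are assumptions, since the page does not give the rule's actual prefixes.

```python
import base64
import binascii
import re

# Assumption: the page does not list the encoded prefixes the rule matches on,
# so these two constructed placeholders stand in for that list.
SUSPICIOUS_UA_PREFIXES = ("TW96aWxsYS", "QWdlbnQ6")
_B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_base64_ua(ua, min_len=16):
    """Return the decoded bytes if `ua` is well-formed Base64, else None."""
    if len(ua) < min_len or len(ua) % 4 or not _B64_CHARS.match(ua):
        return None
    try:
        return base64.b64decode(ua, validate=True)
    except (binascii.Error, ValueError):
        return None

def is_suspicious_ua(ua, prefixes=SUSPICIOUS_UA_PREFIXES):
    """Mirror the rule: alert only on a known prefix AND genuine Base64, so an
    ordinary User-Agent that merely shares a prefix is not flagged."""
    return ua.startswith(prefixes) and decode_base64_ua(ua) is not None

def scan_proxy_log(lines, prefixes=SUSPICIOUS_UA_PREFIXES):
    """Assumed log layout: tab-separated time, src_ip, url, user_agent.
    Returns (src_ip, url, user_agent, decoded_preview) per matching line."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # malformed line; skip rather than abort the scan
        _, src_ip, url, ua = fields
        if is_suspicious_ua(ua, prefixes):
            decoded = decode_base64_ua(ua).decode("utf-8", errors="replace")
            hits.append((src_ip, url, ua, decoded[:40]))
    return hits

# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = [
    "1683200000\t192.0.2.10\thttp://example.invalid/\tMozilla/5.0 (Windows NT 10.0)",
    "1683200001\t192.0.2.11\thttp://example.invalid/c\tTW96aWxsYS81LjA=",
    "1683200002\t192.0.2.12\thttp://example.invalid/x\tTW96aWxsYS81LjA",
    "1683200003\t192.0.2.13\thttp://example.invalid/y\tQWdlbnQ6dGVzdDEy",
    "1683200004\t192.0.2.14\thttp://example.invalid/z\tcurl/8.0.1",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("ALERT", *hit)
```

The third sample line shares the prefix but is not valid Base64 (wrong length), so it is not reported; this is the false-positive guard the summary describes.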
Categories
  • Web
  • Network
Data Sources
  • User Account
  • Network Traffic
Created: 2023-05-04