Empire UserAgent URI Combo
Detects user agent and URI paths used by empire agents
Sigma rule

```yaml
title: Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
    - https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020/07/13
modified: 2022/08/05
tags:
    - attack.defense_evasion
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-uri:
            - '/admin/get.php'
            - '/news.php'
            - '/login/process.php'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to server scripts of the defined names
level: high
```
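The selection above is three fields joined by AND, with `cs-uri` being a list (OR of the three exact values). The following is an added example, not code from the Sigma project or the rule author, that evaluates that selection against proxy log records so the matching behaviour can be checked before the rule is deployed. It assumes the proxy exports records as a tab-separated file whose header row uses the Sigma proxy field names (`c-useragent`, `cs-uri`, `cs-method`); the log lines are constructed for the example, and the Chrome user agent and IP addresses in them are invented.

```python
"""Added example (not from the Sigma project): evaluate the selection block of
the 'Empire UserAgent URI Combo' rule against proxy log records."""
from typing import Dict, Iterator, List

# Values copied verbatim from the rule's detection.selection block.
EMPIRE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_URIS = ("/admin/get.php", "/news.php", "/login/process.php")
EMPIRE_METHOD = "POST"

# Constructed sample proxy log (assumption: tab-separated export with a header
# row that already uses the Sigma proxy field names).
SAMPLE_LOG = "\n".join([
    "date\ttime\tc-ip\tcs-method\tcs-uri\tc-useragent",
    "2024-01-15\t09:12:01\t10.0.0.5\tPOST\t/admin/get.php\t" + EMPIRE_USER_AGENT,
    "2024-01-15\t09:12:07\t10.0.0.5\tGET\t/news.php\t" + EMPIRE_USER_AGENT,
    "2024-01-15\t09:13:40\t10.0.0.9\tPOST\t/news.php\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "2024-01-15\t09:14:02\t10.0.0.7\tPOST\t/login/process.php\t" + EMPIRE_USER_AGENT,
    "2024-01-15\t09:15:19\t10.0.0.7\tPOST\t/index.php\t" + EMPIRE_USER_AGENT,
])


def parse_tsv_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return
    fields = lines[0].split("\t")
    for line in lines[1:]:
        values = line.split("\t")
        if len(values) != len(fields):
            # Malformed record: skip rather than silently misalign columns.
            continue
        yield dict(zip(fields, values))


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when all three selection fields match.

    Sigma compares plain string values exactly but case-insensitively, so
    every side is lower-cased. A query string or trailing path would make the
    URI differ from the listed values and the record would NOT match."""
    ua = event.get("c-useragent", "").lower()
    uri = event.get("cs-uri", "").lower()
    method = event.get("cs-method", "").lower()
    return (ua == EMPIRE_USER_AGENT.lower()
            and uri in {u.lower() for u in EMPIRE_URIS}
            and method == EMPIRE_METHOD.lower())


def find_matches(text: str) -> List[Dict[str, str]]:
    """Return every record in the log text that satisfies the selection."""
    return [event for event in parse_tsv_log(text) if matches_rule(event)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['c-ip']} "
              f"{hit['cs-method']} {hit['cs-uri']}")
```

Running it reports only the first and fourth records: the GET to `/news.php` fails the method check, the Chrome request fails the user-agent check, and the POST to `/index.php` is not one of the listed URIs. Because the rule uses exact values rather than wildcards, a request such as `/admin/get.php?id=1` also does not match, which is something to keep in mind when judging the rule's coverage against the false-positive note above.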
Related rules
- CobaltStrike Malleable Amazon Browsing Traffic Profile
- Bitsadmin to Uncommon IP Server Address
- Telegram API Access
- Bitsadmin to Uncommon TLD
- CobaltStrike Malformed UAs in Malleable Profiles