HackTool - Empire UserAgent URI Combo
Detects user agent and URI paths used by empire agents
Sigma rule
title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
    - https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-uri:
            - '/admin/get.php'
            - '/news.php'
            - '/login/process.php'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to server scripts of the defined names
level: high
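As an added example (not the Sigma project's code), the Python below applies this rule's selection to a few constructed, tab-separated proxy records that already use the rule's field names; it assumes no backend field mapping is needed and implements Sigma's default semantics for a selection map (AND across keys, OR across list values, case-insensitive exact string match), so a URI with a query string appended does not match.

```python
import csv
import io

# Values copied from the rule's selection.
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_URIS = ("/admin/get.php", "/news.php", "/login/process.php")

# Constructed sample proxy log (assumption: W3C-style field names, tab-separated).
SAMPLE_LOG = (
    "cs-method\tcs-uri\tc-useragent\tc-ip\n"
    "POST\t/admin/get.php\t" + EMPIRE_UA + "\t10.0.0.5\n"          # hit
    "GET\t/admin/get.php\t" + EMPIRE_UA + "\t10.0.0.5\n"           # wrong method
    "POST\t/news.php\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t10.0.0.6\n"  # wrong UA
    "post\t/News.php\t" + EMPIRE_UA.lower() + "\t10.0.0.7\n"       # hit: case-insensitive
    "POST\t/login/process.php?x=1\t" + EMPIRE_UA + "\t10.0.0.8\n"  # no hit: exact match only
)


def _norm(value: str) -> str:
    """Sigma string values compare case-insensitively; trim stray whitespace too."""
    return value.strip().lower()


def matches_empire_rule(record: dict) -> bool:
    """Evaluate the rule's single selection: every key must match (AND),
    and for cs-uri any of the listed values may match (OR)."""
    ua_ok = _norm(record.get("c-useragent", "")) == _norm(EMPIRE_UA)
    uri_ok = _norm(record.get("cs-uri", "")) in {_norm(u) for u in EMPIRE_URIS}
    method_ok = _norm(record.get("cs-method", "")) == "post"
    return ua_ok and uri_ok and method_ok


def scan(log_text: str) -> list:
    """Return the records from a header-led TSV proxy log that trigger the rule."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    return [row for row in reader if matches_empire_rule(row)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("Empire UA/URI combo:", hit["c-ip"], hit["cs-method"], hit["cs-uri"])
```
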
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HTTP Request With Empty User Agent
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy