HackTool - Empire UserAgent URI Combo
Detects user agent and URI paths used by empire agents
Sigma rule
title: HackTool - Empire UserAgent URI Combo
id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
status: test
description: Detects user agent and URI paths used by empire agents
references:
    - https://github.com/BC-SECURITY/Empire
author: Florian Roth (Nextron Systems)
date: 2020-07-13
modified: 2024-02-26
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
        cs-uri:
            - '/admin/get.php'
            - '/news.php'
            - '/login/process.php'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Valid requests with this exact user agent to server scripts of the defined names
level: high
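The selection above is a conjunction of three proxy fields. The following added example (not part of the Sigma project or this rule) applies that logic to constructed, tab-separated proxy records; the record layout, field order and sample values are assumptions, while the user agent and URI list are copied from the rule. Plain Sigma string values compare as whole, case-insensitive strings, which is why a URI carrying a query string is not matched here.

```python
from typing import Dict, Iterable, List, Optional

# Values copied from the Sigma rule above.
EMPIRE_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
EMPIRE_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}

# Constructed proxy log lines (assumed layout: date time, c-ip, cs-method,
# cs-uri, c-useragent, separated by tabs). Not real traffic.
SAMPLE_LOG = (
    "2024-02-26 10:00:01\t10.0.0.5\tPOST\t/admin/get.php\t" + EMPIRE_USER_AGENT + "\n"
    "2024-02-26 10:00:02\t10.0.0.6\tGET\t/news.php\t" + EMPIRE_USER_AGENT + "\n"
    "2024-02-26 10:00:03\t10.0.0.7\tPOST\t/news.php\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\n"
    "2024-02-26 10:00:04\t10.0.0.8\tPOST\t/login/process.php?x=1\t" + EMPIRE_USER_AGENT + "\n"
    "2024-02-26 10:00:05\t10.0.0.9\tPOST\t/login/process.php\t" + EMPIRE_USER_AGENT + "\n"
)


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Split one tab-separated record into the Sigma proxy field names."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None  # malformed record: skip rather than raise
    timestamp, c_ip, method, uri, ua = parts
    return {"timestamp": timestamp, "c-ip": c_ip, "cs-method": method,
            "cs-uri": uri, "c-useragent": ua}


def matches_empire_rule(rec: Dict[str, str]) -> bool:
    """Sigma 'selection': every listed field must match. Unmodified string
    values are whole-string, case-insensitive comparisons (Sigma default), so
    '/login/process.php?x=1' does not match '/login/process.php'."""
    uris = {u.lower() for u in EMPIRE_URIS}
    return (rec["c-useragent"].lower() == EMPIRE_USER_AGENT.lower()
            and rec["cs-uri"].lower() in uris
            and rec["cs-method"].lower() == "post")


def find_empire_beacons(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the records that satisfy the rule's 'condition: selection'."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is not None and matches_empire_rule(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_empire_beacons(SAMPLE_LOG.splitlines()):
        print(hit["timestamp"], hit["c-ip"], hit["cs-method"], hit["cs-uri"])
```

Only the first and last sample lines fire: the GET, the different user agent and the query-string URI each fail one of the three field tests.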
Related rules
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- ComRAT Network Communication
- HTTP Request With Empty User Agent
- HackTool - CobaltStrike Malleable Profile Patterns - Proxy