Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Sigma rule (View on GitHub)
1title: Exploit Framework User Agent
2id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
3status: test
4description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
5references:
6 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
7author: Florian Roth (Nextron Systems)
8date: 2017-07-08
9modified: 2021-11-27
10tags:
11 - attack.command-and-control
12 - attack.t1071.001
13logsource:
14 category: proxy
15detection:
16 selection:
17 c-useragent:
18 # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
19 - 'Internet Explorer *'
20 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
21
22 # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
23 - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
24 - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
25 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
26 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
27 - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
28 - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
29 - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
30 - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
31 - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
32
33 # Metasploit Update by Florian Roth 08.07.2017
34 - 'Mozilla/5.0'
35 - 'Mozilla/4.0 (compatible; SPIPE/1.0'
36 # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
37 # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
38 - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
39 - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
40 - 'X-FORWARDED-FOR'
41 - 'DotDotPwn v2.1'
42 - 'SIPDROID'
43 - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
44
45 # Empire
46 - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
47
48 # Exploits
49 - '*wordpress hash grabber*'
50 - '*exploit*'
51 condition: selection
52fields:
53 - ClientIP
54 - c-uri
55 - c-useragent
56falsepositives:
57 - Unknown
58level: high
References
-
I searched through the Metasploit source code for User Agent Strings (starting with Mozilla/). This is what I found: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla/4.0 (compatible; MSIE…
Read More
Related rules
- APT User Agent
- APT40 Dropbox Tool User Agent
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD
- Chafer Malware URL Pattern