Hack Tool User Agent

calendar Feb 1, 2023 · attack.initial_access attack.t1190 attack.credential_access attack.t1110  ·
Share on: linkedin copy

Detects suspicious user agent strings user by hack tools in proxy logs

Sigma rule (View on GitHub)

 1title: Hack Tool User Agent
 2id: c42a3073-30fb-48ae-8c99-c23ada84b103
 3status: test
 4description: Detects suspicious user agent strings user by hack tools in proxy logs
 5references:
 6    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
 7    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
 8author: Florian Roth (Nextron Systems)
 9date: 2017/07/08
10modified: 2022/07/07
11tags:
12    - attack.initial_access
13    - attack.t1190
14    - attack.credential_access
15    - attack.t1110
16logsource:
17    category: proxy
18detection:
19    selection:
20        c-useragent|contains:
21            # Vulnerability scanner and brute force tools
22            - '(hydra)'
23            - ' arachni/'
24            - ' BFAC '
25            - ' brutus '
26            - ' cgichk '
27            - 'core-project/1.0'
28            - ' crimscanner/'
29            - 'datacha0s'
30            - 'dirbuster'
31            - 'domino hunter'
32            - 'dotdotpwn'
33            - 'FHScan Core'
34            - 'floodgate'
35            - 'get-minimal'
36            - 'gootkit auto-rooter scanner'
37            - 'grendel-scan'
38            - ' inspath '
39            - 'internet ninja'
40            - 'jaascois'
41            - ' zmeu '
42            - 'masscan'
43            - ' metis '
44            - 'morfeus fucking scanner'
45            - 'n-stealth'
46            - 'nsauditor'
47            - 'pmafind'
48            - 'security scan'
49            - 'springenwerk'
50            - 'teh forest lobster'
51            - 'toata dragostea'
52            - ' vega/'
53            - 'voideye'
54            - 'webshag'
55            - 'webvulnscan'
56            - ' whcc/'
57            # SQL Injection
58            - ' Havij'
59            - 'absinthe'
60            - 'bsqlbf'
61            - 'mysqloit'
62            - 'pangolin'
63            - 'sql power injector'
64            - 'sqlmap'
65            - 'sqlninja'
66            - 'uil2pn'
67            # Hack tool
68            - 'ruler'  # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
69            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'  # SQLi Dumper
70    condition: selection
71fields:
72    - ClientIP
73    - c-uri
74    - c-useragent
75falsepositives:
76    - Unknown
77level: high

References

Related rules

to-top