Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Sigma rule
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
    - https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
    - https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
    - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022/07/19
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-user-agent|contains:
            # Add more tools as you see fit
            - 'Wfuzz/'
            - 'WPScan v'
            - 'Recon-ng/v'
            - 'GIS - AppSec Team - Project Vision'
    condition: selection
falsepositives:
    - Unknown
level: medium
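To show what the selection above actually does against real log material, here is an added example (not part of the rule or of the SigmaHQ project) that applies the `cs-user-agent|contains` list to web server log lines in W3C extended format, the layout IIS writes with a `#Fields:` directive naming the columns. It assumes the user-agent column is named `cs(User-Agent)` and that spaces inside a field are encoded as `+`, as IIS does. The log lines, IP addresses and tool version strings are constructed for the example; the matching is case-insensitive because Sigma string matching is case-insensitive by default.

```python
"""Apply the 'Suspicious User-Agents Related To Recon Tools' selection to
W3C extended web server log lines (IIS layout with a #Fields directive).
Added example; sample log content below is constructed, not captured."""
from dataclasses import dataclass

# Substrings from the rule's cs-user-agent|contains list.
RECON_UA_MARKERS = (
    "Wfuzz/",
    "WPScan v",
    "Recon-ng/v",
    "GIS - AppSec Team - Project Vision",
)

# Constructed sample log (documentation-range IPs, made-up version numbers).
# IIS writes '+' for spaces inside a field, so user-agents contain no spaces here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-01-02 10:00:01 203.0.113.5 GET /index.html 200 Mozilla/5.0+(Windows+NT+10.0)+Firefox/108.0
2023-01-02 10:00:02 198.51.100.7 GET /wp-login.php 200 WPScan+v3.8.22+(https://wpscan.com/wordpress-security-scanner)
2023-01-02 10:00:03 198.51.100.8 GET /admin 404 Wfuzz/3.1.0
2023-01-02 10:00:04 203.0.113.9 GET /robots.txt 200 Recon-ng/v5.1.2
2023-01-02 10:00:05 203.0.113.10 GET /about 200 curl/7.88.1
"""


@dataclass
class Hit:
    line_no: int     # 1-based line in the log text
    client_ip: str   # c-ip column
    user_agent: str  # decoded cs(User-Agent) value
    marker: str      # which rule substring matched


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the #Fields header."""
    fields = None
    for no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count/log this
        yield no, dict(zip(fields, values))


def match_user_agent(ua):
    """Sigma 'contains' is case-insensitive: return the first marker found, else None."""
    ua_lower = ua.lower()
    for marker in RECON_UA_MARKERS:
        if marker.lower() in ua_lower:
            return marker
    return None


def scan(text):
    """Return a Hit for every record whose user-agent matches the selection."""
    hits = []
    for no, rec in parse_w3c(text):
        ua = rec.get("cs(User-Agent)", "-").replace("+", " ")  # undo IIS space encoding
        marker = match_user_agent(ua)
        if marker:
            hits.append(Hit(no, rec.get("c-ip", "-"), ua, marker))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client_ip} matched {h.marker!r} in UA {h.user_agent!r}")
```

Because these are default user-agent strings, the rule only catches operators who did not change them; the `# Add more tools as you see fit` comment in the rule is the place to extend `RECON_UA_MARKERS` with further defaults observed in your own logs, and the `falsepositives: Unknown` entry is a reminder that internal appsec scanning (the "GIS - AppSec Team" entry is one such scanner) should be excluded by source address rather than by dropping the marker.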
Related rules
- Apache Spark Shell Command Injection - Weblogs
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2021-41773 Exploitation Attempt
- CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
- CVE-2022-31659 VMware Workspace ONE Access RCE