← Back to Explore
sigmamediumHunting
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Detection Query
selection:
cs-user-agent|contains:
- commix/
- feroxbuster/
- Fuzz Faster U Fool
- GIS - AppSec Team - Project Vision
- gobuster/
- Nikto/
- Nmap Scripting Engine
- Recon-ng/v
- sqlmap/
- WhatWeb/
- Wfuzz/
- WPScan v
- zgrab/
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems), Tim Shelton
Created
2022-07-19
Data Sources
webserver
References
- https://github.com/commixproject/commix/blob/c7f1447371524427bb30abe731235acc7386153b/src/utils/settings.py#L281
- https://github.com/epi052/feroxbuster/blob/ffdf871abe0a358a1531ba4135e208d4dbe8fc31/src/config/utils.rs#L100
- https://github.com/ffuf/ffuf/blob/ce3cf6bd733a24d3a9f024305234c1a6298198eb/pkg/runner/simple.go#L130
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
- https://github.com/nmap/nmap/blob/2e47fa87469fd358ef64689d2d2de7294e385eb8/nselib/http.lua#L160
- https://github.com/OJ/gobuster/blob/d20300cc46096984565e82fb73a45bf8d281b990/libgobuster/helpers.go#L124
- https://github.com/sqlmapproject/sqlmap/blob/be216041e2f255ae43b050d466bd5bf92681e665/lib/core/settings.py#L29
- https://github.com/sullo/nikto/blob/999670cb6a939b6c93840ce666941756e4c5dcf5/program/plugins/nikto_core.plugin#L3515
- https://github.com/urbanadventurer/WhatWeb/blob/d279d93042d034f3fd29d5a893d44ccc0595d3f8/lib/whatweb.rb#L68
- https://github.com/wpscanteam/wpscan/blob/4f1ce142b9768044be3e35bd0cddf1052e35efe8/lib/wpscan/browser.rb#L32
- https://github.com/xmendez/wfuzz/blob/2263cd0932fef333118cd197656f709141bab615/src/wfuzz/facade.py#L43
- https://github.com/zmap/zgrab2/blob/e91fc9860ca6611eb7c6fe7d2fe2be70212a37ba/modules/http/scanner.go#L54
Tags
attack.initial-accessattack.t1190
Raw Content
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
- https://github.com/commixproject/commix/blob/c7f1447371524427bb30abe731235acc7386153b/src/utils/settings.py#L281
- https://github.com/epi052/feroxbuster/blob/ffdf871abe0a358a1531ba4135e208d4dbe8fc31/src/config/utils.rs#L100
- https://github.com/ffuf/ffuf/blob/ce3cf6bd733a24d3a9f024305234c1a6298198eb/pkg/runner/simple.go#L130
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
- https://github.com/nmap/nmap/blob/2e47fa87469fd358ef64689d2d2de7294e385eb8/nselib/http.lua#L160
- https://github.com/OJ/gobuster/blob/d20300cc46096984565e82fb73a45bf8d281b990/libgobuster/helpers.go#L124
- https://github.com/sqlmapproject/sqlmap/blob/be216041e2f255ae43b050d466bd5bf92681e665/lib/core/settings.py#L29
- https://github.com/sullo/nikto/blob/999670cb6a939b6c93840ce666941756e4c5dcf5/program/plugins/nikto_core.plugin#L3515
- https://github.com/urbanadventurer/WhatWeb/blob/d279d93042d034f3fd29d5a893d44ccc0595d3f8/lib/whatweb.rb#L68
- https://github.com/wpscanteam/wpscan/blob/4f1ce142b9768044be3e35bd0cddf1052e35efe8/lib/wpscan/browser.rb#L32
- https://github.com/xmendez/wfuzz/blob/2263cd0932fef333118cd197656f709141bab615/src/wfuzz/facade.py#L43
- https://github.com/zmap/zgrab2/blob/e91fc9860ca6611eb7c6fe7d2fe2be70212a37ba/modules/http/scanner.go#L54
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2026-06-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-user-agent|contains:
# Add more tools as you see fit
- 'commix/'
- 'feroxbuster/'
- 'Fuzz Faster U Fool'
- 'GIS - AppSec Team - Project Vision'
- 'gobuster/'
- 'Nikto/'
- 'Nmap Scripting Engine'
- 'Recon-ng/v'
- 'sqlmap/'
- 'WhatWeb/'
- 'Wfuzz/'
- 'WPScan v'
- 'zgrab/'
condition: selection
falsepositives:
- Unknown
level: medium