EXPLORE
← Back to Explore
sigmamediumHunting

Suspicious User-Agents Related To Recon Tools

Detects known suspicious (default) user-agents related to scanning/recon tools

MITRE ATT&CK

initial-access

Detection Query

selection:
  cs-user-agent|contains:
    - commix/
    - feroxbuster/
    - Fuzz Faster U Fool
    - GIS - AppSec Team - Project Vision
    - gobuster/
    - Nikto/
    - Nmap Scripting Engine
    - Recon-ng/v
    - sqlmap/
    - WhatWeb/
    - Wfuzz/
    - WPScan v
    - zgrab/
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems), Tim Shelton

Created

2022-07-19

Data Sources

webserver

Tags

attack.initial-accessattack.t1190
Raw Content
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
    - https://github.com/commixproject/commix/blob/c7f1447371524427bb30abe731235acc7386153b/src/utils/settings.py#L281
    - https://github.com/epi052/feroxbuster/blob/ffdf871abe0a358a1531ba4135e208d4dbe8fc31/src/config/utils.rs#L100
    - https://github.com/ffuf/ffuf/blob/ce3cf6bd733a24d3a9f024305234c1a6298198eb/pkg/runner/simple.go#L130
    - https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
    - https://github.com/nmap/nmap/blob/2e47fa87469fd358ef64689d2d2de7294e385eb8/nselib/http.lua#L160
    - https://github.com/OJ/gobuster/blob/d20300cc46096984565e82fb73a45bf8d281b990/libgobuster/helpers.go#L124
    - https://github.com/sqlmapproject/sqlmap/blob/be216041e2f255ae43b050d466bd5bf92681e665/lib/core/settings.py#L29
    - https://github.com/sullo/nikto/blob/999670cb6a939b6c93840ce666941756e4c5dcf5/program/plugins/nikto_core.plugin#L3515
    - https://github.com/urbanadventurer/WhatWeb/blob/d279d93042d034f3fd29d5a893d44ccc0595d3f8/lib/whatweb.rb#L68
    - https://github.com/wpscanteam/wpscan/blob/4f1ce142b9768044be3e35bd0cddf1052e35efe8/lib/wpscan/browser.rb#L32
    - https://github.com/xmendez/wfuzz/blob/2263cd0932fef333118cd197656f709141bab615/src/wfuzz/facade.py#L43
    - https://github.com/zmap/zgrab2/blob/e91fc9860ca6611eb7c6fe7d2fe2be70212a37ba/modules/http/scanner.go#L54
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2026-06-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-user-agent|contains:
            # Add more tools as you see fit
            - 'commix/'
            - 'feroxbuster/'
            - 'Fuzz Faster U Fool'
            - 'GIS - AppSec Team - Project Vision'
            - 'gobuster/'
            - 'Nikto/'
            - 'Nmap Scripting Engine'
            - 'Recon-ng/v'
            - 'sqlmap/'
            - 'WhatWeb/'
            - 'Wfuzz/'
            - 'WPScan v'
            - 'zgrab/'
    condition: selection
falsepositives:
    - Unknown
level: medium