Hack Tool User Agent
Detects suspicious user agent strings used by hack tools in proxy logs
Detection Query
selection:
    c-useragent|contains:
        - (hydra)
        - " arachni/"
        - " BFAC "
        - " brutus "
        - " cgichk "
        - core-project/1.0
        - " crimscanner/"
        - datacha0s
        - dirbuster
        - domino hunter
        - dotdotpwn
        - FHScan Core
        - floodgate
        - get-minimal
        - gootkit auto-rooter scanner
        - grendel-scan
        - " inspath "
        - internet ninja
        - jaascois
        - " zmeu "
        - masscan
        - " metis "
        - morfeus fucking scanner
        - n-stealth
        - nsauditor
        - pmafind
        - security scan
        - springenwerk
        - teh forest lobster
        - toata dragostea
        - " vega/"
        - voideye
        - webshag
        - webvulnscan
        - " whcc/"
        - " Havij"
        - absinthe
        - bsqlbf
        - mysqloit
        - pangolin
        - sql power injector
        - sqlmap
        - sqlninja
        - uil2pn
        - ruler
        - "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2017-07-08
Data Sources
proxy
References
https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
Tags
attack.initial-access
attack.t1190
attack.credential-access
attack.t1110
Raw Content
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings used by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high
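The following Python is an added example, not part of the Sigma rule or of the page: it evaluates the rule's single `c-useragent|contains` selection over a few constructed proxy log lines so the matching semantics can be checked before the rule is deployed to a real backend. It assumes a tab-separated W3C-style proxy log layout (date, time, c-ip, cs-uri, c-useragent); the log lines, IP addresses and user agent strings are constructed for the example. Two properties of the rule are worth seeing in action: Sigma string matching is case-insensitive unless the `cased` modifier is used, so `Masscan/1.3` still fires on `masscan`, and the patterns written with surrounding spaces (`' BFAC '`, `' metis '`, `' Havij'`) only fire when the token stands alone, which is what keeps a product name such as `Hermetis` from tripping the `metis` entry.

```python
"""Added example: evaluate the Hack Tool User Agent selection over proxy log lines.

This is not the rule's own code and not a Sigma backend; it mirrors the
`contains` modifier (substring, case-insensitive) for one OR-list of values.
"""
import csv
import io

# Values copied from the rule's c-useragent|contains list, in rule order.
HACK_TOOL_UA_PATTERNS = [
    "(hydra)", " arachni/", " BFAC ", " brutus ", " cgichk ", "core-project/1.0",
    " crimscanner/", "datacha0s", "dirbuster", "domino hunter", "dotdotpwn",
    "FHScan Core", "floodgate", "get-minimal", "gootkit auto-rooter scanner",
    "grendel-scan", " inspath ", "internet ninja", "jaascois", " zmeu ", "masscan",
    " metis ", "morfeus fucking scanner", "n-stealth", "nsauditor", "pmafind",
    "security scan", "springenwerk", "teh forest lobster", "toata dragostea",
    " vega/", "voideye", "webshag", "webvulnscan", " whcc/",
    " Havij", "absinthe", "bsqlbf", "mysqloit", "pangolin", "sql power injector",
    "sqlmap", "sqlninja", "uil2pn",
    "ruler",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 "
    "Firefox/3.5.2 (.NET CLR 3.5.30729)",
]


def match_user_agent(user_agent: str):
    """Return the first rule value contained in `user_agent`, or None.

    Sigma `contains` is a case-insensitive substring test, so both sides are
    lower-cased; the returned value keeps the rule's original spelling so an
    alert can say which entry fired.
    """
    ua = user_agent.lower()
    for pattern in HACK_TOOL_UA_PATTERNS:
        if pattern.lower() in ua:
            return pattern
    return None


# Constructed sample log (assumed layout: date, time, c-ip, cs-uri, c-useragent,
# tab-separated). None of these lines is real traffic.
SAMPLE_PROXY_LOG = (
    "2024-01-01\t10:00:01\t10.0.0.5\thttp://intranet.example/\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\n"
    "2024-01-01\t10:00:02\t10.0.0.6\thttp://intranet.example/login\t"
    "sqlmap/1.7 (https://sqlmap.org)\n"
    "2024-01-01\t10:00:03\t10.0.0.7\thttp://intranet.example/\t"
    "Mozilla/5.0 BFAC v2\n"
    "2024-01-01\t10:00:04\t10.0.0.8\thttp://intranet.example/\t"
    "Mozilla/5.0 (compatible; Hermetis/1.0)\n"
    "2024-01-01\t10:00:05\t10.0.0.9\thttp://intranet.example/\t"
    "Masscan/1.3 (https://github.com/robertdavidgraham/masscan)\n"
)


def scan_proxy_log(log_text: str):
    """Return (c-ip, c-useragent, matched value) for every line the rule fires on."""
    hits = []
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 5:
            continue  # malformed line: skip rather than abort the whole scan
        c_ip, user_agent = row[2], row[4]
        pattern = match_user_agent(user_agent)
        if pattern is not None:
            hits.append((c_ip, user_agent, pattern))
    return hits


if __name__ == "__main__":
    for c_ip, ua, pattern in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{c_ip}\tmatched {pattern!r}\t{ua}")
```

Running it reports the `sqlmap`, `BFAC` and `Masscan` lines and leaves the `Hermetis` line alone. Because the rule's `falsepositives` field is `Unknown`, tallying which entry fired (the third tuple element) over a day of real proxy data is a quick way to find any generic value, such as `security scan`, that needs an exclusion in a given environment.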