Detection | medium | experimental

Potential Hello-World Scraper Botnet Activity

Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.

Joseph A. M. | Created Sat Aug 02 | 1712bafe-be05-4a0e-89d4-17a3ed151bf5 | web
Log Source
Category: Proxy Log (raw: proxy)
Detection Logic (1 selector)
detection:
    selection:
        c-useragent: 'Hello-World/1.0'
        cs-method: 'GET'
    condition: selection
False Positives

Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.

Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.
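
One way to evaluate this selection over parsed proxy records while applying the source-IP filtering suggested above, as an added example that is not part of the rule or its repository. The `c-ip` client-address field, the `EXPECTED_SOURCES` range and the helper names are assumptions, and the sample records are constructed.

```python
import ipaddress

# Selection from the rule: every field must match (logical AND).
SELECTION = {"c-useragent": "Hello-World/1.0", "cs-method": "GET"}

# Assumption: sources where this user agent is expected (e.g. an internal test range).
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records, already parsed into field/value pairs.
SAMPLE_RECORDS = [
    {"c-ip": "203.0.113.7", "cs-method": "GET", "c-useragent": "Hello-World/1.0", "c-uri": "/"},
    {"c-ip": "203.0.113.7", "cs-method": "POST", "c-useragent": "Hello-World/1.0", "c-uri": "/login"},
    {"c-ip": "198.51.100.9", "cs-method": "get", "c-useragent": "hello-world/1.0", "c-uri": "/robots.txt"},
    {"c-ip": "198.51.100.9", "cs-method": "GET", "c-useragent": "Hello-World/1.0 (compatible)", "c-uri": "/"},
    {"c-ip": "10.20.0.15", "cs-method": "GET", "c-useragent": "Hello-World/1.0", "c-uri": "/health"},
    {"c-ip": "192.0.2.44", "cs-method": "GET", "c-useragent": "Mozilla/5.0", "c-uri": "/"},
]


def matches_selection(record):
    """Plain Sigma string values match exactly and case-insensitively; a missing field never matches."""
    for field, expected in SELECTION.items():
        value = record.get(field)
        if value is None or str(value).lower() != expected.lower():
            return False
    return True


def is_expected_source(record):
    """True when the client address falls inside a range where this user agent is expected."""
    try:
        addr = ipaddress.ip_address(record.get("c-ip", ""))
    except ValueError:
        return False  # unparsable or missing address: do not suppress the alert
    return any(addr in net for net in EXPECTED_SOURCES)


def detect(records):
    """Return records that hit the selection and are not from an expected source."""
    return [r for r in records if matches_selection(r) and not is_expected_source(r)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(hit["c-ip"], hit["cs-method"], hit["c-uri"])
```

The record with the longer user agent is not reported because the rule value carries no wildcard, and the POST request is excluded by the `cs-method` condition.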

Rule Metadata
Rule ID
1712bafe-be05-4a0e-89d4-17a3ed151bf5
Status
experimental
Level
medium
Type
Detection
Created
Sat Aug 02
Path
rules/web/proxy_generic/proxy_hello_world_user_agent.yml
Raw Tags
attack.reconnaissance, attack.t1595