Detectionmediumtest
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), Tim SheltonCreated Tue Jul 19Updated Mon Jan 0219aa4f58-94ca-45ff-bc34-92e533c0994aweb
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver
HTTP access logs from web servers capturing request paths, methods, and status codes.
Detection Logic
Detection Logic1 selector
detection:
selection:
cs-user-agent|contains:
# Add more tools as you see fit
- 'Wfuzz/'
- 'WPScan v'
- 'Recon-ng/v'
- 'GIS - AppSec Team - Project Vision'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
19aa4f58-94ca-45ff-bc34-92e533c0994a
Status
test
Level
medium
Type
Detection
Created
Tue Jul 19
Modified
Mon Jan 02
Path
rules/web/webserver_generic/web_susp_useragents.yml
Raw Tags
attack.initial-accessattack.t1190