Detectionhightest
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems)Created Sat Jul 08Updated Thu Jul 07c42a3073-30fb-48ae-8c99-c23ada84b103web
Log Source
Proxy Log
CategoryProxy Log← raw: proxy
Detection Logic
Detection Logic1 selector
detection:
selection:
c-useragent|contains:
# Vulnerability scanner and brute force tools
- '(hydra)'
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- 'core-project/1.0'
- ' crimscanner/'
- 'datacha0s'
- 'dirbuster'
- 'domino hunter'
- 'dotdotpwn'
- 'FHScan Core'
- 'floodgate'
- 'get-minimal'
- 'gootkit auto-rooter scanner'
- 'grendel-scan'
- ' inspath '
- 'internet ninja'
- 'jaascois'
- ' zmeu '
- 'masscan'
- ' metis '
- 'morfeus fucking scanner'
- 'n-stealth'
- 'nsauditor'
- 'pmafind'
- 'security scan'
- 'springenwerk'
- 'teh forest lobster'
- 'toata dragostea'
- ' vega/'
- 'voideye'
- 'webshag'
- 'webvulnscan'
- ' whcc/'
# SQL Injection
- ' Havij'
- 'absinthe'
- 'bsqlbf'
- 'mysqloit'
- 'pangolin'
- 'sql power injector'
- 'sqlmap'
- 'sqlninja'
- 'uil2pn'
# Hack tool
- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
c42a3073-30fb-48ae-8c99-c23ada84b103
Status
test
Level
high
Type
Detection
Created
Sat Jul 08
Modified
Thu Jul 07
Path
rules/web/proxy_generic/proxy_ua_hacktool.yml
Raw Tags
attack.initial-accessattack.t1190attack.credential-accessattack.t1110