Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Sat Jul 08Updated Sat Jan 18fdd1bfb5-f60b-4a35-910e-f36ed3d0b32fweb
Log Source
Proxy Log
CategoryProxy Log← raw: proxy
Detection Logic
Detection Logic1 selector
detection:
    selection:
        c-useragent:
        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
            - 'Internet Explorer *'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/

        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads

        # Metasploit Update by Florian Roth 08.07.2017
            - 'Mozilla/5.0'
            - 'Mozilla/4.0 (compatible; SPIPE/1.0'
        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected
        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected
            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
            - 'X-FORWARDED-FOR'
            - 'DotDotPwn v2.1'
            - 'SIPDROID'
            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

        # Empire
            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0'

        # Exploits
            - '*wordpress hash grabber*'
            - '*exploit*'

        # Havoc
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36'  # https://github.com/HavocFramework/Havoc/issues/519
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
blog.didierstevens.com
MITRE ATT&CK
Rule Metadata
Rule ID
fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
Status
test
Level
high
Type
Detection
Created
Sat Jul 08
Modified
Sat Jan 18
Author
Florian Roth (Nextron Systems)
Path
rules/web/proxy_generic/proxy_ua_frameworks.yml
Raw Tags
attack.command-and-controlattack.t1071.001
View on GitHub