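title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: experimental
description: Detects suspicious user agent strings used by hack tools in proxy logs
author: Florian Roth
date: 2017/07/08
modified: 2020/09/03
references:
  - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
logsource:
  category: proxy
detection:
  # Sigma string values match case-insensitively and '*' stands for any run
  # of characters. The values listed under one field are OR-ed, so a single
  # hit on c-useragent is enough to fire the rule. Patterns of the form
  # '* name *' use the surrounding spaces as word boundaries so that the
  # token is not matched inside an unrelated product string; values without
  # any '*' (for example 'FHScan Core' or 'ruler') are whole-value matches.
  selection:
    c-useragent:
      # Vulnerability scanner and brute force tools
      - '*(hydra)*'
      - '* arachni/*'
      - '* BFAC *'
      - '* brutus *'
      - '* cgichk *'
      - '*core-project/1.0*'
      - '* crimscanner/*'
      - '*datacha0s*'
      - '*dirbuster*'
      - '*domino hunter*'
      - '*dotdotpwn*'
      - 'FHScan Core'
      - '*floodgate*'
      - '*get-minimal*'
      - '*gootkit auto-rooter scanner*'
      - '*grendel-scan*'
      - '* inspath *'
      - '*internet ninja*'
      - '*jaascois*'
      - '* zmeu *'
      - '*masscan*'
      - '* metis *'
      - '*morfeus fucking scanner*'
      - '*n-stealth*'
      - '*nsauditor*'
      - '*pmafind*'
      - '*security scan*'
      - '*springenwerk*'
      - '*teh forest lobster*'
      - '*toata dragostea*'
      - '* vega/*'
      - '*voideye*'
      - '*webshag*'
      - '*webvulnscan*'
      - '* whcc/*'
      # SQL Injection
      - '* Havij'
      - '*absinthe*'
      - '*bsqlbf*'
      - '*mysqloit*'
      - '*pangolin*'
      - '*sql power injector*'
      - '*sqlmap*'
      - '*sqlninja*'
      - '*uil2pn*'
      # Hack tool
      # Ruler: https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
      - 'ruler'
      # SQLi Dumper. This is a whole-value match on the tool's hard-coded
      # browser-like UA, so it is precise but will miss builds that change it.
      - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
  condition: selection
# Fields to surface alongside a hit so the analyst sees the source host,
# the requested URI and the offending user agent without a second query.
fields:
  - ClientIP
  - c-uri
  - c-useragent
falsepositives:
  - Unknown
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - attack.credential_access
  - attack.t1110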