rules/proxy/proxy_ua_hacktool.yml

title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
author: Florian Roth
references:
  - https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb
  - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
date: 2017/07/08
modified: 2021/11/27
logsource:
  category: proxy
detection:
  selection:
    c-useragent|contains:
            # Vulnerability scanner and brute force tools
      - '(hydra)'
      - ' arachni/'
      - ' BFAC '
      - ' brutus '
      - ' cgichk '
      - 'core-project/1.0'
      - ' crimscanner/'
      - 'datacha0s'
      - 'dirbuster'
      - 'domino hunter'
      - 'dotdotpwn'
      - 'FHScan Core'
      - 'floodgate'
      - 'get-minimal'
      - 'gootkit auto-rooter scanner'
      - 'grendel-scan'
      - ' inspath '
      - 'internet ninja'
      - 'jaascois'
      - ' zmeu '
      - 'masscan'
      - ' metis '
      - 'morfeus fucking scanner'
      - 'n-stealth'
      - 'nsauditor'
      - 'pmafind'
      - 'security scan'
      - 'springenwerk'
      - 'teh forest lobster'
      - 'toata dragostea'
      - ' vega/'
      - 'voideye'
      - 'webshag'
      - 'webvulnscan'
      - ' whcc/'

            # SQL Injection
      - ' Havij'
      - 'absinthe'
      - 'bsqlbf'
      - 'mysqloit'
      - 'pangolin'
      - 'sql power injector'
      - 'sqlmap'
      - 'sqlninja'
      - 'uil2pn'

            # Hack tool
      - 'ruler'        # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
      - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'        # SQLi Dumper
  condition: selection
fields:
  - ClientIP
  - c-uri
  - c-useragent
falsepositives:
  - Unknown
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - attack.credential_access
  - attack.t1110
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`title: Hack Tool User Agent`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: c42a3073-30fb-48ae-8c99-c23ada84b103`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`description: Detects suspicious user agent strings user by hack tools in proxy logs`
			`author: Florian Roth`
Second round 2020-09-15 07:02:30 -06:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- https://github.com/fastly/waf_testbed/blob/master/templates/default/scanners-user-agents.data.erb`
			`- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules`
			`date: 2017/07/08`
			`modified: 2021/11/27`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`category: proxy`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`c-useragent\|contains:`
Spelling Errors on Rules 2021-08-18 18:58:20 +00:00			`# Vulnerability scanner and brute force tools`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- '(hydra)'`
			`- ' arachni/'`
			`- ' BFAC '`
			`- ' brutus '`
			`- ' cgichk '`
			`- 'core-project/1.0'`
			`- ' crimscanner/'`
			`- 'datacha0s'`
			`- 'dirbuster'`
			`- 'domino hunter'`
			`- 'dotdotpwn'`
			`- 'FHScan Core'`
			`- 'floodgate'`
			`- 'get-minimal'`
			`- 'gootkit auto-rooter scanner'`
			`- 'grendel-scan'`
			`- ' inspath '`
			`- 'internet ninja'`
			`- 'jaascois'`
			`- ' zmeu '`
			`- 'masscan'`
			`- ' metis '`
			`- 'morfeus fucking scanner'`
			`- 'n-stealth'`
			`- 'nsauditor'`
			`- 'pmafind'`
			`- 'security scan'`
			`- 'springenwerk'`
			`- 'teh forest lobster'`
			`- 'toata dragostea'`
			`- ' vega/'`
			`- 'voideye'`
			`- 'webshag'`
			`- 'webvulnscan'`
			`- ' whcc/'`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00
Merge branch 'oscd' 2021-03-02 22:48:55 +03:00			`# SQL Injection`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- ' Havij'`
			`- 'absinthe'`
			`- 'bsqlbf'`
			`- 'mysqloit'`
			`- 'pangolin'`
			`- 'sql power injector'`
			`- 'sqlmap'`
			`- 'sqlninja'`
			`- 'uil2pn'`
'ruler' User Agent 2017-07-22 09:24:45 -06:00
Merge branch 'oscd' 2021-03-02 22:48:55 +03:00			`# Hack tool`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/`
			`- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper`
			`condition: selection`
Added field names to first rules 2017-09-12 23:54:04 +02:00			`fields:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- ClientIP`
			`- c-uri`
			`- c-useragent`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Unknown`
User-Agent rules split up in separate files 2017-07-08 09:59:05 -06:00			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.initial_access`
			`- attack.t1190`
			`- attack.credential_access`
			`- attack.t1110`