2022-07-19 16:26:28 +01:00
|
|
|
title: Suspicious User-Agents Related To Recon Tools
|
|
|
|
|
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
|
|
|
|
|
status: experimental
|
|
|
|
|
description: Detects known suspicious (default) user-agents related to scanning/recon tools
|
2022-10-25 10:08:58 +02:00
|
|
|
references:
|
|
|
|
|
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
|
|
|
|
|
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
|
|
|
|
|
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
|
2023-02-01 11:14:59 +01:00
|
|
|
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
|
2022-07-19 16:26:28 +01:00
|
|
|
date: 2022/07/19
|
2023-01-02 16:39:55 +01:00
|
|
|
modified: 2023/01/02
|
2022-07-19 16:26:28 +01:00
|
|
|
tags:
|
|
|
|
|
- attack.initial_access
|
|
|
|
|
- attack.t1190
|
|
|
|
|
logsource:
|
|
|
|
|
category: webserver
|
|
|
|
|
detection:
|
|
|
|
|
selection:
|
2023-01-02 16:39:55 +01:00
|
|
|
cs-user-agent|contains:
|
2022-07-19 16:26:28 +01:00
|
|
|
# Add more tools as you see fit
|
|
|
|
|
- 'Wfuzz/'
|
|
|
|
|
- 'WPScan v'
|
|
|
|
|
- 'Recon-ng/v'
|
2022-07-21 19:28:10 +00:00
|
|
|
- 'GIS - AppSec Team - Project Vision'
|
2022-07-19 16:26:28 +01:00
|
|
|
condition: selection
|
|
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
2022-07-20 14:21:41 +02:00
|
|
|
level: medium
|
