2017-07-08 09:59:05 -06:00
|
|
|
title: Exploit Framework User Agent
|
2019-11-12 23:12:27 +01:00
|
|
|
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2021-02-24 14:43:13 +00:00
|
|
|
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
|
2017-07-08 09:59:05 -06:00
|
|
|
author: Florian Roth
|
2020-09-15 07:02:30 -06:00
|
|
|
references:
|
2021-11-27 11:33:14 +01:00
|
|
|
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
|
|
|
|
|
date: 2017/07/08
|
|
|
|
|
modified: 2021/11/27
|
2017-07-08 09:59:05 -06:00
|
|
|
logsource:
|
2021-11-27 11:33:14 +01:00
|
|
|
category: proxy
|
2017-07-08 09:59:05 -06:00
|
|
|
detection:
|
2021-11-27 11:33:14 +01:00
|
|
|
selection:
|
|
|
|
|
c-useragent:
|
2017-07-08 09:59:05 -06:00
|
|
|
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
|
2021-11-27 11:33:14 +01:00
|
|
|
- 'Internet Explorer *'
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://goo.gl/f4H5Ez
|
2017-07-08 09:59:05 -06:00
|
|
|
|
|
|
|
|
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
|
2021-11-27 11:33:14 +01:00
|
|
|
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
|
|
|
|
|
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
|
|
|
|
|
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
|
|
|
|
|
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
|
|
|
|
|
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
|
2017-07-08 09:59:05 -06:00
|
|
|
|
|
|
|
|
# Metasploit Update by Florian Roth 08.07.2017
|
2021-11-27 11:33:14 +01:00
|
|
|
- 'Mozilla/5.0'
|
|
|
|
|
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
|
2017-07-08 09:59:05 -06:00
|
|
|
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
|
|
|
|
|
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
|
2021-11-27 11:33:14 +01:00
|
|
|
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
|
|
|
|
|
- 'Sametime Community Agent' # Unknown if prone to false positives - used in https://goo.gl/gHZkeR
|
|
|
|
|
- 'X-FORWARDED-FOR'
|
|
|
|
|
- 'DotDotPwn v2.1'
|
|
|
|
|
- 'SIPDROID'
|
|
|
|
|
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
|
2017-07-08 09:59:05 -06:00
|
|
|
|
2019-12-12 09:39:28 +01:00
|
|
|
# Empire
|
2021-11-27 11:33:14 +01:00
|
|
|
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
|
2019-12-12 09:39:28 +01:00
|
|
|
|
2017-07-08 09:59:05 -06:00
|
|
|
# Exploits
|
2021-11-27 11:33:14 +01:00
|
|
|
- '*wordpress hash grabber*'
|
|
|
|
|
- '*exploit*'
|
|
|
|
|
condition: selection
|
2017-09-12 23:54:04 +02:00
|
|
|
fields:
|
2021-11-27 11:33:14 +01:00
|
|
|
- ClientIP
|
|
|
|
|
- c-uri
|
|
|
|
|
- c-useragent
|
2017-07-08 09:59:05 -06:00
|
|
|
falsepositives:
|
2021-11-27 11:33:14 +01:00
|
|
|
- Unknown
|
2017-07-08 09:59:05 -06:00
|
|
|
level: high
|
2020-09-15 07:02:30 -06:00
|
|
|
tags:
|
2021-11-27 11:33:14 +01:00
|
|
|
- attack.command_and_control
|
|
|
|
|
- attack.t1071.001
|
