From 961753afb084f2f94afdc5ed5af2715fd9071d02 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 19 Jan 2025 21:42:40 +0100
Subject: [PATCH] Merge PR #5164 from @Neo23x0 - Update `Exploit Framework User Agent` update: Exploit Framework User Agent - Add default Havoc C2 UA
---
 rules/web/proxy_generic/proxy_ua_frameworks.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/web/proxy_generic/proxy_ua_frameworks.yml b/rules/web/proxy_generic/proxy_ua_frameworks.yml
index c6b89bc3f..88bf367aa 100644
--- a/rules/web/proxy_generic/proxy_ua_frameworks.yml
+++ b/rules/web/proxy_generic/proxy_ua_frameworks.yml
@@ -6,7 +6,7 @@ references:
 - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
 author: Florian Roth (Nextron Systems)
 date: 2017-07-08
-modified: 2021-11-27
+modified: 2025-01-18
 tags:
 - attack.command-and-control
 - attack.t1071.001
@@ -48,6 +48,9 @@ detection:
 # Exploits
 - '*wordpress hash grabber*'
 - '*exploit*'
+
+ # Havoc
+ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
 condition: selection
 fields:
 - ClientIP
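Review bot: The value added under `# Havoc` in the second hunk is a complete, well-formed Chrome 96 on Windows 7 (WOW64) user agent matched as an exact string, so unlike the tool-specific markers above it (`*wordpress hash grabber*`, `*exploit*`) it will also fire on any genuine legacy browser that sends the same header. The rule's `falsepositives` and `level` fields are outside both hunks, so it is not visible whether they were adjusted for this; if they were not, a `falsepositives` entry such as `- Legitimate Chrome 96 clients on Windows 7` would tell analysts what to expect. I would also put the caveat next to the entry, e.g. `# Havoc default UA - identical to a real Chrome 96 / Win7 UA; corroborate with destination and beaconing pattern before escalating`. Since the linked issue describes this as a default, it only covers deployments where the value was left unchanged, which is worth stating in the same comment so the entry is not read as full Havoc coverage.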