Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
29 lines
1.0 KiB
YAML
29 lines
1.0 KiB
YAML
title: Suspicious User-Agents Related To Recon Tools
|
|
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
|
|
status: test
|
|
description: Detects known suspicious (default) user-agents related to scanning/recon tools
|
|
references:
|
|
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
|
|
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
|
|
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
|
|
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
|
|
date: 2022-07-19
|
|
modified: 2023-01-02
|
|
tags:
|
|
- attack.initial-access
|
|
- attack.t1190
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection:
|
|
cs-user-agent|contains:
|
|
# Add more tools as you see fit
|
|
- 'Wfuzz/'
|
|
- 'WPScan v'
|
|
- 'Recon-ng/v'
|
|
- 'GIS - AppSec Team - Project Vision'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|