A host running a hacking tool may reveal itself by sending web requests whose User-Agent string is known to belong to such a tool, which can indicate remote code execution or command-and-control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that relies on web-based tools.
KQL Query
let threatCategory="Hacking Tool";
let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
[ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
with(format="csv", ignoreFirstRecord=True));
let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
let fullUAList = array_concat(knownUserAgents,customUserAgents);
_Im_WebSession(httpuseragent_has_any=fullUAList)
| project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
| extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
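The query above builds its indicator list from two sources (the feed CSV filtered to the "Hacking Tool" category, plus watchlist rows with that SearchKey), matches them with `has_any`, and then splits SrcUsername into account name and UPN suffix. The following Python is an added emulation of exactly that pipeline run over constructed sample rows; it is not code from the Azure-Sentinel project, the feed rows, watchlist rows and session rows are all constructed here, and `has_any` is a word-boundary approximation of KQL term matching.

```python
import csv
import io
import re

# Constructed stand-in for the UnusualUserAgents.csv feed (UserAgent,Category columns).
FEED_CSV = """UserAgent,Category
sqlmap,Hacking Tool
Nikto,Hacking Tool
Googlebot,Crawler
"""

# Constructed stand-in for rows of the UnusualUserAgents watchlist (SearchKey is the category).
WATCHLIST = [
    {"SearchKey": "Hacking Tool", "UserAgent": "customscan"},
    {"SearchKey": "Crawler", "UserAgent": "bingbot"},
]

# Constructed ASIM WebSession-style rows; only the columns the rule projects are included.
SESSIONS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "SrcIpAddr": "10.1.2.3", "Url": "http://intranet/login",
     "HttpUserAgent": "sqlmap/1.7.2#stable (https://sqlmap.org)", "SrcUsername": "alice@contoso.com"},
    {"TimeGenerated": "2024-01-01T10:00:05Z", "SrcIpAddr": "10.1.2.4", "Url": "http://intranet/",
     "HttpUserAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", "SrcUsername": "bob@contoso.com"},
    {"TimeGenerated": "2024-01-01T10:00:09Z", "SrcIpAddr": "10.1.2.5", "Url": "http://intranet/api",
     "HttpUserAgent": "customscan/0.1", "SrcUsername": "svc-scan"},
]

def build_ua_list(feed_csv, watchlist, category="Hacking Tool"):
    """Mirror knownUserAgents + customUserAgents: feed rows of the category, then watchlist rows."""
    known = [r["UserAgent"] for r in csv.DictReader(io.StringIO(feed_csv))
             if r["Category"] == category and r["UserAgent"]]
    custom = [r.get("UserAgent", "") for r in watchlist if r["SearchKey"] == category]
    return known + [ua for ua in custom if ua]

def has_any(text, terms):
    """Approximation of KQL has_any: case-insensitive match on a whole term, not a substring."""
    return any(re.search(r"(?<![A-Za-z0-9])" + re.escape(t) + r"(?![A-Za-z0-9])", text, re.I)
               for t in terms)

def run_rule(sessions, ua_list):
    """Apply the rule's where/project/extend steps; split SrcUsername like split(x, "@")[0] / [1]."""
    hits = []
    for s in sessions:
        if not has_any(s["HttpUserAgent"], ua_list):
            continue
        parts = s["SrcUsername"].split("@")
        hits.append({"SrcIpAddr": s["SrcIpAddr"], "Url": s["Url"], "TimeGenerated": s["TimeGenerated"],
                     "HttpUserAgent": s["HttpUserAgent"], "SrcUsername": s["SrcUsername"],
                     "AccountName": parts[0], "AccountUPNSuffix": parts[1] if len(parts) > 1 else ""})
    return hits
```

Running `run_rule(SESSIONS, build_ua_list(FEED_CSV, WATCHLIST))` yields the two sessions whose User-Agent contains a listed term; a browser UA that merely embeds a term inside a longer token is not matched, which is the behaviour `has_any` gives you in KQL.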
id: 3f0c20d5-6228-48ef-92f3-9ff7822c1954
name: A host is potentially running a hacking tool (ASIM Web Session schema)
description: |
  'This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.<br>You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
  This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
severity: Medium
tags:
  - ParentName: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
    version: 1.0.0
  - Schema: ASimWebSession
    SchemaVersion: 0.2.1
requiredDataConnectors:
  - connectorId: SquidProxy
    dataTypes:
      - SquidProxy_CL
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - Discovery
  - LateralMovement
  - Collection
  - CommandAndControl
  - Exfiltration
relevantTechniques:
  - T1059
  - T1046
  - T1021
  - T1557
  - T1102
  - T1020
query: |
  let threatCategory="Hacking Tool";
  let knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)
  [ @"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv"]
  with(format="csv", ignoreFirstRecord=True));
  let knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));
  let customUserAgents=toscalar(_GetWatchlist("UnusualUserAgents") | where SearchKey==threatCategory | extend UserAgent=column_ifexists("UserAgent","") | where isnotempty(UserAgent) | summarize make_list(UserAgent));
  let fullUAList = array_concat(knownUserAgents,customUserAgents);
  _Im_WebSession(httpuseragent_has_any=fullUAList)
  | project SrcIpAddr, Url, TimeGenerated, HttpUserAgent, SrcUsername
  | extend AccountName = tostring(split(SrcUsername, "@")[0]), AccountUPNSuffix = tostring(split(SrcUsername, "@")[1])
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SrcUsername
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
alertDetailsOverride:
  alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running a hacking tool'
  alertDescriptionFormat: 'The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}.
Scenario: System Administrator Using a Known Hacking Tool User-Agent for Debugging Purposes
Description: A sysadmin is testing a web application with a tool such as curl or wget whose user-agent string matches a known hacking tool.
Filter/Exclusion: Check for the presence of admin credentials in the request, or filter by the source IPs of known internal admin hosts.
Scenario: Legitimate Web Server Using a Hacking Tool User-Agent for Compatibility
Description: A web server or reverse proxy (e.g., Nginx, Apache) is configured to send a user-agent string that matches a known hacking tool for compatibility with certain client systems.
Filter/Exclusion: Filter by destination IPs matching known web server hosts, or check for the presence of server headers such as Server: Apache/2.4.41.
Scenario: Scheduled Job or Automation Script Using a Hacking Tool User-Agent
Description: A scheduled job or automation script (e.g., using curl, or Invoke-WebRequest in PowerShell) is configured to send a user-agent string that matches a known hacking tool.
Filter/Exclusion: Filter by process name (e.g., cron, systemd, Task Scheduler), or check for scheduling-related headers or a regular timestamp pattern in the requests.
Scenario: User-Agent Spoofing by Legitimate Users for Bypassing Access Controls
Description: A legitimate user is spoofing a user-agent string (e.g., mimicking Mozilla or curl) to bypass access control mechanisms or to test application behavior.
Filter/Exclusion: Filter by the presence of authentication tokens, session cookies, or IP address allowlists.
Scenario: Security Tool or SIEM System Using a Hacking Tool User-Agent for Monitoring
Description: A security tool (e.g., `OS