The hypothesis is that an adversary is sending HTTP traffic through the web proxy with a user agent string that is a known default of an exploit or post-exploitation framework (Metasploit, Cobalt Strike, Empire, Havoc), either to establish command and control or to exfiltrate data, counting on the string looking like an ordinary browser. Because these defaults are documented and rarely change, SOC teams can proactively hunt for them in Azure Sentinel proxy logs to identify a compromise early, before lateral movement or data theft.
Detection Rule
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent:
            # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
            - 'Internet Explorer *'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
            # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
            - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
            - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
            - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
            - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
            - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
            # Metasploit Update by Florian Roth 08.07.2017
            - 'Mozilla/5.0'
            - 'Mozilla/4.0 (compatible; SPIPE/1.0'
            # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
            # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
            - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
            - 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
            - 'X-FORWARDED-FOR'
            - 'DotDotPwn v2.1'
            - 'SIPDROID'
            - 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            # Empire
            - 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
            # Exploits
            - '*wordpress hash grabber*'
            - '*exploit*'
            # Havoc
            - 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imWebSession
| where HttpUserAgent in~ (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)",
    "Mozilla/4.0 (compatible; Metasploit RSPEC)",
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
    "Mozilla/5.0",
    "Mozilla/4.0 (compatible; SPIPE/1.0",
    "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0",
    "Sametime Community Agent",
    "X-FORWARDED-FOR",
    "DotDotPwn v2.1",
    "SIPDROID",
    "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)",
    "Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"
  )
  or HttpUserAgent startswith "Internet Explorer "
  or HttpUserAgent contains "wordpress hash grabber"
  or HttpUserAgent contains "exploit"
False-Positive Scenarios
The user agent is chosen by whoever sends the request, so an exclusion keyed on the user agent alone is something an attacker can deliberately satisfy. Scope every exclusion to a known source (IP, subnet or identity) and, where possible, a time window.
Scenario: Metasploit Framework Usage During Penetration Testing
Description: The security team runs an authorised penetration test with Metasploit, whose default user agent strings are exactly the ones this rule lists.
Filter/Exclusion: source_ip IN (authorised pentest source IPs) AND timestamp BETWEEN engagement_start AND engagement_end. Do not exclude on user_agent LIKE '%Metasploit%': that also hides a real attacker using the same framework.
Scenario: Scheduled Job for System Monitoring
Description: A scheduled monitoring script makes HTTP requests with a minimal or default user agent set for logging purposes that coincides with one of the rule's entries (the bare 'Mozilla/5.0' entry is the most likely collision).
Filter/Exclusion: source_ip IN (monitoring hosts) AND request_path LIKE '/monitoring%'. Preferably, change the script to send a descriptive user agent so that no exclusion is needed.
Scenario: Admin Task for Log Analysis
Description: An administrator uses a forensic or log-replay tool that reproduces an exploit framework's user agent, for example when validating this rule against the proxy.
Filter/Exclusion: source_ip IN (analyst workstations) AND user == 'admin_user', limited to the time window of the analysis.
Scenario: CI/CD Pipeline with Security Scanning Tools
Description: A CI/CD pipeline runs a security scanner (e.g., OWASP ZAP) whose requests carry a custom user agent that one of the rule's exact entries or wildcard entries ('*exploit*') matches.
Filter/Exclusion: source_ip IN (CI runner IPs) AND request_path LIKE '/ci-cd/scans%'. Avoid user_agent LIKE '%OWASP ZAP%' on its own, since any client can claim that string.
Scenario: Internal Proxy with Custom User Agent Headers
Description: An internal proxy rewrites or injects user agent headers for internal traffic, producing strings that resemble the exploit framework entries.
Filter/Exclusion: source_ip IN (internal proxy IPs) AND request_header 'X-Proxy-Internal' = 'true'. The header is corroborating evidence only; the source IP is the control.
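The following is an added example, not code from the Sigma project, from Microsoft Sentinel or from the rule's author. It implements the rule's user-agent selection as it would be evaluated by a Sigma backend (case-insensitive, '*' as a wildcard, everything else anchored and literal), runs it over a handful of constructed proxy log lines, and then applies exclusions scoped the way the scenarios above recommend: by source network and time window rather than by user agent. The log line format, the IP addresses, the hosts and the two exclusions are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# User-agent selection copied from the Sigma rule above. Sigma string values are
# matched case-insensitively and '*' is a wildcard; everything else is literal.
EXPLOIT_FRAMEWORK_UA = [
    "Internet Explorer *",  # Cobalt Strike
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)",
    "Mozilla/4.0 (compatible; Metasploit RSPEC)",  # Metasploit
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
    "Mozilla/5.0",  # bare string only: no wildcard, so modern browser strings do not match
    "Mozilla/4.0 (compatible; SPIPE/1.0",
    "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0",
    "Sametime Community Agent",
    "X-FORWARDED-FOR",
    "DotDotPwn v2.1",
    "SIPDROID",
    "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)",
    "Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0",  # Empire
    "*wordpress hash grabber*",  # Exploits
    "*exploit*",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36",  # Havoc
]

def sigma_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one Sigma string value to an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE)

COMPILED = [(p, sigma_to_regex(p)) for p in EXPLOIT_FRAMEWORK_UA]

def match_rule(user_agent: str) -> Optional[str]:
    """Return the rule entry that matched the user agent, or None if it is clean."""
    for pattern, rx in COMPILED:
        if rx.match(user_agent):
            return pattern
    return None

# Constructed proxy log format for this example: ts src_ip dst_host status "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_proxy_log(lines):
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, src_ip, dst_host, status, ua = m.groups()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "src_ip": src_ip, "dst_host": dst_host, "status": int(status), "user_agent": ua})
    return records

@dataclass(frozen=True)
class Exclusion:
    """Allow-list entry scoped by source network and optional time window. It never
    looks at the user agent, because the sender chooses that string."""
    reason: str
    network: ipaddress.IPv4Network
    start: Optional[datetime] = None  # None = open-ended
    end: Optional[datetime] = None

    def covers(self, rec) -> bool:
        if ipaddress.ip_address(rec["src_ip"]) not in self.network:
            return False
        if self.start is not None and rec["ts"] < self.start:
            return False
        return self.end is None or rec["ts"] <= self.end

def hunt(records, exclusions):
    """Apply the rule to every record, then drop hits covered by a scoped exclusion."""
    alerts = []
    for rec in records:
        pattern = match_rule(rec["user_agent"])
        if pattern is not None and not any(ex.covers(rec) for ex in exclusions):
            alerts.append({**rec, "matched": pattern})
    return alerts

UTC = timezone.utc
# Constructed sample log (RFC 1918 and documentation addresses only).
SAMPLE_LOG = """\
2025-02-03T10:15:02Z 10.20.30.41 update.example-cdn.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
2025-02-03T10:15:07Z 10.20.30.41 203.0.113.25 200 "Mozilla/4.0 (compatible; Metasploit RSPEC)"
2025-02-03T10:16:11Z 10.20.30.77 198.51.100.9 404 "Mozilla/5.0"
2025-02-03T10:17:40Z 10.20.30.12 scanner.corp.example 200 "internal-exploit-checker/1.2"
2025-02-03T10:18:03Z 10.20.31.5 203.0.113.77 200 "Internet Explorer 11"
2025-02-03T10:18:09Z 10.20.30.41 cdn.example.net 200 "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
"""
# Hypothetical exclusions for the pentest and CI-scanner scenarios described above.
EXCLUSIONS = [
    Exclusion("authorised pentest, engagement window", ipaddress.ip_network("10.20.30.41/32"),
              datetime(2025, 2, 3, 9, 0, tzinfo=UTC), datetime(2025, 2, 3, 12, 0, tzinfo=UTC)),
    Exclusion("CI security scanner host", ipaddress.ip_network("10.20.30.12/32")),
]

if __name__ == "__main__":
    for a in hunt(parse_proxy_log(SAMPLE_LOG.splitlines()), EXCLUSIONS):
        print(f"{a['ts'].isoformat()} {a['src_ip']} -> {a['dst_host']} matched {a['matched']!r}")
```

Run stand-alone, the sample produces four raw hits (the Metasploit RSPEC string, the bare 'Mozilla/5.0', the 'exploit' substring and the 'Internet Explorer' prefix) and two alerts after the exclusions: the pentest source inside its engagement window and the CI scanner host are suppressed, while the same strings from any other source still fire. The commented-out MSIE 10.0 entry on the last line is deliberately not matched, and the anchoring in sigma_to_regex is what keeps the bare 'Mozilla/5.0' entry from matching every modern browser string, which is also why the KQL above uses in~ rather than contains for it.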