The Hack Tool User Agent rule detects adversaries whose attack tools announce themselves through distinctive user agent strings recorded in proxy logs, a signal that standard detection mechanisms often overlook. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify command and control activity or initial access attempts that would otherwise blend into ordinary web traffic.
Detection Rule
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings used by hack tools in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
    - http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
    - attack.initial-access
    - attack.t1190
    - attack.credential-access
    - attack.t1110
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            # Vulnerability scanner and brute force tools
            - '(hydra)'
            - ' arachni/'
            - ' BFAC '
            - ' brutus '
            - ' cgichk '
            - 'core-project/1.0'
            - ' crimscanner/'
            - 'datacha0s'
            - 'dirbuster'
            - 'domino hunter'
            - 'dotdotpwn'
            - 'FHScan Core'
            - 'floodgate'
            - 'get-minimal'
            - 'gootkit auto-rooter scanner'
            - 'grendel-scan'
            - ' inspath '
            - 'internet ninja'
            - 'jaascois'
            - ' zmeu '
            - 'masscan'
            - ' metis '
            - 'morfeus fucking scanner'
            - 'n-stealth'
            - 'nsauditor'
            - 'pmafind'
            - 'security scan'
            - 'springenwerk'
            - 'teh forest lobster'
            - 'toata dragostea'
            - ' vega/'
            - 'voideye'
            - 'webshag'
            - 'webvulnscan'
            - ' whcc/'
            # SQL Injection
            - ' Havij'
            - 'absinthe'
            - 'bsqlbf'
            - 'mysqloit'
            - 'pangolin'
            - 'sql power injector'
            - 'sqlmap'
            - 'sqlninja'
            - 'uil2pn'
            # Hack tool
            - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
            - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel Query (KQL)
imWebSession
| where HttpUserAgent contains "(hydra)"
    or HttpUserAgent contains " arachni/"
    or HttpUserAgent contains " BFAC "
    or HttpUserAgent contains " brutus "
    or HttpUserAgent contains " cgichk "
    or HttpUserAgent contains "core-project/1.0"
    or HttpUserAgent contains " crimscanner/"
    or HttpUserAgent contains "datacha0s"
    or HttpUserAgent contains "dirbuster"
    or HttpUserAgent contains "domino hunter"
    or HttpUserAgent contains "dotdotpwn"
    or HttpUserAgent contains "FHScan Core"
    or HttpUserAgent contains "floodgate"
    or HttpUserAgent contains "get-minimal"
    or HttpUserAgent contains "gootkit auto-rooter scanner"
    or HttpUserAgent contains "grendel-scan"
    or HttpUserAgent contains " inspath "
    or HttpUserAgent contains "internet ninja"
    or HttpUserAgent contains "jaascois"
    or HttpUserAgent contains " zmeu "
    or HttpUserAgent contains "masscan"
    or HttpUserAgent contains " metis "
    or HttpUserAgent contains "morfeus fucking scanner"
    or HttpUserAgent contains "n-stealth"
    or HttpUserAgent contains "nsauditor"
    or HttpUserAgent contains "pmafind"
    or HttpUserAgent contains "security scan"
    or HttpUserAgent contains "springenwerk"
    or HttpUserAgent contains "teh forest lobster"
    or HttpUserAgent contains "toata dragostea"
    or HttpUserAgent contains " vega/"
    or HttpUserAgent contains "voideye"
    or HttpUserAgent contains "webshag"
    or HttpUserAgent contains "webvulnscan"
    or HttpUserAgent contains " whcc/"
    or HttpUserAgent contains " Havij"
    or HttpUserAgent contains "absinthe"
    or HttpUserAgent contains "bsqlbf"
    or HttpUserAgent contains "mysqloit"
    or HttpUserAgent contains "pangolin"
    or HttpUserAgent contains "sql power injector"
    or HttpUserAgent contains "sqlmap"
    or HttpUserAgent contains "sqlninja"
    or HttpUserAgent contains "uil2pn"
    or HttpUserAgent contains "ruler"
    or HttpUserAgent contains "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
False Positive Scenarios

Scenario: Legitimate System Monitoring Tool Usage
Description: A system administrator is using a legitimate monitoring tool like Nagios or Zabbix which includes a custom user agent string.
Filter/Exclusion: Exclude user agents containing “Nagios” or “Zabbix” in the user_agent field.

Scenario: Scheduled Job with Custom User Agent
Description: A scheduled job (e.g., via cron or Task Scheduler) is configured to use a custom user agent string for API calls or log collection.
Filter/Exclusion: Exclude entries where the user_agent field contains “cron” or “Task Scheduler”.

Scenario: Proxy Server with Default User Agent
Description: The enterprise proxy server uses a default user agent string (e.g., “Mozilla/5.0”) for logging purposes, which may match the rule’s suspicious pattern.
Filter/Exclusion: Exclude entries where the source IP is the internal proxy server IP or where the user_agent field matches known proxy default strings.

Scenario: Admin Task with Custom User Agent
Description: An administrator is performing a system cleanup or audit using a custom script or tool (e.g., Ansible or PowerShell) that includes a user agent string.
Filter/Exclusion: Exclude user agents containing “Ansible” or “PowerShell” in the user_agent field.

Scenario: Log Aggregation Tool with Modified User Agent
Description: A log aggregation tool like Graylog or ELK Stack is configured to use a modified user agent for internal communication.
Filter/Exclusion: Exclude entries where the user_agent field contains “Graylog” or “ELK”.
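To see how the rule's `contains` logic and the exclusion tuning above behave on real-looking records, here is an added example (not part of the Sigma rule or the Sentinel query) that runs a subset of the rule's patterns over constructed proxy log lines; the log format, the sample lines and the "AcmeRuler" tool name are assumptions made for the example. It also shows two behaviors a detection engineer should verify when porting the rule: patterns with leading or trailing spaces (such as ' BFAC ') will not match a user agent where the token is followed by a slash, and a bare word such as 'ruler' matches inside any longer word, which is where allow-list exclusions come in.

```python
import re

# Subset of the rule's c-useragent|contains patterns; the full list is in the rule above.
HACK_TOOL_UA_PATTERNS = ["(hydra)", " arachni/", " BFAC ", "dirbuster",
                         "masscan", "sqlmap", " Havij", "ruler"]

# Assumed proxy log format (constructed for this example):
#   <timestamp> <src_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def match_hack_tool_ua(ua):
    """Emulate Sigma/KQL 'contains': case-insensitive substring match where
    leading/trailing spaces in the pattern are significant. Returns the
    first matching pattern, or None."""
    lowered = ua.lower()
    for pat in HACK_TOOL_UA_PATTERNS:
        if pat.lower() in lowered:
            return pat
    return None

def detect(lines, exclusions=()):
    """Return (src_ip, user_agent, pattern) for each line the rule fires on,
    skipping user agents containing any allow-listed exclusion substring."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; not this rule's concern
        pat = match_hack_tool_ua(rec["ua"])
        if pat and not any(ex.lower() in rec["ua"].lower() for ex in exclusions):
            hits.append((rec["src"], rec["ua"], pat))
    return hits

SAMPLE_LOGS = [  # constructed sample lines, not real traffic
    '2024-01-01T10:00:00Z 10.0.0.5 GET http://app.example/login "sqlmap/1.7 (https://sqlmap.org)"',
    '2024-01-01T10:00:01Z 10.0.0.6 GET http://app.example/ "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
    '2024-01-01T10:00:02Z 10.0.0.7 GET http://app.example/admin "Mozilla/5.0 BFAC/2.0"',
    '2024-01-01T10:00:03Z 10.0.0.8 GET http://app.example/ "Mozilla/5.0 (compatible; Arachni/1.5)"',
    '2024-01-01T10:00:04Z 10.0.0.9 GET http://intra.example/ "AcmeRuler/2.1 (constructed internal tool)"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS, exclusions=("AcmeRuler",)):
        print(hit)
```

Without exclusions the third hit is the internal "AcmeRuler" tool caught by the bare 'ruler' pattern; the line with "BFAC/2.0" never fires because the rule's ' BFAC ' pattern requires a trailing space.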