Exploit Framework User Agent

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Rule Content

- title: Exploit Framework User Agent
  id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
  status: experimental
  description: Detects suspicious user agent strings used by exploit / pentest frameworks
    like Metasploit in proxy logs
  references:
  - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
  author: Florian Roth
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-useragent:
      - Internet Explorer *
      - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)
      - Mozilla/4.0 (compatible; Metasploit RSPEC)
      - Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
      - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
      - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
      - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E};
        SLCC1; .N
      - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
      - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML,
        like Gecko) Chrome/4.0.221.6 Safari/525.13
      - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)
      - Mozilla/5.0
      - Mozilla/4.0 (compatible; SPIPE/1.0
      - Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0
      - Sametime Community Agent
      - X-FORWARDED-FOR
      - DotDotPwn v2.1
      - SIPDROID
      - Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)
      - Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0
      - '*wordpress hash grabber*'
      - '*exploit*'
    condition: selection
  fields:
  - ClientIP
  - c-uri
  - c-useragent
  falsepositives:
  - Unknown
  level: high
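To make the rule's matching behaviour concrete, here is a local evaluator for it in Python. This is an added example, not code from the Sigma project or from the rule's author; it copies the `c-useragent` values from the rule above (including the truncated "… SLCC1; .N" entry exactly as listed), applies Sigma's string semantics (`*` matches any run of characters, `?` one character, whole-field match, case-insensitive), and runs the selection over a few constructed proxy events that use the rule's own field names (`ClientIP`, `c-uri`, `c-useragent`). The sample events are made up for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# c-useragent values copied from the Sigma rule above (the "... SLCC1; .N"
# entry is kept exactly as truncated in the rule).
SUSPICIOUS_USER_AGENTS = [
    "Internet Explorer *",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)",
    "Mozilla/4.0 (compatible; Metasploit RSPEC)",
    "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)",
    "Mozilla/5.0",
    "Mozilla/4.0 (compatible; SPIPE/1.0",
    "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0",
    "Sametime Community Agent",
    "X-FORWARDED-FOR",
    "DotDotPwn v2.1",
    "SIPDROID",
    "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)",
    "Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205     Firefox/27.0 Iceweasel/25.3.0",
    "*wordpress hash grabber*",
    "*exploit*",
]


def sigma_value_to_regex(value: str) -> re.Pattern:
    """Translate one Sigma string value into a compiled, anchored regex.

    Sigma semantics: '*' matches any run of characters, '?' matches exactly
    one character, everything else is literal, the whole field value must
    match, and the comparison is case-insensitive.
    """
    parts = []
    for ch in value:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# Compile every rule value once; keep the original value so a hit can report it.
PATTERNS = [(v, sigma_value_to_regex(v)) for v in SUSPICIOUS_USER_AGENTS]


def matching_value(user_agent: Optional[str]) -> Optional[str]:
    """Return the rule value that matched the user agent, or None.

    A missing c-useragent field never matches (Sigma only matches present fields).
    """
    if user_agent is None:
        return None
    for value, pattern in PATTERNS:
        if pattern.match(user_agent):
            return value
    return None


def evaluate_proxy_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the rule's selection to proxy events and return, for each hit,
    the rule's output 'fields' (ClientIP, c-uri, c-useragent) plus the value that fired."""
    hits = []
    for ev in events:
        matched = matching_value(ev.get("c-useragent"))
        if matched is not None:
            hits.append({
                "ClientIP": ev.get("ClientIP"),
                "c-uri": ev.get("c-uri"),
                "c-useragent": ev.get("c-useragent"),
                "matched_value": matched,
            })
    return hits


# Constructed sample proxy events for the example (not real traffic).
SAMPLE_EVENTS = [
    {"ClientIP": "10.0.0.5", "c-uri": "/index.html",
     "c-useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0 Safari/537.36"},
    {"ClientIP": "10.0.0.7", "c-uri": "/login",
     "c-useragent": "Mozilla/4.0 (compatible; Metasploit RSPEC)"},
    {"ClientIP": "10.0.0.9", "c-uri": "/wp-login.php",
     "c-useragent": "WordPress Hash Grabber v1"},
    {"ClientIP": "10.0.0.11", "c-uri": "/api",
     "c-useragent": "internet explorer 11"},
    {"ClientIP": "10.0.0.12", "c-uri": "/favicon.ico"},  # no user agent logged
]

if __name__ == "__main__":
    for hit in evaluate_proxy_events(SAMPLE_EVENTS):
        print(hit)
```

Two things this makes visible. First, the bare `Mozilla/5.0` value only fires on a user agent that is exactly `Mozilla/5.0`, not on every string starting with it, so the rule is narrower than it may look. Second, the evaluator above is case-insensitive because that is what Sigma specifies, whereas the notebook query later on this page runs against `c-useragent.keyword`, an exact, case-sensitive term field in Elasticsearch; a variant such as `WordPress Hash Grabber` would match here but not there unless the field is normalized (for example with a lowercase normalizer) at index time.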

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
s = searchContext.query('query_string', query='c-useragent.keyword:(Internet\ Explorer\ * OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;\ SV1;\ InfoPath.2\) OR Mozilla\/4.0\ \(compatible;\ Metasploit\ RSPEC\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.1;\ Windows\ NT\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.0;\ Trident\/4.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.0;\ Trident\/4.0;\ SIMBAR\=\{7DB0F6DE\-8DE7\-4841\-9084\-28FA914B0F2E\};\ SLCC1;\ .N OR Mozilla\/5.0\ \(compatible;\ Googlebot\/2.1;\ \+http\:\/\/www.google.com\/bot.html\) OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US\)\ AppleWebKit\/525.13\ \(KHTML,\ like\ Gecko\)\ Chrome\/4.0.221.6\ Safari\/525.13 OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/5.0;\ MAAU\) OR Mozilla\/5.0 OR Mozilla\/4.0\ \(compatible;\ SPIPE\/1.0 OR Mozilla\/5.0\ \(Windows\ NT\ 6.3;\ rv\:39.0\)\ Gecko\/20100101\ Firefox\/35.0 OR Sametime\ Community\ Agent OR X\-FORWARDED\-FOR OR DotDotPwn\ v2.1 OR SIPDROID OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win32;\ x32;\ rv\:60.0\) OR Mozilla\/6.0\ \(X11;\ Linux\ x86_64;\ rv\:24.0\)\ Gecko\/20140205\ \ \ \ \ Firefox\/27.0\ Iceweasel\/25.3.0 OR *wordpress\ hash\ grabber* OR *exploit*)')
response = s.execute()
if response.success():
    # scan() streams every matching document; to_dict() flattens each hit for pandas
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # keep df defined so the next cell does not raise NameError on a failed query
    df = pd.DataFrame()

Show Results


In [ ]:
df.head()