
Regular expression of Hack Tool User Agent


Detects suspicious user agent strings used by hack tools in proxy logs.

  • QRadar AQL
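SELECT
    sourceip,
    "URL",
    "UserAgent"
FROM events
WHERE (
    "UserAgent" ILIKE '%(hydra)%'
    OR "UserAgent" ILIKE '% arachni/%'
    OR "UserAgent" ILIKE '% BFAC %'
    OR "UserAgent" ILIKE '% brutus %'
    OR "UserAgent" ILIKE '% cgichk %'
    OR "UserAgent" ILIKE '%core-project/1.0%'
    OR "UserAgent" ILIKE '% crimscanner/%'
    OR "UserAgent" ILIKE '%datacha0s%'
    OR "UserAgent" ILIKE '%dirbuster%'
    OR "UserAgent" ILIKE '%domino hunter%'
    OR "UserAgent" ILIKE '%dotdotpwn%'
    OR "UserAgent" = 'FHScan Core'
    OR "UserAgent" ILIKE '%floodgate%'
    OR "UserAgent" ILIKE '%get-minimal%'
    OR "UserAgent" ILIKE '%gootkit auto-rooter scanner%'
    OR "UserAgent" ILIKE '%grendel-scan%'
    OR "UserAgent" ILIKE '% inspath %'
    OR "UserAgent" ILIKE '%internet ninja%'
    OR "UserAgent" ILIKE '%jaascois%'
    OR "UserAgent" ILIKE '% zmeu %'
    OR "UserAgent" ILIKE '%masscan%'
    OR "UserAgent" ILIKE '% metis %'
    OR "UserAgent" ILIKE '%morfeus fucking scanner%'
    OR "UserAgent" ILIKE '%n-stealth%'
    OR "UserAgent" ILIKE '%nsauditor%'
    OR "UserAgent" ILIKE '%pmafind%'
    OR "UserAgent" ILIKE '%security scan%'
    OR "UserAgent" ILIKE '%springenwerk%'
    OR "UserAgent" ILIKE '%teh forest lobster%'
    OR "UserAgent" ILIKE '%toata dragostea%'
    OR "UserAgent" ILIKE '% vega/%'
    OR "UserAgent" ILIKE '%voideye%'
    OR "UserAgent" ILIKE '%webshag%'
    OR "UserAgent" ILIKE '%webvulnscan%'
    OR "UserAgent" ILIKE '% whcc/%'
    OR "UserAgent" ILIKE '% Havij'
    OR "UserAgent" ILIKE '%absinthe%'
    OR "UserAgent" ILIKE '%bsqlbf%'
    OR "UserAgent" ILIKE '%mysqloit%'
    OR "UserAgent" ILIKE '%pangolin%'
    OR "UserAgent" ILIKE '%sql power injector%'
    OR "UserAgent" ILIKE '%sqlmap%'
    OR "UserAgent" ILIKE '%sqlninja%'
    OR "UserAgent" ILIKE '%uil2pn%'
    OR "UserAgent" = 'ruler'
)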
  • Splunk
(
    UserAgent="(hydra)"
    OR UserAgent="* arachni/"
    OR UserAgent=" BFAC "
    OR UserAgent=" brutus "
    OR UserAgent=" cgichk "
    OR UserAgent="core-project/1.0"
    OR UserAgent=" crimscanner/"
    OR UserAgent="datacha0s"
    OR UserAgent="dirbuster"
    OR UserAgent="domino hunter"
    OR UserAgent="dotdotpwn"
    OR UserAgent="FHScan Core"
    OR UserAgent="floodgate"
    OR UserAgent="get-minimal"
    OR UserAgent="gootkit auto-rooter scanner"
    OR UserAgent="grendel-scan"
    OR UserAgent=" inspath "
    OR UserAgent="internet ninja"
    OR UserAgent="jaascois"
    OR UserAgent=" zmeu "
    OR UserAgent="masscan"
    OR UserAgent=" metis "
    OR UserAgent="morfeus fucking scanner"
    OR UserAgent="n-stealth"
    OR UserAgent="nsauditor"
    OR UserAgent="pmafind"
    OR UserAgent="security scan"
    OR UserAgent="springenwerk"
    OR UserAgent="teh forest lobster"
    OR UserAgent="toata dragostea"
    OR UserAgent=" vega/"
    OR UserAgent="voideye"
    OR UserAgent="webshag"
    OR UserAgent="webvulnscan"
    OR UserAgent=" whcc/"
    OR UserAgent=" Havij"
    OR UserAgent="absinthe"
    OR UserAgent="bsqlbf"
    OR UserAgent="mysqloit"
    OR UserAgent="pangolin"
    OR UserAgent="sql power injector"
    OR UserAgent="sqlmap"
    OR UserAgent="sqlninja"
    OR UserAgent="uil2pn"
    OR UserAgent="ruler"
)
| table ClientIP,URL,UserAgent
  • Elastic Query
user_agent.original.keyword:((hydra) OR \ arachni\/ OR *\ BFAC\ * OR *\ brutus\ * OR *\ cgichk\ * OR core-project\/1.0 OR \ crimscanner\/ OR datacha0s OR dirbuster OR domino\ hunter OR dotdotpwn OR "FHScan\ Core" OR floodgate OR get-minimal OR gootkit\ auto-rooter\ scanner OR grendel-scan OR *\ inspath\ * OR internet\ ninja OR jaascois OR *\ zmeu\ * OR masscan OR *\ metis\ * OR morfeus\ fucking\ scanner OR n-stealth OR nsauditor OR pmafind OR security\ scan OR springenwerk OR teh\ forest\ lobster OR toata\ dragostea OR \ vega\/ OR voideye OR webshag OR webvulnscan OR \ whcc\/ OR *\ Havij OR *absinthe* OR bsqlbf OR mysqloit OR pangolin OR sql\ power\ injector OR sqlmap OR sqlninja OR uil2pn OR "ruler")
  • EDR Carbon Black
(UserAgent:(hydra) OR UserAgent:arachni/ OR UserAgent:BFAC OR UserAgent:brutus OR UserAgent:cgichk OR UserAgent:core-project/1.0 OR UserAgent:crimscanner/ OR UserAgent:datacha0s OR UserAgent:dirbuster OR UserAgent:"domino hunter" OR UserAgent:dotdotpwn OR UserAgent:"FHScan Core" OR UserAgent:floodgate OR UserAgent:get-minimal OR UserAgent:"gootkit auto-rooter scanner" OR UserAgent:grendel-scan OR UserAgent:inspath OR UserAgent:"internet ninja" OR UserAgent:jaascois OR UserAgent:zmeu OR UserAgent:masscan OR UserAgent:metis OR UserAgent:"morfeus fucking scanner" OR UserAgent:n-stealth OR UserAgent:nsauditor OR UserAgent:pmafind OR UserAgent:"security scan" OR UserAgent:springenwerk OR UserAgent:"teh forest lobster" OR UserAgent:"toata dragostea" OR UserAgent:vega/ OR UserAgent:voideye OR UserAgent:webshag OR UserAgent:webvulnscan OR UserAgent:whcc/ OR UserAgent:Havij OR UserAgent:absinthe OR UserAgent:bsqlbf OR UserAgent:mysqloit OR UserAgent:pangolin OR UserAgent:"sql power injector" OR UserAgent:sqlmap OR UserAgent:sqlninja OR UserAgent:uil2pn OR UserAgent:ruler)
  • Windows PowerShell
# Hack-tool user agent detection over Windows event messages.
# Each predicate below is a regular expression applied to $_.message, so the
# patterns are not literal strings: "(hydra)" is a capture group that matches
# "hydra" without its parentheses, ".." consumes any two characters after the
# field name, and "..*" means "any two characters, then any run". The
# "FHScan Core" and "ruler" patterns are not anchored to the UserAgent field
# at all. NOTE(review): confirm these patterns against the actual event
# message format before relying on them for alerting.
Get-WinEvent |
    Where-Object {
        ($_.message -match "UserAgent..(hydra)." -or
         $_.message -match "UserAgent..* arachni/." -or
         $_.message -match "UserAgent..* BFAC ." -or
         $_.message -match "UserAgent..* brutus ." -or
         $_.message -match "UserAgent..* cgichk ." -or
         $_.message -match "UserAgent..core-project/1.0." -or
         $_.message -match "UserAgent.. crimscanner/." -or
         $_.message -match "UserAgent..datacha0s." -or
         $_.message -match "UserAgent..dirbuster." -or
         $_.message -match "UserAgent..domino hunter." -or
         $_.message -match "UserAgent..dotdotpwn." -or
         $_.message -match "FHScan Core" -or
         $_.message -match "UserAgent..floodgate." -or
         $_.message -match "UserAgent..get-minimal." -or
         $_.message -match "UserAgent..gootkit auto-rooter scanner." -or
         $_.message -match "UserAgent..grendel-scan." -or
         $_.message -match "UserAgent..* inspath ." -or
         $_.message -match "UserAgent..internet ninja." -or
         $_.message -match "UserAgent..jaascois." -or
         $_.message -match "UserAgent..* zmeu ." -or
         $_.message -match "UserAgent..masscan." -or
         $_.message -match "UserAgent.. metis ." -or
         $_.message -match "UserAgent..morfeus fucking scanner." -or
         $_.message -match "UserAgent..n-stealth." -or
         $_.message -match "UserAgent..nsauditor." -or
         $_.message -match "UserAgent..pmafind." -or
         $_.message -match "UserAgent..security scan." -or
         $_.message -match "UserAgent..springenwerk." -or
         $_.message -match "UserAgent..teh forest lobster." -or
         $_.message -match "UserAgent..toata dragostea." -or
         $_.message -match "UserAgent..* vega/." -or
         $_.message -match "UserAgent..voideye." -or
         $_.message -match "UserAgent..webshag." -or
         $_.message -match "UserAgent..webvulnscan." -or
         $_.message -match "UserAgent.. whcc/." -or
         $_.message -match "UserAgent..* Havij" -or
         $_.message -match "UserAgent..absinthe." -or
         $_.message -match "UserAgent..bsqlbf." -or
         $_.message -match "UserAgent..mysqloit." -or
         $_.message -match "UserAgent..pangolin." -or
         $_.message -match "UserAgent..sql power injector." -or
         $_.message -match "UserAgent..sqlmap." -or
         $_.message -match "UserAgent..sqlninja." -or
         $_.message -match "UserAgent..uil2pn." -or
         $_.message -match "ruler")
    } |
    Select-Object TimeCreated,Id,RecordId,ProcessId,MachineName,Message
  • Qualys
(*(hydra)* or * arachni/* or * BFAC * or * brutus * or * cgichk * or *core-project/1.0* or * crimscanner/* or *datacha0s* or *dirbuster* or *domino hunter* or *dotdotpwn* or FHScan Core or *floodgate* or *get-minimal* or *gootkit auto-rooter scanner* or *grendel-scan* or * inspath * or *internet ninja* or *jaascois* or * zmeu * or *masscan* or * metis * or *morfeus fucking scanner* or *n-stealth* or *nsauditor* or *pmafind* or *security scan* or *springenwerk* or *teh forest lobster* or *toata dragostea* or * vega/* or *voideye* or *webshag* or *webvulnscan* or * whcc/* or * Havij or *absinthe* or *bsqlbf* or *mysqloit* or *pangolin* or *sql power injector* or *sqlmap* or *sqlninja* or *uil2pn* or ruler)
