83 строки
3.0 KiB
YAML
83 строки
3.0 KiB
YAML
id: 8d537f3c-094f-430c-a588-8a87da36ee3a
|
|
name: Cisco Umbrella - Hack Tool User-Agent Detected
|
|
description: |
|
|
'Detects suspicious user agent strings used by known hack tools'
|
|
severity: Medium
|
|
requiredDataConnectors:
|
|
- connectorId: CiscoUmbrellaDataConnector
|
|
dataTypes:
|
|
- Cisco_Umbrella_proxy_CL
|
|
queryFrequency: 15m
|
|
queryPeriod: 15m
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- CommandAndControl
|
|
query: |
|
|
let timeframe = 15m;
|
|
let user_agents=dynamic([
|
|
'(hydra)',
|
|
' arachni/',
|
|
' BFAC ',
|
|
' brutus ',
|
|
' cgichk ',
|
|
'core-project/1.0',
|
|
' crimscanner/',
|
|
'datacha0s',
|
|
'dirbuster',
|
|
'domino hunter',
|
|
'dotdotpwn',
|
|
'FHScan Core',
|
|
'floodgate',
|
|
'get-minimal',
|
|
'gootkit auto-rooter scanner',
|
|
'grendel-scan',
|
|
' inspath ',
|
|
'internet ninja',
|
|
'jaascois',
|
|
' zmeu ',
|
|
'masscan',
|
|
' metis ',
|
|
'morfeus fucking scanner',
|
|
'n-stealth',
|
|
'nsauditor',
|
|
'pmafind',
|
|
'security scan',
|
|
'springenwerk',
|
|
'teh forest lobster',
|
|
'toata dragostea',
|
|
' vega/',
|
|
'voideye',
|
|
'webshag',
|
|
'webvulnscan',
|
|
' whcc/',
|
|
' Havij',
|
|
'absinthe',
|
|
'bsqlbf',
|
|
'mysqloit',
|
|
'pangolin',
|
|
'sql power injector',
|
|
'sqlmap',
|
|
'sqlninja',
|
|
'uil2pn',
|
|
'ruler',
|
|
'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'
|
|
]);
|
|
Cisco_Umbrella
|
|
| where EventType == "proxylogs"
|
|
| where TimeGenerated > ago(timeframe)
|
|
| where HttpUserAgentOriginal has_any (user_agents)
|
|
| extend Message = "Hack Tool User Agent"
|
|
| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal
|
|
entityMappings:
|
|
- entityType: URL
|
|
fieldMappings:
|
|
- identifier: Url
|
|
columnName: UrlOriginal
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: SrcIpAddr
|
|
version: 1.1.2
|
|
kind: Scheduled
|