title: Exploit Framework User Agent
status: experimental
description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs
references:
    - https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth
logsource:
    category: proxy
detection:
    selection:
      UserAgent:
        # Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
        - 'Internet Explorer *'
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)'  # https://goo.gl/f4H5Ez

        # Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
        - 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
        - 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
        - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'  # old browser, rare, base-lining needed
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'  # old browser, rare, base-lining needed
        - 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)'  # old browser, rare, base-lining needed
        - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
        - 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'  # only use in proxy logs - not for detection in web server logs
        - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'

        # Metasploit Update by Florian Roth 08.07.2017
        - 'Mozilla/5.0'
        - 'Mozilla/4.0 (compatible; SPIPE/1.0'
        # - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)'  # too many false positives expected
        # - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'  # too many false positives expected
        - 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
        - 'Sametime Community Agent'  # Unknown if prone to false positives - used in https://goo.gl/gHZkeR
        - 'X-FORWARDED-FOR'
        - 'DotDotPwn v2.1'
        - 'SIPDROID'

        # Exploits
        - '*wordpress hash grabber*'
        - '*exploit*'
    condition: selection
fields:
    - ClientIP
    - URL
    - UserAgent
falsepositives:
    - Unknown
level: high