Metasploit Framework UA

yara/gen_metasploit_payloads.yar

@@ -286,3 +286,17 @@ rule Msfpayloads_msf_ref {
    condition:
       5 of them
 }
+
+rule MAL_Metasploit_Framwork_UA {
+   meta:
+      description = "Detects User Agent used in Metasploit Framework"
+      author = "Florian Roth"
+      reference = "https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7"
+      date = "2018-08-16"
+      score = 65
+      hash1 = "1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29"
+   strings:
+      $s3 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)" fullword ascii
+   condition:
+      uint16(0) == 0x5a4d and filesize < 400KB and 1 of them
+}