User-Agent strings used by hacking tools (Hack Tool User Agent)

(hydra)
arachni/
BFAC
brutus
cgichk
core-project/1.0
crimscanner/
datacha0s
dirbuster
domino hunter
dotdotpwn
FHScan Core
floodgate
get-minimal
gootkit auto-rooter scanner
grendel-scan
inspath
internet ninja
jaascois
zmeu
masscan
metis
morfeus fucking scanner
n-stealth
nsauditor
pmafind
security scan
springenwerk
teh forest lobster
toata dragostea
vega/
voideye
webshag
webvulnscan
whcc/
Havij
absinthe
bsqlbf
mysqloit
pangolin
sql power injector
sqlmap
sqlninja
uil2pn
ruler
HTTrack
Apache-HttpClient
harvest
audit
nmap
sqln
Parser
libwww
BBBike
w3af
owasp
Nikto
fimap
BabyKrokodil
httperf

Detecting hacking tools from suspicious User-Agent strings in proxy logs. The queries below all implement the same rule: most entries are case-insensitive substring matches, and where an entry carries a leading or trailing space (" arachni/", " metis ") that space is part of the indicator, so the token has to stand on its own rather than appear inside a longer word; "FHScan Core" and "ruler" are whole-field matches and " Havij" is a suffix match. Map the field names (UserAgent, URL, sourceip/ClientIP) to whatever your proxy or web-server log source actually uses. Keep in mind that the User-Agent header is entirely under the attacker's control and most of these tools can set or randomise it (sqlmap --random-agent, for example), so a hit is a strong signal but the absence of a hit proves nothing.

QRadar AQL

SELECT sourceip, "URL", "UserAgent" from events where ("UserAgent" ilike '%(hydra)%' or "UserAgent" ilike '% arachni/%' or "UserAgent" ilike '% BFAC %' or "UserAgent" ilike '% brutus %' or "UserAgent" ilike '% cgichk %' or "UserAgent" ilike '%core-project/1.0%' or "UserAgent" ilike '% crimscanner/%' or "UserAgent" ilike '%datacha0s%' or "UserAgent" ilike '%dirbuster%' or "UserAgent" ilike '%domino hunter%' or "UserAgent" ilike '%dotdotpwn%' or "UserAgent" = 'FHScan Core' or "UserAgent" ilike '%floodgate%' or "UserAgent" ilike '%get-minimal%' or "UserAgent" ilike '%gootkit auto-rooter scanner%' or "UserAgent" ilike '%grendel-scan%' or "UserAgent" ilike '% inspath %' or "UserAgent" ilike '%internet ninja%' or "UserAgent" ilike '%jaascois%' or "UserAgent" ilike '% zmeu %' or "UserAgent" ilike '%masscan%' or "UserAgent" ilike '% metis %' or "UserAgent" ilike '%morfeus fucking scanner%' or "UserAgent" ilike '%n-stealth%' or "UserAgent" ilike '%nsauditor%' or "UserAgent" ilike '%pmafind%' or "UserAgent" ilike '%security scan%' or "UserAgent" ilike '%springenwerk%' or "UserAgent" ilike '%teh forest lobster%' or "UserAgent" ilike '%toata dragostea%' or "UserAgent" ilike '% vega/%' or "UserAgent" ilike '%voideye%' or "UserAgent" ilike '%webshag%' or "UserAgent" ilike '%webvulnscan%' or "UserAgent" ilike '% whcc/%' or "UserAgent" ilike '% Havij' or "UserAgent" ilike '%absinthe%' or "UserAgent" ilike '%bsqlbf%' or "UserAgent" ilike '%mysqloit%' or "UserAgent" ilike '%pangolin%' or "UserAgent" ilike '%sql power injector%' or "UserAgent" ilike '%sqlmap%' or "UserAgent" ilike '%sqlninja%' or "UserAgent" ilike '%uil2pn%' or "UserAgent" = 'ruler')

Splunk

(UserAgent="*(hydra)*" OR UserAgent="* arachni/*" OR UserAgent="* BFAC *" OR UserAgent="* brutus *" OR UserAgent="* cgichk *" OR UserAgent="*core-project/1.0*" OR UserAgent="* crimscanner/*" OR UserAgent="*datacha0s*" OR UserAgent="*dirbuster*" OR UserAgent="*domino hunter*" OR UserAgent="*dotdotpwn*" OR UserAgent="FHScan Core" OR UserAgent="*floodgate*" OR UserAgent="*get-minimal*" OR UserAgent="*gootkit auto-rooter scanner*" OR UserAgent="*grendel-scan*" OR UserAgent="* inspath *" OR UserAgent="*internet ninja*" OR UserAgent="*jaascois*" OR UserAgent="* zmeu *" OR UserAgent="*masscan*" OR UserAgent="* metis *" OR UserAgent="*morfeus fucking scanner*" OR UserAgent="*n-stealth*" OR UserAgent="*nsauditor*" OR UserAgent="*pmafind*" OR UserAgent="*security scan*" OR UserAgent="*springenwerk*" OR UserAgent="*teh forest lobster*" OR UserAgent="*toata dragostea*" OR UserAgent="* vega/*" OR UserAgent="*voideye*" OR UserAgent="*webshag*" OR UserAgent="*webvulnscan*" OR UserAgent="* whcc/*" OR UserAgent="* Havij" OR UserAgent="*absinthe*" OR UserAgent="*bsqlbf*" OR UserAgent="*mysqloit*" OR UserAgent="*pangolin*" OR UserAgent="*sql power injector*" OR UserAgent="*sqlmap*" OR UserAgent="*sqlninja*" OR UserAgent="*uil2pn*" OR UserAgent="ruler") | table ClientIP, URL, UserAgent

Elastic Query

user_agent.original.keyword:(*\(hydra\)* OR *\ arachni\/* OR *\ BFAC\ * OR *\ brutus\ * OR *\ cgichk\ * OR *core-project\/1.0* OR *\ crimscanner\/* OR *datacha0s* OR *dirbuster* OR *domino\ hunter* OR *dotdotpwn* OR "FHScan Core" OR *floodgate* OR *get-minimal* OR *gootkit\ auto-rooter\ scanner* OR *grendel-scan* OR *\ inspath\ * OR *internet\ ninja* OR *jaascois* OR *\ zmeu\ * OR *masscan* OR *\ metis\ * OR *morfeus\ fucking\ scanner* OR *n-stealth* OR *nsauditor* OR *pmafind* OR *security\ scan* OR *springenwerk* OR *teh\ forest\ lobster* OR *toata\ dragostea* OR *\ vega\/* OR *voideye* OR *webshag* OR *webvulnscan* OR *\ whcc\/* OR *\ Havij OR *absinthe* OR *bsqlbf* OR *mysqloit* OR *pangolin* OR *sql\ power\ injector* OR *sqlmap* OR *sqlninja* OR *uil2pn* OR "ruler")

EDR Carbon Black

(UserAgent:"(hydra)" OR UserAgent:"arachni/" OR UserAgent:BFAC OR UserAgent:brutus OR UserAgent:cgichk OR UserAgent:"core-project/1.0" OR UserAgent:"crimscanner/" OR UserAgent:datacha0s OR UserAgent:dirbuster OR UserAgent:"domino hunter" OR UserAgent:dotdotpwn OR UserAgent:"FHScan Core" OR UserAgent:floodgate OR UserAgent:get-minimal OR UserAgent:"gootkit auto-rooter scanner" OR UserAgent:grendel-scan OR UserAgent:inspath OR UserAgent:"internet ninja" OR UserAgent:jaascois OR UserAgent:zmeu OR UserAgent:masscan OR UserAgent:metis OR UserAgent:"morfeus fucking scanner" OR UserAgent:n-stealth OR UserAgent:nsauditor OR UserAgent:pmafind OR UserAgent:"security scan" OR UserAgent:springenwerk OR UserAgent:"teh forest lobster" OR UserAgent:"toata dragostea" OR UserAgent:"vega/" OR UserAgent:voideye OR UserAgent:webshag OR UserAgent:webvulnscan OR UserAgent:"whcc/" OR UserAgent:Havij OR UserAgent:absinthe OR UserAgent:bsqlbf OR UserAgent:mysqloit OR UserAgent:pangolin OR UserAgent:"sql power injector" OR UserAgent:sqlmap OR UserAgent:sqlninja OR UserAgent:uil2pn OR UserAgent:ruler)

Windows PowerShell

# Get-WinEvent refuses to run without a log selector. $ProxyLogName is a placeholder: set it to the event log that carries your proxy or web-server events (the page does not name one).
$ProxyLogName = "Application"
Get-WinEvent -LogName $ProxyLogName | where {($_.message -match "UserAgent..\(hydra\)." -or $_.message -match "UserAgent..* arachni/." -or $_.message -match "UserAgent..* BFAC ." -or $_.message -match "UserAgent..* brutus ." -or $_.message -match "UserAgent..* cgichk ." -or $_.message -match "UserAgent..core-project/1.0." -or $_.message -match "UserAgent.. crimscanner/." -or $_.message -match "UserAgent..datacha0s." -or $_.message -match "UserAgent..dirbuster." -or $_.message -match "UserAgent..domino hunter." -or $_.message -match "UserAgent..dotdotpwn." -or $_.message -match "UserAgent..FHScan Core\b" -or $_.message -match "UserAgent..floodgate." -or $_.message -match "UserAgent..get-minimal." -or $_.message -match "UserAgent..gootkit auto-rooter scanner." -or $_.message -match "UserAgent..grendel-scan." -or $_.message -match "UserAgent..* inspath ." -or $_.message -match "UserAgent..internet ninja." -or $_.message -match "UserAgent..jaascois." -or $_.message -match "UserAgent..* zmeu ." -or $_.message -match "UserAgent..masscan." -or $_.message -match "UserAgent.. metis ." -or $_.message -match "UserAgent..morfeus fucking scanner." -or $_.message -match "UserAgent..n-stealth." -or $_.message -match "UserAgent..nsauditor." -or $_.message -match "UserAgent..pmafind." -or $_.message -match "UserAgent..security scan." -or $_.message -match "UserAgent..springenwerk." -or $_.message -match "UserAgent..teh forest lobster." -or $_.message -match "UserAgent..toata dragostea." -or $_.message -match "UserAgent..* vega/." -or $_.message -match "UserAgent..voideye." -or $_.message -match "UserAgent..webshag." -or $_.message -match "UserAgent..webvulnscan." -or $_.message -match "UserAgent.. whcc/." -or $_.message -match "UserAgent..* Havij" -or $_.message -match "UserAgent..absinthe." -or $_.message -match "UserAgent..bsqlbf." -or $_.message -match "UserAgent..mysqloit." -or $_.message -match "UserAgent..pangolin." -or $_.message -match "UserAgent..sql power injector." -or $_.message -match "UserAgent..sqlmap." `
-or $_.message -match "UserAgent..sqlninja." -or $_.message -match "UserAgent..uil2pn." -or $_.message -match "UserAgent..ruler\b") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message

Qualys

(*(hydra)* or * arachni/* or * BFAC * or * brutus * or * cgichk * or *core-project/1.0* or * crimscanner/* or *datacha0s* or *dirbuster* or *domino hunter* or *dotdotpwn* or FHScan Core or *floodgate* or *get-minimal* or *gootkit auto-rooter scanner* or *grendel-scan* or * inspath * or *internet ninja* or *jaascois* or * zmeu * or *masscan* or * metis * or *morfeus fucking scanner* or *n-stealth* or *nsauditor* or *pmafind* or *security scan* or *springenwerk* or *teh forest lobster* or *toata dragostea* or * vega/* or *voideye* or *webshag* or *webvulnscan* or * whcc/* or * Havij or *absinthe* or *bsqlbf* or *mysqloit* or *pangolin* or *sql power injector* or *sqlmap* or *sqlninja* or *uil2pn* or ruler)
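The same rule run outside any SIEM, as an added example that is not part of the original page: a Python script that parses Apache/nginx combined-format log lines, applies the indicator list with the three match modes the queries above use (substring with the surrounding spaces intact, suffix for " Havij", whole-field for "FHScan Core" and "ruler"), and groups hits by source IP. The log lines are constructed for the example, the field names and helper functions are the author's own choices, and the last sample line shows the caveat: sqlmap run with --random-agent produces no hit at all.

```python
import re
from typing import Iterable, Optional

# Indicators copied from the list on this page. Three match modes, mirroring
# the queries: substring (most entries; leading/trailing spaces and slashes are
# part of the indicator so the token must stand on its own), suffix (" Havij")
# and whole-field ("FHScan Core", "ruler"). All comparisons are
# case-insensitive, like ILIKE and PowerShell -match.
CONTAINS = (
    "(hydra)", " arachni/", " BFAC ", " brutus ", " cgichk ", "core-project/1.0",
    " crimscanner/", "datacha0s", "dirbuster", "domino hunter", "dotdotpwn",
    "floodgate", "get-minimal", "gootkit auto-rooter scanner", "grendel-scan",
    " inspath ", "internet ninja", "jaascois", " zmeu ", "masscan", " metis ",
    "morfeus fucking scanner", "n-stealth", "nsauditor", "pmafind",
    "security scan", "springenwerk", "teh forest lobster", "toata dragostea",
    " vega/", "voideye", "webshag", "webvulnscan", " whcc/", "absinthe",
    "bsqlbf", "mysqloit", "pangolin", "sql power injector", "sqlmap",
    "sqlninja", "uil2pn",
)
ENDSWITH = (" Havij",)
EXACT = ("FHScan Core", "ruler")

# Apache/nginx "combined" format; the last quoted field is the User-Agent.
# Quoted fields may contain backslash-escaped quotes, so accept \" inside them.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def match_user_agent(ua: str) -> Optional[str]:
    """Return the indicator that fires on this User-Agent, or None."""
    lowered = ua.lower()
    for ind in EXACT:
        if lowered == ind.lower():
            return ind
    for ind in ENDSWITH:
        if lowered.endswith(ind.lower()):
            return ind
    for ind in CONTAINS:
        if ind.lower() in lowered:
            return ind
    return None


def scan_log(lines: Iterable[str]) -> list:
    """Parse combined-format lines; return one hit per matching request,
    shaped like the sourceip / URL / UserAgent columns of the AQL query."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # unparsable line; in production count these rather than dropping them silently
        indicator = match_user_agent(m["ua"])
        if indicator is None:
            continue
        parts = m["req"].split(" ")
        url = parts[1] if len(parts) >= 2 else m["req"]
        hits.append({"sourceip": m["ip"], "url": url, "ua": m["ua"], "indicator": indicator})
    return hits


def summarize_by_source(hits) -> dict:
    """Distinct indicators per source IP: a client that trips several tool
    signatures is the one to triage first."""
    per_ip = {}
    for h in hits:
        per_ip.setdefault(h["sourceip"], set()).add(h["indicator"])
    return {ip: sorted(inds) for ip, inds in per_ip.items()}


# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    # sqlmap with its default User-Agent
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    # THC-Hydra http-form module: the parenthesised "(Hydra)" is the indicator, matched case-insensitively
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 401 231 "-" "Mozilla/4.0 (Hydra)"',
    # Havij: suffix match on " Havij"
    '198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /news.php?id=5 HTTP/1.1" 200 8834 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Havij"',
    # Ordinary browser: no hit
    '192.0.2.10 - - [10/Oct/2023:14:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0 Safari/537.36"',
    # "metis" without the surrounding spaces and "ruler" inside a longer token: neither fires,
    # which is exactly what the space-bounded and whole-field indicators are for
    '192.0.2.11 - - [10/Oct/2023:14:04:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "MetisBrowser/1.0 rulerbot"',
    # sqlmap run with --random-agent: nothing in the User-Agent gives it away
    '203.0.113.5 - - [10/Oct/2023:14:05:00 +0000] "GET /item.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["sourceip"]:14} {h["indicator"]!r:14} {h["url"]}')
    print(summarize_by_source(found))
```

Only the first three sample lines produce hits; the last line, the randomised-agent sqlmap run, is invisible to this rule and would have to be caught on the request pattern (the injected `AND 1=1`) instead, which is the reason to treat User-Agent matching as a cheap first-pass signal rather than the whole detection.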
