Tomcat - Known malicious user agent
| Id | 5e77a818-5825-4ff6-a901-80891c4774d1 |
| Rulename | Tomcat - Known malicious user agent |
| Description | Detects known malicious user agents |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 |
| Required data connectors | CustomLogsAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml |
| Version | 1.0.2 |
| Arm template | 5e77a818-5825-4ff6-a901-80891c4774d1.json |
let malicious_ua = dynamic(['Nikto', 'hydra', '.nasl', 'absinthe', 'advanced email extractor', 'arachni', 'autogetcontent', 'bilbo', 'BFAC', 'brutus', 'brutus/aet', 'bsqlbf', 'cgichk', 'cisco-torch', 'commix', 'core-project', 'crimscanner', 'datacha0s', 'dirbuster', 'domino hunter', 'dotdotpwn', 'email extractor', 'fhscan core', 'floodgate', 'get-minimal', 'gootkit auto-rooter scanner', 'grabber', 'grendel-scan', 'havij', 'inspath', 'internet ninja', 'jaascois', 'zmeu', 'masscan', 'metis', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'paros', 'pmafind', 'prog.customcrawler', 'qualys was', 's.t.a.l.k.e.r.', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'teh forest lobster', 'this is an exploit', 'toata dragostea', 'toata dragostea mea pentru diavola', 'uil2pn', 'vega', 'voideye', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webshag', 'webtrends security analyzer', 'webvulnscan', 'whatweb', 'whcc', 'wordpress hash grabber', 'xmlrpc exploit', 'WPScan', 'XSpider', 'SF/', 'FooBar/42', 'ScanAlert', 'Webscanner', 'Webster', 'fantomCrew', 'fantomBrowser', 'visvo', 'magereport', 'ltx71', 'websiteprotection', 'BigCliqueBOT', 'BOT for JCE']);
TomcatEvent
| where HttpUserAgentOriginal has_any (malicious_ua)
| extend MalwareCustomEntity = HttpUserAgentOriginal
requiredDataConnectors:
- connectorId: CustomLogsAma
datatypes:
- Tomcat_CL
tactics:
- InitialAccess
description: |
'Detects known malicious user agents'
query: |
let malicious_ua = dynamic(['Nikto', 'hydra', '.nasl', 'absinthe', 'advanced email extractor', 'arachni', 'autogetcontent', 'bilbo', 'BFAC', 'brutus', 'brutus/aet', 'bsqlbf', 'cgichk', 'cisco-torch', 'commix', 'core-project', 'crimscanner', 'datacha0s', 'dirbuster', 'domino hunter', 'dotdotpwn', 'email extractor', 'fhscan core', 'floodgate', 'get-minimal', 'gootkit auto-rooter scanner', 'grabber', 'grendel-scan', 'havij', 'inspath', 'internet ninja', 'jaascois', 'zmeu', 'masscan', 'metis', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'paros', 'pmafind', 'prog.customcrawler', 'qualys was', 's.t.a.l.k.e.r.', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'teh forest lobster', 'this is an exploit', 'toata dragostea', 'toata dragostea mea pentru diavola', 'uil2pn', 'vega', 'voideye', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webshag', 'webtrends security analyzer', 'webvulnscan', 'whatweb', 'whcc', 'wordpress hash grabber', 'xmlrpc exploit', 'WPScan', 'XSpider', 'SF/', 'FooBar/42', 'ScanAlert', 'Webscanner', 'Webster', 'fantomCrew', 'fantomBrowser', 'visvo', 'magereport', 'ltx71', 'websiteprotection', 'BigCliqueBOT', 'BOT for JCE']);
TomcatEvent
| where HttpUserAgentOriginal has_any (malicious_ua)
| extend MalwareCustomEntity = HttpUserAgentOriginal
id: 5e77a818-5825-4ff6-a901-80891c4774d1
triggerOperator: gt
relevantTechniques:
- T1190
- T1133
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml
queryFrequency: 1h
severity: High
entityMappings:
- fieldMappings:
- columnName: MalwareCustomEntity
identifier: Name
entityType: Malware
name: Tomcat - Known malicious user agent
queryPeriod: 1h
kind: Scheduled
triggerThreshold: 0
version: 1.0.2
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5e77a818-5825-4ff6-a901-80891c4774d1')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5e77a818-5825-4ff6-a901-80891c4774d1')]",
"properties": {
"alertRuleTemplateName": "5e77a818-5825-4ff6-a901-80891c4774d1",
"customDetails": null,
"description": "'Detects known malicious user agents'\n",
"displayName": "Tomcat - Known malicious user agent",
"enabled": true,
"entityMappings": [
{
"entityType": "Malware",
"fieldMappings": [
{
"columnName": "MalwareCustomEntity",
"identifier": "Name"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Tomcat/Analytic Rules/TomcatKnownMaliciousUserAgent.yaml",
"query": "let malicious_ua = dynamic(['Nikto', 'hydra', '.nasl', 'absinthe', 'advanced email extractor', 'arachni', 'autogetcontent', 'bilbo', 'BFAC', 'brutus', 'brutus/aet', 'bsqlbf', 'cgichk', 'cisco-torch', 'commix', 'core-project', 'crimscanner', 'datacha0s', 'dirbuster', 'domino hunter', 'dotdotpwn', 'email extractor', 'fhscan core', 'floodgate', 'get-minimal', 'gootkit auto-rooter scanner', 'grabber', 'grendel-scan', 'havij', 'inspath', 'internet ninja', 'jaascois', 'zmeu', 'masscan', 'metis', 'morfeus', 'mysqloit', 'n-stealth', 'nessus', 'netsparker', 'nmap nse', 'nmap scripting engine', 'nmap-nse', 'nsauditor', 'openvas', 'pangolin', 'paros', 'pmafind', 'prog.customcrawler', 'qualys was', 's.t.a.l.k.e.r.', 'security scan', 'springenwerk', 'sql power injector', 'sqlmap', 'sqlninja', 'teh forest lobster', 'this is an exploit', 'toata dragostea', 'toata dragostea mea pentru diavola', 'uil2pn', 'vega', 'voideye', 'w3af.sf.net', 'w3af.sourceforge.net', 'w3af.org', 'webbandit', 'webinspect', 'webshag', 'webtrends security analyzer', 'webvulnscan', 'whatweb', 'whcc', 'wordpress hash grabber', 'xmlrpc exploit', 'WPScan', 'XSpider', 'SF/', 'FooBar/42', 'ScanAlert', 'Webscanner', 'Webster', 'fantomCrew', 'fantomBrowser', 'visvo', 'magereport', 'ltx71', 'websiteprotection', 'BigCliqueBOT', 'BOT for JCE']);\nTomcatEvent\n| where HttpUserAgentOriginal has_any (malicious_ua)\n| extend MalwareCustomEntity = HttpUserAgentOriginal\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1133",
"T1190"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}