Techniques
Sample rules
HackTool - Empire UserAgent URI Combo
- source: sigma
- techniques:
  - t1071
  - t1071.001
Description
Detects the user agent and URI paths used by Empire agents.
Detection logic
condition: selection
selection:
  c-useragent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  cs-method: POST
  cs-uri:
    - /admin/get.php
    - /news.php
    - /login/process.php
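
The selection above evaluated over constructed proxy records, as an added example that is not part of the Sigma rule or of this page. It assumes standard Sigma matching (fields are ANDed, list values are ORed, plain strings are compared against the whole field, case-insensitively); `field_matches`, `matches`, `hits` and the sample records are hypothetical names and data.

```python
# Added example: the page's selection applied to constructed proxy records.
# Assumed Sigma semantics: all fields must match (AND), any list value may
# match (OR), and a plain string must equal the whole field, ignoring case.

SELECTION = {
    "c-useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "cs-method": "POST",
    "cs-uri": ["/admin/get.php", "/news.php", "/login/process.php"],
}


def field_matches(actual, expected):
    """True if the record value equals any expected value (case-insensitive)."""
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    return any(str(actual).lower() == c.lower() for c in candidates)


def matches(record, selection=SELECTION):
    """Every field named in the selection must match (logical AND)."""
    return all(field_matches(record.get(f), v) for f, v in selection.items())


UA = SELECTION["c-useragent"]
# Constructed sample records (not real traffic), using the rule's field names.
SAMPLE_LOGS = [
    {"c-ip": "10.0.0.5", "c-useragent": UA, "cs-method": "POST", "cs-uri": "/news.php"},
    {"c-ip": "10.0.0.5", "c-useragent": UA, "cs-method": "GET", "cs-uri": "/news.php"},
    {"c-ip": "10.0.0.7", "c-useragent": "curl/8.4.0", "cs-method": "POST", "cs-uri": "/admin/get.php"},
    # Whether cs-uri holds the path only or path plus query depends on the log source.
    {"c-ip": "10.0.0.9", "c-useragent": UA, "cs-method": "POST", "cs-uri": "/news.php?id=1"},
    {"c-ip": "10.0.0.9", "c-useragent": UA.upper(), "cs-method": "post", "cs-uri": "/login/process.php"},
]


def hits(logs=SAMPLE_LOGS):
    """Return the records that satisfy `condition: selection`."""
    return [r for r in logs if matches(r)]


if __name__ == "__main__":
    for r in hits():
        print(r["c-ip"], r["cs-method"], r["cs-uri"])
```

When mapping the rule to a backend, check that the `cs-uri` field carries the same form of the URI (path only, or path with query) that the rule's values assume.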