User agent associated with penetration testing tool observed

Classification:

attack


Goal

Detect when a penetration testing tool user agent is observed.

Strategy

This rule monitors cloud audit logs for requests whose user agent is associated with a penetration testing tool. While an organization may legitimately run these tools to assess its own security posture, attackers also use them for discovery once they have gained unauthorized access to a cloud environment. Note that the user agent is set by the client and is trivial to change, so a match is a lead to triage rather than proof of compromise, and a tool run with a customized user agent will not trigger this rule.

Triage and response

  1. Determine whether your organization used any of the observed tools for its own security assessment.
  2. If the tool was used by your organization, consider adding a suppression for the penetration testing tool's identity or IP address. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the tool was not used by your organization, begin your company's incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential or identity.
    • Investigate all actions taken by the identity, not only the request that matched.
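The following is an added example, not Datadog's rule implementation, showing the detection strategy above and the suppression and investigation steps of the triage procedure run over CloudTrail-style records. The log lines are constructed for the example, and the user-agent patterns (the default user agents shipped by sqlmap, Nikto and the Nmap Scripting Engine) are an illustrative list, not the set of tools the Datadog rule matches on; replace them with the tool list your own rule covers.

```python
"""Illustrative detection for 'pentest tool user agent observed'.

Added example, not Datadog's rule code. Patterns, suppressions and the
sample log are constructed for demonstration.
"""
import json
from typing import Dict, Iterable, List, Optional
import re

# Illustrative patterns (an assumption of this example, not the rule's list).
# These are the default user agents the tools ship with; an attacker can
# change them, so treat a hit as a lead to triage, not as proof.
PENTEST_UA_PATTERNS = [
    ("sqlmap", re.compile(r"^sqlmap/", re.I)),
    ("nikto", re.compile(r"\(Nikto/", re.I)),
    ("nmap-nse", re.compile(r"Nmap Scripting Engine", re.I)),
]

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """
{"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64", "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}}
{"eventTime": "2024-05-01T10:01:00Z", "eventName": "GetCallerIdentity", "userAgent": "sqlmap/1.8 (https://sqlmap.org)", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/pentest-svc"}}
{"eventTime": "2024-05-01T10:02:00Z", "eventName": "DescribeInstances", "userAgent": "Mozilla/5.00 (Nikto/2.5.0) (Evasions:None) (Test:000001)", "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc"}}
{"eventTime": "2024-05-01T10:03:00Z", "eventName": "GetObject", "userAgent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)", "sourceIPAddress": "192.0.2.44", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc"}}
"""


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def match_pentest_ua(user_agent: Optional[str]) -> Optional[str]:
    """Return the label of the first tool pattern the user agent matches, else None."""
    if not user_agent:
        return None
    for label, pattern in PENTEST_UA_PATTERNS:
        if pattern.search(user_agent):
            return label
    return None


def detect(records: Iterable[Dict],
           suppressed_arns: Iterable[str] = (),
           suppressed_ips: Iterable[str] = ()) -> List[Dict]:
    """Emit one alert per record with a pentest-tool user agent.

    Records whose identity ARN or source IP is in a suppression list are
    skipped: that is the triage-step-2 allowlist for your own assessment
    tooling, scoped to the identity or address rather than the user agent.
    """
    suppressed_arns = set(suppressed_arns)
    suppressed_ips = set(suppressed_ips)
    alerts = []
    for rec in records:
        label = match_pentest_ua(rec.get("userAgent"))
        if label is None:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        ip = rec.get("sourceIPAddress", "")
        if arn in suppressed_arns or ip in suppressed_ips:
            continue  # known internal assessment, suppressed rather than alerted
        alerts.append({
            "tool": label,
            "arn": arn,
            "sourceIPAddress": ip,
            "eventName": rec.get("eventName"),
            "eventTime": rec.get("eventTime"),
        })
    return alerts


def actions_by_identity(records: Iterable[Dict], arn: str) -> List[str]:
    """Every API action the identity took, in time order (triage: scope the
    investigation to the whole identity, not just the matching request)."""
    hits = [r for r in records if r.get("userIdentity", {}).get("arn") == arn]
    hits.sort(key=lambda r: r.get("eventTime", ""))
    return [r.get("eventName", "") for r in hits]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    # First pass: no suppressions, every tool hit alerts.
    for a in detect(recs):
        print("ALERT", a["tool"], a["arn"], a["sourceIPAddress"], a["eventName"])
    # Second pass: the internal assessment identity has been suppressed.
    for a in detect(recs, suppressed_arns={"arn:aws:iam::111122223333:user/pentest-svc"}):
        print("ALERT (after suppression)", a["tool"], a["arn"])
        print("  identity actions:", actions_by_identity(recs, a["arn"]))
```

The suppression is keyed on the identity or source IP, as the triage steps recommend, rather than on the user agent string itself; suppressing the user agent would also silence an attacker who happens to use the same tool.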