User agent associated with penetration testing tool observed

Classification:

attack


Goal

Detect when a penetration testing tool user agent is observed.

Strategy

This rule monitors cloud audit logs for requests with a user agent correlating to a penetration testing tool. While these tools may be used legitimately by an organization to assess their security posture, they can also be used by attackers as a means of discovery once they have gained unauthorized access to your cloud environment.

Triage and response

  1. Determine if your organization used any of the tools observed for its own security assessment.
  2. If the tool was used by your organization, consider adding a suppression for the penetration testing tool’s identity or IP address. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
  3. If the tool was not used by your organization, begin your company’s incident response process and an investigation.
    • If appropriate, disable or rotate the affected credential or identity.
    • Investigate any actions taken by the identity.
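The following is an added illustration of the strategy above and of the suppression step in the triage list; it is not Datadog's rule logic. It scans constructed CloudTrail-shaped audit log lines for user agents of well-known assessment tools (the substring list, the field names and the sample events are all assumptions made for the example) and skips events from identities or source IPs that the organization has marked as its own scanners.

```python
import json
import re

# Assumed sample of user-agent substrings for common assessment tools.
# The real rule's list is not on the page; extend this to match your environment.
PENTEST_UA_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"\bsqlmap\b", r"\bnikto\b", r"nmap scripting engine", r"\bmasscan\b")
]


def is_pentest_user_agent(user_agent):
    """Return the matching pattern text, or None when the user agent looks benign."""
    for pattern in PENTEST_UA_PATTERNS:
        if pattern.search(user_agent or ""):
            return pattern.pattern
    return None


def detect(log_lines, suppressed_identities=(), suppressed_ips=()):
    """Return one finding per matching event that is not covered by a suppression.

    Suppressions model triage step 2: known in-house scanners are keyed by the
    identity ARN or by source IP so their traffic does not page the on-call.
    """
    findings = []
    for line in log_lines:
        event = json.loads(line)
        identity = event.get("userIdentity", {}).get("arn", "")
        source_ip = event.get("sourceIPAddress", "")
        user_agent = event.get("userAgent", "")
        if identity in suppressed_identities or source_ip in suppressed_ips:
            continue  # organization's own assessment activity
        matched = is_pentest_user_agent(user_agent)
        if matched:
            findings.append({"identity": identity, "source_ip": source_ip,
                             "event": event.get("eventName", ""), "matched": matched})
    return findings


# Constructed sample events (CloudTrail-like shape, RFC 5737 documentation IPs).
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/appsec-scanner"},
     "userAgent": "sqlmap/1.7 (https://sqlmap.org)"},
    {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "userAgent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "userAgent": "aws-cli/2.15.0 Python/3.11"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES, suppressed_ips={"203.0.113.10"}):
        print(finding)
```

With the scanner's IP suppressed, only the unexpected `ci-deploy` event surfaces, which is the case where the triage steps call for starting incident response.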