User agent associated with penetration testing tool observed
Goal
Detect when a penetration testing tool user agent is observed.
Strategy
This rule monitors cloud audit logs for requests whose user agent matches a known penetration testing tool. Such tools are often used legitimately by an organization to assess its own security posture, but an attacker who has already obtained credentials for your cloud environment can run the same tools for discovery, so an unexpected match is worth investigating.
Triage and response
- Determine if your organization used any of the tools observed for its own security assessment.
- If the tool was used by your organization, consider adding a suppression for the penetration testing tool's identity or source IP address. See Best practices for creating detection rules with Datadog Cloud SIEM for more information.
- If the tool was not used by your organization, begin your company’s incident response process and an investigation.
- If appropriate, disable or rotate the affected credential or identity.
- Investigate any actions taken by the identity.
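The detection and suppression logic described in the Strategy and Triage sections above, as an added example that is not part of Datadog's rule or this page. It runs a simplified version of the check over constructed CloudTrail-style records: the user-agent signature list, the sample events, the `Pacu/1.5.0` user-agent string and the signal field names are all assumptions for illustration, and the rule's real signature list is not published here.

```python
import json
import re

# Illustrative user-agent signatures for well-known penetration testing tools.
# ASSUMPTION: the real rule's list is not on this page; this one is for demonstration.
PENTEST_UA_PATTERNS = {
    "sqlmap": re.compile(r"\bsqlmap\b", re.I),
    "Nikto": re.compile(r"\bnikto\b", re.I),
    "Nmap": re.compile(r"\bnmap\b", re.I),
    "Pacu": re.compile(r"\bpacu\b", re.I),
    "Burp Suite": re.compile(r"\bburp\b", re.I),
}

# Constructed CloudTrail-style records (not real audit data). The third record's
# user agent is a hypothetical string; the others are legitimate-looking.
SAMPLE_EVENTS = [
    json.dumps({
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5",
    }),
    json.dumps({
        "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/pentest-2025"},
        "sourceIPAddress": "192.0.2.44",
        "userAgent": "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
    }),
    json.dumps({
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "Pacu/1.5.0 (aws-enumeration)",  # hypothetical UA string
    }),
]


def classify_user_agent(user_agent):
    """Return the tool name whose signature matches the user agent, or None."""
    for tool, pattern in PENTEST_UA_PATTERNS.items():
        if pattern.search(user_agent or ""):
            return tool
    return None


def detect(events, provider="AWS", suppressed_identities=frozenset(), suppressed_ips=frozenset()):
    """Scan JSON audit records and emit one signal per unsuppressed match.

    Suppression mirrors the triage guidance: known assessment identities or
    source IPs are dropped before a signal is raised. The signal title is
    prefixed with the cloud provider, as the changelog describes.
    """
    signals = []
    for raw in events:
        event = json.loads(raw)
        tool = classify_user_agent(event.get("userAgent"))
        if tool is None:
            continue
        identity = event.get("userIdentity", {}).get("arn", "<unknown>")
        source_ip = event.get("sourceIPAddress", "<unknown>")
        if identity in suppressed_identities or source_ip in suppressed_ips:
            continue
        signals.append({
            "title": f"{provider}: User agent associated with penetration testing tool observed",
            "tool": tool,
            "identity": identity,
            "source_ip": source_ip,
            "event_name": event.get("eventName"),
            "user_agent": event.get("userAgent"),
        })
    return signals


if __name__ == "__main__":
    # Before suppression: the Nmap and Pacu records fire. After suppressing the
    # organization's own assessment identity, only the Pacu record remains.
    for signal in detect(SAMPLE_EVENTS):
        print(json.dumps(signal))
    remaining = detect(SAMPLE_EVENTS,
                       suppressed_identities={"arn:aws:iam::123456789012:user/pentest-2025"})
    print("after suppression:", [s["tool"] for s in remaining])
```

Suppress by identity rather than by IP where you can: an assessment team's source IP is often a shared egress address that an attacker may also sit behind, whereas a dedicated pentest identity is unambiguous. Investigating the surviving signal means pulling every other event for that identity, not just the one that matched.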
Changelog
- 23 July 2025 - Update case names so the signal name indicates the cloud provider.