Efficient Detection of Vulnerability Scanning Traffic from Underground Tools via Machine Learning

Palo Alto Networks researchers uncovered a privately shared automated scanner called Swiss Army Suite (S.A.S) that focuses on SQL injection scanning and produces distinctive payload patterns that evade known signature profiles. Machine-learning SQLi detectors flagged these patterns, telemetry and cached search results confirmed widespread scanning, and an offline test against DVWA reproduced the injection behavior. #SwissArmySuite #PaloAltoNetworks

Keypoints

  • Discovery of S.A.S: a private, multifunctional automated scanner used to find SQL injection vulnerabilities on web targets.
  • Unusual payload patterns: ML detectors observed a recurring SQLi string pattern not matching known commercial scanners.
  • SQL injection emphasis: the tool’s SQL Vuln Scanner searches multiple parameters and supports up to 27 RDBMS targets.
  • Dork-based reconnaissance: S.A.S includes dork generator/checker features to enumerate target URLs via search engines.
  • Configurable scanning: supports proxy types (Proxyless, HTTP, SOCKS5), thread and timeout settings, and input files with target URLs.
  • Offline replication: researchers reproduced the scanner against DVWA, captured HTTP requests/responses showing DB errors, and validated results saved to log files (e.g., mysql.txt).
  • Telemetry & geography: ML triggers and cloud telemetry linked scan sources to multiple countries and produced sample hashes for blocking.

MITRE Techniques

  • [T1190] SQL Injection – Automated SQL injection probes target input parameters to execute arbitrary SQL; quote: (‘Utilizing automated tools to perform SQL injection attacks on web applications.’)
  • [T1210] Exploitation of Remote Services – Scanning and exploiting remote web application services to find and abuse SQL injection points using a custom tool; quote: (‘Scanning for vulnerabilities in web applications to exploit SQL injection points.’)

Indicators of Compromise

  • [File hashes] S.A.S samples observed in telemetry – 32e875834f7b1990680e666266fffd4dd8782b0621e57d1b07a99bf5bf810ded, 58136c339506f4e701ddead6740f72d6cd9091f308bdc64c0c29dd716d9febdd, and 6 more hashes.
  • [Payload pattern] ML-detected SQLi string – %27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO)), used in scanning payloads and Google cache searches.
  • [Log file name] Scan result output – mysql.txt (tool generates dated folders and DB-specific result files listing vulnerable URLs).
  • [Report URL] Research source – https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/ (original analysis and sample context).

Palo Alto Networks’ ML-based SQLi detector first flagged a recurring, unusual payload structure (e.g., “%27nvOpzp; AND 1=1 OR (iKO))”) that did not match known scanner fingerprints. Researchers mapped this pattern across telemetry and public caches, found hundreds of thousands of indexed occurrences via Google dork results, and linked the strings to a private tool named Swiss Army Suite (S.A.S), which advertises dork generation, dork checking, SQL vulnerability scanning, proxy support (Proxyless/HTTP/SOCKS5), thread/timeouts, and output logging per RDBMS.

To characterize runtime behavior, the team replicated scans in a controlled environment using DVWA with the SQL injection module enabled. They ran S.A.S against target URLs (input file containing full URL+params), captured HTTP requests showing payloads injected into parameters (e.g., id= and Submit=), and observed database errors in responses (MariaDB/MySQL exceptions) confirming SQLi. The tool produces per-scan log directories and files (e.g., mysql.txt) listing vulnerable endpoints. Researchers also enumerated sample binaries/hashes from intelligence sources and validated that the Next-Generation Firewall with ATP machine learning detected and blocked the generated payloads as malicious.
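The two paragraphs above describe the payload string that the detector flagged and the DVWA requests (injection into the id= and Submit= parameters) seen during replication. As an added example, not code from the Unit 42 report or from Palo Alto Networks, the following Python detector runs over a few constructed web-server access-log lines, URL-decodes each query parameter (twice, so a double-encoded probe is not missed), and reports requests carrying the S.A.S payload listed in the IoC section, with a weaker secondary match for the generic boolean tautology AND/OR 1=1. The log lines, IP addresses and timestamps are constructed for the example; the payload string is the one the page reports.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# URL-encoded payload as reported in the IoC list, and its decoded form.
SAS_PAYLOAD_ENCODED = "%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO))"
SAS_PAYLOAD_DECODED = unquote(SAS_PAYLOAD_ENCODED)   # 'nvOpzp; AND 1=1 OR (<'">iKO))

# Tolerates whitespace variations around the decoded S.A.S probe.
SAS_PAYLOAD_RE = re.compile(r"'nvOpzp;\s*AND\s+1=1\s+OR\s+\(<'\">iKO\)\)", re.IGNORECASE)
# Generic boolean-based probe, used only as a weaker secondary signal.
TAUTOLOGY_RE = re.compile(r"\b(?:AND|OR)\s+1\s*=\s*1\b", re.IGNORECASE)

# Apache/nginx combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: two S.A.S-style probes (one double-encoded into Submit=),
# one generic tautology probe, and one benign DVWA request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /vulnerabilities/sqli/?id=1%27nvOpzp;%20AND%201=1%20OR%20(%3C%27%22%3EiKO))&Submit=Submit HTTP/1.1" 200 1432',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit%2527nvOpzp%253B%2520AND%25201%253D1%2520OR%2520(%253C%2527%2522%253EiKO)) HTTP/1.1" 200 1510',
    '198.51.100.9 - - [10/Oct/2023:12:00:03 +0000] "GET /search?q=1%27%20OR%201%3D1--%20 HTTP/1.1" 500 301',
    '192.0.2.44 - - [10/Oct/2023:12:00:04 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1400',
]


def decode_params(path):
    """Return (name, decoded_value) pairs for the query string of a request path.

    Splits on '&' only (the S.A.S payload itself contains ';') and decodes each
    value twice so that a double-encoded probe is also brought into clear text.
    """
    query = urlsplit(path).query
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(unquote_plus(value))))
    return params


def classify_request(path):
    """Return (verdict, parameter) for one request path.

    'sas' when the decoded S.A.S payload is present in any parameter,
    'tautology' for a generic AND/OR 1=1 probe, (None, None) otherwise.
    """
    params = decode_params(path)
    for name, value in params:
        if "nvOpzp" in value and SAS_PAYLOAD_RE.search(value):
            return ("sas", name)
    for name, value in params:
        if TAUTOLOGY_RE.search(value):
            return ("tautology", name)
    return (None, None)


def scan_log(lines):
    """Parse access-log lines and return one alert dict per flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        verdict, param = classify_request(m["path"])
        if verdict:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict,
                           "param": param, "status": int(m["status"])})
    return alerts


def sources(alerts):
    """Count flagged requests per source IP, the view used to pick block-list entries."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ip"]} {a["verdict"]:9} param={a["param"]} status={a["status"]}')
    print("per-source counts:", sources(found))
```

Matching on the decoded form rather than the raw URL-encoded string is the point of the example: the reported IoC is only one encoding of the probe, and the same payload arrives double-encoded or with `+` for spaces, so a detector keyed to the literal `%27nvOpzp;%20AND...` bytes would miss those variants. The tautology rule is deliberately separate and lower-confidence, since `OR 1=1` alone also appears in many other scanners and in manual testing.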

Read more: https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/