diff --git a/network/cves/2016/CVE-2016-3510.yaml b/network/cves/2016/CVE-2016-3510.yaml
index f5caada073..104371c664 100644
--- a/network/cves/2016/CVE-2016-3510.yaml
+++ b/network/cves/2016/CVE-2016-3510.yaml
@@ -19,7 +19,7 @@ info: metadata: max-request: 1 verified: true - tags: cve,cve2016,weblogic,t3,rce,oast,deserialization,network + tags: cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network variables: start: "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"
diff --git a/network/cves/2020/CVE-2020-1938.yaml b/network/cves/2020/CVE-2020-1938.yaml
index 80799cd570..df5ab42b42 100644
--- a/network/cves/2020/CVE-2020-1938.yaml
+++ b/network/cves/2020/CVE-2020-1938.yaml
@@ -24,7 +24,7 @@ info: product: geode shodan-query: title:"Apache Tomcat" vendor: apache - tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat + tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat,ajp tcp: - host: - "{{Hostname}}"
diff --git a/network/cves/2022/CVE-2022-24706.yaml b/network/cves/2022/CVE-2022-24706.yaml
index cdbcdaf7cf..7821f64d7f 100644
--- a/network/cves/2022/CVE-2022-24706.yaml
+++ b/network/cves/2022/CVE-2022-24706.yaml
@@ -27,7 +27,7 @@ info: shodan-query: product:"CouchDB" vendor: apache verified: "true" - tags: cve,cve2022,network,couch,rce,kev + tags: cve,cve2022,network,couch,rce,kev,couchdb variables: name_msg: "00156e00050007499c4141414141414041414141414141" challenge_reply: "00157201020304"
diff --git a/network/detection/activemq-openwire-transport-detect.yaml b/network/detection/activemq-openwire-transport-detect.yaml
index 197db2ec82..19a99251ec 100644
--- a/network/detection/activemq-openwire-transport-detect.yaml
+++ b/network/detection/activemq-openwire-transport-detect.yaml
@@ -10,7 +10,7 @@ info: max-request: 1 shodan-query: product:"ActiveMQ OpenWire transport" verified: true - tags: network,activemq,detect + tags: network,activemq,detect,openwire tcp: - inputs:
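Review bot: In the CVE-2020-1938 hunk the context line `product: geode` sits next to `vendor: apache`, `shodan-query: title:"Apache Tomcat"` and the tags this commit extends to `tomcat,ajp`; CVE-2020-1938 is the Tomcat AJP connector issue, so the product field looks like a copy-paste from another template and should presumably read `product: tomcat`. The line is not touched by the hunk, but the commit is already editing this metadata block and the wrong product breaks CPE-based filtering of the template. Confirm against the CPE the repository uses for this template before changing it.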
diff --git a/network/detection/apache-activemq-detect.yaml b/network/detection/apache-activemq-detect.yaml
index 8aa431a7fc..a46cb56fe8 100644
--- a/network/detection/apache-activemq-detect.yaml
+++ b/network/detection/apache-activemq-detect.yaml
@@ -10,7 +10,7 @@ info: max-request: 1 shodan-query: product:"Apache ActiveMQ" verified: true - tags: network,activemq,oss,detect + tags: network,activemq,oss,detect,apache tcp: - inputs:
diff --git a/network/detection/axigen-mail-server-detect.yaml b/network/detection/axigen-mail-server-detect.yaml
index ea671341ac..8ab6c4797e 100644
--- a/network/detection/axigen-mail-server-detect.yaml
+++ b/network/detection/axigen-mail-server-detect.yaml
@@ -11,7 +11,7 @@ info: max-request: 1 shodan-query: product:"Axigen" verified: true - tags: network,axigen,detect + tags: network,axigen,detect,smtp tcp: - inputs:
diff --git a/network/detection/bgp-detect.yaml b/network/detection/bgp-detect.yaml
index fd4d1ff722..33f1552e77 100644
--- a/network/detection/bgp-detect.yaml
+++ b/network/detection/bgp-detect.yaml
@@ -15,7 +15,7 @@ info: metadata: max-request: 1 shodan-query: product:"BGP" - tags: network,bgp + tags: network,bgp,detect tcp: - inputs:
diff --git a/network/detection/cisco-finger-detect.yaml b/network/detection/cisco-finger-detect.yaml
index 1ed69f9e91..8c5538c1eb 100644
--- a/network/detection/cisco-finger-detect.yaml
+++ b/network/detection/cisco-finger-detect.yaml
@@ -10,7 +10,7 @@ info: max-request: 1 shodan-query: product:"Cisco fingerd" verified: true - tags: network,finger,detect + tags: network,finger,detect,cisco tcp: - inputs:
diff --git a/network/detection/dotnet-remoting-service-detect.yaml b/network/detection/dotnet-remoting-service-detect.yaml
index 83d57c09e8..055cea6eea 100644
--- a/network/detection/dotnet-remoting-service-detect.yaml
+++ b/network/detection/dotnet-remoting-service-detect.yaml
@@ -13,7 +13,7 @@ info: max-request: 1 shodan-query: product:"MS .NET Remoting httpd" verified: true - tags: network,detect,microsoft + tags: network,detect,microsoft,dotnet tcp: - inputs:
diff --git a/network/detection/expn-mail-detect.yaml b/network/detection/expn-mail-detect.yaml
index 987ebc6f8c..259b8f044e 100644
--- a/network/detection/expn-mail-detect.yaml
+++ b/network/detection/expn-mail-detect.yaml
@@ -8,7 +8,7 @@ info: The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information. metadata: max-request: 1 - tags: mail,expn,network,detect + tags: mail,expn,network,detect,smtp tcp: - inputs:
diff --git a/network/detection/iplanet-imap-detect.yaml b/network/detection/iplanet-imap-detect.yaml
index fc3c0978b3..99b8183d29 100644
--- a/network/detection/iplanet-imap-detect.yaml
+++ b/network/detection/iplanet-imap-detect.yaml
@@ -12,7 +12,7 @@ info: metadata: fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap" max-request: 1 - tags: network,imap,detect + tags: network,imap,detect,iplanet tcp: - inputs:
diff --git a/network/detection/riak-detect.yaml b/network/detection/riak-detect.yaml
index 102d5ae655..507183ab50 100644
--- a/network/detection/riak-detect.yaml
+++ b/network/detection/riak-detect.yaml
@@ -9,7 +9,7 @@ info: max-request: 1 shodan-query: product:"Riak" verified: true - tags: network,oss,detect + tags: network,oss,detect,riak,nosql tcp: - inputs:
diff --git a/network/detection/sap-router.yaml b/network/detection/sap-router.yaml
index bfcafd63f0..0c9fa7f065 100644
--- a/network/detection/sap-router.yaml
+++ b/network/detection/sap-router.yaml
@@ -8,7 +8,7 @@ info: SAProuter is a software application that provides a remote connection between our customer's network and SAP. metadata: max-request: 1 - tags: network,sap,detect + tags: network,sap,detect,saprouter tcp: - inputs:
diff --git a/network/detection/smtp-detect.yaml b/network/detection/smtp-detect.yaml
index c0991c128a..1c74868817 100644
--- a/network/detection/smtp-detect.yaml
+++ b/network/detection/smtp-detect.yaml
@@ -8,7 +8,7 @@ info: SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks. metadata: max-request: 1 - tags: network,service,smtp,detect + tags: network,service,smtp,detect,mail tcp: - inputs:
diff --git a/network/detection/starttls-mail-detect.yaml b/network/detection/starttls-mail-detect.yaml
index 97cbbed6a1..5a46c7278c 100644
--- a/network/detection/starttls-mail-detect.yaml
+++ b/network/detection/starttls-mail-detect.yaml
@@ -8,7 +8,7 @@ info: STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one. metadata: max-request: 1 - tags: mail,starttls,network,detect + tags: mail,starttls,network,detect,smtp tcp: - inputs:
diff --git a/network/detection/weblogic-iiop-detect.yaml b/network/detection/weblogic-iiop-detect.yaml
index 2c838ac332..f58dc0718b 100644
--- a/network/detection/weblogic-iiop-detect.yaml
+++ b/network/detection/weblogic-iiop-detect.yaml
@@ -8,7 +8,7 @@ info: The IIOP (Internet Inter-ORB Protocol) protocol makes it possible for distributed programs written in different programming languages to communicate over the Internet. metadata: max-request: 1 - tags: network,weblogic,detect + tags: network,weblogic,detect,oracle,iiop tcp: - inputs: - data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}"
diff --git a/network/detection/weblogic-t3-detect.yaml b/network/detection/weblogic-t3-detect.yaml
index b8892d6b06..27a2328a6e 100644
--- a/network/detection/weblogic-t3-detect.yaml
+++ b/network/detection/weblogic-t3-detect.yaml
@@ -8,7 +8,7 @@ info: T3 is the protocol used to transport information between WebLogic servers and other types of Java programs. metadata: max-request: 2 - tags: network,weblogic,detect + tags: network,weblogic,detect,t3,oracle tcp: - inputs: - data: "t3 12.2.1
diff --git a/network/detection/ws_ftp-ssh-detect.yaml b/network/detection/ws_ftp-ssh-detect.yaml
index 1d9a6714a9..eeaaf6ba8f 100644
--- a/network/detection/ws_ftp-ssh-detect.yaml
+++ b/network/detection/ws_ftp-ssh-detect.yaml
@@ -16,7 +16,7 @@ info: vendor: progress product: ws_ftp shodan-query: "WS_FTP port:22" - tags: network,ssh,ws_ftp + tags: network,ssh,ws_ftp,detect tcp: - host:
diff --git a/network/enumeration/smtp-commands-enum.yaml b/network/enumeration/smtp/smtp-commands-enum.yaml
similarity index 100%
rename from network/enumeration/smtp-commands-enum.yaml
rename to network/enumeration/smtp/smtp-commands-enum.yaml
diff --git a/network/jarm/c2/cobalt-strike-c2-jarm.yaml b/network/jarm/c2/cobalt-strike-c2-jarm.yaml
index 840ba40de3..2a4811bab0 100644
--- a/network/jarm/c2/cobalt-strike-c2-jarm.yaml
+++ b/network/jarm/c2/cobalt-strike-c2-jarm.yaml
@@ -12,7 +12,7 @@ info: verified: true max-request: 1 shodan-query: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443 - tags: jarm,c2,ir,osint + tags: jarm,c2,ir,osint,cti,cobalt-strike tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/covenant-c2-jarm.yaml b/network/jarm/c2/covenant-c2-jarm.yaml
index c2a16d0fa3..1be0a6629a 100644
--- a/network/jarm/c2/covenant-c2-jarm.yaml
+++ b/network/jarm/c2/covenant-c2-jarm.yaml
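Review bot: The normalized tag set for the jarm series (`jarm,c2,ir,osint,cti,<family>`) is applied inconsistently with respect to `network`: starting with `cobalt-strike-c2-jarm.yaml` here, most of the jarm templates (covenant, evilginx2, grat2, mac, macshell, merlin, metasploit, mythic, posh, shad0w, silenttrinity, sliver) have no `network` tag, while deimos, generic-c2 and havoc keep it, although all of them are `tcp:` templates. Either add `network` to every jarm template or drop it from the three, so that a `-tags network` run selects the whole series rather than an arbitrary subset. The later `ssl/c2` hunks, which add `ssl` to every template uniformly, show the consistent approach.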
@@ -11,7 +11,7 @@ info: - https://twitter.com/MichalKoczwara/status/1548685058403360770 metadata: max-request: 1 - tags: c2,ir,osint,covenant,jarm + tags: jarm,c2,ir,osint,cti,covenant tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/deimos-c2-jarm.yaml b/network/jarm/c2/deimos-c2-jarm.yaml
index b1ffc8423f..0679b13c39 100644
--- a/network/jarm/c2/deimos-c2-jarm.yaml
+++ b/network/jarm/c2/deimos-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://twitter.com/MichalKoczwara/status/1551632627387473920 metadata: max-request: 1 - tags: c2,ir,osint,deimos,jarm,network + tags: jarm,c2,ir,osint,cti,deimos,network tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/evilginx2-jarm.yaml b/network/jarm/c2/evilginx2-jarm.yaml
index f27af3deeb..e3446bbe95 100644
--- a/network/jarm/c2/evilginx2-jarm.yaml
+++ b/network/jarm/c2/evilginx2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/kgretzky/evilginx2 metadata: max-request: 1 - tags: evilginx2,c2,phishing,jarm + tags: jarm,c2,ir,osint,cti,evilginx2,phishing tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/generic-c2-jarm.yaml b/network/jarm/c2/generic-c2-jarm.yaml
index 655f2b0a4f..6127577bf4 100644
--- a/network/jarm/c2/generic-c2-jarm.yaml
+++ b/network/jarm/c2/generic-c2-jarm.yaml
@@ -10,7 +10,7 @@ info: - https://github.com/MichaelKoczwara/C2JARM metadata: max-request: 1 - tags: network,c2,jarm,cti + tags: network,jarm,c2,ir,osint,cti tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/grat2-c2-jarm.yaml b/network/jarm/c2/grat2-c2-jarm.yaml
index d18af002ec..ff6205e034 100644
--- a/network/jarm/c2/grat2-c2-jarm.yaml
+++ b/network/jarm/c2/grat2-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/r3nhat/GRAT2 metadata: max-request: 1 - tags: shad0w,c2,osint,ir,jarm + tags: jarm,c2,ir,osint,cti,shad0w tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/havoc-c2-jarm.yaml b/network/jarm/c2/havoc-c2-jarm.yaml
index 550e4eb3b9..a6e8743f46 100644
--- a/network/jarm/c2/havoc-c2-jarm.yaml
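Review bot: The new tag line of `grat2-c2-jarm.yaml`, `+ tags: jarm,c2,ir,osint,cti,shad0w`, keeps the family tag `shad0w` and is byte-identical to the line this commit writes for `shad0w-c2-jarm.yaml`, so the GRAT2 template has no tag of its own and a `-tags shad0w` run matches both templates. The family tag should be the template's own name, `tags: jarm,c2,ir,osint,cti,grat2`. It looks like the original copy-paste from the shad0w template survived while the rest of the line was normalized.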
+++ b/network/jarm/c2/havoc-c2-jarm.yaml
@@ -13,7 +13,7 @@ info: verified: "true" max-request: 1 shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e' - tags: c2,ir,osint,havoc,network + tags: jarm,c2,ir,osint,cti,havoc,network tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/mac-c2-jarm.yaml b/network/jarm/c2/mac-c2-jarm.yaml
index d86ba7fa31..a07c812462 100644
--- a/network/jarm/c2/mac-c2-jarm.yaml
+++ b/network/jarm/c2/mac-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/cedowens/MacC2 metadata: max-request: 1 - tags: c2,ir,osint,macc2,jarm + tags: jarm,c2,ir,osint,cti,macc2 tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/macshell-c2-jarm.yaml b/network/jarm/c2/macshell-c2-jarm.yaml
index ae918f4edd..9b8a669413 100644
--- a/network/jarm/c2/macshell-c2-jarm.yaml
+++ b/network/jarm/c2/macshell-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/cedowens/MacShellSwift metadata: max-request: 1 - tags: c2,ir,osint,macshell,jarm + tags: jarm,c2,ir,osint,cti,macshell tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/merlin-c2-jarm.yaml b/network/jarm/c2/merlin-c2-jarm.yaml
index 6702bc7b33..b6defe3069 100644
--- a/network/jarm/c2/merlin-c2-jarm.yaml
+++ b/network/jarm/c2/merlin-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://merlin-c2.readthedocs.io/en/latest/ metadata: max-request: 1 - tags: c2,ir,osint,merlin,jarm + tags: jarm,c2,ir,osint,cti,merlin tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/metasploit-c2-jarm.yaml b/network/jarm/c2/metasploit-c2-jarm.yaml
index c0cc8a85e3..ad045a0fb6 100644
--- a/network/jarm/c2/metasploit-c2-jarm.yaml
+++ b/network/jarm/c2/metasploit-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/ metadata: max-request: 1 - tags: c2,ir,osint,metasploit,jarm + tags: jarm,c2,ir,osint,cti,metasploit tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/mythic-c2-jarm.yaml b/network/jarm/c2/mythic-c2-jarm.yaml
index 03ea791bb1..a8e1d9409a 100644
--- a/network/jarm/c2/mythic-c2-jarm.yaml
+++ b/network/jarm/c2/mythic-c2-jarm.yaml
@@ -12,7 +12,7 @@ info: - https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/ metadata: max-request: 1 - tags: c2,ir,osint,mythic,jarm + tags: jarm,c2,ir,osint,cti,mythic tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/posh-c2-jarm.yaml b/network/jarm/c2/posh-c2-jarm.yaml
index cc16df7811..75827521fb 100644
--- a/network/jarm/c2/posh-c2-jarm.yaml
+++ b/network/jarm/c2/posh-c2-jarm.yaml
@@ -12,7 +12,7 @@ info: - https://poshc2.readthedocs.io/en/latest/ metadata: max-request: 1 - tags: c2,ir,osint,posh,jarm + tags: jarm,c2,ir,osint,cti,posh tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/shad0w-c2-jarm.yaml b/network/jarm/c2/shad0w-c2-jarm.yaml
index e10beafe9d..b58d2d53b3 100644
--- a/network/jarm/c2/shad0w-c2-jarm.yaml
+++ b/network/jarm/c2/shad0w-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/bats3c/shad0w metadata: max-request: 1 - tags: shad0w,c2,osint,ir,jarm + tags: jarm,c2,ir,osint,cti,shad0w tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/silenttrinity-c2-jarm.yaml b/network/jarm/c2/silenttrinity-c2-jarm.yaml
index 9ac39b0f2e..888f17ad72 100644
--- a/network/jarm/c2/silenttrinity-c2-jarm.yaml
+++ b/network/jarm/c2/silenttrinity-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/byt3bl33d3r/SILENTTRINITY metadata: max-request: 1 - tags: silenttrinity,c2,osint,ir,jarm + tags: jarm,c2,ir,osint,cti,silenttrinity tcp: - inputs: - data: 2E
diff --git a/network/jarm/c2/sliver-c2-jarm.yaml b/network/jarm/c2/sliver-c2-jarm.yaml
index 2d3e2a3dc5..a7d4021eca 100644
--- a/network/jarm/c2/sliver-c2-jarm.yaml
+++ b/network/jarm/c2/sliver-c2-jarm.yaml
@@ -11,7 +11,7 @@ info: - https://github.com/BishopFox/sliver metadata: max-request: 1 - tags: c2,ir,osint,sliver,jarm + tags: jarm,c2,ir,osint,cti,sliver tcp: - inputs: - data: 2E
diff --git a/network/misconfig/printers-info-leak.yaml b/network/misconfig/printers-info-leak.yaml
index 073d2ce232..7bb0947b3e 100644
--- a/network/misconfig/printers-info-leak.yaml
+++ b/network/misconfig/printers-info-leak.yaml
@@ -6,11 +6,11 @@ info: severity: info reference: - https://book.hacktricks.xyz/pentesting/9100-pjl - tags: network,iot,printer,misconfig description: | Unauthorized access to printers allows attackers to print, eavesdrop sensitive documents. metadata: max-request: 1 + tags: network,iot,printer,misconfig tcp: - inputs:
diff --git a/network/misconfig/sap-router-info-leak.yaml b/network/misconfig/sap-router-info-leak.yaml
index 74c500d39a..747d345434 100644
--- a/network/misconfig/sap-router-info-leak.yaml
+++ b/network/misconfig/sap-router-info-leak.yaml
@@ -10,7 +10,7 @@ info: - https://support.sap.com/en/tools/connectivity-tools/saprouter.html metadata: max-request: 1 - tags: network,sap,misconfig + tags: network,sap,misconfig,saprouter tcp: - inputs:
diff --git a/ssl/c2/asyncrat-c2.yaml b/ssl/c2/asyncrat-c2.yaml
index bb63fea9dc..445b17bcae 100644
--- a/ssl/c2/asyncrat-c2.yaml
+++ b/ssl/c2/asyncrat-c2.yaml
@@ -13,7 +13,7 @@ info: max-request: 1 shodan-query: ssl:"AsyncRAT Server" censys-query: services.tls.certificates.leaf_data.issuer.common_name:AsyncRat - tags: c2,ir,osint,malware + tags: c2,ir,osint,malware,ssl,asyncrat ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/bitrat-c2.yaml b/ssl/c2/bitrat-c2.yaml
index 2c5ddda46e..75cacc7a9e 100644
--- a/ssl/c2/bitrat-c2.yaml
+++ b/ssl/c2/bitrat-c2.yaml
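Review bot: In `printers-info-leak.yaml` the `tags:` key is moved from after the `reference:` list to directly after `metadata: max-request: 1`; indentation is not recoverable from this rendering, so confirm that the added `+ tags: network,iot,printer,misconfig` line is at `info` level (two spaces) and not nested under `metadata:`. If it ends up one level deeper, nuclei no longer sees the template's tags and `-tags printer` or `-tags iot` selection silently stops matching it, with no parse error to flag the problem. Placing `tags` as the last key of `info`, after `metadata`, is consistent with the other templates in this diff.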
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "BitRAT"' - tags: c2,ir,osint,bitrat,ssl + tags: c2,ir,osint,malware,ssl,bitrat ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/cobalt-strike-c2.yaml b/ssl/c2/cobalt-strike-c2.yaml
index 60578c8a1d..c8abc0a984 100644
--- a/ssl/c2/cobalt-strike-c2.yaml
+++ b/ssl/c2/cobalt-strike-c2.yaml
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 shodan-query: ssl.cert.serial:146473198 - tags: ssl,c2,ir,osint,panel + tags: c2,ir,osint,malware,ssl,panel,cobalt-strike ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/covenant-c2-ssl.yaml b/ssl/c2/covenant-c2-ssl.yaml
index a9eb4d95a2..f0d7254b10 100644
--- a/ssl/c2/covenant-c2-ssl.yaml
+++ b/ssl/c2/covenant-c2-ssl.yaml
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 shodan-query: ssl:”Covenant” http.component:”Blazor” - tags: c2,ir,osint,covenant,ssl + tags: c2,ir,osint,malware,ssl,covenant ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/dcrat-server-c2.yaml b/ssl/c2/dcrat-server-c2.yaml
index 87e356eed4..4fdca129f3 100644
--- a/ssl/c2/dcrat-server-c2.yaml
+++ b/ssl/c2/dcrat-server-c2.yaml
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"' - tags: c2,ir,osint,dcrat,ssl + tags: c2,ir,osint,malware,ssl,dcrat ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/gozi-malware-c2.yaml b/ssl/c2/gozi-malware-c2.yaml
index e24b81b658..da56bf2b86 100644
--- a/ssl/c2/gozi-malware-c2.yaml
+++ b/ssl/c2/gozi-malware-c2.yaml
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"' - tags: c2,ir,osint,gozi,malware,ssl + tags: c2,ir,osint,malware,ssl,gozi ssl: - address: "{{Host}}:{{Port}}" matchers:
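Review bot: The `shodan-query` context line of `covenant-c2-ssl.yaml`, `shodan-query: ssl:”Covenant” http.component:”Blazor”`, uses typographic closing quotes (U+201D) instead of ASCII `"`, so the query as stored does not delimit its strings the way Shodan expects when a user copies it out of the metadata. Since this commit already rewrites the adjacent `tags` line of the same block, the line should be corrected at the same time to `shodan-query: ssl:"Covenant" http.component:"Blazor"`. The hunk itself does not touch that line, so this is a follow-up in the same block rather than a defect of the new tag line.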
diff --git a/ssl/c2/havoc-c2.yaml b/ssl/c2/havoc-c2.yaml
index 3070ed20a5..41819e342d 100644
--- a/ssl/c2/havoc-c2.yaml
+++ b/ssl/c2/havoc-c2.yaml
@@ -13,7 +13,7 @@ info: verified: "true" max-request: 1 shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e' - tags: c2,ir,osint,havoc,ssl + tags: c2,ir,osint,malware,ssl,havoc ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/icedid.yaml b/ssl/c2/icedid.yaml
index 684a427206..d1f2178783 100644
--- a/ssl/c2/icedid.yaml
+++ b/ssl/c2/icedid.yaml
@@ -10,7 +10,7 @@ info: verified: "true" max-request: 1 censys-query: CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd - tags: c2,ir,osint,malware,bokbot,trojan + tags: c2,ir,osint,malware,ssl,bokbot,icedid ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/metasploit-c2.yaml b/ssl/c2/metasploit-c2.yaml
index 89e5c8a203..3855cffd50 100644
--- a/ssl/c2/metasploit-c2.yaml
+++ b/ssl/c2/metasploit-c2.yaml
@@ -1,7 +1,7 @@ id: metasploit-c2 info: - name: Detect SSL Certificate Issuer + name: Metasploit C2 - Detect author: pussycat0x severity: info description: |
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 shodan-query: ssl:"MetasploitSelfSignedCA" - tags: c2,ir,osint,metasploit,panel + tags: c2,ir,osint,malware,ssl,metasploit ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/mythic-c2-ssl.yaml b/ssl/c2/mythic-c2-ssl.yaml
index 1e27aa68e2..d032d55212 100644
--- a/ssl/c2/mythic-c2-ssl.yaml
+++ b/ssl/c2/mythic-c2-ssl.yaml
@@ -14,7 +14,7 @@ info: max-request: 1 shodan-query: ssl:"Mythic" censys-query: services.tls.certificates.leaf_data.issuer.common_name:Mythic - tags: c2,ir,osint,malware + tags: c2,ir,osint,malware,ssl,mythic ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/orcus-rat-c2.yaml b/ssl/c2/orcus-rat-c2.yaml
index f565ef9cc1..eb8b2fa32a 100644
--- a/ssl/c2/orcus-rat-c2.yaml
+++ b/ssl/c2/orcus-rat-c2.yaml
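Review bot: Besides adding `ssl` and a family tag, several `ssl/c2` hunks silently drop classification tags that existed before: `icedid.yaml` loses `trojan`, `metasploit-c2.yaml` loses `panel` (which `cobalt-strike-c2.yaml` keeps in the same commit), and `quasar-rat-c2.yaml` in the next file section loses `rat`. Anyone selecting templates with `-tags rat` or `-tags trojan` stops matching these templates, and nothing in the diff indicates the removals are intended. Either keep the old tags alongside the new ones (for example `tags: c2,ir,osint,malware,ssl,bokbot,icedid,trojan`) or call the removals out explicitly in the commit message.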
@@ -12,7 +12,7 @@ info: verified: "true" max-request: 1 censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}' - tags: c2,ir,osint,orcus,ssl + tags: c2,ir,osint,malware,ssl,orcusrat ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/posh-c2.yaml b/ssl/c2/posh-c2.yaml
index 81483eea05..9068686d22 100644
--- a/ssl/c2/posh-c2.yaml
+++ b/ssl/c2/posh-c2.yaml
@@ -13,7 +13,7 @@ info: verified: "true" max-request: 1 shodan-query: ssl:"P18055077" - tags: c2,ir,osint,posh,ssl + tags: c2,ir,osint,malware,ssl,posh ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/quasar-rat-c2.yaml b/ssl/c2/quasar-rat-c2.yaml
index e82c2b961c..0bbd7cea02 100644
--- a/ssl/c2/quasar-rat-c2.yaml
+++ b/ssl/c2/quasar-rat-c2.yaml
@@ -13,7 +13,7 @@ info: max-request: 1 shodan-query: ssl.cert.subject.cn:"Quasar Server CA" censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}' - tags: c2,ir,osint,malware,quasar,rat + tags: c2,ir,osint,malware,ssl,quasar ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/c2/shadowpad-c2.yaml b/ssl/c2/shadowpad-c2.yaml
index d997d1f438..2339c040b2 100644
--- a/ssl/c2/shadowpad-c2.yaml
+++ b/ssl/c2/shadowpad-c2.yaml
@@ -10,7 +10,7 @@ info: verified: "true" max-request: 1 censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer" - tags: c2,ir,osint,malware + tags: c2,ir,osint,malware,ssl,shadowpad ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/deprecated-tls.yaml b/ssl/deprecated-tls.yaml
index 6304e53d9a..f69a9d73d5 100644
--- a/ssl/deprecated-tls.yaml
+++ b/ssl/deprecated-tls.yaml
@@ -13,7 +13,7 @@ info: metadata: max-request: 3 shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}"
diff --git a/ssl/detect-ssl-issuer.yaml b/ssl/detect-ssl-issuer.yaml
index b8ab48b6d0..2768493b8d 100644
--- a/ssl/detect-ssl-issuer.yaml
+++ b/ssl/detect-ssl-issuer.yaml
@@ -8,7 +8,7 @@ info: Extract the issuer's organization from the target's certificate. Issuers are entities which sign and distribute certificates. metadata: max-request: 1 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}"
diff --git a/ssl/expired-ssl.yaml b/ssl/expired-ssl.yaml
index 79e03cebe7..bfda69d5ad 100644
--- a/ssl/expired-ssl.yaml
+++ b/ssl/expired-ssl.yaml
@@ -12,7 +12,7 @@ info: - https://www.acunetix.com/vulnerabilities/web/tls-ssl-certificate-about-to-expire/ metadata: max-request: 1 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/insecure-cipher-suite-detect.yaml b/ssl/insecure-cipher-suite-detect.yaml
index cf69b33d4f..ac94a657a3 100644
--- a/ssl/insecure-cipher-suite-detect.yaml
+++ b/ssl/insecure-cipher-suite-detect.yaml
@@ -10,7 +10,7 @@ info: - https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/ metadata: max-request: 4 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}" min_version: tls10
diff --git a/ssl/revoked-ssl-certificate.yaml b/ssl/revoked-ssl-certificate.yaml
index ea04bd1257..fe854c8dc2 100644
--- a/ssl/revoked-ssl-certificate.yaml
+++ b/ssl/revoked-ssl-certificate.yaml
@@ -11,7 +11,7 @@ info: - https://www.tenable.com/plugins/nnm/5837 metadata: max-request: 1 - tags: ssl,revoked + tags: ssl,revoked,tls ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/self-signed-ssl.yaml b/ssl/self-signed-ssl.yaml
index 0699103f2a..17b2ec4da0 100644
--- a/ssl/self-signed-ssl.yaml
+++ b/ssl/self-signed-ssl.yaml
@@ -13,7 +13,7 @@ info: - https://www.rapid7.com/db/vulnerabilities/ssl-self-signed-certificate/ metadata: max-request: 1 - tags: ssl + tags: ssl,tls,self-signed ssl: - address: "{{Host}}:{{Port}}" matchers:
diff --git a/ssl/ssl-dns-names.yaml b/ssl/ssl-dns-names.yaml
index e32a3baaef..331df3aa78 100644
--- a/ssl/ssl-dns-names.yaml
+++ b/ssl/ssl-dns-names.yaml
@@ -8,7 +8,7 @@ info: Extract the Subject Alternative Name (SAN) from the target's certificate. SAN facilitates the usage of additional hostnames with the same certificate. metadata: max-request: 1 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}"
diff --git a/ssl/tls-version.yaml b/ssl/tls-version.yaml
index 69000bba1d..81eb3f187f 100644
--- a/ssl/tls-version.yaml
+++ b/ssl/tls-version.yaml
@@ -9,7 +9,7 @@ info: It is important to detect the TLS version in order to ensure secure communication between two computers or servers. metadata: max-request: 4 - tags: ssl + tags: ssl,tls ssl: - address: "{{Host}}:{{Port}}" min_version: tls10
diff --git a/ssl/untrusted-root-certificate.yaml b/ssl/untrusted-root-certificate.yaml
index b41b221af7..df30c5c584 100644
--- a/ssl/untrusted-root-certificate.yaml
+++ b/ssl/untrusted-root-certificate.yaml
@@ -12,7 +12,7 @@ info: metadata: verified: true max-request: 1 - tags: ssl,untrusted + tags: ssl,untrusted,tls ssl: - address: "{{Host}}:{{Port}}" matchers: