tagging updates for SSL & network related templates
parent
b2a79787b3
commit
2bdfb18686
|
@ -19,7 +19,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
verified: true
|
verified: true
|
||||||
tags: cve,cve2016,weblogic,t3,rce,oast,deserialization,network
|
tags: cve,cve2016,oracle,weblogic,t3,rce,oast,deserialization,network
|
||||||
|
|
||||||
variables:
|
variables:
|
||||||
start: "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"
|
start: "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"
|
||||||
|
|
|
@ -24,7 +24,7 @@ info:
|
||||||
product: geode
|
product: geode
|
||||||
shodan-query: title:"Apache Tomcat"
|
shodan-query: title:"Apache Tomcat"
|
||||||
vendor: apache
|
vendor: apache
|
||||||
tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat
|
tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat,ajp
|
||||||
tcp:
|
tcp:
|
||||||
- host:
|
- host:
|
||||||
- "{{Hostname}}"
|
- "{{Hostname}}"
|
||||||
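Review bot: The new tags line keeps `tomcat` and adds `ajp`, yet the `product: geode` row a few lines above contradicts the vendor, the shodan-query and the tags, which all point at Tomcat's AJP connector rather than Apache Geode. Since this commit is reworking the template's classification metadata, the product field is the natural thing to fix in the same change; if the template really is the Tomcat AJP check, the line should read `product: tomcat`. If `geode` is intentional, a short comment on why the query and tags name Tomcat would stop the next reader from "fixing" it. The template id, name and matchers are outside this hunk, so I cannot confirm which check it implements from here.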
|
|
|
@ -27,7 +27,7 @@ info:
|
||||||
shodan-query: product:"CouchDB"
|
shodan-query: product:"CouchDB"
|
||||||
vendor: apache
|
vendor: apache
|
||||||
verified: "true"
|
verified: "true"
|
||||||
tags: cve,cve2022,network,couch,rce,kev
|
tags: cve,cve2022,network,couch,rce,kev,couchdb
|
||||||
variables:
|
variables:
|
||||||
name_msg: "00156e00050007499c4141414141414041414141414141"
|
name_msg: "00156e00050007499c4141414141414041414141414141"
|
||||||
challenge_reply: "00157201020304"
|
challenge_reply: "00157201020304"
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"ActiveMQ OpenWire transport"
|
shodan-query: product:"ActiveMQ OpenWire transport"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,activemq,detect
|
tags: network,activemq,detect,openwire
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"Apache ActiveMQ"
|
shodan-query: product:"Apache ActiveMQ"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,activemq,oss,detect
|
tags: network,activemq,oss,detect,apache
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"Axigen"
|
shodan-query: product:"Axigen"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,axigen,detect
|
tags: network,axigen,detect,smtp
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -15,7 +15,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"BGP"
|
shodan-query: product:"BGP"
|
||||||
tags: network,bgp
|
tags: network,bgp,detect
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"Cisco fingerd"
|
shodan-query: product:"Cisco fingerd"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,finger,detect
|
tags: network,finger,detect,cisco
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"MS .NET Remoting httpd"
|
shodan-query: product:"MS .NET Remoting httpd"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,detect,microsoft
|
tags: network,detect,microsoft,dotnet
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information.
|
The "EXPN" can be used by attackers to learn about valid usernames on the target system. On some SMTP servers, EXPN can be used to show the subscribers of a mailing list subscription lists are generally considered to be sensitive information.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: mail,expn,network,detect
|
tags: mail,expn,network,detect,smtp
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap"
|
fofa-query: app="iPlanet-Messaging-Server-5.2" && protocol="imap"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,imap,detect
|
tags: network,imap,detect,iplanet
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -9,7 +9,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: product:"Riak"
|
shodan-query: product:"Riak"
|
||||||
verified: true
|
verified: true
|
||||||
tags: network,oss,detect
|
tags: network,oss,detect,riak,nosql
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
SAProuter is a software application that provides a remote connection between our customer's network and SAP.
|
SAProuter is a software application that provides a remote connection between our customer's network and SAP.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,sap,detect
|
tags: network,sap,detect,saprouter
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks.
|
SMTP is part of the application layer of the TCP/IP protocol. Using a process called “store and forward,” SMTP moves your email on and across networks.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,service,smtp,detect
|
tags: network,service,smtp,detect,mail
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
|
STARTTLS is an email protocol command that tells an email server that an email client, including an email client running in a web browser, wants to turn an existing insecure connection into a secure one.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: mail,starttls,network,detect
|
tags: mail,starttls,network,detect,smtp
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
The IIOP (Internet Inter-ORB Protocol) protocol makes it possible for distributed programs written in different programming languages to communicate over the Internet.
|
The IIOP (Internet Inter-ORB Protocol) protocol makes it possible for distributed programs written in different programming languages to communicate over the Internet.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,weblogic,detect
|
tags: network,weblogic,detect,oracle,iiop
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}"
|
- data: "{{hex_decode('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')}}"
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
|
T3 is the protocol used to transport information between WebLogic servers and other types of Java programs.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 2
|
max-request: 2
|
||||||
tags: network,weblogic,detect
|
tags: network,weblogic,detect,t3,oracle
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: "t3 12.2.1
|
- data: "t3 12.2.1
|
||||||
|
|
|
@ -16,7 +16,7 @@ info:
|
||||||
vendor: progress
|
vendor: progress
|
||||||
product: ws_ftp
|
product: ws_ftp
|
||||||
shodan-query: "WS_FTP port:22"
|
shodan-query: "WS_FTP port:22"
|
||||||
tags: network,ssh,ws_ftp
|
tags: network,ssh,ws_ftp,detect
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- host:
|
- host:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443
|
shodan-query: ssl.jarm:07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1+port:443
|
||||||
tags: jarm,c2,ir,osint
|
tags: jarm,c2,ir,osint,cti,cobalt-strike
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://twitter.com/MichalKoczwara/status/1548685058403360770
|
- https://twitter.com/MichalKoczwara/status/1548685058403360770
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,covenant,jarm
|
tags: jarm,c2,ir,osint,cti,covenant
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://twitter.com/MichalKoczwara/status/1551632627387473920
|
- https://twitter.com/MichalKoczwara/status/1551632627387473920
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,deimos,jarm,network
|
tags: jarm,c2,ir,osint,cti,deimos,network
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/kgretzky/evilginx2
|
- https://github.com/kgretzky/evilginx2
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: evilginx2,c2,phishing,jarm
|
tags: jarm,c2,ir,osint,cti,evilginx2,phishing
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
- https://github.com/MichaelKoczwara/C2JARM
|
- https://github.com/MichaelKoczwara/C2JARM
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,c2,jarm,cti
|
tags: network,jarm,c2,ir,osint,cti
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/r3nhat/GRAT2
|
- https://github.com/r3nhat/GRAT2
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: shad0w,c2,osint,ir,jarm
|
tags: jarm,c2,ir,osint,cti,shad0w
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
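Review bot: The rewritten tags line still carries `shad0w` in a template whose only visible reference is the GRAT2 repository, and the identical tag set appears on the separate shad0w template further down in this commit, so this looks like a copy-paste leftover that the re-tagging pass preserved. If this file is the GRAT2 JARM fingerprint, the tool tag should be `tags: jarm,c2,ir,osint,cti,grat2`; as written, a user filtering with `-tags shad0w` gets both fingerprints and `-tags grat2` gets none. The template id and name are outside this hunk, so please confirm against them before changing.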
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e'
|
shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e'
|
||||||
tags: c2,ir,osint,havoc,network
|
tags: jarm,c2,ir,osint,cti,havoc,network
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/cedowens/MacC2
|
- https://github.com/cedowens/MacC2
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,macc2,jarm
|
tags: jarm,c2,ir,osint,cti,macc2
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/cedowens/MacShellSwift
|
- https://github.com/cedowens/MacShellSwift
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,macshell,jarm
|
tags: jarm,c2,ir,osint,cti,macshell
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://merlin-c2.readthedocs.io/en/latest/
|
- https://merlin-c2.readthedocs.io/en/latest/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,merlin,jarm
|
tags: jarm,c2,ir,osint,cti,merlin
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,metasploit,jarm
|
tags: jarm,c2,ir,osint,cti,metasploit
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
- https://www.socinvestigation.com/shodan-filters-to-hunt-adversaries-infrastructure-and-c2/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,mythic,jarm
|
tags: jarm,c2,ir,osint,cti,mythic
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
- https://poshc2.readthedocs.io/en/latest/
|
- https://poshc2.readthedocs.io/en/latest/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,posh,jarm
|
tags: jarm,c2,ir,osint,cti,posh
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/bats3c/shad0w
|
- https://github.com/bats3c/shad0w
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: shad0w,c2,osint,ir,jarm
|
tags: jarm,c2,ir,osint,cti,shad0w
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/byt3bl33d3r/SILENTTRINITY
|
- https://github.com/byt3bl33d3r/SILENTTRINITY
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: silenttrinity,c2,osint,ir,jarm
|
tags: jarm,c2,ir,osint,cti,silenttrinity
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://github.com/BishopFox/sliver
|
- https://github.com/BishopFox/sliver
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: c2,ir,osint,sliver,jarm
|
tags: jarm,c2,ir,osint,cti,sliver
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
- data: 2E
|
- data: 2E
|
||||||
|
|
|
@ -6,11 +6,11 @@ info:
|
||||||
severity: info
|
severity: info
|
||||||
reference:
|
reference:
|
||||||
- https://book.hacktricks.xyz/pentesting/9100-pjl
|
- https://book.hacktricks.xyz/pentesting/9100-pjl
|
||||||
tags: network,iot,printer,misconfig
|
|
||||||
description: |
|
description: |
|
||||||
Unauthorized access to printers allows attackers to print, eavesdrop sensitive documents.
|
Unauthorized access to printers allows attackers to print, eavesdrop sensitive documents.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
|
tags: network,iot,printer,misconfig
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
- https://support.sap.com/en/tools/connectivity-tools/saprouter.html
|
- https://support.sap.com/en/tools/connectivity-tools/saprouter.html
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: network,sap,misconfig
|
tags: network,sap,misconfig,saprouter
|
||||||
|
|
||||||
tcp:
|
tcp:
|
||||||
- inputs:
|
- inputs:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl:"AsyncRAT Server"
|
shodan-query: ssl:"AsyncRAT Server"
|
||||||
censys-query: services.tls.certificates.leaf_data.issuer.common_name:AsyncRat
|
censys-query: services.tls.certificates.leaf_data.issuer.common_name:AsyncRat
|
||||||
tags: c2,ir,osint,malware
|
tags: c2,ir,osint,malware,ssl,asyncrat
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "BitRAT"'
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "BitRAT"'
|
||||||
tags: c2,ir,osint,bitrat,ssl
|
tags: c2,ir,osint,malware,ssl,bitrat
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl.cert.serial:146473198
|
shodan-query: ssl.cert.serial:146473198
|
||||||
tags: ssl,c2,ir,osint,panel
|
tags: c2,ir,osint,malware,ssl,panel,cobalt-strike
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl:”Covenant” http.component:”Blazor”
|
shodan-query: ssl:”Covenant” http.component:”Blazor”
|
||||||
tags: c2,ir,osint,covenant,ssl
|
tags: c2,ir,osint,malware,ssl,covenant
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"'
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: "DcRat Server"'
|
||||||
tags: c2,ir,osint,dcrat,ssl
|
tags: c2,ir,osint,malware,ssl,dcrat
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
|
censys-query: 'services.tls.certificates.leaf_data.issuer_dn: "C=XX, ST=1, L=1, O=1, OU=1, CN=\*"'
|
||||||
tags: c2,ir,osint,gozi,malware,ssl
|
tags: c2,ir,osint,malware,ssl,gozi
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e'
|
shodan-query: 'ssl:postalCode=3540 ssl.jarm:3fd21b20d00000021c43d21b21b43de0a012c76cf078b8d06f4620c2286f5e'
|
||||||
tags: c2,ir,osint,havoc,ssl
|
tags: c2,ir,osint,malware,ssl,havoc
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
|
censys-query: CN=localhost, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
|
||||||
tags: c2,ir,osint,malware,bokbot,trojan
|
tags: c2,ir,osint,malware,ssl,bokbot,icedid
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
id: metasploit-c2
|
id: metasploit-c2
|
||||||
|
|
||||||
info:
|
info:
|
||||||
name: Detect SSL Certificate Issuer
|
name: Metasploit C2 - Detect
|
||||||
author: pussycat0x
|
author: pussycat0x
|
||||||
severity: info
|
severity: info
|
||||||
description: |
|
description: |
|
||||||
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl:"MetasploitSelfSignedCA"
|
shodan-query: ssl:"MetasploitSelfSignedCA"
|
||||||
tags: c2,ir,osint,metasploit,panel
|
tags: c2,ir,osint,malware,ssl,metasploit
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -14,7 +14,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl:"Mythic"
|
shodan-query: ssl:"Mythic"
|
||||||
censys-query: services.tls.certificates.leaf_data.issuer.common_name:Mythic
|
censys-query: services.tls.certificates.leaf_data.issuer.common_name:Mythic
|
||||||
tags: c2,ir,osint,malware
|
tags: c2,ir,osint,malware,ssl,mythic
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}'
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Orcus Server", "OrcusServerCertificate"}'
|
||||||
tags: c2,ir,osint,orcus,ssl
|
tags: c2,ir,osint,malware,ssl,orcusrat
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl:"P18055077"
|
shodan-query: ssl:"P18055077"
|
||||||
tags: c2,ir,osint,posh,ssl
|
tags: c2,ir,osint,malware,ssl,posh
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
|
||||||
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
|
censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
|
||||||
tags: c2,ir,osint,malware,quasar,rat
|
tags: c2,ir,osint,malware,ssl,quasar
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
verified: "true"
|
verified: "true"
|
||||||
max-request: 1
|
max-request: 1
|
||||||
censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer"
|
censys-query: services.tls.certificates.leaf_data.subject_dn="C=CN, ST=myprovince, L=mycity, O=myorganization, OU=mygroup, CN=myServer"
|
||||||
tags: c2,ir,osint,malware
|
tags: c2,ir,osint,malware,ssl,shadowpad
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 3
|
max-request: 3
|
||||||
shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
|
shodan-query: ssl.version:sslv2 ssl.version:sslv3 ssl.version:tlsv1 ssl.version:tlsv1.1
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
|
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
Extract the issuer's organization from the target's certificate. Issuers are entities which sign and distribute certificates.
|
Extract the issuer's organization from the target's certificate. Issuers are entities which sign and distribute certificates.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
|
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
- https://www.acunetix.com/vulnerabilities/web/tls-ssl-certificate-about-to-expire/
|
- https://www.acunetix.com/vulnerabilities/web/tls-ssl-certificate-about-to-expire/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -10,7 +10,7 @@ info:
|
||||||
- https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/
|
- https://www.acunetix.com/vulnerabilities/web/tls-ssl-weak-cipher-suites/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 4
|
max-request: 4
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
min_version: tls10
|
min_version: tls10
|
||||||
|
|
|
@ -11,7 +11,7 @@ info:
|
||||||
- https://www.tenable.com/plugins/nnm/5837
|
- https://www.tenable.com/plugins/nnm/5837
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl,revoked
|
tags: ssl,revoked,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -13,7 +13,7 @@ info:
|
||||||
- https://www.rapid7.com/db/vulnerabilities/ssl-self-signed-certificate/
|
- https://www.rapid7.com/db/vulnerabilities/ssl-self-signed-certificate/
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl
|
tags: ssl,tls,self-signed
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|
|
@ -8,7 +8,7 @@ info:
|
||||||
Extract the Subject Alternative Name (SAN) from the target's certificate. SAN facilitates the usage of additional hostnames with the same certificate.
|
Extract the Subject Alternative Name (SAN) from the target's certificate. SAN facilitates the usage of additional hostnames with the same certificate.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ info:
|
||||||
It is important to detect the TLS version in order to ensure secure communication between two computers or servers.
|
It is important to detect the TLS version in order to ensure secure communication between two computers or servers.
|
||||||
metadata:
|
metadata:
|
||||||
max-request: 4
|
max-request: 4
|
||||||
tags: ssl
|
tags: ssl,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
min_version: tls10
|
min_version: tls10
|
||||||
|
|
|
@ -12,7 +12,7 @@ info:
|
||||||
metadata:
|
metadata:
|
||||||
verified: true
|
verified: true
|
||||||
max-request: 1
|
max-request: 1
|
||||||
tags: ssl,untrusted
|
tags: ssl,untrusted,tls
|
||||||
ssl:
|
ssl:
|
||||||
- address: "{{Host}}:{{Port}}"
|
- address: "{{Host}}:{{Port}}"
|
||||||
matchers:
|
matchers:
|
||||||
|
|