diff --git a/http/miscellaneous/defacement-detect.yaml b/http/miscellaneous/defacement-detect.yaml new file mode 100644 index 0000000000..238b44ea89 --- /dev/null +++ b/http/miscellaneous/defacement-detect.yaml @@ -0,0 +1,274 @@ +id: defacement-detect + +info: + name: Defacement Content - Detection + author: ricardomaia + severity: info + description: | + This template detects defacement content in the response body, using a list of commom paths as payload.It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.The URL paths and regex rules were based on research from several sources.Other rules are based in the author's experience and are not exhaustive. + reference: + - https://www.zone-h.org + - https://zone-xsec.com + - https://hax.or.id + - https://www.haxor.id + - https://www.defacer.net + - https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023 + metadata: + verified: true + tags: misc,defacement,spam,hacktivism,osint + +http: + - method: GET + path: + - "{{BaseURL}}{{path}}" + + redirects: true + max-redirects: 1 + + stop-at-first-match: true + + matchers-condition: and + matchers: + - type: regex + part: body + name: defacement-signature + regex: + - '(?i)\bhack[e|3]d.?(by)?\b' + - '(?i)\bwh(00|oo)pz\b' + - '(?i)\bdefaced.?(by)?\b' + - '(?i)\bPa?wn(e|3)d.?(by)?\b' + - '(?i)\b0wned.?(by)?\b' + - '(?i)\bGreetz.?(to)?\b' + - '(?i)\bXploit\b' + - '(?i)\brulez\b' + - '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b' + - '(?i)\bh(a|4)x(o|0)r\b' + - '(?i)\bHack.Team\b' + - '(?i)\bpwnted.?(by)?\b' + - '(?i)\bBUY.WEBSHELL\b' + - '(?i)\bHello.Admin\b' + - '(?i)\bShootz\b' + + - type: regex + part: body + name: spamdexing + regex: + - '(?i)\bcialis\b' + - '(?i)\btadacip\b' + - '(?i)\bpurinethol\b' + - '(?i)\bbactrim\b' + - '(?i)\bfemale-cialis\b' + - '(?i)\btoprol-xl\b' + - '(?i)\bbupropion\b' + - '(?i)\blevitra\b' + - '(?i)\bfeldene\b' + - '(?i)\bapcalis\b' + - '(?i)\batacand\b' + - '(?i)\bzerit\b' + - '(?i)\bisordil\b' + - '(?i)\bviagra-soft\b' + - '(?i)\bdanazol\b' + - '(?i)\blasix\b' + - '(?i)\bapcalis-sx\b' + - '(?i)\btadalafil\b' + - '(?i)\bviagra-jelly\b' + - '(?i)\btadalis-sx\b' + - '(?i)\btelmisartan\b' + - '(?i)\bcialis-soft\b' + - '(?i)\brevia\b' + - '(?i)\bcardura\b' + - '(?i)\bfempro\b' + - '(?i)\bfemale-viagra\b' + - '(?i)\berectalis\b' + - '(?i)\bforzest\b' + - '(?i)\bisoptin-sr\b' + - '(?i)\bkamagra-soft\b' + - '(?i)\blioresal\b' + - '(?i)\bneoral\b' + - '(?i)\bcytoxan\b' + - '(?i)\bphenytoin\b' + - '(?i)\bvibramycin\b' + - '(?i)\binstant.fortune\b' + - '(?i)\win.the.lottery\b' + - '(?i)\bwin.the.lotto\b' + - '(?i)\bcassino\b' + + - type: regex + part: body + name: zone-h-top-50 + regex: + - '(?i)\bHmei7\b' + - '(?i)\bd3b~x\b' + - '(?i)\bIndex Php\b' + - '(?i)\biskorpitx\b' + - '(?i)\bchinafans\b' + - '(?i)\bSejeal\b' + - '(?i)\b1923Turk\b' + - '(?i)\bmuhmademad\b' + - '(?i)\bTeam_CC\b' + - '(?i)\bimam\b' + - '(?i)\bmisafir\b' + - '(?i)\bZoRRoKiN\b' + - '(?i)\bpanataran\b' + - '(?i)\bGHoST61\b' + - '(?i)\bAshiyane Digital Security Team\b' + - '(?i)\bFatal Error\b' + - '(?i)\bErrOr SquaD\b' + - '(?i)\bw4l3xzy3\b' + - '(?i)\bBD GREY HAT HACKERS\b' + - '(?i)\bSA3D HaCk3D\b' + - '(?i)\bjok3r\b' + - '(?i)\bHighTech\b' + - '(?i)\bMr.Kro0oz\b' + - '(?i)\bTheWayEnd\b' + - '(?i)\bLUN4T1C0\b' + - '(?i)\bKaMtiEz\b' + - '(?i)\bHolaKo\b' + - '(?i)\bMiSh\b' + - '(?i)\bMister Spy\b' + - '(?i)\bClash Hackers\b' + - '(?i)\bKkK1337\b' + - '(?i)\bKuroi\b' + - '(?i)\bBALA SNIPER\b' + - '(?i)\bRayzky_\b' + - '(?i)\bRXR\b' + - '(?i)\bTOP-TEAM\b' + - '(?i)\bMagelang6etar\b' + - '(?i)\bifactoryx\b' + - '(?i)\bthe_warri0r\b' + - '(?i)\bRed Eye\b' + - '(?i)\bdarkshadow-tn\b' + - '(?i)\bs13doeL\b' + - '(?i)\bFallaga Team\b' + - '(?i)\bulow\b' + - '(?i)\bSPYKIDS\b' + - '(?i)\bCyb3r_Sw0rd\b' + - '(?i)\blinuXploit_crew\b' + - '(?i)\bIr4dex 735\b' + - '(?i)\bKingSam\b' + + - type: regex + part: body + name: other-groups-attacker + regex: + - '(?i)\bLapsus$\b' + - '(?i)\bLulzSec\b' + - '(?i)\bmilw0rm\b' + - '(?i)\bNoName05\b' + - '(?i)\bAnonymousSudan\b' + - '(?i)\bAnon_by\b' + - '(?i)\bAnonGhost\b' + - '(?i)\bTeam.Insane\b' + - '(?i)\bEagle Cyber\b' + + - type: regex + part: body + name: hacktivism-operation + regex: + - '(?i)\bOpIsrael\b' + - '(?i)\bOpRussia\b' + - '(?i)\bOpIran\b' + - '(?i)\bOpPhilippines\b' + - '(?i)\bOpAustralia\b' + - '(?i)\bAnonymousItalia\b' + - '(?i)\bStopRussia\b' + - '(?i)\bStopInvasion\b' + - '(?i)\bWe.are.legion\b' + - '(?i)\bAnonOps\b' + - '(?i)\bOpGOP\b' + - '(?i)\bOpStonewall\b' + - '(?i)\bTangoDown\b' + - '(?i)\bFREE_PALESTINE\b' + - '(?i)\bFREE_AL-AQSA\b' + + - type: status + status: + - 200 + + payloads: + path: + - / + - /old + - /ssh + - /tmp + - /uploads + - /index.html + - /index.php + - /indexx.html + - /defaced.html + - /readme.html + - /readme.php + - /kurd.html + - /kurd1943.html + - /evil.html + - /ghost.htm + - /pwnd.html + - /pwn.html + - /hacked.html + - /hacked.txt + - /1.php + - /1.txt + - /1.html + - /a.htm + - /a.html + - /a.php + - /V.txt + - /0day.txt + - /1337.txt + - /r00t.php + - /root.html + - /id.htm + - /by.html + - /by.htm + - /me.php + - /o.htm + - /O.html + - /a.php + - /a.html + - /z.php + - /zz.txt + - /z.txt + - /M.html + - /ie.txt + - /xxx.html + - /x.txt + - /logs.txt + - /ownz.html + - /update_note.txt + - /k.html + - /y.txt + - /T.html + - /ts.html + - /tr.html + - /core.html + - /el.htm + - /ie.htm + - /si.html + - /sad.html + - /fake.html + - /broken.html + - /buy.html + - /access.php + - /info.php + - /jquery.php + - /news.php + - /services.php + - /boxed.php + - /main.php + - /pbw.txt + - /aw.txt + - /hx.txt + - /vz.txt + - /cl.html + - /asi.html + - /public + - /cache + - /info.txt + - /ir.html + - /me.html + - /px.html + - /px.php + - /F.html + - /frost.txt + - /-.txt + - /!.txt diff --git a/http/miscellaneous/defacement-detector.yaml b/http/miscellaneous/defacement-detector.yaml deleted file mode 100644 index c0221f96dd..0000000000 --- a/http/miscellaneous/defacement-detector.yaml +++ /dev/null @@ -1,403 +0,0 @@ -id: defacement-detector - -info: - name: Defacement Content Detector - author: ricardomaia - severity: info - description: | - This template detects defacement content in the response body, using a list of commom paths as payload. - It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match. - The URL paths and regex rules were based on research from several sources. - Other rules are based in the author's experience and are not exhaustive. - reference: - - https://www.zone-h.org - - https://zone-xsec.com - - https://hax.or.id - - https://www.haxor.id - - https://www.defacer.net - - https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023 - metadata: - max-requests: 1 - tags: misc,monitoring,defacement,spam,hacktivism -http: - - method: GET - path: - - "{{BaseURL}}{{path}}" - redirects: true - max-redirects: 1 - - stop-at-first-match: true - matchers-condition: and - matchers: - - type: regex - part: body - regex: - # Commom defacement signatures - - '(?i)\bhack[e|3]d.?(by)?\b' - - '(?i)\bwh(00|oo)pz\b' - - '(?i)\bdefaced.?(by)?\b' - - '(?i)\bPa?wn(e|3)d.?(by)?\b' - - '(?i)\b0wned.?(by)?\b' - - '(?i)\bGreetz.?(to)?\b' - - '(?i)\bXploit\b' - - '(?i)\brulez\b' - - '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b' - - '(?i)\bh(a|4)x(o|0)r\b' - - '(?i)\bHack.Team\b' - - '(?i)\bpwnted.?(by)?\b' - - '(?i)\bBUY.WEBSHELL\b' - - '(?i)\bHello.Admin\b' - - '(?i)\bShootz\b' - - '(?i)\bTouched\sby\b' # Some false positives - - '(?i)\bHas.*been.*hacked\b' # Some false positives - - '(?i)\bStamped\sBy\b' # Some false positives - # Spamdexing - - '(?i)\bcialis\b' - - '(?i)\btadacip\b' - - '(?i)\bpurinethol\b' - - '(?i)\bbactrim\b' - - '(?i)\bfemale-cialis\b' - - '(?i)\btoprol-xl\b' - - '(?i)\bbupropion\b' - - '(?i)\blevitra\b' - - '(?i)\bfeldene\b' - - '(?i)\bapcalis\b' - - '(?i)\batacand\b' - - '(?i)\bzerit\b' - - '(?i)\bisordil\b' - - '(?i)\bviagra-soft\b' - - '(?i)\bdanazol\b' - - '(?i)\blasix\b' - - '(?i)\bapcalis-sx\b' - - '(?i)\btadalafil\b' - - '(?i)\bviagra-jelly\b' - - '(?i)\btadalis-sx\b' - - '(?i)\btelmisartan\b' - - '(?i)\bcialis-soft\b' - - '(?i)\brevia\b' - - '(?i)\bcardura\b' - - '(?i)\bfempro\b' - - '(?i)\bfemale-viagra\b' - - '(?i)\berectalis\b' - - '(?i)\bforzest\b' - - '(?i)\bisoptin-sr\b' - - '(?i)\bkamagra-soft\b' - - '(?i)\blioresal\b' - - '(?i)\bneoral\b' - - '(?i)\bcytoxan\b' - - '(?i)\bphenytoin\b' - - '(?i)\bvibramycin\b' - - '(?i)\binstant.fortune\b' - - '(?i)\win.the.lottery\b' - - '(?i)\bwin.the.lotto\b' - - '(?i)\bcassino\b' - # Attackets - Zone-H Top 50 - - '(?i)\bHmei7\b' - - '(?i)\bd3b~x\b' - - '(?i)\bIndex Php\b' - - '(?i)\biskorpitx\b' - - '(?i)\bchinafans\b' - - '(?i)\bSejeal\b' - - '(?i)\b1923Turk\b' - - '(?i)\bmuhmademad\b' - - '(?i)\bTeam_CC\b' - - '(?i)\bimam\b' - - '(?i)\bmisafir\b' - - '(?i)\bZoRRoKiN\b' - - '(?i)\bpanataran\b' - - '(?i)\bGHoST61\b' - - '(?i)\bAshiyane Digital Security Team\b' - - '(?i)\bFatal Error\b' - - '(?i)\bErrOr SquaD\b' - - '(?i)\bw4l3xzy3\b' - - '(?i)\bBD GREY HAT HACKERS\b' - - '(?i)\bSA3D HaCk3D\b' - - '(?i)\bjok3r\b' - - '(?i)\bHighTech\b' - - '(?i)\bMr.Kro0oz\b' - - '(?i)\bTheWayEnd\b' - - '(?i)\bLUN4T1C0\b' - - '(?i)\bKaMtiEz\b' - - '(?i)\bHolaKo\b' - - '(?i)\bMiSh\b' - - '(?i)\bMister Spy\b' - - '(?i)\bClash Hackers\b' - - '(?i)\bKkK1337\b' - - '(?i)\bKuroi\b' - - '(?i)\bBALA SNIPER\b' - - '(?i)\bRayzky_\b' - - '(?i)\bRXR\b' - - '(?i)\bTOP-TEAM\b' - - '(?i)\bMagelang6etar\b' - - '(?i)\bifactoryx\b' - - '(?i)\bthe_warri0r\b' - - '(?i)\bRed Eye\b' - - '(?i)\bdarkshadow-tn\b' - - '(?i)\bs13doeL\b' - - '(?i)\bFallaga Team\b' - - '(?i)\bulow\b' - - '(?i)\bSPYKIDS\b' - - '(?i)\bCyb3r_Sw0rd\b' - - '(?i)\blinuXploit_crew\b' - - '(?i)\bIr4dex 735\b' - - '(?i)\bKingSam\b' - # Others groups or attackers - - '(?i)\bLapsus$\b' - - '(?i)\bLulzSec\b' - - '(?i)\bmilw0rm\b' - - '(?i)\bNoName05\b' - - '(?i)\bAnonymousSudan\b' - - '(?i)\bAnon_by\b' - - '(?i)\bAnonGhost\b' - - '(?i)\bTeam.Insane\b' - - '(?i)\bEagle Cyber\b' - # Hacktivism Operations - - '(?i)\bOpIsrael\b' - - '(?i)\bOpRussia\b' - - '(?i)\bOpIran\b' - - '(?i)\bOpPhilippines\b' - - '(?i)\bOpAustralia\b' - - '(?i)\bAnonymousItalia\b' - - '(?i)\bStopRussia\b' - - '(?i)\bStopInvasion\b' - - '(?i)\bWe.are.legion\b' - - '(?i)\bAnonOps\b' - - '(?i)\bOpGOP\b' - - '(?i)\bOpStonewall\b' - - '(?i)\bTangoDown\b' - - '(?i)\bFREE_PALESTINE\b' - - '(?i)\bFREE_AL-AQSA\b' - - - type: status - status: - - 200 - - extractors: - - type: regex - part: body - # Five characters before and after the match - name: text-snippet - regex: - # Commom defacement signatures - - '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}' - - '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}' - - '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}' - - '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}' - - '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}' - - '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}' - - '.{0,5}(?i)\bXploit\b.{0,5}' - - '.{0,5}(?i)\brulez\b.{0,5}' - - '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}' - - '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}' - - '.{0,5}(?i)\bHack.Team\b.{0,5}' - - '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}' - - '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}' - - '.{0,5}(?i)\bHello.Admin\b.{0,5}' - - '.{0,5}(?i)\bShootz\b.{0,5}' - - '.{0,5}(?i)\bTouched\sby\b.{0,5}' # Some false positives - - '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}' # Some false positives - - '.{0,5}(?i)\bStamped\sBy\b.{0,5}' # Some false positives - # Spamdexing - - '.{0,5}(?i)\bcialis\b.{0,5}' - - '.{0,5}(?i)\btadacip\b.{0,5}' - - '.{0,5}(?i)\bpurinethol\b.{0,5}' - - '.{0,5}(?i)\bbactrim\b.{0,5}' - - '.{0,5}(?i)\bfemale-cialis\b.{0,5}' - - '.{0,5}(?i)\btoprol-xl\b.{0,5}' - - '.{0,5}(?i)\bbupropion\b.{0,5}' - - '.{0,5}(?i)\blevitra\b.{0,5}' - - '.{0,5}(?i)\bfeldene\b.{0,5}' - - '.{0,5}(?i)\bapcalis\b.{0,5}' - - '.{0,5}(?i)\batacand\b.{0,5}' - - '.{0,5}(?i)\bzerit\b.{0,5}' - - '.{0,5}(?i)\bisordil\b.{0,5}' - - '.{0,5}(?i)\bviagra-soft\b.{0,5}' - - '.{0,5}(?i)\bdanazol\b.{0,5}' - - '.{0,5}(?i)\blasix\b.{0,5}' - - '.{0,5}(?i)\bapcalis-sx\b.{0,5}' - - '.{0,5}(?i)\btadalafil\b.{0,5}' - - '.{0,5}(?i)\bviagra-jelly\b.{0,5}' - - '.{0,5}(?i)\btadalis-sx\b.{0,5}' - - '.{0,5}(?i)\btelmisartan\b.{0,5}' - - '.{0,5}(?i)\bcialis-soft\b.{0,5}' - - '.{0,5}(?i)\brevia\b.{0,5}' - - '.{0,5}(?i)\bcardura\b.{0,5}' - - '.{0,5}(?i)\bfempro\b.{0,5}' - - '.{0,5}(?i)\bfemale-viagra\b.{0,5}' - - '.{0,5}(?i)\berectalis\b.{0,5}' - - '.{0,5}(?i)\bforzest\b.{0,5}' - - '.{0,5}(?i)\bisoptin-sr\b.{0,5}' - - '.{0,5}(?i)\bkamagra-soft\b.{0,5}' - - '.{0,5}(?i)\blioresal\b.{0,5}' - - '.{0,5}(?i)\bneoral\b.{0,5}' - - '.{0,5}(?i)\bcytoxan\b.{0,5}' - - '.{0,5}(?i)\bphenytoin\b.{0,5}' - - '.{0,5}(?i)\bvibramycin\b.{0,5}' - - '.{0,5}(?i)\binstant.fortune\b.{0,5}' - - '.{0,5}(?i)\win.the.lottery\b.{0,5}' - - '.{0,5}(?i)\bwin.the.lotto\b.{0,5}' - - '.{0,5}(?i)\bcassino\b.{0,5}' - # Attackets - Zone-H Top 50 - - '.{0,5}(?i)\bHmei7\b.{0,5}' - - '.{0,5}(?i)\bd3b~x\b.{0,5}' - - '.{0,5}(?i)\bIndex Php\b.{0,5}' - - '.{0,5}(?i)\biskorpitx\b.{0,5}' - - '.{0,5}(?i)\bchinafans\b.{0,5}' - - '.{0,5}(?i)\bSejeal\b.{0,5}' - - '.{0,5}(?i)\b1923Turk\b.{0,5}' - - '.{0,5}(?i)\bmuhmademad\b.{0,5}' - - '.{0,5}(?i)\bTeam_CC\b.{0,5}' - - '.{0,5}(?i)\bimam\b.{0,5}' - - '.{0,5}(?i)\bmisafir\b.{0,5}' - - '.{0,5}(?i)\bZoRRoKiN\b.{0,5}' - - '.{0,5}(?i)\bpanataran\b.{0,5}' - - '.{0,5}(?i)\bGHoST61\b.{0,5}' - - '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}' - - '.{0,5}(?i)\bFatal Error\b.{0,5}' - - '.{0,5}(?i)\bErrOr SquaD\b.{0,5}' - - '.{0,5}(?i)\bw4l3xzy3\b.{0,5}' - - '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}' - - '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}' - - '.{0,5}(?i)\bjok3r\b.{0,5}' - - '.{0,5}(?i)\bHighTech\b.{0,5}' - - '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}' - - '.{0,5}(?i)\bTheWayEnd\b.{0,5}' - - '.{0,5}(?i)\bLUN4T1C0\b.{0,5}' - - '.{0,5}(?i)\bKaMtiEz\b.{0,5}' - - '.{0,5}(?i)\bHolaKo\b.{0,5}' - - '.{0,5}(?i)\bMiSh\b.{0,5}' - - '.{0,5}(?i)\bMister Spy\b.{0,5}' - - '.{0,5}(?i)\bClash Hackers\b.{0,5}' - - '.{0,5}(?i)\bKkK1337\b.{0,5}' - - '.{0,5}(?i)\bKuroi\b.{0,5}' - - '.{0,5}(?i)\bBALA SNIPER\b.{0,5}' - - '.{0,5}(?i)\bRayzky_\b.{0,5}' - - '.{0,5}(?i)\bRXR\b.{0,5}' - - '.{0,5}(?i)\bTOP-TEAM\b.{0,5}' - - '.{0,5}(?i)\bMagelang6etar\b.{0,5}' - - '.{0,5}(?i)\bifactoryx\b.{0,5}' - - '.{0,5}(?i)\bthe_warri0r\b.{0,5}' - - '.{0,5}(?i)\bRed Eye\b.{0,5}' - - '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}' - - '.{0,5}(?i)\bs13doeL\b.{0,5}' - - '.{0,5}(?i)\bFallaga Team\b.{0,5}' - - '.{0,5}(?i)\bulow\b.{0,5}' - - '.{0,5}(?i)\bSPYKIDS\b.{0,5}' - - '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}' - - '.{0,5}(?i)\blinuXploit_crew\b.{0,5}' - - '.{0,5}(?i)\bIr4dex 735\b.{0,5}' - - '.{0,5}(?i)\bKingSam\b.{0,5}' - # Others groups or attackers - - '.{0,5}(?i)\bLapsus$\b.{0,5}' - - '.{0,5}(?i)\bLulzSec\b.{0,5}' - - '.{0,5}(?i)\bmilw0rm\b.{0,5}' - - '.{0,5}(?i)\bNoName05\b.{0,5}' - - '.{0,5}(?i)\bAnonymousSudan\b.{0,5}' - - '.{0,5}(?i)\bAnon_by\b.{0,5}' - - '.{0,5}(?i)\bAnonGhost\b.{0,5}' - - '.{0,5}(?i)\bTeam.Insane\b.{0,5}' - - '.{0,5}(?i)\bEagle Cyber\b.{0,5}' - # Hacktivism Operations - - '.{0,5}(?i)\bOpIsrael\b.{0,5}' - - '.{0,5}(?i)\bOpRussia\b.{0,5}' - - '.{0,5}(?i)\bOpIran\b.{0,5}' - - '.{0,5}(?i)\bOpPhilippines\b.{0,5}' - - '.{0,5}(?i)\bOpAustralia\b.{0,5}' - - '.{0,5}(?i)\bAnonymousItalia\b.{0,5}' - - '.{0,5}(?i)\bStopRussia\b.{0,5}' - - '.{0,5}(?i)\bStopInvasion\b.{0,5}' - - '.{0,5}(?i)\bWe.are.legion\b.{0,5}' - - '.{0,5}(?i)\bAnonOps\b.{0,5}' - - '.{0,5}(?i)\bOpGOP\b.{0,5}' - - '.{0,5}(?i)\bOpStonewall\b.{0,5}' - - '.{0,5}(?i)\bTangoDown\b.{0,5}' - - payloads: - path: - # Commom paths - - / - - /old - - /ssh - - /tmp - - /uploads - # Commom defacement files - - /index.html - - /index.php - - /indexx.html - - /defaced.html - - /readme.html - - /readme.php - - /kurd.html - - /kurd1943.html - - /evil.html - - /ghost.htm - - /pwnd.html - - /pwn.html - - /hacked.html - - /hacked.txt - - /1.php - - /1.txt - - /1.html - - /a.htm - - /a.html - - /a.php - - /V.txt - - /0day.txt - - /1337.txt - - /r00t.php - - /root.html - - /id.htm - - /by.html - - /by.htm - - /me.php - - /o.htm - - /O.html - - /a.php - - /a.html - - /z.php - - /zz.txt - - /z.txt - - /M.html - - /ie.txt - - /xxx.html - - /x.txt - - /logs.txt - - /ownz.html - - /update_note.txt - - /k.html - - /y.txt - - /T.html - - /ts.html - - /tr.html - - /core.html - - /el.htm - - /ie.htm - - /si.html - - /sad.html - - /fake.html - - /broken.html - - /buy.html - - /access.php - - /info.php - - /jquery.php - - /news.php - - /services.php - - /boxed.php - - /main.php - - /pbw.txt - - /aw.txt - - /hx.txt - - /vz.txt - - /cl.html - - /asi.html - - /public - - /cache - - /info.txt - - /ir.html - - /me.html - - /px.html - - /px.php - - /F.html - - /frost.txt - - /-.txt - - /!.txt