From 8d0b4c5e99263853b1792ec5352a3a2a09a75ed7 Mon Sep 17 00:00:00 2001
From: Ricardo Maia
Date: Mon, 22 Jan 2024 14:02:29 -0300
Subject: [PATCH] Reintroducing context feature.

---
 http/miscellaneous/defacement-detect.yaml | 186 +++++++++++++++++++---
 1 file changed, 163 insertions(+), 23 deletions(-)

diff --git a/http/miscellaneous/defacement-detect.yaml b/http/miscellaneous/defacement-detect.yaml
index 238b44ea89..d54fc490fb 100644
--- a/http/miscellaneous/defacement-detect.yaml
+++ b/http/miscellaneous/defacement-detect.yaml
@@ -15,7 +15,7 @@ info:
 - https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
 metadata:
 verified: true
- tags: misc,defacement,spam,hacktivism,osint
+ tags: misc,defacement,spam,hacktivism,fuzz
 http:
 - method: GET
@@ -31,8 +31,8 @@ http:
 matchers:
 - type: regex
 part: body
- name: defacement-signature
 regex:
+ # Commom defacement signatures
 - '(?i)\bhack[e|3]d.?(by)?\b'
 - '(?i)\bwh(00|oo)pz\b'
 - '(?i)\bdefaced.?(by)?\b'
@@ -48,11 +48,10 @@ http:
 - '(?i)\bBUY.WEBSHELL\b'
 - '(?i)\bHello.Admin\b'
 - '(?i)\bShootz\b'
- - type: regex
- part: body
- name: spamdexing
- regex:
+ - '(?i)\bTouched\sby\b'
+ - '(?i)\bHas.*been.*hacked\b'
+ - '(?i)\bStamped\sBy\b'
+ # Spamdexing
 - '(?i)\bcialis\b'
 - '(?i)\btadacip\b'
 - '(?i)\bpurinethol\b'
@@ -92,11 +91,7 @@ http:
 - '(?i)\win.the.lottery\b'
 - '(?i)\bwin.the.lotto\b'
 - '(?i)\bcassino\b'
-
- - type: regex
- part: body
- name: zone-h-top-50
- regex:
+ # Attackets - Zone-H Top 50
 - '(?i)\bHmei7\b'
 - '(?i)\bd3b~x\b'
 - '(?i)\bIndex Php\b'
@@ -144,13 +139,9 @@ http:
 - '(?i)\bSPYKIDS\b'
 - '(?i)\bCyb3r_Sw0rd\b'
 - '(?i)\blinuXploit_crew\b'
- - '(?i)\bIr4dex 735\b'
+ - '(?i)\bIr4dex 735\b'
 - '(?i)\bKingSam\b'
-
- - type: regex
- part: body
- name: other-groups-attacker
- regex:
+ # Others groups or attackers
 - '(?i)\bLapsus$\b'
 - '(?i)\bLulzSec\b'
 - '(?i)\bmilw0rm\b'
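Review bot: The added `'(?i)\bHas.*been.*hacked\b'` signature in the -48 hunk is far looser than its neighbours: the two unbounded `.*` let "has", "been" and "hacked" sit anywhere on the same (possibly minified, very long) line, so an advisory or news page that mentions a breach will trip the single defacement matcher just as a real defacement would. Every other signature in this list bounds the gap to one character or a `\s`; `'(?i)\bhas\s+been\s+hacked\b'` keeps the intent while removing most of that false-positive surface. The regex list this hunk edits starts and ends outside the hunk.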
@@ -160,11 +151,6 @@ http:
 - '(?i)\bAnonGhost\b'
 - '(?i)\bTeam.Insane\b'
 - '(?i)\bEagle Cyber\b'
-
- - type: regex
- part: body
- name: hacktivism-operation
- regex:
 - '(?i)\bOpIsrael\b'
 - '(?i)\bOpRussia\b'
 - '(?i)\bOpIran\b'
@@ -185,6 +171,160 @@ http:
 status:
 - 200
+ extractors:
+ - type: regex
+ part: body
+ name: defacement-signature
+ regex:
+ - '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}'
+ - '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}'
+ - '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}'
+ - '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}'
+ - '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}'
+ - '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}'
+ - '.{0,5}(?i)\bXploit\b.{0,5}'
+ - '.{0,5}(?i)\brulez\b.{0,5}'
+ - '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'
+ - '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}'
+ - '.{0,5}(?i)\bHack.Team\b.{0,5}'
+ - '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}'
+ - '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}'
+ - '.{0,5}(?i)\bHello.Admin\b.{0,5}'
+ - '.{0,5}(?i)\bShootz\b.{0,5}'
+ - '.{0,5}(?i)\bTouched\sby\b.{0,5}'
+ - '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}'
+ - '.{0,5}(?i)\bStamped\sBy\b.{0,5}'
+
+ - type: regex
+ part: body
+ name: spamdexing
+ regex:
+ - '.{0,5}(?i)\bcialis\b.{0,5}'
+ - '.{0,5}(?i)\btadacip\b.{0,5}'
+ - '.{0,5}(?i)\bpurinethol\b.{0,5}'
+ - '.{0,5}(?i)\bbactrim\b.{0,5}'
+ - '.{0,5}(?i)\bfemale-cialis\b.{0,5}'
+ - '.{0,5}(?i)\btoprol-xl\b.{0,5}'
+ - '.{0,5}(?i)\bbupropion\b.{0,5}'
+ - '.{0,5}(?i)\blevitra\b.{0,5}'
+ - '.{0,5}(?i)\bfeldene\b.{0,5}'
+ - '.{0,5}(?i)\bapcalis\b.{0,5}'
+ - '.{0,5}(?i)\batacand\b.{0,5}'
+ - '.{0,5}(?i)\bzerit\b.{0,5}'
+ - '.{0,5}(?i)\bisordil\b.{0,5}'
+ - '.{0,5}(?i)\bviagra-soft\b.{0,5}'
+ - '.{0,5}(?i)\bdanazol\b.{0,5}'
+ - '.{0,5}(?i)\blasix\b.{0,5}'
+ - '.{0,5}(?i)\bapcalis-sx\b.{0,5}'
+ - '.{0,5}(?i)\btadalafil\b.{0,5}'
+ - '.{0,5}(?i)\bviagra-jelly\b.{0,5}'
+ - '.{0,5}(?i)\btadalis-sx\b.{0,5}'
+ - '.{0,5}(?i)\btelmisartan\b.{0,5}'
+ - '.{0,5}(?i)\bcialis-soft\b.{0,5}'
+ - '.{0,5}(?i)\brevia\b.{0,5}'
+ - '.{0,5}(?i)\bcardura\b.{0,5}'
+ - '.{0,5}(?i)\bfempro\b.{0,5}'
+ - '.{0,5}(?i)\bfemale-viagra\b.{0,5}'
+ - '.{0,5}(?i)\berectalis\b.{0,5}'
+ - '.{0,5}(?i)\bforzest\b.{0,5}'
+ - '.{0,5}(?i)\bisoptin-sr\b.{0,5}'
+ - '.{0,5}(?i)\bkamagra-soft\b.{0,5}'
+ - '.{0,5}(?i)\blioresal\b.{0,5}'
+ - '.{0,5}(?i)\bneoral\b.{0,5}'
+ - '.{0,5}(?i)\bcytoxan\b.{0,5}'
+ - '.{0,5}(?i)\bphenytoin\b.{0,5}'
+ - '.{0,5}(?i)\bvibramycin\b.{0,5}'
+ - '.{0,5}(?i)\binstant.fortune\b.{0,5}'
+ - '.{0,5}(?i)\win.the.lottery\b.{0,5}'
+ - '.{0,5}(?i)\bwin.the.lotto\b.{0,5}'
+ - '.{0,5}(?i)\bcassino\b.{0,5}'
+
+ - type: regex
+ part: body
+ name: zone-h-top-50
+ regex:
+ - '.{0,5}(?i)\bHmei7\b.{0,5}'
+ - '.{0,5}(?i)\bd3b~x\b.{0,5}'
+ - '.{0,5}(?i)\bIndex Php\b.{0,5}'
+ - '.{0,5}(?i)\biskorpitx\b.{0,5}'
+ - '.{0,5}(?i)\bchinafans\b.{0,5}'
+ - '.{0,5}(?i)\bSejeal\b.{0,5}'
+ - '.{0,5}(?i)\b1923Turk\b.{0,5}'
+ - '.{0,5}(?i)\bmuhmademad\b.{0,5}'
+ - '.{0,5}(?i)\bTeam_CC\b.{0,5}'
+ - '.{0,5}(?i)\bimam\b.{0,5}'
+ - '.{0,5}(?i)\bmisafir\b.{0,5}'
+ - '.{0,5}(?i)\bZoRRoKiN\b.{0,5}'
+ - '.{0,5}(?i)\bpanataran\b.{0,5}'
+ - '.{0,5}(?i)\bGHoST61\b.{0,5}'
+ - '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}'
+ - '.{0,5}(?i)\bFatal Error\b.{0,5}'
+ - '.{0,5}(?i)\bErrOr SquaD\b.{0,5}'
+ - '.{0,5}(?i)\bw4l3xzy3\b.{0,5}'
+ - '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}'
+ - '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}'
+ - '.{0,5}(?i)\bjok3r\b.{0,5}'
+ - '.{0,5}(?i)\bHighTech\b.{0,5}'
+ - '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}'
+ - '.{0,5}(?i)\bTheWayEnd\b.{0,5}'
+ - '.{0,5}(?i)\bLUN4T1C0\b.{0,5}'
+ - '.{0,5}(?i)\bKaMtiEz\b.{0,5}'
+ - '.{0,5}(?i)\bHolaKo\b.{0,5}'
+ - '.{0,5}(?i)\bMiSh\b.{0,5}'
+ - '.{0,5}(?i)\bMister Spy\b.{0,5}'
+ - '.{0,5}(?i)\bClash Hackers\b.{0,5}'
+ - '.{0,5}(?i)\bKkK1337\b.{0,5}'
+ - '.{0,5}(?i)\bKuroi\b.{0,5}'
+ - '.{0,5}(?i)\bBALA SNIPER\b.{0,5}'
+ - '.{0,5}(?i)\bRayzky_\b.{0,5}'
+ - '.{0,5}(?i)\bRXR\b.{0,5}'
+ - '.{0,5}(?i)\bTOP-TEAM\b.{0,5}'
+ - '.{0,5}(?i)\bMagelang6etar\b.{0,5}'
+ - '.{0,5}(?i)\bifactoryx\b.{0,5}'
+ - '.{0,5}(?i)\bthe_warri0r\b.{0,5}'
+ - '.{0,5}(?i)\bRed Eye\b.{0,5}'
+ - '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}'
+ - '.{0,5}(?i)\bs13doeL\b.{0,5}'
+ - '.{0,5}(?i)\bFallaga Team\b.{0,5}'
+ - '.{0,5}(?i)\bulow\b.{0,5}'
+ - '.{0,5}(?i)\bSPYKIDS\b.{0,5}'
+ - '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}'
+ - '.{0,5}(?i)\blinuXploit_crew\b.{0,5}'
+ - '.{0,5}(?i)\bIr4dex 735\b.{0,5}'
+ - '.{0,5}(?i)\bKingSam\b.{0,5}'
+
+ - type: regex
+ part: body
+ name: other-groups-attacker
+ regex:
+ - '.{0,5}(?i)\bLapsus$\b.{0,5}'
+ - '.{0,5}(?i)\bLulzSec\b.{0,5}'
+ - '.{0,5}(?i)\bmilw0rm\b.{0,5}'
+ - '.{0,5}(?i)\bNoName05\b.{0,5}'
+ - '.{0,5}(?i)\bAnonymousSudan\b.{0,5}'
+ - '.{0,5}(?i)\bAnon_by\b.{0,5}'
+ - '.{0,5}(?i)\bAnonGhost\b.{0,5}'
+ - '.{0,5}(?i)\bTeam.Insane\b.{0,5}'
+ - '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
+
+ - type: regex
+ part: body
+ name: hacktivism-operation
+ regex:
+ - '.{0,5}(?i)\bOpIsrael\b.{0,5}'
+ - '.{0,5}(?i)\bOpRussia\b.{0,5}'
+ - '.{0,5}(?i)\bOpIran\b.{0,5}'
+ - '.{0,5}(?i)\bOpPhilippines\b.{0,5}'
+ - '.{0,5}(?i)\bOpAustralia\b.{0,5}'
+ - '.{0,5}(?i)\bAnonymousItalia\b.{0,5}'
+ - '.{0,5}(?i)\bStopRussia\b.{0,5}'
+ - '.{0,5}(?i)\bStopInvasion\b.{0,5}'
+ - '.{0,5}(?i)\bWe.are.legion\b.{0,5}'
+ - '.{0,5}(?i)\bAnonOps\b.{0,5}'
+ - '.{0,5}(?i)\bOpGOP\b.{0,5}'
+ - '.{0,5}(?i)\bOpStonewall\b.{0,5}'
+ - '.{0,5}(?i)\bTangoDown\b.{0,5}'
+
 payloads:
 path:
 - /
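Review bot: Two of the patterns copied into the new extractors are effectively dead as written. In `'.{0,5}(?i)\bLapsus$\b.{0,5}'` the unescaped `$` is an end-of-text anchor, not the literal dollar of the group name, so it can only fire when "Lapsus" is the very last thing in the body; and in `'.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'` the parentheses are capture groups, so it matches `uid=0root` rather than the `uid=0(root)` that a leaked `id` output actually prints. Escaping them as `\bLapsus\$` (dropping the trailing `\b`, since `$` is not a word character) and `\buid=0\(root\).?gid=0\(root\).?groups=0\(root\)\b` restores the intent, and `'.{0,5}(?i)\win.the.lottery\b.{0,5}'` has the same kind of slip with `\w` where `\b` was meant. The identical patterns sit in the matcher list earlier in the file and need the same fix, otherwise the matcher and the extractors disagree on what counts as a hit.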