Reintroducing context feature.
parent
575ea833b6
commit
8d0b4c5e99
|
@ -15,7 +15,7 @@ info:
|
|||
- https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
|
||||
metadata:
|
||||
verified: true
|
||||
tags: misc,defacement,spam,hacktivism,osint
|
||||
tags: misc,defacement,spam,hacktivism,fuzz
|
||||
|
||||
http:
|
||||
- method: GET
|
||||
|
@ -31,8 +31,8 @@ http:
|
|||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
name: defacement-signature
|
||||
regex:
|
||||
# Commom defacement signatures
|
||||
- '(?i)\bhack[e|3]d.?(by)?\b'
|
||||
- '(?i)\bwh(00|oo)pz\b'
|
||||
- '(?i)\bdefaced.?(by)?\b'
|
||||
|
@ -48,11 +48,10 @@ http:
|
|||
- '(?i)\bBUY.WEBSHELL\b'
|
||||
- '(?i)\bHello.Admin\b'
|
||||
- '(?i)\bShootz\b'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: spamdexing
|
||||
regex:
|
||||
- '(?i)\bTouched\sby\b'
|
||||
- '(?i)\bHas.*been.*hacked\b'
|
||||
- '(?i)\bStamped\sBy\b'
|
||||
# Spamdexing
|
||||
- '(?i)\bcialis\b'
|
||||
- '(?i)\btadacip\b'
|
||||
- '(?i)\bpurinethol\b'
|
||||
|
@ -92,11 +91,7 @@ http:
|
|||
- '(?i)\win.the.lottery\b'
|
||||
- '(?i)\bwin.the.lotto\b'
|
||||
- '(?i)\bcassino\b'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: zone-h-top-50
|
||||
regex:
|
||||
# Attackets - Zone-H Top 50
|
||||
- '(?i)\bHmei7\b'
|
||||
- '(?i)\bd3b~x\b'
|
||||
- '(?i)\bIndex Php\b'
|
||||
|
@ -146,11 +141,7 @@ http:
|
|||
- '(?i)\blinuXploit_crew\b'
|
||||
- '(?i)\bIr4dex 735\b'
|
||||
- '(?i)\bKingSam\b'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: other-groups-attacker
|
||||
regex:
|
||||
# Others groups or attackers
|
||||
- '(?i)\bLapsus$\b'
|
||||
- '(?i)\bLulzSec\b'
|
||||
- '(?i)\bmilw0rm\b'
|
||||
|
@ -160,11 +151,6 @@ http:
|
|||
- '(?i)\bAnonGhost\b'
|
||||
- '(?i)\bTeam.Insane\b'
|
||||
- '(?i)\bEagle Cyber\b'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: hacktivism-operation
|
||||
regex:
|
||||
- '(?i)\bOpIsrael\b'
|
||||
- '(?i)\bOpRussia\b'
|
||||
- '(?i)\bOpIran\b'
|
||||
|
@ -185,6 +171,160 @@ http:
|
|||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
name: defacement-signature
|
||||
regex:
|
||||
- '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bXploit\b.{0,5}'
|
||||
- '.{0,5}(?i)\brulez\b.{0,5}'
|
||||
- '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'
|
||||
- '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHack.Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHello.Admin\b.{0,5}'
|
||||
- '.{0,5}(?i)\bShootz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTouched\sby\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}'
|
||||
- '.{0,5}(?i)\bStamped\sBy\b.{0,5}'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: spamdexing
|
||||
regex:
|
||||
- '.{0,5}(?i)\bcialis\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadacip\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpurinethol\b.{0,5}'
|
||||
- '.{0,5}(?i)\bbactrim\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfemale-cialis\b.{0,5}'
|
||||
- '.{0,5}(?i)\btoprol-xl\b.{0,5}'
|
||||
- '.{0,5}(?i)\bbupropion\b.{0,5}'
|
||||
- '.{0,5}(?i)\blevitra\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfeldene\b.{0,5}'
|
||||
- '.{0,5}(?i)\bapcalis\b.{0,5}'
|
||||
- '.{0,5}(?i)\batacand\b.{0,5}'
|
||||
- '.{0,5}(?i)\bzerit\b.{0,5}'
|
||||
- '.{0,5}(?i)\bisordil\b.{0,5}'
|
||||
- '.{0,5}(?i)\bviagra-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdanazol\b.{0,5}'
|
||||
- '.{0,5}(?i)\blasix\b.{0,5}'
|
||||
- '.{0,5}(?i)\bapcalis-sx\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadalafil\b.{0,5}'
|
||||
- '.{0,5}(?i)\bviagra-jelly\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadalis-sx\b.{0,5}'
|
||||
- '.{0,5}(?i)\btelmisartan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcialis-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\brevia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcardura\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfempro\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfemale-viagra\b.{0,5}'
|
||||
- '.{0,5}(?i)\berectalis\b.{0,5}'
|
||||
- '.{0,5}(?i)\bforzest\b.{0,5}'
|
||||
- '.{0,5}(?i)\bisoptin-sr\b.{0,5}'
|
||||
- '.{0,5}(?i)\bkamagra-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\blioresal\b.{0,5}'
|
||||
- '.{0,5}(?i)\bneoral\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcytoxan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bphenytoin\b.{0,5}'
|
||||
- '.{0,5}(?i)\bvibramycin\b.{0,5}'
|
||||
- '.{0,5}(?i)\binstant.fortune\b.{0,5}'
|
||||
- '.{0,5}(?i)\win.the.lottery\b.{0,5}'
|
||||
- '.{0,5}(?i)\bwin.the.lotto\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcassino\b.{0,5}'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: zone-h-top-50
|
||||
regex:
|
||||
- '.{0,5}(?i)\bHmei7\b.{0,5}'
|
||||
- '.{0,5}(?i)\bd3b~x\b.{0,5}'
|
||||
- '.{0,5}(?i)\bIndex Php\b.{0,5}'
|
||||
- '.{0,5}(?i)\biskorpitx\b.{0,5}'
|
||||
- '.{0,5}(?i)\bchinafans\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSejeal\b.{0,5}'
|
||||
- '.{0,5}(?i)\b1923Turk\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmuhmademad\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTeam_CC\b.{0,5}'
|
||||
- '.{0,5}(?i)\bimam\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmisafir\b.{0,5}'
|
||||
- '.{0,5}(?i)\bZoRRoKiN\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpanataran\b.{0,5}'
|
||||
- '.{0,5}(?i)\bGHoST61\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bFatal Error\b.{0,5}'
|
||||
- '.{0,5}(?i)\bErrOr SquaD\b.{0,5}'
|
||||
- '.{0,5}(?i)\bw4l3xzy3\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}'
|
||||
- '.{0,5}(?i)\bjok3r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHighTech\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTheWayEnd\b.{0,5}'
|
||||
- '.{0,5}(?i)\bLUN4T1C0\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKaMtiEz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHolaKo\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMiSh\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMister Spy\b.{0,5}'
|
||||
- '.{0,5}(?i)\bClash Hackers\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKkK1337\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKuroi\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBALA SNIPER\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRayzky_\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRXR\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTOP-TEAM\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMagelang6etar\b.{0,5}'
|
||||
- '.{0,5}(?i)\bifactoryx\b.{0,5}'
|
||||
- '.{0,5}(?i)\bthe_warri0r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRed Eye\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}'
|
||||
- '.{0,5}(?i)\bs13doeL\b.{0,5}'
|
||||
- '.{0,5}(?i)\bFallaga Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bulow\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSPYKIDS\b.{0,5}'
|
||||
- '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}'
|
||||
- '.{0,5}(?i)\blinuXploit_crew\b.{0,5}'
|
||||
- '.{0,5}(?i)\bIr4dex 735\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKingSam\b.{0,5}'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: other-groups-attacker
|
||||
regex:
|
||||
- '.{0,5}(?i)\bLapsus$\b.{0,5}'
|
||||
- '.{0,5}(?i)\bLulzSec\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmilw0rm\b.{0,5}'
|
||||
- '.{0,5}(?i)\bNoName05\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonymousSudan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnon_by\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonGhost\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTeam.Insane\b.{0,5}'
|
||||
- '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
|
||||
|
||||
- type: regex
|
||||
part: body
|
||||
name: hacktivism-operation
|
||||
regex:
|
||||
- '.{0,5}(?i)\bOpIsrael\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpRussia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpIran\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpPhilippines\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpAustralia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonymousItalia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bStopRussia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bStopInvasion\b.{0,5}'
|
||||
- '.{0,5}(?i)\bWe.are.legion\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonOps\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpGOP\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpStonewall\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTangoDown\b.{0,5}'
|
||||
|
||||
payloads:
|
||||
path:
|
||||
- /
|
||||
|
|
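Review bot: Two of the added extractor patterns do not match what their names suggest: `- '.{0,5}(?i)\win.the.lottery\b.{0,5}'` under `spamdexing` uses `\w` (any single word character) where `\b` was evidently intended, so it requires an extra character before "in" and never anchors on the word "win", and `- '.{0,5}(?i)\bLapsus$\b.{0,5}'` under `other-groups-attacker` has an unescaped `$`, which is an end-of-input anchor rather than a literal, so that pattern only fires when "Lapsus" is the very last text in the body. The fixes are `- '.{0,5}(?i)\bwin.the.lottery\b.{0,5}'` and `- '.{0,5}(?i)\bLapsus\$\b.{0,5}'`. The same two patterns appear as context lines in the existing matchers (the `-92,11` and `-146,11` hunks) and should be corrected together so that matcher and extractor fire on the same content. The `http` block these extractors belong to starts outside this hunk.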