Add Defacement Detection Template
Ricardo Maia
parent
32044b70c1
commit
bb6d184317
|
|
@ -0,0 +1,403 @@
|
|||
id: defacement-detector
|
||||
|
||||
info:
|
||||
name: Defacement Content Detector
|
||||
author: ricardomaia
|
||||
severity: info
|
||||
description: |
|
||||
This template detects defacement content in the response body, using a list of commom paths as payload.
|
||||
It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.
|
||||
The URL paths and regex rules were based on research from several sources.
|
||||
Other rules are based in the author's experience and are not exhaustive.
|
||||
reference:
|
||||
- https://www.zone-h.org
|
||||
- https://zone-xsec.com
|
||||
- https://hax.or.id
|
||||
- https://www.haxor.id
|
||||
- https://www.defacer.net
|
||||
- https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
|
||||
metadata:
|
||||
max-requests: 1
|
||||
tags: misc,monitoring,defacement,spam,hacktivism
|
||||
http:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}{{path}}"
|
||||
redirects: true
|
||||
max-redirects: 1
|
||||
|
||||
stop-at-first-match: true
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: regex
|
||||
part: body
|
||||
regex:
|
||||
# Commom defacement signatures
|
||||
- '(?i)\bhack[e|3]d.?(by)?\b'
|
||||
- '(?i)\bwh(00|oo)pz\b'
|
||||
- '(?i)\bdefaced.?(by)?\b'
|
||||
- '(?i)\bPa?wn(e|3)d.?(by)?\b'
|
||||
- '(?i)\b0wned.?(by)?\b'
|
||||
- '(?i)\bGreetz.?(to)?\b'
|
||||
- '(?i)\bXploit\b'
|
||||
- '(?i)\brulez\b'
|
||||
- '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b'
|
||||
- '(?i)\bh(a|4)x(o|0)r\b'
|
||||
- '(?i)\bHack.Team\b'
|
||||
- '(?i)\bpwnted.?(by)?\b'
|
||||
- '(?i)\bBUY.WEBSHELL\b'
|
||||
- '(?i)\bHello.Admin\b'
|
||||
- '(?i)\bShootz\b'
|
||||
- '(?i)\bTouched\sby\b' # Some false positives
|
||||
- '(?i)\bHas.*been.*hacked\b' # Some false positives
|
||||
- '(?i)\bStamped\sBy\b' # Some false positives
|
||||
# Spamdexing
|
||||
- '(?i)\bcialis\b'
|
||||
- '(?i)\btadacip\b'
|
||||
- '(?i)\bpurinethol\b'
|
||||
- '(?i)\bbactrim\b'
|
||||
- '(?i)\bfemale-cialis\b'
|
||||
- '(?i)\btoprol-xl\b'
|
||||
- '(?i)\bbupropion\b'
|
||||
- '(?i)\blevitra\b'
|
||||
- '(?i)\bfeldene\b'
|
||||
- '(?i)\bapcalis\b'
|
||||
- '(?i)\batacand\b'
|
||||
- '(?i)\bzerit\b'
|
||||
- '(?i)\bisordil\b'
|
||||
- '(?i)\bviagra-soft\b'
|
||||
- '(?i)\bdanazol\b'
|
||||
- '(?i)\blasix\b'
|
||||
- '(?i)\bapcalis-sx\b'
|
||||
- '(?i)\btadalafil\b'
|
||||
- '(?i)\bviagra-jelly\b'
|
||||
- '(?i)\btadalis-sx\b'
|
||||
- '(?i)\btelmisartan\b'
|
||||
- '(?i)\bcialis-soft\b'
|
||||
- '(?i)\brevia\b'
|
||||
- '(?i)\bcardura\b'
|
||||
- '(?i)\bfempro\b'
|
||||
- '(?i)\bfemale-viagra\b'
|
||||
- '(?i)\berectalis\b'
|
||||
- '(?i)\bforzest\b'
|
||||
- '(?i)\bisoptin-sr\b'
|
||||
- '(?i)\bkamagra-soft\b'
|
||||
- '(?i)\blioresal\b'
|
||||
- '(?i)\bneoral\b'
|
||||
- '(?i)\bcytoxan\b'
|
||||
- '(?i)\bphenytoin\b'
|
||||
- '(?i)\bvibramycin\b'
|
||||
- '(?i)\binstant.fortune\b'
|
||||
- '(?i)\win.the.lottery\b'
|
||||
- '(?i)\bwin.the.lotto\b'
|
||||
- '(?i)\bcassino\b'
|
||||
# Attackets - Zone-H Top 50
|
||||
- '(?i)\bHmei7\b'
|
||||
- '(?i)\bd3b~x\b'
|
||||
- '(?i)\bIndex Php\b'
|
||||
- '(?i)\biskorpitx\b'
|
||||
- '(?i)\bchinafans\b'
|
||||
- '(?i)\bSejeal\b'
|
||||
- '(?i)\b1923Turk\b'
|
||||
- '(?i)\bmuhmademad\b'
|
||||
- '(?i)\bTeam_CC\b'
|
||||
- '(?i)\bimam\b'
|
||||
- '(?i)\bmisafir\b'
|
||||
- '(?i)\bZoRRoKiN\b'
|
||||
- '(?i)\bpanataran\b'
|
||||
- '(?i)\bGHoST61\b'
|
||||
- '(?i)\bAshiyane Digital Security Team\b'
|
||||
- '(?i)\bFatal Error\b'
|
||||
- '(?i)\bErrOr SquaD\b'
|
||||
- '(?i)\bw4l3xzy3\b'
|
||||
- '(?i)\bBD GREY HAT HACKERS\b'
|
||||
- '(?i)\bSA3D HaCk3D\b'
|
||||
- '(?i)\bjok3r\b'
|
||||
- '(?i)\bHighTech\b'
|
||||
- '(?i)\bMr.Kro0oz\b'
|
||||
- '(?i)\bTheWayEnd\b'
|
||||
- '(?i)\bLUN4T1C0\b'
|
||||
- '(?i)\bKaMtiEz\b'
|
||||
- '(?i)\bHolaKo\b'
|
||||
- '(?i)\bMiSh\b'
|
||||
- '(?i)\bMister Spy\b'
|
||||
- '(?i)\bClash Hackers\b'
|
||||
- '(?i)\bKkK1337\b'
|
||||
- '(?i)\bKuroi\b'
|
||||
- '(?i)\bBALA SNIPER\b'
|
||||
- '(?i)\bRayzky_\b'
|
||||
- '(?i)\bRXR\b'
|
||||
- '(?i)\bTOP-TEAM\b'
|
||||
- '(?i)\bMagelang6etar\b'
|
||||
- '(?i)\bifactoryx\b'
|
||||
- '(?i)\bthe_warri0r\b'
|
||||
- '(?i)\bRed Eye\b'
|
||||
- '(?i)\bdarkshadow-tn\b'
|
||||
- '(?i)\bs13doeL\b'
|
||||
- '(?i)\bFallaga Team\b'
|
||||
- '(?i)\bulow\b'
|
||||
- '(?i)\bSPYKIDS\b'
|
||||
- '(?i)\bCyb3r_Sw0rd\b'
|
||||
- '(?i)\blinuXploit_crew\b'
|
||||
- '(?i)\bIr4dex 735\b'
|
||||
- '(?i)\bKingSam\b'
|
||||
# Others groups or attackers
|
||||
- '(?i)\bLapsus$\b'
|
||||
- '(?i)\bLulzSec\b'
|
||||
- '(?i)\bmilw0rm\b'
|
||||
- '(?i)\bNoName05\b'
|
||||
- '(?i)\bAnonymousSudan\b'
|
||||
- '(?i)\bAnon_by\b'
|
||||
- '(?i)\bAnonGhost\b'
|
||||
- '(?i)\bTeam.Insane\b'
|
||||
- '(?i)\bEagle Cyber\b'
|
||||
# Hacktivism Operations
|
||||
- '(?i)\bOpIsrael\b'
|
||||
- '(?i)\bOpRussia\b'
|
||||
- '(?i)\bOpIran\b'
|
||||
- '(?i)\bOpPhilippines\b'
|
||||
- '(?i)\bOpAustralia\b'
|
||||
- '(?i)\bAnonymousItalia\b'
|
||||
- '(?i)\bStopRussia\b'
|
||||
- '(?i)\bStopInvasion\b'
|
||||
- '(?i)\bWe.are.legion\b'
|
||||
- '(?i)\bAnonOps\b'
|
||||
- '(?i)\bOpGOP\b'
|
||||
- '(?i)\bOpStonewall\b'
|
||||
- '(?i)\bTangoDown\b'
|
||||
- '(?i)\bFREE_PALESTINE\b'
|
||||
- '(?i)\bFREE_AL-AQSA\b'
|
||||
|
||||
- type: status
|
||||
status:
|
||||
- 200
|
||||
|
||||
extractors:
|
||||
- type: regex
|
||||
part: body
|
||||
# Five characters before and after the match
|
||||
name: text-snippet
|
||||
regex:
|
||||
# Commom defacement signatures
|
||||
- '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bXploit\b.{0,5}'
|
||||
- '.{0,5}(?i)\brulez\b.{0,5}'
|
||||
- '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'
|
||||
- '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHack.Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHello.Admin\b.{0,5}'
|
||||
- '.{0,5}(?i)\bShootz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTouched\sby\b.{0,5}' # Some false positives
|
||||
- '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}' # Some false positives
|
||||
- '.{0,5}(?i)\bStamped\sBy\b.{0,5}' # Some false positives
|
||||
# Spamdexing
|
||||
- '.{0,5}(?i)\bcialis\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadacip\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpurinethol\b.{0,5}'
|
||||
- '.{0,5}(?i)\bbactrim\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfemale-cialis\b.{0,5}'
|
||||
- '.{0,5}(?i)\btoprol-xl\b.{0,5}'
|
||||
- '.{0,5}(?i)\bbupropion\b.{0,5}'
|
||||
- '.{0,5}(?i)\blevitra\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfeldene\b.{0,5}'
|
||||
- '.{0,5}(?i)\bapcalis\b.{0,5}'
|
||||
- '.{0,5}(?i)\batacand\b.{0,5}'
|
||||
- '.{0,5}(?i)\bzerit\b.{0,5}'
|
||||
- '.{0,5}(?i)\bisordil\b.{0,5}'
|
||||
- '.{0,5}(?i)\bviagra-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdanazol\b.{0,5}'
|
||||
- '.{0,5}(?i)\blasix\b.{0,5}'
|
||||
- '.{0,5}(?i)\bapcalis-sx\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadalafil\b.{0,5}'
|
||||
- '.{0,5}(?i)\bviagra-jelly\b.{0,5}'
|
||||
- '.{0,5}(?i)\btadalis-sx\b.{0,5}'
|
||||
- '.{0,5}(?i)\btelmisartan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcialis-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\brevia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcardura\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfempro\b.{0,5}'
|
||||
- '.{0,5}(?i)\bfemale-viagra\b.{0,5}'
|
||||
- '.{0,5}(?i)\berectalis\b.{0,5}'
|
||||
- '.{0,5}(?i)\bforzest\b.{0,5}'
|
||||
- '.{0,5}(?i)\bisoptin-sr\b.{0,5}'
|
||||
- '.{0,5}(?i)\bkamagra-soft\b.{0,5}'
|
||||
- '.{0,5}(?i)\blioresal\b.{0,5}'
|
||||
- '.{0,5}(?i)\bneoral\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcytoxan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bphenytoin\b.{0,5}'
|
||||
- '.{0,5}(?i)\bvibramycin\b.{0,5}'
|
||||
- '.{0,5}(?i)\binstant.fortune\b.{0,5}'
|
||||
- '.{0,5}(?i)\win.the.lottery\b.{0,5}'
|
||||
- '.{0,5}(?i)\bwin.the.lotto\b.{0,5}'
|
||||
- '.{0,5}(?i)\bcassino\b.{0,5}'
|
||||
# Attackets - Zone-H Top 50
|
||||
- '.{0,5}(?i)\bHmei7\b.{0,5}'
|
||||
- '.{0,5}(?i)\bd3b~x\b.{0,5}'
|
||||
- '.{0,5}(?i)\bIndex Php\b.{0,5}'
|
||||
- '.{0,5}(?i)\biskorpitx\b.{0,5}'
|
||||
- '.{0,5}(?i)\bchinafans\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSejeal\b.{0,5}'
|
||||
- '.{0,5}(?i)\b1923Turk\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmuhmademad\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTeam_CC\b.{0,5}'
|
||||
- '.{0,5}(?i)\bimam\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmisafir\b.{0,5}'
|
||||
- '.{0,5}(?i)\bZoRRoKiN\b.{0,5}'
|
||||
- '.{0,5}(?i)\bpanataran\b.{0,5}'
|
||||
- '.{0,5}(?i)\bGHoST61\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bFatal Error\b.{0,5}'
|
||||
- '.{0,5}(?i)\bErrOr SquaD\b.{0,5}'
|
||||
- '.{0,5}(?i)\bw4l3xzy3\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}'
|
||||
- '.{0,5}(?i)\bjok3r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHighTech\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTheWayEnd\b.{0,5}'
|
||||
- '.{0,5}(?i)\bLUN4T1C0\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKaMtiEz\b.{0,5}'
|
||||
- '.{0,5}(?i)\bHolaKo\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMiSh\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMister Spy\b.{0,5}'
|
||||
- '.{0,5}(?i)\bClash Hackers\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKkK1337\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKuroi\b.{0,5}'
|
||||
- '.{0,5}(?i)\bBALA SNIPER\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRayzky_\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRXR\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTOP-TEAM\b.{0,5}'
|
||||
- '.{0,5}(?i)\bMagelang6etar\b.{0,5}'
|
||||
- '.{0,5}(?i)\bifactoryx\b.{0,5}'
|
||||
- '.{0,5}(?i)\bthe_warri0r\b.{0,5}'
|
||||
- '.{0,5}(?i)\bRed Eye\b.{0,5}'
|
||||
- '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}'
|
||||
- '.{0,5}(?i)\bs13doeL\b.{0,5}'
|
||||
- '.{0,5}(?i)\bFallaga Team\b.{0,5}'
|
||||
- '.{0,5}(?i)\bulow\b.{0,5}'
|
||||
- '.{0,5}(?i)\bSPYKIDS\b.{0,5}'
|
||||
- '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}'
|
||||
- '.{0,5}(?i)\blinuXploit_crew\b.{0,5}'
|
||||
- '.{0,5}(?i)\bIr4dex 735\b.{0,5}'
|
||||
- '.{0,5}(?i)\bKingSam\b.{0,5}'
|
||||
# Others groups or attackers
|
||||
- '.{0,5}(?i)\bLapsus$\b.{0,5}'
|
||||
- '.{0,5}(?i)\bLulzSec\b.{0,5}'
|
||||
- '.{0,5}(?i)\bmilw0rm\b.{0,5}'
|
||||
- '.{0,5}(?i)\bNoName05\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonymousSudan\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnon_by\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonGhost\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTeam.Insane\b.{0,5}'
|
||||
- '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
|
||||
# Hacktivism Operations
|
||||
- '.{0,5}(?i)\bOpIsrael\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpRussia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpIran\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpPhilippines\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpAustralia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonymousItalia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bStopRussia\b.{0,5}'
|
||||
- '.{0,5}(?i)\bStopInvasion\b.{0,5}'
|
||||
- '.{0,5}(?i)\bWe.are.legion\b.{0,5}'
|
||||
- '.{0,5}(?i)\bAnonOps\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpGOP\b.{0,5}'
|
||||
- '.{0,5}(?i)\bOpStonewall\b.{0,5}'
|
||||
- '.{0,5}(?i)\bTangoDown\b.{0,5}'
|
||||
|
||||
payloads:
|
||||
path:
|
||||
# Commom paths
|
||||
- /
|
||||
- /old
|
||||
- /ssh
|
||||
- /tmp
|
||||
- /uploads
|
||||
# Commom defacement files
|
||||
- /index.html
|
||||
- /index.php
|
||||
- /indexx.html
|
||||
- /defaced.html
|
||||
- /readme.html
|
||||
- /readme.php
|
||||
- /kurd.html
|
||||
- /kurd1943.html
|
||||
- /evil.html
|
||||
- /ghost.htm
|
||||
- /pwnd.html
|
||||
- /pwn.html
|
||||
- /hacked.html
|
||||
- /hacked.txt
|
||||
- /1.php
|
||||
- /1.txt
|
||||
- /1.html
|
||||
- /a.htm
|
||||
- /a.html
|
||||
- /a.php
|
||||
- /V.txt
|
||||
- /0day.txt
|
||||
- /1337.txt
|
||||
- /r00t.php
|
||||
- /root.html
|
||||
- /id.htm
|
||||
- /by.html
|
||||
- /by.htm
|
||||
- /me.php
|
||||
- /o.htm
|
||||
- /O.html
|
||||
- /a.php
|
||||
- /a.html
|
||||
- /z.php
|
||||
- /zz.txt
|
||||
- /z.txt
|
||||
- /M.html
|
||||
- /ie.txt
|
||||
- /xxx.html
|
||||
- /x.txt
|
||||
- /logs.txt
|
||||
- /ownz.html
|
||||
- /update_note.txt
|
||||
- /k.html
|
||||
- /y.txt
|
||||
- /T.html
|
||||
- /ts.html
|
||||
- /tr.html
|
||||
- /core.html
|
||||
- /el.htm
|
||||
- /ie.htm
|
||||
- /si.html
|
||||
- /sad.html
|
||||
- /fake.html
|
||||
- /broken.html
|
||||
- /buy.html
|
||||
- /access.php
|
||||
- /info.php
|
||||
- /jquery.php
|
||||
- /news.php
|
||||
- /services.php
|
||||
- /boxed.php
|
||||
- /main.php
|
||||
- /pbw.txt
|
||||
- /aw.txt
|
||||
- /hx.txt
|
||||
- /vz.txt
|
||||
- /cl.html
|
||||
- /asi.html
|
||||
- /public
|
||||
- /cache
|
||||
- /info.txt
|
||||
- /ir.html
|
||||
- /me.html
|
||||
- /px.html
|
||||
- /px.php
|
||||
- /F.html
|
||||
- /frost.txt
|
||||
- /-.txt
|
||||
- /!.txt
|
||||
Loading…
Reference in New Issue