patch-1
pussycat0x 2024-04-01 15:41:09 +05:30
parent a7fcc6a76a
commit c38d4930ac
7 changed files with 206 additions and 0 deletions


@ -0,0 +1,30 @@
id: darkcomet-trojan
info:
name: DarkComet Trojan - Detect
author: pussycat0x
severity: info
description: |
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc[2]), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'DarkComet Trojan'
tags: network,c2,ir,osint,cti,darkcomet
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
port: 1604
read-size: 1024
matchers:
- type: word
words:
- "BF7CAB464EFB"
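Review bot: the description carries a stray footnote marker at `DarkCoderSc[2]` copied from the source text; drop the `[2]`. Style point: every other RAT template in this commit carries the `rat` tag, so `tags:` here should probably be `network,c2,ir,osint,cti,darkcomet,rat` for consistency.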


@ -0,0 +1,30 @@
id: darktrack-rat-trojan
info:
name: DarkTrack RAT Trojan - Detect
author: pussycat0x
severity: info
description: |
DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access and control over an infected device. The level of control these programs have varies, however, some can allow user-level manipulation of the affected machine.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'DarkTrack RAT Trojan'
tags: network,c2,ir,osint,cti,darktrack,rat
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
port: 60129
read-size: 1024
matchers:
- type: word
words:
- "Ga"
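Review bot: the matcher `Ga` is only two characters, so any listener on port 60129 whose first 1024 bytes of reply contain those two bytes will be reported as a DarkTrack C2. Tighten it with a longer fragment of the DarkTrack banner, or keep the word and add a second matcher (a `size` or `binary` check on the reply) under `matchers-condition: and`.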


@ -0,0 +1,29 @@
id: gh0st-rat-trojan
info:
name: Gh0st RAT Trojan - Detect
author: pussycat0x
severity: info
description: |
Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into many sensitive computer networks
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'Gh0st RAT Trojan'
tags: network,c2,ir,osint,cti,gh0st,rat
tcp:
- inputs:
- data: "\n"
host:
- "{{Hostname}}"
port: 443
read-size: 1024
matchers:
- type: word
words:
- "X"
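Review bot: a single-character matcher `X` is too weak for this probe: the template sends a bare newline to port 443, a port that normally speaks TLS, and any reply containing the byte 0x58 in the first 1024 bytes will flag the host as Gh0st. Match on a longer, protocol-specific fragment of the Gh0st reply, or combine the word with a `size` or `binary` matcher under `matchers-condition: and`. Minor: the description is missing its terminating period.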


@ -0,0 +1,28 @@
id: xtremerat-trojan
info:
name: XtremeRAT Trojan - Detect
author: pussycat0x
severity: info
description: |
The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums..
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
max-request: 1
shodan-query: product:'NanoCore RAT Trojan'
tags: network,c2,ir,osint,cti,nanocore,rat
tcp:
- inputs:
- data: "\n"
host:
- "{{Hostname}}"
port: 54984
read-size: 1024
matchers:
- type: word
words:
- "X"
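Review bot: the `id` and `name` say XtremeRAT, but the description, `shodan-query` and `tags` all describe NanoCore, and the same `id: xtremerat-trojan` is reused by the last file in this commit; two templates cannot share an id, so this one should be renamed to match its content (for example `id: nanocore-rat-trojan` and `name: NanoCore RAT Trojan - Detect`). Also: the description ends with a doubled period, `verified: true` is absent unlike the sibling templates, and the single-character matcher `X` has the same false-positive problem as the Gh0st template.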


@ -0,0 +1,30 @@
id: orcus-rat-trojan
info:
name: Orcus RAT Trojan - Detect
author: pussycat0x
severity: info
description: |
Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'Orcus RAT Trojan'
tags: network,c2,ir,osint,cti,orcus,rat
tcp:
- inputs:
- data: 160301007e0100007a03036609c7af2b4c85eaf3675a276eeee7025342c2e03855f07f7622645e02f49fb1000010130113021303002f000a00130039000401000041002b0009080303030203040300000d001a0018040106010403060308040806080708080809080b02010203003300020000000a000c000a001700180019001d0100
type: hex
host:
- "{{Hostname}}"
port: 10134
read-size: 1024
matchers:
- type: word
words:
- "OrcusServerCertificate0"
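Review bot: the long hex `data` is opaque to a reader; since it begins `16 03 01 ... 01` it is a TLS ClientHello, and the description (or a YAML comment) should say so, because this probe is a handshake rather than a banner grab like the other templates. Separately, the trailing `0` in `OrcusServerCertificate0` is the 0x30 SEQUENCE tag that follows the CN string in the DER-encoded certificate, so the match silently depends on certificate layout; `OrcusServerCertificate` alone is just as specific and more robust.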


@ -0,0 +1,29 @@
id: remcospro-rat-trojan
info:
name: Remcos Pro RAT Trojan - Detect
author: pussycat0x
severity: info
description: |
DarkTrack is a malicious program classified as a Remote Access Trojan (RAT). This type of malware enables remote access and control over an infected device. The level of control these programs have varies, however, some can allow user-level manipulation of the affected machine.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
max-request: 1
shodan-query: product:'Remcos Pro RAT Trojan'
tags: network,c2,ir,osint,cti,remcos,rat
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
port: 1604
read-size: 1024
matchers:
- type: word
words:
- "BF7CAB464EFB"
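Review bot: the description is copied from the DarkTrack template (it opens with "DarkTrack is a malicious program") and needs to describe Remcos Pro. More importantly, the probe is byte-for-byte the DarkComet template in this same commit: the same `2E` payload, the same port 1604 and the same `BF7CAB464EFB` match. As written it fires on exactly the hosts the DarkComet template fires on and cannot tell the two families apart; it needs Remcos-specific port and response bytes, and `verified: true` should only be added once it has been checked against a real Remcos Pro listener.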


@ -0,0 +1,30 @@
id: xtremerat-trojan
info:
name: XtremeRAT Trojan - Detect
author: pussycat0x
severity: info
description: |
Xtreme Rat is a Remote Access Trojan that can steal information. This RAT has been used in attacks targeting Israeli and Syrian governments last 2012.
reference:
- https://github.com/montysecurity/C2-Tracker/blob/main/tracker.py
metadata:
verified: true
max-request: 1
shodan-query: product:'XtremeRAT Trojan'
tags: network,c2,ir,osint,cti,xtreamerat
tcp:
- inputs:
- data: 2E
type: hex
host:
- "{{Hostname}}"
port: 10001
read-size: 1024
matchers:
- type: word
words:
- "X"
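Review bot: `id: xtremerat-trojan` duplicates the id of the fourth file in this commit (the one with the NanoCore description), so one of the two must be renamed. The tag `xtreamerat` is misspelled and will not match a search for `xtremerat`; and the single-character matcher `X` on port 10001 will match any reply containing 0x58, so a longer fragment or an additional `size`/`binary` matcher under `matchers-condition: and` is needed. Minor: "last 2012" in the description should read "in 2012".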