Hunting query for suspicious PowerShell content in HTTP response bodies, with negations for common hosting/CDN domains, error status codes and placeholder page titles
| web.endpoints.http.body=~`(powershell|PowerShell|Powershell)` and web.endpoints.http.body=~`(atob\s*\(|_0x[a-f0-9]{4}|eval\s*\(|String\.fromCharCode|-enc\s+[A-Za-z0-9+/=]{20,}|navigator\.clipboard)` and not web.threats: * | |
| and not web.hostname=~`.*\.shopify\.com$` and not web.hostname=~`.*\.myshopify\.com$` and not web.hostname=~`.*\.squarespace\.com$` and not web.hostname=~`.*\.wix\.com$` and not web.hostname=~`.*\.wixsite\.com$` and not web.hostname=~`.*\.webflow\.io$` and not web.hostname=~`.*\.godaddysites\.com$` and not web.hostname=~`.*\.weebly\.com$` and not web.hostname=~`.*\.wordpress\.com$` and not web.hostname=~`.*\.blogger\.com$` and not web.hostname=~`.*\.blogspot\.com$` and not web.hostname=~`.*\.jimdo\.com$` and not web.hostname=~`.*\.site123\.me$` and not web.hostname=~`.*\.strikingly\.com$` and not web.hostname=~`.*\.github\.io$` and not web.hostname=~`.*\.github\.com$` and not web.hostname=~`.*\.googleapis\.com$` and not web.hostname=~`.*\.azurewebsites\.net$` and not web.hostname=~`.*\.azure-api\.net$` and not web.hostname=~`.*\.herokuapp\.com$` and not web.hostname=~`.*\.netlify\.app$` and not web.hostname=~`.*\.vercel\.app$` and not web.hostname=~`.*\.pages\.dev$` and not web.hostname=~`.*\.workers\.dev$` and not web.hostname=~`.*\.firebaseapp\.com$` and not web.hostname=~`.*\.web\.app$` and not web.hostname=~`.*\.amplifyapp\.com$` and not web.hostname=~`.*\.onrender\.com$` and not web.hostname=~`.*\.cloudfront\.net$` and not web.hostname=~`.*\.akamaized\.net$` and not web.hostname=~`.*\.fastly\.net$` and not web.hostname=~`.*\.cdn\.cloudflare\.net$` and not web.hostname=~`.*\.edgekey\.net$` and not web.hostname=~`.*\.facebook\.com$` and not web.hostname=~`.*\.twitter\.com$` and not web.hostname=~`.*\.linkedin\.com$` and not web.hostname=~`.*\.youtube\.com$` and not web.hostname=~`.*\.instagram\.com$` and not web.hostname=~`.*\.tiktok\.com$` and not web.hostname=~`.*\.reddit\.com$` and not web.hostname=~`.*\.medium\.com$` and not web.hostname=~`.*\.outlook\.com$` and not web.hostname=~`.*\.office\.com$` and not web.hostname=~`.*\.google\.com$` and not web.hostname=~`.*\.microsoft\.com$` | |
| and not web.endpoints.http.status_code: {301, 302, 303, 307, 308, 400, 401, 403, 404, 406, 410, 412, 415, 421, 423, 429, 500, 502, 503, 504, 521, 522, 525, 526, 530} | |
| and not web.endpoints.http.html_title: { | |
| "400 The plain HTTP request was sent to HTTPS port", | |
| "", | |
| "page not found", | |
| "not found", | |
| "parked", | |
| "default page", | |
| "index of", | |
| "access denied", | |
| "forbidden", | |
| "under construction", | |
| "coming soon", | |
| "service unavailable", | |
| "temporarily unavailable", | |
| "unauthorized", | |
| "bad request", | |
| "request timeout", | |
| "gateway timeout", | |
| "too many requests", | |
| "welcome to nginx", | |
| "apache2 ubuntu default page", | |
| "iis windows server", | |
| "nginx error", | |
| "302 Found", | |
| "Error", | |
| "308 Permanent Redirect", | |
| "307 Temporary Redirect", | |
| "303 See Other", | |
| "406 Not Acceptable", | |
| "410 Gone", | |
| "421 Misdirected Request", | |
| "423 Locked", | |
| "429", | |
| "404", | |
| "493", | |
| "456", | |
| "555 Security Incident Detected", | |
| "415 Unsupported Media Type", | |
| "Redirect", | |
| "Redirect...", | |
| "Redirecting", | |
| "Redirecting...", | |
| "You are being redirected...", | |
| "Page Redirection", | |
| "Redirection", | |
| "Redireccionar", | |
| "Document Moved", | |
| "ドキュメント移動", | |
| "Loading", | |
| "Loading...", | |
| "正在加载...", | |
| "One moment, please...", | |
| "One moment...", | |
| "Just a moment...", | |
| "Pardon Our Interruption", | |
| "Human Verification", | |
| "Bot Verification", | |
| "CAPTCHA", | |
| "Client Challenge", | |
| "Making sure you're not a bot!", | |
| "Protected by cdndefend, verifying your browser...", | |
| "Please verify you are not a bot", | |
| "verifying your browser", | |
| "Request Rejected", | |
| "网站防火墙", | |
| "阿里云 Web应用防火墙", | |
| "当前网络访问异常,请验证是否真人访问", | |
| "安全检测...", | |
| "Sorry, the website has been stopped", | |
| "Sorry, there was a problem with the page", | |
| "The website could not be found", | |
| "This website is no longer available", | |
| "Website Unavailable", | |
| "Site Unavailable", | |
| "Site does not exist", | |
| "Unknown Domain", | |
| "Unknown Site", | |
| "没有找到站点", | |
| "無効なURLです", | |
| "暂时无法访问", | |
| "Halaman Tidak Dapat Diakses", | |
| "This website has been suspended!", | |
| "Account Suspended", | |
| "Domain has been suspended", | |
| "Your domain is suspended", | |
| "Your domain is expired", | |
| "Expired", | |
| "Suspended Domain", | |
| "Website Suspended", | |
| "Domain Suspension", | |
| "NameBright - Domain Expired", | |
| "Domain parking page", | |
| "Parking Page", | |
| "Namecheap Parking Page", | |
| "Domain For Sale", | |
| "This domain name for sale!", | |
| "porkbun.com | domain for sale", | |
| "Porkbun.com | Hosted Site", | |
| "STRATO - Domain reserved", | |
| "STRATO - Domain not available", | |
| "TransIP - Reserved domain", | |
| "抱歉,站点已暂停", | |
| "域名到期-域名续费提醒", | |
| "域名未配置", | |
| "域名已过期,无法正常使用", | |
| "域名已过期 - DNSPod-免费智能DNS解析服务商-电信_网通_教育网,智能DNS", | |
| "当前访问域名未绑定", | |
| "域名解析成功!但是没有绑定", | |
| "域名未绑定 - CDN系统", | |
| "域名售卖", | |
| "売り出し中のドメイン名です", | |
| "ドメイン登録済み", | |
| "ドメイン有効期限切れ", | |
| "– このドメインはお名前.comで取得されています。", | |
| "ICANN Verification Required", | |
| "Registrant WHOIS contact information verification ...", | |
| "Mikroot - Abonnement Expiré", | |
| "Default Site", | |
| "Default Website Page", | |
| "Default Content", | |
| "Default Parallels Plesk Panel Page", | |
| "Default Parallels Plesk Page", | |
| "Plesk Obsidian", | |
| "FASTPANEL", | |
| "HTTP Server Test Page", | |
| "Server Test Page", | |
| "Apache HTTP Server Test Page powered by CentOS", | |
| "Test Page for the Nginx HTTP Server on Red Hat Ent ...", | |
| "Test Page for the HTTP Server on AlmaLinux", | |
| "It works! Apache httpd", | |
| "Welcome to OpenResty!", | |
| "Welcome to CentOS", | |
| "Hello! Welcome to Synology Web Station!", | |
| "IIS7", | |
| "IIS Windows", | |
| "默认页面", | |
| "エックスサーバー サーバー初期ページ", | |
| "Página padrão", | |
| "Page par défaut", | |
| "Página por defecto", | |
| "This server is powered by PebbleHost!", | |
| "Server Installation Success", | |
| "Create Next App", | |
| "Vite App", | |
| "Vite + React", | |
| "Vite + React + TS", | |
| "React App", | |
| "Hello World", | |
| "Caddy works!", | |
| "Your Azure Function App is up and running.", | |
| "Microsoft Azure App Service - Welcome", | |
| "Welcome to your Strapi app", | |
| "Starter Template · Bootstrap", | |
| "This site is under development", | |
| "This site is brand new", | |
| "This domain is brand new", | |
| "Site is created successfully!", | |
| "Site is created successfully", | |
| "Website is ready. The content is to be added", | |
| "This site is temporarily closed for maintenance", | |
| "Site Maintenance", | |
| "Maintenance", | |
| "Site Offline", | |
| "Site en construction", | |
| "En construction", | |
| "Site en cours d'installation", | |
| "Prochainement disponible", | |
| "Próximamente", | |
| "Demnächst verfügbar", | |
| "Em breve", | |
| "近日中に公開", | |
| "精彩即将呈现,请稍等…", | |
| "恭喜,站点创建成功!", | |
| "Webcake | Chưa xuất bản", | |
| "My Blog", | |
| "My Blog - My WordPress Blog", | |
| "My blog – Just another WordPress site", | |
| "Just another WordPress site", | |
| "WordPress", | |
| "WordPress – Un site utilisant WordPress", | |
| "Untitled", | |
| "Untitled Document", | |
| "Site Title", | |
| "No Index", | |
| "Index", | |
| "index", | |
| "Title", | |
| ".", | |
| "-", | |
| "...", | |
| "/", | |
| "​", | |
| "Invalid SSL certificate", | |
| "SSL handshake failed", | |
| "Web server is down", | |
| "unrecognized host name", | |
| "Site Not SSL - CDN", | |
| "请使用域名访问", | |
| "sudun请使用域名访问", | |
| "自动解析到提醒页面", | |
| "站点未配置SSL证书 - CDN 3.0", | |
| "530 - 访问限制" | |
| } | |
| and not web.endpoints.http.html_title: { | |
| "400 Bad Request", | |
| "301 Moved Permanently", | |
| "403 Forbidden", | |
| "404 Not Found", | |
| "Error 301", | |
| "Error 502", | |
| "Attention Required! | Cloudflare", | |
| "请验证... / Please verify...", | |
| " 301 Moved Permanently", | |
| "Welcome to nginx!" | |
| } | |
| and not web.endpoints.http.html_title: { | |
| "welcome", | |
| "Welcome", | |
| "Welcome!", | |
| "Home", | |
| "Document", | |
| "Success!", | |
| "New API", | |
| "APP", | |
| "欢迎", | |
| "欢迎访问", | |
| "欢迎光临", | |
| "欢迎您", | |
| "首页", | |
| "我的网站", | |
| "终端", | |
| "应用平台", | |
| "后台管理系统", | |
| "正在加载中", | |
| "加载中...", | |
| "测试页 - IP 信息", | |
| "套餐到期", | |
| "网站维护中", | |
| "浏览器安全检查...", | |
| "欢迎使用ChineseStack", | |
| "414 Request-URI Too Large", | |
| "512 - 访问限制", | |
| "SoftEther VPN Server", | |
| "Roundcube Webmail :: Welcome to Roundcube Webmail", | |
| "Webmail Login", | |
| "WebKnight Application Firewall Alert", | |
| "Laravel", | |
| "SeoMS", | |
| "Kodomain Signature Entrance", | |
| " - - Hotel in - ", | |
| "11111Welcome to nginx!" | |
| } | |
| and not web.endpoints.http.html_title=~`.*\|\s(521: Web server is down|522: Connection timed out|525: SSL handshake failed|526: Invalid SSL certificate)$` | |
| and not web.endpoints.http.html_title=~`^Website .* is ready\. The content is to be added$` | |
| and not web.endpoints.http.html_title=~`^Game [A-Z]` | |
| and not web.endpoints.http.html_title: { | |
| "\"Game Almora Darkosen RPG", | |
| "\"Game Dungeon Ward: Souls & Dragons", | |
| "\"Game Transport Tycoon Empire: Stad", | |
| "\"Game Transport Tycoon Empire: City", | |
| "\"Game Polygon Fantasy: Action RPG", | |
| "\"Game Port City: Ship Simulator", | |
| "\"Game Puzzle Adventure: Escape Room", | |
| "\"Game Mystery Town: Adventure games", | |
| "Besttools games" | |
| } |