- hacked – general search for the ‘hacked’ label.
- "hacked by" – another variation of the above search.
- http.title:"Hacked by" – another variation of the same search filter.
- http.title:"0wn3d by" – resources labelled as 'owned' by a threat agent, hacker group, etc.
- "HACKED-ROUTER" – compromised routers, labelled accordingly.
- port:"27017" "send_bitcoin_to_retrieve_the_data" – databases affected by ransomware, with the ransom demand still associated with them.
- bitcoin has_screenshot:true – searches for the 'bitcoin' keyword, where a screenshot is present (useful for RDP screens of endpoints infected with ransomware).
- port:4444 system32 – compromised legacy operating systems. Port 4444 is the default port for Meterpreter – a Metasploit attack payload with an interactive shell for remote code execution.
- "attention"+"encrypted"+port:3389 – ransomware-infected RDP services.
- "HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD" – compromised hosts with the name changed to that phrase.
- "HACKED FTP server" – compromised FTP servers.
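The same indicators can be applied offline to an export of your own organisation's exposed hosts, so that a defender can triage them without re-running each query. This is an added example, not code from the original article; the record layout (`ip`, `port`, `http_title`, `hostnames`, `data`) is assumed to mirror a Shodan host export, and the sample records are constructed, not real hosts.

```python
# Added example (not from the original article): classify constructed
# Shodan-style host records against the compromise indicators listed above.
import re

# Each rule: (label, required port or None, record field, case-insensitive regex)
RULES = [
    ("defaced-web",       None,  "http_title", r"hacked by|0wn3d by"),
    ("hacked-router",     None,  "hostnames",  r"HACKED-ROUTER"),
    ("mongodb-ransom",    27017, "data",       r"send_bitcoin_to_retrieve_the_data"),
    ("meterpreter-shell", 4444,  "data",       r"system32"),
    ("rdp-ransom-note",   3389,  "data",       r"(?=.*attention)(?=.*encrypted)"),
    ("hacked-ftp",        None,  "data",       r"HACKED FTP server"),
]

def classify(record):
    """Return the indicator labels that a single host record matches."""
    hits = []
    for label, port, field, pattern in RULES:
        if port is not None and record.get("port") != port:
            continue
        value = record.get(field, "")
        if isinstance(value, list):          # hostnames is a list in exports
            value = " ".join(value)
        if re.search(pattern, value, re.IGNORECASE | re.DOTALL):
            hits.append(label)
    return hits

def triage(records):
    """Map ip -> matched labels for every record matching at least one rule."""
    result = {}
    for record in records:
        labels = classify(record)
        if labels:
            result[record["ip"]] = labels
    return result

# Constructed sample records (assumed export shape; documentation-range IPs).
SAMPLE = [
    {"ip": "192.0.2.10", "port": 80,    "http_title": "Hacked By TeamX", "data": ""},
    {"ip": "192.0.2.11", "port": 27017, "data": "db: send_bitcoin_to_retrieve_the_data\n"},
    {"ip": "192.0.2.12", "port": 3389,  "data": "ATTENTION! Your files are encrypted"},
    {"ip": "192.0.2.13", "port": 4444,  "data": "C:\\Windows\\system32>"},
    {"ip": "192.0.2.14", "port": 22,    "data": "",
     "hostnames": ["HACKED-ROUTER-HELP-SOS-HAD-DEFAULT-PASSWORD"]},
    {"ip": "192.0.2.15", "port": 80,    "http_title": "Welcome", "data": "nginx"},
]

if __name__ == "__main__":
    for ip, labels in triage(SAMPLE).items():
        print(ip, ",".join(labels))
```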