Sources & Methods Newsletter #5 - January 2023
Happy New Year! I hope everyone enjoyed their holidays and feels ready (as ready as one can be) to get back to it. Maybe this issue can provide some inspiration.
Sources
Abused Legitimate Services - This GitHub repository is a collection of legitimate web services that have been used for nefarious purposes like malware delivery, C2, and phishing.
Each entry provides a domain name for identifying traffic to the service, its malicious purpose, the name of a group known to misuse the service, and a source citation.
Depending on your environment and the service in question, you may find these to be good infrastructure-centered hunting leads, for example. Certainly worth tracking, and contributing to, if you like!
Articles
Objective See - Mac Malware of 2022 #malware #analysis #macos
Jamie Collier - Eliminating Distraction with CTI #program
RedHat - Developing Priority Intelligence Requirements #requirements #howto
Cisco Talos - Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins #operational #analysis
Rob Dartnall - Conventional Intelligence Analysis in Cyber Threat Intelligence (Video) #tradecraft
Recorded Future - The Business of Fraud: An Overview of How Cybercrime Gets Monetized #ecosystems
Tools
typosquatting-finder by CIRCL.lu
Free web-based tool for finding variations of a domain name that could be used in typosquatting attacks.
ExitGather
Python script to generate a list of IP addresses being used as TOR and VPN exit nodes. It takes the online downloads of VPN config files from various providers, grabs the IPv4/IPv6 addresses and hostnames from those files and generates CSV output.
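As an added illustration of that extraction step (my own example, not ExitGather's code), the snippet below parses a constructed pair of OpenVPN-style config texts, keeps only active `remote` directives, classifies each endpoint as IPv4, IPv6 or hostname, collapses duplicates, and emits CSV rows that can feed a watchlist for detecting traffic to known exit nodes. Filenames, hostnames and addresses are placeholders.

```python
import csv
import io
import ipaddress

# Constructed sample: two provider config files as they might be downloaded.
# Hostnames and addresses are documentation-range placeholders, not real exits.
SAMPLE_CONFIGS = {
    "provider-a-us1.ovpn": (
        "client\n"
        "dev tun\n"
        "remote vpn-us1.example.test 1194 udp\n"
        "remote 203.0.113.10 443 tcp\n"
        "remote-random\n"            # not a 'remote' directive; must be ignored
    ),
    "provider-b-de1.ovpn": (
        "client\n"
        "remote 2001:db8:1::25 1194\n"
        "remote 203.0.113.10 1194\n"  # duplicate endpoint across providers
        "# remote commented.example.test 1194\n"  # commented out; must be ignored
    ),
}


def classify(endpoint: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname' for a remote endpoint string."""
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        return "hostname"
    return "ipv4" if addr.version == 4 else "ipv6"


def extract_endpoints(configs: dict) -> list:
    """Collect unique (endpoint, kind, source_file) rows from config texts."""
    seen, rows = set(), []
    for filename, text in configs.items():
        for line in text.splitlines():
            tokens = line.strip().split()
            # OpenVPN comments start with '#' or ';'; skip them and non-remote lines
            if len(tokens) < 2 or tokens[0] != "remote":
                continue
            endpoint = tokens[1]
            if endpoint in seen:
                continue
            seen.add(endpoint)
            rows.append((endpoint, classify(endpoint), filename))
    return rows


def to_csv(rows: list) -> str:
    """Render rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["endpoint", "kind", "source"])
    writer.writerows(rows)
    return buf.getvalue()
```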
toutatis
Use toutatis to gather information on an Instagram account.
Prelude Build
Prelude Build is a self-hostable IDE for writing automatable security tests.
yls
yls is a language server for YARA. If you use VS Code to write YARA rules, it gives you:
- Syntax highlighting
- Autocomplete
- Function documentation
- Code formatting
- Signature help
- Linting
- Ability to jump to definitions and references
wtfis
wtfis is a Python CLI tool for passively gathering context on FQDNs, domain names, and IP addresses. Its sources are RiskIQ PassiveTotal, IP2WHOIS, VirusTotal, and Shodan; you'll need an API key for each.
Tip
The MISP project has shared some best practices in threat intelligence for analysis, tagging, sharing, and more, in the form of a short online book.