1 min read

Sources & Methods Newsletter #5 - January 2023

Happy New Year! I hope everyone enjoyed their holidays and feel ready (as you can be) to get back to it. Maybe this issue can provide some inspiration.

๐Ÿ“ Sources

Abused Legitimate Services - This GitHub repository is a collection of legitimate web services that have been used for nefarious purposes like malware delivery, C2, and phishing.

Each entry provides a domain name for identifying traffic to the service, its malicious purpose, the name of a group known to misuse the service, and a source citation.

Depending on your environment and the service in question, you may find these to be good infrastructured-centered hunting leads, for example. Certainly worth trackingโ€”and contributing, if you like!

๐Ÿ“ฐ Articles

Objective See - Mac Malware of 2022 #malware #analysis #macos

Jamie Collier - Eliminating Distraction with CTI #program

RedHat - Developing Priority Intelligence Requirements #requirements #howto

Cisco Talos - Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins #operational #analysis

Rob Dartnall - Conventional Intelligence Analysis in Cyber Threat Intelligence (Video) #tradecraft

Recorded Future - The Business of Fraud: An Overview of How Cybercrime Gets Monetized #ecosystems

๐Ÿ›  Tools

typosquatting-finder by CIRCL.lu


Free web-based tool for finding variations of a domain name that could be used in typosquatting attacks.



Python script to generate a list of IP addresses being used as TOR and VPN exit nodes. It takes the online downloads of VPN config files from various providers, grabs the IPv4/IPv6 addresses and hostnames from those files and generates CSV output.



Use toutatis to gather information on an Instagram account.

Prelude Build


Prelude Build is a self-hostable IDE for writing automatable security tests.



yls is a language server for YARA. If you use VS Code to write YARA rules, it gives you:

  • Syntax highlighting
  • Autocomplete
  • Function documentation
  • Code formatting
  • Signature help
  • Linting
  • Ability to jump to definitions and references



wtfis... is a Python CLI tool for passively gathering context on FQDNs, domain names, and IP addresses. Its sources are RiskIQ PassiveTotal, IP2WHOIS, VirusTotal, and Shodan; you'll need an API key for each.

๐Ÿ’ก Tip

The MISP project have shared some best practices in threat intelligence for analysis, tagging, sharing, and more, in the form of a short online book.