Sign in Subscribe
1 min read Newsletter

Sources & Methods Newsletter #5 - January 2023

Happy New Year! I hope everyone enjoyed their holidays and feel ready (as you can be) to get back to it. Maybe this issue can provide some inspiration.

๐Ÿ“ Sources

Abused Legitimate Services - This GitHub repository is a collection of legitimate web services that have been used for nefarious purposes like malware delivery, C2, and phishing.

Each entry provides a domain name for identifying traffic to the service, its malicious purpose, the name of a group known to misuse the service, and a source citation.

Depending on your environment and the service in question, you may find these to be good infrastructured-centered hunting leads, for example. Certainly worth trackingโ€”and contributing, if you like!

๐Ÿ“ฐ Articles

Objective See - Mac Malware of 2022 #malware #analysis #macos

Jamie Collier - Eliminating Distraction with CTI #program

RedHat - Developing Priority Intelligence Requirements #requirements #howto

Cisco Talos - Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins #operational #analysis

Rob Dartnall - Conventional Intelligence Analysis in Cyber Threat Intelligence (Video) #tradecraft

Recorded Future - The Business of Fraud: An Overview of How Cybercrime Gets Monetized #ecosystems

๐Ÿ›  Tools

typosquatting-finder by CIRCL.lu

typosquatting-finder.circl.lu

Free web-based tool for finding variations of a domain name that could be used in typosquatting attacks.

ExitGather

github.com/uforia/exitgather

Python script to generate a list of IP addresses being used as TOR and VPN exit nodes. It takes the online downloads of VPN config files from various providers, grabs the IPv4/IPv6 addresses and hostnames from those files and generates CSV output.

toutatis

github.com/megadose/toutatis

Use toutatis to gather information on an Instagram account.

Prelude Build

github.com/preludeorg/build

Prelude Build is a self-hostable IDE for writing automatable security tests.

yls

github.com/avast/yls

yls is a language server for YARA. If you use VS Code to write YARA rules, it gives you:

  • Syntax highlighting
  • Autocomplete
  • Function documentation
  • Code formatting
  • Signature help
  • Linting
  • Ability to jump to definitions and references

wtfis

github.com/pirxthepilot/wtfis

wtfis... is a Python CLI tool for passively gathering context on FQDNs, domain names, and IP addresses. Its sources are RiskIQ PassiveTotal, IP2WHOIS, VirusTotal, and Shodan; you'll need an API key for each.

๐Ÿ’ก Tip

The MISP project have shared some best practices in threat intelligence for analysis, tagging, sharing, and more, in the form of a short online book.

Published by:

Matthew Conway

You might also like...

Mar
10

Sources & Methods Newsletter #17 - March 2024

๐Ÿ“ Sources Cloud Threat Landscape - Cloud-focused compilation of incidents, targeted tech, threat groups, tools, and techniques. Maintained by Wiz, who
2 min read
Jan
29

Sources & Methods Newsletter #16 - January 2024

Happy New Year! I hope your holidays were restful and you're ready to get back to it. At
2 min read
Dec
22

Sources & Methods Newsletter #15 - December 2023

I hope everyone had a great yearโ€”it was for Sources & Methods: * Moved the newsletter to Ghost.io to
3 min read
Nov
22

Sources & Methods Newsletter #14 - November 2023

Have questions or suggestions? Send them my way at sources.methods@protonmail.com. Thanks for reading, Matthew Conway (@mattreduce) ๐Ÿ“ Sources
2 min read
Oct
17

Sources & Methods Newsletter #13 - October 2023

๐Ÿ“ Sources Living off the Foreign Land Cmdlets and Binaries - In the style of LOLBins, a collection of trusted Microsoft
2 min read

Member discussion