Custom Threat Intelligence Feeds

Just like Malware signatures, Threat Intel feeds are going out fashion thanks to the rise of complex modern day malware. Attackers are increasingly using obscure attack methodology and infrastructure to evade analysis and in turn keeping their information away from blacklists.
With that said, there are many groups out there dedicated to serious malware research  and the information they pump out (usually for free) should not be ignored!

Open source or free Threat Intel Feeds can help you and your organisation clean up malicious activity earlier in the kill chain by identifying the first outbound connection to that Russian c&c or help your mail filter block the most recent complex phishing  senders. There are many possibilities!

Our SIEM is able to digest information from text files and add to alerts on the fly without human interaction.  This allows the perimeter deference to fluidly adapt to the known threats out there.
I understand that this isn’t as cool or advanced as AI behavioral tools or predictive security models but if you already have a SIEM this is a free no brainier.

The below  PowerShell scripts will pull threat intelligence information from the listed providers for free. There are many feeds out there but this should be enough to get your Threat Intel appetite going:

Talos IP feed
This script grabs the current Talos IP list and writes it to a text file named Talos.txt
This file will live in the same directory that the powershell script is executed from. To change the output location just change the $output variable.
Example:
$output = “$PSScriptRoot\Talos.txt”
could be changed to:
$output = “c:\threatfeeds\talos.txt”

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://talosintelligence.com/documents/ip-blacklist"
$output = "$PSScriptRoot\Talos.txt"
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output

TOR Exit Node List
Very similar to the method above expect this grabs a list of known TOR exit nodes.
You can change the output location using the same method as above.

$url = “https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1”
$output = “$PSScriptRoot\TorExitNode.txt”
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output

Shodan scanner IPs

The nice guys over at SANS maintain a list of Shodan scanner IPs.
I feed this list directly into our firewall to keep our infrastructure out of the Shodan database. Obviously this is of little yield because red teams can just run their own scan but staying out of Shodan seems worthwhile for the small amount of effort required.
Mike Hiltz has an interesting post on Shodan scanners here.

This script is slightly different to the two above because the Shodan list is formatted in XML. Luckily for us Powershell can handle XML files very well!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[xml]$XmlDocument = Invoke-WebRequest -Uri “https://isc.sans.edu/api/threatlist/shodan”
$XmlDocument.threatlist.shodan.ipv4 | Out-File “$PSScriptRoot\ShodanIP.txt”

 

Abuse.ch Ransomware Tracker

This list is created by the chaps at Abuse.ch and is free. This will help protect you from Ransomware such as Locky and others.
These guys provide lists for all things malicious but this script focuses on the Ransomware list. You can see their other lists here

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = “https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt”
$output = “$PSScriptRoot\AbuseCHRansom.txt”
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output
$content -notmatch ‘#.*#’ | Set-Content $output

Again this script is a little different to the others, the Abuse.ch list has a header containing titles.
Capture
Our SIEM wont take this information so some regex magic in the last line in the script:
cleans this up for us:
“$content -notmatch ‘#.*#’ | Set-Content $output”

 

I hope this information is useful for you but please note everything here is served as is and comes with no guarantee or warranty.
Blocking or acting against any of the information provided above is done so at your own risk!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s