Merge branch 'living-off-trusted-sites' of https://github.com/goodlandsecurity/misp-warninglists into goodlandsecurity-living-off-trusted-sites
commit
3f384370cf
|
@ -45,6 +45,7 @@ are reused in many other open source projects.
|
|||
- [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
|
||||
- [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
|
||||
- [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
|
||||
- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._
|
||||
- [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
|
||||
- [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
|
||||
- [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_
|
||||
|
|
|
@ -0,0 +1,191 @@
|
|||
{
|
||||
"category": "Known identifier",
|
||||
"description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection (https://lots-project.com)",
|
||||
"list": [
|
||||
".000webhostapp.com",
|
||||
".amazonaws.com",
|
||||
".appspot.com",
|
||||
".atlassian.net",
|
||||
".axshare.com",
|
||||
".azureedge.net",
|
||||
".azurefd.net",
|
||||
".azurestaticapps.net",
|
||||
".azurewebsites.net",
|
||||
".backblazeb2.com",
|
||||
".blob.core.windows.net",
|
||||
".blogspot.com",
|
||||
".box.com",
|
||||
".canva.com",
|
||||
".clickfunnels.com",
|
||||
".cloudapp.azure.com",
|
||||
".cloudapp.net",
|
||||
".cloudfront.net",
|
||||
".cloudwaysapps.com",
|
||||
".codesandbox.io",
|
||||
".csb.app",
|
||||
".digitaloceanspaces.com",
|
||||
".docusign.com",
|
||||
".doubleclick.net",
|
||||
".dropmark.com",
|
||||
".duckdns.org",
|
||||
".easywp.com",
|
||||
".firebaseapp.com",
|
||||
".fleek.co",
|
||||
".format.com",
|
||||
".fyi.to",
|
||||
".github.io",
|
||||
".glitch.me",
|
||||
".godaddysites.com",
|
||||
".gofile.io",
|
||||
".googleusercontent.com",
|
||||
".herokuapp.com",
|
||||
".hostingerapp.com",
|
||||
".instagram.com",
|
||||
".linodeobjects.com",
|
||||
".mybluehost.me",
|
||||
".mybluemix.net",
|
||||
".myportfolio.com",
|
||||
".mystrikingly.com",
|
||||
".netlify.app",
|
||||
".ngrok.io",
|
||||
".nimbusweb.me",
|
||||
".notion.site",
|
||||
".on.aws",
|
||||
".ondigitalocean.app",
|
||||
".oraclecloud.com",
|
||||
".pagecloud.com",
|
||||
".pages.dev",
|
||||
".plesk.page",
|
||||
".repl.co",
|
||||
".requestbin.net",
|
||||
".rf.gd",
|
||||
".sendspace.com",
|
||||
".sharepoint.com",
|
||||
".slab.com",
|
||||
".surveycake.com",
|
||||
".translate.goog",
|
||||
".trycloudflare.com",
|
||||
".tumblr.com",
|
||||
".twitter.com",
|
||||
".typeform.com",
|
||||
".uplooder.net",
|
||||
".wasabisys.com",
|
||||
".web.app",
|
||||
".web.core.windows.net",
|
||||
".webflow.io",
|
||||
".weebly.com",
|
||||
".wixsite.com",
|
||||
".wordpress.com",
|
||||
".workers.dev",
|
||||
".xiti.com",
|
||||
".zendesk.com",
|
||||
"12ft.io",
|
||||
"1drv.com",
|
||||
"1drv.ms",
|
||||
"4sync.com",
|
||||
"anonfiles.com",
|
||||
"api.telegram.org",
|
||||
"app.milanote.com",
|
||||
"appdomain.cloud",
|
||||
"archive.org",
|
||||
"archive.ph",
|
||||
"attachment.outlook.live.net",
|
||||
"attachments.office.net",
|
||||
"beautiful.ai",
|
||||
"bit.ly",
|
||||
"bitbucket.io",
|
||||
"bitbucket.org",
|
||||
"cdn.discordapp.com",
|
||||
"cdn.fbsbx.com",
|
||||
"clbin.com",
|
||||
"codepen.io",
|
||||
"ct.sendgrid.net",
|
||||
"cutt.ly",
|
||||
"discord.com",
|
||||
"doc.clickup.com",
|
||||
"docs.google.com",
|
||||
"docsend.com",
|
||||
"dogechain.info",
|
||||
"drive.google.com",
|
||||
"dropbox.com",
|
||||
"evernote.com",
|
||||
"express.adobe.com",
|
||||
"facebook.com",
|
||||
"feedproxy.google.com",
|
||||
"filebin.net",
|
||||
"filecloudonline.com",
|
||||
"filetransfer.io",
|
||||
"firebasestorage.googleapis.com",
|
||||
"forms.office.com",
|
||||
"genius.com",
|
||||
"gitee.com",
|
||||
"github.com",
|
||||
"gitlab.com",
|
||||
"googleweblight.com",
|
||||
"graph.microsoft.com",
|
||||
"i.imgur.com",
|
||||
"icloud.com",
|
||||
"ideone.com",
|
||||
"inmotionhosting.com",
|
||||
"ix.io",
|
||||
"lnkd.in",
|
||||
"localhost.run",
|
||||
"mediafire.com",
|
||||
"mega.nz",
|
||||
"my.visme.co",
|
||||
"nethunt.com",
|
||||
"notion.so",
|
||||
"nt.embluemail.com",
|
||||
"onedrive.live.com",
|
||||
"onenoteonlinesync.onenote.com",
|
||||
"parg.co",
|
||||
"paste.ee",
|
||||
"pastebin.com",
|
||||
"pastebin.pl",
|
||||
"pastetext.net",
|
||||
"pastie.org",
|
||||
"pcloud.com",
|
||||
"raw.githubusercontent.com",
|
||||
"rb.gy",
|
||||
"rebrand.ly",
|
||||
"reddit.com",
|
||||
"rentry.co",
|
||||
"s.id",
|
||||
"siasky.net",
|
||||
"sites.google.com",
|
||||
"slack-files.com",
|
||||
"slack.com",
|
||||
"spark.adobe.com",
|
||||
"sprunge.us",
|
||||
"stonly.com",
|
||||
"storage.googleapis.com",
|
||||
"sway.office.com",
|
||||
"t.co",
|
||||
"t.m1.email.samsung.com",
|
||||
"telegra.ph",
|
||||
"teletype.in",
|
||||
"termbin.com",
|
||||
"textbin.net",
|
||||
"tinyurl.com",
|
||||
"track.adform.net",
|
||||
"transfer.sh",
|
||||
"trello.com",
|
||||
"ufile.io",
|
||||
"viewer.joomag.com",
|
||||
"wetransfer.com",
|
||||
"workflowy.com",
|
||||
"wtools.io",
|
||||
"youtube.com",
|
||||
"zerobin.net"
|
||||
],
|
||||
"matching_attributes": [
|
||||
"domain",
|
||||
"domain|ip",
|
||||
"hostname",
|
||||
"hostname|port",
|
||||
"url"
|
||||
],
|
||||
"name": "List of LOTS (Living Off Trusted Sites) Project Domains",
|
||||
"type": "hostname",
|
||||
"version": 20241010
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
from bs4 import BeautifulSoup
|
||||
from generator import download, get_version, write_to_file
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
req = download("https://lots-project.com")
|
||||
soup = BeautifulSoup(req.text, 'html.parser')
|
||||
links = soup.find_all('a', class_='link', href=True, target=None)
|
||||
|
||||
lots_list = []
|
||||
|
||||
for link in links:
|
||||
if link.contents[0].startswith('*'):
|
||||
lots_list.append(link.contents[0].lstrip('*'))
|
||||
elif link.contents[0].startswith('www'):
|
||||
lots_list.append(link.contents[0].lstrip('www'))
|
||||
else:
|
||||
lots_list.append(link.contents[0])
|
||||
|
||||
warninglist = {
|
||||
'name': 'List of LOTS (Living Off Trusted Sites) Project Domains',
|
||||
'version': get_version(),
|
||||
'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection',
|
||||
'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'],
|
||||
'type': 'hostname',
|
||||
'list': lots_list
|
||||
}
|
||||
|
||||
write_to_file(warninglist, "lots-project")
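Review bot: In the `elif` branch, `link.contents[0].lstrip('www')` removes every leading `w` character rather than the `www` prefix, and the guard is `startswith('www')` instead of `startswith('www.')`, so a hostname whose first label merely begins with those letters is silently truncated. The loop also appends the scraped anchor text to `lots_list` unchecked, and `link.contents[0]` raises if an anchor is empty or its first child is a tag. Because this list decides which indicators analysts treat as trusted-but-abused sites, a markup change or tampered page at the source would put arbitrary strings into the warninglist. I would normalise the text once, strip only an exact `*.` or `www.` prefix, drop anything that is not a plain hostname, and abort if nothing survives. Separately, the `description` here lacks the `(https://lots-project.com)` suffix present in the committed list.json, so regenerating may change that field unless `write_to_file` adds it.

```python
# … unchanged: download, BeautifulSoup parse, find_all …

HOSTNAME_CHARS = set('abcdefghijklmnopqrstuvwxyz0123456789.-')
lots_list = []

for link in links:
    name = link.get_text(strip=True).lower()
    if name.startswith('*.'):
        name = name[1:]   # "*.example.com" -> ".example.com"
    elif name.startswith('www.'):
        name = name[3:]   # "www.example.com" -> ".example.com"
    # Only plain hostnames may reach the warninglist.
    if not name.strip('.') or set(name) - HOSTNAME_CHARS:
        continue
    lots_list.append(name)

if not lots_list:
    raise SystemExit('lots-project: no hostnames parsed, refusing to write an empty list')

# … unchanged: warninglist dict and write_to_file call …
```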
|