Merge branch 'living-off-trusted-sites' of https://github.com/goodlandsecurity/misp-warninglists into goodlandsecurity-living-off-trusted-sites

main
Alexandre Dulaunoy 2024-11-04 13:30:35 +01:00
commit 3f384370cf
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
3 changed files with 224 additions and 0 deletions


@ -45,6 +45,7 @@ are reused in many other open source projects.
- [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_ - [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
- [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_ - [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
- [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_ - [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._
- [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._ - [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
- [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_ - [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
- [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_ - [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_


@ -0,0 +1,191 @@
{
"category": "Known identifier",
"description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection (https://lots-project.com)",
"list": [
".000webhostapp.com",
".amazonaws.com",
".appspot.com",
".atlassian.net",
".axshare.com",
".azureedge.net",
".azurefd.net",
".azurestaticapps.net",
".azurewebsites.net",
".backblazeb2.com",
".blob.core.windows.net",
".blogspot.com",
".box.com",
".canva.com",
".clickfunnels.com",
".cloudapp.azure.com",
".cloudapp.net",
".cloudfront.net",
".cloudwaysapps.com",
".codesandbox.io",
".csb.app",
".digitaloceanspaces.com",
".docusign.com",
".doubleclick.net",
".dropmark.com",
".duckdns.org",
".easywp.com",
".firebaseapp.com",
".fleek.co",
".format.com",
".fyi.to",
".github.io",
".glitch.me",
".godaddysites.com",
".gofile.io",
".googleusercontent.com",
".herokuapp.com",
".hostingerapp.com",
".instagram.com",
".linodeobjects.com",
".mybluehost.me",
".mybluemix.net",
".myportfolio.com",
".mystrikingly.com",
".netlify.app",
".ngrok.io",
".nimbusweb.me",
".notion.site",
".on.aws",
".ondigitalocean.app",
".oraclecloud.com",
".pagecloud.com",
".pages.dev",
".plesk.page",
".repl.co",
".requestbin.net",
".rf.gd",
".sendspace.com",
".sharepoint.com",
".slab.com",
".surveycake.com",
".translate.goog",
".trycloudflare.com",
".tumblr.com",
".twitter.com",
".typeform.com",
".uplooder.net",
".wasabisys.com",
".web.app",
".web.core.windows.net",
".webflow.io",
".weebly.com",
".wixsite.com",
".wordpress.com",
".workers.dev",
".xiti.com",
".zendesk.com",
"12ft.io",
"1drv.com",
"1drv.ms",
"4sync.com",
"anonfiles.com",
"api.telegram.org",
"app.milanote.com",
"appdomain.cloud",
"archive.org",
"archive.ph",
"attachment.outlook.live.net",
"attachments.office.net",
"beautiful.ai",
"bit.ly",
"bitbucket.io",
"bitbucket.org",
"cdn.discordapp.com",
"cdn.fbsbx.com",
"clbin.com",
"codepen.io",
"ct.sendgrid.net",
"cutt.ly",
"discord.com",
"doc.clickup.com",
"docs.google.com",
"docsend.com",
"dogechain.info",
"drive.google.com",
"dropbox.com",
"evernote.com",
"express.adobe.com",
"facebook.com",
"feedproxy.google.com",
"filebin.net",
"filecloudonline.com",
"filetransfer.io",
"firebasestorage.googleapis.com",
"forms.office.com",
"genius.com",
"gitee.com",
"github.com",
"gitlab.com",
"googleweblight.com",
"graph.microsoft.com",
"i.imgur.com",
"icloud.com",
"ideone.com",
"inmotionhosting.com",
"ix.io",
"lnkd.in",
"localhost.run",
"mediafire.com",
"mega.nz",
"my.visme.co",
"nethunt.com",
"notion.so",
"nt.embluemail.com",
"onedrive.live.com",
"onenoteonlinesync.onenote.com",
"parg.co",
"paste.ee",
"pastebin.com",
"pastebin.pl",
"pastetext.net",
"pastie.org",
"pcloud.com",
"raw.githubusercontent.com",
"rb.gy",
"rebrand.ly",
"reddit.com",
"rentry.co",
"s.id",
"siasky.net",
"sites.google.com",
"slack-files.com",
"slack.com",
"spark.adobe.com",
"sprunge.us",
"stonly.com",
"storage.googleapis.com",
"sway.office.com",
"t.co",
"t.m1.email.samsung.com",
"telegra.ph",
"teletype.in",
"termbin.com",
"textbin.net",
"tinyurl.com",
"track.adform.net",
"transfer.sh",
"trello.com",
"ufile.io",
"viewer.joomag.com",
"wetransfer.com",
"workflowy.com",
"wtools.io",
"youtube.com",
"zerobin.net"
],
"matching_attributes": [
"domain",
"domain|ip",
"hostname",
"hostname|port",
"url"
],
"name": "List of LOTS (Living Off Trusted Sites) Project Domains",
"type": "hostname",
"version": 20241010
}


@ -0,0 +1,32 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from bs4 import BeautifulSoup
from generator import download, get_version, write_to_file
if __name__ == '__main__':
req = download("https://lots-project.com")
soup = BeautifulSoup(req.text, 'html.parser')
links = soup.find_all('a', class_='link', href=True, target=None)
lots_list = []
for link in links:
if link.contents[0].startswith('*'):
lots_list.append(link.contents[0].lstrip('*'))
elif link.contents[0].startswith('www'):
lots_list.append(link.contents[0].lstrip('www'))
else:
lots_list.append(link.contents[0])
warninglist = {
'name': 'List of LOTS (Living Off Trusted Sites) Project Domains',
'version': get_version(),
'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection',
'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'],
'type': 'hostname',
'list': lots_list
}
write_to_file(warninglist, "lots-project")
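Review bot: `lstrip('www')` in the `elif` branch strips any leading run of the character `w`, not the prefix `www.`, so a constructed name like `www2.example.com` becomes `2.example.com`, and `www.example.com` is stored as `.example.com`, the same form this script produces for `*.` wildcard entries. The link text also goes straight from the downloaded page into the warninglist with no check that it is a hostname, and `link.contents[0]` fails on an empty anchor or one whose first child is a tag, so a markup change or a tampered upstream page either aborts the run or puts arbitrary strings into a list analysts rely on when judging indicators. I would read the text with `get_text(strip=True)`, remove the two prefixes explicitly, keep only hostname-shaped values and refuse to write an empty list, as sketched below. Separately, the committed list.json has `"category": "Known identifier"` and a description ending in the project URL, neither of which this dict sets; unless `write_to_file` adds them (not visible here), a regeneration would drop both, and the category affects how a hit is read.

```python
    lots_list = []
    for link in links:
        # get_text() copes with empty anchors and nested tags; contents[0] does not.
        name = link.get_text(strip=True).lower()
        if name.startswith('*.'):
            name = name[1:]              # keep the leading dot: wildcard entry
        elif name.startswith('www.'):
            name = name[len('www.'):]    # drop the prefix, not a character set
        # Upstream HTML is untrusted input: keep only hostname-shaped strings.
        labels = name.lstrip('.').split('.')
        if len(labels) < 2 or not all(
                label.isascii() and label.replace('-', '').isalnum()
                for label in labels):
            continue
        lots_list.append(name)
    if not lots_list:
        # Do not overwrite a good list with an empty one after a failed scrape.
        raise SystemExit('no hostnames parsed from lots-project.com; list not written')
    # … unchanged: warninglist dict and write_to_file call …
```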