Merge branch 'living-off-trusted-sites' of https://github.com/goodlandsecurity/misp-warninglists into goodlandsecurity-living-off-trusted-sites
commit
3f384370cf
|
@ -45,6 +45,7 @@ are reused in many other open source projects.
|
||||||
- [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
|
- [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
|
||||||
- [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
|
- [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
|
||||||
- [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
|
- [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
|
||||||
|
- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._
|
||||||
- [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
|
- [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
|
||||||
- [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
|
- [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
|
||||||
- [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_
|
- [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_
|
||||||
|
|
|
@ -0,0 +1,191 @@
|
||||||
|
{
|
||||||
|
"category": "Known identifier",
|
||||||
|
"description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection (https://lots-project.com)",
|
||||||
|
"list": [
|
||||||
|
".000webhostapp.com",
|
||||||
|
".amazonaws.com",
|
||||||
|
".appspot.com",
|
||||||
|
".atlassian.net",
|
||||||
|
".axshare.com",
|
||||||
|
".azureedge.net",
|
||||||
|
".azurefd.net",
|
||||||
|
".azurestaticapps.net",
|
||||||
|
".azurewebsites.net",
|
||||||
|
".backblazeb2.com",
|
||||||
|
".blob.core.windows.net",
|
||||||
|
".blogspot.com",
|
||||||
|
".box.com",
|
||||||
|
".canva.com",
|
||||||
|
".clickfunnels.com",
|
||||||
|
".cloudapp.azure.com",
|
||||||
|
".cloudapp.net",
|
||||||
|
".cloudfront.net",
|
||||||
|
".cloudwaysapps.com",
|
||||||
|
".codesandbox.io",
|
||||||
|
".csb.app",
|
||||||
|
".digitaloceanspaces.com",
|
||||||
|
".docusign.com",
|
||||||
|
".doubleclick.net",
|
||||||
|
".dropmark.com",
|
||||||
|
".duckdns.org",
|
||||||
|
".easywp.com",
|
||||||
|
".firebaseapp.com",
|
||||||
|
".fleek.co",
|
||||||
|
".format.com",
|
||||||
|
".fyi.to",
|
||||||
|
".github.io",
|
||||||
|
".glitch.me",
|
||||||
|
".godaddysites.com",
|
||||||
|
".gofile.io",
|
||||||
|
".googleusercontent.com",
|
||||||
|
".herokuapp.com",
|
||||||
|
".hostingerapp.com",
|
||||||
|
".instagram.com",
|
||||||
|
".linodeobjects.com",
|
||||||
|
".mybluehost.me",
|
||||||
|
".mybluemix.net",
|
||||||
|
".myportfolio.com",
|
||||||
|
".mystrikingly.com",
|
||||||
|
".netlify.app",
|
||||||
|
".ngrok.io",
|
||||||
|
".nimbusweb.me",
|
||||||
|
".notion.site",
|
||||||
|
".on.aws",
|
||||||
|
".ondigitalocean.app",
|
||||||
|
".oraclecloud.com",
|
||||||
|
".pagecloud.com",
|
||||||
|
".pages.dev",
|
||||||
|
".plesk.page",
|
||||||
|
".repl.co",
|
||||||
|
".requestbin.net",
|
||||||
|
".rf.gd",
|
||||||
|
".sendspace.com",
|
||||||
|
".sharepoint.com",
|
||||||
|
".slab.com",
|
||||||
|
".surveycake.com",
|
||||||
|
".translate.goog",
|
||||||
|
".trycloudflare.com",
|
||||||
|
".tumblr.com",
|
||||||
|
".twitter.com",
|
||||||
|
".typeform.com",
|
||||||
|
".uplooder.net",
|
||||||
|
".wasabisys.com",
|
||||||
|
".web.app",
|
||||||
|
".web.core.windows.net",
|
||||||
|
".webflow.io",
|
||||||
|
".weebly.com",
|
||||||
|
".wixsite.com",
|
||||||
|
".wordpress.com",
|
||||||
|
".workers.dev",
|
||||||
|
".xiti.com",
|
||||||
|
".zendesk.com",
|
||||||
|
"12ft.io",
|
||||||
|
"1drv.com",
|
||||||
|
"1drv.ms",
|
||||||
|
"4sync.com",
|
||||||
|
"anonfiles.com",
|
||||||
|
"api.telegram.org",
|
||||||
|
"app.milanote.com",
|
||||||
|
"appdomain.cloud",
|
||||||
|
"archive.org",
|
||||||
|
"archive.ph",
|
||||||
|
"attachment.outlook.live.net",
|
||||||
|
"attachments.office.net",
|
||||||
|
"beautiful.ai",
|
||||||
|
"bit.ly",
|
||||||
|
"bitbucket.io",
|
||||||
|
"bitbucket.org",
|
||||||
|
"cdn.discordapp.com",
|
||||||
|
"cdn.fbsbx.com",
|
||||||
|
"clbin.com",
|
||||||
|
"codepen.io",
|
||||||
|
"ct.sendgrid.net",
|
||||||
|
"cutt.ly",
|
||||||
|
"discord.com",
|
||||||
|
"doc.clickup.com",
|
||||||
|
"docs.google.com",
|
||||||
|
"docsend.com",
|
||||||
|
"dogechain.info",
|
||||||
|
"drive.google.com",
|
||||||
|
"dropbox.com",
|
||||||
|
"evernote.com",
|
||||||
|
"express.adobe.com",
|
||||||
|
"facebook.com",
|
||||||
|
"feedproxy.google.com",
|
||||||
|
"filebin.net",
|
||||||
|
"filecloudonline.com",
|
||||||
|
"filetransfer.io",
|
||||||
|
"firebasestorage.googleapis.com",
|
||||||
|
"forms.office.com",
|
||||||
|
"genius.com",
|
||||||
|
"gitee.com",
|
||||||
|
"github.com",
|
||||||
|
"gitlab.com",
|
||||||
|
"googleweblight.com",
|
||||||
|
"graph.microsoft.com",
|
||||||
|
"i.imgur.com",
|
||||||
|
"icloud.com",
|
||||||
|
"ideone.com",
|
||||||
|
"inmotionhosting.com",
|
||||||
|
"ix.io",
|
||||||
|
"lnkd.in",
|
||||||
|
"localhost.run",
|
||||||
|
"mediafire.com",
|
||||||
|
"mega.nz",
|
||||||
|
"my.visme.co",
|
||||||
|
"nethunt.com",
|
||||||
|
"notion.so",
|
||||||
|
"nt.embluemail.com",
|
||||||
|
"onedrive.live.com",
|
||||||
|
"onenoteonlinesync.onenote.com",
|
||||||
|
"parg.co",
|
||||||
|
"paste.ee",
|
||||||
|
"pastebin.com",
|
||||||
|
"pastebin.pl",
|
||||||
|
"pastetext.net",
|
||||||
|
"pastie.org",
|
||||||
|
"pcloud.com",
|
||||||
|
"raw.githubusercontent.com",
|
||||||
|
"rb.gy",
|
||||||
|
"rebrand.ly",
|
||||||
|
"reddit.com",
|
||||||
|
"rentry.co",
|
||||||
|
"s.id",
|
||||||
|
"siasky.net",
|
||||||
|
"sites.google.com",
|
||||||
|
"slack-files.com",
|
||||||
|
"slack.com",
|
||||||
|
"spark.adobe.com",
|
||||||
|
"sprunge.us",
|
||||||
|
"stonly.com",
|
||||||
|
"storage.googleapis.com",
|
||||||
|
"sway.office.com",
|
||||||
|
"t.co",
|
||||||
|
"t.m1.email.samsung.com",
|
||||||
|
"telegra.ph",
|
||||||
|
"teletype.in",
|
||||||
|
"termbin.com",
|
||||||
|
"textbin.net",
|
||||||
|
"tinyurl.com",
|
||||||
|
"track.adform.net",
|
||||||
|
"transfer.sh",
|
||||||
|
"trello.com",
|
||||||
|
"ufile.io",
|
||||||
|
"viewer.joomag.com",
|
||||||
|
"wetransfer.com",
|
||||||
|
"workflowy.com",
|
||||||
|
"wtools.io",
|
||||||
|
"youtube.com",
|
||||||
|
"zerobin.net"
|
||||||
|
],
|
||||||
|
"matching_attributes": [
|
||||||
|
"domain",
|
||||||
|
"domain|ip",
|
||||||
|
"hostname",
|
||||||
|
"hostname|port",
|
||||||
|
"url"
|
||||||
|
],
|
||||||
|
"name": "List of LOTS (Living Off Trusted Sites) Project Domains",
|
||||||
|
"type": "hostname",
|
||||||
|
"version": 20241010
|
||||||
|
}
|
|
@ -0,0 +1,32 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
from bs4 import BeautifulSoup
|
||||||
|
from generator import download, get_version, write_to_file
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
req = download("https://lots-project.com")
|
||||||
|
soup = BeautifulSoup(req.text, 'html.parser')
|
||||||
|
links = soup.find_all('a', class_='link', href=True, target=None)
|
||||||
|
|
||||||
|
lots_list = []
|
||||||
|
|
||||||
|
for link in links:
|
||||||
|
if link.contents[0].startswith('*'):
|
||||||
|
lots_list.append(link.contents[0].lstrip('*'))
|
||||||
|
elif link.contents[0].startswith('www'):
|
||||||
|
lots_list.append(link.contents[0].lstrip('www'))
|
||||||
|
else:
|
||||||
|
lots_list.append(link.contents[0])
|
||||||
|
|
||||||
|
warninglist = {
|
||||||
|
'name': 'List of LOTS (Living Off Trusted Sites) Project Domains',
|
||||||
|
'version': get_version(),
|
||||||
|
'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection',
|
||||||
|
'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'],
|
||||||
|
'type': 'hostname',
|
||||||
|
'list': lots_list
|
||||||
|
}
|
||||||
|
|
||||||
|
write_to_file(warninglist, "lots-project")
|
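Review bot: `lstrip('www')` in the `elif` branch removes any run of leading `w` characters rather than the literal prefix, so a scraped name such as `www2.example.com` (constructed example) would be stored as `2.example.com`. `link.contents[0].removeprefix('www')` (Python 3.9+) keeps the current `.example.com` result for ordinary `www.` names without that side effect, and testing `startswith('www.')` would stop the branch matching names that merely begin with those letters. The loop also copies whatever link text the remote page serves straight into the warninglist, with no check that each entry is a hostname and no guard for an empty `links` result, so a layout change or a tampered page would silently alter what MISP treats as a known identifier. Validating each entry and aborting when nothing is scraped would contain that. Separately, the `description` string here lacks the `(https://lots-project.com)` suffix present in the committed list.json, so regenerating the list would change that field.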