add living off trusted sites project domains

2024-10-10 10:55:54 -05:00 · 2024-10-10 10:55:54 -05:00 · fc55112f9c
parent bfbb9a8203
commit fc55112f9c
3 changed files with 224 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -45,6 +45,7 @@ are reused in many other open source projects.
 - [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
 - [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
 - [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
+- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._
 - [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
 - [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
 - [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_
--- a/lists/lots-project/list.json
+++ b/lists/lots-project/list.json
@ -0,0 +1,191 @@
+{
+  "category": "Known identifier",
+  "description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection",
+  "list": [
+    ".000webhostapp.com",
+    ".amazonaws.com",
+    ".appspot.com",
+    ".atlassian.net",
+    ".axshare.com",
+    ".azureedge.net",
+    ".azurefd.net",
+    ".azurestaticapps.net",
+    ".azurewebsites.net",
+    ".backblazeb2.com",
+    ".blob.core.windows.net",
+    ".blogspot.com",
+    ".box.com",
+    ".canva.com",
+    ".clickfunnels.com",
+    ".cloudapp.azure.com",
+    ".cloudapp.net",
+    ".cloudfront.net",
+    ".cloudwaysapps.com",
+    ".codesandbox.io",
+    ".csb.app",
+    ".digitaloceanspaces.com",
+    ".docusign.com",
+    ".doubleclick.net",
+    ".dropmark.com",
+    ".duckdns.org",
+    ".easywp.com",
+    ".firebaseapp.com",
+    ".fleek.co",
+    ".format.com",
+    ".fyi.to",
+    ".github.io",
+    ".glitch.me",
+    ".godaddysites.com",
+    ".gofile.io",
+    ".googleusercontent.com",
+    ".herokuapp.com",
+    ".hostingerapp.com",
+    ".instagram.com",
+    ".linodeobjects.com",
+    ".mybluehost.me",
+    ".mybluemix.net",
+    ".myportfolio.com",
+    ".mystrikingly.com",
+    ".netlify.app",
+    ".ngrok.io",
+    ".nimbusweb.me",
+    ".notion.site",
+    ".on.aws",
+    ".ondigitalocean.app",
+    ".oraclecloud.com",
+    ".pagecloud.com",
+    ".pages.dev",
+    ".plesk.page",
+    ".repl.co",
+    ".requestbin.net",
+    ".rf.gd",
+    ".sendspace.com",
+    ".sharepoint.com",
+    ".slab.com",
+    ".surveycake.com",
+    ".translate.goog",
+    ".trycloudflare.com",
+    ".tumblr.com",
+    ".twitter.com",
+    ".typeform.com",
+    ".uplooder.net",
+    ".wasabisys.com",
+    ".web.app",
+    ".web.core.windows.net",
+    ".webflow.io",
+    ".weebly.com",
+    ".wixsite.com",
+    ".wordpress.com",
+    ".workers.dev",
+    ".xiti.com",
+    ".zendesk.com",
+    "12ft.io",
+    "1drv.com",
+    "1drv.ms",
+    "4sync.com",
+    "anonfiles.com",
+    "api.telegram.org",
+    "app.milanote.com",
+    "appdomain.cloud",
+    "archive.org",
+    "archive.ph",
+    "attachment.outlook.live.net",
+    "attachments.office.net",
+    "beautiful.ai",
+    "bit.ly",
+    "bitbucket.io",
+    "bitbucket.org",
+    "cdn.discordapp.com",
+    "cdn.fbsbx.com",
+    "clbin.com",
+    "codepen.io",
+    "ct.sendgrid.net",
+    "cutt.ly",
+    "discord.com",
+    "doc.clickup.com",
+    "docs.google.com",
+    "docsend.com",
+    "dogechain.info",
+    "drive.google.com",
+    "dropbox.com",
+    "evernote.com",
+    "express.adobe.com",
+    "facebook.com",
+    "feedproxy.google.com",
+    "filebin.net",
+    "filecloudonline.com",
+    "filetransfer.io",
+    "firebasestorage.googleapis.com",
+    "forms.office.com",
+    "genius.com",
+    "gitee.com",
+    "github.com",
+    "gitlab.com",
+    "googleweblight.com",
+    "graph.microsoft.com",
+    "i.imgur.com",
+    "icloud.com",
+    "ideone.com",
+    "inmotionhosting.com",
+    "ix.io",
+    "lnkd.in",
+    "localhost.run",
+    "mediafire.com",
+    "mega.nz",
+    "my.visme.co",
+    "nethunt.com",
+    "notion.so",
+    "nt.embluemail.com",
+    "onedrive.live.com",
+    "onenoteonlinesync.onenote.com",
+    "parg.co",
+    "paste.ee",
+    "pastebin.com",
+    "pastebin.pl",
+    "pastetext.net",
+    "pastie.org",
+    "pcloud.com",
+    "raw.githubusercontent.com",
+    "rb.gy",
+    "rebrand.ly",
+    "reddit.com",
+    "rentry.co",
+    "s.id",
+    "siasky.net",
+    "sites.google.com",
+    "slack-files.com",
+    "slack.com",
+    "spark.adobe.com",
+    "sprunge.us",
+    "stonly.com",
+    "storage.googleapis.com",
+    "sway.office.com",
+    "t.co",
+    "t.m1.email.samsung.com",
+    "telegra.ph",
+    "teletype.in",
+    "termbin.com",
+    "textbin.net",
+    "tinyurl.com",
+    "track.adform.net",
+    "transfer.sh",
+    "trello.com",
+    "ufile.io",
+    "viewer.joomag.com",
+    "wetransfer.com",
+    "workflowy.com",
+    "wtools.io",
+    "youtube.com",
+    "zerobin.net"
+  ],
+  "matching_attributes": [
+    "domain",
+    "domain|ip",
+    "hostname",
+    "hostname|port",
+    "url"
+  ],
+  "name": "List of LOTS (Living Off Trusted Sites) Project Domains",
+  "type": "hostname",
+  "version": 20241010
+}
--- a/tools/generate-lots-project.py
+++ b/tools/generate-lots-project.py
@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from bs4 import BeautifulSoup
+from generator import download, get_version, write_to_file
+
+
+if __name__ == '__main__':
+    req = download("https://lots-project.com")
+    soup = BeautifulSoup(req.text, 'html.parser')
+    links = soup.find_all('a', class_='link', href=True, target=None)
+
+    lots_list = []
+
+    for link in links:
+        if link.contents[0].startswith('*'):
+            lots_list.append(link.contents[0].lstrip('*'))
+        elif link.contents[0].startswith('www'):
+            lots_list.append(link.contents[0].lstrip('www'))
+        else:
+            lots_list.append(link.contents[0])
+
+    warninglist = {
+        'name': 'List of LOTS (Living Off Trusted Sites) Project Domains',
+        'version': get_version(),
+        'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection',
+        'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'],
+        'type': 'hostname',
+        'list': lots_list
+    }
+
+    write_to_file(warninglist, "lots-project")