diff --git a/README.md b/README.md index c029888..fbdc1cd 100755 --- a/README.md +++ b/README.md @@ -45,6 +45,7 @@ are reused in many other open source projects. - [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_ - [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_ - [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_ +- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._ - [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._ - [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_ - [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_ diff --git a/lists/lots-project/list.json b/lists/lots-project/list.json new file mode 100644 index 0000000..a8620d8 --- /dev/null +++ b/lists/lots-project/list.json @@ -0,0 +1,191 @@ +{ + "category": "Known identifier", + "description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection", + "list": [ + ".000webhostapp.com", + ".amazonaws.com", + ".appspot.com", + ".atlassian.net", + ".axshare.com", + ".azureedge.net", + ".azurefd.net", + ".azurestaticapps.net", + ".azurewebsites.net", + ".backblazeb2.com", + ".blob.core.windows.net", + ".blogspot.com", + ".box.com", + ".canva.com", + ".clickfunnels.com", + ".cloudapp.azure.com", + ".cloudapp.net", + ".cloudfront.net", + ".cloudwaysapps.com", + ".codesandbox.io", + ".csb.app", + ".digitaloceanspaces.com", + ".docusign.com", + ".doubleclick.net", + ".dropmark.com", + ".duckdns.org", + ".easywp.com", + ".firebaseapp.com", + ".fleek.co", + ".format.com", + ".fyi.to", + ".github.io", + ".glitch.me", + ".godaddysites.com", + ".gofile.io", + ".googleusercontent.com", + ".herokuapp.com", + ".hostingerapp.com", + ".instagram.com", + ".linodeobjects.com", + ".mybluehost.me", + ".mybluemix.net", + ".myportfolio.com", + ".mystrikingly.com", + ".netlify.app", + ".ngrok.io", + ".nimbusweb.me", + ".notion.site", + ".on.aws", + ".ondigitalocean.app", + ".oraclecloud.com", + ".pagecloud.com", + ".pages.dev", + ".plesk.page", + ".repl.co", + ".requestbin.net", + ".rf.gd", + ".sendspace.com", + ".sharepoint.com", + ".slab.com", + ".surveycake.com", + ".translate.goog", + ".trycloudflare.com", + ".tumblr.com", + ".twitter.com", + ".typeform.com", + ".uplooder.net", + ".wasabisys.com", + ".web.app", + ".web.core.windows.net", + ".webflow.io", + ".weebly.com", + ".wixsite.com", + ".wordpress.com", + ".workers.dev", + ".xiti.com", + ".zendesk.com", + "12ft.io", + "1drv.com", + "1drv.ms", + "4sync.com", + "anonfiles.com", + "api.telegram.org", + "app.milanote.com", + "appdomain.cloud", + "archive.org", + "archive.ph", + "attachment.outlook.live.net", + "attachments.office.net", + "beautiful.ai", + "bit.ly", + "bitbucket.io", + "bitbucket.org", + "cdn.discordapp.com", + "cdn.fbsbx.com", + "clbin.com", + "codepen.io", + "ct.sendgrid.net", + "cutt.ly", + "discord.com", + "doc.clickup.com", + "docs.google.com", + "docsend.com", + "dogechain.info", + "drive.google.com", + "dropbox.com", + "evernote.com", + "express.adobe.com", + "facebook.com", + "feedproxy.google.com", + "filebin.net", + "filecloudonline.com", + "filetransfer.io", + "firebasestorage.googleapis.com", + "forms.office.com", + "genius.com", + "gitee.com", + "github.com", + "gitlab.com", + "googleweblight.com", + "graph.microsoft.com", + "i.imgur.com", + "icloud.com", + "ideone.com", + "inmotionhosting.com", + "ix.io", + "lnkd.in", + "localhost.run", + "mediafire.com", + "mega.nz", + "my.visme.co", + "nethunt.com", + "notion.so", + "nt.embluemail.com", + "onedrive.live.com", + "onenoteonlinesync.onenote.com", + "parg.co", + "paste.ee", + "pastebin.com", + "pastebin.pl", + "pastetext.net", + "pastie.org", + "pcloud.com", + "raw.githubusercontent.com", + "rb.gy", + "rebrand.ly", + "reddit.com", + "rentry.co", + "s.id", + "siasky.net", + "sites.google.com", + "slack-files.com", + "slack.com", + "spark.adobe.com", + "sprunge.us", + "stonly.com", + "storage.googleapis.com", + "sway.office.com", + "t.co", + "t.m1.email.samsung.com", + "telegra.ph", + "teletype.in", + "termbin.com", + "textbin.net", + "tinyurl.com", + "track.adform.net", + "transfer.sh", + "trello.com", + "ufile.io", + "viewer.joomag.com", + "wetransfer.com", + "workflowy.com", + "wtools.io", + "youtube.com", + "zerobin.net" + ], + "matching_attributes": [ + "domain", + "domain|ip", + "hostname", + "hostname|port", + "url" + ], + "name": "List of LOTS (Living Off Trusted Sites) Project Domains", + "type": "hostname", + "version": 20241010 +} diff --git a/tools/generate-lots-project.py b/tools/generate-lots-project.py new file mode 100644 index 0000000..e80c0cb --- /dev/null +++ b/tools/generate-lots-project.py @@ -0,0 +1,32 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +from bs4 import BeautifulSoup +from generator import download, get_version, write_to_file + + +if __name__ == '__main__': + req = download("https://lots-project.com") + soup = BeautifulSoup(req.text, 'html.parser') + links = soup.find_all('a', class_='link', href=True, target=None) + + lots_list = [] + + for link in links: + if link.contents[0].startswith('*'): + lots_list.append(link.contents[0].lstrip('*')) + elif link.contents[0].startswith('www'): + lots_list.append(link.contents[0].lstrip('www')) + else: + lots_list.append(link.contents[0]) + + warninglist = { + 'name': 'List of LOTS (Living Off Trusted Sites) Project Domains', + 'version': get_version(), + 'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection', + 'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'], + 'type': 'hostname', + 'list': lots_list + } + + write_to_file(warninglist, "lots-project")