0xDanielLopez / TweetFeed

Licence: other
Collecting IOCs posted on Twitter

TweetFeed

Feeds of IOCs posted on Twitter

Web version at TweetFeed.live

Content

Data collected

Feeds (last updated 2022-04-22 21:58:56 UTC): Today, Last 7 days, Last 30 days, Last 365 days
Raw CSV feeds: 📋 Today (raw), 📋 Week (raw), 📋 Month (raw), 📋 Year (raw)

Output example

| Date (UTC) | Source user | Type | Value | Tags | Tweet |
|---|---|---|---|---|---|
| 2021-08-14 02:26:32 | phishunt_io | url | https://netflix.us2.cards/ | #phishing #scam | https://twitter.com/phishunt_io/status/1426369619422502917 |
| 2021-08-17 12:15:00 | TheDFIRReport | ip | 185.56.76.94 | #Trickbot | https://twitter.com/TheDFIRReport/status/1427604874053578756 |

Some statistics

IOCs

| IOC | Today | Week | Month | Year |
|---|---:|---:|---:|---:|
| 🔗 URLs | 481 | 3204 | 14484 | 90389 |
| 🌐 Domains | 18 | 124 | 751 | 16510 |
| 🚩 IPs | 153 | 1142 | 5546 | 50947 |
| 🔢 SHA256 | 57 | 212 | 1145 | 34826 |
| 🔢 MD5 | 6 | 39 | 259 | 1914 |

Tags

| Tag | Today | Week | Month | Year |
|---|---:|---:|---:|---:|
| #phishing | 515 | 3520 | 16130 | 116894 |
| #scam | 117 | 578 | 1962 | 11912 |
| #malware | 85 | 292 | 1734 | 18813 |
| #maldoc | 4 | 11 | 74 | 74 |
| #ransomware | 0 | 3 | 46 | 522 |
| #banker | 0 | 1 | 1 | 43 |
| #AgentTesla | 0 | 1 | 20 | 5338 |
| #Alienbot | 0 | 0 | 0 | 85 |
| #BazarLoader | 0 | 0 | 3 | 308 |
| #CobaltStrike | 46 | 439 | 2102 | 18436 |
| #Dridex | 0 | 0 | 0 | 5472 |
| #Emotet | 0 | 31 | 109 | 1430 |
| #FluBot | 0 | 0 | 0 | 24 |
| #Formbook | 0 | 1 | 6 | 4821 |
| #GootLoader | 1 | 4 | 15 | 345 |
| #GuLoader | 0 | 3 | 8 | 353 |
| #Hancitor | 0 | 0 | 0 | 156 |
| #IcedID | 0 | 1 | 17 | 229 |
| #Lapsus | 0 | 0 | 4 | 4 |
| #Lazarus | 0 | 4 | 18 | 91 |
| #Lokibot | 0 | 4 | 24 | 1484 |
| #log4j | 0 | 0 | 4 | 243 |
| #Log4shell | 0 | 0 | 8 | 227 |
| #ProxyShell | 0 | 0 | 1 | 111 |
| #Qakbot | 1 | 9 | 32 | 297 |
| #Raccoon | 0 | 0 | 0 | 1516 |
| #RedLine | 4 | 5 | 15 | 4076 |
| #Remcos | 1 | 1 | 27 | 956 |
| #Spring4Shell | 0 | 0 | 26 | 26 |
| #SquirrelWaffle | 0 | 0 | 0 | 53 |
| #Trickbot | 0 | 0 | 0 | 157 |
| #Ursnif | 0 | 0 | 33 | 362 |

Top reporters (today)

| Rank | User | IOCs |
|---|---|---:|
| #1 | ecarlesi | 182 |
| #2 | pingineer_jp | 103 |
| #3 | AP_Zenmashi | 82 |
| #4 | HeliosCert | 74 |
| #5 | KesaGataMe0 | 59 |
| #6 | drb_ra | 46 |
| #7 | malwrhunterteam | 26 |
| #8 | romonlyht | 24 |
| #9 | Cryptolaemus1 | 15 |
| #10 | phishunt_io | 12 |

How does it work?

Search tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched

(not case sensitive)
- #phishing
- #scam
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #BazarLoader
- #CobaltStrike
- #Dridex
- #Emotet
- #FluBot
- #Formbook
- #GootLoader
- #GuLoader
- #Hancitor
- #IcedID
- #Lapsus
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #ProxyShell
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #Spring4Shell
- #SquirrelWaffle
- #Trickbot
- #Ursnif

Also search tweets posted by the accounts in the TweetFeed list (these are trusted folks that sometimes don't use tags).

IOCs being collected

- URL
- Domain
- IP address
- SHA256 hash
- MD5 hash
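As an added illustration of the collection step described above (this is not TweetFeed's own code, which the page does not show), the following Python script applies the same three ideas: a tweet is kept when it carries one of the searched tags, matched case-insensitively, or comes from a trusted reporter; the five indicator types listed above are extracted after undoing common defanging ("hxxp", "[.]"); and each indicator becomes one row in the column order of the output example. The tweets, handles, indicators and the trusted-user set are constructed, and the tag list is a subset of the page's.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Subset of the page's tag list, keyed by lower-case form (tags are not case sensitive).
CANONICAL_TAGS = {
    "phishing": "#phishing", "scam": "#scam", "malware": "#malware",
    "maldoc": "#maldoc", "cobaltstrike": "#CobaltStrike", "trickbot": "#Trickbot",
}
# Stand-in for the page's "TweetFeed list" of trusted reporters (assumed handle).
TRUSTED_USERS = {"thedfirreport"}

# Match order matters: a URL is blanked out before the domain pattern runs so its
# host is not reported a second time, and SHA256 runs before MD5.
IOC_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
# File extensions that would otherwise look like a domain's top-level label.
NOT_TLDS = {"exe", "dll", "zip", "doc", "docx", "xls", "js", "ps1", "txt"}
HASHTAG = re.compile(r"#(\w+)")


def refang(text: str) -> str:
    """Undo the usual defanging conventions so the patterns match real indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_iocs(text: str) -> list[tuple[str, str]]:
    """Return (type, value) pairs for the five IOC types TweetFeed collects."""
    work = refang(text)
    found = []
    for ioc_type, pattern in IOC_PATTERNS:
        for m in pattern.finditer(work):
            value = m.group(0)
            if ioc_type == "domain" and value.rsplit(".", 1)[-1].lower() in NOT_TLDS:
                continue
            found.append((ioc_type, value))
        # Blank out matched spans so later, looser patterns cannot re-match them.
        work = pattern.sub(lambda m: " " * len(m.group(0)), work)
    return found


def tracked_tags(text: str) -> list[str]:
    """Hashtags from the searched list, in canonical spelling, without duplicates."""
    tags = []
    for tag in HASHTAG.findall(text):
        canon = CANONICAL_TAGS.get(tag.lower())
        if canon and canon not in tags:
            tags.append(canon)
    return tags


def build_feed(tweets: list[dict]) -> list[dict]:
    """One output row per IOC, in the column order of the page's output example."""
    rows = []
    for tw in tweets:
        tags = tracked_tags(tw["text"])
        if not tags and tw["user"].lower() not in TRUSTED_USERS:
            continue  # neither a searched tag nor a trusted reporter: ignore
        for ioc_type, value in extract_iocs(tw["text"]):
            rows.append({
                "date": tw["created_at"].strftime("%Y-%m-%d %H:%M:%S"),
                "user": tw["user"],
                "type": ioc_type,
                "value": value,
                "tags": " ".join(tags),
                "tweet": f"https://twitter.com/{tw['user']}/status/{tw['id']}",
            })
    return rows


def to_csv(rows: list[dict]) -> str:
    """Serialise rows as header-less CSV, the shape the Defender queries parse."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for r in rows:
        writer.writerow([r["date"], r["user"], r["type"], r["value"], r["tags"], r["tweet"]])
    return buf.getvalue()


# Constructed tweets (not real posts): IDs, users and indicators are made up.
SAMPLE_TWEETS = [
    {"id": 1001, "user": "phishunt_io",
     "created_at": datetime(2021, 8, 14, 2, 26, 32, tzinfo=timezone.utc),
     "text": "Fake login at hxxps://account-login[.]example[.]test/ #phishing #scam"},
    {"id": 1002, "user": "TheDFIRReport",  # trusted reporter, no tag in the text
     "created_at": datetime(2021, 8, 17, 12, 15, 0, tzinfo=timezone.utc),
     "text": "C2 at 203.0.113.45 and bad-domain[.]example, sample "
             "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    {"id": 1003, "user": "random_user",  # no searched tag, not trusted: skipped
     "created_at": datetime(2021, 8, 17, 13, 0, 0, tzinfo=timezone.utc),
     "text": "check https://example.test/meme lol"},
    {"id": 1004, "user": "analyst42",
     "created_at": datetime(2021, 8, 18, 9, 0, 0, tzinfo=timezone.utc),
     "text": "#Malware dropper, md5 d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    print(to_csv(build_feed(SAMPLE_TWEETS)), end="")
```

Running the script prints five CSV rows: one URL from the first tweet, a SHA256, an IP and a domain from the trusted reporter's untagged tweet, and an MD5 from the last one; the third tweet produces nothing because it has neither a searched tag nor a trusted author.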

Hunting IOCs via Microsoft Defender

1. Search SHA256 hashes with the yearly tweets feed

```kql
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet
```

2. Search IP addresses with the monthly tweets feed

```kql
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet
```

3. Search URLs and domains with the weekly tweets feed

```kql
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
'XXX' // Some URL/domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
```

Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as is, on a best-effort basis.

I have tried to tune the searches as much as possible to collect only valuable info. However, please consider making your own analysis before taking any action related to these IOCs.

Anyway, feel free to reach out to me regarding any false positive or to provide any kind of feedback.

