Hunt

Hunt IOCs in different environments


  1. Bash commands
  2. Microsoft Defender for Endpoint (MDE)

Bash commands

Some bash commands to pull IOCs collected from Tweets via the TweetFeed API (curl + jq). In the templates below, {Feed}, {type}, {tag} and {Output File} are placeholders you replace with your own values.


1. Get IOCs by type (url / domain / ip / sha256 / md5)
Command:
curl -s https://api.tweetfeed.live/v1/{Feed} | jq -r '.[] | select(.type == "{type}") | .value' > {Output File}
Command example - getting suspicious URLs from today:
curl -s https://api.tweetfeed.live/v1/today | jq -r '.[] | select(.type == "url") | .value' > suspicious_urls.dat
Output example:
url1
url2
url3
url4
...

2. Get IOCs by type and tag (phishing / malware / CobaltStrike / ...)
Command:
curl -s https://api.tweetfeed.live/v1/{Feed} | jq -r '.[] | select(.type == "{type}") | select(.tags[] | contains("{tag}")) | .value' > {Output File}
Command example - getting all IP IOCs tagged CobaltStrike from today (the filter selects type "ip"; change it to "url" or "domain" for the other types):
curl -s https://api.tweetfeed.live/v1/today | jq -r '.[] | select(.type == "ip") | select(.tags[] | contains("CobaltStrike")) | .value' > iocs_CS.dat
Output example:
ip1
ip2
ip3
ip4
...

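The two jq pipelines above can be combined into a single reusable filter. The following script is an added example, not part of the TweetFeed project: it reproduces the type filter and the tag filter in Python, de-duplicates values that appear in several Tweets, and defangs the result before writing it to a file so the IOC list is safe to paste into tickets or chat. The sample feed is constructed here in the shape the jq filters rely on (type / value / tags); the `date` and `user` fields, the defanging rules and the `fetch_feed` helper are assumptions of this example, and `fetch_feed` is only called when the script is run directly.

```python
import json
import urllib.request

API_BASE = "https://api.tweetfeed.live/v1/"  # endpoint used by the curl commands above

# Constructed sample feed (RFC 5737 addresses and .invalid domains, not real IOCs).
# Only "type", "value" and "tags" are relied on; "date"/"user" are assumed fields.
SAMPLE_FEED = [
    {"date": "2024-01-01 10:00:00", "user": "analyst_a", "type": "url",
     "value": "http://example.invalid/login", "tags": ["#phishing"]},
    {"date": "2024-01-01 10:05:00", "user": "analyst_b", "type": "ip",
     "value": "203.0.113.10", "tags": ["#malware", "#CobaltStrike"]},
    # Same IP reported a second time: the jq one-liner would print it twice.
    {"date": "2024-01-01 11:00:00", "user": "analyst_c", "type": "ip",
     "value": "203.0.113.10", "tags": ["#CobaltStrike"]},
    {"date": "2024-01-01 11:30:00", "user": "analyst_a", "type": "domain",
     "value": "c2.example.invalid", "tags": ["#CobaltStrike"]},
    # Entry without a tags key: must not crash the filter.
    {"date": "2024-01-01 12:00:00", "user": "analyst_d", "type": "ip",
     "value": "198.51.100.7"},
]


def fetch_feed(feed="today", timeout=15):
    """Download a feed (e.g. "today") from the TweetFeed API and parse the JSON list."""
    with urllib.request.urlopen(API_BASE + feed, timeout=timeout) as resp:
        return json.load(resp)


def filter_iocs(entries, ioc_type, tag=None):
    """Return unique IOC values of the given type, optionally restricted to a tag.

    Mirrors the jq filters: exact match on .type, case-insensitive substring
    match on any element of .tags (so "CobaltStrike" matches "#CobaltStrike").
    Order of first appearance is preserved and duplicates are dropped.
    """
    seen = set()
    result = []
    for entry in entries:
        if entry.get("type") != ioc_type:
            continue
        tags = entry.get("tags") or []
        if tag is not None and not any(tag.lower() in t.lower() for t in tags):
            continue
        value = entry.get("value")
        if value and value not in seen:
            seen.add(value)
            result.append(value)
    return result


def defang(value):
    """Make an indicator non-clickable: http -> hxxp, '.' -> '[.]' (assumed convention)."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def write_ioc_file(values, path, defanged=True):
    """Write one IOC per line, defanged by default; returns the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        for v in values:
            fh.write((defang(v) if defanged else v) + "\n")
    return len(values)


if __name__ == "__main__":
    # Live equivalent of the page's second example: CobaltStrike-tagged IPs from today.
    feed = fetch_feed("today")
    ips = filter_iocs(feed, "ip", "CobaltStrike")
    n = write_ioc_file(ips, "iocs_CS.dat")
    print(f"wrote {n} defanged IOCs to iocs_CS.dat")
```

Run it as `python3 tweetfeed_hunt.py` (hypothetical file name) to get the same list as the jq command, minus duplicates and with dots bracketed; pass `defanged=False` to `write_ioc_file` when the file is going to be loaded straight into a blocklist or SIEM lookup that expects raw values.
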
Microsoft Defender for Endpoint (MDE)

These are just examples; adapt them to your environment as needed.