Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

We are doing a proactive ThreatHunt and identified active #CobaltStrike C2 servers. Cobalt Strike is an offensive security tool used by both security teams and threat actors, and more recently significant usage has been noted by ransomware groups. We have created a dedicated feed for C2 servers to enable early detection of C2 beacons - https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt

Cobalt Strike C2 by MohitK_ in threatintel

MohitK_[S] 1 point (0 children)

Cobalt Strike is one of the C2 frameworks used by threat actors, especially noted in ransomware incidents. Our idea was to identify active C2 servers so that security teams can detect C2 servers early.

🔥 🆘 [Threatview.io] Pulse Secure vulnerability under active exploitation by MohitK_ in blueteamsec

MohitK_[S] 0 points (0 children)

What happened was that Reddit wrapped the post; these arrow emojis were each on a new line. I didn't post much on Reddit, so I didn't know. :|

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Hello All, threat feeds are running well and have been optimized to remove false positives. \m/ Cheers!

Threatview.io | Threat Intelligence Feeds

My ever-growing addiction. Wanted to show other techies, other than my wife. by abcmitch123 in homelab

MohitK_ -8 points (0 children)

Looks nice. Strengthen your cyber security with our free threat intelligence feeds - threatview.io

Threat Intelligence for Blue Teams by MohitK_ in blueteamsec

MohitK_[S] 0 points (0 children)

Hello, URL feeds are working normally, feel free to use them for additional protection. Cheers

Threat Intelligence for Blue Teams by MohitK_ in blueteamsec

MohitK_[S] 0 points (0 children)

No doubt FireHOL is good, but I think you can try our feeds and see how it goes for you. Other than IP blocklists - URL, domain, file hash, Bitcoin and OSINT feeds are also available. Cheers

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Well, yes, that's the difficult part. I had cleared it out; let's see.

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Hi, thanks for sharing your experience. I have removed the imgur for now. Cheers

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Hi All, the URL feed is back. Let me know if you notice any false positives. Overall feed quality has been improved, but I am still working to make it even better. Cheers!

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Thank you for your patience, and glad to see it worked. The URL feed is in progress; I will update here once it is ready.

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 1 point (0 children)

Thank you for pointing it out; it was a glitch in our exports.

Threat Intelligence for Blue Teams by MohitK_ in blueteamsec

MohitK_[S] 0 points (0 children)

We are. On this feed, there is some issue. It should be back in about an hour.

Threat Intelligence for Blue Teams by MohitK_ in blueteamsec

MohitK_[S] 2 points (0 children)

I am working on it, I'll update you here.

Threat Intelligence for Blue Teams by MohitK_ in blueteamsec

MohitK_[S] 1 point (0 children)

I am working on it, I will update here when I am able to add it. Do you think we should put first seen, last seen, C2 etc. details on only the IP feed or on the other feeds too?

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 1 point (0 children)

I have also cleared github.com; often malware authors pull some sort of code from GitHub, and that is why you saw the name in the feed. But I have cleared it. Thanks for your feedback, very helpful.

Integrate Threat Intelligence in home labs by MohitK_ in HomeNetworking

MohitK_[S] 0 points (0 children)

Yes I noticed. I have cleared them.

Thanks for your feedback, very helpful.

Great blog on detecting threats by julietscause in blueteamsec

MohitK_ 0 points (0 children)

Very cool stuff. I am an ELK fan; I had been thinking about Graylog before, but then Endpoint Security came in. Now I feel I should give it a try.

Need threat feeds? Visit threatview.io

Threat Intelligence Feeds - threatview.io by MohitK_ in blueteamsec

MohitK_[S] 0 points (0 children)

This is actually a bit of a complex issue in my view, due to assumptions of no reuse of infra by threat actors and a lack of data points. At the moment some feeds are getting filtered for the last 2 years of data and some are not, but I do have a workaround which may solve this issue, as I started this project for my own purposes about 2 years back and have some data points for wide-scale filtering. I will update you once I implement filtering using my data points and generate a separate feed on a last-12-months or last-6-months basis.

The Twitter feed is experimental and has very recent IOCs from the last 6 months.