Threat Data
Is this bad?

Intro

When checking out the reputation and threat data behind and indicator, there are two main parts: Checking for the presence of the indicator on available blacklists and enriching your investigation with intelligence and metadata around the target indicator.
When checking your indicators against the below sources, be sure you are looking at the other data that is provided outside of the blacklist check. Tools like Hurricane Electric and Cisco's Talos can give you information about the ASN or subnet an indicator is apart of. Use them to see if its not just one IP that is flagged, but if it is an entire subnet or ASN. For domains, look for registration information and registration dates. How long ago was that domain registered? Have you seen malicious domains registered by this user before? Lastly make sure you look at any other related data, even if it is as simple as the comments section of VirusTotal. Other analysts can save you a tremendous amount of work, by making a simple note to help you.
*WARNING* - An indicator can still be malicious even if it is not on any searched blacklists. Do not make the mistake of assuming something is benign, simply because your searches returned nothing.

Threat Maps

Threat Actor Information

Blacklist Checks and Reputation Data

Multi - Blacklist Checkers

    • Searches: IP address, Domain, ASN, Subnet
    • Returns: IP information, WHOIS, DNS (A records), Reputation Check ( IP Only - 93 sources), Website info, Website Preview
  • ​Virustotal​
  • ​Cisco Talos​
    • Searches: IP and Domain data
    • Returns: Reputation check, content details, mail servers, owner details, Subnet reputation details, WHOIS, email volume history, Top Network owners
    • Search: Domain, IP address
    • Returns: Reputation data (94 blacklists)
  • ​MultiRBL​
    • Searches: IP, domain
    • Returns: FCrDNS Test data, Reputation data (242 blacklist checks)
  • ​https://www.infobyip.com/ipbulklookup.php - (Honorable Mention) - A great tool that allows you to take a bulk list of IP addresses or Domains and check them for the presence on blacklists.

IP Reputation data

URL/Domain Reputation data

  • ​URLScan - Returns: Summary data, Reputation data, IP data, domain tree, HTTP transaction data, Screenshot of page, Detected Technologies, links
  • ​URLVoid - Returns Reputation data (34 sources), Registration info, WHOIS, Reverse DNS, ASN
  • ​Zscalar Zulu - Returns: URL info, Risk analysis, Content, URL checks, Host checks
  • ​PhishTank - Returns: Listed on PhishTank
  • ​Quttera Malware Scanner - Returns: Website malware scan report
  • ​MergiTools RBL check - Returns: Reputation data
  • ​Malware Domain Lists - Returns: Reputation data
  • ​Securi SiteCheck - Returns: Security check and malware scan
  • ​https://lots-project.com/ - Living Off Trusted Sites (LOTS) Project, Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. The list of websites below allow attackers to use their domain or subdomain.
  • ​https://reports.adguard.com/en/welcome.html - Checks if site is on AdGuard's block list

File Hash Reputation Data

Email/Spam Data

  • ​Simple Email Rep checker - Returns: Domain reputation, presence on social media, Blacklisted/Malicious activity, Email policy settings
  • ​MXtoolbox MX lookup and Super tool - Returns: Host information, DMARC and DNS record data, Pivot to Blacklist check
  • ​HaveIBeenEmotet - Returns: If your email address or domain is involved in the Emotet malspam.

Indicator Enrichment

These resources may not specifically return reputation data, but with the help of internet scanning services, internet-wide traffic metadata, and indicator enrichment and sharing platforms, we can now add much needed context to our indicators.
  • ​Greynoise​
  • ​BrightCloud​
    • Searches: IP address, domain
    • Returns: Web Reputation, Web category, WHOIS
    • Searches: Domain, IP, Email, Organization
    • Returns: Reputation data, WHOIS, Reverse DNS, Open Ports, Subdomains, Related Entity Graph, pivot search to AlienVault OTX indicator information
  • ​AbuseIPDB​
    • Searches: IP, Domain, Subnet
    • Returns: Reputation data, usage type, Location info
  • ​SANS D-Shield​
    • Searches: Keyword, IP, domain, Port, Header
    • Returns: General information, Reputation data, SSH logs, Honeypot logs, WHOIS
    • Search: IoCs (ip, domain, hash, etc.)
    • Returns: date, IoC, malware family, Tags, Reporter
  • ​Spamhaus Project​
    • Searches: IP, Domain, Hash
    • Returns: Reputation data
    • Searches: IP, Domain, Hash
    • Returns: Reputation Data, Web site data, Open Ports, SSL Certificate data, Malware Detection, WHOIS, MX records and config, NS records and config
    • Searches: File, URL, IP, Domain, Hash, CVE
    • Returns: Any detection from multiple other engines with link to that engines data.
    • Searches: Domain, Hosts, IP, Email, Hash, Tags
    • Returns: Associated intelligence article containing the searched for indicator
  • ​PulseDive​
    • Searches: Indicators, Threats, Feeds, Misc. data
    • Returns: Risk Info, Highlights, Ports, Threat info, Reputation data, Linked Indicators
  • ​Malc0de database​
    • Searches: IP, domain, hash, ASN
    • Returns: ?????
  • ​ThreatShare​
    • Searches: IP, URL
    • Returns: malware family, online status, URLscan data
  • ​Phishstats (Public Dashboard 2)
    • Searches: IP, host, domain, full URL
    • Returns: Related metadata and reputation data.
  • ​Twitter IOC Hunter - An incredible tool that scrapes twitter for IoCs that are publicly reported through thier platform and puts them into a searchable repository. Tweet IoCs are one of the fastest ways to get information on newly discovered IoCs as they will often have context around thier discovery.
    • Search: IP, domain, or email address
    • Returns: Presence on internal blocklist and misc available detail.
    • Search: IP Addresses, Email, Subnet, Domain
    • Returns: Presence on internal blocklist for spam activity

Investigation Tools

If you do not have a SOAR platform to perform some of the OSINT lookups for you, Security analysts must take the tedious effort of plugging their IoC into one of the above tools to gather data manually. To make that process easier, I created a tool that will allow you to open all the tools you want and pivot directly to their results.
Note: Some tools require more than a simple append on to the end of the URI. I am currently working on expanding that functionality.
s0cm0nkeyOSINT.html
20KB
Text
GitHub - s0cm0nkey/EasyOSINT: Simple HTML page that makes it easier for analysts to parse through OSINT around Threat Data
GitHub
Here is a MindMap I have made of the popular tools I use for analyzing indicators.
The interactive version can be found here:
Threat Object.xmind
372KB
Binary
​