## ☰ 目录 - [收集的数据](#page_facing_up-data-collected) - [部分统计](#bar_chart-some-statistics) - [工作原理](#question-how-it-works) - [通过 Microsoft Defender 追猎 IOC](#mag-hunting-iocs-via-microsoft-defender) - [作者](#bust_in_silhouette-author) - [免责声明](#pushpin-disclaimer) ## :page_facing_up: 收集的数据 ## :bar_chart: 部分统计 ## :question: 工作原理 搜索包含特定标签 **或者** 由特定 *infosec* 人员发布的推文。 ### 被搜索的标签 ##### *(不区分大小写)* ``` - #phishing - #scam - #opendir - #malware - #maldoc - #ransomware - #banker - #AgentTesla - #Alienbot - #AsyncRAT - #BazarLoader - #Batloader - #CobaltStrike - #Dcrat - #Emotet - #Formbook - #GootLoader - #GuLoader - #IcedID - #Lazarus - #Lokibot - #log4j - #Log4shell - #Njrat - #Qakbot - #Raccoon - #RedLine - #Remcos - #RaspberryRobin - #Spring4Shell - #SocGholish - #Ursnif ``` ### 同时搜索由以下用户发布的推文 ##### *(这些是值得信赖的人，他们有时不使用标签)*

[**TweetFeed 列表**](https://twitter.com/i/lists/1423693426437001224)

## :mag: 通过 Microsoft Defender 追猎 IOC **1. 使用 `年度` 推文 feed 搜索 `SHA256` 哈希** ``` let MaxAge = ago(30d); let SHA256_whitelist = pack_array( 'XXX' // Some SHA256 hash you want to whitelist. ); let TweetFeed = materialize ( (externaldata(report:string) [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"] with (format = "txt")) | extend report = parse_csv(report) | extend Type = tostring(report[2]) | where Type == 'sha256' | extend SHA256 = tostring(report[3]) | where SHA256 !in(SHA256_whitelist) | extend Tag = tostring(report[4]) | extend Tweet = tostring(report[5]) | project SHA256, Tag, Tweet ); union ( TweetFeed | join ( DeviceProcessEvents | where Timestamp > MaxAge ) on SHA256 ), ( TweetFeed | join ( DeviceFileEvents | where Timestamp > MaxAge ) on SHA256 ), ( TweetFeed | join ( DeviceImageLoadEvents | where Timestamp > MaxAge ) on SHA256 ) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet ```
**2. 使用 `月度` 推文 feed 搜索 `IP 地址`** ``` let MaxAge = ago(30d); let IPaddress_whitelist = pack_array( 'XXX' // Some IP address you want to whitelist. ); let TweetFeed = materialize ( (externaldata(report:string) [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"] with (format = "txt")) | extend report = parse_csv(report) | extend Type = tostring(report[2]) | where Type == 'ip' | extend RemoteIP = tostring(report[3]) | where RemoteIP !in(IPaddress_whitelist) | where not(ipv4_is_private(RemoteIP)) | extend Tag = tostring(report[4]) | extend Tweet = tostring(report[5]) | project RemoteIP, Tag, Tweet ); union ( TweetFeed | join ( DeviceNetworkEvents | where Timestamp > MaxAge ) on RemoteIP ) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet ```
**3. 使用 `周度` 推文 feed 搜索 `urls` 和 `domains`** ``` let MaxAge = ago(30d); let domain_whitelist = pack_array( 'XXX' // Some URL/Domain you want to whitelist. ); let TweetFeed = materialize ( (externaldata(report:string) [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"] with (format = "txt")) | extend report = parse_csv(report) | extend Type = tostring(report[2]) | where Type in('url','domain') | extend RemoteUrl = tostring(report[3]) | where RemoteUrl !in(domain_whitelist) | extend Tag = tostring(report[4]) | extend Tweet = tostring(report[5]) | project RemoteUrl, Tag, Tweet ); union ( TweetFeed | join ( DeviceNetworkEvents | where Timestamp > MaxAge ) on RemoteUrl ) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet ``` ## :bust_in_silhouette: 作者 * [**Daniel López**](https://twitter.com/0xDanielLopez) ## :pushpin: 免责声明 请注意，所有数据均收集自 Twitter，并按 **尽力而为** 的原则在此进行整理/提供。 我已经尝试尽可能调整搜索，试图只收集有价值的信息。但是，请考虑在对这些 IOC 采取任何行动之前进行自己的分析。 如有任何疑问，请随时 **[联系我](https://twitter.com/0xDanielLopez)** 或就任何贡献或建议提供任何形式的 **[反馈](https://tweetfeed.live/feedback.html)**。

---

源于社区，服务社区。

标签：CSV, ESC4, IOC, MD5, Microsoft Defender, OpenCTI, OSINT, SHA256, Twitter, 哈希, 失陷指标, 威胁情报, 威胁猎杀, 安全数据源, 安全社区, 开发者工具, 恶意IP, 恶意URL, 恶意域名, 情报源, 红队平台, 网络安全, 自动化收集, 隐私保护