Bert-JanP/Open-Source-Threat-Intel-Feeds
An aggregation repository of open source threat intelligence IOC feeds. It collects free feeds of many types (IPs, URLs, domains, file hashes, CVEs and more) and provides a structured index so they can be imported into SIEM/EDR and other security platforms.
# Free Threat Intel/IOC Feeds
This repository contains open source threat intelligence feeds that can be used without additional requirements. The CSV file [ThreatIntelFeeds](./ThreatIntelFeeds.csv) stores the feeds in a structured way by vendor, description, category and URL. The vendors that provide the ThreatIntelFeeds are listed below.
The currently available feed categories are:
- SSL
- IP
- DNS
- URL
- MD5
- SHA1
- SHA256
- CVEID
- JA3
- NamePipes
The content is provided as is. When using the content in a commercial environment, the applicable conditions must be researched before use; some content may not be freely usable under certain conditions. It is your own responsibility to research whether this applies.
| Category | Count |
| --- | --- |
| DNS | 15 |
| IP | 77 |
| MD5 | 11 |
| SHA1 | 4 |
| SHA256 | 7 |
| SSL | 1 |
| URL | 23 |
| CVEID | 4 |
| RANSOMWARELEAK | 1 |
| JA3 | 1 |
| NamePipe | 1 |
# Integrating Threat Intelligence in EDR and SIEM
The feeds provided in this repository can be used to perform threat hunting in your EDR or SIEM solution to find malicious activity. For Defender For Endpoint and Sentinel, a number of KQL hunting rules have already been written that can be applied directly in your EDR or SIEM. See: [KQL Hunting Queries](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/tree/main/Threat%20Hunting)
## KQL
You can easily implement these open source feeds in KQL for M365D Advanced Hunting or Sentinel. This is done with the [externaldata](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer) operator. The operator takes an external link as input and parses the result into a data table, which can then be joined with or used to filter other tables. As the example below shows, its output is a table like any other.
```
let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
C2IntelFeeds
| take 100
```

The documentation explains the various parameters used, for example whether to ignore the first row (the CSV header).
### Combining EDR network traffic with IOC feeds
The query below combines EDR network traffic with an IOC feed. This detection can help you identify devices that connected to IPs hosting command and control (C2) servers.
```
// Load the C2 IP feed as a table; the first row is the CSV header and is skipped
let C2IntelFeeds = externaldata(IP: string, ioc:string)[@"https://raw.githubusercontent.com/drb-ra/C2IntelFeeds/master/feeds/IPC2s-30day.csv"] with (format="csv", ignoreFirstRecord=True);
// Only the IP column is needed for the membership filter
let IPList = C2IntelFeeds
| project IP;
DeviceNetworkEvents
| where RemoteIP in (IPList)
// Join back to the feed so each match carries its ioc label
| join kind=inner C2IntelFeeds on $left.RemoteIP == $right.IP
// Enrich the matched remote IP with GeoIP details (the function already returns a dynamic object)
| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)
| extend country = tostring(GeoIPInfo.country), state = tostring(GeoIPInfo.state), city = tostring(GeoIPInfo.city), latitude = tostring(GeoIPInfo.latitude), longitude = tostring(GeoIPInfo.longitude)
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, ioc, country, state, city, latitude, longitude
```
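The same feed-to-events join, written in Python as an added example (not code from this repository or from the C2IntelFeeds project) for environments where the data is not in Sentinel. It assumes a two-column `IP,ioc` feed with a header row, as the `externaldata` declaration above does, and constructed sample events whose field names mirror the `DeviceNetworkEvents` columns the KQL query projects. It also does something the KQL query does not: it validates each feed IP before using it, so a malformed feed row can neither match nor silently break the lookup.

```python
import csv
import io
import ipaddress
from typing import Iterable

# Constructed sample of a C2 IP feed in the same header-first, two-column
# layout as the IPC2s-30day.csv feed referenced above. The last row is
# deliberately malformed to show how it is handled.
SAMPLE_FEED_CSV = """IP,ioc
198.51.100.23,Cobalt Strike
203.0.113.9,Sliver
not-an-ip,Broken row
"""

# Constructed sample EDR network events; field names are assumed to mirror
# the DeviceNetworkEvents columns used in the KQL query.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceName": "ws-01",
     "RemoteIP": "198.51.100.23", "RemotePort": 443, "RemoteUrl": ""},
    {"Timestamp": "2024-01-01T10:01:00Z", "DeviceName": "ws-02",
     "RemoteIP": "192.0.2.77", "RemotePort": 80, "RemoteUrl": "example.invalid"},
    {"Timestamp": "2024-01-01T10:02:00Z", "DeviceName": "ws-03",
     "RemoteIP": "203.0.113.9", "RemotePort": 8443, "RemoteUrl": ""},
]


def load_ip_feed(csv_text: str) -> dict[str, str]:
    """Parse a header-first IP feed into {ip: ioc_label}.

    Mirrors externaldata(...) with ignoreFirstRecord=True (DictReader consumes
    the header), and additionally drops rows whose IP column is not a valid
    address so a broken feed line cannot poison the lookup set.
    """
    feed: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw_ip = (row.get("IP") or "").strip()
        try:
            # Canonical form (e.g. IPv6 case/compression) so exact match works
            ip = str(ipaddress.ip_address(raw_ip))
        except ValueError:
            continue
        feed[ip] = (row.get("ioc") or "").strip()
    return feed


def match_events(events: Iterable[dict], feed: dict[str, str]) -> list[dict]:
    """Inner-join events to the feed on RemoteIP, like the KQL `join kind=inner`."""
    hits = []
    for ev in events:
        label = feed.get(ev["RemoteIP"])
        if label is None:
            continue
        hit = {k: ev[k] for k in ("Timestamp", "DeviceName", "RemoteIP", "RemotePort", "RemoteUrl")}
        hit["ioc"] = label
        hits.append(hit)
    return hits


if __name__ == "__main__":
    feed = load_ip_feed(SAMPLE_FEED_CSV)
    for hit in match_events(SAMPLE_EVENTS, feed):
        print(hit)
```

Feeds such as the C2 list above are refreshed regularly, so a real deployment should re-download the feed on a schedule rather than cache it indefinitely; the KQL `externaldata` call fetches it fresh on every query run.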
# Contributing
Contributions are very welcome to make this list of free threat intel/IOC feeds as large and up to date as possible. You can contribute by creating a Pull Request. The PR must contain the following:
1. Add the link to the feed to the README.md file. If there is no section that fits the source, create a new section.
2. Add the details to the ThreatIntelFeeds.csv file, using the format shown below. Category refers to the feed categories listed above.
   ```
   Vendor;Description;Category;Url
   ```
3. The feed must be free and usable without any account or API token.
4. Validate the contents of the CSV file with the [Validator.py](./Scripts/Validator.py) script. It can be run from the *Scripts* directory.
5. Update the IOC feed statistics table by running [GenerateTableStatistics.py](./Scripts/GenerateTableStatistics.py), which saves the markdown table in the *StatisticsTable.md* file. This table can then be pasted above.
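As an added example (not the repository's own Validator.py or GenerateTableStatistics.py, whose exact checks are not shown on this page), the script below performs the two checks a contributor would want from steps 2, 4 and 5: it validates a `Vendor;Description;Category;Url` file against the category list above and builds the per-category markdown count table. The sample CSV rows are constructed; the validation rules (non-empty vendor and description, known category, http(s) URL) are assumptions about what makes a row usable, not the project's documented rules.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlparse

# Feed categories listed at the top of the README.
VALID_CATEGORIES = {"SSL", "IP", "DNS", "URL", "MD5", "SHA1", "SHA256", "CVEID", "JA3", "NamePipes"}
FIELDS = ["Vendor", "Description", "Category", "Url"]

# Constructed sample of ThreatIntelFeeds.csv rows (semicolon-separated, header
# first). The last three rows are deliberately invalid.
SAMPLE_CSV = """Vendor;Description;Category;Url
Abuse.ch;SSL blacklist;SSL;https://sslbl.abuse.ch/blacklist/sslblacklist.csv
Blocklist.de;All attacking IPs;IP;https://lists.blocklist.de/lists/all.txt
IPSum;Level 1 IPs;IP;https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt
Example;Bad category;IPS;https://example.invalid/feed.txt
Example;Bad URL;URL;ftp://example.invalid/feed.txt
Example;Too few fields;URL
"""


def validate_feeds(csv_text: str) -> list[str]:
    """Return a list of problems found in the CSV text (empty when valid)."""
    problems: list[str] = []
    reader = csv.reader(io.StringIO(csv_text), delimiter=";")
    header = next(reader, None)
    if header != FIELDS:
        problems.append(f"header must be {';'.join(FIELDS)}, got {header}")
    # Header is line 1, so data rows start at line 2
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line
        if len(row) != len(FIELDS):
            problems.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
            continue
        vendor, desc, category, url = (f.strip() for f in row)
        if not vendor or not desc:
            problems.append(f"line {lineno}: Vendor and Description must not be empty")
        if category not in VALID_CATEGORIES:
            problems.append(f"line {lineno}: unknown Category {category!r}")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"line {lineno}: Url must be an http(s) URL, got {url!r}")
    return problems


def statistics_table(csv_text: str) -> str:
    """Build the '| Category | Count |' markdown table from the CSV rows.

    Counts every row's Category value; run validate_feeds() first so the
    table is built from a clean file.
    """
    counts: Counter = Counter()
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        category = (row.get("Category") or "").strip()
        if category:
            counts[category] += 1
    lines = ["| Category | Count |", "| --- | --- |"]
    lines += [f"| {cat} | {n} |" for cat, n in sorted(counts.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate_feeds(SAMPLE_CSV):
        print("INVALID:", problem)
    print(statistics_table(SAMPLE_CSV))
```

Run against the real file with `validate_feeds(open("ThreatIntelFeeds.csv").read())`; a non-empty result is the list of lines to fix before opening the PR.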
# Abuse.ch
- https://sslbl.abuse.ch/blacklist/sslblacklist.csv
- https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
- https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
- https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv
- https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.txt
- https://threatfox.abuse.ch/downloads/hostfile/
- https://feodotracker.abuse.ch/downloads/ipblocklist.txt
- https://feodotracker.abuse.ch/blocklist/
- https://bazaar.abuse.ch/export/txt/md5/recent/
- https://threatfox.abuse.ch/export/csv/md5/recent/
- https://bazaar.abuse.ch/export/txt/sha1/recent/
- https://bazaar.abuse.ch/export/txt/sha256/recent/
- https://threatfox.abuse.ch/export/csv/sha256/recent/
- https://urlhaus.abuse.ch/downloads/csv_recent/
- https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv
Terms of Service: https://sslbl.abuse.ch/blacklist/, https://feodotracker.abuse.ch/blocklist/
# Blocklist.de
- https://lists.blocklist.de/lists/all.txt
- https://lists.blocklist.de/lists/ssh.txt
- https://lists.blocklist.de/lists/mail.txt
- https://lists.blocklist.de/lists/apache.txt
- https://lists.blocklist.de/lists/imap.txt
- https://lists.blocklist.de/lists/bots.txt
- https://lists.blocklist.de/lists/bruteforcelogin.txt
- https://lists.blocklist.de/lists/strongips.txt
- https://lists.blocklist.de/lists/ftp.txt
Terms of Service: https://www.blocklist.de/en/index.html
# IPSum
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/2.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt
- https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt
# C2IntelFeeds
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2s-30day-filter-abused.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2swithURL-30day-filter-abused.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2swithURL-filter-abused.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2swithURLwithIP-30day-filter-abused.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/domainC2s.csv
- https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/unverified/IPC2s.csv
# Montysecurity Feeds
- https://github.com/montysecurity/C2-Tracker/tree/main/data
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Brute%20Ratel%20C4%20IPs.txt
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Cobalt%20Strike%20C2%20IPs.txt
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Posh%20C2%20IPs.txt
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Sliver%20C2%20IPs.txt
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Metasploit%20Framework%20C2%20IPs.txt
- https://github.com/montysecurity/C2-Tracker/blob/main/data/Havoc%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/BurpSuite%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Deimos%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/GoPhish%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Gotham%20Stealer%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Hachcat%20Cracking%20Tool%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Metasploit%20Framework%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Mythic%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/NimPlant%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/PANDA%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Posh%20C2%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/PowerSploit%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/XMRig%20Monero%20Cryptominer%20IPs.txt
- https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/all.txt
# Carbon Black
- https://github.com/carbonblack/active_c2_ioc_public/blob/main/cobaltstrike/actor-specific/cobaltstrike_luckymouse_ta428.csv
- https://github.com/carbonblack/active_c2_ioc_public/blob/main/cobaltstrike/actor-specific/cobaltstrike_pyxie.csv
- https://github.com/carbonblack/active_c2_ioc_public/blob/main/shadowpad/shadowpad_202209.tsv
# tweetfeed.live
- https://tweetfeed.live/
- https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv
- https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv
- https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv
- https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv
# Botvrij
- https://www.botvrij.eu/data/blocklist/blocklist_domain.csv
- https://www.botvrij.eu/data/ioclist.md5
- https://www.botvrij.eu/data/ioclist.sha1
- https://www.botvrij.eu/data/ioclist.sha256
# Proofpoint
- https://rules.emergingthreats.net/blockrules/compromised-ips.txt
# CINSscore
- https://cinsscore.com/list/ci-badguys.txt
# Phishing Army
- https://phishing.army/download/phishing_army_blocklist.txt
- https://phishing.army/download/phishing_army_blocklist_extended.txt
# Alienvault
- http://reputation.alienvault.com/reputation.data
- https://reputation.alienvault.com/reputation.generic
# Cisco Talos
- http://www.talosintelligence.com/documents/ip-blacklist
# Binarydefense
- https://www.binarydefense.com/banlist.txt
# CISA
- https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv - CSV
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json - JSON
# eCrimeLabs
- https://feeds.ecrimelabs.net/data/metasploit-cve
# MISP Feed CERT-FR
- https://misp.cert.ssi.gouv.fr/feed-misp/hashes.csv
# Mr. Looquer IOC Feed
- https://iocfeed.mrlooquer.com/feed.csv
# SNORT
- https://snort.org/downloads/ip-block-list
# ELLIO: IP Feed (Community version)
- https://cdn.ellio.tech/community-feed
Terms of Service: https://ellio.tech/beta-terms-and-conditions
# CyberCure
- https://api.cybercure.ai/feed/get_hash?type=csv
- https://api.cybercure.ai/feed/get_url?type=csv
- https://api.cybercure.ai/feed/get_ips?type=csv
# DigitalSide Threat-Intel
- https://osint.digitalside.it/Threat-Intel/lists/latesturls.txt
- https://osint.digitalside.it/Threat-Intel/lists/latestips.txt
- https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
# OpenPhish
- https://openphish.com/feed.txt
# PhishTank
- http://data.phishtank.com/data/online-valid.json
# Cert.PL
- https://hole.cert.pl/domains/domains.csv
# GreenSnow
- https://blocklist.greensnow.co/greensnow.txt
# Mirai Security
- https://mirai.security.gives/data/ip_list.txt
# NIST
- https://services.nvd.nist.gov/rest/json/cves/2.0
# Other GitHub-based feeds
- https://raw.com/aptnotes/data/master/APTnotes.csv
- https://raw.githubusercontent.com/fox-it/cobaltstrike-extraneous-space/master/cobaltstrike-servers.csv
- https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
- https://github.com/ThreatMon/ThreatMon-Daily-C2-Feeds
# Url Abuse
- https://urlabuse.com/public/data/data.txt
- The 500 most recent records in the database (CSV format) - https://urlabuse.com/public/data/data_csv.txt
- https://urlabuse.com/public/data/data.json
- https://urlabuse.com/public/data/malware_url.txt
- https://urlabuse.com/public/data/phishing_url.txt
- https://urlabuse.com/public/data/hacked_url.txt
- https://urlabuse.com/public/data/dumps
- https://urlabuse.com/public/files
- https://urlabuse.com/public/screenshot
- https://urlabuse.com/public/misp
# virtualfabric
- https://nocdn.nrd-list.com/0/nrd-list-32-days.txt
- https://nocdn.threat-list.com/0/domains.txt
- https://dl.threat-list.com/1/domains.txt
# threatview.io
- https://threatview.io/Downloads/Experimental-IOC-Tweets.txt
- https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt
- https://threatview.io/Downloads/IP-High-Confidence-Feed.txt
- https://threatview.io/Downloads/DOMAIN-High-Confidence-Feed.txt
- https://threatview.io/Downloads/MD5-HASH-ALL.txt
- https://threatview.io/Downloads/URL-High-Confidence-Feed.txt
- https://threatview.io/Downloads/SHA-HASH-FEED.txt
# VPN
- https://github.com/X4BNet/lists_vpn/tree/main
- https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/NordVPN/nordvpn_ips_list.csv
- https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/ProtonVPN/protonvpn_ip_list.csv
# Tor
- https://www.dan.me.uk/torlist/?full
- https://www.dan.me.uk/torlist/?exit
# Ransomware Live
- https://api.ransomware.live/allcyberattacks
# NamePipes
- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_named_pipe_list.csv
# Notable links
- https://github.com/eset/malware-ioc
- https://www.misp-project.org/feeds/
- https://github.com/MISP/MISP/blob/2.4/app/files/feed-metadata/defaults.json
- https://github.com/executemalware/Malware-IOCs
- https://raw.githubusercontent.com/tsirolnik/spam-domains-list/master/spamdomains.txt
# Multiple feeds grouped by threat
- https://github.com/firehol/blocklist-ipsets
- https://github.com/pan-unit42/iocs
# Spamhaus Don't Route Or Peer Lists (DROP) lists
- https://www.spamhaus.org/drop/drop_v4.json