Researchers around the world are constantly reverse engineering malware to build blueprints of the bad guys handwork and lucky for us these kind researchers share their findings for free in threat intelligence feeds. This guide will show you how to draw down this data and use it to defend your network against malware attacks.
Threat intelligence can help your organisation clean up malicious activity earlier in the kill chain by identifying network activity bound for known command and control servers or dynamically block the latest phishing domains on your email gateway. In this article we will cover pulling down data from these feeds:
A SIEM (security information and event management software) is able to digest information from text files and add to alerts on the fly without human interaction which allows us to preemptively alarm on new known threats. If you do not have a SIEM check out this list of open source SIEM platforms you can use.
The PowerShell scripts below will pull threat intelligence information from the listed providers for free. Its worth noting that there are lots of different threat intelligence feeds out there but these should be enough to whet your appetite.
This script grabs the current Talos IP list and writes it to a text file named Talos.txt
This file will live in the same directory that the powershell script is executed from. To change the output location just change the $output variable.
Example:
$output = “$PSScriptRootTalos.txt”
could be changed to:
$output = “c:\feeds\talos.txt”
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://talosintelligence.com/documents/ip-blacklist"
$output = "$PSScriptRootTalos.txt"
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output
Very similar to the method above expect this grabs a list of known TOR exit nodes.
You can change the output location using the same method as above.
$url = “https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1”
$output = “$PSScriptRootTorExitNode.txt”
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output
The good people over at SANS helpfully maintain a list of Shodan scanner IPs. I feed this list directly into our firewall to keep our infrastructure out of the Shodan database. Obviously this is of little yield because red teams can just run their own scan but staying out of Shodan seems worthwhile for the small amount of effort required. Mike Hiltz has an interesting post on Shodan scanners here.
This script is slightly different to the two above because the Shodan list is formatted in XML. Luckily for us Powershell can handle XML files very well!
$u[Net.ServicePointManager]::SecurityProtocol =
[Net.SecurityProtocolType]::Tls12
[xml]$XmlDocument = Invoke-WebRequest -Uri
“https://isc.sans.edu/api/threatlist/shodan”
$XmlDocument.threatlist.shodan.ipv4 | Out-File “
$PSScriptRootShodanIP.txt”
This list is created by the good people at Abuse.ch and best of all it is free! Blocking these addresses may help protect you from Ransomware, or at least be alerted to its presence on your network. These guys provide lists for all things malicious but this script focuses on the Ransomware list.
[Net.ServicePointManager]::SecurityProtocol =
[Net.SecurityProtocolType]::Tls12
$url = “https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt”
$output = “$PSScriptRootAbuseCHRansom.txt”
Invoke-WebRequest -Uri $url -OutFile $output
$content = Get-Content $output
$content -notmatch ‘#.*#’ | Set-Content $output
Again this script is a little different to the others, the Abuse.ch list has a header containing titles. Our SIEM wont take this information so some regex magic in the last line in the script cleans this up for us:
“$content -notmatch ‘#.*#’ | Set-Content $output”
I hope this information is useful for you but please note everything here is served as is and comes with no guarantee or warranty. Blocking or acting against any of the information provided above is done so at your own risk!