A quick thread.
Review of the URL's submitted to URLhaus in the past 30 days.
53109 URLs reported, lets look for patterns; which we can use for threat hunting and detection in DNS entries and proxies logs.
#infosec #cybersecurity #threathunting
Review of the URL's submitted to URLhaus in the past 30 days.
53109 URLs reported, lets look for patterns; which we can use for threat hunting and detection in DNS entries and proxies logs.
#infosec #cybersecurity #threathunting
25494 of the URLs end with Mozi.m, relating to the Mozi Botnet - securityintelligence.com/posts/botnet-a…. To detect this, we can look for the regex pattern .*Mozi\.m$
A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
A further 4636 of the URLs end with Mozi.a, related to the above. We can detect this using regex pattern .*Mozi\.a$
Finally, there are 10 URLs which contain Mozi within them in different patterns to above. It is therefore worthwhile searching for any case of Mozi within a URL (This will be greedier than the above, but still worthwhile checking)
Next up, there are 5716 URLs ending /i and 196 URLs ending in /.i To find these, search for the regex pattern .*\/(i|\.i)$
4752 of the URL's are ending with bin.sh. To find these, search for the regex pattern .*\/bin\.sh$
458 of the URL's are ending with .arm followed by a digit. To find these, search for the regex pattern .*\.arm\d+$
458 of the URL's are ending with .arm followed by a digit. To find these, search for the regex pattern .*\.arm\d+$
99 of the URLs are ending with .arm. To find these, search for the regex pattern .*\.arm$
165 of the URL's are ending with .mips. To find these, search for the regex pattern .*\.mips$
145 of the URL's are ending with.mpsl. To find these, search for the regex pattern .*\.mpsl$
165 of the URL's are ending with .mips. To find these, search for the regex pattern .*\.mips$
145 of the URL's are ending with.mpsl. To find these, search for the regex pattern .*\.mpsl$
870 of the URLs contain the pattern wp-
34 of the URLs contain the pattern wordpress
To look for these 904 URLs relating to wordpress, we can use this regex pattern to find URLs matching this in our logs - .*(wp-|wordpress).*.
34 of the URLs contain the pattern wordpress
To look for these 904 URLs relating to wordpress, we can use this regex pattern to find URLs matching this in our logs - .*(wp-|wordpress).*.
For alerting purposes, it is worth looking for the string - (http|https):\/\/.*(wp-|wordpress).*\.(exe|bin|zip|jpg|vbs|bat|rar|ps1|doc|docm|xls|xlsm|pptm|rtf|hta|dll|ws|wsf|sct) As this will show a user visiting a file at a wordpress site.
Using the above methods, we can look for / detect 42379 out of the 53109 URLs reported in the past month (79.796%)
Whilst you are here, check your logs for any communications with these TLDs - spamhaus.org/statistics/tld…
Forgot to mention, I got the URLs from urlhaus.abuse.ch/downloads/csv_…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
