
TweetFeed collects Indicators of Compromise (IOCs) shared by the infosec community at Twitter. Here you will find malicious URLs, domains, IPs, and SHA256/MD5 hashes.

TweetFeed

Feeds of IOCs posted by the community at Twitter

TweetFeed.live | Source code | Feedback

Want to integrate with OpenCTI? Now you can!


โค๏ธ Support the project

If you like the project, please consider:

  • Giving it a star ⭐
  • Inviting me to a coffee ☕

📄 Data collected

Feeds

Last update: 2023-07-09 18:36:23 (UTC)

Each feed is available as a rendered view and as a raw file:

  • 📋 Today (raw)
  • 📋 Last 7 days / Week (raw)
  • 📋 Last 30 days / Month (raw)
  • 📋 Last 365 days / Year (raw)

Output example

| Date (UTC) | Source User | Type | Value | Tags | Tweet |
|---|---|---|---|---|---|
| 2021-08-14 02:26:32 | phishunt_io | url | https://netflix.us2.cards/ | #phishing #scam | https://twitter.com/phishunt_io/status/1426369619422502917 |
| 2021-08-17 12:15:00 | TheDFIRReport | ip | 185.56.76.94 | #Trickbot | https://twitter.com/TheDFIRReport/status/1427604874053578756 |

📊 Some statistics

Types

| Type | Today | Week | Month | Year |
|---|---|---|---|---|
| 🔗 URLs | 117 | 1298 | 6012 | 150417 |
| 🌐 Domains | 2 | 62 | 812 | 31067 |
| 🚩 IPs | 72 | 852 | 3867 | 46983 |
| 🔢 SHA256 | 0 | 46 | 291 | 4405 |
| 🔢 MD5 | 3 | 98 | 335 | 10396 |

Tags

| Tag | Today | Week | Month | Year |
|---|---|---|---|---|
| #phishing | 96 | 1234 | 6060 | 158038 |
| #scam | 9 | 157 | 1392 | 44453 |
| #malware | 10 | 82 | 548 | 41981 |
| #maldoc | 0 | 0 | 10 | 200 |
| #ransomware | 0 | 6 | 34 | 1555 |
| #banker | 0 | 0 | 2 | 66 |
| #AgentTesla | 0 | 4 | 12 | 360 |
| #Alienbot | 0 | 0 | 0 | 10 |
| #AsyncRAT | 0 | 5 | 18 | 86 |
| #Batloader | 0 | 0 | 0 | 7 |
| #BazarLoader | 0 | 0 | 0 | 7 |
| #CobaltStrike | 67 | 657 | 2810 | 21298 |
| #Dcrat | 1 | 6 | 80 | 134 |
| #Emotet | 0 | 0 | 4 | 299 |
| #Follina | 0 | 0 | 0 | 49 |
| #Formbook | 0 | 0 | 7 | 276 |
| #GootLoader | 0 | 3 | 14 | 179 |
| #GuLoader | 0 | 1 | 1 | 109 |
| #IcedID | 0 | 7 | 51 | 519 |
| #Lazarus | 0 | 2 | 15 | 181 |
| #Lokibot | 0 | 0 | 0 | 246 |
| #log4j | 0 | 0 | 0 | 27 |
| #Log4shell | 0 | 0 | 0 | 9 |
| #Njrat | 0 | 6 | 78 | 322 |
| #Qakbot | 5 | 84 | 413 | 1227 |
| #Raccoon | 0 | 0 | 1 | 186 |
| #RedLine | 0 | 9 | 37 | 571 |
| #Remcos | 2 | 19 | 31 | 372 |
| #RaspberryRobin | 0 | 0 | 1 | 23 |
| #Spring4Shell | 0 | 0 | 0 | 2 |
| #SocGholish | 0 | 0 | 0 | 7 |
| #Ursnif | 0 | 5 | 15 | 318 |

Top Reporters (today)

| Number | User | IOCs |
|---|---|---|
| #1 | drb_ra | 84 |
| #2 | noladefense | 58 |
| #3 | kubotaa3 | 14 |
| #4 | UK_Daniel_Card | 6 |
| #5 | CarlyGriggs13 | 6 |
| #6 | harugasumi | 6 |
| #7 | satontonton | 4 |
| #8 | ReBensk | 4 |
| #9 | dubstard | 3 |
| #10 | 0xperator | 2 |

โ“ How it works?

Search tweets that contain certain tags or that are posted by certain infosec people.

Tags being searched

(not case sensitive)
- #phishing
- #scam
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #AsyncRAT
- #BazarLoader
- #Batloader
- #CobaltStrike
- #Dcrat
- #Emotet
- #Follina
- #Formbook
- #GootLoader
- #GuLoader
- #IcedID
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #Njrat
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #RaspberryRobin
- #Spring4Shell
- #SocGholish
- #Ursnif

Also searched: tweets posted by

(these are trusted folks who sometimes don't use tags)

TweetFeed list

๐Ÿ” Hunting IOCs via Microsoft Defender

1. Search SHA256 hashes with yearly tweets feed

```kql
let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
    'XXX' // Some SHA256 hash you want to whitelist.
);
// Load the yearly feed and keep only the SHA256 rows.
// CSV columns: [0] date, [1] user, [2] type, [3] value, [4] tags, [5] tweet.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    // Defender stores hashes in lowercase hex; normalise so mixed-case tweets still match.
    | extend SHA256 = tolower(tostring(report[3]))
    | where SHA256 !in (SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
// Join the feed against process, file and image-load telemetry from the last 30 days.
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet
```

2. Search IP addresses with monthly tweets feed

```kql
let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
    'XXX' // Some IP address you want to whitelist.
);
// Load the monthly feed and keep only the IP rows; private (RFC 1918) addresses
// are dropped because they would only match internal traffic and produce noise.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in (IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
// Join the feed against network telemetry from the last 30 days.
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet
```

3. Search urls and domains with weekly tweets feed

```kql
let MaxAge = ago(30d);
let domain_whitelist = pack_array(
    'XXX' // Some URL/Domain you want to whitelist.
);
// Load the weekly feed and keep both URL and domain rows.
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in ('url', 'domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in (domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
// The join is an exact match: a 'domain' entry only hits when RemoteUrl is the bare
// host name, and a 'url' entry only when the full URL is identical.
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
```

👤 Author

📌 Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as is, on a best-effort basis.

I have tried to tune the searches as much as possible to collect only valuable info. However, please consider making your own analysis before taking any action related to these IOCs.

Anyway, feel free to reach out to me or to provide any kind of feedback, contribution or suggestion.


By the community, for the community.