TweetFeed

Feeds of IOCs posted on Twitter

Web version at TweetFeed.live

Data collected

Feeds (last updated 2022-04-02 02:34:37 UTC)

Today | Last 7 days | Last 30 days | Last 365 days
📋 Today (raw) | 📋 Week (raw) | 📋 Month (raw) | 📋 Year (raw)

Output example (one CSV row per IOC, columns in this order)

Date (UTC)          | SourceUser    | Type | Value                      | Tags            | Tweet
2021-08-14 02:26:32 | phishunt_io   | url  | https://netflix.us2.cards/ | #phishing #scam | https://twitter.com/phishunt_io/status/1426369619422502917
2021-08-17 12:15:00 | TheDFIRReport | ip   | 185.56.76.94               | #Trickbot       | https://twitter.com/TheDFIRReport/status/1427604874053578756

Some statistics

IOCs

IOC        | Today | Week | Month | Year
🔗 URLs    |    39 | 2734 | 13245 | 80628
🌐 Domains |     2 |  181 |   769 | 16058
🚩 IPs     |    10 | 1127 |  5136 | 47194
🔢 SHA256  |     2 |  269 |  1234 | 34055
🔢 MD5     |     0 |   65 |   268 |  1757

Tags

Tag Today Week Month Year
#phishing 45 3052 14732 106068
#scam 0 368 1629 10545
#malware 5 457 1874 17648
#maldoc 0 17 17 17
#ransomware 0 8 17 485
#banker 0 0 0 42
#AgentTesla 0 6 30 5330
#Alienbot 0 0 0 85
#BazarLoader 0 3 10 308
#CobaltStrike 0 424 1842 17028
#Dridex 0 0 0 5472
#Emotet 0 25 127 1374
#FluBot 0 0 0 24
#Formbook 0 1 35 4816
#GootLoader 0 1 1 331
#GuLoader 0 1 5 346
#Hancitor 0 0 0 156
#IcedID 0 4 26 216
#Lapsus 0 0 4 4
#Lazarus 0 8 13 82
#Lokibot 0 3 12 1463
#log4j 0 0 15 243
#Log4shell 0 0 5 220
#ProxyShell 0 0 0 110
#Qakbot 0 4 24 275
#Raccoon 0 0 0 1516
#RedLine 0 5 7 4066
#Remcos 0 4 11 934
#Spring4Shell 0 17 17 17
#SquirrelWaffle 0 0 0 53
#Trickbot 0 0 2 157
#Ursnif 0 9 50 338

Top reporters (today)

Number User IOCs
#1 ecarlesi 21
#2 AP_Zenmashi 12
#3 KesaGataMe0 10
#4 HeliosCert 4
#5 RdpSnitch 3
#6 dnstwist 2
#7 PhishStats 1
#8 - 0
#9 - 0
#10 - 0

How does it work?

The collector searches Twitter for tweets that contain certain tags, or that are posted by certain trusted infosec people.

Tags being searched

(not case sensitive)
- #phishing
- #scam
- #malware
- #maldoc
- #ransomware
- #banker
- #AgentTesla
- #Alienbot
- #BazarLoader
- #CobaltStrike
- #Dridex
- #Emotet
- #FluBot
- #Formbook
- #GootLoader
- #GuLoader
- #Hancitor
- #IcedID
- #Lapsus
- #Lazarus
- #Lokibot
- #log4j
- #Log4shell
- #ProxyShell
- #Qakbot
- #Raccoon
- #RedLine
- #Remcos
- #Spring4Shell
- #SquirrelWaffle
- #Trickbot
- #Ursnif

Also search Tweets posted by

(these are trusted folks that sometimes don't use tags)

TweetFeed list

IOCs being collected

- URL
- Domain
- IP address
- SHA256 hash
- MD5 hash

Hunting IOCs via Microsoft Defender

1. Search SHA256 hashes with the yearly tweets feed (year.csv)

let MaxAge = ago(30d);
let SHA256_whitelist = pack_array(
'XXX' // Some SHA256 hash you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/year.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'sha256'
    | extend SHA256 = tostring(report[3])
    | where SHA256 !in(SHA256_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project SHA256, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceProcessEvents
        | where Timestamp > MaxAge
    ) on SHA256
), (
    TweetFeed
    | join (
        DeviceFileEvents
        | where Timestamp > MaxAge
    ) on SHA256
), ( 
    TweetFeed
    | join (
        DeviceImageLoadEvents
        | where Timestamp > MaxAge
    ) on SHA256
) | project Timestamp, DeviceName, FileName, FolderPath, SHA256, Tag, Tweet

2. Search IP addresses with the monthly tweets feed (month.csv)

let MaxAge = ago(30d);
let IPaddress_whitelist = pack_array(
'XXX' // Some IP address you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type == 'ip'
    | extend RemoteIP = tostring(report[3])
    | where RemoteIP !in(IPaddress_whitelist)
    | where not(ipv4_is_private(RemoteIP))
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteIP, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteIP
) | project Timestamp, DeviceName, RemoteIP, Tag, Tweet

3. Search URLs and domains with the weekly tweets feed (week.csv)

let MaxAge = ago(30d);
let domain_whitelist = pack_array(
'XXX' // Some URL/Domain you want to whitelist.
);
let TweetFeed = materialize (
    (externaldata(report:string)
    [@"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/week.csv"]
    with (format = "txt"))
    | extend report = parse_csv(report)
    | extend Type = tostring(report[2])
    | where Type in('url','domain')
    | extend RemoteUrl = tostring(report[3])
    | where RemoteUrl !in(domain_whitelist)
    | extend Tag = tostring(report[4])
    | extend Tweet = tostring(report[5])
    | project RemoteUrl, Tag, Tweet
);
union (
    TweetFeed
    | join (
        DeviceNetworkEvents
        | where Timestamp > MaxAge
    ) on RemoteUrl
) | project Timestamp, DeviceName, RemoteUrl, Tag, Tweet
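The three queries above share one shape: read the feed CSV, keep one IOC type, drop whitelisted values (and private IPs), then join on exact string equality with a Defender column. The Python below is an added example, not code from the TweetFeed project, that reproduces that pipeline locally so it can be run against exported telemetry where Defender's advanced hunting is not available. It assumes the documented column order (Date, SourceUser, Type, Value, Tags, Tweet); the feed rows after the two README examples, the endpoint events, the hostnames and the placeholder SHA256 are all constructed. It goes one step beyond the KQL: because the KQL join is an exact match, a URL indicator such as https://netflix.us2.cards/ only matches an event whose RemoteUrl is that exact string, so the example additionally indexes the URL's hostname and matches domain-only events against it.

```python
"""Local equivalent of the three Defender hunting queries above.

Added example, not part of the TweetFeed project: parses feed rows in the
documented CSV column order and matches them against endpoint events the way
the KQL does (whitelist, private-IP filter, join on SHA256 / RemoteIP /
RemoteUrl). All feed rows and events below are constructed for illustration.
"""
import csv
import ipaddress
from io import StringIO
from urllib.parse import urlsplit

FIELDS = ("date", "user", "type", "value", "tags", "tweet")  # CSV column order

# Constructed placeholder hash (not a real sample).
FAKE_SHA256 = "ab" * 32

# Constructed feed lines; the first two mirror the README's output example.
FEED_CSV = f"""\
2021-08-14 02:26:32,phishunt_io,url,https://netflix.us2.cards/,#phishing #scam,https://twitter.com/phishunt_io/status/1426369619422502917
2021-08-17 12:15:00,TheDFIRReport,ip,185.56.76.94,#Trickbot,https://twitter.com/TheDFIRReport/status/1427604874053578756
2021-08-17 12:20:00,example_user,ip,10.0.0.5,#malware,https://twitter.com/example_user/status/0
2021-08-18 09:00:00,example_user,sha256,{FAKE_SHA256},#CobaltStrike,https://twitter.com/example_user/status/1
2021-08-18 09:05:00,example_user,domain,bad.example.test,#phishing,https://twitter.com/example_user/status/2
"""

# Constructed endpoint events using Defender's column names; "table" is only a label.
EVENTS = [
    {"table": "DeviceProcessEvents", "DeviceName": "wks-01", "SHA256": FAKE_SHA256.upper()},
    {"table": "DeviceNetworkEvents", "DeviceName": "wks-02", "RemoteIP": "185.56.76.94"},
    {"table": "DeviceNetworkEvents", "DeviceName": "wks-03", "RemoteUrl": "netflix.us2.cards"},
    {"table": "DeviceNetworkEvents", "DeviceName": "wks-04", "RemoteIP": "10.0.0.5"},
    {"table": "DeviceNetworkEvents", "DeviceName": "wks-05", "RemoteUrl": "bad.example.test"},
]


def parse_feed(text):
    """Parse feed lines into dicts; skip rows that do not have all six columns."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        row = dict(zip(FIELDS, (c.strip() for c in rec)))
        row["type"] = row["type"].lower()  # the KQL compares 'sha256', 'ip', ...
        rows.append(row)
    return rows


def indicator_keys(row):
    """Lookup keys an event value may equal for this indicator.

    The KQL joins on exact string equality. For URL indicators this also
    indexes the URL's hostname, so a domain-only RemoteUrl event still
    matches a feed URL. Hashes, domains and URLs are lowercased.
    """
    kind, value = row["type"], row["value"]
    if kind == "ip":
        return {value}
    if kind in ("sha256", "md5", "domain"):
        return {value.lower()}
    if kind == "url":
        keys = {value.lower(), value.lower().rstrip("/")}
        host = urlsplit(value).hostname
        if host:
            keys.add(host.lower())
        return keys
    return set()


def build_index(rows, whitelist=frozenset(), skip_private_ips=True):
    """Map lookup key -> feed rows, applying the same filters as the queries."""
    index = {}
    for row in rows:
        if row["value"] in whitelist:  # SHA256_/IPaddress_/domain_whitelist
            continue
        if row["type"] == "ip" and skip_private_ips:  # not(ipv4_is_private(RemoteIP))
            try:
                if ipaddress.ip_address(row["value"]).is_private:
                    continue
            except ValueError:
                continue  # unparsable IP: drop it rather than index garbage
        for key in indicator_keys(row):
            index.setdefault(key, []).append(row)
    return index


def match_events(events, index):
    """Join events to the index on SHA256 / RemoteIP / RemoteUrl; return hits."""
    hits = []
    for ev in events:
        for field in ("SHA256", "RemoteIP", "RemoteUrl"):
            value = ev.get(field)
            if not value:
                continue
            key = value if field == "RemoteIP" else value.lower()
            for row in index.get(key, []):
                hits.append({"DeviceName": ev["DeviceName"], "Field": field,
                             "Value": value, "Tags": row["tags"], "Tweet": row["tweet"]})
    return hits


def hunt(feed_text=FEED_CSV, events=EVENTS, whitelist=frozenset()):
    """Run the whole pipeline: parse, filter, index, match."""
    return match_events(events, build_index(parse_feed(feed_text), whitelist))


if __name__ == "__main__":
    for hit in hunt(whitelist={"bad.example.test"}):
        print(hit)
```

With the constructed data, the private 10.0.0.5 indicator never reaches the index, the whitelisted domain is dropped before matching, and the domain-only event for netflix.us2.cards is matched through the URL indicator's hostname, which the exact-match KQL join would miss. To use it on real data, replace FEED_CSV with the downloaded feed text and EVENTS with exported rows carrying the same column names.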

Author

Disclaimer

Please note that all the data is collected from Twitter and sorted/served here as is, on a best-effort basis.

I have tried to tune the searches as much as possible to collect only valuable info. However, please consider making your own analysis before taking any action related to these IOCs.

Anyway, feel free to reach out to me regarding any false positive or to provide any kind of feedback.


By the Community for the Community

Contributors

0xdaniellopez
