Today, we must be proactive in protecting our assets. The huge mass of information available online requires us to have tools to stay aware. If collecting IOCs is important to detect malicious activities as quickly as possible, searching for our own data is also a big advantage for early detection and protection. The information that is interesting to track includes:
- Domain names
- Public IP addresses
- Windows domains
- Email addresses
- Key person names (all C-level people)
- Company/organization names
- Brands
In short: All PII (Personally Identifiable Information)
A first classic and easy way to hunt for such data is to use Google Alerts. Easy, but not very reliable for searching technical stuff like IP addresses. Pastie websites are often used to exchange information and contain plenty of data. If pastebin.com is the most known, there are plenty of others. I'm monitoring some of them for years via tools like pastemon or pystemon.
Another source of information to add to your OSINT toolbox is the Hunting feature provided by VirusTotal. Combined with the power of YARA rules, you can define very targeted filters to search for uploaded samples. If most of the files submitted to VirusTotal are binaries, it is also possible to find juicy files like lists of passwords (sample). You can upload your sets of YARA rules to match your PII. In the following examples, I

    rule MyDomains
    {
        strings:
            $domain1 = "sans.org" nocase wide ascii
            $domain2 = "sans.edu" nocase wide ascii
            $domain3 = "rootshell.be" nocase wide ascii
            $domain4 = "truesec.be" nocase wide ascii
        condition:
            any of them
    }
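The rule above is hand-written; when the watch list grows (domains, IP addresses, mailboxes, brand names), generating it is less error-prone. The following is an added example, not the author's or VirusTotal's code: it renders a rule in the same shape as MyDomains (one plain `nocase wide ascii` string per asset, `any of them` as condition, no regular expressions) from a constructed inventory of placeholder assets, escaping quotes and backslashes and sanitising identifiers so the output is valid YARA.

```python
import re

# Constructed inventory of assets to watch (placeholder values, not the author's list).
ASSETS = {
    "domain": ["example.org", "example.edu"],
    "ip": ["203.0.113.10"],
    "email": ["ciso@example.org"],
}

def escape_yara_string(value: str) -> str:
    """Escape a value for use inside a double-quoted YARA text string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def yara_identifier(value: str) -> str:
    """Turn an arbitrary label into a valid YARA identifier (alnum/underscore, no leading digit)."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", value)
    return "_" + ident if ident[:1].isdigit() else ident

def build_rule(name: str, assets: dict, description: str = "") -> str:
    """Render one rule: a plain text string per asset, matched case-insensitively in
    both ASCII and UTF-16 (wide) encodings, firing when any of them is present.
    Plain strings are used rather than regular expressions, as in the MyDomains rule."""
    lines = [f"rule {yara_identifier(name)}", "{"]
    if description:
        lines += ["    meta:", f'        description = "{escape_yara_string(description)}"']
    lines.append("    strings:")
    count = 0
    for kind, values in assets.items():
        for i, value in enumerate(values, 1):
            lines.append(f'        ${yara_identifier(kind)}{i} = "{escape_yara_string(value)}" nocase wide ascii')
            count += 1
    if count == 0:
        raise ValueError("a rule needs at least one string")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_rule("MyAssets", ASSETS, "Files mentioning our monitored assets"))
```

Very short or very common values (a two-letter brand, a private IP range) will match far too many uploads, so review each string for specificity before uploading the rule.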
By default, when a YARA rule matches, notifications are sent by email. But it's much more powerful to use the VirusTotal API:

    $ ./vt_hunting.py -api redacted -cleanup -json /var/log/vt_hunting.json -dl --samples_directory /var/tmp/samples
    # of detection,YARA rule,SHA1,Binary type,First seen,Last seen
    44,MyDomains,redacted,2015-12-30 19:33:47,2015-12-30 19:33:47,RAR,redacted
By running this script from a crontab, I'm collecting samples and storing the detection details in a JSON file (that I'm injecting into a Splunk osint index for later reporting). Note that YARA is a powerful tool but some of its features are not allowed by VirusTotal (like some regular expressions) for performance reasons.
Happy hunting and I wish you already a Happy (and safe!) new Year!
Xavier Mertens
ISC Handler - Freelance Security Consultant
PGP Key