-
Notifications
You must be signed in to change notification settings - Fork 176
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Loading status checks…
Merge branch 'goodlandsecurity-living-off-trusted-sites'
Showing
3 changed files
with
223 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,190 @@ | ||
{ | ||
"description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection", | ||
"list": [ | ||
".000webhostapp.com", | ||
".amazonaws.com", | ||
".appspot.com", | ||
".atlassian.net", | ||
".axshare.com", | ||
".azureedge.net", | ||
".azurefd.net", | ||
".azurestaticapps.net", | ||
".azurewebsites.net", | ||
".backblazeb2.com", | ||
".blob.core.windows.net", | ||
".blogspot.com", | ||
".box.com", | ||
".canva.com", | ||
".clickfunnels.com", | ||
".cloudapp.azure.com", | ||
".cloudapp.net", | ||
".cloudfront.net", | ||
".cloudwaysapps.com", | ||
".codesandbox.io", | ||
".csb.app", | ||
".digitaloceanspaces.com", | ||
".docusign.com", | ||
".doubleclick.net", | ||
".dropmark.com", | ||
".duckdns.org", | ||
".easywp.com", | ||
".firebaseapp.com", | ||
".fleek.co", | ||
".format.com", | ||
".fyi.to", | ||
".github.io", | ||
".glitch.me", | ||
".godaddysites.com", | ||
".gofile.io", | ||
".googleusercontent.com", | ||
".herokuapp.com", | ||
".hostingerapp.com", | ||
".instagram.com", | ||
".linodeobjects.com", | ||
".mybluehost.me", | ||
".mybluemix.net", | ||
".myportfolio.com", | ||
".mystrikingly.com", | ||
".netlify.app", | ||
".ngrok.io", | ||
".nimbusweb.me", | ||
".notion.site", | ||
".on.aws", | ||
".ondigitalocean.app", | ||
".oraclecloud.com", | ||
".pagecloud.com", | ||
".pages.dev", | ||
".plesk.page", | ||
".repl.co", | ||
".requestbin.net", | ||
".rf.gd", | ||
".sendspace.com", | ||
".sharepoint.com", | ||
".slab.com", | ||
".surveycake.com", | ||
".translate.goog", | ||
".trycloudflare.com", | ||
".tumblr.com", | ||
".twitter.com", | ||
".typeform.com", | ||
".uplooder.net", | ||
".wasabisys.com", | ||
".web.app", | ||
".web.core.windows.net", | ||
".webflow.io", | ||
".weebly.com", | ||
".wixsite.com", | ||
".wordpress.com", | ||
".workers.dev", | ||
".xiti.com", | ||
".zendesk.com", | ||
"12ft.io", | ||
"1drv.com", | ||
"1drv.ms", | ||
"4sync.com", | ||
"anonfiles.com", | ||
"api.telegram.org", | ||
"app.milanote.com", | ||
"appdomain.cloud", | ||
"archive.org", | ||
"archive.ph", | ||
"attachment.outlook.live.net", | ||
"attachments.office.net", | ||
"beautiful.ai", | ||
"bit.ly", | ||
"bitbucket.io", | ||
"bitbucket.org", | ||
"cdn.discordapp.com", | ||
"cdn.fbsbx.com", | ||
"clbin.com", | ||
"codepen.io", | ||
"ct.sendgrid.net", | ||
"cutt.ly", | ||
"discord.com", | ||
"doc.clickup.com", | ||
"docs.google.com", | ||
"docsend.com", | ||
"dogechain.info", | ||
"drive.google.com", | ||
"dropbox.com", | ||
"evernote.com", | ||
"express.adobe.com", | ||
"facebook.com", | ||
"feedproxy.google.com", | ||
"filebin.net", | ||
"filecloudonline.com", | ||
"filetransfer.io", | ||
"firebasestorage.googleapis.com", | ||
"forms.office.com", | ||
"genius.com", | ||
"gitee.com", | ||
"github.com", | ||
"gitlab.com", | ||
"googleweblight.com", | ||
"graph.microsoft.com", | ||
"i.imgur.com", | ||
"icloud.com", | ||
"ideone.com", | ||
"inmotionhosting.com", | ||
"ix.io", | ||
"lnkd.in", | ||
"localhost.run", | ||
"mediafire.com", | ||
"mega.nz", | ||
"my.visme.co", | ||
"nethunt.com", | ||
"notion.so", | ||
"nt.embluemail.com", | ||
"onedrive.live.com", | ||
"onenoteonlinesync.onenote.com", | ||
"parg.co", | ||
"paste.ee", | ||
"pastebin.com", | ||
"pastebin.pl", | ||
"pastetext.net", | ||
"pastie.org", | ||
"pcloud.com", | ||
"raw.githubusercontent.com", | ||
"rb.gy", | ||
"rebrand.ly", | ||
"reddit.com", | ||
"rentry.co", | ||
"s.id", | ||
"siasky.net", | ||
"sites.google.com", | ||
"slack-files.com", | ||
"slack.com", | ||
"spark.adobe.com", | ||
"sprunge.us", | ||
"stonly.com", | ||
"storage.googleapis.com", | ||
"sway.office.com", | ||
"t.co", | ||
"t.m1.email.samsung.com", | ||
"telegra.ph", | ||
"teletype.in", | ||
"termbin.com", | ||
"textbin.net", | ||
"tinyurl.com", | ||
"track.adform.net", | ||
"transfer.sh", | ||
"trello.com", | ||
"ufile.io", | ||
"viewer.joomag.com", | ||
"wetransfer.com", | ||
"workflowy.com", | ||
"wtools.io", | ||
"youtube.com", | ||
"zerobin.net" | ||
], | ||
"matching_attributes": [ | ||
"domain", | ||
"domain|ip", | ||
"hostname", | ||
"hostname|port", | ||
"url" | ||
], | ||
"name": "List of LOTS (Living Off Trusted Sites) Project Domains", | ||
"type": "hostname", | ||
"version": 20241104 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
#!/usr/bin/env python3 | ||
# -*- coding: utf-8 -*- | ||
|
||
from bs4 import BeautifulSoup | ||
from generator import download, get_version, write_to_file | ||
|
||
|
||
if __name__ == '__main__': | ||
req = download("https://lots-project.com") | ||
soup = BeautifulSoup(req.text, 'html.parser') | ||
links = soup.find_all('a', class_='link', href=True, target=None) | ||
|
||
lots_list = [] | ||
|
||
for link in links: | ||
if link.contents[0].startswith('*'): | ||
lots_list.append(link.contents[0].lstrip('*')) | ||
elif link.contents[0].startswith('www'): | ||
lots_list.append(link.contents[0].lstrip('www')) | ||
else: | ||
lots_list.append(link.contents[0]) | ||
|
||
warninglist = { | ||
'name': 'List of LOTS (Living Off Trusted Sites) Project Domains', | ||
'version': get_version(), | ||
'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection', | ||
'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'], | ||
'type': 'hostname', | ||
'list': lots_list | ||
} | ||
|
||
write_to_file(warninglist, "lots-project") |