Merge branch 'goodlandsecurity-living-off-trusted-sites'
adulau committed Nov 4, 2024

Unverified

This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
2 parents 018f958 + 08cebfa commit f23c0fb
Showing 3 changed files with 223 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -45,6 +45,7 @@ are reused in many other open source projects.
- [googlebot/list.json](./lists/googlebot/list.json) - **List of known Googlebot IP ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)** - _Google Bot IP address ranges (https://developers.google.com/search/apis/ipranges/googlebot.json)_
- [ipv6-linklocal/list.json](./lists/ipv6-linklocal/list.json) - **List of IPv6 link local blocks** - _Event contains one or more entries part of the IPv6 link local prefix (RFC 4291)_
- [link-in-bio/list.json](./lists/link-in-bio/list.json) - **List of known Link in Bio domains** - _Event contains one or more entries of known Link in Bio domains_
- [lots-project/list.json](./lists/lots-project/list.json) - **List of LOTS (Living Off Trusted Sites) Project Domains** - _Event contains one or more entries of known LOTS Project domains._
- [majestic_million/list.json](./lists/majestic_million/list.json) - **Top 10000 websites from Majestic Million** - _Event contains one or more entries from the top 10K of the most used websites (Majestic Million)._
- [microsoft-attack-simulator/list.json](./lists/microsoft-attack-simulator/list.json) - **List of known Office 365 Attack Simulator used for phishing awareness campaigns** - _Office 365 URLs and IP address ranges used for their attack simulator in Office 365 Threat Intelligence_
- [microsoft-azure-appid/list.json](./lists/microsoft-azure-appid/list.json) - **List of Azure Applicaiton IDs** - _List of Azure Application IDs (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in)_
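--- a/lists/lots-project/list.json
+++ b/lists/lots-project/list.json
@@ -0,0 +1,190 @@
+{
+"description": "List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection",
+"list": [
+".000webhostapp.com",
+".amazonaws.com",
+".appspot.com",
+".atlassian.net",
+".axshare.com",
+".azureedge.net",
+".azurefd.net",
+".azurestaticapps.net",
+".azurewebsites.net",
+".backblazeb2.com",
+".blob.core.windows.net",
+".blogspot.com",
+".box.com",
+".canva.com",
+".clickfunnels.com",
+".cloudapp.azure.com",
+".cloudapp.net",
+".cloudfront.net",
+".cloudwaysapps.com",
+".codesandbox.io",
+".csb.app",
+".digitaloceanspaces.com",
+".docusign.com",
+".doubleclick.net",
+".dropmark.com",
+".duckdns.org",
+".easywp.com",
+".firebaseapp.com",
+".fleek.co",
+".format.com",
+".fyi.to",
+".github.io",
+".glitch.me",
+".godaddysites.com",
+".gofile.io",
+".googleusercontent.com",
+".herokuapp.com",
+".hostingerapp.com",
+".instagram.com",
+".linodeobjects.com",
+".mybluehost.me",
+".mybluemix.net",
+".myportfolio.com",
+".mystrikingly.com",
+".netlify.app",
+".ngrok.io",
+".nimbusweb.me",
+".notion.site",
+".on.aws",
+".ondigitalocean.app",
+".oraclecloud.com",
+".pagecloud.com",
+".pages.dev",
+".plesk.page",
+".repl.co",
+".requestbin.net",
+".rf.gd",
+".sendspace.com",
+".sharepoint.com",
+".slab.com",
+".surveycake.com",
+".translate.goog",
+".trycloudflare.com",
+".tumblr.com",
+".twitter.com",
+".typeform.com",
+".uplooder.net",
+".wasabisys.com",
+".web.app",
+".web.core.windows.net",
+".webflow.io",
+".weebly.com",
+".wixsite.com",
+".wordpress.com",
+".workers.dev",
+".xiti.com",
+".zendesk.com",
+"12ft.io",
+"1drv.com",
+"1drv.ms",
+"4sync.com",
+"anonfiles.com",
+"api.telegram.org",
+"app.milanote.com",
+"appdomain.cloud",
+"archive.org",
+"archive.ph",
+"attachment.outlook.live.net",
+"attachments.office.net",
+"beautiful.ai",
+"bit.ly",
+"bitbucket.io",
+"bitbucket.org",
+"cdn.discordapp.com",
+"cdn.fbsbx.com",
+"clbin.com",
+"codepen.io",
+"ct.sendgrid.net",
+"cutt.ly",
+"discord.com",
+"doc.clickup.com",
+"docs.google.com",
+"docsend.com",
+"dogechain.info",
+"drive.google.com",
+"dropbox.com",
+"evernote.com",
+"express.adobe.com",
+"facebook.com",
+"feedproxy.google.com",
+"filebin.net",
+"filecloudonline.com",
+"filetransfer.io",
+"firebasestorage.googleapis.com",
+"forms.office.com",
+"genius.com",
+"gitee.com",
+"github.com",
+"gitlab.com",
+"googleweblight.com",
+"graph.microsoft.com",
+"i.imgur.com",
+"icloud.com",
+"ideone.com",
+"inmotionhosting.com",
+"ix.io",
+"lnkd.in",
+"localhost.run",
+"mediafire.com",
+"mega.nz",
+"my.visme.co",
+"nethunt.com",
+"notion.so",
+"nt.embluemail.com",
+"onedrive.live.com",
+"onenoteonlinesync.onenote.com",
+"parg.co",
+"paste.ee",
+"pastebin.com",
+"pastebin.pl",
+"pastetext.net",
+"pastie.org",
+"pcloud.com",
+"raw.githubusercontent.com",
+"rb.gy",
+"rebrand.ly",
+"reddit.com",
+"rentry.co",
+"s.id",
+"siasky.net",
+"sites.google.com",
+"slack-files.com",
+"slack.com",
+"spark.adobe.com",
+"sprunge.us",
+"stonly.com",
+"storage.googleapis.com",
+"sway.office.com",
+"t.co",
+"t.m1.email.samsung.com",
+"telegra.ph",
+"teletype.in",
+"termbin.com",
+"textbin.net",
+"tinyurl.com",
+"track.adform.net",
+"transfer.sh",
+"trello.com",
+"ufile.io",
+"viewer.joomag.com",
+"wetransfer.com",
+"workflowy.com",
+"wtools.io",
+"youtube.com",
+"zerobin.net"
+],
+"matching_attributes": [
+"domain",
+"domain|ip",
+"hostname",
+"hostname|port",
+"url"
+],
+"name": "List of LOTS (Living Off Trusted Sites) Project Domains",
+"type": "hostname",
+"version": 20241104
+}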
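--- a/tools/generate-lots-project.py
+++ b/tools/generate-lots-project.py
@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from bs4 import BeautifulSoup
+from generator import download, get_version, write_to_file
+
+
+if __name__ == '__main__':
+req = download("https://lots-project.com")
+soup = BeautifulSoup(req.text, 'html.parser')
+links = soup.find_all('a', class_='link', href=True, target=None)
+
+lots_list = []
+
+for link in links:
+if link.contents[0].startswith('*'):
+lots_list.append(link.contents[0].lstrip('*'))
+elif link.contents[0].startswith('www'):
+lots_list.append(link.contents[0].lstrip('www'))
+else:
+lots_list.append(link.contents[0])
+
+warninglist = {
+'name': 'List of LOTS (Living Off Trusted Sites) Project Domains',
+'version': get_version(),
+'description': 'List of popular legitimate domains from LOTS (Living Off Trusted Sites) Project used to conduct phishing, C&C, exfiltration or downloading tools to evade detection',
+'matching_attributes': ['domain', 'domain|ip', 'hostname', 'hostname|port', 'url'],
+'type': 'hostname',
+'list': lots_list
+}
+
+write_to_file(warninglist, "lots-project")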
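Review bot: The `www` branch calls `link.contents[0].lstrip('www')`, and `str.lstrip` removes any leading run of the listed characters rather than a literal prefix, so a name that begins with more than three `w` characters is silently shortened to a different hostname; `str.removeprefix` (Python 3.9+) does what is intended here. The loop also assumes `link.contents[0]` exists and is a string, which raises if an anchor is empty or starts with a child tag. Because the text comes from a third-party page and is written to the warninglist as-is, I would keep only hostname-shaped entries so that a markup change or a tampered page cannot put arbitrary strings into `lists/lots-project/list.json`. The fence uses conventional indentation, since the page shows the file flattened.

```python
    # … unchanged: download() and soup.find_all() …
    lots_list = []

    for link in links:
        # get_text() also copes with anchors that are empty or start with a child tag
        entry = link.get_text(strip=True)
        if entry.startswith('*'):
            entry = entry.removeprefix('*')
        elif entry.startswith('www'):
            entry = entry.removeprefix('www')
        # scraped text is untrusted: keep only hostname-shaped entries
        if entry and set(entry.lower()) <= set('abcdefghijklmnopqrstuvwxyz0123456789.-'):
            lots_list.append(entry)

    # … unchanged: warninglist dict and write_to_file() …
```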
