Jieyab89
2026-05-08 01:25:53 +07:00
parent 2b5a0fdc1d
commit d03f9395c1
13 changed files with 4 additions and 2601 deletions
@@ -1,229 +0,0 @@
---
name: osint-darkweb-intel
description: >
Comprehensive guide for Dark Web OSINT Intelligence — monitoring threat actor activity,
ransomware group tracking, leak site enumeration, IOC collection from dark web sources,
breach data discovery, paste site monitoring, CTI (Cyber Threat Intelligence) from
underground forums, cryptocurrency transaction tracing, and dark web search techniques.
All methods are PASSIVE and use publicly accessible intelligence feeds, clearnet proxies,
and monitoring services — no illegal access required. Use this skill WHENEVER the user
asks about dark web monitoring, threat intel, ransomware tracking, underground forum
intelligence, dark web OSINT, CTI from dark sources, leak site monitoring, stealer
log analysis, threat actor profiling, or any investigation involving dark web content.
---
# OSINT Dark Web Intelligence Skill
> **Credits**: Tool references and methodology sourced from the
> [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by
> **[Jieyab89](https://github.com/Jieyab89)** — a comprehensive, community-driven
> OSINT resource covering tools, datasets, techniques, and tips for security
> researchers, journalists, investigators, and CTF players. All credit for the
> tool collection goes to him. Please use responsibly and wisely.
This skill covers **passive** dark web intelligence gathering — all techniques
access dark web content through clearnet proxies, monitoring services, aggregators,
and indexed feeds. **No Tor browser required for most techniques.**
> ⚠️ **Ethics & Legal Notice**
> - Use ONLY for legitimate purposes: threat intelligence, authorized research,
> investigative journalism, incident response, CTF, and law enforcement support
> - Do NOT join, register, purchase, or interact with criminal forums/markets
> - Do NOT facilitate, assist, or enable any illegal activity
> - Comply with local law: Indonesia UU ITE, US CFAA 18 U.S.C. § 1030, EU GDPR
> - Use a sandbox VM + VPN for any active browsing; never from your real identity
> - Following Jieyab89's tip: use fake accounts, sandbox machines, enable AV/firewall
---
## INTELLIGENCE MODULES — Read Reference Files as Needed
| Module | Reference File | When to Use |
|--------|---------------|-------------|
| Dark Web Search & Indexing | `references/darkweb-search.md` | Search dark web content from clearnet |
| Ransomware Group Tracking | `references/ransomware-tracking.md` | Monitor ransomware gangs, victim lists |
| Breach & Leak Intelligence | `references/breach-leak-intel.md` | Breach forums, stealer logs, dump sites |
| Threat Actor Profiling | `references/threat-actor-profiling.md` | APT groups, TTPs, attribution |
| Cryptocurrency Tracing | `references/crypto-tracing.md` | Trace crypto payments, wallet clustering |
| Malware & IOC Intelligence | `references/malware-ioc-intel.md` | Malware samples, C2, IOC feeds |
| CTI Feeds & Platforms | `references/cti-feeds-platforms.md` | Threat intel feeds, MISP, OTX, etc. |
| Paste & Leak Monitoring | `references/paste-leak-monitoring.md` | Monitor paste sites and public leaks |
| OPSEC for Dark Web OSINT | `references/opsec-darkweb.md` | Safe investigation procedures |
---
## INVESTIGATION WORKFLOW
### Phase 1 — Define Intelligence Requirement
Before starting, clarify:
1. **Target**: Threat actor? Ransomware group? Specific breach? Organization exposure?
2. **Type**: Passive monitoring? Historical research? Incident response?
3. **Timeframe**: Recent (last 30 days)? Historical? Ongoing?
4. **Output**: IOC list? Threat report? Executive summary? Timeline?
### Phase 2 — Clearnet First (Safe, No Tor Needed)
```
Start with public intelligence aggregators:
1. Search dark web indexes (Ahmia, DarkSearch via clearnet)
2. Check ransomware tracking dashboards
3. Query breach/leak intelligence platforms
4. Pull IOC feeds from threat intel services
5. Check paste site aggregators
6. Query cryptocurrency explorer (if financial traces needed)
7. Cross-reference APT group databases
```
### Phase 3 — Specialized Intelligence Platforms
```
8. Stealthmole / Flare / Recorded Future (commercial dark web monitoring)
9. Hudson Rock (stealer log intelligence)
10. IntelX (dark web indexed content)
11. DeepDark CTI feeds
12. Ransomware.live / ransomwatch (gang tracking)
```
### Phase 4 — Structured Report
```
INTELLIGENCE REPORT
===================
Date : [date]
Target / Actor : [name / group]
Confidence : [Low / Medium / High]
[EXECUTIVE SUMMARY]
[ACTOR PROFILE]
- Known aliases
- Affiliated groups
- TTPs (MITRE ATT&CK)
- Active since
[TECHNICAL INDICATORS]
- IOCs (IPs, domains, hashes, URLs)
- Malware families
- Infrastructure
[DARK WEB PRESENCE]
- Forums mentioned
- Leak sites
- Victim claims
[CRYPTOCURRENCY]
- Wallet addresses
- Transaction patterns
[TIMELINE OF ACTIVITY]
[SOURCES]
[RECOMMENDED ACTIONS]
```
---
## QUICK REFERENCE — Clearnet Dark Web Intelligence
### Dark Web Search (No Tor Required)
```
https://ahmia.fi → Tor hidden service search engine
https://darksearch.io → Dark web search engine (clearnet)
https://www.osintframework.com → OSINT framework with dark web section
https://osint.rocks → Multi-source OSINT including dark sources
```
### Ransomware Tracking
```
https://www.ransomware.live → Live ransomware victim tracker
https://ransomwatch.telemetry.ltd → Ransomwatch group monitoring
https://www.ransom-db.com → Ransomware database
https://ransom.privtools.eu → Ransomware posts aggregator
https://id-ransomware.malwarehunterteam.com → Ransomware identification
https://www.nomoreransom.org → Decryption tools
https://watchguard.com/wgrd-security-hub/ransomware-tracker → Watchguard tracker
```
### Breach & Leak Intelligence
```
https://intelx.io → Intelligence X (dark web indexed)
https://breachdirectory.org → Breach directory
https://search.0t.rocks → Open breach database
https://leakix.net → Exposed service & leak intelligence
https://www.hudsonrock.com/threat-intelligence-cybercrime-tools → Stealer intel
https://whiteintel.io → Stealer log intelligence
https://breach.house → Stealer/breach aggregator
```
### CTI Platforms
```
https://otx.alienvault.com → AlienVault OTX (free, community)
https://www.talosintelligence.com → Cisco Talos
https://pulsedive.com → Pulsedive CTI
https://www.threatminer.org → ThreatMiner
https://threatfox.abuse.ch → ThreatFox IOC database
https://www.virustotal.com → VirusTotal intelligence
https://malpedia.caad.fkie.fraunhofer.de → Malware encyclopedia
https://attack.mitre.org → MITRE ATT&CK framework
```
### Malware & IOC Feeds
```
https://bazaar.abuse.ch/browse → MalwareBazaar samples
https://urlhaus.abuse.ch → Malicious URL feed
https://threatfox.abuse.ch → IOC feed
https://vx-underground.org → Malware sample archive
https://malpedia.caad.fkie.fraunhofer.de → Malware families
https://www.malware-traffic-analysis.net → PCAP & malware traffic analysis
```
### Crypto Tracing
```
https://www.blockchain.com/explorer → Bitcoin explorer
https://etherscan.io → Ethereum explorer
https://www.arkham.io → Crypto intelligence (Jieyab89's tip)
https://explorer.btc.com → BTC explorer
https://tronscan.org → TRON explorer
https://breadcrumbs.app → Crypto wallet graph
```
---
## OPSEC QUICK CHECKLIST
- [ ] Use isolated sandbox VM (not your main machine)
- [ ] Route through VPN before any browsing
- [ ] Use Tor Browser for any .onion access (separate from daily browser)
- [ ] Use fake/throwaway accounts — never your real identity
- [ ] Enable antivirus + firewall on sandbox
- [ ] Do not download files from dark web to your host machine
- [ ] Do not screenshot content that could identify you
- [ ] Never interact with, purchase from, or register on criminal forums
- [ ] Keep notes in encrypted container (VeraCrypt recommended)
- [ ] Disconnect VM from network when not actively investigating
---
## REFERENCE FILES
Load relevant reference based on investigation type:
- `references/darkweb-search.md` → Search & indexing techniques
- `references/ransomware-tracking.md` → Ransomware group intelligence
- `references/breach-leak-intel.md` → Breach & stealer log analysis
- `references/threat-actor-profiling.md` → APT/actor attribution & TTPs
- `references/crypto-tracing.md` → Cryptocurrency transaction analysis
- `references/malware-ioc-intel.md` → Malware samples & IOC collection
- `references/cti-feeds-platforms.md` → CTI platforms & feed integration
- `references/paste-leak-monitoring.md` → Paste & public leak monitoring
- `references/opsec-darkweb.md` → Full OPSEC procedures
---
*Tool list and methodology sourced from the
[OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet)
by [Jieyab89](https://github.com/Jieyab89).
Use responsibly, ethically, and legally.*
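Review bot: the INTELLIGENCE MODULES table and the REFERENCE FILES list in this hunk wire the skill to nine `references/*.md` paths, so this deletion only makes sense if every one of those files goes in the same commit; the stat line reports 13 changed files with 4 additions, so please confirm that none of the 4 added lines still points at `references/...` and that no other SKILL file links to `osint-darkweb-intel`. No commit message is visible on this page, so the reason for the removal is not recorded anywhere a future reader can find it. If the content is being relocated rather than retired, the Ethics & Legal Notice and the OPSEC QUICK CHECKLIST should travel with the tool lists, since they are the parts that keep the skill on the passive, clearnet-only footing the description promises.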
@@ -1,276 +0,0 @@
# Breach & Leak Intelligence
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Identify, analyze, and monitor data breaches and leaks related to a target —
including credential dumps, database leaks, stealer logs, and sensitive document
disclosures originating from dark web sources. All via clearnet services.
---
## 1. Breach Search Platforms
### HaveIBeenPwned (HIBP)
```
https://haveibeenpwned.com → Single email check
https://haveibeenpwned.com/DomainSearch → All emails at a domain (verify ownership)
# API
curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/user@target.com" \
-H "hibp-api-key: YOUR_KEY" \
-H "User-Agent: investigator-tool" | python3 -m json.tool
# List all known breaches
curl -s "https://haveibeenpwned.com/api/v3/breaches" | \
python3 -c "import sys,json; [print(b['Name'],'|',b['BreachDate'],'|',b['PwnCount']) for b in json.load(sys.stdin)]"
```
### Intelligence X
```
https://intelx.io/?s=target.com
https://intelx.io/?s=email@target.com
https://intelx.io/?s=TARGET_IP
# Indexes: Tor, I2P, paste sites, public leaks, documents, dark web forums
# Historical search — finds content from years back
# API (paid plan for full access)
curl -X POST "https://2.intelx.io/intelligent/search" \
-H "x-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"term":"target.com","maxresults":10,"media":0,"target":0,"timeout":10}'
```
### Breach Directory
```
https://breachdirectory.org
https://search.0t.rocks
https://osintleak.com
https://leakcheck.io → Free tier available
https://snusbase.com → Paid
https://dehashed.com → Paid, limited free
https://leakpeek.com
https://9ghz.com
https://weleakinfo.io
https://leakradar.io
https://exposed.lol
https://bf.based.re → BF database search
https://osintleak.com
```
---
## 2. Stealer Log Intelligence
Malware stealers (RedLine, Raccoon, Vidar, etc.) exfiltrate browser credentials,
cookies, crypto wallets. Their dumps appear on dark web markets and Telegram channels.
### Clearnet Monitoring Services
```
https://www.hudsonrock.com/threat-intelligence-cybercrime-tools
# Free search: enter domain to see if employee credentials were stolen
# by info-stealers and circulating in criminal markets
https://whiteintel.io
# Stealer log intelligence platform
# Check if domain credentials appear in stealer data
https://breach.house/all_stealers
# Aggregated stealer data viewer
https://www.infostealers.com
# Infostealer intelligence and research
```
### Hudson Rock — Free Domain Check
```python
import requests
domain = "target.com"
url = f"https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-domain?domain={domain}"
headers = {"User-Agent": "osint-research/1.0"}
resp = requests.get(url, headers=headers)
data = resp.json()
print(f"Employees in stealer logs: {data.get('total_employees', 0)}")
print(f"Users in stealer logs: {data.get('total_users', 0)}")
```
---
## 3. Paste Site Monitoring
Breached data often first appears on paste sites before being sold:
```
# Search
https://pastebin.com/search?q=target.com
https://psbdmp.ws → Pastebin dump search
https://cybdetective.com/pastebin.html → Multi-paste aggregator
# Google dorks for paste sites
site:pastebin.com "target.com"
site:pastebin.com "@target.com" password OR credentials OR dump
site:pastebin.com "target.com" database
site:gist.github.com "target.com" password
site:paste.centos.org "target.com"
site:justpaste.it "target.com"
# Telegra.ph (Telegram's paste service)
site:telegra.ph "target.com"
```
### Automated Paste Monitoring
```python
import requests, time
def monitor_pastebin(keyword, interval=300):
"""Poll Pastebin scraping API for keyword matches"""
seen = set()
while True:
try:
# Pastebin scraping API (requires Pastebin Pro)
r = requests.get("https://scrape.pastebin.com/api_scraping.php?limit=100")
pastes = r.json()
for paste in pastes:
pid = paste["key"]
if pid in seen:
continue
seen.add(pid)
content = requests.get(f"https://scrape.pastebin.com/api_scrape_item.php?i={pid}").text
if keyword.lower() in content.lower():
print(f"[MATCH] https://pastebin.com/{pid}")
except Exception as e:
print(f"Error: {e}")
time.sleep(interval)
```
---
## 4. Dark Web Breach Forum Intelligence (Clearnet Monitoring)
Monitor without directly accessing forums:
```
# DDO Secrets — public leak publishing
https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets
# Contains government, corporate, and organizational leaks
# Accessible via clearnet
# Breach House
https://breach.house
# Aggregates publicly known breach data
# LeakIX — exposed services that may lead to breaches
https://leakix.net
# Indexes exposed databases, services, and leaked data
# Commercial dark web monitoring (passive intelligence)
https://www.stealthmole.com → Dark web tracker
https://flare.io → Dark web monitoring platform
https://cyble.com → Cyble threat intelligence
https://cybersixgill.com → Deep/dark web intelligence
https://darktrace.com → AI-powered dark web monitoring
https://darkradar.io → Dark radar
```
---
## 5. Database Leak Analysis
When a leak dataset is available for analysis:
```python
import gzip, json
def analyze_leak(filepath, search_term):
"""Search a leak file for specific term"""
opener = gzip.open if filepath.endswith('.gz') else open
mode = 'rt' if filepath.endswith('.gz') else 'r'
matches = []
with opener(filepath, mode, encoding='utf-8', errors='ignore') as f:
for i, line in enumerate(f):
if search_term.lower() in line.lower():
matches.append({"line": i, "content": line.strip()})
return matches
# Example usage
results = analyze_leak("breach_dump.txt", "target.com")
for r in results[:10]:
print(r)
```
### Common Leak File Formats
```
Format 1 — email:password
user@domain.com:Password123
Format 2 — email:hash
user@domain.com:5f4dcc3b5aa765d61d8327deb882cf99
Format 3 — JSON structured
{"email":"user@domain.com","password":"...","name":"..."}
Format 4 — SQL dump
INSERT INTO users VALUES (1,'user@domain.com','hash','name');
```
---
## 6. COMB & Large Dataset Search
```
https://proxynova.com/tools/comb/
# Search in "Collection of Many Breaches" — 3.2B+ records
# Free search by email or domain
https://www.proxynova.com/tools/comb/
# Alternative mirror
```
---
## 7. Library of Leaks
```
https://search.libraryofleaks.org
# Searchable archive of public leaks
# Includes: Wikileaks, Panama Papers, Pandora Papers, etc.
https://aleph.occrp.org
# OCCRP's investigative data platform
# Leaked documents, corporate records, court data
# Used by professional investigative journalists
```
---
## Analyzing a Breach Report
When you find a breach record, extract:
```
1. Breach date → When did it occur vs. when discovered?
2. Data types exposed → Passwords? PII? Financial? Health?
3. Number of records → Scale of exposure
4. Source → Which company/service was breached?
5. Format → Plaintext passwords = high risk
6. Validation → Cross-check against HIBP for confirmation
7. Related breaches → Same actor? Same infrastructure?
```
---
## Tips
- **Hudson Rock free tool** is one of the most powerful for corporate exposure assessment
- **IntelX** has the deepest dark web index — essential for any serious investigation
- **DDO Secrets** is the best clearnet source for large-scale organizational leaks
- **HIBP Domain Search** requires ownership verification — useful for incident responders
- Always **validate** breach data before reporting — not all claimed breaches are real
- **Stealer logs** are more dangerous than traditional breaches — they include live session cookies
---
*Reference: [OSINT Cheat Sheet — Data Breached OSINT section](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
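Review bot: if the breach-and-leak reference is being moved rather than dropped, two defects in the removed text should not be carried over verbatim: `https://osintleak.com` appears twice in the Breach Directory block, and `monitor_pastebin` polls `scrape.pastebin.com` in an unbounded `while True` that sleeps the same `interval` after an exception, so a revoked key or rate limit produces an endless loop of identical errors, while the `seen` set grows without bound. The HIBP one-liner is also a list comprehension used purely for its `print` side effect, which is better written as a plain loop in a reference document.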
@@ -1,249 +0,0 @@
# Cryptocurrency Transaction Tracing
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Trace cryptocurrency payments associated with ransomware, dark web markets,
extortion, and other illicit activity — using public blockchain explorers,
graph analysis tools, and exchange intelligence.
> **Note**: All tools listed here use publicly available blockchain data.
> Blockchain transactions are fully public — tracing is legal OSINT.
> Do not attempt to seize, redirect, or interfere with any funds.
---
## 1. Blockchain Explorers (Per Chain)
### Bitcoin (BTC)
```
https://www.blockchain.com/explorer → General purpose BTC explorer
https://explorer.btc.com → BTC explorer
https://mempool.space → Mempool + UTXO explorer (very detailed)
https://blockchair.com/bitcoin → Multi-chain explorer with analytics
https://btcscan.org → Clean BTC scanner
# Search by: wallet address, TXID, block number
```
### Ethereum (ETH) & ERC-20
```
https://etherscan.io → Standard ETH explorer
https://etherscam.com → Known scam addresses
https://blocksec.com → Blockchain security analytics
```
### Monero (XMR) — Privacy Coin (Limited Tracing)
```
https://xmrchain.net → Monero explorer (limited, privacy-focused)
# Note: Monero is designed for privacy — tracing is very limited
# Ring signatures and stealth addresses obscure sender/receiver
```
### USDT / Tron (TRC-20)
```
https://tronscan.org → TRON/USDT TRC-20 explorer
# Popular in ransomware payments and dark web markets
```
### Other Chains
```
https://blockchair.com → Multi-chain: BTC, ETH, BCH, LTC, etc.
https://www.coingecko.com → Market data + contract addresses
```
---
## 2. Crypto Intelligence Platforms
### Arkham Intelligence
```
# From Jieyab89's OSINT Cheat Sheet tips
https://platform.arkhamintelligence.com
# Features:
# - Wallet entity labeling (exchange, mixer, ransomware group, etc.)
# - Transaction graph visualization
# - Portfolio tracking
# - On-chain intelligence with AI entity identification
# - Links wallets to known entities (Binance, Coinbase, dark web markets)
```
### Breadcrumbs
```
https://breadcrumbs.app
# Free crypto investigation tool
# Visual graph: trace funds through multiple hops
# Label known entities (exchanges, mixing services)
# Export graph for reports
# How to use:
# 1. Input wallet address
# 2. Click "Investigate"
# 3. Expand transaction nodes
# 4. Look for connections to labeled entities (exchanges = on/off ramps)
```
### Crystal Blockchain (Commercial)
```
https://crystalblockchain.com
# Professional-grade crypto tracing
# Used by law enforcement and compliance teams
# Risk scoring for wallet addresses
```
### Chainalysis (Commercial, Free Tools Available)
```
https://www.chainalysis.com
# Industry standard for crypto compliance and investigations
# Free tool: https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/
```
---
## 3. Ransomware Wallet Tracking
Known ransomware wallets are often publicly documented:
```
# Ransomwhere — ransomware payment tracker
https://ransomwhe.re
https://ransomwhe.re/browse → Browse reported ransomware payments
# From Jieyab89's Dataset list:
# "Browse ransomware data" → https://ransomwhe.re/#report
# Features:
# - Known ransomware payment addresses
# - Total amounts paid per group
# - Timeline of payments
# - Submit newly discovered wallets
```
### Searching Ransomware Wallets
```python
import requests
def check_ransomwhere(address):
"""Check if a Bitcoin address appears in ransomwhere.re"""
url = f"https://api.ransomwhe.re/export"
resp = requests.get(url)
data = resp.json()
for entry in data.get("result", []):
if address in entry.get("address", ""):
return entry
return None
# Usage
result = check_ransomwhere("1BitcoinAddressHere")
if result:
print(f"Ransomware family: {result.get('family')}")
print(f"Total received: {result.get('balance')} BTC")
```
---
## 4. Blockchain Analytics Techniques
### Address Clustering
Multiple addresses controlled by same entity are often linked through:
- Common-input ownership (UTXO model)
- Change address patterns
- Timing correlation
- Dust attacks
```
# Blockchair supports basic clustering
https://blockchair.com/bitcoin/address/ADDRESS#cluster
# OXT — Bitcoin UTXO analytics
https://oxt.me/address/BITCOIN_ADDRESS
# Shows: cluster, related addresses, entity if known
```
### Following the Money (Step-by-Step)
```
1. Get starting address (from ransom note, report, payment screenshot)
2. Open in mempool.space or blockchain.com
3. Trace outgoing transactions
4. Look for consolidation points (many inputs → one output = aggregation wallet)
5. Check if final destination is a labeled exchange
6. Large exchange deposit → potential KYC record exists
7. Check Arkham/Breadcrumbs for entity labels
8. Cross-reference with known ransomware wallet databases
```
### Mixer / Tumbler Detection
```
Indicators of mixing services:
- Many equal-value outputs (e.g., 10x 0.1 BTC)
- Coinjoin transactions (many inputs, many outputs, equal amounts)
- Wasabi Wallet patterns
- Known mixer addresses:
# Sanction screening (OFAC SDN list)
https://sanctionssearch.ofac.treas.gov
# Check if wallet is under US Treasury sanctions (many ransomware wallets are)
# Chainalysis free screening
https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/
```
---
## 5. OFAC Sanctioned Crypto Addresses
Many ransomware operators have sanctioned wallets:
```
https://sanctionssearch.ofac.treas.gov
# US Treasury Office of Foreign Assets Control
# Search: individual name, entity name, or cryptocurrency address
# Also check:
https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions
# Latest sanction actions — often includes crypto wallet addresses
# Blockchain analytics APIs that include OFAC checks:
https://www.chainalysis.com
https://crystalblockchain.com
```
---
## 6. Exchange Intelligence
When funds reach an exchange, there may be a KYC record:
```
# Identify exchange from address
https://www.blockchain.com/explorer → Tagged addresses
https://blockchair.com → Entity labels
https://arkhamintelligence.com → Exchange identification
# Known exchange deposit address patterns:
# - Binance: cluster of many deposit addresses pointing to hot wallet
# - Coinbase: tagged in blockchain.com
# - Kraken: similar clustering patterns
# If you identify an exchange:
# → Law enforcement can subpoena KYC records
# → Document the evidence trail before reporting
```
---
## Tips
- **Breadcrumbs** is the best free visual tool for quick crypto tracing
- **Arkham** is most powerful for entity identification — often labels wallets automatically
- **Mempool.space** gives the deepest BTC UTXO analysis for free
- **Ransomwhe.re** is the definitive database of known ransomware payment addresses
- **Always document** wallet addresses, transaction IDs, and block heights for evidence
- **Monero** tracing is severely limited by design — pivot to any BTC payments instead
- **OFAC sanctions list** is essential for identifying if a wallet is already flagged by US Treasury
- Blockchain analysis is a specialized field — for serious investigations, use **Chainalysis** or **Crystal**
---
*Reference: [OSINT Cheat Sheet — tips on crypto tracking & Collection Dataset sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
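Review bot: the `check_ransomwhere` helper in this hunk compares with `address in entry.get("address", "")`, a substring test, so a short or partial input will match unrelated wallet entries; an equality check is the correct form if this code is reinstated elsewhere. The `f"https://api.ransomwhe.re/export"` literal has no placeholders and should be a plain string. The Mixer / Tumbler Detection block ends its list with `Known mixer addresses:` and nothing after it, then jumps to OFAC screening, so that bullet was already dangling before the deletion.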
@@ -1,319 +0,0 @@
# CTI Feeds & Platforms
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Integrate structured threat intelligence feeds and platforms into an investigation
or detection workflow — covering open-source, community, and commercial CTI sources.
---
## 1. Open-Source CTI Platforms
### MISP — Malware Information Sharing Platform
```
https://www.misp-project.org
# Industry-standard open-source CTI sharing platform
# Self-hosted: share IOCs within a trusted community or organization
# Integrates with: Splunk, TheHive, Cortex, QRadar, etc.
# Public MISP instances (read access)
https://www.circl.lu/doc/misp/ → CIRCL MISP (Luxembourg CSIRT)
# MISP feed consumption
# Most major feeds (OTX, abuse.ch, etc.) have MISP format exports
```
### OpenCTI
```
# From Jieyab89's list
https://github.com/OpenCTI-Platform/opencti
# Open-source CTI platform — store, analyze, and share intelligence
# Knowledge graph: actor → campaign → malware → IOC → victim
# Integrates with MISP, STIX/TAXII, TheHive
# Self-host via Docker: docker-compose up -d (demo.opencti.io no longer reliable)
```
### IntelOwl
```
# From Jieyab89's list
https://github.com/intelowlproject/IntelOwl/
# Aggregates results from 50+ analyzers (VT, OTX, Shodan, etc.)
# Single API call → enriched IOC from all sources simultaneously
# Self-hosted, free, open-source
```
---
## 2. Community Intelligence Feeds
### AlienVault OTX
```
https://otx.alienvault.com
# Free, community-driven threat intelligence
# "Pulses" = collections of IOCs around a specific threat
# Subscribe to relevant pulses
# Follow actors: APT28, LockBit, Emotet, etc.
# DirectConnect API
curl "https://otx.alienvault.com/api/v1/pulses/subscribed" \
-H "X-OTX-API-KEY: YOUR_KEY"
# Pull IOCs from a pulse
curl "https://otx.alienvault.com/api/v1/pulses/PULSE_ID/indicators" \
-H "X-OTX-API-KEY: YOUR_KEY"
# Python SDK
pip install OTXv2
from OTXv2 import OTXv2
otx = OTXv2("YOUR_API_KEY")
pulse = otx.get_pulse_details("PULSE_ID")
indicators = otx.get_pulse_indicator_details("PULSE_ID")
```
### Pulsedive
```
# From Jieyab89's list
https://pulsedive.com/dashboard/
# Free tier available
# IOC enrichment, threat feeds, risk scoring
# API
curl "https://pulsedive.com/api/?indicator=suspicious.com&key=YOUR_KEY"
```
### ThreatMiner
```
# From Jieyab89's list
https://www.threatminer.org
# Passive threat intelligence — no API key needed for basic use
# Lookups:
https://www.threatminer.org/domain.php?q=suspicious.com
https://www.threatminer.org/ip.php?q=1.2.3.4
https://www.threatminer.org/sample.php?q=SHA256_HASH
```
---
## 3. Commercial CTI Platforms (Free Tiers Available)
### Recorded Future
```
https://www.recordedfuture.com/vulnerability-database
# Free risk score lookup for IPs, domains, CVEs
# Risk API (limited free access)
curl "https://api.recordedfuture.com/v2/ip/1.2.3.4" \
-H "X-RFToken: YOUR_TOKEN"
```
### Flare
```
# From Jieyab89's list
https://flare.io
# Dark web monitoring + CTI platform
# Monitors: paste sites, dark web forums, leak sites, Telegram
```
### Stealthmole
```
# From Jieyab89's list
https://www.stealthmole.com
# Dark web tracker with CTI focus
```
### Cybersixgill
```
# From Jieyab89's list
https://cybersixgill.com
# Deep and dark web intelligence
# Real-time monitoring of underground forums
```
### Darkfeed
```
# From Jieyab89's list
https://darkfeed.io
# Dark web IOC feed
```
### Falcon Feeds
```
# From Jieyab89's list
https://falconfeeds.io
# Threat intelligence from dark web sources
```
---
## 4. STIX/TAXII — Structured Intelligence Sharing
Standard format for machine-readable threat intelligence:
```python
# Install dependencies
pip install taxii2-client stix2
from taxii2client.v21 import Server
# MITRE ATT&CK TAXII (confirmed active)
server = Server("https://cti-taxii.mitre.org/taxii/")
for api_root in server.api_roots:
for collection in api_root.collections:
print(collection.title, collection.id)
# Note: CISA TAXII (ais.cisa.gov) and Anomali Limo (limo.anomali.com)
# are no longer resolving as of 2025 — use alternatives above instead
```
### Active Public TAXII Servers
```
https://cti-taxii.mitre.org/taxii/ → MITRE ATT&CK (confirmed active)
# Note: limo.anomali.com and ais.cisa.gov/taxii2/ no longer resolve (dead)
# Use MITRE ATT&CK TAXII or self-hosted MISP feeds instead
```
### Alternative — MITRE ATT&CK via GitHub JSON (Simpler, No TAXII Client)
```python
import requests
# Fetch all ATT&CK groups directly
url = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json"
data = requests.get(url).json()
groups = [obj for obj in data["objects"] if obj["type"] == "intrusion-set"]
for g in groups:
print(g.get("name"), "|", g.get("aliases", []))
```
### CISA KEV Feed (Replaces CISA TAXII)
```python
import requests
# CISA Known Exploited Vulnerabilities — always updated JSON feed
url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
data = requests.get(url).json()
vulns = data.get("vulnerabilities", [])
print(f"Total KEVs: {len(vulns)}")
for v in vulns[-5:]: # Latest 5
print(v.get("cveID"), "|", v.get("vendorProject"), "|", v.get("dueDate"))
```
---
## 5. Threat Hunting Platforms
### Splunk (SIEM)
```
# From Jieyab89's list
https://www.splunk.com
# Leading SIEM for log analysis and threat hunting
# Free: Splunk Free (500MB/day)
# Useful SPL for hunting:
# index=* sourcetype=* [inputlookup ioc_list.csv]
```
### Wazuh (Open-Source SIEM/XDR)
```
# From Jieyab89's list
https://wazuh.com
# Free, open-source security monitoring
# Integrates with MISP and threat intel feeds
```
### Grafana
```
# From Jieyab89's list
https://grafana.com
# Visualization for threat intelligence dashboards
# Connect to MISP, OpenCTI, or custom CTI databases
```
---
## 6. Integrating Feeds into a Pipeline
### Simple IOC Aggregation Pipeline
```python
import requests, json
from datetime import datetime
class CTIPipeline:
def __init__(self, otx_key):
self.otx_key = otx_key
self.iocs = {"domains": [], "ips": [], "hashes": [], "urls": []}
def pull_threatfox(self, days=1):
"""Pull recent IOCs from ThreatFox"""
resp = requests.post("https://threatfox-api.abuse.ch/api/v1/",
json={"query": "get_iocs", "days": days})
for ioc in resp.json().get("data", []):
ioc_type = ioc.get("ioc_type")
value = ioc.get("ioc")
if ioc_type == "domain":
self.iocs["domains"].append(value)
elif ioc_type in ("ip:port", "ip"):
self.iocs["ips"].append(value.split(":")[0])
elif ioc_type in ("sha256_hash", "md5_hash"):
self.iocs["hashes"].append(value)
elif ioc_type == "url":
self.iocs["urls"].append(value)
def pull_urlhaus(self):
"""Pull malicious URLs from URLhaus"""
resp = requests.get("https://urlhaus.abuse.ch/downloads/csv_online/")
for line in resp.text.split("\n"):
if line.startswith("#") or not line.strip():
continue
parts = line.split(",")
if len(parts) > 2:
self.iocs["urls"].append(parts[2].strip('"'))
def deduplicate(self):
for key in self.iocs:
self.iocs[key] = list(set(self.iocs[key]))
def export(self, path):
self.deduplicate()
with open(path, "w") as f:
json.dump({"generated": str(datetime.now()), "iocs": self.iocs}, f, indent=2)
print(f"Exported {sum(len(v) for v in self.iocs.values())} IOCs to {path}")
# Usage
pipeline = CTIPipeline(otx_key="YOUR_KEY")
pipeline.pull_threatfox(days=1)
pipeline.pull_urlhaus()
pipeline.export("daily_iocs.json")
```
---
## Tips
- **IntelOwl** gives the broadest enrichment with a single API call — deploy it first
- **OpenCTI** is the best self-hosted platform — run via Docker, the public demo is unreliable
- **ThreatFox + URLhaus** from abuse.ch are the highest-quality free IOC feeds
- **MITRE ATT&CK GitHub JSON** is more reliable than their TAXII endpoint for automation
- **CISA KEV JSON feed** is the best free vulnerability intelligence — no auth needed
- **Pulsedive** is excellent for quick IOC risk scoring without many API keys
- Automate daily feed pulls and delta-compare against your existing blocklists
---
## Removed / Dead Links (Verified April 2025)
| Site | Status | Reason |
|------|--------|--------|
| `misp.seccodeid.com` | Offline | DNS does not resolve |
| `limo.anomali.com` | Offline | DNS does not resolve — Anomali shut down free Limo service |
| `ais.cisa.gov/taxii2/` | Offline | DNS does not resolve |
| `demo.opencti.io` | Removed | Public demo unreliable — self-host via Docker instead |
---
*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting, Researching Cyber Threats sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
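Review bot: In the `CTIPipeline` being removed here, `pull_urlhaus` splits each CSV line on bare commas and takes `parts[2]`, which misparses any quoted field that itself contains a comma, and neither `pull_threatfox` nor `pull_urlhaus` sets a timeout or checks the HTTP status before calling `resp.json()`; if this pipeline is being relocated rather than retired, parse the feed with `csv.reader`, pass `timeout=`, and call `resp.raise_for_status()`. The `otx_key` stored in `__init__` is not used by any method visible in this hunk, and the literal `"YOUR_KEY"` in the usage block should be read from an environment variable instead of being hard-coded.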
@@ -1,212 +0,0 @@
# Dark Web Search & Indexing
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Search and index dark web content using clearnet-accessible tools, proxies,
and aggregators — without requiring a Tor browser for most operations.
---
## 1. Clearnet Dark Web Search Engines
These index .onion content and are accessible from a regular browser:
```
https://ahmia.fi → Most established Tor search engine
accessible via clearnet
https://darksearch.io → Dark web search via clearnet API
https://lolarchiver.com → Archived dark web content
https://osint.lolarchiver.com → OSINT-focused dark archive
https://open-search.aleph-networks.eu → Open search with dark web data
```
### Ahmia.fi Usage
```
# Basic search
https://ahmia.fi/search/?q=ransomware+group
# Search for specific onion addresses
https://ahmia.fi/search/?q=site:ONIONADDRESS.onion
# API
curl "https://ahmia.fi/api/query?q=keyword&limit=10"
```
### DarkSearch.io API
```bash
# Search via API (free tier available)
curl "https://darksearch.io/api/search?query=keyword&page=1"
# Python
import requests
resp = requests.get("https://darksearch.io/api/search",
params={"query": "ransomware group", "page": 1})
print(resp.json())
```
---
## 2. Intelligence X (IntelX)
One of the most powerful dark web indexing platforms — indexes Tor, I2P, paste
sites, public leaks, and document archives:
```
https://intelx.io/?s=keyword
https://intelx.io/?s=email@target.com
https://intelx.io/?s=target.com
https://intelx.io/?s=BITCOIN_WALLET_ADDRESS
# Selectors to search:
# - Email addresses
# - Domains
# - IP addresses
# - Bitcoin addresses
# - IPFS hashes
# - URLs
# - Phone numbers
```
---
## 3. Tor Hidden Service Search (Requires Tor Browser)
> Only use this for authorized research. Use a dedicated sandbox VM + Tor Browser.
> Never access from your real machine or identity.
```
# Popular .onion search engines (access via Tor Browser only)
DuckDuckGo onion : https://3g2upl4pq6kufc4m.onion
Torch : http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5ayieeo2through7sh6turd.onion
Not Evil : http://notevilmtxf25uw7tskqxj6njlpebyrmlrerfv5hc4tuq7c7hilbyiqd.onion
Haystak : http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion
```
---
## 4. Specialized Dark Web Index Tools
### DeepDarkCTI
Threat intelligence from deep and dark web sources:
```bash
# From Jieyab89's list
git clone https://github.com/fastfire/deepdarkCTI
# Contains curated .onion links categorized by type:
# - Forums, markets, ransomware leak sites, paste services
# - Updated list of active dark web resources for CTI
cat deepdarkCTI/ransomware.md # Ransomware sites list
cat deepdarkCTI/forum.md # Forum list
cat deepdarkCTI/combolist.md # Combo/leak list sites
```
### OnionSearch
```bash
pip install onionsearch
onionsearch "keyword"
# Searches across multiple .onion search engines simultaneously
```
---
## 5. OSINT Framework — Dark Web Section
```
https://osintframework.com
# Navigate to: Digital Footprint → Dark Web
# Contains categorized links to:
# - Dark web search engines
# - Forums (indexed/cached versions)
# - Cryptocurrency tracking
# - Paste services
```
---
## 6. Cached & Archived Dark Web Content
Access dark web content without connecting to Tor:
```
https://osint.lolarchiver.com → Cached dark web content
https://lolarchiver.com → Dark web archiver
https://www.libraryofleaks.org → Leaked document library
https://search.libraryofleaks.org → Search leaked documents
# DDO Secrets (Distributed Denial of Secrets) — public leak archive
https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets
# Contains: government leaks, corporate data, hacked datasets
# Browse without accessing dark web directly
# ALEPH (OCCRP)
https://aleph.occrp.org
# Investigative journalism data repository
# Contains leaked documents, corporate records, court data
```
---
## 7. I2P & Freenet Monitoring (Passive)
```
# I2P eepsites search (passive indexing services)
https://i2psearch.com
http://i2pforum.i2p (requires I2P)
# Freenet content search (passive)
# Use Freenet indexes accessible via clearnet bridges
```
---
## 8. Darkweb Academy
```
# From Jieyab89's OSINT Academy list
https://www.darkwebacademy.com/labs/
# Provides labs and training for dark web OSINT
# Safe, sandboxed environments for learning
```
---
## Search Strategies
### Finding Specific Content
```
# Entity-based search
"company name" site:ransomgroup.onion (via Ahmia)
"email@domain.com" intext:password (via IntelX)
"domain.com" leak OR breach OR dump (via DarkSearch)
# Hash-based search
"MD5HASH" OR "SHA256HASH" (malware samples)
"bitcoin:WALLETADDRESS" (crypto payment traces)
# Forum activity
"threat actor alias" forum (track actor across platforms)
```
### Building a Search Query
```
1. Start broad: target name, domain, or keyword
2. Narrow with context: + "breach" / "leaked" / "sale" / "dump"
3. Add time filter if available
4. Cross-reference hits across multiple platforms
5. Extract and pivot from any new selectors found (emails, wallets, aliases)
```
---
## Tips
- **Ahmia** is the most reliable clearnet index for general .onion search
- **IntelX** has the deepest historical index — worth using for any serious investigation
- **DeepDarkCTI** repo is regularly updated with active dark web site links
- **DDO Secrets** is the best clearnet source for leaked government/corporate data
- **ALEPH/OCCRP** is excellent for cross-referencing against investigative journalism leaks
- Always **document your search queries** — reproducibility matters in investigations
---
*Reference: [OSINT Cheat Sheet — Data Breached OSINT & Forums sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
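Review bot: The `.onion` list in section 3 of this deleted file should not be carried over as-is: `3g2upl4pq6kufc4m.onion` is a 16-character v2 address, and Tor stopped serving v2 onion services in 2021, while the Torch entry is 58 characters long where a v3 address is exactly 56, so at least that line is mistyped. The DarkSearch.io block is also fenced as `bash` but switches to Python after the `# Python` comment; split it into two fences if the content is being moved elsewhere.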
@@ -1,281 +0,0 @@
# Malware & IOC Intelligence
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Collect, analyze, and enrich malware samples and Indicators of Compromise (IOCs)
from threat intelligence feeds, sandboxes, and dark web-adjacent sources — for
detection engineering, incident response, and threat hunting.
---
## 1. Malware Sample Repositories
### MalwareBazaar (abuse.ch)
```
https://bazaar.abuse.ch/browse/
# Search by hash, tag, file type, or malware family
https://bazaar.abuse.ch/browse/?q=ransomware
https://bazaar.abuse.ch/browse/?q=tag:emotet
# API — download samples and query intel
curl -X POST "https://mb-api.abuse.ch/api/v1/" \
-d "query=get_info&hash=HASH_VALUE"
# Python
import requests
resp = requests.post("https://mb-api.abuse.ch/api/v1/",
data={"query": "get_info", "hash": "SHA256_HERE"})
print(resp.json())
```
### VX-Underground
```
# From Jieyab89's list
https://vx-underground.org
# Largest public malware sample archive
# Categories: APT samples, ransomware, stealers, botnets
# WARNING: Only download to isolated sandbox — these are live malware
# Also useful for:
# - Malware source code leaks
# - Threat actor communications
# - Historical campaign materials
```
### Malware Traffic Analysis
```
# From Jieyab89's list
https://www.malware-traffic-analysis.net/2025/index.html
# PCAP files + malware samples from real infections
# Includes: traffic captures, IOCs, malware files
# Excellent for understanding C2 communication patterns
```
### VirusShare (Registration Required)
```
https://virusshare.com
# Large malware sample collection — requires account
```
### Virus Exchange
```
# From Jieyab89's list
https://virus.exchange
# Sample sharing platform
```
---
## 2. IOC Feeds
### ThreatFox (abuse.ch)
```
https://threatfox.abuse.ch/browse/
# API — get latest IOCs
curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \
-d '{"query":"get_iocs","days":1}'
# Search by IOC value
curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \
-d '{"query":"search_ioc","search_term":"malware.com"}'
# MISP feed format
https://threatfox.abuse.ch/export/misp/
```
### URLhaus (abuse.ch) — Malicious URLs
```
https://urlhaus.abuse.ch
# API
curl -X POST "https://urlhaus-api.abuse.ch/v1/url/" \
-d "url=https://suspicious.com/malware.exe"
# Download daily feed
curl "https://urlhaus.abuse.ch/downloads/csv_online/"
# Python query
import requests
resp = requests.post("https://urlhaus-api.abuse.ch/v1/host/",
data={"host": "suspicious-domain.com"})
print(resp.json())
```
### AlienVault OTX Feeds
```
https://otx.alienvault.com/api/v1/pulses/subscribed
# Returns all IOCs from pulses you follow
# Specific IOC lookup
curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/malware" \
-H "X-OTX-API-KEY: YOUR_KEY"
curl -X GET "https://otx.alienvault.com/api/v1/indicators/file/HASH/analysis" \
-H "X-OTX-API-KEY: YOUR_KEY"
```
### Additional IOC Feeds
```
https://rescure.me/feeds.html → Rescure.me curated feeds
https://www.spamhaus.org/drop/drop.txt → Spamhaus DROP list (BGP blocks)
https://feodotracker.abuse.ch/downloads/ → Feodo botnet C2 IPs
https://sslbl.abuse.ch/blacklist/ → SSL certificate blacklist
https://openphish.com/phishing_feeds.html → OpenPhish phishing URLs
https://phishstats.info:2096/api/phishing → PhishStats API
```
---
## 3. Malware Analysis Sandboxes
Safe environments to analyze suspicious files:
### Free Online Sandboxes
```
https://app.any.run → Interactive (from Jieyab89's list)
https://www.hybrid-analysis.com → Free, Falcon Sandbox powered
https://tria.ge/reports/public → Tria.ge sandbox (from Jieyab89's list)
https://cuckoo.cert.ee → Cuckoo sandbox (Jieyab89's list)
https://capesandbox.com → CAPE sandbox (Jieyab89's list)
https://www.joesandbox.com → Joe Sandbox (from Jieyab89's list)
https://www.vmray.com → VMRay (commercial, limited free)
https://filescan.io → Filescan.io (from Jieyab89's list)
https://www.docguard.io → DocGuard for documents
https://analyze.intezer.com/scan → Intezer (code similarity analysis)
```
### API-Based Analysis
```python
import requests, time
def submit_to_hybrid_analysis(filepath):
"""Submit a file to Hybrid Analysis"""
url = "https://www.hybrid-analysis.com/api/v2/submit/file"
headers = {"api-key": "YOUR_API_KEY", "user-agent": "Falcon Sandbox"}
with open(filepath, "rb") as f:
resp = requests.post(url,
headers=headers,
files={"file": f},
data={"environment_id": 100}) # Windows 7 64-bit
return resp.json()
```
---
## 4. Hash & IOC Enrichment
### VirusTotal
```
# File hash lookup
https://www.virustotal.com/gui/file/SHA256_HASH
# API
curl --request GET \
--url "https://www.virustotal.com/api/v3/files/SHA256_HASH" \
--header "x-apikey: YOUR_API_KEY"
# Batch hash check (Python)
import requests
def vt_check_hash(sha256, api_key):
url = f"https://www.virustotal.com/api/v3/files/{sha256}"
headers = {"x-apikey": api_key}
resp = requests.get(url, headers=headers)
data = resp.json()
stats = data.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
return {
"malicious": stats.get("malicious", 0),
"suspicious": stats.get("suspicious", 0),
"undetected": stats.get("undetected", 0),
"total": sum(stats.values())
}
```
### Malware Encyclopedia — Malpedia
```
https://malpedia.caad.fkie.fraunhofer.de
# Search by malware name
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
# Each entry contains:
# - YARA rules
# - Actor associations
# - Sample hashes
# - Technical references
# - Aliases across vendors
```
### pwnedOrNot
```
# From Jieyab89's list
https://github.com/thewhiteh4t/pwnedOrNot
# Check if email has leaked and try to get plaintext password
```
---
## 5. YARA Rules
YARA is the standard for malware pattern matching:
### YARA Rule Sources
```
# From Jieyab89's list
https://yaraify.abuse.ch/yarahub/ → Community YARA hub (abuse.ch)
https://github.com/Neo23x0/signature-base → Neo23x0 signature base
https://valhalla.nextron-systems.com → Valhalla YARA feed
# Using YARA rules
pip install yara-python
import yara
rules = yara.compile(filepath="rule.yar")
matches = rules.match("suspicious_file.exe")
for match in matches:
print(f"Rule: {match.rule}, Tags: {match.tags}")
```
---
## 6. C2 Tracking
### C2-Tracker
```
# From Jieyab89's list
https://github.com/montysecurity/C2-Tracker
# Tracks active C2 infrastructure for common RATs and botnets
# Lists are updated regularly:
# - Cobalt Strike C2s
# - Metasploit listeners
# - Brute Ratel C2s
# - Sliver C2s
```
### Feodo Tracker (Emotet/TrickBot/etc.)
```
https://feodotracker.abuse.ch
# Botnet C2 IP tracker
curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
```
---
## Tips
- **MalwareBazaar** is the best free starting point for any hash lookup
- **any.run** provides the most interactive analysis experience for free
- **ThreatFox** API is easy to integrate into automated pipelines
- **Valhalla YARA** requires subscription but is the highest quality rule set
- **Malpedia** links malware → actor → campaign — critical for full context
- Never analyze malware on your main machine — always use an isolated sandbox
- **Hash pivoting**: if a hash is known, check its VirusTotal graph for related infrastructure
---
*Reference: [OSINT Cheat Sheet — Researching Cyber Threats, SOC & Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
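Review bot: The API snippets in sections 3 and 4 of this removed file hard-code the key as a string literal (`headers = {"api-key": "YOUR_API_KEY", ...}`, `-H "X-OTX-API-KEY: YOUR_KEY"`) and call `resp.json()` with no timeout or status check, so a rate-limited or 404 response surfaces either as a JSON decode error or, in `vt_check_hash`, as a silent all-zero result with `total` 0; if any of this is ported, read keys from the environment, pass `timeout=`, and call `raise_for_status()` before parsing. The section 5 fence also mixes `pip install yara-python` with Python source in one unlabelled block.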
@@ -1,277 +0,0 @@
# OPSEC for Dark Web OSINT Investigations
> *Safety guidelines inspired by [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89) — who emphasizes: "Please use it wisely"*
## Objective
Protect your identity, devices, and legal standing while conducting dark web
intelligence investigations. Poor OPSEC can expose your real identity to threat
actors, compromise your organization, or create legal liability.
---
## 1. Environment Setup
### Recommended Stack (Layered Isolation)
```
Layer 1 — Host Machine
└── Your regular computer (never used for OSINT)
Layer 2 — Hypervisor
└── VirtualBox / VMware / Proxmox
└── Isolated OSINT VM (no shared clipboard, no shared folders)
Layer 3 — Network
└── VPN (kill-switch enabled) → Tor (for .onion) or direct (for clearnet OSINT)
Layer 4 — Browser
└── Tor Browser (for .onion access)
└── Firefox with hardened settings (for clearnet OSINT tools)
Layer 5 — Identity
└── Throwaway accounts (not linked to real name/email/phone)
└── Dedicated OSINT email (ProtonMail, Tutanota)
```
### Recommended OSINT Linux Distros (from Jieyab89's list)
```
https://github.com/tracelabs/tlosint-live → Trace Labs OSINT VM
https://tails.net → Amnesic OS (leaves no trace)
https://www.qubes-os.org → Compartmentalized OS
https://www.parrotsec.org → Parrot OS (security/OSINT)
https://csilinux.com → CSI Linux (OSINT-focused)
```
---
## 2. Network OPSEC
### VPN Configuration
```
Requirements for OSINT VPN:
✓ No-logs policy (independently audited)
✓ Kill switch enabled (cuts internet if VPN drops)
✓ DNS leak protection
✓ Jurisdiction outside 5/9/14-eyes if sensitive work
# Test for leaks before starting
https://www.dnsleaktest.com
https://ipleak.net
https://browserleaks.com
```
### Tor Browser (for .onion access)
```
Download: https://www.torproject.org/download/
# Always use the latest version
# Never resize the window (browser fingerprinting)
# Never log into personal accounts inside Tor Browser
# Disable JavaScript for sensitive .onion sites (Security Level: Safest)
# Never download files directly — preview in sandbox first
# Check your Tor exit node
https://check.torproject.org (accessible via Tor Browser)
```
### Network Isolation
```bash
# Linux: create isolated network namespace for OSINT tools
ip netns add osint-ns
ip netns exec osint-ns ip link set lo up
# Route all OSINT tool traffic through VPN interface only
# Verify no direct connections from OSINT VM
# Disable all non-essential network interfaces in the VM
```
---
## 3. Identity OPSEC
### Account Hygiene
```
✓ Use throwaway/sock puppet accounts for any platform registration
✓ Never use real name, photo, or biographical info in OSINT accounts
✓ Use dedicated email (ProtonMail / Tutanota) created over Tor
✓ Never reuse usernames across platforms
✓ Use separate accounts for OSINT work vs personal use
✓ Generate usernames with no connection to your real identity
# Jieyab89's tip on accounts:
# "Do a active on each platform example like post, follow, following to
# avoid bot detection or blocked by user (target)"
# "Use second account (not your real account)"
```
### Browser Fingerprinting Protection
```
https://browserleaks.com → Test your browser fingerprint
https://coveryourtracks.eff.org → EFF Cover Your Tracks test
# Key fingerprint vectors to neutralize:
# - Screen resolution (use common size: 1920x1080)
# - User agent (use common browser UA)
# - Timezone (match VPN exit location)
# - WebRTC leaks (disable WebRTC in browser)
# - Canvas fingerprinting (block or randomize)
```
---
## 4. Device OPSEC
### Sandbox VM Rules
```
✓ Snapshot the VM before each investigation session
✓ Revert snapshot after sensitive sessions
✓ No shared clipboard between host and OSINT VM
✓ No shared folders — transfer files through encrypted container only
✓ Disable USB passthrough
✓ Use separate VM for different investigation cases (no cross-contamination)
✓ Enable AV in VM (Jieyab89's tip: "Enable your firewall, AV and IDS")
```
### File Handling (from Jieyab89's tips)
```
# Jieyab89's direct guidance:
"Dont upload your private files make sure you have clean personal file in folder"
"Scan the files will you download"
"Encrypt your network traffic, message and disk"
"Beware about attachments such as docx, xlsm or macro documents"
"Beware about malicious script like programm lang always check will you run it"
"beware with code with obfuscate (dont trust it)"
# NEVER:
✗ Open malware samples on your host machine
✗ Click links from threat actors without sandbox isolation
✗ Download dark web files to your main machine
✗ Enable macros in Office documents from dark web sources
```
### File Analysis Before Opening
```bash
# Check file type (don't trust extension)
file suspicious_file.exe
# Compute hashes before opening
sha256sum suspicious_file.exe
md5sum suspicious_file.exe
# Check hash on VirusTotal before any local analysis
# Submit hash only (not the file itself) for initial check
# Strings analysis (safe, no execution)
strings suspicious_file.exe | grep -E "(http|ftp|smtp|password|key|token)"
# Only then: open in an isolated sandbox (AnyRun, Hybrid Analysis, or local Cuckoo)
```
---
## 5. Legal OPSEC
### What Is Legal (OSINT)
```
✓ Accessing publicly available information
✓ Using clearnet dark web monitoring services
✓ Searching indexed dark web content (Ahmia, IntelX, DarkSearch)
✓ Analyzing published breach data for defensive purposes
✓ Tracking ransomware groups through their public leak sites
✓ Researching threat actors using public reports and CTI feeds
✓ Accessing DDO Secrets / OCCRP ALEPH (public interest journalism)
```
### What Is NOT Legal (Do Not Do)
```
✗ Registering accounts on criminal forums
✗ Purchasing stolen data, tools, or credentials
✗ Accessing systems without authorization
✗ Re-publishing stolen personal data of individuals
✗ Attempting to take down or interfere with criminal infrastructure
✗ Interacting with threat actors to elicit information (entrapment risk)
✗ Downloading CSAM or other illegal content (even for research)
```
### Jurisdiction Reference
```
Indonesia → UU ITE No.11/2008 & No.19/2016 (amended)
→ UU PDP No.27/2022 (Personal Data Protection)
USA → Computer Fraud and Abuse Act (18 U.S.C. § 1030)
→ Electronic Communications Privacy Act
EU → GDPR (data handling), Directive on Attacks Against Information Systems
Global → ICCPR Article 17 (right to privacy)
```
---
## 6. Evidence Collection & Chain of Custody
When findings may be used in legal proceedings or incident reports:
```
# Capture with timestamp
date && screenshot
# Archive web pages with timestamp proof
https://archive.today → Submit URL → get archived link
https://web.archive.org/save/URL → Wayback Machine save
# Hash all collected evidence
sha256sum evidence_file > evidence_file.sha256
# Maintain investigation log
[TIMESTAMP] [ACTION] [SOURCE] [FINDING] [HASH]
# Never alter original evidence files
# Store in encrypted container (VeraCrypt)
# Maintain chain of custody documentation
```
---
## 7. Operational Security Checklist
### Before Starting an Investigation
```
[ ] OSINT VM is up-to-date and snapshoted
[ ] VPN is connected and verified (no leaks)
[ ] Tor Browser is latest version (if needed)
[ ] Throwaway accounts ready
[ ] AV/firewall enabled in sandbox
[ ] Investigation scope and legal boundaries are clear
[ ] Evidence folder created with encrypted container
```
### During Investigation
```
[ ] No personal accounts used
[ ] All URLs previewed before clicking (urlscan.io)
[ ] Files scanned before analysis
[ ] Screenshots taken with timestamps
[ ] Sources documented as you go
[ ] No interaction with threat actors
```
### After Investigation
```
[ ] Evidence archived and hashed
[ ] Investigation log complete
[ ] VM snapshot taken (or reverted if sensitive)
[ ] VPN disconnected after session
[ ] Report drafted with source citations
```
---
## Tips
- **Tails OS** is the gold standard for leaving zero traces — use for most sensitive work
- **Qubes OS** provides the best compartmentalization if Tails is too limiting
- **Never combine** personal and OSINT activities in the same browser session
- **Document everything** as you go — memory is unreliable, investigations can take weeks
- Follow Jieyab89's golden rule: **"Use virtual machine, fake host or docker machine"**
- When in doubt about legality — **consult a lawyer before proceeding**, not after
---
*Safety guidance informed by [OSINT Cheat Sheet — Tips & Trick Safe Guide](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89).*
*His words: "Please use it wisely."*
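Review bot: The network-namespace recipe in section 2 of this deleted file stops after `ip netns add osint-ns` and bringing up `lo`, so anything launched with `ip netns exec osint-ns` has no route out at all; the comment `# Route all OSINT tool traffic through VPN interface only` is not backed by any command that moves an interface or a veth pair into the namespace. If this guidance is moved elsewhere, either complete the recipe or label it as a sketch. Minor: `snapshoted` in the section 7 checklist should read `snapshotted`, and `date && screenshot` in section 6 invokes a `screenshot` command that is not named anywhere in the file.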
@@ -1,263 +0,0 @@
# Paste & Leak Monitoring
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Monitor paste sites, anonymous publishing services, and public leak channels
for early detection of data disclosures, credential dumps, and sensitive
information related to a target — before it spreads or is sold.
---
## 1. Paste Site Inventory
### Primary Targets for Monitoring
```
https://pastebin.com → Largest paste site
https://psbdmp.ws → Pastebin dump aggregator/search
https://cybdetective.com/pastebin.html → Multi-paste search (Jieyab89's list)
https://paste.centos.org → CentOS community paste
https://justpaste.it → Popular alternative
https://gist.github.com → GitHub Gist (code snippets)
https://friendpaste.com → Alternative paste site
https://telegra.ph → Telegram's publish platform
https://psbdmp.ws → Pastebin dump search
```
---
## 2. Search Strategies
### Google Dork Paste Search
```
# Find mentions of target on paste sites
site:pastebin.com "target.com"
site:pastebin.com "@target.com" password
site:pastebin.com "target.com" database OR dump OR leak OR breach
site:pastebin.com "target.com" username OR email OR credential
site:gist.github.com "target.com" secret OR key OR password
site:justpaste.it "target.com"
site:paste.centos.org "target.com"
site:telegra.ph "target.com" breach OR leak
# Broader search
"target.com" site:pastebin.com OR site:gist.github.com OR site:justpaste.it
```
### Intelligence X Paste Search
```
https://intelx.io/?s=target.com
# IntelX indexes many paste sites including dark web pastes
# More comprehensive than Google for paste monitoring
```
---
## 3. Automated Paste Monitoring
### Pastebin Scraping API (Requires Pastebin Pro Account)
```python
import requests, time, hashlib, json
from datetime import datetime
class PasteMonitor:
"""Monitor Pastebin scraping API for keyword matches"""
def __init__(self, keywords, scraping_key=None):
self.keywords = [k.lower() for k in keywords]
self.scraping_key = scraping_key
self.seen = set()
self.hits = []
def fetch_recent(self):
"""Get recent public pastes via scraping API"""
url = "https://scrape.pastebin.com/api_scraping.php?limit=100"
if self.scraping_key:
url += f"&scraping_key={self.scraping_key}"
try:
resp = requests.get(url, timeout=10)
return resp.json()
except:
return []
def fetch_content(self, paste_key):
"""Fetch raw content of a paste"""
url = f"https://scrape.pastebin.com/api_scrape_item.php?i={paste_key}"
try:
resp = requests.get(url, timeout=10)
return resp.text
except:
return ""
def scan(self):
"""One monitoring cycle"""
pastes = self.fetch_recent()
for paste in pastes:
key = paste.get("key")
if not key or key in self.seen:
continue
self.seen.add(key)
content = self.fetch_content(key)
content_lower = content.lower()
matched = [kw for kw in self.keywords if kw in content_lower]
if matched:
hit = {
"time": datetime.now().isoformat(),
"url": f"https://pastebin.com/{key}",
"keywords": matched,
"size": paste.get("size"),
"title": paste.get("title", ""),
"content_preview": content[:200]
}
self.hits.append(hit)
print(f"[HIT] {hit['url']} | Keywords: {matched}")
def run(self, interval=300):
"""Continuous monitoring loop"""
print(f"Monitoring for: {self.keywords}")
while True:
self.scan()
time.sleep(interval)
# Usage
monitor = PasteMonitor(keywords=["target.com", "targetcompany", "@target.com"])
monitor.run(interval=300) # Check every 5 minutes
```
---
## 4. Telegram Channel Monitoring
Many breach actors publish on Telegram before or instead of dark web forums:
```
# Search Telegram content (clearnet)
https://www.tgstat.com → Telegram channel statistics & search
https://telemetr.io → Telegram analytics
https://www.telegramchannels.me → Channel directory
# Search for relevant channels
# Keywords: "leaks", "breach", "database", "credentials", "combolist"
# Telegram web search (no account needed)
https://t.me/s/CHANNEL_NAME → View channel posts in browser
# Archive Telegram content
# Reference from Jieyab89:
https://www.bellingcat.com/resources/how-tos/2022/03/08/how-to-archive-telegram-content-to-document-russias-invasion-of-ukraine/
```
---
## 5. DDO Secrets — Document & Leak Archive
```
https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets
# Clearnet accessible archive of major leaks
# Categories: government leaks, corporate data, hacked datasets
# Contains: BlueLeaks (US law enforcement), Epik (hosting), ransomware dumps, etc.
# How to use:
# - Browse by category or search by organization name
# - Download index files to understand scope before downloading full datasets
# - All content is legally accessible via clearnet
```
---
## 6. Library of Leaks
```
https://search.libraryofleaks.org
# Searchable archive of public interest leaks
# Includes: Wikileaks, Panama Papers, Pandora Papers, FinCEN Files, etc.
https://aleph.occrp.org
# OCCRP investigative data platform
# Cross-reference leaked documents with corporate registries and court data
```
---
## 7. Early Warning Intelligence
### Signals to Watch For
```
Indicators that a breach may be incoming or just happened:
1. Threat actor posts "we are selling [company] data" in forums
→ Monitor via: ransomware.live, darkfeed.io, flare.io
2. Internal credentials appearing on paste sites
→ Monitor via: pastebin scraping + IntelX
3. Domain mentioned in stealer log markets
→ Monitor via: Hudson Rock, whiteintel.io
4. Company name appears in Telegram breach channels
→ Monitor via: tgstat.com search
5. Unusual volume of mentions in dark web search results
→ Monitor via: IntelX, Ahmia, darksearch.io
```
### Building a Keyword Watchlist
```python
# Keywords to monitor for a target organization
WATCHLIST = {
"company_names": ["Target Corp", "TargetCo", "target-corp"],
"domains": ["target.com", "targetcorp.com"],
"email_patterns": ["@target.com", "@targetcorp.com"],
"brand_names": ["TargetProduct", "TargetBrand"],
"executive_names": ["John CEO Smith", "Jane CFO Doe"], # Key executives
"internal_terms": ["internal_system_name", "product_codename"]
}
```
---
## 8. Breach Validation
Before escalating or reporting a potential breach find:
```
Step 1: Verify the data is real
- Check sample records against known public info (are names/emails plausible?)
- Check date fields — are they consistent with claimed breach date?
- Do NOT contact individuals in the dataset to verify
Step 2: Determine if already known
- Cross-check against HIBP: https://haveibeenpwned.com/PwnedWebsites
- Check databreaches.net: https://databreaches.net
- Search intelx.io for the same dataset
Step 3: Assess severity
- What data types: passwords? PII? financial? health?
- Plaintext vs hashed passwords?
- Volume of records?
- Date of the data (older = lower risk of active exploitation)
Step 4: Document and report
- Screenshot with timestamps
- Archive the paste/post URL (use archive.today)
- Preserve hash of any downloaded evidence files
- Report to affected organization's security team (responsible disclosure)
```
---
## Tips
- **Monitor daily** — paste site data disappears quickly (Pastebin auto-deletes)
- **Archive immediately** when you find something relevant — use archive.today
- **IntelX** is the most reliable for historical paste search and dark web content
- **Telegram** is now a primary distribution channel for breach data — don't ignore it
- **False positives** are common — always validate before escalating
- **GDPR/legal caution**: in some jurisdictions, downloading breach data may have legal implications — consult your legal counsel
---
*Reference: [OSINT Cheat Sheet — Data Breached OSINT, Forums & Sites sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
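Review bot: `PasteMonitor` in section 3 of this removed file uses bare `except:` in both `fetch_recent` and `fetch_content`, which swallows `KeyboardInterrupt` inside the `while True` loop in `run` and hides non-JSON error responses from the scraping API by returning `[]` or `""` as if nothing happened; catch `requests.RequestException` and `ValueError` explicitly if the class is being ported. The `seen` set also grows without bound for as long as the loop runs, and `psbdmp.ws` is listed twice in the section 1 inventory.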
@@ -1,237 +0,0 @@
# Ransomware Group Tracking
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Monitor ransomware group activity, track victim postings on leak sites,
identify which groups are active, understand their TTPs, and collect
intelligence from their public-facing infrastructure — all via clearnet.
---
## 1. Ransomware Tracking Dashboards
### ransomware.live (Primary Source)
```
https://www.ransomware.live
# Real-time tracking of ransomware group victim posts
# Covers 100+ active ransomware groups
# Shows: victim name, country, sector, date posted, group name
# Includes screenshots of leak site posts
# Features:
# - Timeline of attacks
# - Group statistics
# - Sector/country breakdown
# - Search by victim name or group
```
### ransomwatch
```
https://ransomwatch.telemetry.ltd
# Monitors ransomware leak site posts
# Structured JSON data available for programmatic use
# Open source: https://github.com/joshhighet/ransomwatch
# API / Data access
curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json
curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/groups.json
# Python
import requests
posts = requests.get("https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json").json()
for post in posts:
if "target_org" in post.get("post_title", "").lower():
print(post)
```
### Ransom DB
```
https://www.ransom-db.com
# Searchable database of ransomware incidents
# Filter by: group, country, sector, date
```
### Ransom Private Tools
```
https://ransom.privtools.eu
# Aggregated ransomware group posts
# Useful for historical research
```
### WatchGuard Ransomware Tracker
```
https://www.watchguard.com/wgrd-security-hub/ransomware-tracker
# Curated ransomware incident tracker
```
---
## 2. Ransomware Group Intelligence
### Known Active Groups (Reference)
```
# Tier 1 (Most Active / Dangerous):
LockBit, ALPHV/BlackCat, Cl0p, Play, Akira, Black Basta,
Hunters International, RansomHub, Medusa, INC Ransom
# Leak Site Monitoring via ransomware.live covers all major groups
```
### Group Profiles via MITRE ATT&CK
```
https://attack.mitre.org/groups/
# Search for specific ransomware group
# Contains: TTPs, techniques, software used, campaigns
# Examples:
https://attack.mitre.org/groups/G0032/ → Lazarus Group
https://attack.mitre.org/groups/G0034/ → Sandworm
https://attack.mitre.org/software/ → Malware used by groups
```
### Malpedia — Ransomware Encyclopedia
```
https://malpedia.caad.fkie.fraunhofer.de
# Search by ransomware family name
# Contains: technical details, YARA rules, references, actor links
# Example
https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat
```
---
## 3. Ransomware Identification
If you have a sample or ransom note:
```
https://id-ransomware.malwarehunterteam.com
# Upload: encrypted file, ransom note, or file extension
# Identifies ransomware family
https://www.nomoreransom.org/en/identification-tool.html
# Ransomware identification + decryption tools if available
# Maintained by Europol + cybersecurity vendors
```
---
## 4. Ransomware Decryption Tools
```
https://www.nomoreransom.org/en/decryption-tools.html
# Free decryptors for many ransomware families
# Organized by ransomware name
https://github.com/erasmus-dsg-university/ransomware-decryptors
# Community collection of decryptors
```
---
## 5. Programmatic Data Collection
### Fetch ransomwatch JSON Data
```python
import requests
import json
from datetime import datetime
def get_recent_ransomware_posts(days=7):
"""Get ransomware posts from the last N days"""
url = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json"
posts = requests.get(url).json()
cutoff = datetime.now().timestamp() - (days * 86400)
recent = []
for post in posts:
try:
ts = datetime.strptime(post["discovered"], "%Y-%m-%d %H:%M:%S.%f").timestamp()
if ts > cutoff:
recent.append(post)
except:
pass
return recent
def search_victim(keyword):
"""Search for a specific victim across all posts"""
url = "https://raw.githubusercontent.com/joshhijom/ransomwatch/main/posts.json"
posts = requests.get(url).json()
return [p for p in posts if keyword.lower() in p.get("post_title", "").lower()]
# Usage
recent = get_recent_ransomware_posts(days=30)
print(f"Posts in last 30 days: {len(recent)}")
victim_hits = search_victim("target company name")
for hit in victim_hits:
print(hit.get("group_name"), "|", hit.get("post_title"), "|", hit.get("discovered"))
```
### Fetch Group List from ransomware.live
```python
import requests
# Get all tracked groups
resp = requests.get("https://api.ransomware.live/v2/groups")
groups = resp.json()
for g in groups:
print(g.get("name"), "|", g.get("location"))
```
---
## 6. Cross-Reference with Threat Intelligence
After identifying a ransomware group, pivot to:
```
# CISA advisories
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# FBI flash alerts
https://www.ic3.gov/Media/News/2024
# Talos intelligence
https://www.talosintelligence.com/ransomware_roundup
# AlienVault OTX pulse for the group
https://otx.alienvault.com/browse/pulses?q=GROUPNAME
# VirusTotal collections
https://www.virustotal.com/gui/collections → search group name
```
---
## 7. Sector & Country Statistics
```
# From ransomware.live statistics
https://www.ransomware.live/charts
# Useful for:
# - Identifying most targeted sectors
# - Country-specific threat landscape
# - Time-based trend analysis
# - Executive-level reporting
```
---
## Tips
- **ransomware.live** is the single best free resource — bookmark it
- **ransomwatch JSON** is machine-readable — great for automated monitoring and alerting
- **MITRE ATT&CK** group pages have the most authoritative TTP mappings
- **Malpedia** is the best technical reference for malware family details and YARA rules
- Set up **automated alerts**: scrape ransomwatch JSON periodically and alert on new keyword matches
- **Victim names are often redacted** initially — monitor for updates where full names appear
- Cross-reference group names across **Malpedia + MITRE + VirusTotal** for complete picture
---
*Reference: [OSINT Cheat Sheet — Researching Cyber Threats & SOC/Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
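Review bot: Since this file is being removed rather than corrected, the `search_victim` helper in section 5 carried a defect worth noting in case the content is restored: its URL uses the owner `joshhijom` (`https://raw.githubusercontent.com/joshhijom/ransomwatch/main/posts.json`) while every other reference on the page uses `joshhighet`, so the request would return a 404 page and `.json()` would raise on the error body. Two smaller points in `get_recent_ransomware_posts`: the bare `except: pass` silently drops any post whose `discovered` field does not match `"%Y-%m-%d %H:%M:%S.%f"`, which makes a monitoring job fail quietly (catching `(KeyError, ValueError)` and logging the skipped post is preferable), and the cutoff is computed from `datetime.now()` (local time) while the feed timestamps are parsed as naive datetimes, so the day window drifts by the local UTC offset unless both sides use the same zone.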
@@ -1,247 +0,0 @@
# Threat Actor Profiling & Attribution
> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
## Objective
Build structured intelligence profiles on threat actors — including APT groups,
ransomware operators, hacktivists, and cybercriminals — using public sources,
CTI frameworks, and dark web intelligence feeds.
---
## 1. MITRE ATT&CK Framework
The gold standard for mapping threat actor behavior:
```
https://attack.mitre.org/groups/ → All documented threat groups
https://attack.mitre.org/techniques/ → Full technique catalog
https://attack.mitre.org/software/ → Malware & tools per group
https://attack.mitre.org/campaigns/ → Campaign-level attribution
# Useful group pages
https://attack.mitre.org/groups/G0032/ → Lazarus Group (DPRK)
https://attack.mitre.org/groups/G0034/ → Sandworm (Russia)
https://attack.mitre.org/groups/G0007/ → APT28 / Fancy Bear
https://attack.mitre.org/groups/G0016/ → APT41 (China)
```
### ATT&CK Navigator — Visualize Group TTPs
```
https://mitre-attack.github.io/attack-navigator/
# Load a group's technique layer to visualize which TTPs they use
# Useful for: detection gap analysis, hunting hypothesis generation
```
---
## 2. APT Group Databases
### Google APT Search CSE
```
# From Jieyab89's SOC & Threat Hunting list
https://cse.google.com/cse?cx=003248445720253387346:turlh5vi4xc
# Search across multiple APT reporting sources simultaneously
```
### APT Group Spreadsheet
```
# From Jieyab89's list
https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml
# Comprehensive APT group list with:
# - Group names and aliases
# - Nation-state attribution
# - Target sectors
# - Active years
```
### Malpedia — Actor Profiles
```
https://malpedia.caad.fkie.fraunhofer.de/actors
# Threat actor profiles linked to malware families
# Each actor page contains:
# - Aliases (different vendor names for same group)
# - Associated malware families
# - References to reporting
# - Country attribution
```
---
## 3. Threat Intelligence Platforms
### AlienVault OTX (Free, Community-Driven)
```
https://otx.alienvault.com
# Search by actor/group name
https://otx.alienvault.com/browse/pulses?q=APT28
# Get pulses for a domain/IP/hash
https://otx.alienvault.com/indicator/domain/target.com
https://otx.alienvault.com/indicator/ip/1.2.3.4
https://otx.alienvault.com/indicator/file/HASH
# API
curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/general" \
-H "X-OTX-API-KEY: YOUR_KEY"
```
### Talos Intelligence (Cisco)
```
https://www.talosintelligence.com
https://www.talosintelligence.com/reputation_center
# Actor-specific reporting
https://blog.talosintelligence.com/?q=APT → Search for APT blog posts
```
### Recorded Future (Commercial)
```
https://www.recordedfuture.com/vulnerability-database
# Free tier: some intelligence available without subscription
```
### Mandiant / Google TI
```
https://www.mandiant.com/advantage/threat-intelligence
https://cloud.google.com/security/products/threat-intelligence
# Free access to some reports and IOCs
# APT naming convention: APT1, APT28, etc.
```
### Falcon Feeds
```
# From Jieyab89's list
https://falconfeeds.io
# Dark web threat intelligence feeds
# Actor profiles and IOC collections
```
---
## 4. Building an Actor Profile
### Profile Template
```markdown
## Threat Actor Profile
**Name**: [Primary name]
**Aliases**: [Vendor-specific names — different vendors name same group differently]
**Attribution**: [Suspected nation-state or criminal group]
**Active Since**: [Year]
**Motivation**: [Financial / Espionage / Hacktivism / Disruption]
### Targeting
- **Sectors**: [Finance, Healthcare, Government, etc.]
- **Regions**: [Geographic focus]
- **Typical Victims**: [Organization types]
### TTPs (MITRE ATT&CK)
- Initial Access: [T1566 Phishing / T1190 Exploit Public-Facing Application]
- Execution: [T1059 Command and Scripting Interpreter]
- Persistence: [T1053 Scheduled Task/Job]
- C2: [T1071 Application Layer Protocol]
- Exfiltration: [T1041 Exfiltration Over C2 Channel]
### Malware & Tools
- [Malware family 1] — [description, Malpedia link]
- [Malware family 2]
- [Custom tooling]
### Infrastructure
- [Known C2 domains/IPs]
- [Hosting patterns]
- [Certificate patterns]
### Dark Web Presence
- [Forum aliases if known]
- [Ransomware leak site if applicable]
- [Communication channels]
### Key Reports
- [Vendor report 1 — link]
- [Vendor report 2 — link]
### IOCs
- Domains: []
- IPs: []
- Hashes: []
- YARA: []
```
---
## 5. Alias Resolution — Same Actor, Different Names
Vendors name the same group differently. Always cross-reference:
```
# APT28 aka:
# Fancy Bear (CrowdStrike), Sofacy (Kaspersky), Pawn Storm (Trend Micro),
# STRONTIUM (Microsoft), BlueDelta (Recorded Future), TA422 (Proofpoint)
# Lookup tool — resolve aliases
https://apt.etda.or.th/cgi-bin/listgroups.cgi → ETDA APT alias resolver
https://malpedia.caad.fkie.fraunhofer.de/actors → Malpedia with aliases
```
---
## 6. Dark Web Forum Actor Tracking
Track threat actor aliases across underground forums (clearnet intelligence):
```
# Search actor alias on clearnet
site:github.com "actor_alias"
site:pastebin.com "actor_alias"
"actor_alias" site:twitter.com OR site:x.com
# Threat intelligence reports mentioning the alias
"actor_alias" filetype:pdf site:mandiant.com
"actor_alias" filetype:pdf site:crowdstrike.com
"actor_alias" site:securelist.com
# Searchable CTI sources
https://otx.alienvault.com/browse/pulses?q=actor_alias
https://www.talosintelligence.com/ → Blog search
https://www.group-ib.com/resources/ → Group-IB reports
```
---
## 7. CTI Report Aggregators
```
https://www.cisa.gov/news-events/cybersecurity-advisories → CISA advisories
https://www.ic3.gov/Media/News → FBI alerts
https://www.ncsc.gov.uk/section/reports-advisories/ → UK NCSC
https://www.cyber.gov.au/about-us/advisories → Australian ASD
https://seclists.org/fulldisclosure/ → Full disclosure list
# Community feeds
https://otx.alienvault.com → OTX Pulses
https://www.virustotal.com/gui/collections → VT collections
https://yaraify.abuse.ch/yarahub/ → YARA rules from community
# Indonesian context
https://bssn.go.id → BSSN (ID national cyber agency)
https://www.idsirtii.or.id → ID-SIRTII national CSIRT
```
---
## Tips
- **Malpedia** is the best single source for actor ↔ malware ↔ alias mapping
- **MITRE ATT&CK** is authoritative for TTP mapping — always map to it for consistency
- **APT alias confusion** is common — always check multiple vendor names before concluding
- **OTX Pulses** are often the fastest community source for newly emerging actor intelligence
- **ETDA APT list** is excellent for quickly resolving vendor naming differences
- **Attribution** should always include a confidence level — it's rarely 100% certain
---
*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting & Researching Cyber Threats sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)*
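Review bot: The profile template in section 4 has no field for attribution confidence, yet the Tips section states that "Attribution should always include a confidence level"; if this file is restored, add a `**Confidence**: [Low / Medium / High, with reasoning]` line beside `**Attribution**` so the template enforces its own guidance. Also, the Recorded Future entry in section 3 links to the vulnerability database rather than an actor or threat intelligence page, which does not match the section heading "Threat Intelligence Platforms".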
+3 -11
@@ -1,13 +1,5 @@
# Usage
# NOTES
You can use claude desktop or claude cli, but in this case i use claude cli. Import the skills on this path
On maintence, Jieyab under review for better result and do something research. I will update soon
```
/home/<username>/.claude/skills/Darkweb-Intel
```
Then in claude run /skills or u can call the skills path for claude
# Read the Claude Doc
https://code.claude.com/docs/en/skills
Thank u
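Review bot: The maintenance notice ("On maintence, Jieyab under review for better result...") is placed between the instruction "Import the skills on this path" and the fenced path it refers to, so the install steps no longer read continuously; move the notice under its own heading (or above `# NOTES`) and keep the path directly after the sentence that introduces it. Spelling and style while the file is being touched: "maintence" should be "maintenance", "i" should be "I", and "u" should be "you" in both "u can call the skills path" and "Thank u". Given the skill files deleted in the hunks above, the notes should also say which skills remain under `/home/<username>/.claude/skills/Darkweb-Intel` so that `/skills` output matches what readers expect.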
+1
@@ -1764,6 +1764,7 @@ If you has found the person phone number you can check at data breach, e wallet,
- [usersearch](https://usersearch.com/)
- [blackbird (mostly Indonesia)](https://blackbird.mom/)
- [user-scanner](https://github.com/kaifcodec/user-scanner/releases/tag/v1.1.0)
- [maigret 2 made by Rust](https://github.com/krishpranav/maigret/blob/master/data.json)
# Social Networks
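Review bot: The new `maigret 2 made by Rust` entry (the single addition in this hunk, judging from the `+1` stat) links to `https://github.com/krishpranav/maigret/blob/master/data.json`, a data file inside the repository, rather than to the project itself; link to the repository root so readers land on the README and install instructions. The label also needs rewording ("written in Rust" rather than "made by Rust") and should make clear whether this is a separate project from the maigret tool already known in the OSINT community, since listing it as "maigret 2" implies a successor version.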