diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md deleted file mode 100644 index fcd5a1b..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md +++ /dev/null 
@@ -1,229 +0,0 @@ ---- -name: osint-darkweb-intel -description: > - Comprehensive guide for Dark Web OSINT Intelligence — monitoring threat actor activity, - ransomware group tracking, leak site enumeration, IOC collection from dark web sources, - breach data discovery, paste site monitoring, CTI (Cyber Threat Intelligence) from - underground forums, cryptocurrency transaction tracing, and dark web search techniques. - All methods are PASSIVE and use publicly accessible intelligence feeds, clearnet proxies, - and monitoring services — no illegal access required. Use this skill WHENEVER the user - asks about dark web monitoring, threat intel, ransomware tracking, underground forum - intelligence, dark web OSINT, CTI from dark sources, leak site monitoring, stealer - log analysis, threat actor profiling, or any investigation involving dark web content. ---- - -# OSINT Dark Web Intelligence Skill - -> **Credits**: Tool references and methodology sourced from the -> [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by -> **[Jieyab89](https://github.com/Jieyab89)** — a comprehensive, community-driven -> OSINT resource covering tools, datasets, techniques, and tips for security -> researchers, journalists, investigators, and CTF players. All credit for the -> tool collection goes to him. Please use responsibly and wisely. - -This skill covers **passive** dark web intelligence gathering — all techniques -access dark web content through clearnet proxies, monitoring services, aggregators, -and indexed feeds. **No Tor browser required for most techniques.** - -> ⚠️ **Ethics & Legal Notice** -> - Use ONLY for legitimate purposes: threat intelligence, authorized research, -> investigative journalism, incident response, CTF, and law enforcement support -> - Do NOT join, register, purchase, or interact with criminal forums/markets -> - Do NOT facilitate, assist, or enable any illegal activity -> - Comply with local law: Indonesia UU ITE, US CFAA 18 U.S.C. 
§ 1030, EU GDPR -> - Use a sandbox VM + VPN for any active browsing; never from your real identity -> - Following Jieyab89's tip: use fake accounts, sandbox machines, enable AV/firewall - ---- - -## INTELLIGENCE MODULES — Read Reference Files as Needed - -| Module | Reference File | When to Use | -|--------|---------------|-------------| -| Dark Web Search & Indexing | `references/darkweb-search.md` | Search dark web content from clearnet | -| Ransomware Group Tracking | `references/ransomware-tracking.md` | Monitor ransomware gangs, victim lists | -| Breach & Leak Intelligence | `references/breach-leak-intel.md` | Breach forums, stealer logs, dump sites | -| Threat Actor Profiling | `references/threat-actor-profiling.md` | APT groups, TTPs, attribution | -| Cryptocurrency Tracing | `references/crypto-tracing.md` | Trace crypto payments, wallet clustering | -| Malware & IOC Intelligence | `references/malware-ioc-intel.md` | Malware samples, C2, IOC feeds | -| CTI Feeds & Platforms | `references/cti-feeds-platforms.md` | Threat intel feeds, MISP, OTX, etc. | -| Paste & Leak Monitoring | `references/paste-leak-monitoring.md` | Monitor paste sites and public leaks | -| OPSEC for Dark Web OSINT | `references/opsec-darkweb.md` | Safe investigation procedures | - ---- - -## INVESTIGATION WORKFLOW - -### Phase 1 — Define Intelligence Requirement - -Before starting, clarify: -1. **Target**: Threat actor? Ransomware group? Specific breach? Organization exposure? -2. **Type**: Passive monitoring? Historical research? Incident response? -3. **Timeframe**: Recent (last 30 days)? Historical? Ongoing? -4. **Output**: IOC list? Threat report? Executive summary? Timeline? - -### Phase 2 — Clearnet First (Safe, No Tor Needed) - -``` -Start with public intelligence aggregators: - -1. Search dark web indexes (Ahmia, DarkSearch via clearnet) -2. Check ransomware tracking dashboards -3. Query breach/leak intelligence platforms -4. Pull IOC feeds from threat intel services -5. 
Check paste site aggregators -6. Query cryptocurrency explorer (if financial traces needed) -7. Cross-reference APT group databases -``` - -### Phase 3 — Specialized Intelligence Platforms - -``` -8. Stealthmole / Flare / Recorded Future (commercial dark web monitoring) -9. Hudson Rock (stealer log intelligence) -10. IntelX (dark web indexed content) -11. DeepDark CTI feeds -12. Ransomware.live / ransomwatch (gang tracking) -``` - -### Phase 4 — Structured Report - -``` -INTELLIGENCE REPORT -=================== -Date : [date] -Target / Actor : [name / group] -Confidence : [Low / Medium / High] - -[EXECUTIVE SUMMARY] - -[ACTOR PROFILE] - - Known aliases - - Affiliated groups - - TTPs (MITRE ATT&CK) - - Active since - -[TECHNICAL INDICATORS] - - IOCs (IPs, domains, hashes, URLs) - - Malware families - - Infrastructure - -[DARK WEB PRESENCE] - - Forums mentioned - - Leak sites - - Victim claims - -[CRYPTOCURRENCY] - - Wallet addresses - - Transaction patterns - -[TIMELINE OF ACTIVITY] - -[SOURCES] - -[RECOMMENDED ACTIONS] -``` - ---- - -## QUICK REFERENCE — Clearnet Dark Web Intelligence - -### Dark Web Search (No Tor Required) -``` -https://ahmia.fi → Tor hidden service search engine -https://darksearch.io → Dark web search engine (clearnet) -https://www.osintframework.com → OSINT framework with dark web section -https://osint.rocks → Multi-source OSINT including dark sources -``` - -### Ransomware Tracking -``` -https://www.ransomware.live → Live ransomware victim tracker -https://ransomwatch.telemetry.ltd → Ransomwatch group monitoring -https://www.ransom-db.com → Ransomware database -https://ransom.privtools.eu → Ransomware posts aggregator -https://id-ransomware.malwarehunterteam.com → Ransomware identification -https://www.nomoreransom.org → Decryption tools -https://watchguard.com/wgrd-security-hub/ransomware-tracker → Watchguard tracker -``` - -### Breach & Leak Intelligence -``` -https://intelx.io → Intelligence X (dark web indexed) 
-https://breachdirectory.org → Breach directory -https://search.0t.rocks → Open breach database -https://leakix.net → Exposed service & leak intelligence -https://www.hudsonrock.com/threat-intelligence-cybercrime-tools → Stealer intel -https://whiteintel.io → Stealer log intelligence -https://breach.house → Stealer/breach aggregator -``` - -### CTI Platforms -``` -https://otx.alienvault.com → AlienVault OTX (free, community) -https://www.talosintelligence.com → Cisco Talos -https://pulsedive.com → Pulsedive CTI -https://www.threatminer.org → ThreatMiner -https://threatfox.abuse.ch → ThreatFox IOC database -https://www.virustotal.com → VirusTotal intelligence -https://malpedia.caad.fkie.fraunhofer.de → Malware encyclopedia -https://attack.mitre.org → MITRE ATT&CK framework -``` - -### Malware & IOC Feeds -``` -https://bazaar.abuse.ch/browse → MalwareBazaar samples -https://urlhaus.abuse.ch → Malicious URL feed -https://threatfox.abuse.ch → IOC feed -https://vx-underground.org → Malware sample archive -https://malpedia.caad.fkie.fraunhofer.de → Malware families -https://www.malware-traffic-analysis.net → PCAP & malware traffic analysis -``` - -### Crypto Tracing -``` -https://www.blockchain.com/explorer → Bitcoin explorer -https://etherscan.io → Ethereum explorer -https://www.arkham.io → Crypto intelligence (Jieyab89's tip) -https://explorer.btc.com → BTC explorer -https://tronscan.org → TRON explorer -https://breadcrumbs.app → Crypto wallet graph -``` - ---- - -## OPSEC QUICK CHECKLIST - -- [ ] Use isolated sandbox VM (not your main machine) -- [ ] Route through VPN before any browsing -- [ ] Use Tor Browser for any .onion access (separate from daily browser) -- [ ] Use fake/throwaway accounts — never your real identity -- [ ] Enable antivirus + firewall on sandbox -- [ ] Do not download files from dark web to your host machine -- [ ] Do not screenshot content that could identify you -- [ ] Never interact with, purchase from, or register on criminal forums -- [ ] 
Keep notes in encrypted container (VeraCrypt recommended) -- [ ] Disconnect VM from network when not actively investigating - ---- - -## REFERENCE FILES - -Load relevant reference based on investigation type: - -- `references/darkweb-search.md` → Search & indexing techniques -- `references/ransomware-tracking.md` → Ransomware group intelligence -- `references/breach-leak-intel.md` → Breach & stealer log analysis -- `references/threat-actor-profiling.md` → APT/actor attribution & TTPs -- `references/crypto-tracing.md` → Cryptocurrency transaction analysis -- `references/malware-ioc-intel.md` → Malware samples & IOC collection -- `references/cti-feeds-platforms.md` → CTI platforms & feed integration -- `references/paste-leak-monitoring.md` → Paste & public leak monitoring -- `references/opsec-darkweb.md` → Full OPSEC procedures - ---- - -*Tool list and methodology sourced from the -[OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) -by [Jieyab89](https://github.com/Jieyab89). -Use responsibly, ethically, and legally.* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md deleted file mode 100644 index c261dff..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/breach-leak-intel.md +++ /dev/null 
@@ -1,276 +0,0 @@ -# Breach & Leak Intelligence - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Identify, analyze, and monitor data breaches and leaks related to a target — -including credential dumps, database leaks, stealer logs, and sensitive document -disclosures originating from dark web sources. All via clearnet services. - ---- - -## 1. Breach Search Platforms - -### HaveIBeenPwned (HIBP) -``` -https://haveibeenpwned.com → Single email check -https://haveibeenpwned.com/DomainSearch → All emails at a domain (verify ownership) - -# API -curl -s "https://haveibeenpwned.com/api/v3/breachedaccount/user@target.com" \ - -H "hibp-api-key: YOUR_KEY" \ - -H "User-Agent: investigator-tool" | python3 -m json.tool - -# List all known breaches -curl -s "https://haveibeenpwned.com/api/v3/breaches" | \ - python3 -c "import sys,json; [print(b['Name'],'|',b['BreachDate'],'|',b['PwnCount']) for b in json.load(sys.stdin)]" -``` - -### Intelligence X -``` -https://intelx.io/?s=target.com -https://intelx.io/?s=email@target.com -https://intelx.io/?s=TARGET_IP - -# Indexes: Tor, I2P, paste sites, public leaks, documents, dark web forums -# Historical search — finds content from years back -# API (paid plan for full access) -curl -X POST "https://2.intelx.io/intelligent/search" \ - -H "x-key: YOUR_API_KEY" \ - -H "Content-Type: application/json" \ - -d '{"term":"target.com","maxresults":10,"media":0,"target":0,"timeout":10}' -``` - -### Breach Directory -``` -https://breachdirectory.org -https://search.0t.rocks -https://osintleak.com -https://leakcheck.io → Free tier available -https://snusbase.com → Paid -https://dehashed.com → Paid, limited free -https://leakpeek.com -https://9ghz.com -https://weleakinfo.io -https://leakradar.io -https://exposed.lol -https://bf.based.re → BF database search -https://osintleak.com -``` - ---- - -## 2. 
Stealer Log Intelligence - -Malware stealers (RedLine, Raccoon, Vidar, etc.) exfiltrate browser credentials, -cookies, crypto wallets. Their dumps appear on dark web markets and Telegram channels. - -### Clearnet Monitoring Services -``` -https://www.hudsonrock.com/threat-intelligence-cybercrime-tools -# Free search: enter domain to see if employee credentials were stolen -# by info-stealers and circulating in criminal markets - -https://whiteintel.io -# Stealer log intelligence platform -# Check if domain credentials appear in stealer data - -https://breach.house/all_stealers -# Aggregated stealer data viewer - -https://www.infostealers.com -# Infostealer intelligence and research -``` - -### Hudson Rock — Free Domain Check -```python -import requests - -domain = "target.com" -url = f"https://cavalier.hudsonrock.com/api/json/v2/osint-tools/search-by-domain?domain={domain}" -headers = {"User-Agent": "osint-research/1.0"} -resp = requests.get(url, headers=headers) -data = resp.json() - -print(f"Employees in stealer logs: {data.get('total_employees', 0)}") -print(f"Users in stealer logs: {data.get('total_users', 0)}") -``` - ---- - -## 3. 
Paste Site Monitoring - -Breached data often first appears on paste sites before being sold: - -``` -# Search -https://pastebin.com/search?q=target.com -https://psbdmp.ws → Pastebin dump search -https://cybdetective.com/pastebin.html → Multi-paste aggregator - -# Google dorks for paste sites -site:pastebin.com "target.com" -site:pastebin.com "@target.com" password OR credentials OR dump -site:pastebin.com "target.com" database -site:gist.github.com "target.com" password -site:paste.centos.org "target.com" -site:justpaste.it "target.com" - -# Telegra.ph (Telegram's paste service) -site:telegra.ph "target.com" -``` - -### Automated Paste Monitoring -```python -import requests, time - -def monitor_pastebin(keyword, interval=300): - """Poll Pastebin scraping API for keyword matches""" - seen = set() - while True: - try: - # Pastebin scraping API (requires Pastebin Pro) - r = requests.get("https://scrape.pastebin.com/api_scraping.php?limit=100") - pastes = r.json() - for paste in pastes: - pid = paste["key"] - if pid in seen: - continue - seen.add(pid) - content = requests.get(f"https://scrape.pastebin.com/api_scrape_item.php?i={pid}").text - if keyword.lower() in content.lower(): - print(f"[MATCH] https://pastebin.com/{pid}") - except Exception as e: - print(f"Error: {e}") - time.sleep(interval) -``` - ---- - -## 4. 
Dark Web Breach Forum Intelligence (Clearnet Monitoring) - -Monitor without directly accessing forums: - -``` -# DDO Secrets — public leak publishing -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Contains government, corporate, and organizational leaks -# Accessible via clearnet - -# Breach House -https://breach.house -# Aggregates publicly known breach data - -# LeakIX — exposed services that may lead to breaches -https://leakix.net -# Indexes exposed databases, services, and leaked data - -# Commercial dark web monitoring (passive intelligence) -https://www.stealthmole.com → Dark web tracker -https://flare.io → Dark web monitoring platform -https://cyble.com → Cyble threat intelligence -https://cybersixgill.com → Deep/dark web intelligence -https://darktrace.com → AI-powered dark web monitoring -https://darkradar.io → Dark radar -``` - ---- - -## 5. Database Leak Analysis - -When a leak dataset is available for analysis: - -```python -import gzip, json - -def analyze_leak(filepath, search_term): - """Search a leak file for specific term""" - opener = gzip.open if filepath.endswith('.gz') else open - mode = 'rt' if filepath.endswith('.gz') else 'r' - - matches = [] - with opener(filepath, mode, encoding='utf-8', errors='ignore') as f: - for i, line in enumerate(f): - if search_term.lower() in line.lower(): - matches.append({"line": i, "content": line.strip()}) - return matches - -# Example usage -results = analyze_leak("breach_dump.txt", "target.com") -for r in results[:10]: - print(r) -``` - -### Common Leak File Formats -``` -Format 1 — email:password - user@domain.com:Password123 - -Format 2 — email:hash - user@domain.com:5f4dcc3b5aa765d61d8327deb882cf99 - -Format 3 — JSON structured - {"email":"user@domain.com","password":"...","name":"..."} - -Format 4 — SQL dump - INSERT INTO users VALUES (1,'user@domain.com','hash','name'); -``` - ---- - -## 6. 
COMB & Large Dataset Search - -``` -https://proxynova.com/tools/comb/ -# Search in "Collection of Many Breaches" — 3.2B+ records -# Free search by email or domain - -https://www.proxynova.com/tools/comb/ -# Alternative mirror -``` - ---- - -## 7. Library of Leaks - -``` -https://search.libraryofleaks.org -# Searchable archive of public leaks -# Includes: Wikileaks, Panama Papers, Pandora Papers, etc. - -https://aleph.occrp.org -# OCCRP's investigative data platform -# Leaked documents, corporate records, court data -# Used by professional investigative journalists -``` - ---- - -## Analyzing a Breach Report - -When you find a breach record, extract: - -``` -1. Breach date → When did it occur vs. when discovered? -2. Data types exposed → Passwords? PII? Financial? Health? -3. Number of records → Scale of exposure -4. Source → Which company/service was breached? -5. Format → Plaintext passwords = high risk -6. Validation → Cross-check against HIBP for confirmation -7. Related breaches → Same actor? Same infrastructure? -``` - ---- - -## Tips - -- **Hudson Rock free tool** is one of the most powerful for corporate exposure assessment -- **IntelX** has the deepest dark web index — essential for any serious investigation -- **DDO Secrets** is the best clearnet source for large-scale organizational leaks -- **HIBP Domain Search** requires ownership verification — useful for incident responders -- Always **validate** breach data before reporting — not all claimed breaches are real -- **Stealer logs** are more dangerous than traditional breaches — they include live session cookies - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT section](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md deleted file mode 100644 index cf514a4..0000000 
--- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/crypto-tracing.md +++ /dev/null 
@@ -1,249 +0,0 @@ -# Cryptocurrency Transaction Tracing - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Trace cryptocurrency payments associated with ransomware, dark web markets, -extortion, and other illicit activity — using public blockchain explorers, -graph analysis tools, and exchange intelligence. - -> **Note**: All tools listed here use publicly available blockchain data. -> Blockchain transactions are fully public — tracing is legal OSINT. -> Do not attempt to seize, redirect, or interfere with any funds. - ---- - -## 1. Blockchain Explorers (Per Chain) - -### Bitcoin (BTC) -``` -https://www.blockchain.com/explorer → General purpose BTC explorer -https://explorer.btc.com → BTC explorer -https://mempool.space → Mempool + UTXO explorer (very detailed) -https://blockchair.com/bitcoin → Multi-chain explorer with analytics -https://btcscan.org → Clean BTC scanner - -# Search by: wallet address, TXID, block number -``` - -### Ethereum (ETH) & ERC-20 -``` -https://etherscan.io → Standard ETH explorer -https://etherscam.com → Known scam addresses -https://blocksec.com → Blockchain security analytics -``` - -### Monero (XMR) — Privacy Coin (Limited Tracing) -``` -https://xmrchain.net → Monero explorer (limited, privacy-focused) -# Note: Monero is designed for privacy — tracing is very limited -# Ring signatures and stealth addresses obscure sender/receiver -``` - -### USDT / Tron (TRC-20) -``` -https://tronscan.org → TRON/USDT TRC-20 explorer -# Popular in ransomware payments and dark web markets -``` - -### Other Chains -``` -https://blockchair.com → Multi-chain: BTC, ETH, BCH, LTC, etc. -https://www.coingecko.com → Market data + contract addresses -``` - ---- - -## 2. 
Crypto Intelligence Platforms - -### Arkham Intelligence -``` -# From Jieyab89's OSINT Cheat Sheet tips -https://platform.arkhamintelligence.com - -# Features: -# - Wallet entity labeling (exchange, mixer, ransomware group, etc.) -# - Transaction graph visualization -# - Portfolio tracking -# - On-chain intelligence with AI entity identification -# - Links wallets to known entities (Binance, Coinbase, dark web markets) -``` - -### Breadcrumbs -``` -https://breadcrumbs.app -# Free crypto investigation tool -# Visual graph: trace funds through multiple hops -# Label known entities (exchanges, mixing services) -# Export graph for reports - -# How to use: -# 1. Input wallet address -# 2. Click "Investigate" -# 3. Expand transaction nodes -# 4. Look for connections to labeled entities (exchanges = on/off ramps) -``` - -### Crystal Blockchain (Commercial) -``` -https://crystalblockchain.com -# Professional-grade crypto tracing -# Used by law enforcement and compliance teams -# Risk scoring for wallet addresses -``` - -### Chainalysis (Commercial, Free Tools Available) -``` -https://www.chainalysis.com -# Industry standard for crypto compliance and investigations -# Free tool: https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/ -``` - ---- - -## 3. 
Ransomware Wallet Tracking - -Known ransomware wallets are often publicly documented: - -``` -# Ransomwhere — ransomware payment tracker -https://ransomwhe.re -https://ransomwhe.re/browse → Browse reported ransomware payments - -# From Jieyab89's Dataset list: -# "Browse ransomware data" → https://ransomwhe.re/#report - -# Features: -# - Known ransomware payment addresses -# - Total amounts paid per group -# - Timeline of payments -# - Submit newly discovered wallets -``` - -### Searching Ransomware Wallets -```python -import requests - -def check_ransomwhere(address): - """Check if a Bitcoin address appears in ransomwhere.re""" - url = f"https://api.ransomwhe.re/export" - resp = requests.get(url) - data = resp.json() - for entry in data.get("result", []): - if address in entry.get("address", ""): - return entry - return None - -# Usage -result = check_ransomwhere("1BitcoinAddressHere") -if result: - print(f"Ransomware family: {result.get('family')}") - print(f"Total received: {result.get('balance')} BTC") -``` - ---- - -## 4. Blockchain Analytics Techniques - -### Address Clustering -Multiple addresses controlled by same entity are often linked through: -- Common-input ownership (UTXO model) -- Change address patterns -- Timing correlation -- Dust attacks - -``` -# Blockchair supports basic clustering -https://blockchair.com/bitcoin/address/ADDRESS#cluster - -# OXT — Bitcoin UTXO analytics -https://oxt.me/address/BITCOIN_ADDRESS -# Shows: cluster, related addresses, entity if known -``` - -### Following the Money (Step-by-Step) -``` -1. Get starting address (from ransom note, report, payment screenshot) -2. Open in mempool.space or blockchain.com -3. Trace outgoing transactions -4. Look for consolidation points (many inputs → one output = aggregation wallet) -5. Check if final destination is a labeled exchange -6. Large exchange deposit → potential KYC record exists -7. Check Arkham/Breadcrumbs for entity labels -8. 
Cross-reference with known ransomware wallet databases -``` - -### Mixer / Tumbler Detection -``` -Indicators of mixing services: -- Many equal-value outputs (e.g., 10x 0.1 BTC) -- Coinjoin transactions (many inputs, many outputs, equal amounts) -- Wasabi Wallet patterns -- Known mixer addresses: - -# Sanction screening (OFAC SDN list) -https://sanctionssearch.ofac.treas.gov -# Check if wallet is under US Treasury sanctions (many ransomware wallets are) - -# Chainalysis free screening -https://www.chainalysis.com/free-cryptocurrency-sanctions-screening-tools/ -``` - ---- - -## 5. OFAC Sanctioned Crypto Addresses - -Many ransomware operators have sanctioned wallets: - -``` -https://sanctionssearch.ofac.treas.gov -# US Treasury Office of Foreign Assets Control -# Search: individual name, entity name, or cryptocurrency address - -# Also check: -https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions -# Latest sanction actions — often includes crypto wallet addresses - -# Blockchain analytics APIs that include OFAC checks: -https://www.chainalysis.com -https://crystalblockchain.com -``` - ---- - -## 6. 
Exchange Intelligence - -When funds reach an exchange, there may be a KYC record: - -``` -# Identify exchange from address -https://www.blockchain.com/explorer → Tagged addresses -https://blockchair.com → Entity labels -https://arkhamintelligence.com → Exchange identification - -# Known exchange deposit address patterns: -# - Binance: cluster of many deposit addresses pointing to hot wallet -# - Coinbase: tagged in blockchain.com -# - Kraken: similar clustering patterns - -# If you identify an exchange: -# → Law enforcement can subpoena KYC records -# → Document the evidence trail before reporting -``` - ---- - -## Tips - -- **Breadcrumbs** is the best free visual tool for quick crypto tracing -- **Arkham** is most powerful for entity identification — often labels wallets automatically -- **Mempool.space** gives the deepest BTC UTXO analysis for free -- **Ransomwhe.re** is the definitive database of known ransomware payment addresses -- **Always document** wallet addresses, transaction IDs, and block heights for evidence -- **Monero** tracing is severely limited by design — pivot to any BTC payments instead -- **OFAC sanctions list** is essential for identifying if a wallet is already flagged by US Treasury -- Blockchain analysis is a specialized field — for serious investigations, use **Chainalysis** or **Crystal** - ---- - -*Reference: [OSINT Cheat Sheet — tips on crypto tracking & Collection Dataset sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md deleted file mode 100644 index 15a5476..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/cti-feeds-platforms.md +++ /dev/null 
@@ -1,319 +0,0 @@ -# CTI Feeds & Platforms - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Integrate structured threat intelligence feeds and platforms into an investigation -or detection workflow — covering open-source, community, and commercial CTI sources. - ---- - -## 1. Open-Source CTI Platforms - -### MISP — Malware Information Sharing Platform -``` -https://www.misp-project.org -# Industry-standard open-source CTI sharing platform -# Self-hosted: share IOCs within a trusted community or organization -# Integrates with: Splunk, TheHive, Cortex, QRadar, etc. - -# Public MISP instances (read access) -https://www.circl.lu/doc/misp/ → CIRCL MISP (Luxembourg CSIRT) - -# MISP feed consumption -# Most major feeds (OTX, abuse.ch, etc.) have MISP format exports -``` - -### OpenCTI -``` -# From Jieyab89's list -https://github.com/OpenCTI-Platform/opencti -# Open-source CTI platform — store, analyze, and share intelligence -# Knowledge graph: actor → campaign → malware → IOC → victim -# Integrates with MISP, STIX/TAXII, TheHive -# Self-host via Docker: docker-compose up -d (demo.opencti.io no longer reliable) -``` - -### IntelOwl -``` -# From Jieyab89's list -https://github.com/intelowlproject/IntelOwl/ -# Aggregates results from 50+ analyzers (VT, OTX, Shodan, etc.) -# Single API call → enriched IOC from all sources simultaneously -# Self-hosted, free, open-source -``` - ---- - -## 2. Community Intelligence Feeds - -### AlienVault OTX -``` -https://otx.alienvault.com -# Free, community-driven threat intelligence -# "Pulses" = collections of IOCs around a specific threat - -# Subscribe to relevant pulses -# Follow actors: APT28, LockBit, Emotet, etc. 
- -# DirectConnect API -curl "https://otx.alienvault.com/api/v1/pulses/subscribed" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -# Pull IOCs from a pulse -curl "https://otx.alienvault.com/api/v1/pulses/PULSE_ID/indicators" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -# Python SDK -pip install OTXv2 -from OTXv2 import OTXv2 -otx = OTXv2("YOUR_API_KEY") -pulse = otx.get_pulse_details("PULSE_ID") -indicators = otx.get_pulse_indicator_details("PULSE_ID") -``` - -### Pulsedive -``` -# From Jieyab89's list -https://pulsedive.com/dashboard/ -# Free tier available -# IOC enrichment, threat feeds, risk scoring - -# API -curl "https://pulsedive.com/api/?indicator=suspicious.com&key=YOUR_KEY" -``` - -### ThreatMiner -``` -# From Jieyab89's list -https://www.threatminer.org -# Passive threat intelligence — no API key needed for basic use - -# Lookups: -https://www.threatminer.org/domain.php?q=suspicious.com -https://www.threatminer.org/ip.php?q=1.2.3.4 -https://www.threatminer.org/sample.php?q=SHA256_HASH -``` - ---- - -## 3. Commercial CTI Platforms (Free Tiers Available) - -### Recorded Future -``` -https://www.recordedfuture.com/vulnerability-database -# Free risk score lookup for IPs, domains, CVEs - -# Risk API (limited free access) -curl "https://api.recordedfuture.com/v2/ip/1.2.3.4" \ - -H "X-RFToken: YOUR_TOKEN" -``` - -### Flare -``` -# From Jieyab89's list -https://flare.io -# Dark web monitoring + CTI platform -# Monitors: paste sites, dark web forums, leak sites, Telegram -``` - -### Stealthmole -``` -# From Jieyab89's list -https://www.stealthmole.com -# Dark web tracker with CTI focus -``` - -### Cybersixgill -``` -# From Jieyab89's list -https://cybersixgill.com -# Deep and dark web intelligence -# Real-time monitoring of underground forums -``` - -### Darkfeed -``` -# From Jieyab89's list -https://darkfeed.io -# Dark web IOC feed -``` - -### Falcon Feeds -``` -# From Jieyab89's list -https://falconfeeds.io -# Threat intelligence from dark web sources -``` - ---- - -## 4. 
STIX/TAXII — Structured Intelligence Sharing - -Standard format for machine-readable threat intelligence: - -```python -# Install dependencies -pip install taxii2-client stix2 - -from taxii2client.v21 import Server - -# MITRE ATT&CK TAXII (confirmed active) -server = Server("https://cti-taxii.mitre.org/taxii/") -for api_root in server.api_roots: - for collection in api_root.collections: - print(collection.title, collection.id) - -# Note: CISA TAXII (ais.cisa.gov) and Anomali Limo (limo.anomali.com) -# are no longer resolving as of 2025 — use alternatives above instead -``` - -### Active Public TAXII Servers -``` -https://cti-taxii.mitre.org/taxii/ → MITRE ATT&CK (confirmed active) - -# Note: limo.anomali.com and ais.cisa.gov/taxii2/ no longer resolve (dead) -# Use MITRE ATT&CK TAXII or self-hosted MISP feeds instead -``` - -### Alternative — MITRE ATT&CK via GitHub JSON (Simpler, No TAXII Client) -```python -import requests - -# Fetch all ATT&CK groups directly -url = "https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json" -data = requests.get(url).json() - -groups = [obj for obj in data["objects"] if obj["type"] == "intrusion-set"] -for g in groups: - print(g.get("name"), "|", g.get("aliases", [])) -``` - -### CISA KEV Feed (Replaces CISA TAXII) -```python -import requests - -# CISA Known Exploited Vulnerabilities — always updated JSON feed -url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" -data = requests.get(url).json() - -vulns = data.get("vulnerabilities", []) -print(f"Total KEVs: {len(vulns)}") -for v in vulns[-5:]: # Latest 5 - print(v.get("cveID"), "|", v.get("vendorProject"), "|", v.get("dueDate")) -``` - ---- - -## 5. 
Threat Hunting Platforms - -### Splunk (SIEM) -``` -# From Jieyab89's list -https://www.splunk.com -# Leading SIEM for log analysis and threat hunting - -# Free: Splunk Free (500MB/day) -# Useful SPL for hunting: -# index=* sourcetype=* [inputlookup ioc_list.csv] -``` - -### Wazuh (Open-Source SIEM/XDR) -``` -# From Jieyab89's list -https://wazuh.com -# Free, open-source security monitoring -# Integrates with MISP and threat intel feeds -``` - -### Grafana -``` -# From Jieyab89's list -https://grafana.com -# Visualization for threat intelligence dashboards -# Connect to MISP, OpenCTI, or custom CTI databases -``` - ---- - -## 6. Integrating Feeds into a Pipeline - -### Simple IOC Aggregation Pipeline -```python -import requests, json -from datetime import datetime - -class CTIPipeline: - def __init__(self, otx_key): - self.otx_key = otx_key - self.iocs = {"domains": [], "ips": [], "hashes": [], "urls": []} - - def pull_threatfox(self, days=1): - """Pull recent IOCs from ThreatFox""" - resp = requests.post("https://threatfox-api.abuse.ch/api/v1/", - json={"query": "get_iocs", "days": days}) - for ioc in resp.json().get("data", []): - ioc_type = ioc.get("ioc_type") - value = ioc.get("ioc") - if ioc_type == "domain": - self.iocs["domains"].append(value) - elif ioc_type in ("ip:port", "ip"): - self.iocs["ips"].append(value.split(":")[0]) - elif ioc_type in ("sha256_hash", "md5_hash"): - self.iocs["hashes"].append(value) - elif ioc_type == "url": - self.iocs["urls"].append(value) - - def pull_urlhaus(self): - """Pull malicious URLs from URLhaus""" - resp = requests.get("https://urlhaus.abuse.ch/downloads/csv_online/") - for line in resp.text.split("\n"): - if line.startswith("#") or not line.strip(): - continue - parts = line.split(",") - if len(parts) > 2: - self.iocs["urls"].append(parts[2].strip('"')) - - def deduplicate(self): - for key in self.iocs: - self.iocs[key] = list(set(self.iocs[key])) - - def export(self, path): - self.deduplicate() - with open(path, "w") 
as f: - json.dump({"generated": str(datetime.now()), "iocs": self.iocs}, f, indent=2) - print(f"Exported {sum(len(v) for v in self.iocs.values())} IOCs to {path}") - -# Usage -pipeline = CTIPipeline(otx_key="YOUR_KEY") -pipeline.pull_threatfox(days=1) -pipeline.pull_urlhaus() -pipeline.export("daily_iocs.json") -``` - ---- - -## Tips - -- **IntelOwl** gives the broadest enrichment with a single API call — deploy it first -- **OpenCTI** is the best self-hosted platform — run via Docker, the public demo is unreliable -- **ThreatFox + URLhaus** from abuse.ch are the highest-quality free IOC feeds -- **MITRE ATT&CK GitHub JSON** is more reliable than their TAXII endpoint for automation -- **CISA KEV JSON feed** is the best free vulnerability intelligence — no auth needed -- **Pulsedive** is excellent for quick IOC risk scoring without many API keys -- Automate daily feed pulls and delta-compare against your existing blocklists - ---- - -## Removed / Dead Links (Verified April 2025) - -| Site | Status | Reason | -|------|--------|--------| -| `misp.seccodeid.com` | Offline | DNS does not resolve | -| `limo.anomali.com` | Offline | DNS does not resolve — Anomali shut down free Limo service | -| `ais.cisa.gov/taxii2/` | Offline | DNS does not resolve | -| `demo.opencti.io` | Removed | Public demo unreliable — self-host via Docker instead | - ---- - -*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting, Researching Cyber Threats sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* \ No newline at end of file diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md deleted file mode 100644 index 08c7833..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/darkweb-search.md +++ /dev/null 
@@ -1,212 +0,0 @@ -# Dark Web Search & Indexing - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Search and index dark web content using clearnet-accessible tools, proxies, -and aggregators — without requiring a Tor browser for most operations. - ---- - -## 1. Clearnet Dark Web Search Engines - -These index .onion content and are accessible from a regular browser: - -``` -https://ahmia.fi → Most established Tor search engine - accessible via clearnet -https://darksearch.io → Dark web search via clearnet API -https://lolarchiver.com → Archived dark web content -https://osint.lolarchiver.com → OSINT-focused dark archive -https://open-search.aleph-networks.eu → Open search with dark web data -``` - -### Ahmia.fi Usage -``` -# Basic search -https://ahmia.fi/search/?q=ransomware+group - -# Search for specific onion addresses -https://ahmia.fi/search/?q=site:ONIONADDRESS.onion - -# API -curl "https://ahmia.fi/api/query?q=keyword&limit=10" -``` - -### DarkSearch.io API -```bash -# Search via API (free tier available) -curl "https://darksearch.io/api/search?query=keyword&page=1" - -# Python -import requests -resp = requests.get("https://darksearch.io/api/search", - params={"query": "ransomware group", "page": 1}) -print(resp.json()) -``` - ---- - -## 2. Intelligence X (IntelX) - -One of the most powerful dark web indexing platforms — indexes Tor, I2P, paste -sites, public leaks, and document archives: - -``` -https://intelx.io/?s=keyword -https://intelx.io/?s=email@target.com -https://intelx.io/?s=target.com -https://intelx.io/?s=BITCOIN_WALLET_ADDRESS - -# Selectors to search: -# - Email addresses -# - Domains -# - IP addresses -# - Bitcoin addresses -# - IPFS hashes -# - URLs -# - Phone numbers -``` - ---- - -## 3. Tor Hidden Service Search (Requires Tor Browser) - -> Only use this for authorized research. Use a dedicated sandbox VM + Tor Browser. 
-> Never access from your real machine or identity. - -``` -# Popular .onion search engines (access via Tor Browser only) -DuckDuckGo onion : https://3g2upl4pq6kufc4m.onion -Torch : http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5ayieeo2through7sh6turd.onion -Not Evil : http://notevilmtxf25uw7tskqxj6njlpebyrmlrerfv5hc4tuq7c7hilbyiqd.onion -Haystak : http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion -``` - ---- - -## 4. Specialized Dark Web Index Tools - -### DeepDarkCTI -Threat intelligence from deep and dark web sources: -```bash -# From Jieyab89's list -git clone https://github.com/fastfire/deepdarkCTI -# Contains curated .onion links categorized by type: -# - Forums, markets, ransomware leak sites, paste services -# - Updated list of active dark web resources for CTI -cat deepdarkCTI/ransomware.md # Ransomware sites list -cat deepdarkCTI/forum.md # Forum list -cat deepdarkCTI/combolist.md # Combo/leak list sites -``` - -### OnionSearch -```bash -pip install onionsearch -onionsearch "keyword" -# Searches across multiple .onion search engines simultaneously -``` - ---- - -## 5. OSINT Framework — Dark Web Section - -``` -https://osintframework.com -# Navigate to: Digital Footprint → Dark Web -# Contains categorized links to: -# - Dark web search engines -# - Forums (indexed/cached versions) -# - Cryptocurrency tracking -# - Paste services -``` - ---- - -## 6. 
Cached & Archived Dark Web Content - -Access dark web content without connecting to Tor: - -``` -https://osint.lolarchiver.com → Cached dark web content -https://lolarchiver.com → Dark web archiver -https://www.libraryofleaks.org → Leaked document library -https://search.libraryofleaks.org → Search leaked documents - -# DDO Secrets (Distributed Denial of Secrets) — public leak archive -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Contains: government leaks, corporate data, hacked datasets -# Browse without accessing dark web directly - -# ALEPH (OCCRP) -https://aleph.occrp.org -# Investigative journalism data repository -# Contains leaked documents, corporate records, court data -``` - ---- - -## 7. I2P & Freenet Monitoring (Passive) - -``` -# I2P eepsites search (passive indexing services) -https://i2psearch.com -http://i2pforum.i2p (requires I2P) - -# Freenet content search (passive) -# Use Freenet indexes accessible via clearnet bridges -``` - ---- - -## 8. Darkweb Academy - -``` -# From Jieyab89's OSINT Academy list -https://www.darkwebacademy.com/labs/ -# Provides labs and training for dark web OSINT -# Safe, sandboxed environments for learning -``` - ---- - -## Search Strategies - -### Finding Specific Content -``` -# Entity-based search -"company name" site:ransomgroup.onion (via Ahmia) -"email@domain.com" intext:password (via IntelX) -"domain.com" leak OR breach OR dump (via DarkSearch) - -# Hash-based search -"MD5HASH" OR "SHA256HASH" (malware samples) -"bitcoin:WALLETADDRESS" (crypto payment traces) - -# Forum activity -"threat actor alias" forum (track actor across platforms) -``` - -### Building a Search Query -``` -1. Start broad: target name, domain, or keyword -2. Narrow with context: + "breach" / "leaked" / "sale" / "dump" -3. Add time filter if available -4. Cross-reference hits across multiple platforms -5. 
Extract and pivot from any new selectors found (emails, wallets, aliases) -``` - ---- - -## Tips - -- **Ahmia** is the most reliable clearnet index for general .onion search -- **IntelX** has the deepest historical index — worth using for any serious investigation -- **DeepDarkCTI** repo is regularly updated with active dark web site links -- **DDO Secrets** is the best clearnet source for leaked government/corporate data -- **ALEPH/OCCRP** is excellent for cross-referencing against investigative journalism leaks -- Always **document your search queries** — reproducibility matters in investigations - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT & Forums sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md deleted file mode 100644 index 9230ebe..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/malware-ioc-intel.md +++ /dev/null 
@@ -1,281 +0,0 @@ -# Malware & IOC Intelligence - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Collect, analyze, and enrich malware samples and Indicators of Compromise (IOCs) -from threat intelligence feeds, sandboxes, and dark web-adjacent sources — for -detection engineering, incident response, and threat hunting. - ---- - -## 1. Malware Sample Repositories - -### MalwareBazaar (abuse.ch) -``` -https://bazaar.abuse.ch/browse/ - -# Search by hash, tag, file type, or malware family -https://bazaar.abuse.ch/browse/?q=ransomware -https://bazaar.abuse.ch/browse/?q=tag:emotet - -# API — download samples and query intel -curl -X POST "https://mb-api.abuse.ch/api/v1/" \ - -d "query=get_info&hash=HASH_VALUE" - -# Python -import requests -resp = requests.post("https://mb-api.abuse.ch/api/v1/", - data={"query": "get_info", "hash": "SHA256_HERE"}) -print(resp.json()) -``` - -### VX-Underground -``` -# From Jieyab89's list -https://vx-underground.org -# Largest public malware sample archive -# Categories: APT samples, ransomware, stealers, botnets -# WARNING: Only download to isolated sandbox — these are live malware - -# Also useful for: -# - Malware source code leaks -# - Threat actor communications -# - Historical campaign materials -``` - -### Malware Traffic Analysis -``` -# From Jieyab89's list -https://www.malware-traffic-analysis.net/2025/index.html -# PCAP files + malware samples from real infections -# Includes: traffic captures, IOCs, malware files -# Excellent for understanding C2 communication patterns -``` - -### VirusShare (Registration Required) -``` -https://virusshare.com -# Large malware sample collection — requires account -``` - -### Virus Exchange -``` -# From Jieyab89's list -https://virus.exchange -# Sample sharing platform -``` - ---- - -## 2. 
IOC Feeds - -### ThreatFox (abuse.ch) -``` -https://threatfox.abuse.ch/browse/ - -# API — get latest IOCs -curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \ - -d '{"query":"get_iocs","days":1}' - -# Search by IOC value -curl -X POST "https://threatfox-api.abuse.ch/api/v1/" \ - -d '{"query":"search_ioc","search_term":"malware.com"}' - -# MISP feed format -https://threatfox.abuse.ch/export/misp/ -``` - -### URLhaus (abuse.ch) — Malicious URLs -``` -https://urlhaus.abuse.ch - -# API -curl -X POST "https://urlhaus-api.abuse.ch/v1/url/" \ - -d "url=https://suspicious.com/malware.exe" - -# Download daily feed -curl "https://urlhaus.abuse.ch/downloads/csv_online/" - -# Python query -import requests -resp = requests.post("https://urlhaus-api.abuse.ch/v1/host/", - data={"host": "suspicious-domain.com"}) -print(resp.json()) -``` - -### AlienVault OTX Feeds -``` -https://otx.alienvault.com/api/v1/pulses/subscribed -# Returns all IOCs from pulses you follow - -# Specific IOC lookup -curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/malware" \ - -H "X-OTX-API-KEY: YOUR_KEY" - -curl -X GET "https://otx.alienvault.com/api/v1/indicators/file/HASH/analysis" \ - -H "X-OTX-API-KEY: YOUR_KEY" -``` - -### Additional IOC Feeds -``` -https://rescure.me/feeds.html → Rescure.me curated feeds -https://www.spamhaus.org/drop/drop.txt → Spamhaus DROP list (BGP blocks) -https://feodotracker.abuse.ch/downloads/ → Feodo botnet C2 IPs -https://sslbl.abuse.ch/blacklist/ → SSL certificate blacklist -https://openphish.com/phishing_feeds.html → OpenPhish phishing URLs -https://phishstats.info:2096/api/phishing → PhishStats API -``` - ---- - -## 3. 
Malware Analysis Sandboxes - -Safe environments to analyze suspicious files: - -### Free Online Sandboxes -``` -https://app.any.run → Interactive (from Jieyab89's list) -https://www.hybrid-analysis.com → Free, Falcon Sandbox powered -https://tria.ge/reports/public → Tria.ge sandbox (from Jieyab89's list) -https://cuckoo.cert.ee → Cuckoo sandbox (Jieyab89's list) -https://capesandbox.com → CAPE sandbox (Jieyab89's list) -https://www.joesandbox.com → Joe Sandbox (from Jieyab89's list) -https://www.vmray.com → VMRay (commercial, limited free) -https://filescan.io → Filescan.io (from Jieyab89's list) -https://www.docguard.io → DocGuard for documents -https://analyze.intezer.com/scan → Intezer (code similarity analysis) -``` - -### API-Based Analysis -```python -import requests, time - -def submit_to_hybrid_analysis(filepath): - """Submit a file to Hybrid Analysis""" - url = "https://www.hybrid-analysis.com/api/v2/submit/file" - headers = {"api-key": "YOUR_API_KEY", "user-agent": "Falcon Sandbox"} - - with open(filepath, "rb") as f: - resp = requests.post(url, - headers=headers, - files={"file": f}, - data={"environment_id": 100}) # Windows 7 64-bit - return resp.json() -``` - ---- - -## 4. 
Hash & IOC Enrichment - -### VirusTotal -``` -# File hash lookup -https://www.virustotal.com/gui/file/SHA256_HASH - -# API -curl --request GET \ - --url "https://www.virustotal.com/api/v3/files/SHA256_HASH" \ - --header "x-apikey: YOUR_API_KEY" - -# Batch hash check (Python) -import requests - -def vt_check_hash(sha256, api_key): - url = f"https://www.virustotal.com/api/v3/files/{sha256}" - headers = {"x-apikey": api_key} - resp = requests.get(url, headers=headers) - data = resp.json() - stats = data.get("data", {}).get("attributes", {}).get("last_analysis_stats", {}) - return { - "malicious": stats.get("malicious", 0), - "suspicious": stats.get("suspicious", 0), - "undetected": stats.get("undetected", 0), - "total": sum(stats.values()) - } -``` - -### Malware Encyclopedia — Malpedia -``` -https://malpedia.caad.fkie.fraunhofer.de - -# Search by malware name -https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet - -# Each entry contains: -# - YARA rules -# - Actor associations -# - Sample hashes -# - Technical references -# - Aliases across vendors -``` - -### pwnedOrNot -``` -# From Jieyab89's list -https://github.com/thewhiteh4t/pwnedOrNot -# Check if email has leaked and try to get plaintext password -``` - ---- - -## 5. YARA Rules - -YARA is the standard for malware pattern matching: - -### YARA Rule Sources -``` -# From Jieyab89's list -https://yaraify.abuse.ch/yarahub/ → Community YARA hub (abuse.ch) -https://github.com/Neo23x0/signature-base → Neo23x0 signature base -https://valhalla.nextron-systems.com → Valhalla YARA feed - -# Using YARA rules -pip install yara-python - -import yara -rules = yara.compile(filepath="rule.yar") -matches = rules.match("suspicious_file.exe") -for match in matches: - print(f"Rule: {match.rule}, Tags: {match.tags}") -``` - ---- - -## 6. 
C2 Tracking - -### C2-Tracker -``` -# From Jieyab89's list -https://github.com/montysecurity/C2-Tracker -# Tracks active C2 infrastructure for common RATs and botnets - -# Lists are updated regularly: -# - Cobalt Strike C2s -# - Metasploit listeners -# - Brute Ratel C2s -# - Sliver C2s -``` - -### Feodo Tracker (Emotet/TrickBot/etc.) -``` -https://feodotracker.abuse.ch -# Botnet C2 IP tracker -curl "https://feodotracker.abuse.ch/downloads/ipblocklist.txt" -``` - ---- - -## Tips - -- **MalwareBazaar** is the best free starting point for any hash lookup -- **any.run** provides the most interactive analysis experience for free -- **ThreatFox** API is easy to integrate into automated pipelines -- **Valhalla YARA** requires subscription but is the highest quality rule set -- **Malpedia** links malware → actor → campaign — critical for full context -- Never analyze malware on your main machine — always use an isolated sandbox -- **Hash pivoting**: if a hash is known, check its VirusTotal graph for related infrastructure - ---- - -*Reference: [OSINT Cheat Sheet — Researching Cyber Threats, SOC & Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md deleted file mode 100644 index 745885c..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/opsec-darkweb.md +++ /dev/null 
@@ -1,277 +0,0 @@ -# OPSEC for Dark Web OSINT Investigations - -> *Safety guidelines inspired by [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89) — who emphasizes: "Please use it wisely"* - -## Objective -Protect your identity, devices, and legal standing while conducting dark web -intelligence investigations. Poor OPSEC can expose your real identity to threat -actors, compromise your organization, or create legal liability. - ---- - -## 1. Environment Setup - -### Recommended Stack (Layered Isolation) -``` -Layer 1 — Host Machine - └── Your regular computer (never used for OSINT) - -Layer 2 — Hypervisor - └── VirtualBox / VMware / Proxmox - └── Isolated OSINT VM (no shared clipboard, no shared folders) - -Layer 3 — Network - └── VPN (kill-switch enabled) → Tor (for .onion) or direct (for clearnet OSINT) - -Layer 4 — Browser - └── Tor Browser (for .onion access) - └── Firefox with hardened settings (for clearnet OSINT tools) - -Layer 5 — Identity - └── Throwaway accounts (not linked to real name/email/phone) - └── Dedicated OSINT email (ProtonMail, Tutanota) -``` - -### Recommended OSINT Linux Distros (from Jieyab89's list) -``` -https://github.com/tracelabs/tlosint-live → Trace Labs OSINT VM -https://tails.net → Amnesic OS (leaves no trace) -https://www.qubes-os.org → Compartmentalized OS -https://www.parrotsec.org → Parrot OS (security/OSINT) -https://csilinux.com → CSI Linux (OSINT-focused) -``` - ---- - -## 2. 
Network OPSEC - -### VPN Configuration -``` -Requirements for OSINT VPN: -✓ No-logs policy (independently audited) -✓ Kill switch enabled (cuts internet if VPN drops) -✓ DNS leak protection -✓ Jurisdiction outside 5/9/14-eyes if sensitive work - -# Test for leaks before starting -https://www.dnsleaktest.com -https://ipleak.net -https://browserleaks.com -``` - -### Tor Browser (for .onion access) -``` -Download: https://www.torproject.org/download/ -# Always use the latest version -# Never resize the window (browser fingerprinting) -# Never log into personal accounts inside Tor Browser -# Disable JavaScript for sensitive .onion sites (Security Level: Safest) -# Never download files directly — preview in sandbox first - -# Check your Tor exit node -https://check.torproject.org (accessible via Tor Browser) -``` - -### Network Isolation -```bash -# Linux: create isolated network namespace for OSINT tools -ip netns add osint-ns -ip netns exec osint-ns ip link set lo up -# Route all OSINT tool traffic through VPN interface only - -# Verify no direct connections from OSINT VM -# Disable all non-essential network interfaces in the VM -``` - ---- - -## 3. 
Identity OPSEC - -### Account Hygiene -``` -✓ Use throwaway/sock puppet accounts for any platform registration -✓ Never use real name, photo, or biographical info in OSINT accounts -✓ Use dedicated email (ProtonMail / Tutanota) created over Tor -✓ Never reuse usernames across platforms -✓ Use separate accounts for OSINT work vs personal use -✓ Generate usernames with no connection to your real identity - -# Jieyab89's tip on accounts: -# "Do a active on each platform example like post, follow, following to -# avoid bot detection or blocked by user (target)" -# "Use second account (not your real account)" -``` - -### Browser Fingerprinting Protection -``` -https://browserleaks.com → Test your browser fingerprint -https://coveryourtracks.eff.org → EFF Cover Your Tracks test - -# Key fingerprint vectors to neutralize: -# - Screen resolution (use common size: 1920x1080) -# - User agent (use common browser UA) -# - Timezone (match VPN exit location) -# - WebRTC leaks (disable WebRTC in browser) -# - Canvas fingerprinting (block or randomize) -``` - ---- - -## 4. 
Device OPSEC - -### Sandbox VM Rules -``` -✓ Snapshot the VM before each investigation session -✓ Revert snapshot after sensitive sessions -✓ No shared clipboard between host and OSINT VM -✓ No shared folders — transfer files through encrypted container only -✓ Disable USB passthrough -✓ Use separate VM for different investigation cases (no cross-contamination) -✓ Enable AV in VM (Jieyab89's tip: "Enable your firewall, AV and IDS") -``` - -### File Handling (from Jieyab89's tips) -``` -# Jieyab89's direct guidance: -"Dont upload your private files make sure you have clean personal file in folder" -"Scan the files will you download" -"Encrypt your network traffic, message and disk" -"Beware about attachments such as docx, xlsm or macro documents" -"Beware about malicious script like programm lang always check will you run it" -"beware with code with obfuscate (dont trust it)" - -# NEVER: -✗ Open malware samples on your host machine -✗ Click links from threat actors without sandbox isolation -✗ Download dark web files to your main machine -✗ Enable macros in Office documents from dark web sources -``` - -### File Analysis Before Opening -```bash -# Check file type (don't trust extension) -file suspicious_file.exe - -# Compute hashes before opening -sha256sum suspicious_file.exe -md5sum suspicious_file.exe - -# Check hash on VirusTotal before any local analysis -# Submit hash only (not the file itself) for initial check - -# Strings analysis (safe, no execution) -strings suspicious_file.exe | grep -E "(http|ftp|smtp|password|key|token)" - -# Only then: open in an isolated sandbox (AnyRun, Hybrid Analysis, or local Cuckoo) -``` - ---- - -## 5. 
Legal OPSEC - -### What Is Legal (OSINT) -``` -✓ Accessing publicly available information -✓ Using clearnet dark web monitoring services -✓ Searching indexed dark web content (Ahmia, IntelX, DarkSearch) -✓ Analyzing published breach data for defensive purposes -✓ Tracking ransomware groups through their public leak sites -✓ Researching threat actors using public reports and CTI feeds -✓ Accessing DDO Secrets / OCCRP ALEPH (public interest journalism) -``` - -### What Is NOT Legal (Do Not Do) -``` -✗ Registering accounts on criminal forums -✗ Purchasing stolen data, tools, or credentials -✗ Accessing systems without authorization -✗ Re-publishing stolen personal data of individuals -✗ Attempting to take down or interfere with criminal infrastructure -✗ Interacting with threat actors to elicit information (entrapment risk) -✗ Downloading CSAM or other illegal content (even for research) -``` - -### Jurisdiction Reference -``` -Indonesia → UU ITE No.11/2008 & No.19/2016 (amended) - → UU PDP No.27/2022 (Personal Data Protection) -USA → Computer Fraud and Abuse Act (18 U.S.C. § 1030) - → Electronic Communications Privacy Act -EU → GDPR (data handling), Directive on Attacks Against Information Systems -Global → ICCPR Article 17 (right to privacy) -``` - ---- - -## 6. Evidence Collection & Chain of Custody - -When findings may be used in legal proceedings or incident reports: - -``` -# Capture with timestamp -date && screenshot - -# Archive web pages with timestamp proof -https://archive.today → Submit URL → get archived link -https://web.archive.org/save/URL → Wayback Machine save - -# Hash all collected evidence -sha256sum evidence_file > evidence_file.sha256 - -# Maintain investigation log -[TIMESTAMP] [ACTION] [SOURCE] [FINDING] [HASH] - -# Never alter original evidence files -# Store in encrypted container (VeraCrypt) -# Maintain chain of custody documentation -``` - ---- - -## 7. 
Operational Security Checklist - -### Before Starting an Investigation -``` -[ ] OSINT VM is up-to-date and snapshoted -[ ] VPN is connected and verified (no leaks) -[ ] Tor Browser is latest version (if needed) -[ ] Throwaway accounts ready -[ ] AV/firewall enabled in sandbox -[ ] Investigation scope and legal boundaries are clear -[ ] Evidence folder created with encrypted container -``` - -### During Investigation -``` -[ ] No personal accounts used -[ ] All URLs previewed before clicking (urlscan.io) -[ ] Files scanned before analysis -[ ] Screenshots taken with timestamps -[ ] Sources documented as you go -[ ] No interaction with threat actors -``` - -### After Investigation -``` -[ ] Evidence archived and hashed -[ ] Investigation log complete -[ ] VM snapshot taken (or reverted if sensitive) -[ ] VPN disconnected after session -[ ] Report drafted with source citations -``` - ---- - -## Tips - -- **Tails OS** is the gold standard for leaving zero traces — use for most sensitive work -- **Qubes OS** provides the best compartmentalization if Tails is too limiting -- **Never combine** personal and OSINT activities in the same browser session -- **Document everything** as you go — memory is unreliable, investigations can take weeks -- Follow Jieyab89's golden rule: **"Use virtual machine, fake host or docker machine"** -- When in doubt about legality — **consult a lawyer before proceeding**, not after - ---- - -*Safety guidance informed by [OSINT Cheat Sheet — Tips & Trick Safe Guide](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89).* -*His words: "Please use it wisely."* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill deleted file mode 100644 index bbd31d7..0000000 Binary files a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/osint-darkweb-intel.skill and /dev/null differ 
diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md deleted file mode 100644 index 244a8e0..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/paste-leak-monitoring.md +++ /dev/null 
@@ -1,263 +0,0 @@ -# Paste & Leak Monitoring - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Monitor paste sites, anonymous publishing services, and public leak channels -for early detection of data disclosures, credential dumps, and sensitive -information related to a target — before it spreads or is sold. - ---- - -## 1. Paste Site Inventory - -### Primary Targets for Monitoring -``` -https://pastebin.com → Largest paste site -https://psbdmp.ws → Pastebin dump aggregator/search -https://cybdetective.com/pastebin.html → Multi-paste search (Jieyab89's list) -https://paste.centos.org → CentOS community paste -https://justpaste.it → Popular alternative -https://gist.github.com → GitHub Gist (code snippets) -https://friendpaste.com → Alternative paste site -https://telegra.ph → Telegram's publish platform -https://psbdmp.ws → Pastebin dump search -``` - ---- - -## 2. Search Strategies - -### Google Dork Paste Search -``` -# Find mentions of target on paste sites -site:pastebin.com "target.com" -site:pastebin.com "@target.com" password -site:pastebin.com "target.com" database OR dump OR leak OR breach -site:pastebin.com "target.com" username OR email OR credential - -site:gist.github.com "target.com" secret OR key OR password -site:justpaste.it "target.com" -site:paste.centos.org "target.com" -site:telegra.ph "target.com" breach OR leak - -# Broader search -"target.com" site:pastebin.com OR site:gist.github.com OR site:justpaste.it -``` - -### Intelligence X Paste Search -``` -https://intelx.io/?s=target.com -# IntelX indexes many paste sites including dark web pastes -# More comprehensive than Google for paste monitoring -``` - ---- - -## 3. 
Automated Paste Monitoring - -### Pastebin Scraping API (Requires Pastebin Pro Account) -```python -import requests, time, hashlib, json -from datetime import datetime - -class PasteMonitor: - """Monitor Pastebin scraping API for keyword matches""" - - def __init__(self, keywords, scraping_key=None): - self.keywords = [k.lower() for k in keywords] - self.scraping_key = scraping_key - self.seen = set() - self.hits = [] - - def fetch_recent(self): - """Get recent public pastes via scraping API""" - url = "https://scrape.pastebin.com/api_scraping.php?limit=100" - if self.scraping_key: - url += f"&scraping_key={self.scraping_key}" - try: - resp = requests.get(url, timeout=10) - return resp.json() - except: - return [] - - def fetch_content(self, paste_key): - """Fetch raw content of a paste""" - url = f"https://scrape.pastebin.com/api_scrape_item.php?i={paste_key}" - try: - resp = requests.get(url, timeout=10) - return resp.text - except: - return "" - - def scan(self): - """One monitoring cycle""" - pastes = self.fetch_recent() - for paste in pastes: - key = paste.get("key") - if not key or key in self.seen: - continue - self.seen.add(key) - - content = self.fetch_content(key) - content_lower = content.lower() - - matched = [kw for kw in self.keywords if kw in content_lower] - if matched: - hit = { - "time": datetime.now().isoformat(), - "url": f"https://pastebin.com/{key}", - "keywords": matched, - "size": paste.get("size"), - "title": paste.get("title", ""), - "content_preview": content[:200] - } - self.hits.append(hit) - print(f"[HIT] {hit['url']} | Keywords: {matched}") - - def run(self, interval=300): - """Continuous monitoring loop""" - print(f"Monitoring for: {self.keywords}") - while True: - self.scan() - time.sleep(interval) - -# Usage -monitor = PasteMonitor(keywords=["target.com", "targetcompany", "@target.com"]) -monitor.run(interval=300) # Check every 5 minutes -``` - ---- - -## 4. 
Telegram Channel Monitoring - -Many breach actors publish on Telegram before or instead of dark web forums: - -``` -# Search Telegram content (clearnet) -https://www.tgstat.com → Telegram channel statistics & search -https://telemetr.io → Telegram analytics -https://www.telegramchannels.me → Channel directory - -# Search for relevant channels -# Keywords: "leaks", "breach", "database", "credentials", "combolist" - -# Telegram web search (no account needed) -https://t.me/s/CHANNEL_NAME → View channel posts in browser - -# Archive Telegram content -# Reference from Jieyab89: -https://www.bellingcat.com/resources/how-tos/2022/03/08/how-to-archive-telegram-content-to-document-russias-invasion-of-ukraine/ -``` - ---- - -## 5. DDO Secrets — Document & Leak Archive - -``` -https://ddosecrets.com/wiki/Distributed_Denial_of_Secrets -# Clearnet accessible archive of major leaks -# Categories: government leaks, corporate data, hacked datasets -# Contains: BlueLeaks (US law enforcement), Epik (hosting), ransomware dumps, etc. - -# How to use: -# - Browse by category or search by organization name -# - Download index files to understand scope before downloading full datasets -# - All content is legally accessible via clearnet -``` - ---- - -## 6. Library of Leaks - -``` -https://search.libraryofleaks.org -# Searchable archive of public interest leaks -# Includes: Wikileaks, Panama Papers, Pandora Papers, FinCEN Files, etc. - -https://aleph.occrp.org -# OCCRP investigative data platform -# Cross-reference leaked documents with corporate registries and court data -``` - ---- - -## 7. Early Warning Intelligence - -### Signals to Watch For -``` -Indicators that a breach may be incoming or just happened: - -1. Threat actor posts "we are selling [company] data" in forums - → Monitor via: ransomware.live, darkfeed.io, flare.io - -2. Internal credentials appearing on paste sites - → Monitor via: pastebin scraping + IntelX - -3. 
Domain mentioned in stealer log markets - → Monitor via: Hudson Rock, whiteintel.io - -4. Company name appears in Telegram breach channels - → Monitor via: tgstat.com search - -5. Unusual volume of mentions in dark web search results - → Monitor via: IntelX, Ahmia, darksearch.io -``` - -### Building a Keyword Watchlist -```python -# Keywords to monitor for a target organization -WATCHLIST = { - "company_names": ["Target Corp", "TargetCo", "target-corp"], - "domains": ["target.com", "targetcorp.com"], - "email_patterns": ["@target.com", "@targetcorp.com"], - "brand_names": ["TargetProduct", "TargetBrand"], - "executive_names": ["John CEO Smith", "Jane CFO Doe"], # Key executives - "internal_terms": ["internal_system_name", "product_codename"] -} -``` - ---- - -## 8. Breach Validation - -Before escalating or reporting a potential breach find: - -``` -Step 1: Verify the data is real - - Check sample records against known public info (are names/emails plausible?) - - Check date fields — are they consistent with claimed breach date? - - Do NOT contact individuals in the dataset to verify - -Step 2: Determine if already known - - Cross-check against HIBP: https://haveibeenpwned.com/PwnedWebsites - - Check databreaches.net: https://databreaches.net - - Search intelx.io for the same dataset - -Step 3: Assess severity - - What data types: passwords? PII? financial? health? - - Plaintext vs hashed passwords? - - Volume of records? 
- - Date of the data (older = lower risk of active exploitation) - -Step 4: Document and report - - Screenshot with timestamps - - Archive the paste/post URL (use archive.today) - - Preserve hash of any downloaded evidence files - - Report to affected organization's security team (responsible disclosure) -``` - ---- - -## Tips - -- **Monitor daily** — paste site data disappears quickly (Pastebin auto-deletes) -- **Archive immediately** when you find something relevant — use archive.today -- **IntelX** is the most reliable for historical paste search and dark web content -- **Telegram** is now a primary distribution channel for breach data — don't ignore it -- **False positives** are common — always validate before escalating -- **GDPR/legal caution**: in some jurisdictions, downloading breach data may have legal implications — consult your legal counsel - ---- - -*Reference: [OSINT Cheat Sheet — Data Breached OSINT, Forums & Sites sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md deleted file mode 100644 index 395ec85..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/ransomware-tracking.md +++ /dev/null 
@@ -1,237 +0,0 @@ -# Ransomware Group Tracking - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Monitor ransomware group activity, track victim postings on leak sites, -identify which groups are active, understand their TTPs, and collect -intelligence from their public-facing infrastructure — all via clearnet. - ---- - -## 1. Ransomware Tracking Dashboards - -### ransomware.live (Primary Source) -``` -https://www.ransomware.live -# Real-time tracking of ransomware group victim posts -# Covers 100+ active ransomware groups -# Shows: victim name, country, sector, date posted, group name -# Includes screenshots of leak site posts - -# Features: -# - Timeline of attacks -# - Group statistics -# - Sector/country breakdown -# - Search by victim name or group -``` - -### ransomwatch -``` -https://ransomwatch.telemetry.ltd -# Monitors ransomware leak site posts -# Structured JSON data available for programmatic use -# Open source: https://github.com/joshhighet/ransomwatch - -# API / Data access -curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json -curl https://raw.githubusercontent.com/joshhighet/ransomwatch/main/groups.json - -# Python -import requests -posts = requests.get("https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json").json() -for post in posts: - if "target_org" in post.get("post_title", "").lower(): - print(post) -``` - -### Ransom DB -``` -https://www.ransom-db.com -# Searchable database of ransomware incidents -# Filter by: group, country, sector, date -``` - -### Ransom Private Tools -``` -https://ransom.privtools.eu -# Aggregated ransomware group posts -# Useful for historical research -``` - -### WatchGuard Ransomware Tracker -``` -https://www.watchguard.com/wgrd-security-hub/ransomware-tracker -# Curated ransomware incident tracker -``` - ---- - -## 2. 
Ransomware Group Intelligence - -### Known Active Groups (Reference) -``` -# Tier 1 (Most Active / Dangerous): -LockBit, ALPHV/BlackCat, Cl0p, Play, Akira, Black Basta, -Hunters International, RansomHub, Medusa, INC Ransom - -# Leak Site Monitoring via ransomware.live covers all major groups -``` - -### Group Profiles via MITRE ATT&CK -``` -https://attack.mitre.org/groups/ -# Search for specific ransomware group -# Contains: TTPs, techniques, software used, campaigns - -# Examples: -https://attack.mitre.org/groups/G0032/ → Lazarus Group -https://attack.mitre.org/groups/G0034/ → Sandworm -https://attack.mitre.org/software/ → Malware used by groups -``` - -### Malpedia — Ransomware Encyclopedia -``` -https://malpedia.caad.fkie.fraunhofer.de -# Search by ransomware family name -# Contains: technical details, YARA rules, references, actor links - -# Example -https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit -https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat -``` - ---- - -## 3. Ransomware Identification - -If you have a sample or ransom note: - -``` -https://id-ransomware.malwarehunterteam.com -# Upload: encrypted file, ransom note, or file extension -# Identifies ransomware family - -https://www.nomoreransom.org/en/identification-tool.html -# Ransomware identification + decryption tools if available -# Maintained by Europol + cybersecurity vendors -``` - ---- - -## 4. Ransomware Decryption Tools - -``` -https://www.nomoreransom.org/en/decryption-tools.html -# Free decryptors for many ransomware families -# Organized by ransomware name - -https://github.com/erasmus-dsg-university/ransomware-decryptors -# Community collection of decryptors -``` - ---- - -## 5. 
Programmatic Data Collection - -### Fetch ransomwatch JSON Data -```python -import requests -import json -from datetime import datetime - -def get_recent_ransomware_posts(days=7): - """Get ransomware posts from the last N days""" - url = "https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json" - posts = requests.get(url).json() - - cutoff = datetime.now().timestamp() - (days * 86400) - recent = [] - for post in posts: - try: - ts = datetime.strptime(post["discovered"], "%Y-%m-%d %H:%M:%S.%f").timestamp() - if ts > cutoff: - recent.append(post) - except: - pass - return recent - -def search_victim(keyword): - """Search for a specific victim across all posts""" - url = "https://raw.githubusercontent.com/joshhijom/ransomwatch/main/posts.json" - posts = requests.get(url).json() - return [p for p in posts if keyword.lower() in p.get("post_title", "").lower()] - -# Usage -recent = get_recent_ransomware_posts(days=30) -print(f"Posts in last 30 days: {len(recent)}") - -victim_hits = search_victim("target company name") -for hit in victim_hits: - print(hit.get("group_name"), "|", hit.get("post_title"), "|", hit.get("discovered")) -``` - -### Fetch Group List from ransomware.live -```python -import requests - -# Get all tracked groups -resp = requests.get("https://api.ransomware.live/v2/groups") -groups = resp.json() -for g in groups: - print(g.get("name"), "|", g.get("location")) -``` - ---- - -## 6. Cross-Reference with Threat Intelligence - -After identifying a ransomware group, pivot to: - -``` -# CISA advisories -https://www.cisa.gov/known-exploited-vulnerabilities-catalog - -# FBI flash alerts -https://www.ic3.gov/Media/News/2024 - -# Talos intelligence -https://www.talosintelligence.com/ransomware_roundup - -# AlienVault OTX pulse for the group -https://otx.alienvault.com/browse/pulses?q=GROUPNAME - -# VirusTotal collections -https://www.virustotal.com/gui/collections → search group name -``` - ---- - -## 7. 
Sector & Country Statistics - -``` -# From ransomware.live statistics -https://www.ransomware.live/charts - -# Useful for: -# - Identifying most targeted sectors -# - Country-specific threat landscape -# - Time-based trend analysis -# - Executive-level reporting -``` - ---- - -## Tips - -- **ransomware.live** is the single best free resource — bookmark it -- **ransomwatch JSON** is machine-readable — great for automated monitoring and alerting -- **MITRE ATT&CK** group pages have the most authoritative TTP mappings -- **Malpedia** is the best technical reference for malware family details and YARA rules -- Set up **automated alerts**: scrape ransomwatch JSON periodically and alert on new keyword matches -- **Victim names are often redacted** initially — monitor for updates where full names appear -- Cross-reference group names across **Malpedia + MITRE + VirusTotal** for complete picture - ---- - -*Reference: [OSINT Cheat Sheet — Researching Cyber Threats & SOC/Threat Hunting sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md b/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md deleted file mode 100644 index d757f6e..0000000 --- a/Jieyab-Claude-Skills/OSINT/Darkweb-Intel/references/threat-actor-profiling.md +++ /dev/null 
@@ -1,247 +0,0 @@ -# Threat Actor Profiling & Attribution - -> *Tools sourced from [OSINT Cheat Sheet](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* - -## Objective -Build structured intelligence profiles on threat actors — including APT groups, -ransomware operators, hacktivists, and cybercriminals — using public sources, -CTI frameworks, and dark web intelligence feeds. - ---- - -## 1. MITRE ATT&CK Framework - -The gold standard for mapping threat actor behavior: - -``` -https://attack.mitre.org/groups/ → All documented threat groups -https://attack.mitre.org/techniques/ → Full technique catalog -https://attack.mitre.org/software/ → Malware & tools per group -https://attack.mitre.org/campaigns/ → Campaign-level attribution - -# Useful group pages -https://attack.mitre.org/groups/G0032/ → Lazarus Group (DPRK) -https://attack.mitre.org/groups/G0034/ → Sandworm (Russia) -https://attack.mitre.org/groups/G0007/ → APT28 / Fancy Bear -https://attack.mitre.org/groups/G0016/ → APT41 (China) -``` - -### ATT&CK Navigator — Visualize Group TTPs -``` -https://mitre-attack.github.io/attack-navigator/ -# Load a group's technique layer to visualize which TTPs they use -# Useful for: detection gap analysis, hunting hypothesis generation -``` - ---- - -## 2. 
APT Group Databases - -### Google APT Search CSE -``` -# From Jieyab89's SOC & Threat Hunting list -https://cse.google.com/cse?cx=003248445720253387346:turlh5vi4xc -# Search across multiple APT reporting sources simultaneously -``` - -### APT Group Spreadsheet -``` -# From Jieyab89's list -https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml -# Comprehensive APT group list with: -# - Group names and aliases -# - Nation-state attribution -# - Target sectors -# - Active years -``` - -### Malpedia — Actor Profiles -``` -https://malpedia.caad.fkie.fraunhofer.de/actors -# Threat actor profiles linked to malware families -# Each actor page contains: -# - Aliases (different vendor names for same group) -# - Associated malware families -# - References to reporting -# - Country attribution -``` - ---- - -## 3. Threat Intelligence Platforms - -### AlienVault OTX (Free, Community-Driven) -``` -https://otx.alienvault.com - -# Search by actor/group name -https://otx.alienvault.com/browse/pulses?q=APT28 - -# Get pulses for a domain/IP/hash -https://otx.alienvault.com/indicator/domain/target.com -https://otx.alienvault.com/indicator/ip/1.2.3.4 -https://otx.alienvault.com/indicator/file/HASH - -# API -curl -X GET "https://otx.alienvault.com/api/v1/indicators/domain/target.com/general" \ - -H "X-OTX-API-KEY: YOUR_KEY" -``` - -### Talos Intelligence (Cisco) -``` -https://www.talosintelligence.com -https://www.talosintelligence.com/reputation_center - -# Actor-specific reporting -https://blog.talosintelligence.com/?q=APT → Search for APT blog posts -``` - -### Recorded Future (Commercial) -``` -https://www.recordedfuture.com/vulnerability-database -# Free tier: some intelligence available without subscription -``` - -### Mandiant / Google TI -``` -https://www.mandiant.com/advantage/threat-intelligence -https://cloud.google.com/security/products/threat-intelligence - -# Free access to some reports and IOCs -# APT naming convention: APT1, 
APT28, etc. -``` - -### Falcon Feeds -``` -# From Jieyab89's list -https://falconfeeds.io -# Dark web threat intelligence feeds -# Actor profiles and IOC collections -``` - ---- - -## 4. Building an Actor Profile - -### Profile Template -```markdown -## Threat Actor Profile - -**Name**: [Primary name] -**Aliases**: [Vendor-specific names — different vendors name same group differently] -**Attribution**: [Suspected nation-state or criminal group] -**Active Since**: [Year] -**Motivation**: [Financial / Espionage / Hacktivism / Disruption] - -### Targeting -- **Sectors**: [Finance, Healthcare, Government, etc.] -- **Regions**: [Geographic focus] -- **Typical Victims**: [Organization types] - -### TTPs (MITRE ATT&CK) -- Initial Access: [T1566 Phishing / T1190 Exploit Public-Facing Application] -- Execution: [T1059 Command and Scripting Interpreter] -- Persistence: [T1053 Scheduled Task/Job] -- C2: [T1071 Application Layer Protocol] -- Exfiltration: [T1041 Exfiltration Over C2 Channel] - -### Malware & Tools -- [Malware family 1] — [description, Malpedia link] -- [Malware family 2] -- [Custom tooling] - -### Infrastructure -- [Known C2 domains/IPs] -- [Hosting patterns] -- [Certificate patterns] - -### Dark Web Presence -- [Forum aliases if known] -- [Ransomware leak site if applicable] -- [Communication channels] - -### Key Reports -- [Vendor report 1 — link] -- [Vendor report 2 — link] - -### IOCs -- Domains: [] -- IPs: [] -- Hashes: [] -- YARA: [] -``` - ---- - -## 5. Alias Resolution — Same Actor, Different Names - -Vendors name the same group differently. Always cross-reference: - -``` -# APT28 aka: -# Fancy Bear (CrowdStrike), Sofacy (Kaspersky), Pawn Storm (Trend Micro), -# STRONTIUM (Microsoft), BlueDelta (Recorded Future), TA422 (Proofpoint) - -# Lookup tool — resolve aliases -https://apt.etda.or.th/cgi-bin/listgroups.cgi → ETDA APT alias resolver -https://malpedia.caad.fkie.fraunhofer.de/actors → Malpedia with aliases -``` - ---- - -## 6. 
Dark Web Forum Actor Tracking - -Track threat actor aliases across underground forums (clearnet intelligence): - -``` -# Search actor alias on clearnet -site:github.com "actor_alias" -site:pastebin.com "actor_alias" -"actor_alias" site:twitter.com OR site:x.com - -# Threat intelligence reports mentioning the alias -"actor_alias" filetype:pdf site:mandiant.com -"actor_alias" filetype:pdf site:crowdstrike.com -"actor_alias" site:securelist.com - -# Searchable CTI sources -https://otx.alienvault.com/browse/pulses?q=actor_alias -https://www.talosintelligence.com/ → Blog search -https://www.group-ib.com/resources/ → Group-IB reports -``` - ---- - -## 7. CTI Report Aggregators - -``` -https://www.cisa.gov/news-events/cybersecurity-advisories → CISA advisories -https://www.ic3.gov/Media/News → FBI alerts -https://www.ncsc.gov.uk/section/reports-advisories/ → UK NCSC -https://www.cyber.gov.au/about-us/advisories → Australian ASD -https://seclists.org/fulldisclosure/ → Full disclosure list - -# Community feeds -https://otx.alienvault.com → OTX Pulses -https://www.virustotal.com/gui/collections → VT collections -https://yaraify.abuse.ch/yarahub/ → YARA rules from community - -# Indonesian context -https://bssn.go.id → BSSN (ID national cyber agency) -https://www.idsirtii.or.id → ID-SIRTII national CSIRT -``` - ---- - -## Tips - -- **Malpedia** is the best single source for actor ↔ malware ↔ alias mapping -- **MITRE ATT&CK** is authoritative for TTP mapping — always map to it for consistency -- **APT alias confusion** is common — always check multiple vendor names before concluding -- **OTX Pulses** are often the fastest community source for newly emerging actor intelligence -- **ETDA APT list** is excellent for quickly resolving vendor naming differences -- **Attribution** should always include a confidence level — it's rarely 100% certain - ---- - -*Reference: [OSINT Cheat Sheet — SOC & Threat Hunting & Researching Cyber Threats 
sections](https://github.com/Jieyab89/OSINT-Cheat-sheet) by [Jieyab89](https://github.com/Jieyab89)* diff --git a/Jieyab-Claude-Skills/README.md b/Jieyab-Claude-Skills/README.md index 6042224..4d68808 100644 --- a/Jieyab-Claude-Skills/README.md +++ b/Jieyab-Claude-Skills/README.md @@ -1,13 +1,5 @@ -# Usage +# NOTES -You can use claude desktop or claude cli, but in this case i use claude cli. Import the skills on this path +On maintence, Jieyab under review for better result and do something research. I will update soon -``` -/home//.claude/skills/Darkweb-Intel -``` - -Then in claude run /skills or u can call the skills path for claude - -# Read the Claude Doc - -https://code.claude.com/docs/en/skills \ No newline at end of file +Thank u \ No newline at end of file diff --git a/README.md b/README.md index a5ab694..7abd3d1 100644 --- a/README.md +++ b/README.md @@ -1764,6 +1764,7 @@ If you has found the person phone number you can check at data breach, e wallet, - [usersearch](https://usersearch.com/) - [blackbird (mostly Indonesia)](https://blackbird.mom/) - [user-scanner](https://github.com/kaifcodec/user-scanner/releases/tag/v1.1.0) +- [maigret 2 made by Rust](https://github.com/krishpranav/maigret/blob/master/data.json) # Social Networks
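Review bot: In the `@@ -1,229 +0,0 @@` hunk for `Jieyab-Claude-Skills/OSINT/Darkweb-Intel/SKILL.md`, deleting the whole file also removes the frontmatter (`name: osint-darkweb-intel`, the `description:` trigger text) and the Ethics & Legal Notice, so a user who already imported the skill at `/home//.claude/skills/Darkweb-Intel` gets a silently missing skill with no explanation. Suggest leaving a minimal SKILL.md with the same `name:` and a one-line description stating the skill is under maintenance, or recording the removal in the skill README, so the trigger name stays reserved and the passive-only scope is not lost from the repository history readers actually see.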
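Review bot: In the `@@ -1,237 +0,0 @@` hunk for `references/ransomware-tracking.md`, two defects in the removed `search_victim` / `get_recent_ransomware_posts` code are worth noting before the file is restored after review: the `search_victim` URL uses `joshhijom/ransomwatch` while the other two fetches use `joshhighet/ransomwatch`, so that function would 404, and `except: pass` in the date loop swallows every error (including a schema change in `discovered`) and silently returns an empty result. When the file comes back, use one shared URL constant, catch `(KeyError, ValueError)` only, and log skipped records so an empty "recent posts" list is distinguishable from a broken feed.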
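Review bot: In the `@@ -1,247 +0,0 @@` hunk for `references/threat-actor-profiling.md`, the file is removed outright along with the profile template and the alias-resolution guidance, while nothing in the commit says where that material went. If the content is only being reworked, keeping it under a clearly marked path (for example an `archive/` subdirectory) or tagging the tree before deletion would let the other skill references that link to these files keep resolving; as written, the deletion of all three `references/*.md` files in one change has no changelog entry explaining the scope.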
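Review bot: In the `Jieyab-Claude-Skills/README.md` hunk (`@@ -1,13 +1,5 @@`), the new text has typos ("maintence" should be "maintenance", "Thank u" should be "Thank you") and drops every usage instruction, including the skills path and the link `https://code.claude.com/docs/en/skills`, leaving users no pointer to the official documentation. Suggest keeping the doc link and the import path even during maintenance, and fixing the missing newline at end of file that the hunk still carries.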
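Review bot: In the `README.md` hunk (`@@ -1764,6 +1764,7 @@`), the added entry `maigret 2 made by Rust` links to `blob/master/data.json` inside the repository rather than to the repository or a release page, unlike the neighbouring `usersearch`, `blackbird` and `user-scanner` entries, so readers land on a raw data file. Suggest linking to the repository root and rewording the label to something like "maigret (Rust rewrite)" or "written in Rust", after confirming that this fork is the intended project.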