Campaign Development Tracking
5 automated security scanners
Underground Forum Activity Correlation
Purpose: The Underground Forum Activity Correlation Scanner is designed to identify and analyze discussions related to specific domains and companies within underground forums. It aims to detect campaign discussion tracking, target selection conversations, and attack coordination communication by analyzing the content of posts and threads. This tool helps in identifying potential threats and understanding the tactics used by adversaries.
What It Detects:
- Campaign Discussion Tracking: Identifies threads or posts discussing ongoing campaigns targeting the specified domain or company. Patterns include `campaign against {company_name}`, `operation targeting {company_name}`, etc.
- Target Selection Conversations: Detects discussions about selecting targets, including the specified domain or company. Patterns include `selecting targets for {company_name}`, `target identification process for {company_name}`, etc.
- Attack Coordination Communication: Identifies coordinated attack plans or communications related to the specified domain or company. Patterns include `attack coordination for {company_name}`, `coordinated strike against {company_name}`, etc.
- Threat Indicators: Detects known threat indicators such as CVE numbers, malware types, and command-and-control references. Examples of patterns are `CVE-[0-9]{4}-[0-9]+`, `malware|ransomware|trojan`, and `command\s*(?:and|&)\s*control|c2|c&c`.
- Exposure Indicators: Identifies indicators of data exposure, unauthorized access, or breaches. Examples of patterns are `exposed|leaked|breached`, `unauthorized access`, and `data dump`.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
- keyword (string): Specific keyword related to the campaign or threat (e.g., “phishing”)
Business Impact: This scanner is crucial for organizations looking to monitor and understand potential threats posed by adversaries in underground forums. By identifying discussions around campaigns, targets, and attack coordination, it helps in assessing and improving security posture against sophisticated cyber threats.
Risk Levels:
- Critical: Severe vulnerabilities or indicators that directly impact critical systems should be flagged as critical.
- High: High-risk indicators such as malware types and command-and-control references are considered high severity.
- Medium: Medium-level findings may include exposure indicators and broader threat discussions that could lead to significant risks if not addressed promptly.
- Low: Informal or less direct threats can be flagged as low, but they should still be monitored for trends or potential escalation.
- Info: Minimal impact on security posture with little actionable information.
If specific risk levels are not detailed in the README, consider severity based on typical threat indicators and their implications.
Example Findings:
- A thread discussing a new CVE vulnerability affecting critical infrastructure systems (`CVE-[0-9]{4}-[0-9]+`).
- A post mentioning malware types commonly used for data theft (`malware|ransomware|trojan`).
Pastebin Campaign Monitoring
Purpose: The Pastebin Campaign Monitoring Scanner is designed to identify and alert on potential malicious activities such as targeting information sharing, attack instruction distribution, credential/data staging, threat indicators, and exposure indicators related to specific domains and companies. This tool scans Pastebin for patterns that may indicate reconnaissance, exploitation attempts, data breaches, or unauthorized access, providing valuable insights into the security posture of targeted organizations.
What It Detects:
- Targeting Information Sharing: Patterns indicating reconnaissance activities or specific targeting of the organization, such as “targeting acme.com” or “reconnaissance on Acme Corporation.”
- Attack Instruction Distribution: Instructions or guides related to compromising the target domain or company, including topics like “how to exploit acme.com” and “attack vector for Acme Corporation.”
- Credential/Data Staging: Information about stolen credentials, data dumps, or staging areas relevant to the target, such as “credentials for acme.com” and “data dump from Acme Corporation.”
- Threat Indicators: Common threat indicators including CVE numbers, malware types, and command-and-control references like “CVE-2023-12345,” “malware|ransomware|trojan,” and “command\s*(?:and|&)\s*control.”
- Exposure Indicators: Phrases indicating data exposure or unauthorized access, such as “exposed|leaked|breached,” “unauthorized\s+access,” and “data\s+dump.”
Inputs Required:
- domain (string): The primary domain to analyze, e.g., acme.com.
- company_name (string): The company name for statement searching, e.g., “Acme Corporation”.
- keyword (string): Additional keyword related to the campaign, e.g., “phishing”.
Business Impact: Monitoring Pastebin content for these indicators is crucial as it helps in identifying potential breaches and unauthorized access attempts that could lead to significant data exposure or system compromises. This proactive approach enhances security measures and reduces the risk of cyber threats against targeted organizations.
Risk Levels:
- Critical: Findings indicating direct C2 communication, high-value credentials, or critical vulnerabilities (CVE) are considered critical.
- High: Indications of malware distribution, phishing activities, and unauthorized access attempts that could lead to significant data exposure.
- Medium: General reconnaissance activity without actionable intelligence but indicative of potential threats.
- Low: Minimal impact findings such as generic threat indicators not specifying direct malicious intent.
- Info: Non-specific or ambiguous findings that do not directly indicate malicious activities but may require further investigation for informational purposes.
Example Findings:
- A Pastebin post containing “targeting acme.com” and discussing specific vulnerabilities could be flagged as a critical finding due to its direct relevance to the target domain.
- An entry with leaked credentials from Acme Corporation would be considered high risk, highlighting potential unauthorized access attempts against the company.
Threat Actor Infrastructure Expansion
Purpose: The Threat Actor Infrastructure Expansion Scanner is designed to detect potential infrastructure expansion activities by threat actors targeting a specific domain. This helps in identifying and mitigating risks associated with malicious network activity.
What It Detects:
- Domain Variants: Identifies domains that are similar but intentionally misspelled or altered versions of the target domain, which could be a sign of typosquatting. Additionally, it detects common naming conventions used by threat actors to create new infrastructure.
- Certificate Transparency Logs: Monitors for the issuance of new SSL/TLS certificates associated with the target domain and its variants, as well as identifies sudden increases in certificate issuance which could indicate infrastructure expansion.
- Domain Registration Patterns: Analyzes domain registration patterns to identify potential threats such as homograph attacks or registrations of new domains with similar characteristics, and detects unusual registration activities that may indicate malicious intent.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
Business Impact: Identifying and mitigating risks associated with malicious network activity is crucial for maintaining the security posture of organizations. By detecting potential infrastructure expansion activities, this scanner helps in proactively addressing threats before they can cause significant damage.
Risk Levels:
- Critical: The scanner should flag any new domains that are suspiciously similar to the target domain or exhibit unusual registration patterns indicative of malicious intent.
- High: Significant increases in certificate issuance without apparent justification could indicate infrastructure expansion, which is a high-risk finding.
- Medium: Minor anomalies in domain registration activities might not be critical but still warrant investigation for potential threats.
- Low: Informational findings are those that do not pose significant risk and can be monitored or reviewed as part of routine security practices.
- Info: Any new domains with typosquatting characteristics should be flagged as informational to guide further analysis and decision-making.
Example Findings: The scanner might flag a domain variant like “acm3.com” which is similar to the target domain but intentionally misspelled, or detect an unusual spike in certificate issuance that could indicate infrastructure expansion by threat actors.
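The two checks described above, look-alike domain detection and certificate-issuance spike detection, as an added example. This is illustrative code written for this page, not the scanner's own implementation; the homoglyph table, the edit-distance threshold of 2, the severity mapping (Critical for a close look-alike, Medium for a name that merely embeds or re-uses the target label, High for an issuance spike) and the sample inputs are all assumptions chosen to mirror the risk levels listed above.

```python
import re
from statistics import mean, pstdev

# Digit/letter look-alikes used to normalise an observed name before comparing it
# with the monitored domain (constructed table; extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "9": "g"})


def label_of(domain):
    """Second-level label of a domain, lower-cased (assumes a single-label TLD)."""
    return domain.lower().strip(".").split(".")[0]


def normalise(label):
    """Collapse common substitutions so 'acm3' and 'ac-me' both compare as 'acme'."""
    return label.translate(HOMOGLYPHS).replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance: number of single-character insert/delete/replace edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate, target):
    """Return (severity, reason) for an observed domain, or None if unrelated.
    The severity mapping is an assumption drawn from the scanner's risk levels."""
    c, t = label_of(candidate), label_of(target)
    if candidate.lower() == target.lower():
        return None                                   # the monitored domain itself
    if c == t:
        return ("Medium", "same label under a different TLD")
    if normalise(c) == normalise(t):
        return ("Critical", "homoglyph/digit substitution of the target label")
    if edit_distance(c, t) <= 2:
        return ("Critical", "close misspelling of the target label")
    if t in normalise(c):
        return ("Medium", "target label embedded in a longer name")
    return None


def issuance_spike(daily_counts, min_count=5, z=3.0):
    """Flag the last day's certificate count if it exceeds the baseline mean plus
    z standard deviations and an absolute floor (so 1 -> 3 on a quiet domain is ignored)."""
    baseline, today = daily_counts[:-1], daily_counts[-1]
    if len(baseline) < 3:
        return False                                  # not enough history to judge
    return today >= min_count and today > mean(baseline) + z * pstdev(baseline)


def scan(target, observed_domains, daily_cert_counts):
    """Combine both checks into a list of (severity, detail) findings."""
    findings = []
    for d in observed_domains:
        verdict = classify_domain(d, target)
        if verdict:
            findings.append((verdict[0], f"{d}: {verdict[1]}"))
    if issuance_spike(daily_cert_counts):
        findings.append(("High", f"certificate issuance spike: {daily_cert_counts[-1]} certs on the last day"))
    return findings


if __name__ == "__main__":
    # Constructed sample input: names seen in CT logs / new registrations, and
    # per-day certificate counts for the target and its variants (last entry = today).
    seen = ["acm3.com", "acme.net", "acmee.com", "acme-login.net", "example.org", "acme.com"]
    counts = [2, 1, 3, 2, 2, 1, 2, 14]
    for severity, detail in scan("acme.com", seen, counts):
        print(severity, detail)
```

The spike test keys on the final entry of the count series, so it is meant to run once per day over a rolling window; the absolute floor keeps low-volume domains from generating noise when a single renewal batch lands.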
Code Repository Intelligence
Purpose: The Code Repository Intelligence Scanner is designed to detect and analyze malicious activities within specified organizations by identifying attack tool development, exploitation script creation, campaign framework building, and potential vulnerabilities. This scanner helps in detecting threats and safeguarding against cyber attacks by analyzing the content of GitHub repositories.
What It Detects:
- Attack Tool Development: Identifies repository names containing keywords such as “exploit”, “malware”, or “attack”. The scanner searches for files with known attack tool signatures and looks for code patterns indicative of exploit development.
- Exploitation Script Creation: Detects scripts that contain common exploitation techniques like SQL injection, cross-site scripting (XSS), and remote code execution (RCE). It also identifies scripts using obfuscation methods to evade detection.
- Campaign Framework Building: Searches for repository names related to campaign frameworks such as Cobalt Strike or Metasploit. The scanner detects configuration files that set up attack campaigns and looks for documentation explaining how to use these frameworks for malicious purposes.
- Security Advisories and Vulnerability Reports: Identifies security advisories mentioning vulnerabilities in third-party software and searches for reports detailing known exploits and their impact.
- Code Patterns Indicative of Malicious Activity: Uses regex patterns to find suspicious code snippets that may indicate malicious intent, such as data exfiltration, credential harvesting, or unauthorized access.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- github_org (string): GitHub organization name to scan (e.g., “acme-security”)
Business Impact: This scanner is crucial for organizations aiming to maintain a secure and resilient cybersecurity posture by proactively identifying potential threats posed by malicious actors within their code repositories on GitHub. It helps in mitigating risks associated with attack tool development, exploitation script creation, and campaign framework building that could lead to data breaches or system vulnerabilities.
Risk Levels:
- Critical: Findings include repository names containing “exploit”, “malware”, or “attack” keywords, indicating direct involvement in malicious activities.
- High: Findings involve scripts using exploitation techniques like SQL injection, XSS, or RCE, which are critical for security as they can be directly used to exploit systems.
- Medium: Findings include repository names related to campaign frameworks and configuration files that set up attack campaigns, posing a medium risk due to the potential for unauthorized access and data theft.
- Low: Informational findings involve regex patterns detecting suspicious code snippets indicative of malicious intent but not directly harmful without further exploitation.
- Info: These are security advisories and vulnerability reports that highlight known exploits and vulnerabilities in third-party software, providing valuable insights for risk mitigation.
Example Findings:
- A repository named “malicious-repo” containing files with signatures of known malware tools was flagged as an attack tool development finding.
- An exploit script using SQL injection techniques within a repository called “exploit-script-repo” was identified, indicating a high risk for exploitation activities.
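A repository triage routine covering the categories listed above, as an added example that is not the scanner's own code. It models a repository as a name plus a path-to-content map, applies the repository-name keywords and framework names the page lists, a hash-based "known tool signature" lookup, an advisory check, and a few content regexes, and rolls the findings up to one severity per repository. The regexes, the single hash entry (derived from a constructed byte string, not a real tool), the severity mapping and the sample repositories are all assumptions; in practice the file map would be populated from the GitHub API for the configured organization.

```python
import hashlib
import re
from dataclasses import dataclass, field

SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

NAME_KEYWORDS = re.compile(r"exploit|malware|attack", re.I)
FRAMEWORK_NAMES = re.compile(r"cobalt\s*strike|metasploit", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d+")
CONFIG_EXTENSIONS = (".profile", ".rc", ".cna", ".yml", ".yaml", ".json")
ADVISORY_FILES = {"security.md", "advisory.md", "security.txt"}

# Hash-based "known attack tool signature" table. The only entry is a constructed
# placeholder (SHA-256 of a made-up byte string), not the hash of any real tool.
KNOWN_TOOL_HASHES = {
    hashlib.sha256(b"constructed sample tool bytes").hexdigest(): "sample-tool",
}

# Content rules for the categories the scanner describes; severities follow the
# risk levels listed above (assumed mapping).
CONTENT_RULES = [
    ("SQL injection technique", re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1", re.I), "High"),
    ("Obfuscated payload execution", re.compile(r"exec\s*\(\s*base64\.b64decode|eval\s*\(\s*atob\s*\(", re.I), "High"),
    ("Sensitive-file access", re.compile(r"\.ssh/id_rsa|/etc/shadow"), "Low"),
]


@dataclass
class Repo:
    name: str
    files: dict = field(default_factory=dict)   # path -> content (str or bytes)


def scan_repo(repo):
    """Return a list of (category, severity, evidence) findings for one repository."""
    findings = []
    if NAME_KEYWORDS.search(repo.name):
        findings.append(("Attack Tool Development", "Critical", f"repository name: {repo.name}"))
    if FRAMEWORK_NAMES.search(repo.name):
        findings.append(("Campaign Framework Building", "Medium", f"repository name: {repo.name}"))
    for path, content in repo.files.items():
        raw = content if isinstance(content, bytes) else content.encode()
        text = content if isinstance(content, str) else content.decode("utf-8", "replace")
        base = path.rsplit("/", 1)[-1].lower()
        digest = hashlib.sha256(raw).hexdigest()
        if digest in KNOWN_TOOL_HASHES:
            findings.append(("Attack Tool Development", "Critical",
                             f"{path}: matches signature {KNOWN_TOOL_HASHES[digest]}"))
        if base in ADVISORY_FILES:
            cve = CVE_RE.search(text)
            if cve:
                findings.append(("Security Advisory", "Info", f"{path}: {cve.group(0)}"))
            continue   # advisories describe vulnerabilities; skip the exploit-content rules for them
        if base.endswith(CONFIG_EXTENSIONS) and (FRAMEWORK_NAMES.search(path) or FRAMEWORK_NAMES.search(text)):
            findings.append(("Campaign Framework Building", "Medium", f"{path}: framework configuration"))
        for category, rx, severity in CONTENT_RULES:
            m = rx.search(text)
            if m:
                findings.append((category, severity, f"{path}: {m.group(0)!r}"))
    return findings


def overall_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    return max((f[1] for f in findings), key=SEVERITY_ORDER.index, default=None)


# Constructed sample repositories (names and contents invented for this example).
SAMPLE_REPOS = [
    Repo("exploit-script-repo", {"sqli.py": "payload = \"' OR 1=1 --\"\n",
                                 "tools/bin.dat": b"constructed sample tool bytes"}),
    Repo("acme-website", {"SECURITY.md": "Tracking CVE-2023-12345 in a vendor library.",
                          "app.py": "def index():\n    return 'ok'\n"}),
    Repo("infra-tools", {"c2/team.profile": "# Cobalt Strike malleable profile (constructed placeholder)\n"}),
    Repo("utils", {"loader.py": "import base64\nexec(base64.b64decode(BLOB))\n"}),
]

if __name__ == "__main__":
    for repo in SAMPLE_REPOS:
        found = scan_repo(repo)
        print(f"{repo.name}: {overall_severity(found)}")
        for category, severity, evidence in found:
            print(f"  [{severity}] {category}: {evidence}")
```

Skipping the content rules for advisory files matters in practice: a SECURITY.md that explains a past injection bug would otherwise be scored like an exploit script, which is the kind of false positive that erodes trust in the scanner's High findings.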
Dark Web Reconnaissance Chatter
Purpose: The Dark Web Reconnaissance Chatter Scanner is designed to identify and monitor discussions on the dark web related to target research, vulnerability sharing, and exploitation planning. This tool assists organizations in identifying potential threats by monitoring how their domain, company name, and specific keywords are discussed in underground forums.
What It Detects:
- Target Research Discussions: Identifies mentions of the target domain or company name indicating interest or reconnaissance activities.
  - Example Patterns: `acme\.com`, `Acme Corporation`
- Vulnerability Sharing: Detects discussions about known vulnerabilities affecting the target.
  - Example Patterns: `CVE-\d{4}-\d+`
- Exploitation Planning: Identifies detailed planning or coordination of attacks targeting the domain or company.
  - Example Patterns: `malware|ransomware|trojan`, `command\s*(?:and|&)\s*control|c2|c&c`
- Data Exposure Indicators: Looks for mentions of data breaches, leaks, or unauthorized access related to the target.
  - Example Patterns: `exposed|leaked|breached`, `unauthorized\s+access`, `data\s+dump`
- Phishing and Credential Harvesting: Detects discussions about phishing attempts or credential harvesting efforts targeting the domain or company.
  - Example Patterns: `phishing|credential\s+harvesting`
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- company_name (string): Company name for statement searching (e.g., “Acme Corporation”)
- keyword (string): Specific keyword related to the target’s products or services
Business Impact: This scanner is crucial for organizations looking to proactively identify and respond to potential threats on the dark web. By monitoring discussions around their domain, company name, and specific keywords, organizations can better understand the risks associated with unauthorized access and data breaches, allowing them to take immediate action to mitigate these risks.
Risk Levels:
- Critical: Detection of detailed exploitation planning or coordination related to the target’s infrastructure is critical as it could lead to immediate cyber attacks affecting business operations and sensitive information.
- High: Discovery of known vulnerabilities (CVE) or discussions about malware, ransomware, trojan horses, or unauthorized access points are considered high risk as they can expose sensitive data and systems to significant threats.
- Medium: Mention of phishing attempts or credential harvesting activities could be considered medium risk if such activities have the potential to mislead users into divulging confidential information.
- Low: Data exposure indicators like exposed or leaked data might pose a low risk unless linked to specific vulnerabilities affecting the organization’s systems.
- Info: Informational findings about target research and discussions do not directly impact security but can provide insights for strategic planning in cyber defense.
Example Findings:
- A discussion on an underground forum mentions `Acme Corporation` and discusses potential malware targeting their network infrastructure, indicating a high risk of imminent attacks.
- An entry discussing unauthorized access to sensitive data files within the company’s database is flagged as a critical issue that could lead to severe data breaches affecting multiple departments across the organization.
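The three chatter scanners on this page (Underground Forum Activity Correlation, Pastebin Campaign Monitoring and Dark Web Reconnaissance Chatter) all work the same way: fill the `{company_name}` / domain placeholders into the listed regex templates, require that a post actually mentions the monitored organization, then score whichever indicator groups match. The following is an added example of that pipeline, written for this page and not taken from the product. The severity attached to each rule is an assumption modelled on the risk levels above (coordination/exploitation planning Critical; CVE, malware and C2 references High; exposure, phishing and target-selection talk Medium; a bare mention Info), and the sample posts are constructed.

```python
import re
from dataclasses import dataclass

SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

# (category, pattern template, severity). {company} and {domain} are substituted
# at runtime with regex-escaped values so names with dots or spaces match literally.
RULES = [
    ("Attack Coordination", r"attack coordination for {company}|coordinated strike against {company}", "Critical"),
    ("Campaign Discussion", r"campaign against {company}|operation targeting {company}", "High"),
    ("Target Selection", r"selecting targets for {company}|target identification process for {company}", "Medium"),
    ("CVE Reference", r"CVE-\d{4}-\d+", "High"),
    ("Malware Reference", r"malware|ransomware|trojan", "High"),
    ("C2 Reference", r"command\s*(?:and|&)\s*control|\bc2\b|c&c", "High"),
    ("Exposure Indicator", r"exposed|leaked|breached|unauthorized\s+access|data\s+dump", "Medium"),
    ("Phishing / Credential Harvesting", r"phishing|credential\s+harvesting", "Medium"),
]


@dataclass
class Finding:
    category: str
    severity: str
    evidence: str       # the matched text, kept so an analyst can see why it fired


def compile_rules(domain, company_name):
    """Fill the templates for one target and compile them case-insensitively."""
    dom, comp = re.escape(domain), re.escape(company_name)
    compiled = []
    for category, template, severity in RULES:
        pattern = template.replace("{company}", comp).replace("{domain}", dom)
        compiled.append((category, re.compile(pattern, re.IGNORECASE), severity))
    target_re = re.compile(f"{dom}|{comp}", re.IGNORECASE)
    return target_re, compiled


def scan_post(text, domain, company_name):
    """Return findings for one post; an empty list means the post is not about the target."""
    target_re, compiled = compile_rules(domain, company_name)
    hit = target_re.search(text)
    if not hit:
        return []       # generic chatter about someone else is out of scope for this scanner
    findings = [Finding("Target Mention", "Info", hit.group(0))]
    for category, rx, severity in compiled:
        m = rx.search(text)
        if m:
            findings.append(Finding(category, severity, m.group(0)))
    return findings


def overall_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default=None)


# Constructed sample posts (not real forum content).
SAMPLE_POSTS = [
    "Heads up: coordinated strike against Acme Corporation planned, C2 infra is up and ransomware staged.",
    "Selling a data dump leaked from acme.com after unauthorized access, see CVE-2023-12345 for the entry point.",
    "random ransomware chatter about some other shop",
    "Anyone want to help selecting targets for Acme Corporation? nothing set yet",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        found = scan_post(post, "acme.com", "Acme Corporation")
        print(f"{overall_severity(found)}: {post[:60]}")
        for f in found:
            print(f"  [{f.severity}] {f.category}: {f.evidence!r}")
```

The target-mention gate is what keeps the indicator rules from firing on every post that says "ransomware"; without it the scanner degrades into a generic keyword alert. The `keyword` input the scanners accept would slot in as one more template rule alongside the company and domain checks.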