\n", " | TotalBytesSent | \n", "
---|---|
TimeGenerated | \n", "\n", " |
2020-07-06 00:00:00+00:00 | \n", "10823 | \n", "
2020-07-06 01:00:00+00:00 | \n", "14821 | \n", "
2020-07-06 02:00:00+00:00 | \n", "13532 | \n", "
2020-07-06 03:00:00+00:00 | \n", "11947 | \n", "
2020-07-06 04:00:00+00:00 | \n", "11193 | \n", "
\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"Anomalous session start time: 2020-07-10 18:00:00+00:00 - end time: 2020-07-10 22:00:00+00:00
" ], "text/plain": [ "Top talkers during anomalous session:
" ], "text/plain": [ "Target IP: 31.220.60.108
" ], "text/plain": [ "31.220.60.108 is a Public IP address
" ], "text/plain": [ "Whois Registrar Info :
" ], "text/plain": [ "ASN Owner: AS-HOSTINGER, LT
" ], "text/plain": [ "ASN Address: Hostinger International Ltd.\n", "61 Lordou Vyronos\n", "Lumiel Building, 4th floor\n", "6023\n", "Larnaca\n", "CYPRUS
" ], "text/plain": [ "Passive DNS records for 31.220.60.108:
" ], "text/plain": [ "Threat Intel results for 31.220.60.108:
" ], "text/plain": [ "\n", " | Ioc | \n", "IocType | \n", "QuerySubtype | \n", "Provider | \n", "Result | \n", "Severity | \n", "Details | \n", "RawResult | \n", "Reference | \n", "Status | \n", "
---|---|---|---|---|---|---|---|---|---|---|
OTX | \n", "31.220.60.108 | \n", "ipv4 | \n", "None | \n", "OTX | \n", "True | \n", "high | \n", "{'pulse_count': 6, 'names': ['Card Skimmer Found Hitting Vulnerable E-Commerce Sites', 'Credit c... | \n", "{'sections': ['general', 'geo', 'reputation', 'url_list', 'passive_dns', 'malware', 'nids_list',... | \n", "https://otx.alienvault.com/api/v1/indicators/IPv4/31.220.60.108/general | \n", "0 | \n", "
XForce | \n", "31.220.60.108 | \n", "ipv4 | \n", "None | \n", "XForce | \n", "True | \n", "high | \n", "{'score': 7.1, 'cats': {'Malware': 71}, 'categoryDescriptions': {'Malware': 'This category lists... | \n", "{'ip': '31.220.60.108', 'history': [{'created': '2012-03-22T07:26:00.000Z', 'reason': 'Regional ... | \n", "https://api.xforce.ibmcloud.com/ipr/31.220.60.108 | \n", "0 | \n", "
Host to investigate: BlackHatDemoHost
" ], "text/plain": [ "\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"\n", " | resource_id | \n", "name | \n", "resource_type | \n", "location | \n", "tags | \n", "plan | \n", "properties | \n", "kind | \n", "managed_by | \n", "sku | \n", "identity | \n", "state | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|
295 | \n", "/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/BlackHatDemo/providers/Micros... | \n", "BlackHatDemoHost | \n", "Microsoft.Compute/virtualMachines | \n", "eastus | \n", "{'Role': 'Demo'} | \n", "None | \n", "None | \n", "None | \n", "None | \n", "None | \n", "None | \n", "None | \n", "
\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"\n", " | TenantId | \n", "TimeGenerated | \n", "AlertDisplayName | \n", "AlertName | \n", "Severity | \n", "Description | \n", "ProviderName | \n", "VendorName | \n", "VendorOriginalId | \n", "SystemAlertId | \n", "ResourceId | \n", "SourceComputerId | \n", "AlertType | \n", "ConfidenceLevel | \n", "ConfidenceScore | \n", "IsIncident | \n", "StartTimeUtc | \n", "EndTimeUtc | \n", "ProcessingEndTime | \n", "RemediationSteps | \n", "ExtendedProperties | \n", "Entities | \n", "SourceSystem | \n", "WorkspaceSubscriptionId | \n", "WorkspaceResourceGroup | \n", "ExtendedLinks | \n", "ProductName | \n", "ProductComponentName | \n", "AlertLink | \n", "Type | \n", "Computer | \n", "src_hostname | \n", "src_accountname | \n", "src_procname | \n", "host_match | \n", "acct_match | \n", "proc_match | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "52b1ab41-869e-4138-9e40-2a4457f09bf0 | \n", "2020-07-10 19:09:23+00:00 | \n", "Suspicious Activity Detected | \n", "Suspicious Activity Detected | \n", "Medium | \n", "Analysis of host data has detected a sequence of one or more processes running on BlackHatDemoHo... | \n", "Detection-WarmPathV2 | \n", "Microsoft | \n", "e3549ae5-3e95-4be7-8ba8-9e1b9d97e926 | \n", "2518078950729219999_e3549ae5-3e95-4be7-8ba8-9e1b9d97e926 | \n", "/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/BlackHatDemo/providers/Micros... | \n", "73a015ec-e2b6-4bf7-b353-ebeafb54254e | \n", "VM_SuspiciousActivity | \n", "Unknown | \n", "0.0 | \n", "False | \n", "2020-07-10 18:28:47+00:00 | \n", "2020-07-10 18:37:39+00:00 | \n", "2020-07-10 19:09:54+00:00 | \n", "[\\r\\n \"Review each of the individual line items in this alert to see if you recognize them as l... | \n", "{\\r\\n \"Machine Name\": \"BlackHatDemoHos\",\\r\\n \"Command List\": \"FTP session was established.\\nNe... | \n", "[\\r\\n {\\r\\n \"$id\": \"4\",\\r\\n \"HostName\": \"BlackHatDemoHos\",\\r\\n \"AzureID\": \"/subscripti... | \n", "Detection | \n", "40dcc8bf-0478-4f3b-b275-ed0a94f2c013 | \n", "asihuntomsworkspacerg | \n", "\n", " | Azure Security Center | \n", "\n", " | https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518078950729219999_... | \n", "SecurityAlert | \n", "BlackHatDemoHos | \n", "BlackHatDemoHos | \n", "\n", " | \n", " | True | \n", "False | \n", "False | \n", "
1 | \n", "52b1ab41-869e-4138-9e40-2a4457f09bf0 | \n", "2020-07-10 19:09:23+00:00 | \n", "Suspicious Activity Detected | \n", "Suspicious Activity Detected | \n", "Medium | \n", "Analysis of host data has detected a sequence of one or more processes running on BlackHatDemoHo... | \n", "Detection-WarmPathV2 | \n", "Microsoft | \n", "e3549ae5-3e95-4be7-8ba8-9e1b9d97e926 | \n", "95ba8569-5df3-351e-b082-ce9666943e0b | \n", "/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/BlackHatDemo/providers/Micros... | \n", "73a015ec-e2b6-4bf7-b353-ebeafb54254e | \n", "VM_SuspiciousActivity | \n", "Unknown | \n", "0.0 | \n", "False | \n", "2020-07-10 18:28:47+00:00 | \n", "2020-07-10 18:37:39+00:00 | \n", "2020-07-10 19:09:54+00:00 | \n", "[\\r\\n \"Review each of the individual line items in this alert to see if you recognize them as l... | \n", "{\\r\\n \"Machine Name\": \"BlackHatDemoHos\",\\r\\n \"Command List\": \"FTP session was established.\\nNe... | \n", "[\\r\\n {\\r\\n \"$id\": \"4\",\\r\\n \"HostName\": \"BlackHatDemoHos\",\\r\\n \"AzureID\": \"/subscripti... | \n", "Detection | \n", "40dcc8bf-0478-4f3b-b275-ed0a94f2c013 | \n", "asihuntomsworkspacerg | \n", "\n", " | Azure Security Center | \n", "\n", " | https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518078950729219999_... | \n", "SecurityAlert | \n", "BlackHatDemoHos | \n", "BlackHatDemoHos | \n", "\n", " | \n", " | True | \n", "False | \n", "False | \n", "
2 | \n", "52b1ab41-869e-4138-9e40-2a4457f09bf0 | \n", "2020-07-10 18:41:18+00:00 | \n", "RDP Brute Force | \n", "RDP Brute Force | \n", "Medium | \n", "\n", " | ASI Scheduled Alerts | \n", "Microsoft | \n", "52c2edec-dc25-445e-b81a-b54bf44570a3 | \n", "cf949989-cf21-7ae1-5c02-56122b111f43 | \n", "\n", " | \n", " | 52b1ab41-869e-4138-9e40-2a4457f09bf0_765132a3-cf2f-40cf-b45c-cd6be9b942b7 | \n", "Unknown | \n", "NaN | \n", "False | \n", "2020-07-10 18:27:28+00:00 | \n", "2020-07-10 18:27:39+00:00 | \n", "2020-07-10 18:41:18+00:00 | \n", "\n", " | {\\r\\n \"Query\": \"let bruteforce_hosts = (\\r\\nSecurityEvent\\r\\n| where Computer contains \\\"blackh... | \n", "[\\r\\n {\\r\\n \"$id\": \"3\",\\r\\n \"Address\": \"174.127.235.80\",\\r\\n \"Type\": \"ip\"\\r\\n },\\r\\n ... | \n", "Detection | \n", "40dcc8bf-0478-4f3b-b275-ed0a94f2c013 | \n", "asihuntomsworkspacerg | \n", "\n", " | Azure Sentinel | \n", "Scheduled Alerts | \n", "\n", " | SecurityAlert | \n", "BlackHatDemoHos | \n", "BlackHatDemoHos | \n", "\n", " | \n", " | True | \n", "False | \n", "False | \n", "
\n", " | 0 | \n", "
---|---|
TenantId | \n", "52b1ab41-869e-4138-9e40-2a4457f09bf0 | \n", "
TimeGenerated | \n", "2020-07-10 19:09:23+00:00 | \n", "
AlertDisplayName | \n", "Suspicious Activity Detected | \n", "
AlertName | \n", "Suspicious Activity Detected | \n", "
Severity | \n", "Medium | \n", "
Description | \n", "Analysis of host data has detected a sequence of one or more processes running on BlackHatDemoHos that have historically been associated with malicious activity. While individual commands may appear benign the alert is scored based on an aggregation of these commands. This could either be legitimate activity, or an indication of a compromised host. | \n", "
ProviderName | \n", "Detection-WarmPathV2 | \n", "
VendorName | \n", "Microsoft | \n", "
VendorOriginalId | \n", "e3549ae5-3e95-4be7-8ba8-9e1b9d97e926 | \n", "
SystemAlertId | \n", "2518078950729219999_e3549ae5-3e95-4be7-8ba8-9e1b9d97e926 | \n", "
ResourceId | \n", "/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/BlackHatDemo/providers/Microsoft.Compute/virtualMachines/BlackHatDemoHost | \n", "
SourceComputerId | \n", "73a015ec-e2b6-4bf7-b353-ebeafb54254e | \n", "
AlertType | \n", "VM_SuspiciousActivity | \n", "
ConfidenceLevel | \n", "Unknown | \n", "
ConfidenceScore | \n", "0 | \n", "
IsIncident | \n", "False | \n", "
StartTimeUtc | \n", "2020-07-10 18:28:47+00:00 | \n", "
EndTimeUtc | \n", "2020-07-10 18:37:39+00:00 | \n", "
ProcessingEndTime | \n", "2020-07-10 19:09:54+00:00 | \n", "
RemediationSteps | \n", "[\\r\\n \"Review each of the individual line items in this alert to see if you recognize them as legitimate administrative activity.\"\\r\\n] | \n", "
ExtendedProperties | \n", "{'Machine Name': 'BlackHatDemoHos', 'Command List': 'FTP session was established.\n", "New user was created.\n", "PING command was executed.\n", "Administrators group members enumeration.\n", "New user was added to the Administrators group.\n", "New scheduled task was created.', 'Account List': 'BLACKHATDEMOHOS\\timvic', 'compromised host': 'BlackHatDemoHos', 'resourceType': 'Virtual Machine', 'ServiceId': '14fa08c7-c48e-4c18-950c-8148024b4398', 'ReportingSystem': 'Azure'} | \n", "
Entities | \n", "[{'$id': '4', 'HostName': 'BlackHatDemoHos', 'AzureID': '/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/BlackHatDemo/providers/Microsoft.Compute/virtualMachines/BlackHatDemoHost', 'OMSAgentID': '73a015ec-e2b6-4bf7-b353-ebeafb54254e', 'Type': 'host'}, {'$id': '5', 'Name': 'timvic', 'NTDomain': 'BLACKHATDEMOHOS', 'Host': {'$ref': '4'}, 'IsDomainJoined': True, 'Type': 'account'}] | \n", "
SourceSystem | \n", "Detection | \n", "
WorkspaceSubscriptionId | \n", "40dcc8bf-0478-4f3b-b275-ed0a94f2c013 | \n", "
WorkspaceResourceGroup | \n", "asihuntomsworkspacerg | \n", "
ExtendedLinks | \n", "\n", " |
ProductName | \n", "Azure Security Center | \n", "
ProductComponentName | \n", "\n", " |
AlertLink | \n", "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518078950729219999_e3549ae5-3e95-4be7-8ba8-9e1b9d97e926/subscriptionId/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroup/BlackHatDemo/referencedFrom/alertDeepLink/location/centralus | \n", "
Type | \n", "SecurityAlert | \n", "
Computer | \n", "BlackHatDemoHos | \n", "
src_hostname | \n", "BlackHatDemoHos | \n", "
src_accountname | \n", "\n", " |
src_procname | \n", "\n", " |
host_match | \n", "True | \n", "
acct_match | \n", "False | \n", "
proc_match | \n", "False | \n", "
CompromisedEntity | \n", "BlackHatDemoHos | \n", "
\n", " | 0 | \n", "
---|---|
Machine Name | \n", "BlackHatDemoHos | \n", "
Command List | \n", "FTP session was established.\\nNew user was created.\\nPING command was executed.\\nAdministrators group members enumeration.\\nNew user was added to the Administrators group.\\nNew scheduled task was created. | \n", "
Account List | \n", "BLACKHATDEMOHOS\\timvic | \n", "
compromised host | \n", "BlackHatDemoHos | \n", "
resourceType | \n", "Virtual Machine | \n", "
ServiceId | \n", "14fa08c7-c48e-4c18-950c-8148024b4398 | \n", "
ReportingSystem | \n", "Azure | \n", "
\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"Account: timvic Account Domain: BlackHatDemoHos Logon Time: 2020-07-10 18:27:49.790000+00:00 Logon type: 10(RemoteInteractive) User Id/SID: S-1-5-21-3334416894-4278249820-3875274378-1006 SID S-1-5-21-3334416894-4278249820-3875274378-1006 is local machine or domain account Subject (source) account: WORKGROUP/BlackHatDemoHos$ Logon process: User32 Authentication: Negotiate Source IpAddress: 174.127.235.80 Source Host: BlackHatDemoHos Logon status: |
\\n\"+\n \"BokehJS does not appear to have successfully loaded. If loading BokehJS from CDN, this \\n\"+\n \"may be due to a slow or bad network connection. Possible fixes:\\n\"+\n \"
\\n\"+\n \"\\n\"+\n \"from bokeh.resources import INLINE\\n\"+\n \"output_notebook(resources=INLINE)\\n\"+\n \"
\\n\"+\n \"\n", " | reference | \n", "original_string | \n", "file_name | \n", "file_type | \n", "input_bytes | \n", "decoded_string | \n", "encoding_type | \n", "file_hashes | \n", "md5 | \n", "sha1 | \n", "sha256 | \n", "printable_bytes | \n", "src_index | \n", "full_decoded_string | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
8 | \n", "(, 1., 1) | \n", "QWxsIHlvdXIgc2VydmVycyBiZWxvbmcgdG8gZmF4aW5nLW1vbi5iZXN0IG5vdy4= | \n", "unknown | \n", "None | \n", "b'All your servers belong to faxing-mon.best now.' | \n", "All your servers belong to faxing-mon.best now. | \n", "utf-8 | \n", "{'md5': 'c0635c256fbbfb3033a08929d1f90b53', 'sha1': '797345abadcbb2383bdb700444e7a3f46d4f5600', ... | \n", "c0635c256fbbfb3033a08929d1f90b53 | \n", "797345abadcbb2383bdb700444e7a3f46d4f5600 | \n", "05f5c87e10357fd8d720e348579fcd13f4a41dd680c1674511f06d92216a3039 | \n", "41 6c 6c 20 79 6f 75 72 20 73 65 72 76 65 72 73 20 62 65 6c 6f 6e 67 20 74 6f 20 66 61 78 69 6e ... | \n", "c:\\windows\\system32\\cmd.exe0x1a382020-07-10 18:28:47.660000 | \n", "cmd /c echo <decoded type='string' name='[None]' index='1' depth='1'>All your servers belong to... | \n", "
\n", " | IoCType | \n", "Observable | \n", "SourceIndex | \n", "
---|---|---|---|
10 | \n", "ipv4 | \n", "32.220.60.108 | \n", "c:\\windows\\system32\\ping.exe0x20482020-07-10 18:28:47.830000 | \n", "
11 | \n", "dns | \n", "Microsoft.Windows.Photos | \n", "c:\\program files\\windowsapps\\microsoft.windows.photos_2020.19111.24110.0_x64__8wekyb3d8bbwe\\micr... | \n", "
504 | \n", "dns | \n", "AzureEvents.man | \n", "c:\\windows\\system32\\wevtutil.exe0x1f682020-07-10 21:02:11.807000 | \n", "
225 | \n", "ipv4 | \n", "4.0.0.0 | \n", "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\ngen.exe0x14d42020-07-10 18:36:30.583000 | \n", "
2 | \n", "dns | \n", "microsoft.com | \n", "c:\\windows\\system32\\cmd.exe0x26e42020-07-10 18:28:46.993000 | \n", "
OTX | |
pulse_count | 5 |
names | ['Malware - Malware Domain Feed V2 - June 04 2020', 'Malware - Malware Domain Feed V2 - February 10 2020', 'Cosmic Lynx: The Rise of A Russian BEC Group', 'Cosmic Lynx: The Rise of A Russian BEC Group', 'Cosmic Lynx The Rise of Russian BEC'] |
tags | [[], [], ['BEC', 'Phishing', 'social engineering', 'Russia', 'Email', 'COVID-19'], ['BEC', 'Phishing', 'social engineering', 'Russia', 'Email', 'COVID-19'], ['” “ corporate', '” “ matter', '” “ law', 'march', '” “ potential', '” “ new', '” “ possible', 'january', '“ corporate', '” “ liaise', 'august', 'june', 'april']] |
references | [[], [], ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf'], ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf'], ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf']] |
{'alexa': 'http://www.alexa.com/siteinfo/secure-ssl-sec.com',\n", "
'base_indicator': {'access_reason': '',
'access_type': 'public',
'content': '',
'description': '',
'id': 2209997916,
'indicator': 'secure-ssl-sec.com',
'title': '',
'type': 'domain'},
'indicator': 'secure-ssl-sec.com',
'pulse_info': {'count': 5,
'pulses': [{'TLP': 'white',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx.alienvault.com/assets/images/default-avatar.png',
'id': '83138',
'is_following': False,
'is_subscribed': False,
'username': 'otxrobottwo_testing'},
'cloned_from': None,
'comment_count': 0,
'created': '2020-06-04T10:29:56.147000',
'description': 'Command and Control domains for '
'Malware. These domains are '
'extracted from a number of '
'sources, and are suspicious.',
'downvotes_count': 0,
'export_count': 3,
'follower_count': 0,
'groups': [],
'id': '5ed8cd24dea4063ecdd46ff0',
'in_group': False,
'indicator_count': 1436,
'indicator_type_counts': {'domain': 1104,
'hostname': 332},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2020-07-20T02:27:31.705000',
'modified_text': '16 hours ago ',
'name': 'Malware - Malware Domain Feed V2 - June '
'04 2020',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'domain',
'subscriber_count': 95,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx20-web-media.s3.amazonaws.com/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png',
'id': '78495',
'is_following': False,
'is_subscribed': False,
'username': 'otxrobottwo'},
'cloned_from': None,
'comment_count': 0,
'created': '2020-02-10T07:12:56.255000',
'description': 'Command and Control domains for '
'Malware. These domains are '
'extracted from a number of '
'sources, and are suspicious.',
'downvotes_count': 0,
'export_count': 3,
'follower_count': 0,
'groups': [],
'id': '5e4102789c1c8aec95a65738',
'in_group': False,
'indicator_count': 1898,
'indicator_type_counts': {'URL': 25,
'domain': 1408,
'hostname': 465},
'industries': [],
'is_author': False,
'is_modified': True,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2020-07-20T01:55:39.683000',
'modified_text': '16 hours ago ',
'name': 'Malware - Malware Domain Feed V2 - '
'February 10 2020',
'public': 1,
'pulse_source': 'api',
'references': [],
'related_indicator_is_active': 1,
'related_indicator_type': 'domain',
'subscriber_count': 265,
'tags': [],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': 'Cosmic Lynx',
'attack_ids': [],
'author': {'avatar_url': 'https://otx20-web-media.s3.amazonaws.com/media/avatars/user_24260/resized/80/avatar_7b67627076.png',
'id': '24260',
'is_following': False,
'is_subscribed': False,
'username': 'Cyber_Hat'},
'cloned_from': '5f04d03c68918d97811bda03',
'comment_count': 0,
'created': '2020-07-08T09:48:12.031000',
'description': '',
'downvotes_count': 0,
'export_count': 8,
'follower_count': 0,
'groups': [],
'id': '5f05965c766786e334704dd0',
'in_group': False,
'indicator_count': 65,
'indicator_type_counts': {'domain': 65},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2020-07-08T09:48:12.031000',
'modified_text': '12 days ago ',
'name': 'Cosmic Lynx: The Rise of A Russian BEC '
'Group',
'public': 1,
'pulse_source': 'web',
'references': ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf'],
'related_indicator_is_active': 1,
'related_indicator_type': 'domain',
'subscriber_count': 957,
'tags': ['BEC',
'Phishing',
'social engineering',
'Russia',
'Email',
'COVID-19'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': 'Cosmic Lynx',
'attack_ids': [],
'author': {'avatar_url': 'https://otx20-web-media.s3.amazonaws.com/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png',
'id': '2',
'is_following': False,
'is_subscribed': True,
'username': 'AlienVault'},
'cloned_from': None,
'comment_count': 0,
'created': '2020-07-07T19:42:52.567000',
'description': '\"We have observed more than 200 '
'BEC campaigns linked to Cosmic '
'Lynx since July 2019, targeting '
'individuals in 46 countries on six '
'continents. Unlike most BEC groups '
'that are relatively target '
'agnostic, Cosmic Lynx has a clear '
'target profile: large, '
'multinational organizations. '
'Nearly all of the organizations '
'Cosmic Lynx has targeted have a '
'significant global presence and '
'many of them are Fortune 500 or '
'Global 2000 companies.\" -Agari',
'downvotes_count': 0,
'export_count': 66,
'follower_count': 0,
'groups': [],
'id': '5f04d03c68918d97811bda03',
'in_group': False,
'indicator_count': 65,
'indicator_type_counts': {'domain': 65},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2020-07-07T19:42:52.567000',
'modified_text': '12 days ago ',
'name': 'Cosmic Lynx: The Rise of A Russian BEC '
'Group',
'public': 1,
'pulse_source': 'web',
'references': ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf'],
'related_indicator_is_active': 1,
'related_indicator_type': 'domain',
'subscriber_count': 114944,
'tags': ['BEC',
'Phishing',
'social engineering',
'Russia',
'Email',
'COVID-19'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': False,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0},
{'TLP': 'white',
'adversary': '',
'attack_ids': [],
'author': {'avatar_url': 'https://otx20-web-media.s3.amazonaws.com/media/avatars/user_94093/resized/80/avatar_281f69b768.png',
'id': '94093',
'is_following': False,
'is_subscribed': False,
'username': 'Sand-Storm'},
'cloned_from': None,
'comment_count': 0,
'created': '2020-07-07T14:53:12.330000',
'description': '',
'downvotes_count': 0,
'export_count': 10,
'follower_count': 0,
'groups': [],
'id': '5f048c58d60cfdb1a2e82d2e',
'in_group': False,
'indicator_count': 126,
'indicator_type_counts': {'IPv4': 61, 'domain': 65},
'industries': [],
'is_author': False,
'is_modified': False,
'is_subscribing': None,
'locked': False,
'malware_families': [],
'modified': '2020-07-07T14:53:12.330000',
'modified_text': '13 days ago ',
'name': 'Cosmic Lynx The Rise of Russian BEC',
'public': 1,
'pulse_source': 'web',
'references': ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf'],
'related_indicator_is_active': 1,
'related_indicator_type': 'domain',
'subscriber_count': 139,
'tags': ['” “ corporate',
'” “ matter',
'” “ law',
'march',
'” “ potential',
'” “ new',
'” “ possible',
'january',
'“ corporate',
'” “ liaise',
'august',
'june',
'april'],
'targeted_countries': [],
'threat_hunter_has_agents': 1,
'threat_hunter_scannable': True,
'upvotes_count': 0,
'validator_count': 0,
'vote': 0,
'votes_count': 0}],
'references': ['https://www.agari.com/cyber-intelligence-research/whitepapers/acid-agari-cosmic-lynx.pdf']},
'sections': ['general',
'geo',
'url_list',
'passive_dns',
'malware',
'whois',
'http_scans'],
'type': 'domain',
'whois': 'http://whois.domaintools.com/secure-ssl-sec.com'}
Is secure-ssl-sec.com a valid domain? True
" ], "text/plain": [ "Is secure-ssl-sec.com resolvable? True
" ], "text/plain": [ "Is the TLS cert used by secure-ssl-sec.com in abuse.ch's abuse list? False
" ], "text/plain": [ "