Query domain reputation

Introduction

• UUID: e0af39c0-095b-4c31-9e42-2a731928c2a1
• Started from issue 13
• State: Published : demo version with output
• Purpose: This playbook queries the enabled OSINT feeds and the local MISP events for matches with one or more domain name(s).
• • The playbook also queries URLscan for historical scans related to the domains and extracts the screenshots from URLscan. The playbook then uses the MISP modules to look up the DNS resolutions and queries VirusTotal, Shodan and URLhaus for information related to the domains. You can also specify additional entries (indicators or elements to be used for querying these sources).
• • The playbook also looks up the known abuse contacts via abuse_finder. All this information is then included in a summary and send to Mattermost and TheHive.
• Tags: [ "domain", "reputation" ]
• External resources: URLscan, abuse_finder, DNS, URLhaus, Shodan, VirusTotal, Mattermost, TheHive
• Target audience: SOC, CSIRT, CTI
• Graphical workflow

Playbook

• Query domain reputation
• • Introduction
• Preparation
• • PR:1 Initialise environment
• • PR:2 Verify MISP modules
• • PR:3 Load helper functions
• • PR:4 Set helper variables
• • PR:5 What are you searching for?
• • PR:6 MISP event details
• • PR:7 Setup MISP event link
• Investigate
• • IN:1 Context details for the domains
• • IN:2 Add the domains to the event
• Correlation
• • CR:1 Correlation with MISP events
• • CR:2 Correlation with MISP feeds
• Enrichment
• • ER:1 Enrich with information from URLscan
• • ER:2 Enrich with DNS information
• • ER:3 Enrich with abuse information
• • ER:4 Add custom enrichment information
• • ER:5 Review the current MISP event graph
• • ER:6 Enrich with information from VirusTotal
• • ER:7 Enrich with information from Shodan
• • ER:8 Enrich with information from URLhaus
• • ER:9 Add screenshots from URLscan to playbook
• • ER:10 Review and export final MISP event graph
• Summary
• • EN:1 MISP indicators
• • EN:2 Create the summary of the playbook
• • EN:3 Send a summary to Mattermost
• • EN:4 Send an alert to TheHive
• • EN:5 Publish MISP event
• • EN:6 End of the playbook
• External references
• Technical details

Preparation

PR:1 Initialise environment

This section initialises the playbook environment and loads the required Python libraries.

The credentials for MISP (API key) and other services are loaded from the file keys.py in the directory vault. A PyMISP object is created to interact with MISP and the active MISP server is displayed. By printing out the server name you know that it's possible to connect to MISP. In case of a problem PyMISP will indicate the error with PyMISPError: Unable to connect to MISP.

The contents of the keys.py file should contain at least :

misp_url="<MISP URL>"                  # The URL to our MISP server
misp_key="<MISP API KEY>"              # The MISP API key
misp_verifycert=<True or False>        # Indicate if PyMISP should attempt to verify the certificate or ignore errors
urlscan_url="https://urlscan.io/api/v1/search"
urlscan_apikey="<URLSCAN API KEY>"
mattermost_playbook_user="<MATTERMOST USER>"
mattermost_hook="<MATTERMOST WEBHOOK>"
thehive_url="<THEHIVE URL>"
thehive_key="<THEHIVE API KEY>"
virustotal_apikey="<VIRUSTOTAL_APIKEY>"
shodan_apikey="<SHODAN_APIKEY>"

# Initialise Python environment
import urllib3
import sys
import json
import base64
import uuid
import time
import re
from prettytable import PrettyTable, MARKDOWN
from IPython.display import Image, display, display_markdown, HTML
from datetime import date
import requests
from pymisp import *
from pymisp.tools import GenericObjectGenerator
from abuse_finder import domain_abuse, ip_abuse, email_abuse, url_abuse
import textwrap

# Load the credentials
sys.path.insert(0, "../vault/")
from keys import *
if misp_verifycert is False:
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("The \033[92mPython libraries\033[90m are loaded and the \033[92mcredentials\033[90m are read from the keys file.")

# Create the PyMISP object
misp = PyMISP(misp_url, misp_key, misp_verifycert)
misp_headers = {"Authorization": misp_key,  "Content-Type": "application/json", "Accept": "application/json"}
print("I will use the MISP server \033[92m{}\033[90m for this playbook.\n\n".format(misp_url))

The Python libraries are loaded and the credentials are read from the keys file.
I will use the MISP server https://misp.demo.cudeso.be/ for this playbook.

PR:2 Verify MISP modules

This playbook uses the MISP modules to obtain additional correlation or enrichment information. MISP modules are autonomous modules that can be used to extend MISP for new services such as expansion, import and export. The modules are written in Python 3 following a simple API interface. The objective is to ease the extensions of MISP functionalities without modifying core components. The API is available via a simple REST API which is independent from MISP installation or configuration.

In the next cell we check if we have access to the MISP module server and if the required modules are enabled.

# Where can we find the local MISP Module server? You can leave this to the default setting in most cases.
misp_modules_url = "http://127.0.0.1:6666"

# How long do we wait between queries when using the MISP modules (API rate limiting of external service such as VirusTotal)
misp_modules_wait = 3

# Initiliasation
misp_modules = {}
misp_modules_headers = {
    "Content-Type": "application/json",
    "Accept": "application/json"
}
misp_modules_in_use = ["dns", "virustotal_public", "shodan", "urlhaus"]
# Code block to query the MISP module server and check if our modules are enabled
res = requests.get("{}/modules".format(misp_modules_url), headers=misp_modules_headers)
for module in res.json():
    for module_requested in misp_modules_in_use:
        if module.get("name", False) == module_requested:
            misp_modules[module_requested] = {"enabled": True, "input": module.get("mispattributes").get("input")}
            print("Found the \033[92m{}\033[90m MISP module (Accepted input: {}).".format(module_requested, misp_modules[module_requested]["input"]))
print("\n\n")

Found the dns MISP module (Accepted input: ['hostname', 'domain', 'domain|ip']).
Found the shodan MISP module (Accepted input: ['ip-src', 'ip-dst']).
Found the urlhaus MISP module (Accepted input: ['domain', 'hostname', 'ip-src', 'ip-dst', 'md5', 'sha256', 'url']).
Found the virustotal_public MISP module (Accepted input: ['hostname', 'domain', 'ip-src', 'ip-dst', 'md5', 'sha1', 'sha256', 'url']).

PR:3 Load helper functions

The next cell contains helper functions that are used in this playbook.

Instead of distributing helper functions as separate Python files this playbook includes all the required code as one code cell. This makes portability of playbooks between instances easier. The downside is that functions defined in this playbook need to be defined again in other playbooks, which is not optimal for code re-use. For this iteration of playbooks it is chosen to include the code in the playbook (more portability), but you can easily create one "helper" file that contains all the helper code and then import that file in each playbook (for example by adding to the previous cell from helpers import *). Note that the graphical workflow image is included as an external image. A missing image would not influence the further progress of the playbook.

To avoid cluttering the output of the playbook the next code cell is collapsed. You still need to execute it, but you can leave the cell collapsed. Click on the cell to expand it, click on the left bar that indicates the active cell in the Jupyter notebook to collapse it again.

def pb_get_misp_tags(tags=[], local_tags=[]):
    '''
    Get a list of MISP tags based on a Python list

    :param misp: MISP object
    :param object_template: which object template to return
    '''
    misp_tags = []
    for el in tags:
        t = MISPTag()
        t.name = el
        t.local = False
        misp_tags.append(t)

    for el in local_tags:
        t = MISPTag()
        t.name = el
        t.local = True
        misp_tags.append(t)
    return misp_tags


def pb_add_enrichment(playbook_results, field, entry, key, value):
    '''
    Add an enrichment (or correlation) entry but first check that the value is not already there
    
    : param playbook_results: all the enrichment results
    : param field
    : param entry
    : param key
    : param value
    '''
    skip_field = False
    for existing_entry in playbook_results.get(field, []):
        if existing_entry.get(key, False) == value:
            skip_field = True
            print(" Not adding to playbook results because of duplicate. Already added via {}".format(existing_entry.get("source", False)))
    if not skip_field:
        if field in playbook_results:
            playbook_results[field].append(entry)
        else:
            playbook_results[field] = [entry]
    return playbook_results


print("\033[92mHelper functions loaded\033[90m.\n\n".format(misp_url))

Helper functions loaded.

PR:4 Set helper variables

This cell contains helper variables that are used in this playbook. Their usage is explained in the next steps of the playbook.

# Dictionary to playbook results and some of the core objects that are created
playbook_results = {}
case_objects = {}

# A set of regular expressions that we use to determine the attribute type
regular_expressions = {"sha256": "^[a-fA-F0-9]{64}$",
                       "md5": "^[a-fA-F0-9]{32}$",
                       "hostname": "^[a-zA-Z0-9.\-_]+\.[a-zA-Z]{2,}$",
                       "sha1": "^[a-fA-F0-9]{40}$",
                       "url": "^(http|https):\/\/[-a-zA-Z0-9-]{2,256}\.[-a-zA-Z0-9-]{2,256}",
                       "ip-src": "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
                       "ip-dst": "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
                      }

# Variables to hold the output tables. Can also be moved to a dictionary
table_customentries = None
table_mispevents = None
table_mispfeeds = None
table_urlscan = None
table_dns = None
table_abuse = None
table_virustotal = None
table_shodan = None
table_urlhaus = None

PR:5 What are you searching for?

In this section you can define your user input as the domains that you want to investigate with this playbook. The variable query_domain can contain one domain (a 'string') or a list of domains.

The input to this cell is crucial for the further progress of this playbook.

# Provide one or more domain names
query_domain = ["qwepoi123098.com", "mikeylinehan.com"]

# Simple function to make a list. Makes it more consistent to work with the user input in the next cells.
if type(query_domain) == str:
    query_domain =[query_domain]
print("The playbook will do the domain reputation query for \033[92m{}\033[90m\n".format(query_domain))

The playbook will do the domain reputation query for ['qwepoi123098.com', 'mikeylinehan.com']

PR:6 MISP event details

Event title

In this playbook we create a new MISP event with title Domain reputation investigation for domainlist. You get the chance to override this default title but remember that it is good practice to choose a self-explanatory event title. This event title is shown in the MISP event index and should provide you the necessary information what the event is about. You should avoid using generic event titles. Read the Best Practices in Threat Intelligence for further guidance.

Contexualisation

This playbook adds event contexualisation via the tags that are defined in event_additional_global_tags (for global tags) and event_additional_local_tags (for local tags). As a reminder, whereas global tags remain attached to the events that you share with your community, the local tags are not shared outside your organisation. It's also a good idea to primarily use tags that are part of a taxonomy, this allows you to make the contexualisation more portable accross multiple MISP instances.

In this playbook the list of tags is build via one of the helper functions pb_get_misp_tags. This function takes two arguments, first a list of tags to convert as global tags, and secondly a list of tags to convert as local tags. It then returns a Python list of MISPTag objects.

Traffic Light Protocol

The default TLP for this event is tlp:amber. The Traffic Light Protocol (TLP) facilitates sharing of potentially sensitive information and allows for more effective collaboration. TLP is a set of four standard labels to indicate the sharing boundaries to be applied by the recipients. TLP is always set by the creator of information. You can find more information at FIRST. You can specify the TLP via event_tlp.

MISP Galaxies

This playbook can also add MISP galaxies to the event with the variable event_galaxies. A common galaxy is for example T1583/001. You can also leave the list empty if you do not want to add galaxies in this stage of the investigation.

MISP distribution, threat level and analysis level

Optionally you can specifiy a MISP distribution (with event_distribution), threat level (with event_threat_level_id) or analysis state (with event_analysis). The event date is set to today via event_date.

If you cannot remember the options for distribution, threat level or the analysis state then use the next cell to guide you. This cell is set as raw. If you change its type to code and execute the cell you get an overview of the options available for creating a MISP event.

# This cell is 'raw' by default. Change it to 'code' to execute it. print("Distribution value") for e in Distribution: print(" ", e.value, "=", e) print("\n") print("Threat level") for e in ThreatLevel: print(" ", e.value, "=", e) print("\n") print("Analysis level") for e in Analysis: print(" ", e.value, "=", e)

PR:7 Setup MISP event link

By default the playbook will generate a title with a prefix and the domains you want to investigate. You can override this event title with the variable event_title. If you leave this value empty the playbook will generate the MISP event title for you.

# Provide the event title for a new event. Leave blank for the playbook to auto generate one
event_title = ""

# Prefix for auto generate event title
event_title_default_prefix = "Domain reputation investigation"

# Optionally, you can change TLP, add additional event (local and global) tags, threatlevel, analysis state or distribution level
event_tlp = "tlp:amber"

# Event context
event_additional_global_tags = []                                 # This needs to be a Python list
event_additional_local_tags = ["workflow:state=\"incomplete\""]   # This needs to be a Python list

# Event galaxies
event_galaxies = ["misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\""]

# Additional MISP event settings
event_threat_level_id = ThreatLevel.low
event_analysis = Analysis.ongoing
event_distribution = Distribution.your_organisation_only
event_date = date.today()

Create MISP event

The next code cell will create the MISP event and store the references to the newly created event in the variable misp_event. This variable is used further when the playbook progresses.

# Code block to create the event or add data to an existing event
event_title = event_title.strip()

if not(event_title is str and len(event_title) > 0):
    event_title = "{} for {}".format(event_title_default_prefix, ' '.join(query_domain))

# Construct the event tags
event_additional_global_tags.append(event_tlp)
event_additional_global_tags.append(event_galaxies)
event_tags = pb_get_misp_tags(event_additional_global_tags, event_additional_local_tags)

# Create the PyMISP object for an event
event = MISPEvent()
event.info = event_title
event.distribution = event_distribution
event.threat_level_id = event_threat_level_id
event.analysis = event_analysis
event.set_date(event_date)

# Create the MISP event on the server side
misp_event = misp.add_event(event, pythonify=True)
print("Continue the playbook with the new \033[92mcreated\033[90m MISP event ID {} with title \033[92m{}\033[90m and UUID {}".format(misp_event.id, misp_event.info, misp_event.uuid))
for tag in event_tags:
    misp.tag(misp_event.uuid, tag, local=tag.local)
    print("\033[92mAdded\033[90m event tag {}".format(tag))
print("\n\n")

Continue the playbook with the new created MISP event ID 2653 with title Domain reputation investigation for qwepoi123098.com mikeylinehan.com and UUID d8a4e911-6d65-4076-b563-76dcdf4ce0cf
Added event tag <MISPTag(name=tlp:amber)>
Added event tag <MISPTag(name=['misp-galaxy:mitre-attack-pattern="Domains - T1583.001"'])>
Added event tag <MISPTag(name=workflow:state="incomplete")>

Investigate

IN:1 Context details for the domains

In this section you can set the context details (tags) for the (domain) attributes via the variable attribute_tags. These tags are used when the domains are added as an object to the MISP event.

attribute_tags = pb_get_misp_tags(["PAP:GREEN", "course-of-action:passive=\"discover\""])

IN:2 Add the domains to the event

Before we query the MISP events or the external data sources we first add the domains that are under investigation as domain-ip objects to our events.

for domain in query_domain:
    domain_object = MISPObject("domain-ip")
    domain_object.add_attribute("domain", domain, tags=attribute_tags, comment="Added by playbook")
    result = misp.add_object(misp_event.uuid, domain_object, pythonify=True)
    if not "errors" in result:
        case_objects[domain] = result
        playbook_results[domain] = []
        print("\033[92mAdded\033[90m object for {} with UUID {}".format(domain, result.uuid))
    else:
        print(result)
print("\n")

Added object for qwepoi123098.com with UUID a7a25778-311f-497a-8cde-5f3391337bca
Added object for mikeylinehan.com with UUID 2d534b25-47d9-4a8f-a14d-51838e5a09b5

Correlation

CR:1 Correlation with MISP events

This cell searches the MISP server for events that have a match with one of the domains previously specified. A summary of the correlation is also shown at the end of the playbook.

Only published events (correlation_published) and attributes that have the to_ids flag (correlation_to_ids) set are take into account. There is a default limit of 1000 hits (correlation_limit) and you can limit the search with tags (correlation_match_tags).

# Only query for published MISP events
correlation_published = True

# Only consider those values that have the to_ids field set to True
correlation_to_ids = True

# Limit the returned results to 1000 attributes
correlation_limit = 1000

# Only return results corresponding with these tags
correlation_match_tags = ["tlp:amber", "tlp:white"]

# Code block to query MISP and find the correlations
if len(query_domain) > 0:
    search_match = misp.search("attributes", to_ids=correlation_to_ids, value=query_domain, tags=correlation_match_tags,
                                   published=correlation_published, limit=correlation_limit, pythonify=True)
    if len(search_match) > 0:
        for attribute in search_match:
            if attribute.Event.id != misp_event.id:   # Skip the event we just created for this playbook
                print("Found \033[92m{}\033[90m in \033[92m{}\033[90m".format(attribute.value, attribute.Event.info))
                entry = {"source": "MISP", "category": attribute.category, "type": attribute.type, "event_id": attribute.Event.id, "event_info": attribute.Event.info, "enriched": attribute.value}
                playbook_results = pb_add_enrichment(playbook_results, attribute.value, entry, "event_id", attribute.Event.id)
        print("\n")
    else:
        print("\033[93mNo correlating MISP events found")
else:
    print("\033[93mNo correlating MISP events found")

Found mikeylinehan.com in M2M -  GlobeImposter "..doc" 2018-01-12 : "Unpaid invoice " - "1234567.7z"
Found qwepoi123098.com in CrowdStrike Falcon Platform Detects and Prevents Active Intrusion Campaign Targeting 3CXDesktopApp Customers

MISP events correlation table

The correlation results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Event", "Event ID"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Event"] = "l"
table.align["Event ID"] = "l"
table._max_width = {"Event": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "MISP":
            table.add_row([match["source"], domain, match["category"], match["type"], match["event_info"], match["event_id"]])
print(table.get_string(sortby="Value"))
table_mispevents = table

+--------+------------------+------------------+----------+----------------------------------------------------+----------+
| Source | Value            | Category         | Type     | Event                                              | Event ID |
+--------+------------------+------------------+----------+----------------------------------------------------+----------+
|  MISP  | mikeylinehan.com | Network activity | hostname | M2M -  GlobeImposter "..doc" 2018-01-12 : "Unpaid  | 2051     |
|        |                  |                  |          | invoice " - "1234567.7z"                           |          |
|  MISP  | qwepoi123098.com | Network activity | domain   | CrowdStrike Falcon Platform Detects and Prevents   | 2540     |
|        |                  |                  |          | Active Intrusion Campaign Targeting 3CXDesktopApp  |          |
|        |                  |                  |          | Customers                                          |          |
+--------+------------------+------------------+----------+----------------------------------------------------+----------+

CR:2 Correlation with MISP feeds

This cell searches the MISP feeds for events that have a match with the domains you specified in query_domain. The output of this cell is a table with all the matches. The output is also repeated at the end of the playbook.

Note that the correlation lookup in the MISP feeds does not return the name of the MISP event, it returns the UUID of the event as title.

if len(query_domain) > 0:
    misp_cache_url = "{}/feeds/searchCaches/".format(misp_url)
    match = False
    for domain in query_domain:
        # Instead of GET, use POST (https://github.com/MISP/MISP/issues/7478)
        cache_results = requests.post(misp_cache_url, headers=misp_headers, verify=misp_verifycert, json={"value": domain})
        for result in cache_results.json():
            if "Feed" in result:
                match = True
                print("Found \033[92m{}\033[90m in \033[92m{}\033[90m".format(domain, result["Feed"]["name"]))
                for match in result["Feed"]["direct_urls"]:
                    entry = {"source": "Feeds", "feed_name": result["Feed"]["name"], "match_url": match["url"]}
                    playbook_results = pb_add_enrichment(playbook_results, domain, entry, "match_url", match["url"])
    if not match:
        print("\033[93mNo correlating information found in MISP feeds.\n\n")
else:
    print("\033[93mNo correlating information found in MISP feeds.\n\n")

Found mikeylinehan.com in CIRCL OSINT Feed

MISP feed correlations table

The correlation results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Feed", "URL"]
table.align["Value"] = "l"
table.align["Feed"] = "l"
table.align["Feed URL"] = "l"
table._max_width = {"Feed": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "Feeds":
            table.add_row([match["source"], domain, match["feed_name"], match["match_url"]])
print(table.get_string(sortby="Value"))
table_mispfeeds = table

+--------+------------------+------------------+---------------------------------------------------------------------------------------+
| Source | Value            | Feed             |                                          URL                                          |
+--------+------------------+------------------+---------------------------------------------------------------------------------------+
| Feeds  | mikeylinehan.com | CIRCL OSINT Feed | https://misp.demo.cudeso.be/feeds/previewEvent/1/5a607314-de88-4309-ba06-c4a9950d210f |
+--------+------------------+------------------+---------------------------------------------------------------------------------------+

Enrichment

ER:1 Enrich with information from URLscan

URLscan

This section queries URLscan.io for scan results of the domains that are under investigation. Note that there is also a MISP enrichment module for URLscan but that module is not used in this playbook. This playbook required more flexibility in handling the results from URLscan.

Query time

Note that execution of this cell takes a couple of seconds.

# Code block to query URLscan
replace_urlscan = ["+", "-", "=", "&&", "||", ">", "<", "!", "(", ")", "{", "}", "[", "]", "^", "~", "*", "?", ":", "/"]
module_source = "URLscan.io"
comment_default = "From {}".format(module_source)
for domain in query_domain:
    domain = domain.strip()
    for k in replace_urlscan:
        domain = domain.replace(k, "\{}".format(k))      # Required by URLscan to avoid errors in the submit
    enrichment = []
    headers = {"API-Key": urlscan_apikey, "Content-Type": "application/json", "Cache-Control": "no-cache"}
    result = requests.get("{}/?q=domain:{}".format(urlscan_url, domain), headers=headers)

    if result.status_code == 200 and result.json().get("total") > 0:
        print("Received {} URLscan results for \033[92m{}\033[90m".format(result.json().get("total"), domain))
        for el in result.json().get("results"):
            screenshot_data = requests.get(el["screenshot"])
            enrichment.append({
                    "url": el["page"]["url"],
                    "ip": el["page"].get("ip", False),
                    "server": el["page"].get("server", "Unknown").strip(),
                    "title": el["page"].get("title", "").strip(),
                    "result": el["result"],
                    "screenshot": el["screenshot"],
                    "screenshot_data": screenshot_data,
                    "time": el["task"].get("time", False),
                    "umbrellaRank": el["page"].get("umbrellaRank", False)
            })

        for enriched in enrichment:
            b_screenshot_data = False
            if "url" in enriched:
                print(" Got analysis result for \033[92m{}\033[90m".format(enriched["url"]))
                entry = {"source": module_source, "category": "Network activity", "type": "url", "enriched": enriched["url"]}
                playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", enriched["url"])
                url_object = MISPObject("url")
                url_object.add_attribute("url", enriched["url"], comment=comment_default)
                url_object.comment = "{} {}".format(comment_default, enriched["result"])
                if "time" in enriched:
                    url_object.last_seen = enriched["time"]
                    url_object.first_seen = enriched["time"]
                    url_object.add_attribute("first-seen", enriched["time"], comment=comment_default)
                    url_object.add_attribute("last-seen", enriched["time"], comment=comment_default)
                if "title" in enriched and enriched["title"]:
                    url_object.add_attribute("text", enriched["title"], comment=comment_default)
                if "ip" in enriched and enriched["ip"]:
                    url_object.add_attribute("ip", enriched["ip"], comment=comment_default)
                    print(" Got \033[92m{}\033[90m".format(enriched["ip"]))
                    entry = {"source": module_source, "category": "Network activity", "type": "ip-dst", "enriched": enriched["ip"]}
                    playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", enriched["ip"])
                url_object_misp = misp.add_object(misp_event.uuid, url_object, pythonify=True)
                if not "errors" in url_object_misp:
                    misp.add_object_reference(url_object_misp.add_reference(case_objects[domain].uuid, "linked-to"))
                    if enriched["url"] not in case_objects:
                        case_objects[enriched["url"]] = url_object_misp                    
                else:
                    print(url_object_misp)

                if "screenshot" in enriched:
                    b_screenshot_data = base64.b64encode(enriched["screenshot_data"].content).decode('utf-8')
                    attribute = MISPAttribute()
                    attribute.value = "screenshot-{}-{}".format(domain, enriched["screenshot"].split("screenshots/")[1])
                    attribute.to_ids = False
                    attribute.type = "attachment"
                    attribute.disable_correlation = True
                    attribute.comment = comment_default
                    screenshot_time = ""
                    if "time" in enriched:
                        attribute.last_seen = enriched["time"]
                        attribute.first_seen = enriched["time"]
                        screenshot_time = enriched["time"]
                    attribute.data = b_screenshot_data
                    attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)                    
                    entry = {"source": module_source, "screenshot_url": enriched["url"], "screenshot_urlscan": enriched["screenshot"], "screenshot_name": attribute.value, "screenshot": b_screenshot_data, "screenshot_time": screenshot_time}
                    playbook_results = pb_add_enrichment(playbook_results, domain, entry, "screenshot", b_screenshot_data)
                    if not "errors" in attribute_misp:
                        misp.add_object_reference(url_object_misp.add_reference(attribute_misp.uuid, "screenshot-of"))
                    else:
                        print(attribute_misp)

                if "server" in enriched and enriched["server"] and enriched["server"] not in ["Unknown"]:
                    already_there = misp.search("attributes", value="server: {}".format(enriched["server"]), uuid=misp_event.uuid, to_ids=False, type="comment", category="Other", limit=1, pythonify=True)
                    if len(already_there) < 1:
                        attribute = MISPAttribute()
                        attribute.category = "Other"
                        attribute.type = "comment"
                        attribute.value = "server: {}".format(enriched["server"])
                        attribute.to_ids = False
                        attribute.disable_correlation = False
                        attribute.comment = comment_default
                        if "time" in enriched:
                            attribute.last_seen = enriched["time"]
                            attribute.first_seen = enriched["time"]
                        attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
                        entry = {"source": module_source, "category": "Other", "type": "server", "enriched": enriched["server"]}
                        playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", enriched["server"])
                    else:
                        attribute_misp = already_there[0]
                    if not "errors" in attribute_misp:
                        misp.add_object_reference(url_object_misp.add_reference(attribute_misp.uuid, "related-to"))
                    else:
                        print(attribute_misp)
                        
                if "umbrellaRank" in enriched and enriched["umbrellaRank"]:
                    already_there = misp.search("attributes", value="umbrellaRank: {}".format(enriched["umbrellaRank"]), uuid=misp_event.uuid, to_ids=False, type="text", category="External analysis", limit=1, pythonify=True)
                    if len(already_there) < 1:
                        attribute = MISPAttribute()
                        attribute.category = "External analysis"
                        attribute.type = "text"
                        attribute.value = "umbrellaRank: {}".format(enriched["umbrellaRank"])
                        attribute.to_ids = False
                        attribute.disable_correlation = False
                        attribute.comment = comment_default
                        if "time" in enriched:
                            attribute.last_seen = enriched["time"]
                            attribute.first_seen = enriched["time"]
                        attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
                        entry = {"source": module_source, "category": "Other", "type": "umbrellaRank", "enriched": enriched["umbrellaRank"]}
                        playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", enriched["umbrellaRank"])
                    else:
                        attribute_misp = already_there[0]
                    if not "errors" in attribute_misp:
                        misp.add_object_reference(url_object_misp.add_reference(attribute_misp.uuid, "ranked-with"))
                    else:
                        print(attribute_misp)

print("Finished URLscan enrichment.\n\n")

Received 8 URLscan results for qwepoi123098.com
 Got analysis result for http://qwepoi123098.com/
 Got 50.116.17.41
 Got analysis result for https://qwepoi123098.com/
 Got analysis result for https://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 50.116.17.41
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 104.194.215.229
 Got analysis result for http://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 104.194.215.229
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 104.194.215.229
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://qwepoi123098.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 104.194.215.229
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
Received 5 URLscan results for mikeylinehan.com
 Got analysis result for https://www.mikeylinehan.com/
 Got 198.185.159.144
 Got analysis result for http://mikeylinehan.com/
 Got 199.188.200.96
 Got analysis result for http://mikeylinehan.com/
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 199.188.200.96
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://mikeylinehan.com/kjdfhg874
 Got 199.188.200.96
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got analysis result for http://mikeylinehan.com/kjdfhg874
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got 199.188.200.96
 Not adding to playbook results because of duplicate. Already added via URLscan.io
Finished URLscan enrichment.

URLscan enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This playbook has the "enrichment" code and the "table" code in two different code cells. Although this requires you to execute two code cells, it provides you the advantage of being to print out the table, without having to go through the entire enrichment code again. This table returns only those matches corresponding with the source URLscan.io.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "URLscan.io":
            if "category" in match and "type" in match:
                table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
            elif "screenshot_name" in match:
                table.add_row([match["source"], domain, "", "screenshot", "{} for {}".format(match["screenshot_name"], match["screenshot_url"])])
print(table.get_string(sortby="Value"))
table_urlscan = table

+------------+------------------+------------------+--------------+----------------------------------------------------+
|   Source   | Value            | Category         | Type         | Enriched                                           |
+------------+------------------+------------------+--------------+----------------------------------------------------+
| URLscan.io | mikeylinehan.com |                  | screenshot   | screenshot-mikeylinehan.com-083df698-5833-403d-86c |
|            |                  |                  |              | 9-c831d88efd79.png for                             |
|            |                  |                  |              | http://mikeylinehan.com/kjdfhg874                  |
| URLscan.io | mikeylinehan.com |                  | screenshot   | screenshot-mikeylinehan.com-5078b872-1baa-41be-a2d |
|            |                  |                  |              | 4-55d097ebc0ef.png for http://mikeylinehan.com/    |
| URLscan.io | mikeylinehan.com |                  | screenshot   | screenshot-mikeylinehan.com-                       |
|            |                  |                  |              | aabf1a98-03f6-497b-a5de-9b6a74f35854.png for       |
|            |                  |                  |              | https://www.mikeylinehan.com/                      |
| URLscan.io | mikeylinehan.com |                  | screenshot   | screenshot-mikeylinehan.com-f2ec917b-e9be-4497-a4e |
|            |                  |                  |              | b-a55401dd1a2a.png for                             |
|            |                  |                  |              | http://mikeylinehan.com/kjdfhg874                  |
| URLscan.io | mikeylinehan.com | Network activity | ip-dst       | 198.185.159.144                                    |
| URLscan.io | mikeylinehan.com | Network activity | ip-dst       | 199.188.200.96                                     |
| URLscan.io | mikeylinehan.com | Network activity | url          | http://mikeylinehan.com/                           |
| URLscan.io | mikeylinehan.com | Network activity | url          | http://mikeylinehan.com/kjdfhg874                  |
| URLscan.io | mikeylinehan.com | Network activity | url          | https://www.mikeylinehan.com/                      |
| URLscan.io | mikeylinehan.com | Other            | server       | Apache                                             |
| URLscan.io | qwepoi123098.com |                  | screenshot   | screenshot-qwepoi123098.com-0ebce94f-7291-4067-99e |
|            |                  |                  |              | 1-049c29992008.png for http://qwepoi123098.com/    |
| URLscan.io | qwepoi123098.com |                  | screenshot   | screenshot-qwepoi123098.com-b3402713-fa1e-4e47-a16 |
|            |                  |                  |              | c-624c0450aa8a.png for http://qwepoi123098.com/    |
| URLscan.io | qwepoi123098.com |                  | screenshot   | screenshot-qwepoi123098.com-                       |
|            |                  |                  |              | bb24693a-59f8-4e77-a939-9eca17126484.png for       |
|            |                  |                  |              | https://qwepoi123098.com/                          |
| URLscan.io | qwepoi123098.com | Network activity | ip-dst       | 104.194.215.229                                    |
| URLscan.io | qwepoi123098.com | Network activity | ip-dst       | 50.116.17.41                                       |
| URLscan.io | qwepoi123098.com | Network activity | url          | http://qwepoi123098.com/                           |
| URLscan.io | qwepoi123098.com | Network activity | url          | https://qwepoi123098.com/                          |
| URLscan.io | qwepoi123098.com | Other            | server       | Microsoft-HTTPAPI/2.0                              |
| URLscan.io | qwepoi123098.com | Other            | umbrellaRank | 468477                                             |
| URLscan.io | qwepoi123098.com | Other            | umbrellaRank | 752465                                             |
+------------+------------------+------------------+--------------+----------------------------------------------------+

ER:2 Enrich with DNS information

The next cell will query the MISP DNS module and add the DNS resolution result as a MISP domain-ip object. This new object is also linked to the domain via a relation resolves-to. The resulting IP addresses can later be used by the VirusTotal and other MISP modules for enrichment.

This module uses the default DNS resolver defined in the MISP module (8.8.8.8) but you can also specify your own DNS server with module_dnsserver.

# DNS server to use. Leave blank to use 8.8.8.8 (default MISP module)
module_dnsserver = ""

module_name = "dns"
module_source = "DNS"
module_comment = "From {}".format(module_source)

if misp_modules[module_name]["enabled"] and len(query_domain) > 0:
    for value in query_domain:
        attribute_type = "domain"
        data = {
            "domain": f"{value}",
            "module": module_name
        }
        if len(module_dnsserver) > 0:
            data["config"] = { "nameserver": module_dnsserver }
        print("Query \033[92m{}\033[90m".format(value))
        result = requests.post("{}/query".format(misp_modules_url), headers=misp_modules_headers, json=data)
        #pprint(result.json())
        if "results" in result.json() and len(result.json()["results"]) > 0:
            result_json = result.json()["results"]
            for entry in result_json:
                if "values" in entry:
                    for module_value in entry["values"]:
                        ip_object = MISPObject("domain-ip")
                        ip_object.add_attribute("ip", module_value, comment=module_comment)
                        ip_object_misp = misp.add_object(misp_event.uuid, ip_object, pythonify=True)
                        if not "errors" in ip_object_misp:
                            case_objects[module_value] = ip_object_misp
                            misp.add_object_reference(case_objects[value].add_reference(ip_object_misp.uuid, "resolves-to"))
                            print(" Got \033[92m{}\033[90m".format(module_value))
                            entry = {"source": module_source, "category": "Network activity", "type": "ip-dst", "enriched": module_value}
                            playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", module_value)

print("Finished DNS enrichment.\n\n")

Query qwepoi123098.com
 Got 50.116.17.41
Query mikeylinehan.com
Finished DNS enrichment.

DNS enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This table returns only those matches corresponding with the source DNS.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "DNS":
            table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
print(table.get_string(sortby="Value"))
table_dns = table

+--------+------------------+------------------+--------+--------------+
| Source | Value            | Category         | Type   | Enriched     |
+--------+------------------+------------------+--------+--------------+
|  DNS   | mikeylinehan.com | Network activity | ip-dst | 50.116.17.41 |
+--------+------------------+------------------+--------+--------------+

ER:3 Enrich with abuse information

The next cell uses the abuse_finder information to get the most appropriate contact details for abuse reports. These contain details are also added as MISP attributes, either whois-registrant-name or whois-registrant-email.

The first cell will look up the details for the domains. The second cell looks up the details for the IP addresses.

Optionally you can specify the relationship type with the variable relationtype (by default it is associated-with).

# Relationship type for abuse records
relationtype = "associated-with"

module_source = "abuse_finder"
module_comment = "From {}".format(module_source)

# Lookup abuse details for the domains
for domain in query_domain:
    print("Trying \033[92m{}\033[90m".format(domain))
    details = domain_abuse(domain)
    if "names" in details:
        attribute_category = "Attribution"
        attribute_type = "whois-registrant-name"
        for name in details["names"]:
            print(" Got \033[92m{}\033[90m".format(name))
            entry = {"source": module_source, "category": attribute_category, "type": attribute_type, "enriched": name}
            playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", name)
            
            attribute = MISPAttribute()
            attribute.value = name
            attribute.to_ids = False
            attribute.category = attribute_category
            attribute.type = attribute_type
            attribute.disable_correlation = True
            attribute.comment = "{}. Information for {}".format(module_comment, domain)
            attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
            if not "errors" in attribute_misp:
                misp.add_object_reference(case_objects[domain].add_reference(attribute_misp.uuid, relationtype))
            else:
                print(attribute_misp)
    if "abuse" in details:
        attribute_category = "Attribution"
        attribute_type = "whois-registrant-email"
        for name in details["abuse"]:
            print(" Got \033[92m{}\033[90m".format(name))
            entry = {"source": module_source, "category": "Attribution", "type": "whois-registrant-email", "enriched": name}
            playbook_results = pb_add_enrichment(playbook_results, domain, entry, "enriched", name)

            attribute = MISPAttribute()
            attribute.value = name
            attribute.to_ids = False
            attribute.category = attribute_category
            attribute.type = attribute_type
            attribute.disable_correlation = True
            attribute.comment = "{}. Information for {}".format(module_comment, domain)
            attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
            if not "errors" in attribute_misp:
                misp.add_object_reference(case_objects[domain].add_reference(attribute_misp.uuid, relationtype))
            else:
                print(attribute_misp)
        
print("Finished abuse_finder enrichment for domains.\n\n")

Trying qwepoi123098.com
 Got NameCheap, Inc.
 Got abuse@namecheap.com
Trying mikeylinehan.com
Finished abuse_finder enrichment for domains.

# Lookup abuse details for the IP addresses
for ip in case_objects:
    if re.match(r"{}".format(regular_expressions["ip-dst"]), ip):
        print("Trying \033[92m{}\033[90m".format(ip))
        details = ip_abuse(ip)
        if "names" in details:
            attribute_category = "Attribution"
            attribute_type = "whois-registrant-name"
            for name in details["names"]:
                print(" Got \033[92m{}\033[90m".format(name))
                entry = {"source": module_source, "category": attribute_category, "type": attribute_type, "enriched": name}
                playbook_results = pb_add_enrichment(playbook_results, ip, entry, "enriched", name)

                attribute = MISPAttribute()
                attribute.value = name
                attribute.to_ids = False
                attribute.category = attribute_category
                attribute.type = attribute_type
                attribute.disable_correlation = True
                attribute.comment = "{}. Information for {}".format(module_comment, ip)
                attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
                if not "errors" in attribute_misp:
                    misp.add_object_reference(case_objects[ip].add_reference(attribute_misp.uuid, relationtype))
                else:
                    print(attribute_misp)
        if "abuse" in details:
            attribute_category = "Attribution"
            attribute_type = "whois-registrant-email"
            for name in details["abuse"]:
                print(" Got \033[92m{}\033[90m".format(name))
                entry = {"source": module_source, "category": "Attribution", "type": "whois-registrant-email", "enriched": name}
                playbook_results = pb_add_enrichment(playbook_results, ip, entry, "enriched", name)

                attribute = MISPAttribute()
                attribute.value = name
                attribute.to_ids = False
                attribute.category = attribute_category
                attribute.type = attribute_type
                attribute.disable_correlation = True
                attribute.comment = "{}. Information for {}".format(module_comment, ip)
                attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
                if not "errors" in attribute_misp:
                    misp.add_object_reference(case_objects[ip].add_reference(attribute_misp.uuid, relationtype))
                else:
                    print(attribute_misp)

print("Finished abuse_finder enrichment for IPs.\n\n")

Trying 50.116.17.41
 Got Akamai Technologies, Inc.
 Got Linode
 Got abuse@akamai.com
 Got abuse@linode.com
Finished abuse_finder enrichment for IPs.

Abuse information enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This table returns only those matches corresponding with the source abuse_finder.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "abuse_finder":
            table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
print(table.get_string(sortby="Value"))
table_abuse = table

+--------------+------------------+-------------+------------------------+---------------------------+
|    Source    | Value            | Category    | Type                   | Enriched                  |
+--------------+------------------+-------------+------------------------+---------------------------+
| abuse_finder | 50.116.17.41     | Attribution | whois-registrant-email | abuse@akamai.com          |
| abuse_finder | 50.116.17.41     | Attribution | whois-registrant-email | abuse@linode.com          |
| abuse_finder | 50.116.17.41     | Attribution | whois-registrant-name  | Akamai Technologies, Inc. |
| abuse_finder | 50.116.17.41     | Attribution | whois-registrant-name  | Linode                    |
| abuse_finder | qwepoi123098.com | Attribution | whois-registrant-email | abuse@namecheap.com       |
| abuse_finder | qwepoi123098.com | Attribution | whois-registrant-name  | NameCheap, Inc.           |
+--------------+------------------+-------------+------------------------+---------------------------+

ER:4 Add custom enrichment information

The next cells query VirusTotal, Shodan and URLhaus for additional enrichments. This is done with the list of domains you provided earlier (via query_domain) but also (optionally) on the results of DNS resolution. But before we get to that you can also add additional entries that need to be investigated by the next enrichment cells.

You can add these entries now as custom enrichment information. Obviously you can also use them to add additional indicators that you found relevant for your investigation.

You first have to define the domain that the information is related to with custom_entry_domain and set the enrichment category custom_entry_category, type custom_entry_type and value custom_entry_value. If you leave custom_entry_value empty then the code execution is skipped and no additional entries are added. You can add multiple values by re-executing the next two cells multiple times.

Optionally you can also specify the relation type (with custom_entry_relation), set the to_ids value (with custom_entry_to_ids) and provide a comment (with custom_entry_comment).

To provide you some help the next cell prints out the domains you supplied earlier via query_domains. You can use that as input for the custom_entry_domain in the cell for adding custom enrichment information.

# Print an overview of the domains this playbook works with
count = 0
for domain in query_domain:
    print("{} = {}".format(count, domain))
    count += 1

0 = qwepoi123098.com
1 = mikeylinehan.com

# To which domain do you want the enrichment to link
custom_entry_domain = query_domain[0] # (or provide the domain directly)

# What's the MISP category and type
custom_entry_category = "Payload delivery"
custom_entry_type = "md5"

# Custom value
custom_entry_value = "44d88612fea8a8f36de82e1278abb02f" # For example MD5 of EICAR

# Define the relation ship type
custom_entry_relation = "linked-to"

# Do you want to have the to_ids field enabled when adding it the attribute to MISP?
custom_entry_to_ids = True

# Comment field for additional entry
custom_entry_comment = "EICAR hash"

if len(custom_entry_value.strip()) > 0:
    # Set the custom enrichment
    entry = {"source":"Custom", "category": custom_entry_category, "type": custom_entry_type, "enriched": custom_entry_value}
    playbook_results = pb_add_enrichment(playbook_results, custom_entry_domain, entry, "enriched", entry["enriched"])

    # Add to MISP
    attribute = MISPAttribute()
    attribute.value = custom_entry_value
    attribute.to_ids = custom_entry_to_ids
    attribute.category = custom_entry_category
    attribute.type = custom_entry_type
    attribute.comment = "Added as custom enrichment - {}".format(custom_entry_comment)
    attribute_misp = misp.add_attribute(misp_event.uuid, attribute, pythonify=True)
    if not "errors" in attribute_misp:
        print("Attribute \033[92m{}\033[90m added\n".format(attribute_misp.uuid))
        misp.add_object_reference(case_objects[custom_entry_domain].add_reference(attribute_misp.uuid, custom_entry_relation))
        if not table_customentries:
            table_customentries = PrettyTable()
            table_customentries.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
            table_customentries.align["Value"] = "l"
            table_customentries.align["Category"] = "l"
            table_customentries.align["Type"] = "l"
            table_customentries.align["Enriched"] = "l"
            table_customentries._max_width = {"Enriched": 50}
        for domain in playbook_results:
            for match in playbook_results[domain]:
                if match["source"] == "Custom":
                    table_customentries.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
    else:
        print(attribute_misp)
        print("Attribute \033[91mnot added\033[90m\n")

Attribute a8088495-1975-42ce-bc76-2273f901fca4 added

ER:5 Review the current MISP event graph

The MISP event graph allows you to get a visualisation of the relationships between different objects and attributes. At this stage of the investigation it can already be useful to have a look at the current graph. It should contain the relations for the domain objects, the URL objects received from URLscan but also the DNS, abuse information and custom enrichment information.

You can access the event graph by logging in to MISP, viewing the details of the newly created event and then using the Event graph tab. While you are reviewing the event graph it can also be useful to have a look at the correlation graph.

ER:6 Enrich with information from VirusTotal

If the VirusTotal module is enabled in MISP modules you can now query VirusTotal.

By default the playbook will query VirusTotal for results related to the original domains you specified as input in the first section of the playbook. But you can extend this list via virustotal_include_enrichment. Be aware that some attributes (such as IPs) can create a lot of additional attributes when the domain points to a shared hosting facility.

You can also ignore results that are returned by VirusTotal with virustotal_skip_enrichment_result.

And finally you can also indicate if you want to keep the to_ids value set by the VirusTotal module or always set it to False (virustotal_to_ids). The latter is advised. If you set virustotal_to_ids to True, then the playbook keeps the value returned by the VirusTotal module.

# In addition to the domains, query VirusTotal for the below enrichment values
# Beware of IPs pointing to hosting facilities
#virustotal_include_enrichment = []
virustotal_include_enrichment = ["ip-dst"]
#virustotal_include_enrichment = ["ip-dst", "url", "domain", "whois-registrant-email"]

# Do not include related URLs returned by VirusTotal. For some domains this can result a large result set
virustotal_result_skip_enrichment_result = ["url", "domain"]

# to_ids: False: always set to False ; True: keep what's returned by the MISP module
virustotal_to_ids = False

# Code block to query VirusTotal
vt_query = []
for domain in query_domain:
    if re.match(r"{}".format(regular_expressions["hostname"]), domain):
        vt_query.append(domain)

for domain in playbook_results:
    for element in playbook_results[domain]:
        if element.get("type", False) in virustotal_include_enrichment and len(element["enriched"]) > 0 and element["enriched"] not in vt_query:
            vt_query.append(element["enriched"])

# Code block to query VirusTotal
module_name = "virustotal_public"
module_source = "VirusTotal"
if misp_modules[module_name]["enabled"]:
    for value in vt_query:
        module_comment = "From {} for {}".format(module_source, value)
        for expr in regular_expressions:
            if re.match(r"{}".format(regular_expressions[expr]), value):
                attribute_type = expr
                break

        if attribute_type in misp_modules[module_name]["input"]:
            data = {
                "attribute": {
                    "type": f"{attribute_type}",
                    "uuid": str(uuid.uuid4()),
                    "value": f"{value}",
                },
                "module": module_name,
                "config": {"apikey": virustotal_apikey}
            }
            print("Query \033[92m{}\033[90m as \033[92m{}\033[90m".format(value, attribute_type))
            result = requests.post("{}/query".format(misp_modules_url), headers=misp_modules_headers, json=data)
            if "results" in result.json() and len(result.json()["results"]) > 0:
                result_json = result.json()["results"]
                for misp_attribute in result_json.get("Attribute", []):
                    if misp_attribute["type"] in virustotal_result_skip_enrichment_result:
                        print(" Skip {} \033[96m{}\033[90m".format(misp_attribute["type"], misp_attribute["value"]))
                        continue
                    else:
                        del misp_attribute["uuid"]
                        misp_attribute["comment"] = "{}{}".format(module_comment, misp_attribute.get("comment", ""))
                        if misp_attribute["to_ids"] == True and not virustotal_to_ids:
                            misp_attribute["to_ids"] = False
                        try:
                            created_attribute = misp.add_attribute(misp_event.uuid, misp_attribute, pythonify=True)
                            if not "errors" in created_attribute:
                                if value in case_objects:
                                    misp.add_object_reference(case_objects[value].add_reference(created_attribute.uuid, "related-to"))
                                print(" Got {} \033[92m{}\033[90m".format(misp_attribute["type"], misp_attribute["value"]))
                                entry = {"source": module_source, "category": misp_attribute["category"], "type": misp_attribute["type"], "enriched": misp_attribute["value"]}
                                playbook_results = pb_add_enrichment(playbook_results, value, entry, "enriched", misp_attribute["value"])
                        except:
                            print(" Unable to add {} \033[92m{}\033[90m to MISP event".format(misp_attribute["type"], misp_attribute["value"]))

                for misp_object in result_json.get("Object", []):
                    if misp_object["name"] in virustotal_result_skip_enrichment_result:
                        print(" Skip {}".format(misp_object["name"]))
                        continue
                    else:
                        del misp_object["uuid"]
                        misp_object["comment"] = "{}{}".format(module_comment, misp_object.get("comment", ""))
                        new_attribute_list = []
                        for attribute in misp_object.get("Attribute", []):
                            if attribute["type"] in virustotal_result_skip_enrichment_result:
                                print(" Skip {} \033[96m{}\033[90m".format(attribute["type"], attribute["value"]))
                            else:
                                if attribute["to_ids"] == True and not virustotal_to_ids:
                                    attribute["to_ids"] = False
                                attribute["comment"] = module_comment
                                new_attribute_list.append(attribute)
                        misp_object["Attribute"] = new_attribute_list
                        if len(misp_object["Attribute"]) > 0:
                            created_object = misp.add_object(misp_event.uuid, misp_object, pythonify=True)
                            if not "errors" in created_object:
                                if value in case_objects:
                                    misp.add_object_reference(case_objects[value].add_reference(created_object.uuid, "related-to"))
                                if misp_object["name"] == "whois":
                                    whois_attributes = misp_object.get("Attribute", [])
                                    for whois_attribute in whois_attributes:
                                        print(" Got whois data for \033[92m{}\033[90m ".format(domain))
                                        entry = {"source": module_source, "category": "Other", "type": "whois", "enriched": whois_attribute["value"]}
                                        playbook_results = pb_add_enrichment(playbook_results, value, entry, "enriched", whois_attribute["value"])
                                else:
                                    if misp_object["name"] == "domain-ip":
                                        for attribute in misp_object.get("Attribute",[]):
                                            if attribute["type"] == "ip-dst":
                                                if attribute["value"] not in case_objects:
                                                    case_objects[attribute["value"]] = created_object
                                    for misp_attribute in misp_object["Attribute"]:
                                        print(" Got {} \033[92m{}\033[90m as part of object {}".format(misp_attribute["type"], misp_attribute["value"], misp_object["name"]))
                                        entry = {"source": module_source, "category": misp_attribute["category"], "type": misp_attribute["type"], "enriched": misp_attribute["value"]}
                                        playbook_results = pb_add_enrichment(playbook_results, value, entry, "enriched", misp_attribute["value"])

            print("Sleeping for {} seconds".format(misp_modules_wait))
            time.sleep(misp_modules_wait)
        else:
            print("Skipping \033[91m{}\033[90m. Not a valid query type ({}).".format(value, misp_modules[module_name]["input"]))

print("Finished VirusTotal enrichment.\n\n")

Query qwepoi123098.com as hostname
 Got sha256 2b6282da522f1f51ee6e0ed5e37aa55a191d34ffbb3c287cb20d71ad2bf25b4b
 Got sha256 ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f126e8965d777fbf0
 Skip domain www.qwepoi123098.com
 Skip url https://qwepoi123098.com/
 Skip url http://qwepoi123098.com/
 Got whois data for 50.116.17.41 
 Skip domain qwepoi123098.com
 Got ip-dst 104.194.215.229 as part of object domain-ip
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got ip-dst 139.162.120.150 as part of object domain-ip
 Got ip-dst 146.70.87.109 as part of object domain-ip
 Got ip-dst 50.116.17.41 as part of object domain-ip
 Not adding to playbook results because of duplicate. Already added via URLscan.io
Sleeping for 3 seconds
Query mikeylinehan.com as hostname
 Got sha256 51c93eda00d090aae0d3e211fb1679aa6456df7dc51a7cd45bf4d3b990b531c7
 Got sha256 69fb7b96d2da05f2aef88efc9e788ede343c9112ae164fe026e504449d56464e
 Got sha256 86749d3e3233d7a75a618c98eac9f31f508aed4492849f65b907787b0bd1d047
 Got sha256 75d6289e33dbf05543f8a850e40c7bb3e3f8b9e2872015f8a7b09906aabb7b5e

Something went wrong (403): {'saved': False, 'name': 'Could not add Attribute', 'message': 'Could not add Attribute', 'url': '/attributes/add', 'errors': {'value': ['A similar attribute already exists for this event.']}}

 Got sha256 5596dc862bd9aea2981ebe1f8a638557d1383ccd9a47c94c9610300325f94a0e
 Got sha256 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4
 Got sha256 c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8
 Got sha256 103d93ab0996ed79df9184183fb63f3c37c2fbd0aa505174e29256ddf02208b5
 Skip domain www.mikeylinehan.com
 Skip url https://mikeylinehan.com/
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/11/0ML0211_0ML0211-R1-E012.jpg
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/10/16779837_10211211562552145_141027329_n.jpg
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/10/20597623_330257494090980_248941076_o.jpg
 Skip url http://mikeylinehan.com/wp-content/themes/avata/options-framework/assets/css/hoo-styles.css
 Skip url http://mikeylinehan.com/wp-includes/wlwmanifest.xml
 Skip url http://mikeylinehan.com/kjdfhg874
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/10/19549566_313330345783695_504397474_o.jpg
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/10/0ML1585_0ML1585-R1-048-22A.jpg);background-position:
 Skip url http://mikeylinehan.com/
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/11/23770209_371449203305142_1680412421_o.jpg
 Skip url http://mikeylinehan.com/xmlrpc.php?rsd
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/10/cropped-film-roll-1-180x180.jpg
 Skip url http://mikeylinehan.com/wp-content/themes/avata-child/style.css?ver=4.8.4
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/11/23269661_365322613917801_1076170444_o.jpg
 Skip url http://mikeylinehan.com/wp-content/themes/avata/assets/plugins/lightGallery/js/lightgallery-all.min.js?ver=1.5
 Skip url http://mikeylinehan.com/wp-content/uploads/2017/11/23269797_365324563917606_1407453225_o-1.jpg
 Skip url http://mikeylinehan.com/KJDFHG874
 Skip url http://mikeylinehan.com/wp-login.php
 Skip url http://mikeylinehan.com/kjdfhg874?
 Skip url http://mikeylinehan.com/wp-includes/woodbridge.php
 Got whois data for 50.116.17.41 
 Skip domain mikeylinehan.com
 Got ip-dst 198.185.159.144 as part of object domain-ip
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got ip-dst 198.185.159.145 as part of object domain-ip
 Got ip-dst 198.49.23.144 as part of object domain-ip
 Got ip-dst 198.49.23.145 as part of object domain-ip
 Got ip-dst 199.188.200.96 as part of object domain-ip
 Not adding to playbook results because of duplicate. Already added via URLscan.io
 Got ip-dst 199.59.243.222 as part of object domain-ip
 Got ip-dst 91.195.240.117 as part of object domain-ip
Sleeping for 3 seconds
Query 50.116.17.41 as ip-src
 Skip url https://probes.space/
 Skip url http://aequuira1aedeezais5i.probes.space/
 Skip url https://dunamistrd.com/
 Skip url http://www.aimee0febai5phoht2ti.probes.website/
 Skip url http://zacharryblogs.com/
 Skip url http://qwepoi123098.com/
 Skip url http://officestoragebox.com/
 Skip url http://dunamistrd.com/
 Skip url http://akamaitechcloudservices.com/
 Skip url http://franavru.xyz/
 Skip url http://www.akamaicontainer.com/
 Skip url https://probes.website/
 Skip url http://journalide.org/
 Skip url http://sbmsa.wiki/
 Skip url http://pbxsources.com/
 Skip url http://akamaicontainer.com/
 Skip url http://msstorageazure.com/
 Skip url https://journalide.org/djour.php
 Skip url http://aimee0febai5phoht2ti.probes.website/
 Skip url http://probes.website/
 Skip url https://zacharryblogs.com/feed
 Skip url https://aequuiralaedeezaisbi.probes.space/
 Skip url http://aequuiralaedeezaisbi.probes.space/
 Skip url http://zacharryblogs.com/xmlquery
 Skip url http://visualstudiofactory.com/
 Skip url http://glcloudservice.com/
 Skip url https://akamaitechcloudservices.com/v2/storage
 Skip url https://pbxsources.com/exchange
 Skip url https://colasc.net/
 Skip url http://equuira1aedeezais5i.probes.space/
 Skip url http://ssw-live.org/
 Skip url http://a2quuira1aedeezais5i.probes.space/
 Skip url http://hyui.org/
 Skip url https://aequuira1aedeezais5i.probes.space/
 Skip url http://www.aequuira1aedeezais5i.probes.space/
 Skip url http://probes.space/
 Skip url http://50.116.17.41/fakeurl.html
 Skip url http://ttspersonnel.com/
 Skip url https://www.aimee0febai5phoht2ti.probes.website/
 Skip url https://www.aequuira1aedeezais5i.probes.space/
 Skip url http://www.colasc.net/
 Skip url https://www.cimexcoinc.net/
 Skip url https://finnremote.com/
 Skip url https://www.jeemanint.com/
 Skip url https://greaterrvb.com/
 Skip url http://pacificteleports.com/
 Skip url http://www.revolutiondeuxzero.com/
 Skip url http://50.116.17.41/
 Skip url http://telegraf-news.biz/
 Skip url https://franavru.xyz/
 Skip url https://hyui.org/
 Skip url http://lecinqcinq.com/
 Skip url http://brilandbrands.com/
 Skip url http://franavru.xyz/dumbdumb?dcsqdcasdxasd=+mLytBXBjOWigtCFlLvkJHy37yfvExMTHWFx6afoeE9ThCW09eFGtWmDk+xdyELPkrwYbUcZkq/0irUQQW21/CHn71AaNmt0+5k4jv7lIm8mJwrmP6da4IhtVFHfkkH2oeWSzR2dZ/dEgsQPSXuVUSgs8IPG+I9wfz7pyuKh04IxLdXCyqFATWpjcS6NQ8VGYUQMgbOFUjIR2o4CeHhCW3OMSbtSG0GWmsw2+qsI6rgHNs0MaRmb4GbL8ARgsOCjGbF1Kh31cRQfTJ0UcQLRNK/kiyQlDmsTNNN/BUIUPYldYN2xFuzozWYN4k83loJmTi9H15qiPtUVqHgDGkGKEAaLt8g953OpdsnQtfyvKvKSZkbuwqLhF2e1VolEcSARapbE2tODi95/vOouYSi272q9rqkQJXvxIQuUpm2en1uOn3p0nUVNGqmqOEBxwnPkihKijw/G5C2Nb5VKjxEmayrczSxj0p1HEvLZFNfTl+zLYdidsI46vFcK46FJxKDsbnt+1RnaZyzuuOYUUPj/52htP29M6Au4CA2JYDE8h02VhtbksG6MH16ijybJ2MV7TZKUXcp5KLW7BvopB+TZLKOVHd9EUkE/kXCMzf+Gmpsci5urPYupTNs1riF5PPjdF/VV881JnbaB
 Skip url http://greaterrvb.com/
 Skip url https://50.116.17.41/
 Skip url http://franavru.xyz/dumbdumb?dcsqdcasdxasd=MMr4VdC+4YRA0aswGsTZc+sn1bUp7nlbu0GqhmaDWGQa4JqG0AYvs1zm8KR4Ke8XPDLnPacAeJvi8x++HSSmrLXxknBNznRikBx67usUu2yUdHD/F7xcyxj6f71YhBC0KiclwklmyraK4qZQuj11Yo0C95c6vDL4eCuQiJI2igcf6bT6Z0x3owq8HKIcO95J+FGFgzZs+vKoNwAHcLIayTaIU5ey02zu0QDepmxSX+HsJlKzmuzDPztIDUGJjhsnhGNr3ZL6Qqetb6uVFacQi/1SDDL3fF0i90+K3g3/4jEL32p0FhRznHKsgkGztBM8rSkW2OGd3jdMKT2EF+5mUse4U8WZaA2Vz3nCx4VX7PvsPxO1OhQ6ELlhXOpmJaVQFV+pmowipvRkvdVjVclsBc70woQqhF/dQflEwvVjL7tEz38lcxk7d3Q7rK0iEX0hB2tOknBxBDidj4q31NRMgndEA5ryNmSjarT3rT9SRliidjvs0EfiIcPLI+/krNFld7z9ja4Crh9msPAW4j7aZdPA/VW75+dwMHuf9X9fhndZiX0rEjnD8+MlGT29od4bdHpTCSDU6fTaaIgTVY2X3MxfZ8PkMXe7Hqk4nSx4oo++q+pqGncTPdROBz64i0I7NWFK/RTd7iQo
 Skip url https://weightloss-4sure.com/
 Skip url https://jeleniacoffee.com/
 Skip url https://www.golden-hotelbg.com/
 Skip url https://slovenia-properties.com/
 Skip url http://wyndham-price.com/
 Skip url http://aimeeofebaisphoht2ti.probes.website/
 Skip url https://www.propertyeez.com/
 Skip url http://tnskvggujjqfcskwk.com/
 Skip url http://aimee0febai5phoht2ti.probes.website:443/static/cdvrlg0yejdtvq49smqqamdg904na68nd9vdf14f5hfjgpglawjsahayoeuyrbdnxqiragbxlotgmyoe99hgnz0sl_hwqb8iuugo8pjh92eam3iolmm73ntlqti4hedrdcpx4oguksymtmx2vvlpi-zlu54p18deioz1jvb0pfr34-om/kitten.gif
 Skip url http://lecinqcinq.com/wp-content/plugins/header-footer-elementor/assets
 Skip url http://ipv6-google.com/75cYPz8mDl4ANgE3Wn1UeQE31wt8CqPic5SeToEKdLrhCEskO6dVTaXxCUJbYJxyTyPsyN-FSb_iSf_iqtf1gWK0Gtfw0xsRbKdb7bg8ExL55L2Tp0apGvPVsQ
 Skip url https://www.lecinqcinq.com/produit/lave-sol-amir-clean-1l/
 Skip url http://xn--aequuira1aedeezais5i-o9a2gt1d.probes.space/
 Skip url http://yeeterracing.com/
 Skip url http://newska-uanews.biz/
 Skip url https://xn--aequuira1aedeezais5i-o9a2gt1d.probes.space/
 Skip url http://dogtoobig.com/
 Skip url https://newska-uanews.biz/
 Skip url http://9netway.com/
 Skip url http://catchaplane.net/
 Skip url https://catchaplane.net/
 Skip url https://9netway.com/
 Skip url https://dogtoobig.com/
 Skip url https://a2quuira1aedeezais5i.probes.space/
 Skip url http://lecinqcinq.com/wp-includes/js/jquery/ui
 Skip url https://aimee0febai5phoht2ti.probes.website/
 Skip url https://tnskvggujjqfcskwk.com/
 Skip url http://whynooneistherefornoneofthem.com/
 Skip url https://yeeterracing.com/
 Skip url http://whynooneistherefornoneofthem.com/about.php
 Skip url https://whynooneistherefornoneofthem.com/
 Skip url http://numienimfe2.com/
 Skip url https://numienimfe2.com/
 Skip url http://whynooneistherefornoneofthem.com/about.php,
 Skip url http://whynooneistherefornoneofthem.com/about.ph
 Skip url https://aimee0febai5phoht2ti.probes.website/dot.gif
 Skip url http://aimee0febai5phoht2ti.probes.website/ptj
 Skip url http://aimee0febai5phoht2ti.probes.website/pixel
 Skip url https://aimee0febai5phoht2ti.probes.website/static/9NfqZYlTJ_jUKRaK_DUhwHW8p8D51nTb8cjOKmSe7XQyF5j3F86AJ5Fx6soCJSXhisfjvp6j4bJUArleZcbPNPdTCQ6P7Y96Wf4BqhYKdEzOvxpMy_0kt9-xk7GgAxqalVbmj1KUp5t_5-p4mz7g1KINucOZtMYeocKeLkty_PoQinFi/kitten.gif
 Skip url http://switlawert.com/
 Skip url http://firstcupworlds.com/
 Skip url http://queryforworld.com/
 Skip url http://mehanistran.com/
 Skip url http://carint.hopto.org/
 Skip url http://petalstudent.com/
 Skip url http://weightloss-4sure.com/administrator/index.php
 Skip url http://ipv6-google.com/
 Skip url https://dataetransfer.com/
 Skip url https://mail.petalstudent.com/
 Skip url http://www.sfbayexpetec.com/
 Skip url http://meenymineymoemyeeny.com/post.php
 Skip url http://smtp.threesonssignature.com/
 Skip url http://server.apbinvestments.com/
 Skip url http://primedesigns.biz/
 Skip url http://mail.threesonssignature.com/
 Skip url http://imap.mail.bestiemail.com/
 Skip url https://betterlivinghomehealthcareinc.com/
 Skip url https://hind-dorroliver.com/
 Skip url http://notepad-plus.sourcaforga.com/
 Skip url http://www.vogueexpeditions.com/
 Skip url http://www.bitcoindisclaimers.com/
 Skip url http://quynnsattic.com/
 Skip url http://localhost.bestiemail.com/
 Skip url http://abqgrandhotel.com/
 Skip url http://revolutiondeuxzero.com/downloader
 Skip url https://trgarcelsons2.com/
 Skip url http://trgarcelsons2.com/
 Skip url http://localhost.invesdentcanada.com/
 Skip url http://localhost.finnremote.com/
 Skip url http://westernbuslines.com/
 Skip url http://50.116.17.41/fakeurl.htm
 Skip url http://indaqugret2.com/
 Skip url http://probes.site/
 Got AS 63949 as part of object asn
 Got text US as part of object asn
 Skip domain 000005225.net
 Skip domain 118173176587.buxhere.com
 Skip domain 118173176684.buxhere.com
 Skip domain 118173176781.buxhere.com
 Skip domain 11e2540739d7fbea1ab8f9aa7a107648.com
 Skip domain 18213879527.buxhere.com
 Skip domain 28209809224.buxhere.com
 Skip domain 28209809321.buxhere.com
 Skip domain 365office-update.com
 Skip domain 48201668624.buxhere.com
 Skip domain 48519280.buxhere.com
 Skip domain 56380479.buxhere.com
 Skip domain 58124635093.buxhere.com
 Skip domain 5com-informatique-dax.com
 Skip domain 68120588972.buxhere.com
 Skip domain 68193528032.buxhere.com
 Skip domain 68193528129.buxhere.com
 Skip domain 79183733.buxhere.com
 Skip domain 7er9w3kijs4.info
 Skip domain 897234kjdsf4523234.com
 Skip domain 9netway.com
 Skip domain a2quuira1aedeezais5i.probes.space
 Skip domain aaoa.ihelloyou.net
 Skip domain aaqp.ihelloyou.net
 Skip domain abjnd.ihelloyou.net
 Skip domain abqgrandhotel.com
 Skip domain abwgid.ihelloyou.net
 Skip domain abynsak.ihelloyou.net
 Skip domain acadiavpn.glcloudservice.com
 Skip domain acamscl.ihelloyou.net
 Skip domain acg.ihelloyou.net
 Skip domain aciai.ihelloyou.net
 Skip domain ack.ihelloyou.net
 Skip domain acqx.ihelloyou.net
 Skip domain ad.7er9w3kijs4.info
 Skip domain adanj.ihelloyou.net
 Skip domain adau.ihelloyou.net
 Skip domain add.7er9w3kijs4.info
 Skip domain adifusion.online
 Skip domain adwordactivation.com
 Skip domain aefxeqw.ihelloyou.net
 Skip domain aelrgp.ihelloyou.net
 Skip domain aequuira1aedeezais5i.probes.space
 Skip domain aequuiralaedeezaisbi.probes.space
 Skip domain aexy.ihelloyou.net
 Skip domain age.ihelloyou.net
 Skip domain agesask.net
 Skip domain aggxwx.ihelloyou.net
 Skip domain aghvk.ihelloyou.net
 Skip domain agxdj.ihelloyou.net
 Skip domain ahein.ihelloyou.net
 Skip domain aimee0febai5phoht2ti.probes.website
 Skip domain aimeeofebaisphoht2ti.probes.website
 Skip domain ainbqby.ihelloyou.net
 Skip domain aiojprd.ihelloyou.net
 Skip domain aivrplr.ihelloyou.net
 Skip domain ajbrg.ihelloyou.net
 Skip domain ajmdyxy.ihelloyou.net
 Skip domain ajuvje.ihelloyou.net
 Skip domain aka.ihelloyou.net
 Skip domain akamaicontainer.com
 Skip domain akamaitechcloudservices.com
 Skip domain akob.ihelloyou.net
 Skip domain akrgidj.ihelloyou.net
 Skip domain alcdr.ihelloyou.net
 Skip domain ale.ihelloyou.net
 Skip domain alju.ihelloyou.net
 Skip domain alnx.ihelloyou.net
 Skip domain amawhe.ihelloyou.net
 Skip domain amoql.ihelloyou.net
 Skip domain anat.ihelloyou.net
 Skip domain anessgroup.com
 Skip domain anrw.ihelloyou.net
 Skip domain aodjcqc.ihelloyou.net
 Skip domain aoist.ihelloyou.net
 Skip domain aosk.ihelloyou.net
 Skip domain aotukmd.ihelloyou.net
 Skip domain aphwge.ihelloyou.net
 Skip domain aqg.ihelloyou.net
 Skip domain aqi.ihelloyou.net
 Skip domain aqmq.ihelloyou.net
 Skip domain aqn.ihelloyou.net
 Skip domain aqndju.ihelloyou.net
 Skip domain aqr.ihelloyou.net
 Skip domain arkem.net
 Skip domain asaq.ihelloyou.net
 Skip domain atgain.ihelloyou.net
 Skip domain auglde.ihelloyou.net
 Skip domain augy.ihelloyou.net
 Skip domain autohelptech.com
 Skip domain avautoupdate.info
 Skip domain avdnadp.ihelloyou.net
 Skip domain avka.ihelloyou.net
 Skip domain avmxypi.ihelloyou.net
 Skip domain awtn.ihelloyou.net
 Skip domain axbqo.ihelloyou.net
 Skip domain axmb.ihelloyou.net
 Skip domain axnj.ihelloyou.net
 Skip domain axq.ihelloyou.net
 Skip domain axxfsaw.ihelloyou.net
 Skip domain ayaiesv.ihelloyou.net
 Skip domain aybnan.ihelloyou.net
 Skip domain aylv.ihelloyou.net
 Skip domain azuredeploystore.azureonlinecloud.com
 Skip domain azureonlinecloud.com
 Skip domain bac.ihelloyou.net
 Skip domain bafgmt.ihelloyou.net
 Skip domain bahwi.ihelloyou.net
 Skip domain baww.ihelloyou.net
 Skip domain bcqb.ihelloyou.net
 Skip domain bcyoc.ihelloyou.net
 Skip domain bdg.ihelloyou.net
 Skip domain bdluvgc.ihelloyou.net
 Skip domain bejhs.ihelloyou.net
 Skip domain belsaw920.com
 Skip domain beotjye.ihelloyou.net
 Skip domain bestbsd.info
 Skip domain bestiemail.com
 Skip domain betterlivinghomehealthcareinc.com
 Skip domain bfcl.ihelloyou.net
 Skip domain bfjs.ihelloyou.net
 Skip domain bhm.ihelloyou.net
 Skip domain bifrxnf.ihelloyou.net
 Skip domain bistrictions.net
 Skip domain biw.ihelloyou.net
 Skip domain bllhm.ihelloyou.net
 Skip domain blm.ihelloyou.net
 Skip domain bloh.ihelloyou.net
 Skip domain blonghomes.com
 Skip domain bmm.ihelloyou.net
 Skip domain bolfhto.ihelloyou.net
 Skip domain bpfluat.biz
 Skip domain brilandbrands.com
 Skip domain bsx.ihelloyou.net
 Skip domain bsyl.ihelloyou.net
 Skip domain btjn.ihelloyou.net
 Skip domain btkpb.ihelloyou.net
 Skip domain btqwlhn.ihelloyou.net
 Skip domain bud.ihelloyou.net
 Skip domain buxhere.com
 Skip domain buy.ihelloyou.net
 Skip domain bwjaym.ihelloyou.net
 Skip domain bxaq.ihelloyou.net
 Skip domain cajaal.ihelloyou.net
 Skip domain calcutime.com
 Skip domain carhrow.ihelloyou.net
 Skip domain carint.hopto.org
 Skip domain cascsff.com
 Skip domain catchaplane.net
 Skip domain cbc.ihelloyou.net
 Skip domain cblmhm.ihelloyou.net
 Skip domain ccalf.ihelloyou.net
 Skip domain cdiw.ihelloyou.net
 Skip domain cdj.ihelloyou.net
 Skip domain cdu.ihelloyou.net
 Skip domain ceelgd.ihelloyou.net
 Skip domain cerw.ihelloyou.net
 Skip domain cfnwr.ihelloyou.net
 Skip domain christmaslastdeals.com
 Skip domain cimexcoinc.net
 Skip domain cir.ihelloyou.net
 Skip domain ckib.ihelloyou.net
 Skip domain ckjpud.ihelloyou.net
 Skip domain cktmry.ihelloyou.net
 Skip domain clerkhead.com
 Skip domain clsga.ihelloyou.net
 Skip domain cmcql.ihelloyou.net
 Skip domain cmjvau.ihelloyou.net
 Skip domain cmoeeu93sdc.net
 Skip domain cnaaw.ihelloyou.net
 Skip domain cnaybq.ihelloyou.net
 Skip domain cntfgd.ihelloyou.net
 Skip domain colasc.net
 Skip domain colornet30.info
 Skip domain com.ihelloyou.net
 Skip domain cortnovij.com
 Skip domain cptadk.ihelloyou.net
 Skip domain cqfey.ihelloyou.net
 Skip domain crdxlu.ihelloyou.net
 Skip domain crgw.ihelloyou.net
 Skip domain csmfgv.ihelloyou.net
 Skip domain ctreeconsulting.org
 Skip domain cxywia.ihelloyou.net
 Skip domain dae.ihelloyou.net
 Skip domain damemp3.org
 Skip domain dataetransfer.com
 Skip domain datnb.ihelloyou.net
 Skip domain dauxa.ihelloyou.net
 Skip domain dca.ihelloyou.net
 Skip domain dcn.ihelloyou.net
 Skip domain dctwvr.ihelloyou.net
 Skip domain dd.zxcvbnmzxcvbnm.com
 Skip domain ddjxtwq.ihelloyou.net
 Skip domain ddl.ihelloyou.net
 Skip domain defeatswirly2.net
 Skip domain devilslife.com
 Skip domain dfbyjt.ihelloyou.net
 Skip domain dggl.ihelloyou.net
 Skip domain dhh.ihelloyou.net
 Skip domain dhs.ihelloyou.net
 Skip domain djxqsnr.ihelloyou.net
 Skip domain dlejckb.ihelloyou.net
 Skip domain dlrpn.ihelloyou.net
 Skip domain dls.ihelloyou.net
 Skip domain dmdaaq.ihelloyou.net
 Skip domain dnjmja.ihelloyou.net
 Skip domain dnslookupdater.com
 Skip domain dnssecupdater.com
 Skip domain dofmarfin.com
 Skip domain dogtoobig.com
 Skip domain domfarin.com
 Skip domain douwh.ihelloyou.net
 Skip domain downloads.damemp3.org
 Skip domain dprple.ihelloyou.net
 Skip domain dpwfi.ihelloyou.net
 Skip domain dqda.ihelloyou.net
 Skip domain dralands.com
 Skip domain drpapw.ihelloyou.net
 Skip domain drxeuie.ihelloyou.net
 Skip domain dry.ihelloyou.net
 Skip domain dsjr.ihelloyou.net
 Skip domain dswqa.ihelloyou.net
 Skip domain dtappw.ihelloyou.net
 Skip domain dtfb.ihelloyou.net
 Skip domain dunamistrd.com
 Skip domain dwjokm.ihelloyou.net
 Skip domain dxi.ihelloyou.net
 Skip domain dxlaj.ihelloyou.net
 Skip domain dxtaens.ihelloyou.net
 Skip domain dyag.ihelloyou.net
 Skip domain dymk.ihelloyou.net
 Skip domain eaaw.ihelloyou.net
 Skip domain eanda.ihelloyou.net
 Skip domain ecahs.ihelloyou.net
 Skip domain ecdln.ihelloyou.net
 Skip domain ecgjjdb.ihelloyou.net
 Skip domain ecvhppl.ihelloyou.net
 Skip domain edaoggj.ihelloyou.net
 Skip domain edfynaq.ihelloyou.net
 Skip domain edmcinc.com
 Skip domain ehlvufq.ihelloyou.net
 Skip domain ejas.ihelloyou.net
 Skip domain ejeaaa.ihelloyou.net
 Skip domain ekctp.ihelloyou.net
 Skip domain ekizmedia.com
 Skip domain ekqotot.ihelloyou.net
 Skip domain elis.ihelloyou.net
 Skip domain emkv.ihelloyou.net
 Skip domain emn.ihelloyou.net
 Skip domain emur.ihelloyou.net
 Skip domain emv1.journalide.org
 Skip domain emwi.ihelloyou.net
 Skip domain enterhere2.biz
 Skip domain eovwu.ihelloyou.net
 Skip domain eqaa.ihelloyou.net
 Skip domain equmhjn.ihelloyou.net
 Skip domain equuira1aedeezais5i.probes.space
 Skip domain eqvaw.ihelloyou.net
 Skip domain eqytik.ihelloyou.net
 Skip domain eskt.ihelloyou.net
 Skip domain ets.ihelloyou.net
 Skip domain euvaglo.ihelloyou.net
 Skip domain everligh.com
 Skip domain everyopenclinercorparetion.ru
 Skip domain ewnk.ihelloyou.net
 Skip domain exbandos.biz
 Skip domain executiverainmakers.com
 Skip domain exeka.ihelloyou.net
 Skip domain exlanq.ihelloyou.net
 Skip domain exp.ihelloyou.net
 Skip domain explorer-update.com
 Skip domain exskcp.ihelloyou.net
 Skip domain facskar.ihelloyou.net
 Skip domain faqhq.ihelloyou.net
 Skip domain fatvsks.ihelloyou.net
 Skip domain fcjn.ihelloyou.net
 Skip domain fdal.ihelloyou.net
 Skip domain fejlfal.ihelloyou.net
 Skip domain ffbsv.ihelloyou.net
 Skip domain fgaua.ihelloyou.net
 Skip domain fhahgr.ihelloyou.net
 Skip domain fhma.ihelloyou.net
 Skip domain fijny.ihelloyou.net
 Skip domain finnremote.com
 Skip domain fireeyeupdate.com
 Skip domain firstcupworlds.com
 Skip domain fjn.ihelloyou.net
 Skip domain fjtumrx.ihelloyou.net
 Skip domain fkfyt.ihelloyou.net
 Skip domain fklvhs.ihelloyou.net
 Skip domain flvc.ihelloyou.net
 Skip domain fma.ihelloyou.net
 Skip domain fmuijlb.ihelloyou.net
 Skip domain fni.ihelloyou.net
 Skip domain foaokcc.ihelloyou.net
 Skip domain fobdeq.ihelloyou.net
 Skip domain foj.ihelloyou.net
 Skip domain foolishfoe.biz
 Skip domain footballrecovery.net
 Skip domain forbss.net
 Skip domain forskys.com
 Skip domain fpxch.ihelloyou.net
 Skip domain fqqbv.ihelloyou.net
 Skip domain franavru.xyz
 Skip domain free.avautoupdate.info
 Skip domain free.systemupdates.biz
 Skip domain frg.ihelloyou.net
 Skip domain fsqtm.ihelloyou.net
 Skip domain fstfxaa.ihelloyou.net
 Skip domain fsxja.ihelloyou.net
 Skip domain ftanveu.ihelloyou.net
 Skip domain ftdeveloppromo.com
 Skip domain ftika.ihelloyou.net
 Skip domain ftopserkj.com
 Skip domain fullproofpublishing.com
 Skip domain furious.devilslife.com
 Skip domain fvahh.ihelloyou.net
 Skip domain fvvc.ihelloyou.net
 Skip domain fvyc.ihelloyou.net
 Skip domain fvykk.ihelloyou.net
 Skip domain fwtresn.ihelloyou.net
 Skip domain fwwojvy.ihelloyou.net
 Skip domain fxfh.ihelloyou.net
 Skip domain fxhgjr.ihelloyou.net
 Skip domain fxmap.ihelloyou.net
 Skip domain g43gwef.com
 Skip domain gaq.ihelloyou.net
 Skip domain gbnyqrv.ihelloyou.net
 Skip domain gbxua.ihelloyou.net
 Skip domain gclhjwg.ihelloyou.net
 Skip domain gcve.ihelloyou.net
 Skip domain geil-de.info
 Skip domain geq.ihelloyou.net
 Skip domain gfdfn.ihelloyou.net
 Skip domain ghsbi.ihelloyou.net
 Skip domain ghtmq.ihelloyou.net
 Skip domain gicqxw.ihelloyou.net
 Skip domain gjw.ihelloyou.net
 Skip domain glcloudservice.com
 Skip domain gmelhkw.ihelloyou.net
 Skip domain gnn.ihelloyou.net
 Skip domain gnxg.ihelloyou.net
 Skip domain gnyf.ihelloyou.net
 Skip domain golden-hotelbg.com
 Skip domain gpbch.ihelloyou.net
 Skip domain gpe.ihelloyou.net
 Skip domain gqc.ihelloyou.net
 Skip domain gqfhyn.ihelloyou.net
 Skip domain gqjrlqx.ihelloyou.net
 Skip domain grahamherdman.com
 Skip domain greaterrvb.com
 Skip domain grl.ihelloyou.net
 Skip domain gsauead.ihelloyou.net
 Skip domain gsd.ihelloyou.net
 Skip domain gsfvbc.ihelloyou.net
 Skip domain gti.ihelloyou.net
 Skip domain gtreport.biz
 Skip domain guiit.ihelloyou.net
 Skip domain gvf.ihelloyou.net
 Skip domain gvkilhtjnci.com
 Skip domain gvr.ihelloyou.net
 Skip domain gvvsa.ihelloyou.net
 Skip domain gwcqyls.ihelloyou.net
 Skip domain gwovpa.ihelloyou.net
 Skip domain gwtn.ihelloyou.net
 Skip domain gypqiea.ihelloyou.net
 Skip domain haap.ihelloyou.net
 Skip domain haenfm.ihelloyou.net
 Skip domain hamifpn.ihelloyou.net
 Skip domain han.ihelloyou.net
 Skip domain hapfqy.ihelloyou.net
 Skip domain hardcastleproperty.com
 Skip domain hay.ihelloyou.net
 Skip domain hbjf.ihelloyou.net
 Skip domain hbrfdh.ihelloyou.net
 Skip domain hbulqo.ihelloyou.net
 Skip domain hclixs.ihelloyou.net
 Skip domain hcmam.ihelloyou.net
 Skip domain hdyeajd.ihelloyou.net
 Skip domain hebp.ihelloyou.net
 Skip domain hevhjo.ihelloyou.net
 Skip domain hfxmsa.ihelloyou.net
 Skip domain hhdgkka.ihelloyou.net
 Skip domain hhr.ihelloyou.net
 Skip domain hhwtj.ihelloyou.net
 Skip domain hibkka.ihelloyou.net
 Skip domain himolamodaspopular.ru
 Skip domain hind-dorroliver.com
 Skip domain hkcj.ihelloyou.net
 Skip domain hkg.ihelloyou.net
 Skip domain hkuk.ihelloyou.net
 Skip domain hnrr.ihelloyou.net
 Skip domain hntcv.ihelloyou.net
 Skip domain hojbvl.ihelloyou.net
 Skip domain hoklrhok.com
 Skip domain homefreeweb.com
 Skip domain homeonthethrone.com
 Skip domain hqhg.ihelloyou.net
 Skip domain hqilcya.ihelloyou.net
 Skip domain hqsbsp.ihelloyou.net
 Skip domain hrpkr.ihelloyou.net
 Skip domain hsmj.ihelloyou.net
 Skip domain htaxrfk.ihelloyou.net
 Skip domain htf.ihelloyou.net
 Skip domain htrnk.ihelloyou.net
 Skip domain huqcray.ihelloyou.net
 Skip domain huybd.ihelloyou.net
 Skip domain hva.ihelloyou.net
 Skip domain hxffc.ihelloyou.net
 Skip domain hxg.ihelloyou.net
 Skip domain hyui.org
 Skip domain hyv.ihelloyou.net
 Skip domain iaanoi.ihelloyou.net
 Skip domain iaaua.ihelloyou.net
 Skip domain iadc.ihelloyou.net
 Skip domain iakhss.ihelloyou.net
 Skip domain iavy.ihelloyou.net
 Skip domain ibj.ihelloyou.net
 Skip domain ibw.ihelloyou.net
 Skip domain icpm.ihelloyou.net
 Skip domain icsemiconductors.com
 Skip domain idg.ihelloyou.net
 Skip domain ieaxaaj.ihelloyou.net
 Skip domain ifb.ihelloyou.net
 Skip domain ifkfe.ihelloyou.net
 Skip domain ifp.ihelloyou.net
 Skip domain igo.ihelloyou.net
 Skip domain igukb.ihelloyou.net
 Skip domain igyua.ihelloyou.net
 Skip domain ihelloyou.net
 Skip domain ihijyvh.ihelloyou.net
 Skip domain iihui.ihelloyou.net
 Skip domain ijawfxp.ihelloyou.net
 Skip domain ilcty.ihelloyou.net
 Skip domain iljrfi.ihelloyou.net
 Skip domain ilng.ihelloyou.net
 Skip domain ilovemyukrainianguy.com
 Skip domain iltf.ihelloyou.net
 Skip domain imap.mail.bestiemail.com
 Skip domain imved.ihelloyou.net
 Skip domain indaqugret2.com
 Skip domain indianhotproperties.com
 Skip domain inilxq.ihelloyou.net
 Skip domain innatamidwifery.com
 Skip domain iokqn.ihelloyou.net
 Skip domain ionxpi.ihelloyou.net
 Skip domain ioyfg.ihelloyou.net
 Skip domain ip-internet-explorer.com
 Skip domain ipcacgw.ihelloyou.net
 Skip domain ipg.ihelloyou.net
 Skip domain ipukaub.ihelloyou.net
 Skip domain ipv6-google.com
 Skip domain iqkyyul.ihelloyou.net
 Skip domain irbkv.ihelloyou.net
 Skip domain irqbxfb.ihelloyou.net
 Skip domain isqo.ihelloyou.net
 Skip domain isvpyl.ihelloyou.net
 Skip domain italiatavola.com
 Skip domain itgclym.ihelloyou.net
 Skip domain itoyei.ihelloyou.net
 Skip domain itxy.ihelloyou.net
 Skip domain iuatxaa.ihelloyou.net
 Skip domain ivhqmt.ihelloyou.net
 Skip domain ivxhyhx.ihelloyou.net
 Skip domain iwe.ihelloyou.net
 Skip domain iwqavch.ihelloyou.net
 Skip domain ixkkq.ihelloyou.net
 Skip domain ixvbtpj.ihelloyou.net
 Skip domain jarsjbr.ihelloyou.net
 Skip domain jbexx.ihelloyou.net
 Skip domain jbia.ihelloyou.net
 Skip domain jbtil.ihelloyou.net
 Skip domain jchlh.ihelloyou.net
 Skip domain jditp.ihelloyou.net
 Skip domain jeemanint.com
 Skip domain jeithe7eijeefohch3qu.probes.site
 Skip domain jeleniacoffee.com
 Skip domain jesnikl.ihelloyou.net
 Skip domain jgyxynh.ihelloyou.net
 Skip domain jhmuv.ihelloyou.net
 Skip domain jhs.ihelloyou.net
 Skip domain jimmysmail.com
 Skip domain jiopf.ihelloyou.net
 Skip domain jjg.ihelloyou.net
 Skip domain jjwc.ihelloyou.net
 Skip domain jkqapaq.ihelloyou.net
 Skip domain jkxerd.ihelloyou.net
 Skip domain jlglsh.ihelloyou.net
 Skip domain jmfmv.ihelloyou.net
 Skip domain jmor.ihelloyou.net
 Skip domain jnax.ihelloyou.net
 Skip domain jopff.ihelloyou.net
 Skip domain journalide.org
 Skip domain jowxsvv.ihelloyou.net
 Skip domain jpgjaa.ihelloyou.net
 Skip domain jpk.ihelloyou.net
 Skip domain jqat.ihelloyou.net
 Skip domain jqjtjo.ihelloyou.net
 Skip domain jqvp.ihelloyou.net
 Skip domain jqxsil.ihelloyou.net
 Skip domain jrjmdc.ihelloyou.net
 Skip domain jrwd.ihelloyou.net
 Skip domain jshnlnx.ihelloyou.net
 Skip domain juctxy.ihelloyou.net
 Skip domain jueu.ihelloyou.net
 Skip domain juva.ihelloyou.net
 Skip domain juvndh.ihelloyou.net
 Skip domain jwlavi.ihelloyou.net
 Skip domain jxrgchk.ihelloyou.net
 Skip domain jxsea.ihelloyou.net
 Skip domain jygw.ihelloyou.net
 Skip domain jyk.ihelloyou.net
 Skip domain jyr.ihelloyou.net
 Skip domain jyvjr.ihelloyou.net
 Skip domain kad.ihelloyou.net
 Skip domain kavaynf.ihelloyou.net
 Skip domain kavx.ihelloyou.net
 Skip domain kayp.ihelloyou.net
 Skip domain kcgfit.ihelloyou.net
 Skip domain kchwio.ihelloyou.net
 Skip domain kcmviewpr3n.com
 Skip domain kdgx.ihelloyou.net
 Skip domain keb.ihelloyou.net
 Skip domain kede.ihelloyou.net
 Skip domain kfe8jr.com
 Skip domain kfeg.ihelloyou.net
 Skip domain khtya.ihelloyou.net
 Skip domain khvfh.ihelloyou.net
 Skip domain kijavvv.com
 Skip domain kjarj.ihelloyou.net
 Skip domain kjlocmy.ihelloyou.net
 Skip domain kkfa.ihelloyou.net
 Skip domain kkvhep.ihelloyou.net
 Skip domain kkvjb.ihelloyou.net
 Skip domain kkyft.ihelloyou.net
 Skip domain kmchc.ihelloyou.net
 Skip domain knc.ihelloyou.net
 Skip domain koaakvf.ihelloyou.net
 Skip domain koffeemail.com
 Skip domain komupa.ihelloyou.net
 Skip domain kozlov.orlov-alexandr.com
 Skip domain kpao.ihelloyou.net
 Skip domain kqryulv.ihelloyou.net
 Skip domain kqtbxd.ihelloyou.net
 Skip domain kqye.ihelloyou.net
 Skip domain ksxu.ihelloyou.net
 Skip domain ktc.ihelloyou.net
 Skip domain kvbf.ihelloyou.net
 Skip domain kvei.ihelloyou.net
 Skip domain kwdjgwc.ihelloyou.net
 Skip domain kxkve.ihelloyou.net
 Skip domain landsez.com
 Skip domain lanfac.ihelloyou.net
 Skip domain laoyvsl.ihelloyou.net
 Skip domain lap.ihelloyou.net
 Skip domain lardh.ihelloyou.net
 Skip domain lau.ihelloyou.net
 Skip domain lbojgnf.ihelloyou.net
 Skip domain lbpt.ihelloyou.net
 Skip domain lbqp.ihelloyou.net
 Skip domain lbtpho.ihelloyou.net
 Skip domain lbutiw.ihelloyou.net
 Skip domain ldoaa.ihelloyou.net
 Skip domain ldumq.ihelloyou.net
 Skip domain lecinqcinq.com
 Skip domain letdb.ihelloyou.net
 Skip domain lfdchv.ihelloyou.net
 Skip domain lffaic.ihelloyou.net
 Skip domain lffxii.ihelloyou.net
 Skip domain lfnqtv.ihelloyou.net
 Skip domain lgsaio.ihelloyou.net
 Skip domain li601-41.members.linode.com
 Skip domain liptilt.ihelloyou.net
 Skip domain liwcvu.ihelloyou.net
 Skip domain ljxyrmt.ihelloyou.net
 Skip domain lkadhsp.ihelloyou.net
 Skip domain lkegg.ihelloyou.net
 Skip domain lkka.ihelloyou.net
 Skip domain lkyhty.ihelloyou.net
 Skip domain lltakj.ihelloyou.net
 Skip domain lmehcb.ihelloyou.net
 Skip domain lmjf.ihelloyou.net
 Skip domain localhost.bestiemail.com
 Skip domain localhost.everligh.com
 Skip domain localhost.finnremote.com
 Skip domain localhost.hyui.org
 Skip domain localhost.invesdentcanada.com
 Skip domain localhost.journalide.org
 Skip domain localhost.meenymineymoemyeeny.com
 Skip domain localhost.numienimfe2.com
 Skip domain localhost.rtggrtgtr.com
 Skip domain lssrt.ihelloyou.net
 Skip domain lstyady.ihelloyou.net
 Skip domain luav.ihelloyou.net
 Skip domain lvcvb.ihelloyou.net
 Skip domain lwep.ihelloyou.net
 Skip domain lwvdw.ihelloyou.net
 Skip domain lxct.ihelloyou.net
 Skip domain lxmu.ihelloyou.net
 Skip domain lygqp.ihelloyou.net
 Skip domain lyrgbc.ihelloyou.net
 Skip domain mafyo.ihelloyou.net
 Skip domain mail.bestiemail.com
 Skip domain mail.petalstudent.com
 Skip domain mail.threesonssignature.com
 Skip domain mail3.9netway.com
 Skip domain mamha.ihelloyou.net
 Skip domain manjgq.ihelloyou.net
 Skip domain mas.ihelloyou.net
 Skip domain mbaxah.ihelloyou.net
 Skip domain mbqb.ihelloyou.net
 Skip domain mbtacul.ihelloyou.net
 Skip domain mby.ihelloyou.net
 Skip domain mdegbpa.ihelloyou.net
 Skip domain medsharetech.com
 Skip domain medsx.ihelloyou.net
 Skip domain meenymineymoemyeeny.com
 Skip domain megako.net
 Skip domain mehanistran.com
 Skip domain melio823mn.com
 Skip domain meridahh.com
 Skip domain messenger-live.org
 Skip domain meuhl.ihelloyou.net
 Skip domain mexuwbq.ihelloyou.net
 Skip domain mfew.ihelloyou.net
 Skip domain mfjhxj.ihelloyou.net
 Skip domain mfn.ihelloyou.net
 Skip domain mfoirl.ihelloyou.net
 Skip domain mfqoi.ihelloyou.net
 Skip domain mfsa.ihelloyou.net
 Skip domain mfxe.ihelloyou.net
 Skip domain mhsffy.ihelloyou.net
 Skip domain microsoft.connection.manager.monitor.security32.biz
 Skip domain miecros.info
 Skip domain mifccqh.ihelloyou.net
 Skip domain milk850.net
 Skip domain miqice.ihelloyou.net
 Skip domain mjnlkqf.ihelloyou.net
 Skip domain mkl.ihelloyou.net
 Skip domain mlni.ihelloyou.net
 Skip domain mmatvqx.ihelloyou.net
 Skip domain mmnservicez.net
 Skip domain mmyho.ihelloyou.net
 Skip domain mngawao.ihelloyou.net
 Skip domain mnnknim.ihelloyou.net
 Skip domain mpjjbxv.ihelloyou.net
 Skip domain mprtet.ihelloyou.net
 Skip domain mpss.ihelloyou.net
 Skip domain mqe.ihelloyou.net
 Skip domain mqf.ihelloyou.net
 Skip domain mqq.ihelloyou.net
 Skip domain ms-dos.se.updates32.biz
 Skip domain ms-dos.security.security32.biz
 Skip domain ms-tech.us
 Skip domain msdos-security.updates32.biz
 Skip domain msdos.service.security32.biz
 Skip domain msdos.service.updates32.biz
 Skip domain mse.ihelloyou.net
 Skip domain msstorageazure.com
 Skip domain msstorageboxes.com
 Skip domain msvyh.ihelloyou.net
 Skip domain mulben.ihelloyou.net
 Skip domain mutta.agesask.net
 Skip domain mvideo.indaqugret2.com
 Skip domain mvideo.numienimfe2.com
 Skip domain mvideo.trgarcelsons2.com
 Skip domain mvideo.viophipalz2.com
 Skip domain mwh.ihelloyou.net
 Skip domain mxflt.ihelloyou.net
 Skip domain mxwm.ihelloyou.net
 Skip domain myl.ihelloyou.net
 Skip domain mysouu.ihelloyou.net
 Skip domain n.n.c.119c39640b6c4dca8531b97a3763b65a.dnslookupdater.com
 Skip domain n.sqlteam.info
 Skip domain naaa.ihelloyou.net
 Skip domain namcr.ihelloyou.net
 Skip domain nasp.ihelloyou.net
 Skip domain naukf.ihelloyou.net
 Skip domain nax.ihelloyou.net
 Skip domain nbiu.ihelloyou.net
 Skip domain nbja.ihelloyou.net
 Skip domain nbxmnj.ihelloyou.net
 Skip domain ncunl.ihelloyou.net
 Skip domain ndhitt.ihelloyou.net
 Skip domain ndp.ihelloyou.net
 Skip domain neponilomancitlimposup.ru
 Skip domain newska-uanews.biz
 Skip domain nggqfvm.ihelloyou.net
 Skip domain ngrvqjp.ihelloyou.net
 Skip domain nhjx.ihelloyou.net
 Skip domain nhqo.ihelloyou.net
 Skip domain nhrjs.ihelloyou.net
 Skip domain nidxlqo.ihelloyou.net
 Skip domain njubduc.ihelloyou.net
 Skip domain nla.ihelloyou.net
 Skip domain nlf.ihelloyou.net
 Skip domain nlp.ihelloyou.net
 Skip domain nmdek.ihelloyou.net
 Skip domain nmdg.ihelloyou.net
 Skip domain nmmdafh.ihelloyou.net
 Skip domain nmxsc.ihelloyou.net
 Skip domain nnbtavl.ihelloyou.net
 Skip domain nngrbag.ihelloyou.net
 Skip domain nomerking.net
 Skip domain nortontorton.com
 Skip domain notepad-plus.sourcaforga.com
 Skip domain notepad-plus.sourcefolge.org
 Skip domain npaax.ihelloyou.net
 Skip domain npf.ihelloyou.net
 Skip domain nplak.ihelloyou.net
 Skip domain nqkmmk.ihelloyou.net
 Skip domain nqoq.ihelloyou.net
 Skip domain nragj.ihelloyou.net
 Skip domain nrwlaa.ihelloyou.net
 Skip domain nrxck.ihelloyou.net
 Skip domain ns1.player1352.com
 Skip domain ns1.theimageparlour.net
 Skip domain ns1.thepicturehut.net
 Skip domain ns2.outlook360.org
 Skip domain ns2.theimageparlour.net
 Skip domain ns2.thepicturehut.net
 Skip domain ns2.winfeedback.net
 Skip domain ns3.theimageparlour.net
 Skip domain ns3.thepicturehut.net
 Skip domain ns4.theimageparlour.net
 Skip domain ns4.thepicturehut.net
 Skip domain nsaaeqc.ihelloyou.net
 Skip domain nsg.ihelloyou.net
 Skip domain nsimhq.ihelloyou.net
 Skip domain nsyaaae.ihelloyou.net
 Skip domain ntanjau.ihelloyou.net
 Skip domain ntfnkb.ihelloyou.net
 Skip domain nuftcrx.ihelloyou.net
 Skip domain numienimfe2.com
 Skip domain nvm.ihelloyou.net
 Skip domain nvok.ihelloyou.net
 Skip domain nwhedlv.ihelloyou.net
 Skip domain nxcqpb.ihelloyou.net
 Skip domain oabrpjp.ihelloyou.net
 Skip domain oakndp.ihelloyou.net
 Skip domain obliwk.ihelloyou.net
 Skip domain obtcn.ihelloyou.net
 Skip domain ocw.ihelloyou.net
 Skip domain odsskqw.ihelloyou.net
 Skip domain oea.ihelloyou.net
 Skip domain officestoragebox.com
 Skip domain ofutag.ihelloyou.net
 Skip domain ogc.ihelloyou.net
 Skip domain ogeyth.ihelloyou.net
 Skip domain oglcysa.ihelloyou.net
 Skip domain ogpc.ihelloyou.net
 Skip domain ogrbkgy.ihelloyou.net
 Skip domain ogrkvn.ihelloyou.net
 Skip domain ohthaki.ihelloyou.net
 Skip domain oihy.ihelloyou.net
 Skip domain oiratif.ihelloyou.net
 Skip domain oiya.ihelloyou.net
 Skip domain ojelmri.ihelloyou.net
 Skip domain ojspnd.ihelloyou.net
 Skip domain ojwcfx.ihelloyou.net
 Skip domain ojybks.ihelloyou.net
 Skip domain okfb.ihelloyou.net
 Skip domain olaqvlo.ihelloyou.net
 Skip domain olv.ihelloyou.net
 Skip domain ompj.ihelloyou.net
 Skip domain ongpd.ihelloyou.net
 Skip domain oofutno.ihelloyou.net
 Skip domain opbqm.ihelloyou.net
 Skip domain opeedyf.ihelloyou.net
 Skip domain optxmgrlbqoqsne.com
 Skip domain oraja.ihelloyou.net
 Skip domain orb.ihelloyou.net
 Skip domain orj.ihelloyou.net
 Skip domain orkxjlm.ihelloyou.net
 Skip domain orlov-alexandr.com
 Skip domain orrrqrc.ihelloyou.net
 Skip domain otf.ihelloyou.net
 Skip domain otmtg.com
 Skip domain oubcajy.ihelloyou.net
 Skip domain outlook360.org
 Skip domain ovgri.ihelloyou.net
 Skip domain owby.ihelloyou.net
 Skip domain owvsel.ihelloyou.net
 Skip domain owxoa.ihelloyou.net
 Skip domain oxpgk.ihelloyou.net
 Skip domain oyes.ihelloyou.net
 Skip domain pacificteleports.com
 Skip domain paj.ihelloyou.net
 Skip domain pajqvwv.ihelloyou.net
 Skip domain pbxsources.com
 Skip domain pclelectric.net
 Skip domain pda.ihelloyou.net
 Skip domain pdam.ihelloyou.net
 Skip domain pdiai.ihelloyou.net
 Skip domain pdptxy.ihelloyou.net
 Skip domain peletonfraud.com
 Skip domain peohy.ihelloyou.net
 Skip domain petalstudent.com
 Skip domain pfdxfn.ihelloyou.net
 Skip domain pfrxbfx.ihelloyou.net
 Skip domain pfubem.ihelloyou.net
 Skip domain pgffg.ihelloyou.net
 Skip domain pgktmei.ihelloyou.net
 Skip domain pgt.ihelloyou.net
 Skip domain pgyfq.ihelloyou.net
 Skip domain phauyc.ihelloyou.net
 Skip domain picturemagics.net
 Skip domain pidsa.ihelloyou.net
 Skip domain piev.ihelloyou.net
 Skip domain pinnaclefacilityservices.com
 Skip domain pjupj.ihelloyou.net
 Skip domain pkarp.ihelloyou.net
 Skip domain pkdxj.ihelloyou.net
 Skip domain player1352.com
 Skip domain plncm.ihelloyou.net
 Skip domain pmu.ihelloyou.net
 Skip domain pmvps.ihelloyou.net
 Skip domain pmy.ihelloyou.net
 Skip domain pnaoe.ihelloyou.net
 Skip domain pnbhlf.com
 Skip domain poi.ihelloyou.net
 Skip domain pokaor.com
 Skip domain powertime.pw
 Skip domain ppkklay.ihelloyou.net
 Skip domain pqmor.ihelloyou.net
 Skip domain pqsuan.ihelloyou.net
 Skip domain primedesigns.biz
 Skip domain probes.site
 Skip domain probes.space
 Skip domain probes.website
 Skip domain propertyeez.com
 Skip domain prppa.ihelloyou.net
 Skip domain psh.ihelloyou.net
 Skip domain psr.ihelloyou.net
 Skip domain ptbyah.ihelloyou.net
 Skip domain ptkecoq.ihelloyou.net
 Skip domain ptx.ihelloyou.net
 Skip domain pvokcr.ihelloyou.net
 Skip domain pvrbg.ihelloyou.net
 Skip domain pwarkland.com
 Skip domain pxcsnhk.ihelloyou.net
 Skip domain pydcfe.ihelloyou.net
 Skip domain pykyx.ihelloyou.net
 Skip domain pylaqm.ihelloyou.net
 Skip domain qafjxo.ihelloyou.net
 Skip domain qah.ihelloyou.net
 Skip domain qauyh.ihelloyou.net
 Skip domain qavv.ihelloyou.net
 Skip domain qaxb.ihelloyou.net
 Skip domain qaxu.ihelloyou.net
 Skip domain qay.ihelloyou.net
 Skip domain qayduss.ihelloyou.net
 Skip domain qbm.ihelloyou.net
 Skip domain qboyvc.ihelloyou.net
 Skip domain qctoyef.ihelloyou.net
 Skip domain qdg.ihelloyou.net
 Skip domain qdhmat.ihelloyou.net
 Skip domain qdks.ihelloyou.net
 Skip domain qeso.ihelloyou.net
 Skip domain qeugcsr.ihelloyou.net
 Skip domain qgnkqu.ihelloyou.net
 Skip domain qguig.ihelloyou.net
 Skip domain qhybeqk.ihelloyou.net
 Skip domain qiwga.ihelloyou.net
 Skip domain qkbx.ihelloyou.net
 Skip domain qkekbjr.ihelloyou.net
 Skip domain qkfl.ihelloyou.net
 Skip domain qkuogxn.ihelloyou.net
 Skip domain qlr.ihelloyou.net
 Skip domain qlrmaoq.ihelloyou.net
 Skip domain qlxp.ihelloyou.net
 Skip domain qnuimaj.ihelloyou.net
 Skip domain qnwdev.ihelloyou.net
 Skip domain qoaj.ihelloyou.net
 Skip domain qpaame.ihelloyou.net
 Skip domain qpnotv.ihelloyou.net
 Skip domain qra.ihelloyou.net
 Skip domain qsbjd.ihelloyou.net
 Skip domain qswibfs.ihelloyou.net
 Skip domain queryforworld.com
 Skip domain quh.ihelloyou.net
 Skip domain quickenloansfirst.com
 Skip domain quynnsattic.com
 Skip domain qvsi.ihelloyou.net
 Skip domain qwepoi123098.com
 Skip domain qxarp.ihelloyou.net
 Skip domain qxlat.ihelloyou.net
 Skip domain rabqo.ihelloyou.net
 Skip domain rachnsai.net
 Skip domain radiovaweonearch.com
 Skip domain ravbgd.ihelloyou.net
 Skip domain rccgovercomersabuja.org
 Skip domain rcnbthr.ihelloyou.net
 Skip domain record.enterhere2.biz
 Skip domain resetmymemory.com
 Skip domain revistatuprofesion.com
 Skip domain revolutiondeuxzero.com
 Skip domain rfebf.ihelloyou.net
 Skip domain rfoup.ihelloyou.net
 Skip domain rfva.ihelloyou.net
 Skip domain rfwt.ihelloyou.net
 Skip domain rgd.ihelloyou.net
 Skip domain rhpmadj.ihelloyou.net
 Skip domain rhtyabk.ihelloyou.net
 Skip domain rie.ihelloyou.net
 Skip domain rjjr.ihelloyou.net
 Skip domain rkuod.ihelloyou.net
 Skip domain rmm.ihelloyou.net
 Skip domain rmtth.ihelloyou.net
 Skip domain rnlbm.ihelloyou.net
 Skip domain rnqaejd.ihelloyou.net
 Skip domain root.clerkhead.com
 Skip domain roxi.ihelloyou.net
 Skip domain rpeuxe.ihelloyou.net
 Skip domain rpi.ihelloyou.net
 Skip domain rpkf.ihelloyou.net
 Skip domain rpou.ihelloyou.net
 Skip domain rpxvx.ihelloyou.net
 Skip domain rqxkgnt.ihelloyou.net
 Skip domain rrha.ihelloyou.net
 Skip domain rrpuuh.ihelloyou.net
 Skip domain rrvka.ihelloyou.net
 Skip domain rt56uu67.com
 Skip domain rtggrtgtr.com
 Skip domain rtuea.ihelloyou.net
 Skip domain rusy.ihelloyou.net
 Skip domain rutba.ihelloyou.net
 Skip domain rwbhdel.ihelloyou.net
 Skip domain rwlqk.ihelloyou.net
 Skip domain rww.ihelloyou.net
 Skip domain rxmlxu.ihelloyou.net
 Skip domain rydria.ihelloyou.net
 Skip domain ryet.ihelloyou.net
 Skip domain rys.ihelloyou.net
 Skip domain ryxtujc.ihelloyou.net
 Skip domain sabia.ihelloyou.net
 Skip domain saipropmart.com
 Skip domain saltjob.com
 Skip domain samo.ihelloyou.net
 Skip domain sbkrnxk.ihelloyou.net
 Skip domain sbm.ihelloyou.net
 Skip domain sbmsa.wiki
 Skip domain sds.ihelloyou.net
 Skip domain security32.biz
 Skip domain sefpy.ihelloyou.net
 Skip domain separatemilkandtee.com
 Skip domain server.apbinvestments.com
 Skip domain service.journalide.org
 Skip domain sfbayexpetec.com
 Skip domain sfs.ihelloyou.net
 Skip domain shirlykokr.net
 Skip domain shraf.ihelloyou.net
 Skip domain shxv.ihelloyou.net
 Skip domain shy.ihelloyou.net
 Skip domain siqfep.ihelloyou.net
 Skip domain sjys.ihelloyou.net
 Skip domain skkab.ihelloyou.net
 Skip domain slek.ihelloyou.net
 Skip domain slovenia-properties.com
 Skip domain slr.ihelloyou.net
 Skip domain smtp.rt56uu67.com
 Skip domain smtp.threesonssignature.com
 Skip domain snygyax.ihelloyou.net
 Skip domain soa.ihelloyou.net
 Skip domain socksa.com
 Skip domain sopcb.ihelloyou.net
 Skip domain sourcaforga.com
 Skip domain spx.ihelloyou.net
 Skip domain spyroa.ihelloyou.net
 Skip domain sqlteam.info
 Skip domain sqo.ihelloyou.net
 Skip domain srgxatx.ihelloyou.net
 Skip domain ssw-live.org
 Skip domain ssyu.ihelloyou.net
 Skip domain stratk.com
 Skip domain suaqp.ihelloyou.net
 Skip domain sufjscp.ihelloyou.net
 Skip domain supportvpn.net
 Skip domain svch.service.security32.biz
 Skip domain svch.service.updates32.biz
 Skip domain svhxkco.ihelloyou.net
 Skip domain svn-git.net
 Skip domain svr.ihelloyou.net
 Skip domain switlawert.com
 Skip domain swj.ihelloyou.net
 Skip domain taa.ihelloyou.net
 Skip domain tab.ihelloyou.net
 Skip domain taevn.ihelloyou.net
 Skip domain tarheelparamed.com
 Skip domain tas.ihelloyou.net
 Skip domain tastxy.ihelloyou.net
 Skip domain tavbf.ihelloyou.net
 Skip domain taw.ihelloyou.net
 Skip domain tdew.ihelloyou.net
 Skip domain tdnpa.ihelloyou.net
 Skip domain tdye.ihelloyou.net
 Skip domain technologisticsafrica.com
 Skip domain telegraf-news.biz
 Skip domain teojart.ihelloyou.net
 Skip domain teqaf.ihelloyou.net
 Got ip-dst 50.116.17.41 as part of object domain-ip
Sleeping for 3 seconds
Query 104.194.215.229 as ip-src
 Skip url http://qwepoi123098.com/
 Skip url https://qwepoi123098.com/
 Skip url http://104.194.215.229/
 Got AS 8100 as part of object asn
 Got text US as part of object asn
 Skip domain homeschools.cl
 Skip domain notas.homeschools.cl
 Skip domain ntx5.www3iwebonline.com
 Skip domain qwepoi123098.com
 Skip domain ricurascheesecake.cl
 Skip domain www.homeschools.cl
 Skip domain www.notas.homeschools.cl
 Skip domain www.qwepoi123098.com
 Skip domain www.ricurascheesecake.cl
 Got ip-dst 104.194.215.229 as part of object domain-ip
Sleeping for 3 seconds
Query 198.185.159.144 as ip-src
Sleeping for 3 seconds
Query 199.188.200.96 as ip-src
 Skip url https://premiumpest.ca/ed/index.php?qbot.zip
 Skip url https://cv-gratuit.com/uat/index.php?qbot.zip
 Skip url https://cv-gratuit.com/es/index.php?qakbot.zip
 Skip url https://harden-egy.com/
 Skip url http://www.graniteexcavation.com/
 Skip url https://sirniksend.com/
 Skip url http://sirniksend.com/
 Skip url https://3mplushydro.com/
 Skip url https://tramites-italovenezolano.com/
 Skip url https://mail.tramites-italovenezolano.com/
 Skip url https://premiumpest.ca/
 Skip url http://premiumpest.ca/
 Skip url http://earn-hub.online/
 Skip url http://support.gricd.com/
 Skip url https://cv-gratuit.com/es/index.php
 Skip url https://support.gricd.com/knowledgebase/how-to-track-device-location/
 Skip url http://nfticosolutions.top/
 Skip url http://moneydiet101.com/
 Skip url https://ncrediblecredit.com/
 Skip url https://jghfcjutbhjghjdfykvhjjc.ml/
 Skip url http://onlineeventrust.com/
 Skip url http://jghfcjutbhjghjdfykvhjjc.ml/
 Skip url https://jamesappliance.shop/
 Skip url http://harden-egy.com/
 Skip url https://cv-gratuit.com/
 Skip url https://www.moneydiet101.com/the-ultimate-guide-to-investing-in-yourself-and-roadblocks-to-avoid/
 Skip url https://moneydiet101.com/
 Skip url https://ea-faucet.earn-hub.online/
 Skip url http://graniteexcavation.com/
 Skip url https://www.graniteexcavation.com/
 Skip url http://hosenbergshipping.com/wp-includes/aeasrd/al
 Skip url http://mail.tramites-italovenezolano.com/
 Skip url https://support.gricd.com/
 Skip url http://bonocasio.com/
 Skip url https://nfticosolutions.top/
 Skip url https://cv-gratuit.com/wp-content/uploads/2022/01/Exemple-de-cv-etudiant.png
 Skip url http://pachetes.com/
 Skip url https://cv-gratuit.com/wp-content/uploads/2022/01/Design1-cvcanva-page-0.png
 Skip url https://onlineeventrust.com/index.html
 Skip url http://tramites-italovenezolano.com/
 Skip url https://hosenbergshipping.com/
 Skip url http://cv-gratuit.com/
 Skip url https://nicecloth.net/
 Skip url https://pachetes.com/
 Skip url http://support.gricd.com/knowledgebase/how-to-track-device-location/
 Skip url https://smarttradeslimited.com/.well-known/.ax/sh_o.php?r
 Skip url http://itphobia.com/how-to-start-an-online-business-at-home
 Skip url http://ncrediblecredit.com/
 Skip url http://itphobia.com/windows-phone-parental-controls-setup-configure-step-by-step
 Skip url http://cv-gratuit.com/wp-content/uploads/2022/01/exemple-de-cv-etudiant.png
 Skip url https://smarttradeslimited.com/
 Skip url http://smarttradeslimited.com/ttun/index.php
 Skip url http://harden-egy.com/ause/index.php?qbot.zip
 Skip url https://smarttradeslimited.com/ttun/index.php
 Skip url http://itphobia.com/strategize-your-video-marketing-using-data-analysis/?utm_source=contentstudio.io
 Skip url https://jenningsandmeser.net/
 Skip url https://jenningsandmeser.net/text/
 Skip url http://jenningsandmeser.net/text
 Skip url http://jenningsandmeser.net/text/
 Skip url https://jenningsandmeser.net/text
 Skip url http://jenningsandmeser.net/
 Skip url http://cv-gratuit.com/exemple-de-cv-gratuit
 Skip url https://jenningsandmeser.net/one
 Skip url https://cv-gratuit.com/exemple-de-cv-gratuit
 Skip url https://cv-gratuit.com/exemple-de-cv-gratuit/
 Skip url https://harden-egy.com/ause/index.php?QBOT.zip
 Skip url https://harden-egy.com/ause/index.php?TORUPRIC=7
 Skip url http://harden-egy.com/ause/index.php
 Skip url https://europerovision.com/
 Skip url http://cv-gratuit.com/es/index.php
 Skip url http://cv-gratuit.com/es/index.php?qakbot.zip
 Skip url https://europerovision.com:26/
 Skip url https://homoeohealers.com/nma/index.php?QBOT.zip
 Skip url https://homoeohealers.com/nma/index.php?RMEDOLO=2
 Skip url https://graniteexcavation.com/
 Skip url http://premiumpest.ca/dau/index.php?qbot.zip
 Skip url http://nicecloth.net/
 Skip url http://shopbjay.com/
 Skip url https://premiumpest.ca/dau/index.php?qbot.zip
 Skip url https://pachetes.com/blog/golden-rottie-retriever
 Skip url https://shopbjay.com/
 Skip url https://cv-gratuit.com/es/index.php?
 Skip url http://itphobia.com/tips-to-write-seo-optimized-content
 Skip url http://premiumpest.ca/ed/index.php?qbot.zip
 Skip url http://premiumpest.ca/ed/index.php?iauq-ni=10
 Skip url http://itphobia.com/top-3-ways-your-business-can-benefit-from-an-seo-expert
 Skip url http://sampack.biz/al/index.php
 Skip url http://premiumpest.ca/ed/index.php
 Skip url http://itphobia.com/how-to-get-more-traffic-from-google-seo-tips-that-work
 Skip url http://homoeohealers.com/
 Skip url http://sampack.biz/
 Skip url https://premiumpest.ca/ed/index.php?iauq-ni=10
 Skip url https://homoeohealers.com/tee/index.php?qbot.zip
 Skip url https://homoeohealers.com/
 Skip url https://sampack.biz/
 Skip url http://homoeohealers.com/tee/index.php
 Skip url https://bonocasio.com/
 Skip url https://standrewsgh.com/
 Skip url https://cvcanva.com/
 Skip url https://jghfcjutbhjghjdfykvhjjc.ml/cgi-sys/defaultwebpage.cgi
 Skip url http://greatwallsdl.com/
 Skip url http://peekjoy.com/
 Skip url http://freecarecenter.com/
 Skip url http://corbet.app/
 Skip url http://asaman.net/
 Skip url https://www.khayathussain.com/
 Skip url http://hodaclinic.com/
 Skip url http://planetawesomekid.com/
 Skip url http://www.gricd.com/
 Skip url http://cpanel.mecury.onlinepokermalaysia.net/
 Skip url http://alphaprecision.com.sg/
 Skip url https://musk22.to/
 Skip url http://www.atlantaglassartguild.org/
 Skip url https://home.cryptohubx.online/
 Skip url http://cryptohubx.online/
 Skip url https://www.gricd.com/
 Skip url https://itphobia.com/positions-to-work-from-home-9-positions-your-business-should-be-hiring-remotely/
 Skip url https://relexglobal.com/about
 Skip url https://itphobia.com/6-ways-how-technology-helps-in-business-growth/
 Skip url http://www.alphaprecision.com.sg/
 Skip url https://itphobia.com/the-ultimate-guide-to-digital-marketing-for-contractors/
 Skip url https://corgilumpur.com/hoarding/top-10-father-physical-mental-abuse-me/
 Skip url https://www.wtecourier.com/206906/wtec-eorg.htm
 Skip url https://itphobia.com/is-social-media-marketing-important/
 Skip url https://toolguider.com/how-conveyor-belt-system-works/
 Skip url https://athletesphysiques.com/julie-de-bona/
 Skip url https://vigourmag.com/best-of-vigour/
 Skip url https://itphobia.com/outsourcing-technology-and-it-based-functions/
 Skip url https://clickdeals.tech/
 Skip url http://www.astontankfarm.com/
 Skip url https://www.megasaleoffers.com/products/Microsoft---Surface-Book-2---13.5"-PixelSense%E2%84%A2-Display---i7-{47}-16GB-{47}-1TB-dGPU---Silver.html
 Skip url https://www.rma.org.rw/eyqofjub199130/
 Skip url http://www.earn-hub.online/
 Skip url https://mapas.vernocchi.com.ar/insesp.pdf
 Skip url https://herbalattic.com/
 Skip url https://chiappafirearmsltd.com/
 Skip url https://barbybeautystudio.com/about/
 Skip url https://fullstamina.com/couples/
 Skip url https://itphobia.com/does-sms-marketing-work-as-an-effective-digital-marketing-strategy/
 Skip url https://legalpapers.online/
 Skip url https://myfxjourney.com/
 Skip url https://www.arquitectoszaragoza.net/
 Skip url https://eco-netz.net/
 Skip url http://orangebd.online/
 Skip url https://www.workandwealth.com/what-is-the-average-cost-of-a-class-ring/
 Skip url http://itphobia.com/
 Skip url https://primecapitalsmanagement.com/
 Skip url https://4extrapressure.com/
 Skip url https://itphobia.com/how-to-start-an-online-business-at-home/
 Skip url https://www.naturechemicals.com/
 Skip url https://vigourmag.com/
 Skip url https://streamsell.shop/product/directv/
 Skip url https://masama.org/product/premium-robusta-coffee/
 Skip url https://itphobia.com/windows-phone-parental-controls-setup-configure-step-by-step/
 Skip url https://www.ezwin.pro/
 Skip url https://www.upcomingshidduchevents.com/upcoming-events/
 Skip url https://upcomingshidduchevents.com/
 Skip url https://athletesphysiques.com/qimmah-russo/
 Skip url https://athletesphysiques.com/go-Anavar-Steroid
 Skip url https://www.konig.games/
 Skip url https://www.ps3specialist.services/
 Skip url http://itphobia.com/5-essential-ecommerce-tools-to-use-for-your-online-store
 Skip url https://athletesphysiques.com/larry-wheels/
 Skip url https://itphobia.com/5-essential-ecommerce-tools-to-use-for-your-online-store/
 Skip url https://smarttradeslimited.com/ttun/index.php?ut=6
 Skip url https://itphobia.com/strategize-your-video-marketing-using-data-analysis/?utm_source=contentstudio.io
 Skip url https://graphicsoftempe.com/
 Skip url https://diacripto.com/2022/06/13/la-transaccion-atascada-obliga-a-binance-a-pausar-los-retiros-de-btc/
 Skip url http://theholistichoney.com/
 Skip url https://chinabrasserie.co.uk/menu.html
 Skip url https://www.fivestartrend.com/product/marc-jacobs-the-snapshot-dtm-moon-white/
 Skip url https://cesarnoticias.co/universidad-popular-del-cesar-abre-inscripciones-para-el-primer-periodo-del-2023/
 Skip url https://chinabrasserie.co.uk/
 Skip url https://www.nextdaypetdelivery.com/
 Skip url http://bellanadia.com/
 Skip url https://www.bellanadia.com/
 Skip url http://www.bellanadia.com/
 Skip url https://bellanadia.com/
 Skip url https://www.workandwealth.com/works-ye-mighty-despair/
 Skip url https://harden-egy.com/ause/index.php?ETIXETOCNERMAI=6
 Skip url https://nichola.dev/angular-custom-form-control-color-picker/
 Skip url http://www.pcbloop.com/
 Skip url https://www.fiocchibulkammo.com/product/400-rounds-of-22-lr-ammo-by-browning-36gr-cphp/
 Skip url https://puckemup.com/
 Skip url https://nuctechs.com/
 Skip url https://petrodec.com/
 Skip url https://adriansolca.com/2021/07/15/diseno-de-servicios/
 Skip url https://itphobia.com/still-life-photography-tips-for-beginners/
 Skip url https://cv-gratuit.com/es/index.php?bttscesuiasein-prscrooi=9
 Skip url https://freecarecenter.com/4-ingredient-potato-soup-the-choosy-eater/
 Skip url https://itphobia.com/is-there-any-advantage-of-social-media-marketing/
 Skip url https://itphobia.com/tips-to-write-seo-optimized-content/
 Skip url https://evolutionsportsuk.co.uk/
 Skip url https://buy.gricd.com/product/mote50/
 Skip url https://itphobia.com/top-3-ways-your-business-can-benefit-from-an-seo-expert/
 Skip url https://itphobia.com/how-to-get-more-traffic-from-google-seo-tips-that-work/
 Skip url http://itphobia.com/what-is-a-headless-wordpress-site-how-to-build-it
 Skip url https://itphobia.com/what-is-a-headless-wordpress-site-how-to-build-it/
 Skip url https://finefoodproducts.uk/
 Skip url http://mtmsschool.online/
 Got AS 22612 as part of object asn
 Got text US as part of object asn
 Skip domain 01clientestone.com
 Skip domain 02906locks.com
 Skip domain 0gravity.dev
 Skip domain 0tljt8hhdsd160edrbsdsdu13ofmp2dsd.elmasryah.com
 Skip domain 0x40.pw
 Skip domain 1.bhtswap.online
 Skip domain 1.e-store.club
 Skip domain 1.graniteexcavation.com
 Skip domain 1000902378.com
 Skip domain 10minutemail.uk
 Skip domain 10xgloabalfx.com
 Skip domain 111.biznes.gold
 Skip domain 11clicks.com
 Skip domain 11clicks.net
 Skip domain 123-321.website
 Skip domain 123-321.xyz
 Skip domain 123.cracklehd.com
 Skip domain 123compu.com
 Skip domain 14all41.org
 Skip domain 1800webuyhomecash.com
 Skip domain 1und1-online.info
 Skip domain 2.bhtswap.online
 Skip domain 2002saloon.com
 Skip domain 2007gold.com
 Skip domain 2021gsitv.lucarimediotti.com
 Skip domain 247fxexpert.com
 Skip domain 247naijacakeaffairs.com
 Skip domain 24hourbot.website
 Skip domain 24men.xyz
 Skip domain 24tradefx.com
 Skip domain 2accesme.com
 Skip domain 2booklists.best
 Skip domain 2flagsnation.com
 Skip domain 2k18-reignzzbot.tk
 Skip domain 2night9.localgirl.club
 Skip domain 2tmtec1.zipfizz.online
 Skip domain 2tmtech.zipfizz.online
 Skip domain 2up5downsolutions.com
 Skip domain 2x3.company
 Skip domain 2xeth.xyz
 Skip domain 321.123-321.website
 Skip domain 365assist-centre.com
 Skip domain 365onlinehelp-secure.com
 Skip domain 36obk.com
 Skip domain 3827.to
 Skip domain 3ddd.exemplarymarketing.com
 Skip domain 3dotspeople.inprogresswebsider.com
 Skip domain 3mplus.co
 Skip domain 3mplushydro.com
 Skip domain 420smoke.us
 Skip domain 43trlokqdsdhmgde4hxdsdmazhxocpdsdm6hl3m6sdsd.liberalforumegypt.org
 Skip domain 43zp6qo5dsdrchjipgzdsdljkilqondsdimn4qdhmdsd.liberalforumegypt.org
 Skip domain 4extrapressure.com
 Skip domain 501kg.com
 Skip domain 5050hack.com
 Skip domain 5fold.club
 Skip domain 5ngoqrmidsdg37ltgxhdsdzwfaohakdsd.liberalforumegypt.org
 Skip domain 5q5ypzuxdsdzr6lr8qddsdmwsqrjordsd.elmasryah.com
 Skip domain 63y21hjyio98qd867yr1h2jgyi7q9da86qetu81u3yfi9oqi718ugid99183fy1.dongenvgulick.website
 Skip domain 656jener.com
 Skip domain 6itm.xyz
 Skip domain 6qbemgoudsdgaippsc7dsd.ethraaegypt.com
 Skip domain 6qn8cglpdsd3yaabyyddsdemqwqrcidsd.elmasryah.com
 Skip domain 6waysrwanda.com
 Skip domain 7.graniteexcavation.com
 Skip domain 740086.needstobechanged.com
 Skip domain 777obmana.net
 Skip domain 77obmana.net
 Skip domain 7pagos.com
 Skip domain 7starsecrets.digital
 Skip domain 7zip.app
 Skip domain 8-926-047-20-96.ru
 Skip domain 814lawns.com
 Skip domain 8576044-limited-edition.zuxboxes.london
 Skip domain 88-uwthailand.news
 Skip domain 898vip.com
 Skip domain 8acrnoghdsd4i6xknamdsdhjpwofcldsd.elmasryah.com
 Skip domain 8kbet.club
 Skip domain 9272021.xyz
 Skip domain a.metrofinances.us
 Skip domain a.mx.graniteexcavation.com
 Skip domain a.rentsolutions.website
 Skip domain a10yoob.com
 Skip domain a11.fun
 Skip domain a5gisw8gdsdrbfnbnsjdsdf42vq4kddsd.liberalforumegypt.org
 Skip domain a_papachrysanthou1002.wtecourier.com
 Skip domain aa.lkenny.com
 Skip domain aa.metrofinances.us
 Skip domain aanicharge.com
 Skip domain aanvraagconcept.xyz
 Skip domain aanzoeking.website
 Skip domain aaronandeva.com
 Skip domain aasportsshop.com
 Skip domain aavila.design
 Skip domain abbeyreal.com
 Skip domain abdulrehman-ios.com
 Skip domain aberdenasset.co
 Skip domain abn-halen.nl
 Skip domain abouain.com
 Skip domain absaroka-media-publishing.com
 Skip domain academy.edigitalize.com
 Skip domain acc.hostilica.co
 Skip domain acceluxtrades.com
 Skip domain access.tienplaygirl.website
 Skip domain account.en.metrofinances.co
 Skip domain account.ftn-b.com
 Skip domain account.metrofinances.co
 Skip domain accounts-aws.com
 Skip domain accounts.sky-mobile.co
 Skip domain accountsupdts.com
 Skip domain acedemy.scigurulk.com
 Skip domain acetrustint.com
 Skip domain acheliskenya.com
 Skip domain achterstand.online
 Skip domain acigroupbd.com
 Skip domain acpn.gricd.com
 Skip domain acrobaticthinking.com
 Skip domain actecpty.com
 Skip domain activaciononlinezonabn23.xyz
 Skip domain activatedirectory.com
 Skip domain ad-space.earn-hub.me
 Skip domain adaboost.cc
 Skip domain adam.pointer.ai
 Skip domain adapad.eu
 Skip domain adbratt.com
 Skip domain adccoin.pro
 Skip domain add-listing-apartments.com
 Skip domain adearning.info
 Skip domain adebimpeseriki.info
 Skip domain adegboyegaogunjimi.com
 Skip domain adelanistora.com
 Skip domain adexpert.co.il
 Skip domain adgem.earn-hub.me
 Skip domain admin.assignmentwritings.net
 Skip domain admin.detallesalgodulceparati.com
 Skip domain admin.gricd.com
 Skip domain admin.namastecurryhouse.com
 Skip domain admin.viveksaxena.tech
 Skip domain admin.wizardwriters.net
 Skip domain adrianjones.org
 Skip domain adriansolca.com
 Skip domain adscasereview.1000902378.com
 Skip domain adsclick.club
 Skip domain adtraffickers.com
 Skip domain adult-dating.earn-hub.me
 Skip domain adultdatingfun.club
 Skip domain advaithsreedevarchitects.com
 Skip domain advancedex.com
 Skip domain advancedpathpod.com
 Skip domain adveeeeeeeeenture.com
 Skip domain adviceforgraduate.com
 Skip domain adwiya.ga
 Skip domain adwiyaa.com
 Skip domain adxdigital.com
 Skip domain ae-energy.com
 Skip domain aemal.teerebd.com
 Skip domain aequroetmontis.com
 Skip domain aesuscapitalfinancingincltd.co.uk
 Skip domain aff.alhamrashades.com
 Skip domain affiliate-marketing.kai-friebe.site
 Skip domain affiliatemarketingforever.com
 Skip domain affiliatemarketinginfo.xyz
 Skip domain africachipssenegal.net
 Skip domain africanmissionarypastors.org
 Skip domain africanoss.fiacre.us
 Skip domain africardprepaid.xyz
 Skip domain agapeiglobafoundation.com
 Skip domain agapeiglobalfoundation.com
 Skip domain ageev.group
 Skip domain agenbolapromo.com
 Skip domain agenbolaresmi.com
 Skip domain agendatexas.com
 Skip domain agg-area2siena.co
 Skip domain agileconsulting.io
 Skip domain agkf6tiydsdhnehgpt2dsdv2xduqvydsd.elmasryah.com
 Skip domain agricola-consult-ltd.com
 Skip domain agriona.website
 Skip domain agriseafood.com
 Skip domain agrozatra.com
 Skip domain agusls.my.id
 Skip domain aherve.com
 Skip domain ahjayseirbhis.com
 Skip domain ahmed-hany.com
 Skip domain ahsanscollection.com
 Skip domain ahv3jykcdsdzrc6g454dsd.ethraaegypt.com
 Skip domain aib.fix117.info
 Skip domain aidasplace.com
 Skip domain aii.fund
 Skip domain aimcheck.info
 Skip domain airdrop.ditcoin.io
 Skip domain airdrop.seotoolkit.center
 Skip domain airdrop1.seotoolkit.center
 Skip domain airdroptoken.club
 Skip domain airpickcourier.com
 Skip domain airsoservices.com
 Skip domain airtellifestyle.com
 Skip domain aiyah.org
 Skip domain ajalapus.com
 Skip domain ajishopi.ma
 Skip domain ajkershopbd.com
 Skip domain akashdas.me
 Skip domain akhbarona.org
 Skip domain akristof.com
 Skip domain akritijewellersindia.com
 Skip domain akubee.shop
 Skip domain akubeestore.xyz
 Skip domain aladastore.me
 Skip domain alamedawaterdamage.website
 Skip domain alamedawaterdamage.xyz
 Skip domain alamobowli.com
 Skip domain alba-guarch.com
 Skip domain albacros.com
 Skip domain albaniacybersecurity.com
 Skip domain albertaemarco.com
 Skip domain albpentesting.com
 Skip domain alcesium.com
 Skip domain alecsportsscholarship.com
 Skip domain alert-notify.net
 Skip domain alert.secureonline0083.ga
 Skip domain alexis.localgirl.club
 Skip domain alexvazquez.me
 Skip domain algo-venture.com
 Skip domain alhamrashades.com
 Skip domain aliencreaturesfrombeyond.com
 Skip domain alienparanormal.com
 Skip domain alienufohub.com
 Skip domain alif24.de
 Skip domain alifestyleofnourishment.com
 Skip domain alinstanteconveniobn.xyz
 Skip domain alira.cryptopak.shop
 Skip domain alirezamalik.com
 Skip domain alison69.localgirl.club
 Skip domain alisterbanks.com
 Skip domain alitalianrecipes.com
 Skip domain allert-westpac.com
 Skip domain alleviola.com
 Skip domain allgetfree.net
 Skip domain allianz-bank.priloznost-resitev.com
 Skip domain alliepaves.com
 Skip domain allinoneclinic.com
 Skip domain allsaferefundrecovery.com
 Skip domain allstarsmining-investment001.com
 Skip domain allthingsburger.com
 Skip domain alltypetest.baundule.com
 Skip domain allvideodownloader.seotoolkit.center
 Skip domain alma9ala.com
 Skip domain almasfinance.com
 Skip domain alouadifa.com
 Skip domain alpha.gricd.com
 Skip domain alphaprecision.com.sg
 Skip domain alphashelter.info
 Skip domain alqariainstitute.com
 Skip domain alrafidainenergy.com
 Skip domain alrafidainenergy.com.zect-iq.com
 Skip domain alsafaa-school.com
 Skip domain alshomokh-hotel.com
 Skip domain altarpay.com
 Skip domain alternativestorylab.com
 Skip domain alu-mag.biz
 Skip domain alybanking.com
 Skip domain alytrust.com
 Skip domain amadermagazine.com
 Skip domain amakittens.com
 Skip domain amalika.website
 Skip domain amarbanglablog.com
 Skip domain amartailor.com.bd
 Skip domain amaz0n-shipping-worldwide.live
 Skip domain amazing.cam
 Skip domain amazingbalinesecattery.com
 Skip domain amazingbichonfrisehome.com
 Skip domain amazinggraceliving.com
 Skip domain amazingpuppyhome.com
 Skip domain amazonamazingdiscount.com
 Skip domain amen-housing.com
 Skip domain americaneducationservices.club
 Skip domain amfeiixportal.com
 Skip domain amixtar.com
 Skip domain amjad.website
 Skip domain amoreringa.com
 Skip domain amtar.live
 Skip domain amxwork.live
 Skip domain amyklimt.com
 Skip domain amz4.com
 Skip domain anakiki.com
 Skip domain anakma-osatopia.com
 Skip domain analyticsshed.com
 Skip domain ananichita.com
 Skip domain anapecannonces.com
 Skip domain anatoliy-kavun.info
 Skip domain anazana.wallpaperspin.com
 Skip domain anderb.com
 Skip domain andiamotrav.com
 Skip domain andiesavestheday.com
 Skip domain andreastroppa.com
 Skip domain andreloss.com
 Skip domain andrewcolumber.com
 Skip domain aneqon.com
 Skip domain aneva.live
 Skip domain animablade.com
 Skip domain animablade.net
 Skip domain animablade.org
 Skip domain animalsouk.ma
 Skip domain animalstore.ma
 Skip domain animexis.com
 Skip domain animexis.com.mx
 Skip domain animexis.mx
 Skip domain animexis.org
 Skip domain anka-gourltaminator.com
 Skip domain anloko.com
 Skip domain anmolkakkar.com
 Skip domain annyash.com
 Skip domain anstontankfarm.com
 Skip domain ant-shop.org
 Skip domain antbuddy.co.uk
 Skip domain antichristawareness.org
 Skip domain antispam.graniteexcavation.com
 Skip domain antonio-oilcorporation.com
 Skip domain anyaborissova.com
 Skip domain anyangpools.com
 Skip domain anything22334.uk
 Skip domain apaxarticles.blog
 Skip domain apexminer.me
 Skip domain apexwaylog.com
 Skip domain api.eastnorfolktalkapp.xyz
 Skip domain api.hedge.technology
 Skip domain api.portofolion.ikta.dev
 Skip domain api.portogit.ikta.dev
 Skip domain api.tokenpricelist.com
 Skip domain api.zyap.media
 Skip domain apisstudios.website
 Skip domain apkhot.xyz
 Skip domain apkmaxtube.xyz
 Skip domain apkurge.com
 Skip domain aplusmom.com
 Skip domain apotheke-vertrauen.com
 Skip domain app-care.cfd
 Skip domain app.bitnad.com
 Skip domain app.counter-event.ai
 Skip domain app.demo.gricd.com
 Skip domain app.drhoda.net
 Skip domain app.enterprise.gricd.com
 Skip domain app.fintexinvest.com
 Skip domain app.hedge.technology
 Skip domain app.kiraaknews.com
 Skip domain app.malker.store
 Skip domain app.reflectionautomotive.ca
 Skip domain app.studiofootwear.com
 Skip domain app2.drhoda.net
 Skip domain app2020-plataformavirtual-gt.com
 Skip domain app6.drhoda.net
 Skip domain apparekkia.com
 Skip domain appiver.com
 Skip domain apple.isuporte-br.com
 Skip domain appletreesnursery.com
 Skip domain applyformat.info
 Skip domain appqatarairways.com
 Skip domain apush.us
 Skip domain apxbafinance.com
 Skip domain aquacoins.live
 Skip domain aquariaknowledge.com
 Skip domain ar-finance.com
 Skip domain ar.buentrade.com
 Skip domain ar.vitamasr.com
 Skip domain aracnephobia.website
 Skip domain aragsan.cabdul.site
 Skip domain archlinesdesigns.com
 Skip domain arcobadara.com
 Skip domain ardexgroup.club
 Skip domain areis.ca
 Skip domain arewepatriots.com
 Skip domain argenta.achterstand.online
 Skip domain argenta.foutieve-domiciliering.website
 Skip domain argylehr.com
 Skip domain ariscourier.net
 Skip domain arkachowdhury.com
 Skip domain arkadiosltd.com
 Skip domain arkadmining.com
 Skip domain arkhorizonsimmigration.ca
 Skip domain arlingtonalliance4youth.org
 Skip domain arni.site
 Skip domain arquitectoszaragoza.net
 Skip domain arsipgadget.com
 Skip domain artanthonyart.com
 Skip domain artisansng.com
 Skip domain artisticfilmproductions.com
 Skip domain artisticooking.com
 Skip domain artofanalu.com
 Skip domain arturandmariya.com
 Skip domain arzparsi.club
 Skip domain asaman.net
 Skip domain asfafqw.eter.shtepia-ks.com
 Skip domain ashevilleorganicfarmandgarden.com
 Skip domain ashevilleweddingphotography.org
 Skip domain ashrafulmallik.com
 Skip domain asiapostdelivery.com
 Skip domain askonline.online
 Skip domain aso-ebi.biz
 Skip domain asoebiconcierge.com
 Skip domain aspresets.com
 Skip domain assets.e-minbar.com
 Skip domain assgardia.space
 Skip domain assignments.help
 Skip domain assignmentwritings.net
 Skip domain asthil.xyz
 Skip domain astonishinglegends.org
 Skip domain astonishingparanormal.com
 Skip domain astontankfarm.com
 Skip domain astralyx.space
 Skip domain astridoutsourcing.com
 Skip domain astroidit.com
 Skip domain astroquiz.us
 Skip domain astrozi.testingstage.website
 Skip domain astuce-verte.com
 Skip domain asumitea.com
 Skip domain athletesphysiques.com
 Skip domain atifrafiq.website
 Skip domain atiglobals.com
 Skip domain atlantaglassartguild.org
 Skip domain atlantaplanetarium.org
 Skip domain atlantic-pvp.com
 Skip domain atlanticexpressshipping.com
 Skip domain atlantismysteries.com
 Skip domain atlantisrisingtimes.com
 Skip domain atlas-idiomas.com
 Skip domain atlas.fail
 Skip domain atnatgh.com
 Skip domain atownhome.com
 Skip domain attlst.net
 Skip domain auchan.gadgetvector.shop
 Skip domain audi-a4-voiture.com
 Skip domain audioloopz.com
 Skip domain audiomackcareer.com
 Skip domain auguryst2.xyz
 Skip domain aurexi.com
 Skip domain austinheartvet.com
 Skip domain auth.4extrapressure.com
 Skip domain auth.droptheacid.com
 Skip domain auth.graniteexcavation.com
 Skip domain auth.matthewant.com
 Skip domain authme-lloyds.net
 Skip domain authorizedevice-new-s-plc.com
 Skip domain authsmtp.droptheacid.com
 Skip domain authsmtp.graniteexcavation.com
 Skip domain authtransactions-change.com
 Skip domain auto-id.tech
 Skip domain auto-market.counter-event.ai
 Skip domain auto.wingmanvn.com
 Skip domain autobytel-logistics.com
 Skip domain autodiscover.berkshirebar.com
 Skip domain autodiscover.elitevisionit.com
 Skip domain autodiscover.promoteng.com
 Skip domain autodiscover.smarterpsolutions.online
 Skip domain automatic.codesbazaar.com
 Skip domain automation.jacobkhalili.com
 Skip domain automotive.manecom.co.uk
 Skip domain autoshop.to
 Skip domain autosystemrectify.live
 Skip domain av-lawyer.com
 Skip domain avalonbatory.com
 Skip domain avjamcomics.com
 Skip domain avohado.website
 Skip domain awakeningschoolofthedivinearts.com
 Skip domain award9ja.com
 Skip domain awardshdlive.co
 Skip domain awesomedealschoice.com
 Skip domain awla.africa
 Skip domain awla.international
 Skip domain awoofpay.com
 Skip domain awsxsjtqdsdwzd6jirddsdb5bu4rfqdsd.liberalforumegypt.org
 Skip domain axa-fx.com
 Skip domain axa.achterstand.online
 Skip domain ayovaservices.com
 Skip domain azaraproduction.com
 Skip domain b2b-email-list.co.uk
 Skip domain b2tradeoption.com
 Skip domain baby.manecom.co.uk
 Skip domain babycare-center.com
 Skip domain backflowdigital.com
 Skip domain backpack.prim4t.art
 Skip domain backup.trendingknowledge.com
 Skip domain bacter.pharmaax.xyz
 Skip domain baidu.com.thecarguys.info
 Skip domain bak.homoeohealers.com
 Skip domain bakasuki.com
 Skip domain bakermiller.co
 Skip domain bakerywoodworks.com
 Skip domain bakingsodant.net
 Skip domain baktiar.com
 Skip domain balliah.com
 Skip domain bamboo-tv.info
 Skip domain bancaras.com
 Skip domain bancavirtual-appbanrural.com
 Skip domain bancoenestadochile-bancaenlinea.com
 Skip domain bandottoto.org
 Skip domain bangkokaestheticplasticsurgery.com
 Skip domain bangla.technohacks.net
 Skip domain banglababy.ca
 Skip domain banglarun.com
 Skip domain banifbnk.online
 Skip domain bank-postale.priloznost-resitev.com
 Skip domain bank.propsnstructs.com
 Skip domain bankid-nettbank.com
 Skip domain banking.alytrust.com
 Skip domain bankloggon.online
 Skip domain banksiafurniture.com.au
 Skip domain banksmine.com
 Skip domain banporinternet.bnkbif.com
 Skip domain banzarapk.online
 Skip domain baobabconsult.org
 Skip domain bapes.live
 Skip domain bara.zipfizz.online
 Skip domain barber.lucarimediotti.com
 Skip domain barbybeautystudio.com
 Skip domain barcalayagroup.com
 Skip domain barcelonacoffee.shop
 Skip domain barracuda.droptheacid.com
 Skip domain barracuda.graniteexcavation.com
 Skip domain bartertag.esellors.com
 Skip domain basira.website
 Skip domain basket4livesweb.com
 Skip domain bastioncontracting.com
 Skip domain baundule.com
 Skip domain bbjgkiozdsddn8vn88zdsdx6qea04pdsdwowfm0kidsd.liberalforumegypt.org
 Skip domain bbostonmarathon.com
 Skip domain bbvacontinetal.com
 Skip domain bbvanet.digital
 Skip domain bcasuperviellie.online
 Skip domain bcityentertainment.com
 Skip domain bcp.clientemovil.com
 Skip domain bcpcartoes.mobi
 Skip domain bd.titudas.com
 Skip domain bdtb23xhdsdgucancdodsd.ethraaegypt.com
 Skip domain beardedclamreviews.com
 Skip domain beatkidneydisease.gq
 Skip domain beauty-care.mndubai.com
 Skip domain beautyandthedeceased.enterbrainment.net
 Skip domain beautycare.manecom.co.uk
 Skip domain beautytippro.com
 Skip domain beautytips3.com
 Skip domain becksoccer.com
 Skip domain beerfest.ninja
 Skip domain beesmartsoltions.com
 Skip domain beheer.home-app-bevestigen.website
 Skip domain behypenft.co
 Skip domain beinmatsh.com
 Skip domain belcem-digital.com
 Skip domain belf-shortlink.info
 Skip domain belfi-info.foutieve-domiciliering.website
 Skip domain belfius.achterstand.online
 Skip domain belizeanamericanjerk.com
 Skip domain bellanadia.com
 Skip domain bellapiel.com.co
 Skip domain bems.club
 Skip domain benigna.us
 Skip domain benignaparfums.com
 Skip domain bennbuy.com
 Skip domain bensedira.news
 Skip domain beo-verificatieplicht.pw
 Skip domain berkshirebar.com
 Skip domain berwickwindowcleaning.com.au
 Skip domain best-layer.com
 Skip domain best10casinoincanada.com
 Skip domain bestbedroomfurnitures.com
 Skip domain bestcoffeemakerreviewed.com
 Skip domain bestdealpk.com
 Skip domain bestdiscountsshop.com
 Skip domain bestemail.club
 Skip domain bestgeneratorpoint.com
 Skip domain besthelmetreview.com
 Skip domain bestnespressomachine.net
 Skip domain bestoffunnels.com
 Skip domain bestreviewgroup.com
 Skip domain bestsellertootbrush.com
 Skip domain beststores.xyz
 Skip domain bestwebdevlopers.com
 Skip domain beta.condala.com
 Skip domain beta.geniuscircle.id
 Skip domain beta.graniteexcavation.com
 Skip domain beta.gricd.com
 Skip domain beta.papigoshop.com
 Skip domain beta.seaofchampions.com
 Skip domain betaalpas-herstellen.website
 Skip domain betro.com
 Skip domain betterselfmedia.com
 Skip domain betwithbtc.io
 Skip domain beuvbuilt.com
 Skip domain bevygold.xyz
 Skip domain bevymonstr.xyz
 Skip domain bevynew.xyz
 Skip domain bhabutarealestates.co.uk
 Skip domain bhartiyegyan.com
 Skip domain bhendersonhosting.com
 Skip domain bhtswap.online
 Skip domain bianaryopt.pw
 Skip domain bibutalep.com
 Skip domain bictskills.com
 Skip domain biharshs.in
 Skip domain bijoyerdak.com
 Skip domain bikefromthisroad.com
 Skip domain bikyastore.com
 Skip domain bilalsaghir.teachsol.com
 Skip domain billing-option-update.com
 Skip domain billing.netsolutionbd.com
 Skip domain billingtongroup.us
 Skip domain billionbrand.co
 Skip domain billionbrand.us
 Skip domain billslaboratory.com
 Skip domain binadamservices.com
 Skip domain binancenasiluyeolunur.win
 Skip domain bingads.site
 Skip domain bio-lagann.zuxboxes.london
 Skip domain biocore.uk
 Skip domain biohealthylabs.com
 Skip domain birds.minting-now.me
 Skip domain birix-groupe.com
 Skip domain birkenslidesusa.com
 Skip domain bissteam.website
 Skip domain bit-address.live
 Skip domain bit-nadex.com
 Skip domain bit-wax.com
 Skip domain bitbux.xyz
 Skip domain bitcoin-generator.earn-hub.me
 Skip domain bitcoin-up.elmasryah.com
 Skip domain bitcoin-up.ethraaegypt.com
 Skip domain bitcoin-up.liberalforumegypt.org
 Skip domain bitcoin507.fun
 Skip domain bitcoinfast.pro
 Skip domain bitcoinup.elmasryah.com
 Skip domain bitcoinup.ethraaegypt.com
 Skip domain bitcoinup.liberalforumegypt.org
 Skip domain bitconet.co
 Skip domain bitnad.com
 Skip domain bitrise.eu
 Skip domain bitrise.trade
 Skip domain bitstarz.host
 Skip domain biwjomiwy.site
 Skip domain biznes.gold
 Skip domain bk8xid5mdsdjcqsocmudsdnzhziyxadsd.elmasryah.com
 Skip domain bklimt.com
 Skip domain bkovgrp.com
 Skip domain blacksheepwoolens.com
 Skip domain blank.travell.me
 Skip domain blazegp.com
 Skip domain bleezzermusic.com
 Skip domain blingbling.sale
 Skip domain blinkstudios.in
 Skip domain blitzworldnft.live
 Skip domain blockcchain.cc
 Skip domain blockchainbossbaby.io
 Skip domain blockchainminingoptions.com
 Skip domain blockchaintrack.couriertrack.online
 Skip domain blog-webcrab.herbalattic.com
 Skip domain blog.4extrapressure.com
 Skip domain blog.adriansolca.com
 Skip domain blog.alternativestorylab.com
 Skip domain blog.bestoffunnels.com
 Skip domain blog.boardmenngr.com
 Skip domain blog.condala.com
 Skip domain blog.coonmate.com
 Skip domain blog.ditcoin.io
 Skip domain blog.enterbrainment.net
 Skip domain blog.krazy.site
 Skip domain blog.laodi.id
 Skip domain blog.mosmer.win
 Skip domain blog.philipp-trommler.me
 Skip domain blog.undergames.com.co
 Skip domain blog.wasimrana.com
 Skip domain bloggermix.com
 Skip domain bloggerskorner.com
 Skip domain bloggerstopic.com
 Skip domain blogiweb.com
 Skip domain blogsolo.com
 Skip domain bloomlouisville.com
 Skip domain bloomtherapy.net
 Skip domain bluebaybd.com
 Skip domain bluecap.xyz
 Skip domain bluemerlepitbull.amakittens.com
 Skip domain bluetxinsurance.com
 Skip domain bmkltd-kr.co
 Skip domain bmwnew.com
 Skip domain bnb-reactivate.com
 Skip domain bnkbif.com
 Skip domain bo-isecureverifications365.online
 Skip domain boaml.us
 Skip domain boardmenngr.com
 Skip domain bobmadeley.com
 Skip domain bodyfatloss4idiots.com
 Skip domain bof0-4-aut.online
 Skip domain boguravaly.com
 Skip domain bohemianwatches.com
 Skip domain boi-onlinehelp.com
 Skip domain boldandbeaus.com
 Skip domain boltforexpips.com
 Skip domain bomb-news.info
 Skip domain bonocasio.com
 Skip domain bonus.cosmixcargoservices.com
 Skip domain bonus.e-store.club
 Skip domain bonus.uniteddirectcargo.com
 Skip domain bookievn.website
 Skip domain bookshop.lucarimediotti.com
 Skip domain boontouick.com
 Skip domain boosted.vinefex.com
 Skip domain boostsmm.com
 Skip domain borrowloanstoday.com
 Skip domain boscrazycomedy.com
 Skip domain bosgadget.com
 Skip domain bostonterrierpetfarm.com
 Skip domain bot.tara.services
 Skip domain botrades247.com
 Skip domain box.graniteexcavation.com
 Skip domain box.turksmartiptv.com
 Skip domain bradesco.net1netempresas.digital
 Skip domain bradleychicoine.com
 Skip domain brainwashedbravado.com
 Skip domain brandexpress.uk
 Skip domain brandexpressdc.com
 Skip domain branding-planet.com
 Skip domain brandpeg.com
 Skip domain brandpull.com
 Skip domain bratvafaucet.xyz
 Skip domain bravebrowser.download
 Skip domain brawndoltd.com
 Skip domain brbg6tjqdsdchkwzqpydsd.ethraaegypt.com
 Skip domain breliance.io
 Skip domain breminetint.org
 Skip domain bridgettesolis.website
 Skip domain brittanyfowler.everyocean.studio
 Skip domain brodiegraphics.com
 Skip domain brokechefs.com
 Skip domain brooke.localgirl.club
 Skip domain brookevillers.ca
 Skip domain brother.earth
 Skip domain brovchana.me
 Skip domain brucenewmedia.com
 Skip domain brucetapes.com
 Skip domain brunopaquin.com
 Skip domain brvp.org
 Skip domain btc-generator.live
 Skip domain btc.coinmaker.website
 Skip domain btc.fxdcryptomining.com
 Skip domain btcinvestclub.digital
 Skip domain btcking.earn-hub.me
 Skip domain btcpawn.net
 Skip domain btcukraine.org
 Skip domain bticonnect.co
 Skip domain buckeyenailspa.com
 Skip domain buddhistlesson.com
 Skip domain buentrade.com
 Skip domain buffalomedia1.com
 Skip domain build.droptheacid.com
 Skip domain buildbetterbalance.com
 Skip domain builddreams.pk
 Skip domain bulldog1media.network
 Skip domain bungalowtorremolinos.com
 Skip domain burgerways.com
 Skip domain burgettstojapan.org
 Skip domain burkek.com
 Skip domain businessfinancified.com
 Skip domain businessnachrichten.com
 Skip domain businessplanpioneers.com
 Skip domain bustabit.gb.net
 Skip domain bustabit.me.uk
 Skip domain busywriter.com
 Skip domain buy-online.website
 Skip domain buy.gricd.com
 Skip domain buygroceriesdirect.com
 Skip domain buyhyip.seotoolkit.center
 Skip domain bvjdubai.com
 Skip domain byvianca.com
 Skip domain c25.website
 Skip domain c3nejx3qdsdvywhvmxbdsdpcp6irmrdsdxgrjkmh5dsd.liberalforumegypt.org
 Skip domain cabdul.site
 Skip domain cabin.4extrapressure.com
 Skip domain cabinet-armandduviain.com
 Skip domain cabinetdentaireapex.com
 Skip domain cabinetdoor.club
 Skip domain cadceed.cabdul.site
 Skip domain cairnsroofrestoration.com
 Skip domain caixaglobal.com
 Skip domain calendariosperlas.com
 Skip domain callmeneo.hostilica.co
 Skip domain caltonco.com
 Skip domain calzadonuevamoda.xyz
 Skip domain cambio-marketplace.site
 Skip domain camerbornawards.com
 Skip domain campaignzed.com
 Skip domain camprofile.live
 Skip domain canadianwebdeveloper.ca
 Skip domain canary.zyap.media
 Skip domain cancel-unrecognised-devicepairing.com
 Skip domain cancunelopementweddings.com
 Skip domain candlesofconsciousness.com
 Skip domain candogloves.com
 Skip domain cannabisconnection.website
 Skip domain cannabisforhealth.store
 Skip domain cantherapeutics.com
 Skip domain caodandongydoor.com
 Skip domain capacitacion.pinsoluciones.com
 Skip domain capefearcribs.com
 Skip domain capital.epicslainmedia.com
 Skip domain capital0ne.36obk.com
 Skip domain capitechtrade.com
 Skip domain car-center-market-place.com
 Skip domain car88.club
 Skip domain cardano-2021.info
 Skip domain career101.info
 Skip domain career247.info
 Skip domain cargo.relexglobal.com
 Skip domain carlisting.kiwiweb.online
 Skip domain carlpadilla.com
 Skip domain carona.io
 Skip domain carterlawson.com
 Skip domain cartoys.shop
 Skip domain carvivid.com
 Skip domain carwebsite.waleedapp.com
 Skip domain cash365.com
 Skip domain cashhomeclosers.com
 Skip domain casinojones.com
 Skip domain casinovip.world
 Skip domain cassinicourt.com
 Skip domain casualfunmeet.me
 Skip domain cauvangmienbac62.com
 Skip domain cbd-colombia.com
 Skip domain cbdcolombia.life
 Skip domain cbdpetgoodies.xyz
 Skip domain ccnmediaweb.com
 Skip domain ccokonkwo.com
 Skip domain cdfcashpay.com
 Skip domain cdmsoftechsolution.com
 Skip domain cdn-dextools.com
 Skip domain cdsccrp.ca
 Skip domain cebuhouse.us
 Skip domain cebuhouserealty.com
 Skip domain cediway.com
 Skip domain celestinegoods.com
 Skip domain cellphonerepairchilliwack.com
 Skip domain cellphonexperts.com
 Skip domain cenqq.com
 Skip domain centralcarolinamoparclub.com
 Skip domain cepassion.com
 Skip domain ceritasexdewasa.club
 Skip domain certifica.ora.app.shtepia-ks.com
 Skip domain cesarnoticias.co
 Skip domain cfdfinanc.com
 Skip domain cfit-iq.com
 Skip domain cgladataprom.online
 Skip domain chachakahini.com
 Skip domain chadobermans.com
 Skip domain chagno.com
 Skip domain cham.shop
 Skip domain champions.help
 Skip domain chancroide.info
 Skip domain chandlersconcrete.com
 Skip domain change.org.bd
 Skip domain charityaid.gives
 Skip domain charlieoscardelta.com
 Skip domain charmingpenny.com
 Skip domain charsheet.fun
 Skip domain chase.support.livehelpdesk.xyz
 Skip domain chaturbate.com.rebeccasadultproducts.cc
 Skip domain cheapappleipodtouch.com
 Skip domain cheapnailpolish.us
 Skip domain cheappromiserings.us
 Skip domain check2check.xyz
 Skip domain check3.project-conceptangles.com
 Skip domain cheeryzone.com
 Skip domain chef.tours
 Skip domain chef.zuxfox.online
 Skip domain cheikh-maghribi.com
 Skip domain chel-invest.ru
 Skip domain chequeapp.com
 Skip domain cherrycreekdiva.com
 Skip domain cherryred.xyz
 Skip domain chiajna.online
 Skip domain chiappafirearmsltd.com
 Skip domain chickenrecipesfordinner.com
 Skip domain chietkhaumuahang.com
 Skip domain chilahati.com
 Skip domain childactfoundation.com
 Skip domain chinabrasserie.co.uk
 Skip domain chofna.com
 Skip domain choicers.ca
 Skip domain choiione.com
 Skip domain choosekar.com
 Skip domain chrisdonnellymarketing.com
 Skip domain christian-louboutinshoes.com
 Skip domain christinaclary.com
 Skip domain chrysoincorporated.com
 Skip domain chuckcohen.com
 Skip domain chuxal.com
 Skip domain cibex.ca
 Skip domain cimafoxoil.com
 Skip domain citiftbank.com
 Skip domain cititrusfx.com
 Skip domain citizencs.kiraaknews.com
 Skip domain citizencsc.kiraaknews.com
 Skip domain citizenspay.com
 Skip domain cittogel-group.com
 Skip domain citybaze.com
 Skip domain citystoresng.com
 Skip domain civilbarta.com
 Skip domain cl.buentrade.com
 Skip domain claipresa.com
 Skip domain clanagnew.info
 Skip domain clarkson-abmbaki.com
 Skip domain class.digitalinfluence.in
 Skip domain classics.enterbrainment.net
 Skip domain classified.mediangr.com
 Skip domain claudiatrevinomusic.com
 Skip domain claudiomarialerario.com
 Skip domain cleanqualitygadget.com
 Skip domain clickbyte.digital
 Skip domain clickdeals.tech
 Skip domain clickergamesunblocked.com
 Skip domain clickestimating.com
 Skip domain client.premierstall.com
 Skip domain client.wizardwriters.net
 Skip domain clientemovil.com
 Skip domain clientescadastropj.online
 Skip domain climatenest.com
 Skip domain climatetactics.com
 Skip domain clinical.pharmaax.xyz
 Skip domain cliplup.com
 Skip domain clippersvs.co
 Skip domain clock-news.com
 Skip domain clothyclothy.com
 Skip domain cloud.ghadan.website
 Skip domain cmctradepro.com
 Skip domain cmgiftspin.website
 Skip domain cnbfinance.com
 Skip domain cne-machines.world
 Skip domain cnfgrerennu-tct2dnstenweb.info
 Skip domain cnvrt.club
 Skip domain cnvrtpdf.club
 Skip domain co.buentrade.com
 Skip domain cobule.com
 Skip domain cocobestdog.com
 Skip domain codatait.com
 Skip domain code-link.me
 Skip domain codecrowd.co
 Skip domain codesbazaar.com
 Skip domain codevipers.com
 Skip domain codilitytestshelp.com
 Skip domain codypar.com
 Skip domain cognatetrustib.online
 Skip domain coin-daomaker.cloud
 Skip domain coin-trendz.uk
 Skip domain coinmaker.website
 Skip domain coinmastermovies.com
 Skip domain coinsafeindia.com
 Skip domain cointraderadvice.com
 Skip domain cointrendz.uk
 Skip domain coinzlord.com
 Skip domain coldweatherbaseball.com
 Skip domain colheradacultural.com.br
 Skip domain colinvidelock.com
 Skip domain collaborat3.com
 Skip domain collaborate.repair
 Skip domain collection.phonicroom.com
 Skip domain collectivecontent.co.uk
 Skip domain collectivelyretirement.net
 Skip domain collegehomeworkhelp.org
 Skip domain com.lr-u.website
 Skip domain com.ref.nr527.online
 Skip domain comfykids.co.uk
 Skip domain commau-login.com
 Skip domain community.0x40.pw
 Skip domain communitypartnersedu.org
 Skip domain comparebear.net
 Skip domain comparezella.co.uk
 Skip domain compila-start.com
 Skip domain completeconcretesystem.com
 Skip domain completecs.org
 Skip domain comune.graniteexcavation.com
 Skip domain conclavejournal.com
 Skip domain condala.com
 Skip domain conference.nemaevents.org
 Skip domain conferencehr.com
 Skip domain congdongxiaomi.com
 Skip domain connect.enterbrainment.net
 Skip domain connect2ee.com
 Skip domain connectedworldwide.icu
 Skip domain connectivitysolutionsfixed.me
 Skip domain connexarms.com
 Skip domain connieferguson.com
 Skip domain conservativepatriot.us
 Skip domain conspiracyintelligenceagency.com
 Skip domain conspiracyoutpost.org
 Skip domain consultant.fyi
 Skip domain consultation.pharmaax.xyz
 Skip domain contacts.counter-event.ai
 Skip domain continentaladjusters.com
 Skip domain contractjack.net
 Skip domain controldealmacen.com
 Skip domain convention.nemaevents.org
 Skip domain cool.travell.me
 Skip domain coolerthan.me
 Skip domain coonmate.com
 Skip domain copernicanijmstech.com
 Skip domain copperstateco.com
 Got ip-dst 199.188.200.96 as part of object domain-ip
Sleeping for 3 seconds
Finished VirusTotal enrichment.

VirusTotal enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This table returns only those matches corresponding with the source VirusTotal.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "VirusTotal":
            table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
print(table.get_string(sortby="Value"))
table_virustotal = table

+------------+------------------+------------------+--------+----------------------------------------------------+
|   Source   | Value            | Category         | Type   | Enriched                                           |
+------------+------------------+------------------+--------+----------------------------------------------------+
| VirusTotal | 104.194.215.229  | Network activity | AS     | 8100                                               |
| VirusTotal | 104.194.215.229  | Network activity | ip-dst | 104.194.215.229                                    |
| VirusTotal | 104.194.215.229  | Other            | text   | US                                                 |
| VirusTotal | 199.188.200.96   | Network activity | AS     | 22612                                              |
| VirusTotal | 199.188.200.96   | Network activity | ip-dst | 199.188.200.96                                     |
| VirusTotal | 199.188.200.96   | Other            | text   | US                                                 |
| VirusTotal | 50.116.17.41     | Network activity | AS     | 63949                                              |
| VirusTotal | 50.116.17.41     | Network activity | ip-dst | 50.116.17.41                                       |
| VirusTotal | 50.116.17.41     | Other            | text   | US                                                 |
| VirusTotal | mikeylinehan.com | Network activity | ip-dst | 198.185.159.145                                    |
| VirusTotal | mikeylinehan.com | Network activity | ip-dst | 198.49.23.144                                      |
| VirusTotal | mikeylinehan.com | Network activity | ip-dst | 198.49.23.145                                      |
| VirusTotal | mikeylinehan.com | Network activity | ip-dst | 199.59.243.222                                     |
| VirusTotal | mikeylinehan.com | Network activity | ip-dst | 91.195.240.117                                     |
| VirusTotal | mikeylinehan.com | Other            | whois  | Administrative city: Tempe                         |
|            |                  |                  |        | Administrative country: United States              |
|            |                  |                  |        | Administrative state: Arizona                      |
|            |                  |                  |        | Create date: 2022-12-07 00:00:00                   |
|            |                  |                  |        | Domain name: mikeylinehan.com                      |
|            |                  |                  |        | Domain registrar id: 146                           |
|            |                  |                  |        | Domain registrar url: https://www.godaddy.com      |
|            |                  |                  |        | Expiry date: 2023-12-07 00:00:00                   |
|            |                  |                  |        | Name server 1: ns2.bodis.com                       |
|            |                  |                  |        | Name server 2: ns3.bd-verify-gu7sqsxf6r.com        |
|            |                  |                  |        | Name server 3: ns1.bodis.com                       |
|            |                  |                  |        | Query time: 2022-12-09 01:17:50                    |
|            |                  |                  |        | Registrant city: a7319ae5e6c95df5                  |
|            |                  |                  |        | Registrant company: 7f270b624abce87e               |
|            |                  |                  |        | Registrant country: United States                  |
|            |                  |                  |        | Registrant email: 501c8f3031df1b66s@               |
|            |                  |                  |        | Registrant fax: 73632f3e7db2cc41                   |
|            |                  |                  |        | Registrant name: 80315b2e6ac1a801                  |
|            |                  |                  |        | Registrant phone: b03d5abc696b79f6                 |
|            |                  |                  |        | Registrant state: 30bdd2917a604c83                 |
|            |                  |                  |        | Registrant zip: 052e5bd148f904f9                   |
|            |                  |                  |        | Technical city: Tempe                              |
|            |                  |                  |        | Technical country: United States                   |
|            |                  |                  |        | Technical state: Arizona                           |
|            |                  |                  |        | Update date: 2022-12-07 00:00:00                   |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 103d93ab0996ed79df9184183fb63f3c37c2fbd0aa505174e2 |
|            |                  |                  |        | 9256ddf02208b5                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 51c93eda00d090aae0d3e211fb1679aa6456df7dc51a7cd45b |
|            |                  |                  |        | f4d3b990b531c7                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 5596dc862bd9aea2981ebe1f8a638557d1383ccd9a47c94c96 |
|            |                  |                  |        | 10300325f94a0e                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 69fb7b96d2da05f2aef88efc9e788ede343c9112ae164fe026 |
|            |                  |                  |        | e504449d56464e                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 75d6289e33dbf05543f8a850e40c7bb3e3f8b9e2872015f8a7 |
|            |                  |                  |        | b09906aabb7b5e                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1 |
|            |                  |                  |        | 112a4e670c97d4                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | 86749d3e3233d7a75a618c98eac9f31f508aed4492849f65b9 |
|            |                  |                  |        | 07787b0bd1d047                                     |
| VirusTotal | mikeylinehan.com | Payload delivery | sha256 | c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f12 |
|            |                  |                  |        | 94d260f220aea8                                     |
| VirusTotal | qwepoi123098.com | Network activity | ip-dst | 139.162.120.150                                    |
| VirusTotal | qwepoi123098.com | Network activity | ip-dst | 146.70.87.109                                      |
| VirusTotal | qwepoi123098.com | Other            | whois  | Administrative city: Reykjavik                     |
|            |                  |                  |        | Administrative country: Iceland                    |
|            |                  |                  |        | Administrative email:                              |
|            |                  |                  |        | 3ff625069fc77a81s@withheldforprivacy.com           |
|            |                  |                  |        | Administrative state: Capital Region               |
|            |                  |                  |        | Create date: 2022-11-17 00:00:00                   |
|            |                  |                  |        | Domain name: qwepoi123098.com                      |
|            |                  |                  |        | Domain registrar id: 1068                          |
|            |                  |                  |        | Domain registrar url: http://www.namecheap.com     |
|            |                  |                  |        | Expiry date: 2023-11-17 00:00:00                   |
|            |                  |                  |        | Name server 1: dns1.registrar-servers.com          |
|            |                  |                  |        | Name server 2: dns2.registrar-servers.com          |
|            |                  |                  |        | Query time: 2022-11-19 01:25:51                    |
|            |                  |                  |        | Registrant city: ddbf76e4e8cee320                  |
|            |                  |                  |        | Registrant company: 4b7a0912c26a13e2               |
|            |                  |                  |        | Registrant country: Iceland                        |
|            |                  |                  |        | Registrant email:                                  |
|            |                  |                  |        | 3ff625069fc77a81s@withheldforprivacy.com           |
|            |                  |                  |        | Registrant name: 37bfbc24cafea5d2                  |
|            |                  |                  |        | Registrant phone: fc40cd552aeaa6b8                 |
|            |                  |                  |        | Registrant state: 3e0204199d8ebf9c                 |
|            |                  |                  |        | Registrant zip: f206c9d9737ad45d                   |
|            |                  |                  |        | Technical city: Reykjavik                          |
|            |                  |                  |        | Technical country: Iceland                         |
|            |                  |                  |        | Technical email:                                   |
|            |                  |                  |        | 3ff625069fc77a81s@withheldforprivacy.com           |
|            |                  |                  |        | Technical state: Capital Region                    |
|            |                  |                  |        | Update date: 2022-11-17 00:00:00                   |
| VirusTotal | qwepoi123098.com | Payload delivery | sha256 | 2b6282da522f1f51ee6e0ed5e37aa55a191d34ffbb3c287cb2 |
|            |                  |                  |        | 0d71ad2bf25b4b                                     |
| VirusTotal | qwepoi123098.com | Payload delivery | sha256 | ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f12 |
|            |                  |                  |        | 6e8965d777fbf0                                     |
+------------+------------------+------------------+--------+----------------------------------------------------+

ER:7 Enrich with information from Shodan

If the Shodan module is enabled in MISP modules you can now query Shodan.

By default the playbook will query Shodan for results related to the original domains you specified as input in the first section of the playbook. But you can extend this list via shodan_include_enrichment. Be aware that some attributes (such as IPs) can create a lot of additional attributes when the domain points to a shared hosting facility.

You can also ignore additional results returned by Shodan with shodan_result_skip_category_type. This variable is a Python list containing a combination of MISP category and type (format: category/type) that you do not want to include the summary and event.

And finally you can also indicate if you want to keep the to_ids value set by the Shodan module or always set it to False (shodan_to_ids). The latter is advised. If you set shodan_to_ids to True, then the playbook keeps the value returned by the Shodan module.

# In addition to the domains, query Shodan for the below enrichment values
# Beware of IPs pointing to hosting facilities. Note that the MISP Shodan module only accepts IPs as input
shodan_include_enrichment = ["ip-dst"]
#shodan_include_enrichment = []

# Do not include category_type of the below returned by Shodan. For some domains this can result a large result set
shodan_result_skip_category_type = ["Other/text", "Other/float", "Other/datetime", "Network activity/port", "External analysis/link"]

# to_ids: False: always set to False ; True: keep what's returned by the MISP module
shodan_to_ids = False

# Code block to query Shodan
shodan_query = []
for domain in query_domain:
    if re.match(r"{}".format(regular_expressions["hostname"]), domain):
        shodan_query.append(domain)

for domain in playbook_results:
    for element in playbook_results[domain]:
        if element.get("type", False) in shodan_include_enrichment and len(element["enriched"]) > 0 and element["enriched"] not in shodan_query:
            shodan_query.append(element["enriched"])

# Code block to query Shodan
module_name = "shodan"
module_source = "Shodan"
if misp_modules[module_name]["enabled"]:
    for value in shodan_query:
        module_comment = "From {} for {}".format(module_source, value)
        attribute_type = False
        for expr in regular_expressions:
            if re.match(r"{}".format(regular_expressions[expr]), value):
                attribute_type = expr
                break

        if attribute_type in misp_modules[module_name]["input"]:
            data = {
                "attribute": {
                    "type": f"{attribute_type}",
                    "uuid": str(uuid.uuid4()),
                    "value": f"{value}",
                },
                "module": module_name,
                "config": {"apikey": shodan_apikey}
            }
            print("Query \033[92m{}\033[90m as \033[92m{}\033[90m".format(value, attribute_type))
            result = requests.post("{}/query".format(misp_modules_url), headers=misp_modules_headers, json=data)
            #pprint(result.json())
            if "results" in result.json() and len(result.json()["results"]) > 0:
                result_json = result.json()["results"]
                for misp_object in result_json["Object"]:
                    misp_object["comment"] = "{}{}".format(module_comment, misp_object.get("comment", ""))
                    new_attribute_list = []
                    for misp_attribute in misp_object.get("Attribute", []):
                        category_type = "{}/{}".format(misp_attribute["category"], misp_attribute["type"])
                        if category_type not in shodan_result_skip_category_type:
                            if misp_attribute["to_ids"] == True and not shodan_to_ids:
                                misp_attribute["to_ids"] = False
                            entry = {"source": module_source, "category": misp_attribute["category"], "type": misp_attribute["type"], "enriched": misp_attribute["value"]}
                            playbook_results = pb_add_enrichment(playbook_results, value, entry, "enriched", misp_attribute["value"])
                            misp_attribute["comment"] = module_comment
                            new_attribute_list.append(misp_attribute)
                            print(" Got {} {} as part of object {}".format(misp_attribute["type"], misp_attribute["value"], misp_object["name"]))
                    misp_object["Attribute"] = new_attribute_list
                    if len(misp_object["Attribute"]) > 0:
                        created_object = misp.add_object(misp_event.uuid, misp_object, pythonify=True)
                        if not "errors" in created_object:
                            if value in case_objects:
                                misp.add_object_reference(case_objects[value].add_reference(created_object.uuid, "related-to"))
            print("Sleeping for {} seconds".format(misp_modules_wait))
            time.sleep(misp_modules_wait)
        else:
            print("Skipping \033[91m{}\033[90m. Not a valid query type ({}).".format(value, misp_modules[module_name]["input"]))

print("Finished Shodan enrichment.\n\n")

Skipping qwepoi123098.com. Not a valid query type (['ip-src', 'ip-dst']).
Skipping mikeylinehan.com. Not a valid query type (['ip-src', 'ip-dst']).
Query 50.116.17.41 as ip-src
 Got AS AS63949 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 50.116.17.41 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 50.116.17.41 as part of object ip-port
 Got domain linode.com as part of object ip-port
 Got hostname li601-41.members.linode.com as part of object ip-port
 Got x509-fingerprint-sha256 70435e54dd434ae295a76cd0bb98375c7162e66c69a7b92bf79cfe29bff32ad5 as part of object x509
 Got x509-fingerprint-sha1 306654bab3f48527a550b23c2b7a2d9431fc2ff8 as part of object x509
Sleeping for 3 seconds
Query 104.194.215.229 as ip-src
 Got AS AS8100 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 104.194.215.229 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 104.194.215.229 as part of object ip-port
 Got domain www3iwebonline.com as part of object ip-port
 Got hostname ntx5.www3iwebonline.com as part of object ip-port
 Got vulnerability CVE-2019-12528 as part of object vulnerability
 Got vulnerability CVE-2019-12529 as part of object vulnerability
 Got vulnerability CVE-2019-12520 as part of object vulnerability
 Got vulnerability CVE-2019-12521 as part of object vulnerability
 Got vulnerability CVE-2019-12522 as part of object vulnerability
 Got vulnerability CVE-2019-12523 as part of object vulnerability
 Got vulnerability CVE-2019-12524 as part of object vulnerability
 Got vulnerability CVE-2019-12525 as part of object vulnerability
 Got vulnerability CVE-2019-12526 as part of object vulnerability
 Got vulnerability CVE-2021-31808 as part of object vulnerability
 Got vulnerability CVE-2018-19132 as part of object vulnerability
 Got vulnerability CVE-2020-15811 as part of object vulnerability
 Got vulnerability CVE-2021-31807 as part of object vulnerability
 Got vulnerability CVE-2021-28116 as part of object vulnerability
 Got vulnerability CVE-2018-19131 as part of object vulnerability
 Got vulnerability CVE-2020-8450 as part of object vulnerability
 Got vulnerability CVE-2021-31806 as part of object vulnerability
 Got vulnerability CVE-2019-18677 as part of object vulnerability
 Got vulnerability CVE-2020-8517 as part of object vulnerability
 Got vulnerability CVE-2020-25097 as part of object vulnerability
 Got vulnerability CVE-2016-10002 as part of object vulnerability
 Got vulnerability CVE-2016-10003 as part of object vulnerability
 Got vulnerability CVE-2020-24606 as part of object vulnerability
 Got vulnerability CVE-2019-18676 as part of object vulnerability
 Got vulnerability CVE-2019-18678 as part of object vulnerability
 Got vulnerability CVE-2019-18679 as part of object vulnerability
 Got vulnerability CVE-2019-13345 as part of object vulnerability
 Got vulnerability CVE-2019-18860 as part of object vulnerability
 Got vulnerability CVE-2020-14058 as part of object vulnerability
 Got vulnerability CVE-2019-12519 as part of object vulnerability
 Got vulnerability CVE-2020-15810 as part of object vulnerability
 Got vulnerability CVE-2021-46784 as part of object vulnerability
 Got vulnerability CVE-2020-11945 as part of object vulnerability
 Got vulnerability CVE-2021-28652 as part of object vulnerability
 Got vulnerability CVE-2021-28651 as part of object vulnerability
 Got vulnerability CVE-2020-15049 as part of object vulnerability
 Got vulnerability CVE-2020-8449 as part of object vulnerability
 Got vulnerability CVE-2021-33620 as part of object vulnerability
 Got vulnerability CVE-2018-1000024 as part of object vulnerability
 Got vulnerability CVE-2022-41318 as part of object vulnerability
 Got vulnerability CVE-2018-1000027 as part of object vulnerability
Sleeping for 3 seconds
Query 139.162.120.150 as ip-src
 Got AS AS63949 as part of object ip-api-address
 Got ip-src 139.162.120.150 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 139.162.120.150 as part of object ip-port
 Got domain linode.com as part of object ip-port
 Got hostname li1604-150.members.linode.com as part of object ip-port
Sleeping for 3 seconds
Query 146.70.87.109 as ip-src
Sleeping for 3 seconds
Query 198.185.159.144 as ip-src
 Got AS AS53831 as part of object ip-api-address
 Got ip-src 198.185.159.144 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 198.185.159.144 as part of object ip-port
 Got domain sqsp.net as part of object ip-port
 Got domain squarespace.com as part of object ip-port
 Got domain sqspcdn.com as part of object ip-port
 Got domain squarespace-mail.com as part of object ip-port
 Got domain campaign-preferences.com as part of object ip-port
 Got hostname static1.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname campaign-preferences.com as part of object ip-port
 Got hostname engage.squarespace-mail.com as part of object ip-port
 Got hostname static2.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname squarespace.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqsp.net as part of object ip-port
 Got hostname cdn1.1.sqspcdn.com as part of object ip-port
 Got hostname static1.2.sqspcdn.com as part of object ip-port
 Got x509-fingerprint-sha256 b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb2367541bd7d93b5cf as part of object x509
 Got x509-fingerprint-sha1 e0acde08badb08ae9930936e26bc713100a1d57e as part of object x509
Sleeping for 3 seconds
Query 199.188.200.96 as ip-src
 Got AS AS22612 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 199.188.200.96 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via VirusTotal
 Got ip-src 199.188.200.96 as part of object ip-port
 Got domain web-hosting.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname web-hosting.com as part of object ip-port
 Got hostname server247-4.web-hosting.com as part of object ip-port
 Got x509-fingerprint-sha256 8e27b911c83499ee5d010e179fee08846da6f444e6f9a84bed504f20ee423120 as part of object x509
 Got x509-fingerprint-sha1 02db451c9a07018198d21b3372f90ae8094db291 as part of object x509
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got x509-fingerprint-sha256 8e27b911c83499ee5d010e179fee08846da6f444e6f9a84bed504f20ee423120 as part of object x509
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got x509-fingerprint-sha1 02db451c9a07018198d21b3372f90ae8094db291 as part of object x509
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got x509-fingerprint-sha256 8e27b911c83499ee5d010e179fee08846da6f444e6f9a84bed504f20ee423120 as part of object x509
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got x509-fingerprint-sha1 02db451c9a07018198d21b3372f90ae8094db291 as part of object x509
Sleeping for 3 seconds
Query 198.185.159.145 as ip-src
 Got AS AS53831 as part of object ip-api-address
 Got ip-src 198.185.159.145 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 198.185.159.145 as part of object ip-port
 Got domain sqsp.net as part of object ip-port
 Got domain squarespace.com as part of object ip-port
 Got domain sqspcdn.com as part of object ip-port
 Got domain squarespace-mail.com as part of object ip-port
 Got domain campaign-preferences.com as part of object ip-port
 Got hostname static1.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname campaign-preferences.com as part of object ip-port
 Got hostname engage.squarespace-mail.com as part of object ip-port
 Got hostname static2.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname squarespace.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqsp.net as part of object ip-port
 Got hostname cdn1.1.sqspcdn.com as part of object ip-port
 Got hostname static1.2.sqspcdn.com as part of object ip-port
 Got x509-fingerprint-sha256 b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb2367541bd7d93b5cf as part of object x509
 Got x509-fingerprint-sha1 e0acde08badb08ae9930936e26bc713100a1d57e as part of object x509
Sleeping for 3 seconds
Query 198.49.23.144 as ip-src
 Got AS AS53831 as part of object ip-api-address
 Got ip-src 198.49.23.144 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 198.49.23.144 as part of object ip-port
 Got domain sqsp.net as part of object ip-port
 Got domain squarespace.com as part of object ip-port
 Got domain sqspcdn.com as part of object ip-port
 Got domain squarespace-mail.com as part of object ip-port
 Got domain campaign-preferences.com as part of object ip-port
 Got hostname static1.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname campaign-preferences.com as part of object ip-port
 Got hostname engage.squarespace-mail.com as part of object ip-port
 Got hostname static2.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname squarespace.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqsp.net as part of object ip-port
 Got hostname cdn1.1.sqspcdn.com as part of object ip-port
 Got hostname static1.2.sqspcdn.com as part of object ip-port
 Got x509-fingerprint-sha256 b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb2367541bd7d93b5cf as part of object x509
 Got x509-fingerprint-sha1 e0acde08badb08ae9930936e26bc713100a1d57e as part of object x509
Sleeping for 3 seconds
Query 198.49.23.145 as ip-src
 Got AS AS53831 as part of object ip-api-address
 Got ip-src 198.49.23.145 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 198.49.23.145 as part of object ip-port
 Got domain sqsp.net as part of object ip-port
 Got domain squarespace.com as part of object ip-port
 Got domain sqspcdn.com as part of object ip-port
 Got domain squarespace-mail.com as part of object ip-port
 Got domain campaign-preferences.com as part of object ip-port
 Got hostname static1.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname campaign-preferences.com as part of object ip-port
 Got hostname engage.squarespace-mail.com as part of object ip-port
 Got hostname static2.1.sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqspcdn.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname squarespace.com as part of object ip-port
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got hostname sqsp.net as part of object ip-port
 Got hostname cdn1.1.sqspcdn.com as part of object ip-port
 Got hostname static1.2.sqspcdn.com as part of object ip-port
 Got x509-fingerprint-sha256 b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb2367541bd7d93b5cf as part of object x509
 Got x509-fingerprint-sha1 e0acde08badb08ae9930936e26bc713100a1d57e as part of object x509
Sleeping for 3 seconds
Query 199.59.243.222 as ip-src
 Got AS AS16509 as part of object ip-api-address
 Got ip-src 199.59.243.222 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 199.59.243.222 as part of object ip-port
 Got x509-fingerprint-sha256 6a1bb309aa4dde8d590e9b1200dd9981dab62536ed0d8421e90c6a67a8b9bc62 as part of object x509
 Got x509-fingerprint-sha1 5cc899fcdffdb78fdc35e29f22ce47caeb574c19 as part of object x509
Sleeping for 3 seconds
Query 91.195.240.117 as ip-src
 Got AS AS47846 as part of object ip-api-address
 Got ip-src 91.195.240.117 as part of object ip-api-address
 Not adding to playbook results because of duplicate. Already added via Shodan
 Got ip-src 91.195.240.117 as part of object ip-port
Sleeping for 3 seconds
Finished Shodan enrichment.

Shodan enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This table returns only those matches corresponding with the source Shodan.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "Shodan":
            table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
print(table.get_string(sortby="Value"))
table_shodan = table

+--------+-----------------+-------------------+-------------------------+----------------------------------------------------+
| Source | Value           | Category          | Type                    | Enriched                                           |
+--------+-----------------+-------------------+-------------------------+----------------------------------------------------+
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2016-10002                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2016-10003                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2018-1000024                                   |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2018-1000027                                   |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2018-19131                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2018-19132                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12519                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12520                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12521                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12522                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12523                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12524                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12525                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12526                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12528                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-12529                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-13345                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-18676                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-18677                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-18678                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-18679                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2019-18860                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-11945                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-14058                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-15049                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-15810                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-15811                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-24606                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-25097                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-8449                                      |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-8450                                      |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2020-8517                                      |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-28116                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-28651                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-28652                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-31806                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-31807                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-31808                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-33620                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2021-46784                                     |
| Shodan | 104.194.215.229 | External analysis | vulnerability           | CVE-2022-41318                                     |
| Shodan | 104.194.215.229 | Network activity  | AS                      | AS8100                                             |
| Shodan | 104.194.215.229 | Network activity  | domain                  | www3iwebonline.com                                 |
| Shodan | 104.194.215.229 | Network activity  | hostname                | ntx5.www3iwebonline.com                            |
| Shodan | 139.162.120.150 | Network activity  | AS                      | AS63949                                            |
| Shodan | 139.162.120.150 | Network activity  | domain                  | linode.com                                         |
| Shodan | 139.162.120.150 | Network activity  | hostname                | li1604-150.members.linode.com                      |
| Shodan | 139.162.120.150 | Network activity  | ip-src                  | 139.162.120.150                                    |
| Shodan | 198.185.159.144 | Network activity  | AS                      | AS53831                                            |
| Shodan | 198.185.159.144 | Network activity  | domain                  | campaign-preferences.com                           |
| Shodan | 198.185.159.144 | Network activity  | domain                  | sqsp.net                                           |
| Shodan | 198.185.159.144 | Network activity  | domain                  | sqspcdn.com                                        |
| Shodan | 198.185.159.144 | Network activity  | domain                  | squarespace-mail.com                               |
| Shodan | 198.185.159.144 | Network activity  | domain                  | squarespace.com                                    |
| Shodan | 198.185.159.144 | Network activity  | hostname                | cdn1.1.sqspcdn.com                                 |
| Shodan | 198.185.159.144 | Network activity  | hostname                | engage.squarespace-mail.com                        |
| Shodan | 198.185.159.144 | Network activity  | hostname                | static1.1.sqspcdn.com                              |
| Shodan | 198.185.159.144 | Network activity  | hostname                | static1.2.sqspcdn.com                              |
| Shodan | 198.185.159.144 | Network activity  | hostname                | static2.1.sqspcdn.com                              |
| Shodan | 198.185.159.144 | Network activity  | ip-src                  | 198.185.159.144                                    |
| Shodan | 198.185.159.144 | Network activity  | x509-fingerprint-sha1   | e0acde08badb08ae9930936e26bc713100a1d57e           |
| Shodan | 198.185.159.144 | Network activity  | x509-fingerprint-sha256 | b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236 |
|        |                 |                   |                         | 7541bd7d93b5cf                                     |
| Shodan | 198.185.159.145 | Network activity  | AS                      | AS53831                                            |
| Shodan | 198.185.159.145 | Network activity  | domain                  | campaign-preferences.com                           |
| Shodan | 198.185.159.145 | Network activity  | domain                  | sqsp.net                                           |
| Shodan | 198.185.159.145 | Network activity  | domain                  | sqspcdn.com                                        |
| Shodan | 198.185.159.145 | Network activity  | domain                  | squarespace-mail.com                               |
| Shodan | 198.185.159.145 | Network activity  | domain                  | squarespace.com                                    |
| Shodan | 198.185.159.145 | Network activity  | hostname                | cdn1.1.sqspcdn.com                                 |
| Shodan | 198.185.159.145 | Network activity  | hostname                | engage.squarespace-mail.com                        |
| Shodan | 198.185.159.145 | Network activity  | hostname                | static1.1.sqspcdn.com                              |
| Shodan | 198.185.159.145 | Network activity  | hostname                | static1.2.sqspcdn.com                              |
| Shodan | 198.185.159.145 | Network activity  | hostname                | static2.1.sqspcdn.com                              |
| Shodan | 198.185.159.145 | Network activity  | ip-src                  | 198.185.159.145                                    |
| Shodan | 198.185.159.145 | Network activity  | x509-fingerprint-sha1   | e0acde08badb08ae9930936e26bc713100a1d57e           |
| Shodan | 198.185.159.145 | Network activity  | x509-fingerprint-sha256 | b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236 |
|        |                 |                   |                         | 7541bd7d93b5cf                                     |
| Shodan | 198.49.23.144   | Network activity  | AS                      | AS53831                                            |
| Shodan | 198.49.23.144   | Network activity  | domain                  | campaign-preferences.com                           |
| Shodan | 198.49.23.144   | Network activity  | domain                  | sqsp.net                                           |
| Shodan | 198.49.23.144   | Network activity  | domain                  | sqspcdn.com                                        |
| Shodan | 198.49.23.144   | Network activity  | domain                  | squarespace-mail.com                               |
| Shodan | 198.49.23.144   | Network activity  | domain                  | squarespace.com                                    |
| Shodan | 198.49.23.144   | Network activity  | hostname                | cdn1.1.sqspcdn.com                                 |
| Shodan | 198.49.23.144   | Network activity  | hostname                | engage.squarespace-mail.com                        |
| Shodan | 198.49.23.144   | Network activity  | hostname                | static1.1.sqspcdn.com                              |
| Shodan | 198.49.23.144   | Network activity  | hostname                | static1.2.sqspcdn.com                              |
| Shodan | 198.49.23.144   | Network activity  | hostname                | static2.1.sqspcdn.com                              |
| Shodan | 198.49.23.144   | Network activity  | ip-src                  | 198.49.23.144                                      |
| Shodan | 198.49.23.144   | Network activity  | x509-fingerprint-sha1   | e0acde08badb08ae9930936e26bc713100a1d57e           |
| Shodan | 198.49.23.144   | Network activity  | x509-fingerprint-sha256 | b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236 |
|        |                 |                   |                         | 7541bd7d93b5cf                                     |
| Shodan | 198.49.23.145   | Network activity  | AS                      | AS53831                                            |
| Shodan | 198.49.23.145   | Network activity  | domain                  | campaign-preferences.com                           |
| Shodan | 198.49.23.145   | Network activity  | domain                  | sqsp.net                                           |
| Shodan | 198.49.23.145   | Network activity  | domain                  | sqspcdn.com                                        |
| Shodan | 198.49.23.145   | Network activity  | domain                  | squarespace-mail.com                               |
| Shodan | 198.49.23.145   | Network activity  | domain                  | squarespace.com                                    |
| Shodan | 198.49.23.145   | Network activity  | hostname                | cdn1.1.sqspcdn.com                                 |
| Shodan | 198.49.23.145   | Network activity  | hostname                | engage.squarespace-mail.com                        |
| Shodan | 198.49.23.145   | Network activity  | hostname                | static1.1.sqspcdn.com                              |
| Shodan | 198.49.23.145   | Network activity  | hostname                | static1.2.sqspcdn.com                              |
| Shodan | 198.49.23.145   | Network activity  | hostname                | static2.1.sqspcdn.com                              |
| Shodan | 198.49.23.145   | Network activity  | ip-src                  | 198.49.23.145                                      |
| Shodan | 198.49.23.145   | Network activity  | x509-fingerprint-sha1   | e0acde08badb08ae9930936e26bc713100a1d57e           |
| Shodan | 198.49.23.145   | Network activity  | x509-fingerprint-sha256 | b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236 |
|        |                 |                   |                         | 7541bd7d93b5cf                                     |
| Shodan | 199.188.200.96  | Network activity  | AS                      | AS22612                                            |
| Shodan | 199.188.200.96  | Network activity  | domain                  | web-hosting.com                                    |
| Shodan | 199.188.200.96  | Network activity  | hostname                | server247-4.web-hosting.com                        |
| Shodan | 199.188.200.96  | Network activity  | x509-fingerprint-sha1   | 02db451c9a07018198d21b3372f90ae8094db291           |
| Shodan | 199.188.200.96  | Network activity  | x509-fingerprint-sha256 | 8e27b911c83499ee5d010e179fee08846da6f444e6f9a84bed |
|        |                 |                   |                         | 504f20ee423120                                     |
| Shodan | 199.59.243.222  | Network activity  | AS                      | AS16509                                            |
| Shodan | 199.59.243.222  | Network activity  | ip-src                  | 199.59.243.222                                     |
| Shodan | 199.59.243.222  | Network activity  | x509-fingerprint-sha1   | 5cc899fcdffdb78fdc35e29f22ce47caeb574c19           |
| Shodan | 199.59.243.222  | Network activity  | x509-fingerprint-sha256 | 6a1bb309aa4dde8d590e9b1200dd9981dab62536ed0d8421e9 |
|        |                 |                   |                         | 0c6a67a8b9bc62                                     |
| Shodan | 50.116.17.41    | Network activity  | AS                      | AS63949                                            |
| Shodan | 50.116.17.41    | Network activity  | domain                  | linode.com                                         |
| Shodan | 50.116.17.41    | Network activity  | hostname                | li601-41.members.linode.com                        |
| Shodan | 50.116.17.41    | Network activity  | x509-fingerprint-sha1   | 306654bab3f48527a550b23c2b7a2d9431fc2ff8           |
| Shodan | 50.116.17.41    | Network activity  | x509-fingerprint-sha256 | 70435e54dd434ae295a76cd0bb98375c7162e66c69a7b92bf7 |
|        |                 |                   |                         | 9cfe29bff32ad5                                     |
| Shodan | 91.195.240.117  | Network activity  | AS                      | AS47846                                            |
| Shodan | 91.195.240.117  | Network activity  | ip-src                  | 91.195.240.117                                     |
+--------+-----------------+-------------------+-------------------------+----------------------------------------------------+

ER:8 Enrich with information from URLhaus

If the URLhaus module is enabled in MISP modules you can now query URLhaus.

By default the playbook will query URLhaus for results related to the original domains you specified as input in the first section of the playbook. But you can extend this list via urlhaus_include_enrichment. Be aware that some attributes (such as IPs) can create a lot of additional attributes when the domain points to a shared hosting facility.

You can also ignore additional results returned by URLhaus with urlhaus_result_skip_category_type. This variable is a Python list containing a combination of MISP category and type (format: category/type) that you do not want to include the summary and event.

And finally you can also indicate if you want to keep the to_ids value set by the URLhaus module or always set it to False (urlhaus_to_ids). The latter is advised. If you set urlhaus_to_ids to True, then the playbook keeps the value returned by the URLhaus module.

# In addition to the domains, query URLhaus for the below enrichment values
# Beware of IPs pointing to hosting facilities.
#urlhaus_include_enrichment = []
urlhaus_include_enrichment = ["ip-src", "domain", "md5", "sha256"]

# Do not include category_type of the below returned by URLhaus. For some domains this can result a large result set
urlhaus_result_skip_category_type = ["Other/text", "Other/float", "Other/datetime", "Network activity/port", "External analysis/link"]

# to_ids: False: always set to False ; True: keep what's returned by the MISP module
urlhaus_to_ids = False

# Code block to query URLhaus
urlhaus_query = []
for domain in query_domain:
    if re.match(r"{}".format(regular_expressions["hostname"]), domain):
        urlhaus_query.append(domain)
for domain in playbook_results:
    for element in playbook_results[domain]:
        if element.get("type", False) in urlhaus_include_enrichment and len(element["enriched"]) > 0 and element["enriched"] not in urlhaus_query:
            urlhaus_query.append(element["enriched"])

# Code block to query URLHaus
module_name = "urlhaus"
module_source = "URLhaus"
if misp_modules[module_name]["enabled"] and len(urlhaus_query) > 0:
    for value in urlhaus_query:
        module_comment = "From {} for {}".format(module_source, value)
        attribute_type = False
        for expr in regular_expressions:
            if re.match(r"{}".format(regular_expressions[expr]), value):
                attribute_type = expr
                break

        if attribute_type in misp_modules[module_name]["input"]:
            data = {
                "attribute": {
                    "type": f"{attribute_type}",
                    "uuid": str(uuid.uuid4()),
                    "value": f"{value}",
                },
                "module": module_name,
            }
            print("Query \033[92m{}\033[90m as \033[92m{}\033[90m".format(value, attribute_type))
            result = requests.post("{}/query".format(misp_modules_url), headers=misp_modules_headers, json=data)
            if "results" in result.json() and len(result.json()["results"]) > 0:
                result_json = result.json()["results"]

                for misp_attribute in result_json.get("Attribute", []):
                    del misp_attribute["uuid"]
                    misp_attribute["comment"] = "{}{}".format(module_comment, misp_attribute.get("comment", ""))
                    if misp_attribute["to_ids"] == True and not urlhaus_to_ids:
                        misp_attribute["to_ids"] = False
                    try:
                        created_attribute = misp.add_attribute(misp_event.uuid, misp_attribute, pythonify=True)
                        if not "errors" in created_attribute:
                            if value in case_objects:
                                misp.add_object_reference(case_objects[value].add_reference(created_attribute.uuid, "related-to"))
                            print(" Got {} {}".format(misp_attribute["type"], misp_attribute["value"]))
                            entry = {"source": module_source, "category": misp_attribute["category"], "type": misp_attribute["type"], "enriched": misp_attribute["value"]}
                            playbook_results = pb_add_enrichment(playbook_results, value, entry, "enriched", misp_attribute["value"])
                    except:
                        print(" Unable to add {} {} to MISP event".format(misp_attribute["type"], misp_attribute["value"]))

                for misp_object in result_json.get("Object", []):
                    del misp_object["uuid"]
                    misp_object["comment"] = "{}{}".format(module_comment, misp_object.get("comment", ""))
                    new_attribute_list = []
                    for attribute in misp_object.get("Attribute", []):
                        attribute["comment"] = module_comment
                        if attribute["to_ids"] == True and not urlhaus_to_ids:
                            attribute["to_ids"] = False
                        new_attribute_list.append(attribute)
                    misp_object["Attribute"] = new_attribute_list
                    created_object = misp.add_object(misp_event.uuid, misp_object, pythonify=True)
                    if not "errors" in created_object:
                        if value in case_objects:
                            misp.add_object_reference(case_objects[value].add_reference(created_object.uuid, "related-to"))

            print("Sleeping for {} seconds".format(misp_modules_wait))
            time.sleep(misp_modules_wait)
        else:
            print("Skipping \033[91m{}\033[90m. Not a valid query type ({}).".format(value, misp_modules[module_name]["input"]))

print("Finished URLhaus enrichment.\n\n")

Query qwepoi123098.com as hostname
Sleeping for 3 seconds
Query mikeylinehan.com as hostname
Sleeping for 3 seconds
Query 44d88612fea8a8f36de82e1278abb02f as md5
Sleeping for 3 seconds
Query 2b6282da522f1f51ee6e0ed5e37aa55a191d34ffbb3c287cb20d71ad2bf25b4b as sha256
Sleeping for 3 seconds
Query ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f126e8965d777fbf0 as sha256
Sleeping for 3 seconds
Query 51c93eda00d090aae0d3e211fb1679aa6456df7dc51a7cd45bf4d3b990b531c7 as sha256
Sleeping for 3 seconds
Query 69fb7b96d2da05f2aef88efc9e788ede343c9112ae164fe026e504449d56464e as sha256
Sleeping for 3 seconds
Query 86749d3e3233d7a75a618c98eac9f31f508aed4492849f65b907787b0bd1d047 as sha256
Sleeping for 3 seconds
Query 75d6289e33dbf05543f8a850e40c7bb3e3f8b9e2872015f8a7b09906aabb7b5e as sha256
Sleeping for 3 seconds
Query 5596dc862bd9aea2981ebe1f8a638557d1383ccd9a47c94c9610300325f94a0e as sha256
Sleeping for 3 seconds
Query 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4 as sha256
Sleeping for 3 seconds
Query c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f1294d260f220aea8 as sha256
Sleeping for 3 seconds
Query 103d93ab0996ed79df9184183fb63f3c37c2fbd0aa505174e29256ddf02208b5 as sha256
Sleeping for 3 seconds
Query linode.com as hostname
Sleeping for 3 seconds
Query www3iwebonline.com as hostname
Sleeping for 3 seconds
Query web-hosting.com as hostname
Sleeping for 3 seconds
Query 139.162.120.150 as ip-src
Sleeping for 3 seconds
Query 198.185.159.144 as ip-src
Sleeping for 3 seconds
Query sqsp.net as hostname
Sleeping for 3 seconds
Query squarespace.com as hostname
Sleeping for 3 seconds
Query sqspcdn.com as hostname
Sleeping for 3 seconds
Query squarespace-mail.com as hostname
Sleeping for 3 seconds
Query campaign-preferences.com as hostname
Sleeping for 3 seconds
Query 198.185.159.145 as ip-src
Sleeping for 3 seconds
Query 198.49.23.144 as ip-src
Sleeping for 3 seconds
Query 198.49.23.145 as ip-src
Sleeping for 3 seconds
Query 199.59.243.222 as ip-src
Sleeping for 3 seconds
Query 91.195.240.117 as ip-src
Sleeping for 3 seconds
Finished URLhaus enrichment.

URLhaus enrichment table

The results are now stored in playbook_results. Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

This table returns only those matches corresponding with the source URLhaus.

# Put the correlations in a pretty table. We can use this table later also for the summary
table = PrettyTable()
table.field_names = ["Source", "Value", "Category", "Type", "Enriched"]
table.align["Value"] = "l"
table.align["Category"] = "l"
table.align["Type"] = "l"
table.align["Enriched"] = "l"
table._max_width = {"Enriched": 50}
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "URLhaus":
            table.add_row([match["source"], domain, match["category"], match["type"], match["enriched"]])
print(table.get_string(sortby="Value"))
table_urlhaus = table

+--------+-------+----------+------+----------+
| Source | Value | Category | Type | Enriched |
+--------+-------+----------+------+----------+
+--------+-------+----------+------+----------+

ER:9 Add screenshots from URLscan to playbook

This section displays the screenshots retrieved earlier from URLscan.

You can use the screenshots for a visual verification of the URLs without the need to visit them in a sandbox. All these screenshots are also added to the MISP event and link to the URL objects.

If you want to skip this step then don't execute the next cell. Not executing the cell has no negative impact on the progress of the playbook.

# Store the displayed results in a list. If you want to print them later you can just use this list
displayed = []
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "URLscan.io": 
            if "screenshot_name" in match:
                if match["screenshot"] not in displayed:
                    print("{} for {} at {}".format(match["screenshot_url"], domain, match.get("screenshot_time", "Unknown")))
                    display(Image(base64.b64decode(match["screenshot"]), width=240))
                    displayed.append(match["screenshot"])
                    print("\n")

http://qwepoi123098.com/ for qwepoi123098.com at 2023-04-26T13:52:44.555Z

https://qwepoi123098.com/ for qwepoi123098.com at 2023-04-26T02:27:22.838Z

http://qwepoi123098.com/ for qwepoi123098.com at 2023-03-29T21:54:44.992Z

https://www.mikeylinehan.com/ for mikeylinehan.com at 2019-01-18T08:05:55.338Z

http://mikeylinehan.com/ for mikeylinehan.com at 2018-03-09T09:39:05.105Z

http://mikeylinehan.com/kjdfhg874 for mikeylinehan.com at 2018-03-09T09:37:29.736Z

http://mikeylinehan.com/kjdfhg874 for mikeylinehan.com at 2018-01-14T05:06:53.045Z

ER:10 Review and export final MISP event graph

Once the object relations have been added you can also display them on a graph, similar as we did in an earlier cell. Head over again to MISP and use the Event graph tab. This allows you to visually represent the objects, attributes and relations. Did you know you can also export these graphs to JSON, JPEG, PNG or the dot format? Under the Export button you can choose to export type. It's also possible to save the graph so that when you re-visit the event you can immediately have access to the lay of the objects you picked earlier.

Access the graph via the API

Additionally, it's also possible to access these "saved" event graphs via the API. If you have a graph, you can access them via /event_graph/viewPicture/<mispevent_id>/<misp_eventgraph_id>.

First, save a graph in the MISP interface under Event graph and then execute the next cell. Don't worry if you don't want to save the graph right away, the playbook will catch the error and continue without it.

# Start with the first MISP Event graph
misp_eventgraph_id = 10

# We use the requests library and need to set the headers
misp_headers = {"Authorization": misp_key,  "Content-Type": "application/json", "Accept": "application/json"}
event_graph = requests.get("{}/event_graph/viewPicture/{}/{}".format(misp_url, misp_event.id, misp_eventgraph_id), headers=misp_headers, verify=misp_verifycert)
if event_graph.status_code == 200:
    display(Image(event_graph.content, width=480))
else:
    print("Event \033[91mgraph not found\033[90m. Continue with the playbook.\n\n")

Closure

In this closure or end step we create a summary of the actions that were performed by the playbook. The summary is printed in the playbook and can also be send to a chat channel.

EN:1 MISP indicators

The next section first queries MISP for the indicators added to the MISP event that is linked to the execution of this playbook.

The indicators are stored in the variable indicator_table (table format) and indicator_raw_list (in raw format) which is used in a later section to create the playbook summary.

# Get all the indicators for our event and store this is in a table. We can also use this for the summary.
indicator_search = misp.search("attributes", uuid=misp_event.uuid, to_ids=True, pythonify=True)
indicator_raw_list = []
indicator_table = PrettyTable()
if len(indicator_search) > 0:
    indicator_table.field_names = ["Type", "Category", "Indicator", "Comment"]
    indicator_table.align["Type"] = "l"
    indicator_table.align["Category"] = "l"
    indicator_table.align["Indicator"] = "l"
    indicator_table.align["Comment"] = "l"
    indicator_table.border = True
    for indicator in indicator_search:
        if indicator.value not in indicator_raw_list:
            indicator_table.add_row([indicator.type, indicator.category, indicator.value, indicator.comment])
            indicator_raw_list.append(indicator.value)
    print("Got \033[92m{}\033[90m indicator(s) from the event \033[92m{}\033[90m ({}).\n\n".format(len(indicator_raw_list), misp_event.info, misp_event.id))
else:
    print("\033[93mNo indicators found in the event \033[92m{}\033[90m ({})".format(misp_event.info, misp_event.id))

Got 12 indicator(s) from the event Domain reputation investigation for qwepoi123098.com mikeylinehan.com (2653).

Raw list of MISP indicators

The indicators are now stored in indicator_search (as Python objects) and indicator_raw_list (in raw format, only the indicators). Execute the next cell to display them in a table format. The table is also included in the summary sent to Mattermost and TheHive.

if len(indicator_raw_list) > 0:
    print(indicator_table.get_string(sortby="Type"))
    print("\n\nIndicator list in raw format:")
    print("---------------------------------------------------")
    for el in indicator_raw_list:
        print("{}".format(el))
    print("---------------------------------------------------")

+--------+------------------+-----------------------------------+-----------------------------------------+
| Type   | Category         | Indicator                         | Comment                                 |
+--------+------------------+-----------------------------------+-----------------------------------------+
| domain | Network activity | mikeylinehan.com                  | Added by playbook                       |
| domain | Network activity | qwepoi123098.com                  | Added by playbook                       |
| ip-dst | Network activity | 104.194.215.229                   | From URLscan.io                         |
| ip-dst | Network activity | 198.185.159.144                   | From URLscan.io                         |
| ip-dst | Network activity | 199.188.200.96                    | From URLscan.io                         |
| ip-dst | Network activity | 50.116.17.41                      | From URLscan.io                         |
| md5    | Payload delivery | 44d88612fea8a8f36de82e1278abb02f  | Added as custom enrichment - EICAR hash |
| url    | Network activity | http://mikeylinehan.com/          | From URLscan.io                         |
| url    | Network activity | http://mikeylinehan.com/kjdfhg874 | From URLscan.io                         |
| url    | Network activity | http://qwepoi123098.com/          | From URLscan.io                         |
| url    | Network activity | https://qwepoi123098.com/         | From URLscan.io                         |
| url    | Network activity | https://www.mikeylinehan.com/     | From URLscan.io                         |
+--------+------------------+-----------------------------------+-----------------------------------------+


Indicator list in raw format:
---------------------------------------------------
qwepoi123098.com
mikeylinehan.com
http://qwepoi123098.com/
50.116.17.41
https://qwepoi123098.com/
104.194.215.229
https://www.mikeylinehan.com/
198.185.159.144
http://mikeylinehan.com/
199.188.200.96
http://mikeylinehan.com/kjdfhg874
44d88612fea8a8f36de82e1278abb02f
---------------------------------------------------

EN:2 Create the summary of the playbook

The next section creates a summary and stores the output in the variable summary in Markdown format. It also stores an intro text in the variable intro. These variables are later used when sending information to Mattermost or TheHive.

summary = "## MISP Playbook summary\nQuery domain reputation with MISP event: **{}** ({}/events/view/{}). ".format(misp_event.info, misp_url, misp_event.id)

summary_domains = ""
for domain in query_domain:
    summary_domains = "{}{} ".format(summary_domains, domain)
summary += "This concerned the investigation of domains **{}**\n\n".format(summary_domains)
intro = summary

summary += "### Indicators\n\n"
summary += "#### Indicators table\n\n"
if len(indicator_raw_list) > 0:
    indicator_table.set_style(MARKDOWN)
    summary += indicator_table.get_string(sortby="Type")
    summary += "\n\n\n" 
    summary += "#### Indicators in **raw format**\n\n"
    for indicator in indicator_raw_list:
        summary += "{}\n\n".format(indicator)
    summary += "\n" 
else:
    summary += "There are no indicators"
summary += "\n\n"

summary += "### Correlations\n\n"
summary += "#### MISP event matches\n\n"
table_mispevents.set_style(MARKDOWN)
summary += table_mispevents.get_string()
summary += "\n\n"

summary += "#### MISP feed matches\n\n"
table_mispfeeds.set_style(MARKDOWN)
summary += table_mispfeeds.get_string()
summary += "\n\n"

summary += "### Enrichment\n\n"
summary += "#### URLscan\n\n"
table_urlscan.set_style(MARKDOWN)
summary += table_urlscan.get_string()
summary += "\n\n"

summary_second = "## MISP Playbook summary\nQuery domain reputation with MISP event: **{}** ({}/events/view/{}) (continuation). ".format(misp_event.info, misp_url, misp_event.id)
# Some tables are optional, if previous cells are skipped
if table_dns:
    summary += "#### DNS\n\n"
    table_dns.set_style(MARKDOWN)
    summary += table_dns.get_string()
    summary += "\n\n"
    
if table_abuse:
    summary += "#### Abuse information\n\n"
    table_abuse.set_style(MARKDOWN)
    summary += table_abuse.get_string()
    summary += "\n\n"    
    
if table_customentries:
    summary += "#### Custom enrichment information\n\n"
    table_customentries.set_style(MARKDOWN)
    summary += table_customentries.get_string()
    summary += "\n\n" 
    
if table_virustotal:
    summary += "#### VirusTotal\n\n"
    table_virustotal.set_style(MARKDOWN)
    summary += table_virustotal.get_string()
    summary += "\n\n"

if table_shodan:
    summary += "#### Shodan\n\n"
    table_shodan.set_style(MARKDOWN)
    summary += table_shodan.get_string()
    summary += "\n\n"

if table_urlhaus:
    summary += "#### URLhaus\n\n"
    table_urlhaus.set_style(MARKDOWN)
    summary += table_urlhaus.get_string()
    summary += "\n\n"

summary += "### Screenshots via URLscan\n\n"
summary_urls = []
for domain in playbook_results:
    for match in playbook_results[domain]:
        if match["source"] == "URLscan.io": 
            if "screenshot_name" in match:
                summary_urls.append({"image_url": match["screenshot_urlscan"]})
                summary += "- {}\n".format(match["screenshot_urlscan"])
summary += "\n\n"

print("The \033[92msummary\033[90m of the playbook is available.\n")

The summary of the playbook is available.

Print the summary

display_markdown(summary, raw=True)

MISP Playbook summary

Query domain reputation with MISP event: Domain reputation investigation for qwepoi123098.com mikeylinehan.com (https://misp.demo.cudeso.be//events/view/2653). This concerned the investigation of domains **qwepoi123098.com mikeylinehan.com **

Indicators

Indicators table

Type	Category	Indicator	Comment
domain	Network activity	mikeylinehan.com	Added by playbook
domain	Network activity	qwepoi123098.com	Added by playbook
ip-dst	Network activity	104.194.215.229	From URLscan.io
ip-dst	Network activity	198.185.159.144	From URLscan.io
ip-dst	Network activity	199.188.200.96	From URLscan.io
ip-dst	Network activity	50.116.17.41	From URLscan.io
md5	Payload delivery	44d88612fea8a8f36de82e1278abb02f	Added as custom enrichment - EICAR hash
url	Network activity	http://mikeylinehan.com/	From URLscan.io
url	Network activity	http://mikeylinehan.com/kjdfhg874	From URLscan.io
url	Network activity	http://qwepoi123098.com/	From URLscan.io
url	Network activity	https://qwepoi123098.com/	From URLscan.io
url	Network activity	https://www.mikeylinehan.com/	From URLscan.io

Indicators in raw format

qwepoi123098.com

mikeylinehan.com

http://qwepoi123098.com/

50.116.17.41

https://qwepoi123098.com/

104.194.215.229

https://www.mikeylinehan.com/

198.185.159.144

http://mikeylinehan.com/

199.188.200.96

http://mikeylinehan.com/kjdfhg874

44d88612fea8a8f36de82e1278abb02f

Correlations

MISP event matches

Source	Value	Category	Type	Event	Event ID
MISP	qwepoi123098.com	Network activity	domain	CrowdStrike Falcon Platform Detects and Prevents	2540
				Active Intrusion Campaign Targeting 3CXDesktopApp
				Customers
MISP	mikeylinehan.com	Network activity	hostname	M2M - GlobeImposter "..doc" 2018-01-12 : "Unpaid	2051
				invoice " - "1234567.7z"

MISP feed matches

Source	Value	Feed	URL
Feeds	mikeylinehan.com	CIRCL OSINT Feed	https://misp.demo.cudeso.be/feeds/previewEvent/1/5a607314-de88-4309-ba06-c4a9950d210f

Enrichment

URLscan

Source	Value	Category	Type	Enriched
URLscan.io	qwepoi123098.com	Network activity	url	http://qwepoi123098.com/
URLscan.io	qwepoi123098.com	Network activity	ip-dst	50.116.17.41
URLscan.io	qwepoi123098.com		screenshot	screenshot-qwepoi123098.com-0ebce94f-7291-4067-99e
				1-049c29992008.png for http://qwepoi123098.com/
URLscan.io	qwepoi123098.com	Other	umbrellaRank	468477
URLscan.io	qwepoi123098.com	Network activity	url	https://qwepoi123098.com/
URLscan.io	qwepoi123098.com		screenshot	screenshot-qwepoi123098.com-
				bb24693a-59f8-4e77-a939-9eca17126484.png for
				https://qwepoi123098.com/
URLscan.io	qwepoi123098.com	Other	umbrellaRank	752465
URLscan.io	qwepoi123098.com	Network activity	ip-dst	104.194.215.229
URLscan.io	qwepoi123098.com		screenshot	screenshot-qwepoi123098.com-b3402713-fa1e-4e47-a16
				c-624c0450aa8a.png for http://qwepoi123098.com/
URLscan.io	qwepoi123098.com	Other	server	Microsoft-HTTPAPI/2.0
URLscan.io	mikeylinehan.com	Network activity	url	https://www.mikeylinehan.com/
URLscan.io	mikeylinehan.com	Network activity	ip-dst	198.185.159.144
URLscan.io	mikeylinehan.com		screenshot	screenshot-mikeylinehan.com-
				aabf1a98-03f6-497b-a5de-9b6a74f35854.png for
				https://www.mikeylinehan.com/
URLscan.io	mikeylinehan.com	Network activity	url	http://mikeylinehan.com/
URLscan.io	mikeylinehan.com	Network activity	ip-dst	199.188.200.96
URLscan.io	mikeylinehan.com		screenshot	screenshot-mikeylinehan.com-5078b872-1baa-41be-a2d
				4-55d097ebc0ef.png for http://mikeylinehan.com/
URLscan.io	mikeylinehan.com	Other	server	Apache
URLscan.io	mikeylinehan.com	Network activity	url	http://mikeylinehan.com/kjdfhg874
URLscan.io	mikeylinehan.com		screenshot	screenshot-mikeylinehan.com-f2ec917b-e9be-4497-a4e
				b-a55401dd1a2a.png for
				http://mikeylinehan.com/kjdfhg874
URLscan.io	mikeylinehan.com		screenshot	screenshot-mikeylinehan.com-083df698-5833-403d-86c
				9-c831d88efd79.png for
				http://mikeylinehan.com/kjdfhg874

DNS

Source	Value	Category	Type	Enriched
DNS	mikeylinehan.com	Network activity	ip-dst	50.116.17.41

Abuse information

Source	Value	Category	Type	Enriched
abuse_finder	qwepoi123098.com	Attribution	whois-registrant-name	NameCheap, Inc.
abuse_finder	qwepoi123098.com	Attribution	whois-registrant-email	abuse@namecheap.com
abuse_finder	50.116.17.41	Attribution	whois-registrant-name	Akamai Technologies, Inc.
abuse_finder	50.116.17.41	Attribution	whois-registrant-name	Linode
abuse_finder	50.116.17.41	Attribution	whois-registrant-email	abuse@akamai.com
abuse_finder	50.116.17.41	Attribution	whois-registrant-email	abuse@linode.com

Custom enrichment information

Source	Value	Category	Type	Enriched
Custom	qwepoi123098.com	Payload delivery	md5	44d88612fea8a8f36de82e1278abb02f

VirusTotal

Source	Value	Category	Type	Enriched
VirusTotal	qwepoi123098.com	Payload delivery	sha256	2b6282da522f1f51ee6e0ed5e37aa55a191d34ffbb3c287cb2
				0d71ad2bf25b4b
VirusTotal	qwepoi123098.com	Payload delivery	sha256	ce7127c38e30e92a021ed2bd09287713c6a923db9ffdb43f12
				6e8965d777fbf0
VirusTotal	qwepoi123098.com	Other	whois	Administrative city: Reykjavik
				Administrative country: Iceland
				Administrative email:
				3ff625069fc77a81s@withheldforprivacy.com
				Administrative state: Capital Region
				Create date: 2022-11-17 00:00:00
				Domain name: qwepoi123098.com
				Domain registrar id: 1068
				Domain registrar url: http://www.namecheap.com
				Expiry date: 2023-11-17 00:00:00
				Name server 1: dns1.registrar-servers.com
				Name server 2: dns2.registrar-servers.com
				Query time: 2022-11-19 01:25:51
				Registrant city: ddbf76e4e8cee320
				Registrant company: 4b7a0912c26a13e2
				Registrant country: Iceland
				Registrant email:
				3ff625069fc77a81s@withheldforprivacy.com
				Registrant name: 37bfbc24cafea5d2
				Registrant phone: fc40cd552aeaa6b8
				Registrant state: 3e0204199d8ebf9c
				Registrant zip: f206c9d9737ad45d
				Technical city: Reykjavik
				Technical country: Iceland
				Technical email:
				3ff625069fc77a81s@withheldforprivacy.com
				Technical state: Capital Region
				Update date: 2022-11-17 00:00:00
VirusTotal	qwepoi123098.com	Network activity	ip-dst	139.162.120.150
VirusTotal	qwepoi123098.com	Network activity	ip-dst	146.70.87.109
VirusTotal	mikeylinehan.com	Payload delivery	sha256	51c93eda00d090aae0d3e211fb1679aa6456df7dc51a7cd45b
				f4d3b990b531c7
VirusTotal	mikeylinehan.com	Payload delivery	sha256	69fb7b96d2da05f2aef88efc9e788ede343c9112ae164fe026
				e504449d56464e
VirusTotal	mikeylinehan.com	Payload delivery	sha256	86749d3e3233d7a75a618c98eac9f31f508aed4492849f65b9
				07787b0bd1d047
VirusTotal	mikeylinehan.com	Payload delivery	sha256	75d6289e33dbf05543f8a850e40c7bb3e3f8b9e2872015f8a7
				b09906aabb7b5e
VirusTotal	mikeylinehan.com	Payload delivery	sha256	5596dc862bd9aea2981ebe1f8a638557d1383ccd9a47c94c96
				10300325f94a0e
VirusTotal	mikeylinehan.com	Payload delivery	sha256	77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1
				112a4e670c97d4
VirusTotal	mikeylinehan.com	Payload delivery	sha256	c45ef4a35047e14d8eaf54cab44a432be18e93915ac26a2f12
				94d260f220aea8
VirusTotal	mikeylinehan.com	Payload delivery	sha256	103d93ab0996ed79df9184183fb63f3c37c2fbd0aa505174e2
				9256ddf02208b5
VirusTotal	mikeylinehan.com	Other	whois	Administrative city: Tempe
				Administrative country: United States
				Administrative state: Arizona
				Create date: 2022-12-07 00:00:00
				Domain name: mikeylinehan.com
				Domain registrar id: 146
				Domain registrar url: https://www.godaddy.com
				Expiry date: 2023-12-07 00:00:00
				Name server 1: ns2.bodis.com
				Name server 2: ns3.bd-verify-gu7sqsxf6r.com
				Name server 3: ns1.bodis.com
				Query time: 2022-12-09 01:17:50
				Registrant city: a7319ae5e6c95df5
				Registrant company: 7f270b624abce87e
				Registrant country: United States
				Registrant email: 501c8f3031df1b66s@
				Registrant fax: 73632f3e7db2cc41
				Registrant name: 80315b2e6ac1a801
				Registrant phone: b03d5abc696b79f6
				Registrant state: 30bdd2917a604c83
				Registrant zip: 052e5bd148f904f9
				Technical city: Tempe
				Technical country: United States
				Technical state: Arizona
				Update date: 2022-12-07 00:00:00
VirusTotal	mikeylinehan.com	Network activity	ip-dst	198.185.159.145
VirusTotal	mikeylinehan.com	Network activity	ip-dst	198.49.23.144
VirusTotal	mikeylinehan.com	Network activity	ip-dst	198.49.23.145
VirusTotal	mikeylinehan.com	Network activity	ip-dst	199.59.243.222
VirusTotal	mikeylinehan.com	Network activity	ip-dst	91.195.240.117
VirusTotal	50.116.17.41	Network activity	AS	63949
VirusTotal	50.116.17.41	Other	text	US
VirusTotal	50.116.17.41	Network activity	ip-dst	50.116.17.41
VirusTotal	104.194.215.229	Network activity	AS	8100
VirusTotal	104.194.215.229	Other	text	US
VirusTotal	104.194.215.229	Network activity	ip-dst	104.194.215.229
VirusTotal	199.188.200.96	Network activity	AS	22612
VirusTotal	199.188.200.96	Other	text	US
VirusTotal	199.188.200.96	Network activity	ip-dst	199.188.200.96

Shodan

Source	Value	Category	Type	Enriched
Shodan	50.116.17.41	Network activity	AS	AS63949
Shodan	50.116.17.41	Network activity	domain	linode.com
Shodan	50.116.17.41	Network activity	hostname	li601-41.members.linode.com
Shodan	50.116.17.41	Network activity	x509-fingerprint-sha256	70435e54dd434ae295a76cd0bb98375c7162e66c69a7b92bf7
				9cfe29bff32ad5
Shodan	50.116.17.41	Network activity	x509-fingerprint-sha1	306654bab3f48527a550b23c2b7a2d9431fc2ff8
Shodan	104.194.215.229	Network activity	AS	AS8100
Shodan	104.194.215.229	Network activity	domain	www3iwebonline.com
Shodan	104.194.215.229	Network activity	hostname	ntx5.www3iwebonline.com
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12528
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12529
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12520
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12521
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12522
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12523
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12524
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12525
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12526
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-31808
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2018-19132
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-15811
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-31807
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-28116
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2018-19131
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-8450
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-31806
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-18677
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-8517
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-25097
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2016-10002
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2016-10003
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-24606
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-18676
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-18678
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-18679
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-13345
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-18860
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-14058
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2019-12519
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-15810
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-46784
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-11945
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-28652
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-28651
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-15049
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2020-8449
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2021-33620
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2018-1000024
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2022-41318
Shodan	104.194.215.229	External analysis	vulnerability	CVE-2018-1000027
Shodan	199.188.200.96	Network activity	AS	AS22612
Shodan	199.188.200.96	Network activity	domain	web-hosting.com
Shodan	199.188.200.96	Network activity	hostname	server247-4.web-hosting.com
Shodan	199.188.200.96	Network activity	x509-fingerprint-sha256	8e27b911c83499ee5d010e179fee08846da6f444e6f9a84bed
				504f20ee423120
Shodan	199.188.200.96	Network activity	x509-fingerprint-sha1	02db451c9a07018198d21b3372f90ae8094db291
Shodan	139.162.120.150	Network activity	AS	AS63949
Shodan	139.162.120.150	Network activity	ip-src	139.162.120.150
Shodan	139.162.120.150	Network activity	domain	linode.com
Shodan	139.162.120.150	Network activity	hostname	li1604-150.members.linode.com
Shodan	198.185.159.144	Network activity	AS	AS53831
Shodan	198.185.159.144	Network activity	ip-src	198.185.159.144
Shodan	198.185.159.144	Network activity	domain	sqsp.net
Shodan	198.185.159.144	Network activity	domain	squarespace.com
Shodan	198.185.159.144	Network activity	domain	sqspcdn.com
Shodan	198.185.159.144	Network activity	domain	squarespace-mail.com
Shodan	198.185.159.144	Network activity	domain	campaign-preferences.com
Shodan	198.185.159.144	Network activity	hostname	static1.1.sqspcdn.com
Shodan	198.185.159.144	Network activity	hostname	engage.squarespace-mail.com
Shodan	198.185.159.144	Network activity	hostname	static2.1.sqspcdn.com
Shodan	198.185.159.144	Network activity	hostname	cdn1.1.sqspcdn.com
Shodan	198.185.159.144	Network activity	hostname	static1.2.sqspcdn.com
Shodan	198.185.159.144	Network activity	x509-fingerprint-sha256	b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236
				7541bd7d93b5cf
Shodan	198.185.159.144	Network activity	x509-fingerprint-sha1	e0acde08badb08ae9930936e26bc713100a1d57e
Shodan	198.185.159.145	Network activity	AS	AS53831
Shodan	198.185.159.145	Network activity	ip-src	198.185.159.145
Shodan	198.185.159.145	Network activity	domain	sqsp.net
Shodan	198.185.159.145	Network activity	domain	squarespace.com
Shodan	198.185.159.145	Network activity	domain	sqspcdn.com
Shodan	198.185.159.145	Network activity	domain	squarespace-mail.com
Shodan	198.185.159.145	Network activity	domain	campaign-preferences.com
Shodan	198.185.159.145	Network activity	hostname	static1.1.sqspcdn.com
Shodan	198.185.159.145	Network activity	hostname	engage.squarespace-mail.com
Shodan	198.185.159.145	Network activity	hostname	static2.1.sqspcdn.com
Shodan	198.185.159.145	Network activity	hostname	cdn1.1.sqspcdn.com
Shodan	198.185.159.145	Network activity	hostname	static1.2.sqspcdn.com
Shodan	198.185.159.145	Network activity	x509-fingerprint-sha256	b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236
				7541bd7d93b5cf
Shodan	198.185.159.145	Network activity	x509-fingerprint-sha1	e0acde08badb08ae9930936e26bc713100a1d57e
Shodan	198.49.23.144	Network activity	AS	AS53831
Shodan	198.49.23.144	Network activity	ip-src	198.49.23.144
Shodan	198.49.23.144	Network activity	domain	sqsp.net
Shodan	198.49.23.144	Network activity	domain	squarespace.com
Shodan	198.49.23.144	Network activity	domain	sqspcdn.com
Shodan	198.49.23.144	Network activity	domain	squarespace-mail.com
Shodan	198.49.23.144	Network activity	domain	campaign-preferences.com
Shodan	198.49.23.144	Network activity	hostname	static1.1.sqspcdn.com
Shodan	198.49.23.144	Network activity	hostname	engage.squarespace-mail.com
Shodan	198.49.23.144	Network activity	hostname	static2.1.sqspcdn.com
Shodan	198.49.23.144	Network activity	hostname	cdn1.1.sqspcdn.com
Shodan	198.49.23.144	Network activity	hostname	static1.2.sqspcdn.com
Shodan	198.49.23.144	Network activity	x509-fingerprint-sha256	b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236
				7541bd7d93b5cf
Shodan	198.49.23.144	Network activity	x509-fingerprint-sha1	e0acde08badb08ae9930936e26bc713100a1d57e
Shodan	198.49.23.145	Network activity	AS	AS53831
Shodan	198.49.23.145	Network activity	ip-src	198.49.23.145
Shodan	198.49.23.145	Network activity	domain	sqsp.net
Shodan	198.49.23.145	Network activity	domain	squarespace.com
Shodan	198.49.23.145	Network activity	domain	sqspcdn.com
Shodan	198.49.23.145	Network activity	domain	squarespace-mail.com
Shodan	198.49.23.145	Network activity	domain	campaign-preferences.com
Shodan	198.49.23.145	Network activity	hostname	static1.1.sqspcdn.com
Shodan	198.49.23.145	Network activity	hostname	engage.squarespace-mail.com
Shodan	198.49.23.145	Network activity	hostname	static2.1.sqspcdn.com
Shodan	198.49.23.145	Network activity	hostname	cdn1.1.sqspcdn.com
Shodan	198.49.23.145	Network activity	hostname	static1.2.sqspcdn.com
Shodan	198.49.23.145	Network activity	x509-fingerprint-sha256	b71e1567892a49c81404008fbfe4bab7f7c23428d3c2bdb236
				7541bd7d93b5cf
Shodan	198.49.23.145	Network activity	x509-fingerprint-sha1	e0acde08badb08ae9930936e26bc713100a1d57e
Shodan	199.59.243.222	Network activity	AS	AS16509
Shodan	199.59.243.222	Network activity	ip-src	199.59.243.222
Shodan	199.59.243.222	Network activity	x509-fingerprint-sha256	6a1bb309aa4dde8d590e9b1200dd9981dab62536ed0d8421e9
				0c6a67a8b9bc62
Shodan	199.59.243.222	Network activity	x509-fingerprint-sha1	5cc899fcdffdb78fdc35e29f22ce47caeb574c19
Shodan	91.195.240.117	Network activity	AS	AS47846
Shodan	91.195.240.117	Network activity	ip-src	91.195.240.117

URLhaus

Source	Value	Category	Type	Enriched

Screenshots via URLscan

• https://urlscan.io/screenshots/0ebce94f-7291-4067-99e1-049c29992008.png
• https://urlscan.io/screenshots/bb24693a-59f8-4e77-a939-9eca17126484.png
• https://urlscan.io/screenshots/b3402713-fa1e-4e47-a16c-624c0450aa8a.png
• https://urlscan.io/screenshots/aabf1a98-03f6-497b-a5de-9b6a74f35854.png
• https://urlscan.io/screenshots/5078b872-1baa-41be-a2d4-55d097ebc0ef.png
• https://urlscan.io/screenshots/f2ec917b-e9be-4497-a4eb-a55401dd1a2a.png
• https://urlscan.io/screenshots/083df698-5833-403d-86c9-c831d88efd79.png

EN:3 Send a summary to Mattermost

Now you can send the summary to Mattermost. You can send the summary in two ways by selecting one of the options for the variable send_to_mattermost_option in the next cell.

• The default option where the entire summary is in the chat, or
• a short intro and the summary in a card

For this playbook we rely on a webhook in Mattermost. You can add a webhook by choosing the gear icon in Mattermost, then choose Integrations and then Incoming Webhooks. Set a channel for the webhook and lock the webhook to this channel with "Lock to this channel".

send_to_mattermost_option = "via a chat message"
#send_to_mattermost_option = "via a chat message with card"

# Set a bit below maximum size for message length https://docs.mattermost.com/upgrade/important-upgrade-notes.html
mattermost_max_length = 16300

message = False
lines = textwrap.wrap(summary, mattermost_max_length,  fix_sentence_endings=True, replace_whitespace=False)
line_count = 0
for line in lines:
    if send_to_mattermost_option == "via a chat message":
        message = {"username": mattermost_playbook_user, "text": line}
    elif send_to_mattermost_option == "via a chat message with card":
        message = {"username": mattermost_playbook_user, "text": intro, "props": {"card": line}}
    if message:
        r = requests.post(mattermost_hook, data=json.dumps(message))
        r.raise_for_status()
    if message and r.status_code == 200:
        print("Summary {} of {} is \033[92msent to Mattermost\033[90m.".format(line_count, len(lines) - 1))
        line_count += 1
    else:
        print("\033[91mFailed to sent summary\033[90m to Mattermost.\n")

if len(summary_urls) > 0:        
    message = {"username": mattermost_playbook_user, "text": "Screenshots", "attachments": summary_urls}
    if message:
        r = requests.post(mattermost_hook, data=json.dumps(message))
        r.raise_for_status()
    if message and r.status_code == 200:
        print("Screenshots are \033[92msent to Mattermost\033[90m.\n")
    else:
        print("\033[91mFailed to sent screenshots \033[90m to Mattermost.\n")    

Summary 0 of 2 is sent to Mattermost.
Summary 1 of 2 is sent to Mattermost.
Summary 2 of 2 is sent to Mattermost.
Screenshots are sent to Mattermost.

EN:4 Send an alert to TheHive

Next to informing your colleagues via Mattermost you can also send an alert to TheHive. The alert contains the summary, and a list of indicators as 'observables'.

You can change the alert title with thehive_alert_title and provide a reference type with thehive_alert_reference. Note that this reference needs to be unique in TheHive. If you want to create multiple alerts for the same MISP event then add some random value at the end.

# The title of the TheHive alert
thehive_alert_title = "MISP Playbook Summary"

# A unique reference for the TheHive (we include the MISP event UUID)
thehive_alert_reference = "MISP event - {} - {}".format(misp_event.info, misp_event.uuid)

# Alert type in TheHive
thehive_alert_type = "MISP Playbook alert"

# TLP:Amber for TheHive
thehive_tlp = 2

# PAP:GREEN for TheHive
thehive_pap = 1

# Code block to send an alert to TheHive
# We use the Python requests library
thehive_headers = {'Content-Type': 'application/json', 'Authorization': f'Bearer {thehive_key}'}
thehive_url_create = "{}/api/v1/alert".format(thehive_url)

thehive_observables = []
for indicator in indicator_search:
    dataType = False
    if indicator.type == "ip-src" or indicator.type == "ip-dst":
        dataType = "ip"
    elif indicator.type == "url":
        dataType = "url"
    elif indicator.type == "hostname":
        dataType = "hostname"        
    elif indicator.type == "email-dst" or indicator.type == "email-src":        
        dataType = "mail"
    if dataType:
        thehive_observables.append({"dataType": dataType, "data": indicator.value, "pap": thehive_pap, "tlp": thehive_tlp})
thehive_alert = {"title": thehive_alert_title, 
                 "description": intro,
                 "summary": summary[0:1048576],
                 "type": thehive_alert_type, 
                 "source": "playbook", 
                 "sourceRef": thehive_alert_reference, 
                 "tlp": thehive_tlp, "pap": thehive_pap,
                 "observables": thehive_observables}

result = requests.post(thehive_url_create, headers=thehive_headers, data=json.dumps(thehive_alert))
if result.json()['status'] == 'New':
    thehive_alert_id = result.json()['_id']
    print('The TheHive \033[92malert {} is added'.format(thehive_alert_id))
else:
    print('\033[91mFailed\033[90m to add TheHive alert')
    print(result.text)

The TheHive alert ~41029736 is added

EN:5 Publish MISP event

As a final step, you can choose the publish the MISP event.

Remaining workflow todo's

This step will remove the workflow states incomplete, add a workflow state complete and then publish the event.

The playbook will also remove the workflow todo tags. If you have not addressed them yet then now might be a good time to do that before publishing the event.

Publish

Publishing MISP events makes the event available to your users and, depending on the synchronisation and distribution rules, will also sync it with other connected MISP servers. Publishing an event also typically makes the indicators available for your security controls to import them in their ruleset.

try:
    misp.untag(misp_event.uuid, "workflow:state=\"incomplete\"")
    misp.untag(misp_event.uuid, "workflow:todo=\"review-for-privacy\"")    
    misp.untag(misp_event.uuid, "workflow:todo=\"review-for-false-positive\"")        
    misp.tag(misp_event.uuid, "workflow:state=\"complete\"", local=True)
    print("Removed workflow todo tags and removed incomplete tag. Added complete tag.")
    misp.publish(misp_event.uuid)
    print("Event {} ({} - {}) is \033[92mpublished.\n".format(misp_event.info, misp_event.id, misp_event.uuid))
except:
    print("\033[91mFailed to publish\033[90m event {} ({} - {}).\n".format(misp_event.info, misp_event.id, misp_event.uuid))

Something went wrong (405): {'name': 'Could not remove tag as it is not attached to the target Event', 'message': 'Could not remove tag as it is not attached to the target Event', 'url': '/tags/removeTagFromObject'}
Something went wrong (405): {'name': 'Could not remove tag as it is not attached to the target Event', 'message': 'Could not remove tag as it is not attached to the target Event', 'url': '/tags/removeTagFromObject'}

Removed workflow todo tags and removed incomplete tag. Added complete tag.
Event Domain reputation investigation for qwepoi123098.com mikeylinehan.com (2653 - d8a4e911-6d65-4076-b563-76dcdf4ce0cf) is published.

EN:6 End of the playbook

print("\033[92m End of the playbook")

 End of the playbook

External references

• The MISP Project

• Mattermost

• TheHive

• OSINT domain name investigations

Technical details

Documentation

This playbook requires these Python libraries to exist in the environment where the playbook is executed. You can install them with pip install <library>.

pyfaup
chardet
PrettyTable
ipywidgets
mattermostdriver

You need to have network access to

• your MISP server (HTTP or HTTPS)
• to your Mattermostand TheHive server
• to the website of URLscan.io, VirusTotal, Shodan and URLhaus (HTTPS)

These MISP modules need to be enabled

• dns
• virustotal_public
• shodan
• urlhaus

You need

• an API key with MISP
• • Under Global Actions, My Profile. Add an extra authentication key.
• • Add the API key (misp_key) and the MISP URL (misp_url) to keys.py
• • If you use a self-signed certificate set misp_verifycert to False
• an API key with URLscan.io
• • Click on your username (upper right corner), select Settings & API and Create a new API key.
• • Add the API key (urlscan_apikey) to keys.py. Leave urlscan_url to https://urlscan.io/api/v1/search
• an API key with VirusTotal
• • Click on your username (upper right corner), select API key.
• • Add the API key (virustotal_apikey) to keys.py.
• an API key with Shodan
• • Click on your Shodan (upper left corner), click on Account.
• • Add the API key (shodan_apikey) to keys.py.
• an incoming webhook in your Mattermost server
• • Set this up under Integrations, Incoming Webhooks. Set as default channel your SOC/CSIRT team channel. For additional protection, lock the webhook so that the incoming webhook can post only to the selected channel.
• • Add the webhook to mattermost_hook. It is displayed under 'integrations/incoming_webhooks' and set a username under mattermost_playbook_user
• an API key with your TheHive server
• • Click on your username (upper right corner), Settings and then API key
• • Make sure that your user has 'manageAlert/create' privileges
• • Add the API key (thehive_key) to keys.py and add the URL to TheHive (thehive_url)

Helper functions

pb_get_misp_tags

def pb_get_misp_tags(tags=[], local_tags=[]):
    '''
    Get a list of MISP tags based on a Python list

    :param misp: MISP object
    :param object_template: which object template to return
    '''

pb_add_enrichment

def pb_add_enrichment(playbook_results, field, entry, key, value):
    '''
    Add an enrichment (or correlation) entry but first check that the value is not already there
    
    : param playbook_results: all the enrichment results
    : param field
    : param entry
    : param key
    : param value
    '''

Colour codes

The output from Python displays some text in different colours. These are the colour codes

Red = '\033[91m'
Green = '\033[92m'
Blue = '\033[94m'
Cyan = '\033[96m'
White = '\033[97m'
Yellow = '\033[93m'
Magenta = '\033[95m'
Grey = '\033[90m'
Black = '\033[90m'
Default = '\033[99m'