New Tool Release: GoatRider - OTX, Artillery, and Alexa lookups

Binary Defense

During incident response practices, you may need to look up some abnormal activity very quickly. While using feeds such as Artillery and OTX is far from a bulletproof method, these feeds can quickly help identify known C2 or malicious IPs or hostnames. The purpose of GoatRider is to make it simple to look through multiple sources quickly and determine if there's anything abnormal in a hostname or IP address list.

What you need (one or the other):

- A file that contains 1 or many IP addresses
- A file that contains 1 or many hostnames

What GoatRider will do:

- Import the IP addresses file and convert them to hostnames
- Import the hostnames file and convert them to IP addresses

Then GoatRider will go out to the Artillery banlist feeds, TOR exit nodes, and OTX and compare them against the IP addresses to see if there are any hits. It will then automatically download the Alexa top 1 million sites and compare them against the hostnames. If a hostname does not appear in the 1M, it will let you know.

Here's goatrider in action.

Scenario: You have a list of egress IP addresses (outbound IP addresses) from your network. The file contains 50,000 IP addresses in the following format:

ip1
ip2
ip3
ip4
etc.

You run goatrider:

root@stronghold:/home/relik/Desktop/git/goatrider# python goatrider.py moo.txt
[*] This part might take a bit... Converting hostnames to IPs or IPs to hostnames. Be patient...
[*] Checking Alexa, Artillery, TOR, and OTX...
ARTILLERY_BANLIST_HIT_IP: 1.93.51.221

Same for Alexa hits; let's say you pull your DNS query logs from your DNS servers:

root@stronghold:/home/relik/Desktop/git/goatrider# python goatrider.py moo.txt
[*] This part might take a bit... Converting hostnames to IPs or IPs to hostnames. Be patient...
[*] Checking Alexa, Artillery, TOR, and OTX...
ALEXA_NOT_FOUND_HIT_HOST: woawoagoatsgoatseverywhere.com

Again, this isn't the end-all-be-all for identifying threats, but it is a quick way of going through things to try and find malicious activity in your network.

You can get goatrider here: GoatRider Github Page

Enjoy!
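The feed-comparison step the post describes, as an added example written for this page and not code from the GoatRider project. The feed contents are constructed placeholders standing in for the live Artillery, TOR, OTX and Alexa downloads; the TOR_EXIT_NODE_HIT_IP and OTX_HIT_* labels are assumed (only ARTILLERY_BANLIST_HIT_IP and ALEXA_NOT_FOUND_HIT_HOST appear in the post), and the Alexa check matches parent domains, since the Alexa list holds registered domains rather than full hostnames pulled from DNS logs.

```python
import ipaddress

# Constructed sample feeds standing in for the live Artillery banlist, TOR exit-node
# list, OTX indicators and Alexa top-1M download (placeholder values, not real IoCs).
ARTILLERY_BANLIST = {"203.0.113.10", "198.51.100.7"}
TOR_EXIT_NODES = {"198.51.100.7"}
OTX_INDICATORS = {"192.0.2.55", "bad-example.test"}
ALEXA_TOP = ["example.com", "example.org"]  # registered domains, not full hostnames


def normalise_host(host):
    """Lowercase and strip a trailing dot so DNS log entries compare cleanly with feeds."""
    return host.strip().lower().rstrip(".")


def in_alexa(host, alexa):
    """True if the host or any parent domain is listed ('www.example.com' matches 'example.com')."""
    labels = normalise_host(host).split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return bool(candidates & set(alexa))


def check_ips(ips):
    """Return (label, ip) hits in the style of goatrider's output for each IP line."""
    hits = []
    for raw in ips:
        ip = raw.strip()
        try:
            ipaddress.ip_address(ip)  # skip malformed lines instead of crashing the run
        except ValueError:
            continue
        if ip in ARTILLERY_BANLIST:
            hits.append(("ARTILLERY_BANLIST_HIT_IP", ip))
        if ip in TOR_EXIT_NODES:
            hits.append(("TOR_EXIT_NODE_HIT_IP", ip))  # assumed label
        if ip in OTX_INDICATORS:
            hits.append(("OTX_HIT_IP", ip))  # assumed label
    return hits


def check_hosts(hosts):
    """Return (label, host) hits: OTX matches and hostnames missing from the Alexa list."""
    hits = []
    for raw in hosts:
        host = normalise_host(raw)
        if not host:
            continue
        if host in OTX_INDICATORS:
            hits.append(("OTX_HIT_HOST", host))  # assumed label
        if not in_alexa(host, ALEXA_TOP):
            hits.append(("ALEXA_NOT_FOUND_HIT_HOST", host))
    return hits
```

A hostname absent from the Alexa list is only a prompt to look closer, exactly as the post says, not a verdict.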