Most IOCs these days are shared without time context, so analysts waste time investigating hits in their environment that occurred before a malicious campaign started or after it ended.
This repository therefore provides the time context of published reports, extracted as CSV files.
There was also a discussion on Twitter: https://twitter.com/alexanderjaeger/status/1070311545874337792
This repository was created to showcase the idea.
Use the CSV files however you want; if you turn them into a product, please include a reference back to this repository.
All CSV files should be ready to be imported directly into Timesketch, so that analysts can use the timelines as an overlay on their internal analysis.
Every year has a folder containing one CSV per OSINT report.
It was decided to use the mandatory header fields of Timesketch to ensure compatibility:
- `message`: String with an informative message of the event
- `timestamp`: Unix epoch time in microseconds, corresponding to `datetime`
- `datetime`: ISO8601 format
  - Ex: 2015-07-24T19:01:01+00:00
- `timestamp_desc`: String explaining what type of timestamp it is. E.g. file created
  - Ex: "Time created"
You need to provide the CSV header with the column names as the first line in the file:
```csv
message,timestamp,datetime,timestamp_desc,extra_field_1,extra_field_2
A message,1331698658276340,2015-07-24T19:01:01+00:00,Write time,foo,bar
...
```
You can add as many optional fields as you want, e.g. `attribution` if the activity is attributed to a certain group / campaign.
It is also recommended to provide a `source` field containing the link to the source of the data point.
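The following is an added example, not code from this repository: it builds a CSV with the header layout described above from a few data points, validates a CSV before import (tz-aware ISO8601 `datetime`, `timestamp` in epoch microseconds matching it, no empty mandatory fields), and then uses the timeline's first/last event as the campaign window to triage internal IOC hits, which is the overlay use case the repository is meant for. The report URL, the actor name, all dates and the internal hits are constructed placeholders; the 7-day slack around the window is an arbitrary choice an analyst would tune.

```python
"""Build, validate and use a Timesketch-style timeline CSV (added example, not repo code)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Columns in the page's sample header; further columns (source, attribution, ...) are free-form.
REQUIRED_COLUMNS = ["message", "timestamp", "datetime", "timestamp_desc"]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed data points (not taken from any real report): URL, actor and dates are placeholders.
SAMPLE_EVENTS = [
    {"datetime": "2018-11-10T00:00:00+00:00", "timestamp_desc": "Domain registered",
     "message": "C2 domain registered", "source": "https://example.invalid/report",
     "attribution": "hypothetical-actor"},
    {"datetime": "2018-11-14T10:00:00+00:00", "timestamp_desc": "First observed",
     "message": "Phishing e-mails with LNK attachment delivered",
     "source": "https://example.invalid/report", "attribution": "hypothetical-actor"},
    {"datetime": "2018-11-19T00:00:00+00:00", "timestamp_desc": "Last observed",
     "message": "Last phishing wave seen by the reporting vendor",
     "source": "https://example.invalid/report", "attribution": "hypothetical-actor"},
]


def parse_iso8601(value):
    """Parse the datetime column; naive values (no UTC offset) are rejected."""
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"datetime {value!r} has no UTC offset")
    return dt


def epoch_micros(dt):
    """Timestamp column value: microseconds since the Unix epoch (exact integer math)."""
    return (dt - EPOCH) // timedelta(microseconds=1)


def build_timeline_csv(events, extra_columns=("source", "attribution")):
    """Render events as an importable CSV string, deriving 'timestamp' from 'datetime'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_COLUMNS + list(extra_columns),
                            lineterminator="\n")
    writer.writeheader()
    for ev in events:
        dt = parse_iso8601(ev["datetime"])
        row = {"message": ev["message"], "timestamp": epoch_micros(dt),
               "datetime": dt.isoformat(), "timestamp_desc": ev["timestamp_desc"]}
        row.update({col: ev.get(col, "") for col in extra_columns})
        writer.writerow(row)
    return buf.getvalue()


def validate_timeline_csv(text):
    """Return a list of problems; an empty list means the file is ready to import."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"header lacks mandatory column(s): {', '.join(missing)}"]
    problems = []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            dt = parse_iso8601(row["datetime"])
        except ValueError as exc:
            problems.append(f"line {n}: {exc}")
            continue
        if str(epoch_micros(dt)) != row["timestamp"].strip():
            problems.append(f"line {n}: timestamp does not match datetime")
        for col in ("message", "timestamp_desc"):
            if not row[col].strip():
                problems.append(f"line {n}: empty {col}")
    return problems


def activity_window(text):
    """Earliest and latest event in the timeline: the campaign's time context."""
    times = [parse_iso8601(r["datetime"]) for r in csv.DictReader(io.StringIO(text))]
    return min(times), max(times)


def triage_hits(text, hits, slack=timedelta(days=7)):
    """Split internal IOC hits into those inside the campaign window (+/- slack) and outside."""
    start, end = activity_window(text)
    inside, outside = [], []
    for hit in hits:
        seen = parse_iso8601(hit["seen"])
        (inside if start - slack <= seen <= end + slack else outside).append(hit)
    return inside, outside


# Constructed internal hits, as an in-house IOC matching job might emit them.
SAMPLE_HITS = [
    {"ioc": "c2.example.invalid", "seen": "2018-11-15T12:00:00+00:00"},  # during the campaign
    {"ioc": "c2.example.invalid", "seen": "2018-11-22T00:00:00+00:00"},  # just after, within slack
    {"ioc": "c2.example.invalid", "seen": "2019-03-01T00:00:00+00:00"},  # months later: stale hit
]

if __name__ == "__main__":
    timeline = build_timeline_csv(SAMPLE_EVENTS)
    print(timeline)
    print("problems:", validate_timeline_csv(timeline) or "none")
    inside, outside = triage_hits(timeline, SAMPLE_HITS)
    print(f"{len(inside)} hit(s) inside the campaign window, {len(outside)} outside")
```

Run the validator over a CSV before opening a pull request. Note that it flags the sample row in the format description above, which is copied from the Timesketch documentation: its `timestamp` value (1331698658276340, a date in March 2012) does not correspond to its `datetime` of 2015-07-24, so a row like that would sort oddly in a timeline.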
Why not format xyz?
There is already a good number of formats covering various aspects of threat intel. For timelines in particular there is no well-established standard / format, so CSV seems to be the way to go: it can be imported and exported easily by Office as well as various other tools.
How to contribute
Every contribution is highly welcome. If you come across an OSINT report that is not yet covered, feel free to turn it into a CSV:
- open an issue to cover a new report
- provide a CSV file for a report
| Date | Report | CSV available | Link |
|---|---|---|---|
| 2019-01-10 | Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware | Yes | Link |
| 2018-12-29 | Parsing the Cozy Bear LNK File | Yes | Link |
| 2018-12-21 | OVERRULED: Containing a Potentially Destructive Adversary | Yes | Link |
| 2018-12-19 | When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users | Yes | Link |
| 2018-12-05 | Flash 0day + Hacking Team RAT: Activities of Exploiting Latest Flash 0day Vulnerability and Correlation Analysis | Yes | Link |
| 2018-12-03 | Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Yes | Link |
| 2018-11-19 | Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign | Yes | Link |
| 2018-11-16 | New Strain of Olympic Destroyer Droppers | Yes | Link |
| 2018-09-13 | APT10 Targeting Japanese Corporations Using Updated TTPs | Yes | Link |
| 2018-06-19 | Olympic Destroyer is still alive | Yes | Link |
| 2017-04-?? | Operation Cloud Hopper APT10 | Yes | Link |
Some good sources of OSINT reports to be covered: