[Documentation] What's the maintainance plan with iocs.json #14
Comments
|
Yes, maintenance or better: "transparency" of the utilized IOCs would be great. @felixaime : It's been said before - great work. My first runs with it are promising. |
|
Hello jbrinksmeier,
Yes you're right. Strange for the Tek repo, I though to have integrated all of them. We are thinking to do a special export on another github repo centralizing only stalkerware IOCs and maintained by guys working on this kind of threats - which is not my case. I'm just passing through and gave this idea to the community.
Really, IOCs management is still a pain in the ass (for example, I'm not mentioning the source, validity period associated to them etc.). I wanted something very easy and small to begin. As of today, trust me that there is no "strategy" to maintain it except inputs/PRs from the community and myself. I came with this bucket of few IOCs to launch the projet. I'm thinking to create a Wiki page on them (we definitely need a wiki-like stuff to share ideas and improvements). Anyway, here is a list of what's integrated: To hunt the "unknown" threats:
To hunt the "unknown" threats:
You're welcome! |
|
great summary, thank you. that's been exactly what I wanted to know. |
|
Your URL doesn't work yet :/ After that, yeah I can check and integrate the URL to the default watchers ;) Félix. |
|
ups, my bad. The url is obviously not working as the PR is not been accepted yet. Indeed I wanted to link to the PR: AssoEchap/stalkerware-indicators#5 |
|
I have updated the Github action to build the JSON file automatically, thanks @jbrinksmeier ! So I think anyone can use that If I am right the certificates in the TinyCheck list are TLS certificates, not android app certificates? If yes, it does not make sense to have the android app certificates in this list, but I can do some work to have a list of IP addresses if it helps Tiny Check detection. Regarding IOCs, I have tried to integrate in this repository all the indicators I have seen from different public sources, so it should be quite complete. I am totally open to add some more if you see some missing indicators (and I am going to do some more reversing soon to get some more domains) |
|
Cool! Thanks Te-k! I'm gonna to test it and integrate it in the watchers this week if I have time! Have a good sunday, |
Related to the issue #14, thanks for his time and his contribution!
|
Hello, I've added the feed this evening to the default watchers IOCs. Thanks Te-k for your contribution! Have a great evening, |
|
Oh mighty wizards |
|
Hello posixpoet, I think yes (possible medium alerts at least) because some of their domains used some DNS name servers which are already referenced in the iocs.json. Yeah, that's why I wanted to use what I name "extended-IOCs". Moreover, I hesitate to add the certificates issuer, but I think that it will be more FP than Let's Encrypt. I need to test this issuer, so see if any big domain/service use it or not (like in the whole Alexa 1M...) to prevent the false positive if any. Anyway, I'm in holiday so I haven't had the time to investigate more deeply on their case. |
While searching for possible extensions to the IOCs used by tinycheck, I found myself missing some information about how this iocs.json is to be maintained by this project. You mentioned some sources in the docs, for example https://github.com/Te-k/stalkerware-indicators, but it looks like not all of the available iocs from there made it into the iocs.json. I am creating a watcher for them right now and it is painfree with the architecture you came up with.
In general it would be good to know how plans are to maintain the iocs.json in this repo. Are you watching sources like Te-k/stalkerware-indicators proactively and update the iocs.json? Is the plan to maintain this repository as a comprehensive list of IOCs with input/PRs from the community as
suggests?
Thanks for a feedback on this matter :)
The text was updated successfully, but these errors were encountered: