Threat Intelligence
IOC Repositories
These repos contain threat intelligence that is generally updated manually when the respective organizations publish threat reports.
- https://github.com/aptnotes/data
- https://github.com/citizenlab/malware-indicators
- https://github.com/da667/667s_Shitlist
- https://github.com/eset/malware-ioc
- https://github.com/fireeye/iocs
- https://github.com/Neo23x0/signature-base/tree/master/iocs
- https://github.com/pan-unit42/iocs
- https://github.com/stamparm/maltrail/tree/master/trails/static/malware
- https://github.com/stamparm/maltrail/tree/master/trails/static/suspicious
IOC Feeds
These URLs are data feeds of various types, ranging from scanning IPs seen by honeypots to C2 domains from malware sandboxes, among many other types. They were compiled from several sources, including (but not limited to): 1, 2, 3, 4, 5, 6. They are listed in alphabetical order.
- http://antispam.imp.ch/wormlist
- http://app.webinspector.com/recent_detections
- http://atrack.h3x.eu/api/asprox_suspected.php
- http://autoshun.org/files/shunlist.csv
- http://blocklist.greensnow.co/greensnow.txt
- http://botscout.com/last.htm
- http://botscout.com/last_caught_cache.htm
- http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
- http://cinsscore.com/list/ci-badguys.txt
- http://cybercrime-tracker.net/all.php
- http://cybercrime-tracker.net/ccam.php
- http://cybercrime-tracker.net/ccpmgate.php
- http://danger.rulez.sk/projects/bruteforceblocker/blist.php
- http://data.netlab.360.com/feeds/dga/dga.txt
- http://data.netlab.360.com/feeds/ek/magnitude.txt
- http://data.netlab.360.com/feeds/ek/neutrino.txt
- http://data.netlab.360.com/feeds/mirai-scanner/scanner.list
- http://data.phishtank.com/data/online-valid.csv
- http://dns-bh.sagadc.org/dynamic_dns.txt
- http://feeds.dshield.org/top10-2.txt
- http://hosts-file.net/?s=Browse&f=2014
- http://labs.snort.org/feeds/ip-filter.blf
- http://labs.sucuri.net/?malware
- http://lists.blocklist.de/lists/all.txt
- http://malc0de.com/bl/BOOT
- http://malc0de.com/bl/IP_Blacklist.txt
- http://malc0de.com/rss/
- http://malwaredb.malekal.com/
- http://malwaredomains.lehigh.edu/files/domains.txt
- http://malwareurls.joxeankoret.com/normal.txt
- http://mirror2.malwaredomains.com/files/immortal_domains.txt
- http://mirror2.malwaredomains.com/files/justdomains
- http://multiproxy.org/txt_all/proxy.txt
- http://openphish.com/feed.txt
- http://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
- http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt
- http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
- http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
- http://osint.bambenekconsulting.com/feeds/c2-masterlist.txt
- http://osint.bambenekconsulting.com/feeds/dga-feed.txt
- http://ransomwaretracker.abuse.ch
- http://report.rutgers.edu/DROP/attackers
- http://reputation.alienvault.com/reputation.data
- http://rules.emergingthreats.net/blockrules/emerging-ciarmy.rules
- http://rules.emergingthreats.net/blockrules/emerging-compromised.rules
- http://rules.emergingthreats.net/fwrules/emerging-PF-CC.rules
- http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
- http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
- http://sblam.com/blacklist.txt
- http://support.clean-mx.de/clean-mx/xmlviruses.php
- http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_EXIT.csv
- http://tracker.h3x.eu/api/sites_1day.php
- http://virbl.org/download/virbl.dnsbl.bit.nl.txt
- http://vmx.yourcmc.ru/BAD_HOSTS.IP4
- http://vxvault.net/URL_List.php
- http://vxvault.siri-urz.net/URL_List.php
- http://vxvault.siri-urz.net/ViriList.php
- http://www.autoshun.org/files/shunlist.csv
- http://www.blocklist.de/lists/apache.txt
- http://www.blocklist.de/lists/asterisk.txt
- http://www.blocklist.de/lists/bots.txt
- http://www.blocklist.de/lists/courierimap.txt
- http://www.blocklist.de/lists/courierpop3.txt
- http://www.blocklist.de/lists/email.txt
- http://www.blocklist.de/lists/ftp.txt
- http://www.blocklist.de/lists/imap.txt
- http://www.blocklist.de/lists/ircbot.txt
- http://www.blocklist.de/lists/pop3.txt
- http://www.blocklist.de/lists/postfix.txt
- http://www.blocklist.de/lists/proftpd.txt
- http://www.blocklist.de/lists/sip.txt
- http://www.blocklist.de/lists/ssh.txt
- http://www.botvrij.eu/data/ioclist.url
- http://www.ciarmy.com/list/ci-badguys.txt
- http://www.dshield.org/ipsascii.html?limit=10000
- http://www.falconcrest.eu/IPBL.aspx
- http://www.joewein.net/dl/bl/dom-bl-base.txt
- http://www.joewein.net/dl/bl/dom-bl.txt
- http://www.malware-traffic-analysis.net
- http://www.malwareblacklist.com/showAllMalwareURL.php?userName=Guest&sessionID=&downloadOption=0
- http://www.malwaredomainlist.com/hostslist/ip.txt
- http://www.malwaredomainlist.com/updatescsv.php
- http://www.malwaregroup.com/ipaddresses
- http://www.michaelbrentecklund.com/whm-cpanel-cphulk-banlist-whm-cpanel-cphulk-blacklist/
- http://www.mirc.com/servers.ini
- http://www.nothink.org/blacklist/blacklist_malware_dns.txt
- http://www.nothink.org/blacklist/blacklist_malware_http.txt
- http://www.nothink.org/blacklist/blacklist_malware_irc.txt
- http://www.nothink.org/blacklist/blacklist_snmp_2015.txt
- http://www.nothink.org/blacklist/blacklist_ssh_day.txt
- http://www.projecthoneypot.org/list_of_ips.php
- http://www.spamhaus.org/drop/drop.txt
- http://www.spamhaus.org/drop/edrop.txt
- http://www.stopforumspam.com/downloads/listed_ip_1_all.zip
- http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt
- http://www.urlvir.com/export-hosts/
- http://www.voipbl.org/update/
- https://atlas.arbor.net/summary/domainlist
- https://dataplane.org/sshclient.txt
- https://dataplane.org/sshpwauth.txt
- https://disconnect.me/lists/malvertising
- https://disconnect.me/lists/malwarefilter
- https://dragonresearchgroup.org/insight/sshpwauth.txt
- https://dragonresearchgroup.org/insight/vncprobe.txt
- https://feodotracker.abuse.ch
- https://github.com/stamparm/maltrail/blob/master/trails/static/mass_scanner.txt
- https://gitlab.com/ZeroDot1/CoinBlockerLists/blob/master/list.txt
- https://isc.sans.edu/feeds/daily_sources
- https://isc.sans.edu/feeds/suspiciousdomains_High.txt
- https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
- https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
- https://isc.sans.edu/feeds/topips.txt
- https://isc.sans.edu/ipsascii.html
- https://lists.malwarepatrol.net/cgi/getfile?receipt=f1417692233&product=8&list=dansguardian
- https://malc0de.com/bl/ZONES
- https://malsilo.gitlab.io/feeds/dumps/url_list.txt
- https://malwared.malwaremustdie.org/rss.php
- https://malwared.malwaremustdie.org/rss_bin.php
- https://malwared.malwaremustdie.org/rss_ssh.php
- https://myip.ms/files/blacklist/htaccess/latest_blacklist.txt
- https://onionoo.torproject.org/details?type=relay&running=true
- https://palevotracker.abuse.ch
- https://paste.cryptolaemus.com/feed.xml
- https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/bitcoin_nodes_1d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/botscout_1d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/cruzit_web_attacks.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/malwaredomainlist.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists_1d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyrss_1d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxyspy_1d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/ri_web_proxies_30d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/socks_proxy_7d.ipset
- https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslproxies_1d.ipset
- https://raw.githubusercontent.com/futpib/policeman-rulesets/master/examples/simple_domains_blacklist.txt
- https://raw.githubusercontent.com/Neo23x0/signature-base/master/iocs/otx-c2-iocs.txt
- https://rules.emergingthreats.net/open/suricata/rules/emerging-dns.rules
- https://secure.dshield.org/ipsascii.html?limit=1000
- https://sslbl.abuse.ch
- https://techhelplist.com/maltlqr/reports/dyreza.txt
- https://techhelplist.com/pastes
- https://techhelplist.com/spam-list
- https://threatfeeds.io/
- https://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
- https://urlhaus.abuse.ch/downloads/csv/
- https://www.badips.com/get/list/any/2?age=7d
- https://www.circl.lu/doc/misp/feed-osint/
- https://www.dan.me.uk/torlist/
- https://www.hidemyass.com/vpn-config/l2tp/
- https://www.malwaredomainlist.com/hostslist/hosts.txt
- https://www.maxmind.com/en/anonymous_proxies
- https://www.maxmind.com/en/high-risk-ip-sample-list
- https://www.openbl.org/lists/base.txt
- https://www.openbl.org/lists/base_all_ftp-only.txt
- https://www.openbl.org/lists/base_all_http-only.txt
- https://www.openbl.org/lists/base_all_smtp-only.txt
- https://www.openbl.org/lists/base_all_ssh-only.txt
- https://www.packetmail.net/iprep.txt
- https://www.packetmail.net/iprep_CARISIRT.txt
- https://www.packetmail.net/iprep_ramnode.txt
- https://www.trustedsec.com/banlist.txt
- https://www.turris.cz/greylist-data/greylist-latest.csv
- https://zeustracker.abuse.ch