
RISK INDICATORS

FREE OSINT Data Feeds

Why use OSINT in cybersecurity?

Open source intelligence (OSINT) strengthens defenses against evolving cyber threats. Used well, it works as an early warning system: indicators already published by the wider security community let a team identify and block a threat before it turns into a security incident in its own environment.

Malware Patrol collects open source intelligence from reputable sources within the cybersecurity industry as part of our ongoing research and daily operations. This information is carefully curated and provided via three free OSINT data feeds:

1) High Risk IPs: Addresses involved in a range of malicious activities, such as spam, malware distribution, botnets, and command-and-control communications.
2) Risk Indicators: A variety of threat-related IoCs, including MD5, SHA1, and SHA256 hashes, email addresses, cryptocurrency addresses, and CVEs.
3) Tor Exit Nodes: Addresses of active Tor exit nodes as reported by the Tor Project.

Security teams can use this intelligence in many ways: blocking malicious IPs and email addresses at the perimeter and mail gateway, blocklisting identified hashes so that EDR or application control prevents known malware from executing, and prioritizing patches for the CVEs the feed associates with active threat actors. The feeds can also be correlated with existing log and alert sources for better-informed decisions. As with any OSINT, each record carries credibility and reliability fields and a timestamp; treat low-scoring or aged indicators as enrichment and context rather than as grounds for automatic blocking.

Where possible, we correlate each indicator with the MITRE ATT&CK framework to provide deeper context. A correlated record carries the ATT&CK group and its aliases, the techniques and software ATT&CK associates with that group, and the references ATT&CK cites, so an analyst can move from a single hash to the tactics, techniques, and procedures (TTPs) and the threat actor behind it. The feeds are therefore useful not only for blocking but for detection engineering and threat hunting against the mapped techniques.

Feed Sample

  {
    "alias": [
      "APT34",
      "ATK40",
      "Cobalt Gypsy",
      "Crambus",
      "Evasive Serpens",
      "G0049",
      "Helix Kitten",
      "IRN2",
      "Oilrig",
      "Twisted Kitten"
    ],
    "category": "Group",
    "credibility": 3,
    "family": [
      "OilRig"
    ],
    "indicator": "0b676ea2ad205b70b9feb1eedbfdec72137e08e5",
    "mitre_attack": {
      "alias": [],
      "created": "2017-12-14T16:46:06.044Z",
      "defense_bypass": [],
      "description": "ftp",
      "group": [
        {
          "alias": [],
          "description": null,
          "id": "G0057",
          "name": "APT34",
          "url": "https://attack.mitre.org/groups/G0057"
        },
        {
          "alias": [],
          "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.",
          "id": "ics-attack",
          "name": "ATT&CK for ICS",
          "url": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "alias": [],
          "description": null,
          "id": "G0057",
          "name": "APT34",
          "url": "https://attack.mitre.org/groups/G0057"
        },
        {
          "alias": [],
          "description": "The full ATT&CK for ICS Matrix includes techniques spanning various ICS assets and can be used to navigate through the knowledge base.",
          "id": "ics-attack",
          "name": "ATT&CK for ICS",
          "url": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "alias": [],
          "description": null,
          "id": "G0057",
          "name": "APT34",
          "url": "https://attack.mitre.org/groups/G0057"
        },
        {
          "alias": [],
          "description": null,
          "id": "G0057",
          "name": "APT34",
          "url": "https://attack.mitre.org/groups/G0057"
        }
      ],
      "modified": "2024-04-11T16:06:34.698Z",
      "platform": [],
      "reference": [
        {
          "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)",
          "id": null,
          "name": "IRN2",
          "url": null
        },
        {
          "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
          "id": null,
          "name": "Palo Alto OilRig Oct 2016",
          "url": null
        },
        {
          "description": "Check Point. (2021, April 8). Iran's APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.",
          "id": null,
          "name": "Check Point APT34 April 2021",
          "url": null
        },
        {
          "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.",
          "id": null,
          "name": "Unit42 OilRig Playbook 2023",
          "url": null
        },
        {
          "description": "Meyers, A. (2018, November 27). Meet CrowdStrike's Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.",
          "id": null,
          "name": "Crowdstrike Helix Kitten Nov 2018",
          "url": null
        },
        {
          "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)",
          "id": null,
          "name": "APT34",
          "url": null
        },
        {
          "description": "(Citation: Microsoft Threat Actor Naming July 2023)",
          "id": null,
          "name": "Hazel Sandstorm",
          "url": null
        },
        {
          "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
          "id": null,
          "name": "Palo Alto OilRig April 2017",
          "url": null
        },
        {
          "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
          "id": null,
          "name": "Microsoft Threat Actor Naming July 2023",
          "url": null
        },
        {
          "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.",
          "id": null,
          "name": "Secureworks COBALT GYPSY Threat Profile",
          "url": null
        },
        {
          "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.",
          "id": null,
          "name": "Unit 42 QUADAGENT July 2018",
          "url": null
        },
        {
          "description": null,
          "id": "G0049",
          "name": "mitre-attack",
          "url": null
        },
        {
          "description": "(Citation: Unit42 OilRig Playbook 2023)",
          "id": null,
          "name": "Evasive Serpens",
          "url": null
        },
        {
          "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)",
          "id": null,
          "name": "OilRig",
          "url": null
        },
        {
          "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)",
          "id": null,
          "name": "COBALT GYPSY",
          "url": null
        },
        {
          "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)",
          "id": null,
          "name": "Helix Kitten",
          "url": null
        },
        {
          "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.",
          "id": null,
          "name": "Unit 42 Playbook Dec 2017",
          "url": null
        },
        {
          "description": "(Citation: Microsoft Threat Actor Naming July 2023)",
          "id": null,
          "name": "EUROPIUM",
          "url": null
        }
      ],
      "technique": [
        {
          "description": "Scheduled Task",
          "id": "T1053.005",
          "reference": "https://attack.mitre.org/techniques/T1053/005"
        },
        {
          "description": "Encrypted/Encoded File",
          "id": "T1027.013",
          "reference": "https://attack.mitre.org/techniques/T1027/013"
        },
        {
          "description": "Local Groups",
          "id": "T1069.001",
          "reference": "https://attack.mitre.org/techniques/T1069/001"
        },
        {
          "description": "Protocol Tunneling",
          "id": "T1572",
          "reference": "https://attack.mitre.org/techniques/T1572"
        },
        {
          "description": "System Network Configuration Discovery",
          "id": "T1016",
          "reference": "https://attack.mitre.org/techniques/T1016"
        },
        {
          "description": "Cached Domain Credentials",
          "id": "T1003.005",
          "reference": "https://attack.mitre.org/techniques/T1003/005"
        },
        {
          "description": "Query Registry",
          "id": "T1012",
          "reference": "https://attack.mitre.org/techniques/T1012"
        },
        {
          "description": "ftp",
          "id": "S0095",
          "reference": "https://attack.mitre.org/software/S0095"
        },
        {
          "description": "ATT&CK for ICS",
          "id": "ics-attack",
          "reference": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "description": "Command and Scripting Interpreter",
          "id": "T1059",
          "reference": "https://attack.mitre.org/techniques/T1059"
        },
        {
          "description": "Scripting",
          "id": "T0853",
          "reference": "https://attack.mitre.org/techniques/T0853"
        },
        {
          "description": "Keylogging",
          "id": "T1056.001",
          "reference": "https://attack.mitre.org/techniques/T1056/001"
        },
        {
          "description": "Malicious File",
          "id": "T1204.002",
          "reference": "https://attack.mitre.org/techniques/T1204/002"
        },
        {
          "description": "System Checks",
          "id": "T1497.001",
          "reference": "https://attack.mitre.org/techniques/T1497/001"
        },
        {
          "description": "certutil",
          "id": "S0160",
          "reference": "https://attack.mitre.org/software/S0160"
        },
        {
          "description": "Domain Account",
          "id": "T1087.002",
          "reference": "https://attack.mitre.org/techniques/T1087/002"
        },
        {
          "description": "File Deletion",
          "id": "T1070.004",
          "reference": "https://attack.mitre.org/techniques/T1070/004"
        },
        {
          "description": "LaZagne",
          "id": "S0349",
          "reference": "https://attack.mitre.org/software/S0349"
        },
        {
          "description": "Reg",
          "id": "S0075",
          "reference": "https://attack.mitre.org/software/S0075"
        },
        {
          "description": "Net",
          "id": "S0039",
          "reference": "https://attack.mitre.org/software/S0039"
        },
        {
          "description": "Domain Groups",
          "id": "T1069.002",
          "reference": "https://attack.mitre.org/techniques/T1069/002"
        },
        {
          "description": "LSA Secrets",
          "id": "T1003.004",
          "reference": "https://attack.mitre.org/techniques/T1003/004"
        },
        {
          "description": "POWRUNER",
          "id": "S0184",
          "reference": "https://attack.mitre.org/software/S0184"
        },
        {
          "description": "BONDUPDATER",
          "id": "S0360",
          "reference": "https://attack.mitre.org/software/S0360"
        },
        {
          "description": "Exfiltration Over Unencrypted Non-C2 Protocol",
          "id": "T1048.003",
          "reference": "https://attack.mitre.org/techniques/T1048/003"
        },
        {
          "description": "netstat",
          "id": "S0104",
          "reference": "https://attack.mitre.org/software/S0104"
        },
        {
          "description": "Brute Force",
          "id": "T1110",
          "reference": "https://attack.mitre.org/techniques/T1110"
        },
        {
          "description": "LSASS Memory",
          "id": "T1003.001",
          "reference": "https://attack.mitre.org/techniques/T1003/001"
        },
        {
          "description": "ISMInjector",
          "id": "S0189",
          "reference": "https://attack.mitre.org/software/S0189"
        },
        {
          "description": "Automated Collection",
          "id": "T1119",
          "reference": "https://attack.mitre.org/techniques/T1119"
        },
        {
          "description": "Remote Desktop Protocol",
          "id": "T1021.001",
          "reference": "https://attack.mitre.org/techniques/T1021/001"
        },
        {
          "description": "Web Shell",
          "id": "T1505.003",
          "reference": "https://attack.mitre.org/techniques/T1505/003"
        },
        {
          "description": "Web Protocols",
          "id": "T1071.001",
          "reference": "https://attack.mitre.org/techniques/T1071/001"
        },
        {
          "description": "ATT&CK for ICS",
          "id": "ics-attack",
          "reference": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "description": "Helminth",
          "id": "S0170",
          "reference": "https://attack.mitre.org/software/S0170"
        },
        {
          "description": "Valid Accounts",
          "id": "T1078",
          "reference": "https://attack.mitre.org/techniques/T1078"
        },
        {
          "description": "Credentials from Password Stores",
          "id": "T1555",
          "reference": "https://attack.mitre.org/techniques/T1555"
        },
        {
          "description": "Valid Accounts",
          "id": "T0859",
          "reference": "https://attack.mitre.org/techniques/T0859"
        },
        {
          "description": "Standard Application Layer Protocol",
          "id": "T0869",
          "reference": "https://attack.mitre.org/techniques/T0869"
        },
        {
          "description": "RGDoor",
          "id": "S0258",
          "reference": "https://attack.mitre.org/software/S0258"
        },
        {
          "description": "ATT&CK for ICS",
          "id": "ics-attack",
          "reference": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "description": "Indicator Removal from Tools",
          "id": "T1027.005",
          "reference": "https://attack.mitre.org/techniques/T1027/005"
        },
        {
          "description": "Windows Credential Manager",
          "id": "T1555.004",
          "reference": "https://attack.mitre.org/techniques/T1555/004"
        },
        {
          "description": "Peripheral Device Discovery",
          "id": "T1120",
          "reference": "https://attack.mitre.org/techniques/T1120"
        },
        {
          "description": "Spearphishing via Service",
          "id": "T1566.003",
          "reference": "https://attack.mitre.org/techniques/T1566/003"
        },
        {
          "description": "System Service Discovery",
          "id": "T1007",
          "reference": "https://attack.mitre.org/techniques/T1007"
        },
        {
          "description": "Systeminfo",
          "id": "S0096",
          "reference": "https://attack.mitre.org/software/S0096"
        },
        {
          "description": "RDAT",
          "id": "S0495",
          "reference": "https://attack.mitre.org/software/S0495"
        },
        {
          "description": "External Remote Services",
          "id": "T1133",
          "reference": "https://attack.mitre.org/techniques/T1133"
        },
        {
          "description": "Fallback Channels",
          "id": "T1008",
          "reference": "https://attack.mitre.org/techniques/T1008"
        },
        {
          "description": "Mimikatz",
          "id": "S0002",
          "reference": "https://attack.mitre.org/software/S0002"
        },
        {
          "description": "Malicious Link",
          "id": "T1204.001",
          "reference": "https://attack.mitre.org/techniques/T1204/001"
        },
        {
          "description": "Spearphishing Link",
          "id": "T1566.002",
          "reference": "https://attack.mitre.org/techniques/T1566/002"
        },
        {
          "description": "Asymmetric Cryptography",
          "id": "T1573.002",
          "reference": "https://attack.mitre.org/techniques/T1573/002"
        },
        {
          "description": "Spearphishing Attachment",
          "id": "T1566.001",
          "reference": "https://attack.mitre.org/techniques/T1566/001"
        },
        {
          "description": "Tasklist",
          "id": "S0057",
          "reference": "https://attack.mitre.org/software/S0057"
        },
        {
          "description": "Local Account",
          "id": "T1087.001",
          "reference": "https://attack.mitre.org/techniques/T1087/001"
        },
        {
          "description": "PowerShell",
          "id": "T1059.001",
          "reference": "https://attack.mitre.org/techniques/T1059/001"
        },
        {
          "description": "Password Policy Discovery",
          "id": "T1201",
          "reference": "https://attack.mitre.org/techniques/T1201"
        },
        {
          "description": "Credentials In Files",
          "id": "T1552.001",
          "reference": "https://attack.mitre.org/techniques/T1552/001"
        },
        {
          "description": "System Information Discovery",
          "id": "T1082",
          "reference": "https://attack.mitre.org/techniques/T1082"
        },
        {
          "description": "Masquerading",
          "id": "T1036",
          "reference": "https://attack.mitre.org/techniques/T1036"
        },
        {
          "description": "Compiled HTML File",
          "id": "T1218.001",
          "reference": "https://attack.mitre.org/techniques/T1218/001"
        },
        {
          "description": "Windows Command Shell",
          "id": "T1059.003",
          "reference": "https://attack.mitre.org/techniques/T1059/003"
        },
        {
          "description": "Outlook Home Page",
          "id": "T1137.004",
          "reference": "https://attack.mitre.org/techniques/T1137/004"
        },
        {
          "description": "Process Discovery",
          "id": "T1057",
          "reference": "https://attack.mitre.org/techniques/T1057"
        },
        {
          "description": "ATT&CK for ICS",
          "id": "ics-attack",
          "reference": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "description": "ATT&CK for ICS",
          "id": "ics-attack",
          "reference": "https://attack.mitre.org/matrices/ics/"
        },
        {
          "description": "DNS",
          "id": "T1071.004",
          "reference": "https://attack.mitre.org/techniques/T1071/004"
        },
        {
          "description": "OopsIE",
          "id": "S0264",
          "reference": "https://attack.mitre.org/software/S0264"
        },
        {
          "description": "Screen Capture",
          "id": "T1113",
          "reference": "https://attack.mitre.org/techniques/T1113"
        },
        {
          "description": "Network Service Discovery",
          "id": "T1046",
          "reference": "https://attack.mitre.org/techniques/T1046"
        },
        {
          "description": "Drive-by Compromise",
          "id": "T0817",
          "reference": "https://attack.mitre.org/techniques/T0817"
        },
        {
          "description": "Deobfuscate/Decode Files or Information",
          "id": "T1140",
          "reference": "https://attack.mitre.org/techniques/T1140"
        },
        {
          "description": "Ingress Tool Transfer",
          "id": "T1105",
          "reference": "https://attack.mitre.org/techniques/T1105"
        },
        {
          "description": "Visual Basic",
          "id": "T1059.005",
          "reference": "https://attack.mitre.org/techniques/T1059/005"
        },
        {
          "description": "Credentials from Web Browsers",
          "id": "T1555.003",
          "reference": "https://attack.mitre.org/techniques/T1555/003"
        },
        {
          "description": "SideTwist",
          "id": "S0610",
          "reference": "https://attack.mitre.org/software/S0610"
        },
        {
          "description": "System Owner/User Discovery",
          "id": "T1033",
          "reference": "https://attack.mitre.org/techniques/T1033"
        },
        {
          "description": "System Network Connections Discovery",
          "id": "T1049",
          "reference": "https://attack.mitre.org/techniques/T1049"
        }
      ],
      "type": "intrusion-set"
    },
    "reference": [
      "https://cloud.google.com/blog/topics/threat-intelligence/targeted-attack-in-middle-east-by-apt34",
      "https://cyberpedia.reasonlabs.com/EN/oilrig.html",
      "https://unit42.paloaltonetworks.com/tag/oilrig/",
      "https://www.darkreading.com/ics-ot-security/iran-oilrig-cyberattackers-target-israel-critical-infrastructure",
      "https://threatintelligenceplatform.com/threat-reports/tracing-the-dns-spills-of-the-oilrig-cyber-espionage-group",
      "https://www.ironnet.com/blog/iranian-cyber-attack-updates",
      "https://www.picussecurity.com/resource/blog/oilrig-apt",
      "https://live.paloaltonetworks.com/t5/Community-Blog/OilRig-Uses-Updated-BONDUPDATER-to-Target-Middle-Eastern/ba-p/230706",
      "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/",
      "https://www.trendmicro.com/en_us/research/23/i/apt34-deploys-phishing-attack-with-new-malware.html",
      "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
      "https://attack.mitre.org/groups/G0049/",
      "https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae",
      "https://therecord.media/alleged-iran-hackers-target-saudi-arabia-with-new-spy-malware",
      "https://www.darkreading.com/cyberattacks-data-breaches/iran-linked-apt34-spy-campaign-targets-saudis",
      "https://socprime.com/blog/saitama-backdoor-detection-apt34-aims-new-malware-at-jordans-foreign-ministry/",
      "https://www.broadcom.com/support/security-center/protection-bulletin/new-backdoor-malware-dubbed-saitama-used-by-apt34",
      "https://intezer.com/blog/research/new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/",
      "https://www.cisa.gov/news-events/alerts/2019/10/21/nsa-and-ncsc-release-joint-advisory-turla-group-activity",
      "https://partnernews.sophos.com/en-us/2022/11/resources/sophos-mdr-results-from-the-first-mitre-engenuity-attck-evaluation-for-security-service-providers/",
      "https://threatpost.com/oilrig-apt-continues-its-ongoing-malware-evolution/137444/",
      "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/",
      "https://www.bleepingcomputer.com/news/security/iranian-hackers-are-selling-access-to-corporate-networks/",
      "https://www.fortinet.com/blog/threat-research/please-confirm-you-received-our-apt",
      "https://www.paloaltonetworks.com/blog/tag/oilrig/",
      "https://www.reactionarytimes.com/exploring-crambus-activity-connected-iranian-apt34-muddywater/",
      "https://www.enigmasoftware.com/apt34-removal/",
      "https://ics-cert.kaspersky.com/publications/reports/2020/04/24/threat-landscape-for-industrial-automation-systems-apt-attacks-on-industrial-companies-in-2019/",
      "https://www.helpnetsecurity.com/2023/12/15/oilrig-downloaders-attacks-israeli-organizations/",
      "https://www.cyclonis.com/menorah-malware-employed-by-iranian-apt/",
      "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government",
      "https://cloud.google.com/blog/topics/threat-intelligence/hard-pass-declining-apt34-invite-to-join-their-professional-network/",
      "https://therecord.media/oilrig-apt34-iran-linked-hackers-new-downloaders-israel",
      "https://www.socinvestigation.com/apt34-returns-with-new-ttps-and-delivers-malicious-files/",
      "https://redcanary.com/blog/threat-detection/2022-mitre-attack-evals/",
      "https://threatpost.com/iranian-apts-fox-kitten-global-spy-campaign/152974/",
      "https://gbhackers.com/hacker-group-disguised-as-marketing/",
      "https://help.fortinet.com/fsiem/Public_Resource_Access/7_1_0/rules/PH_RULE_OilRig_APT_Registry_Persistence.htm",
      "https://me-en.kaspersky.com/about/press-releases/2023_kaspersky-experts-warn-of-increased-it-supply-chain-attacks-by-oilrig-apt-in-the-middle-east-and-turkiye",
      "https://blackpointcyber.com/resources/blog/shedding-light-on-cyberthreats-apt34s-menorah-malware/",
      "https://securelist.com/oilrigs-poison-frog/95490/",
      "https://asec.ahnlab.com/en/tag/apt34/",
      "https://www.csoonline.com/article/2142372/cisos-may-be-too-reliant-on-edr-xdr-defenses.html",
      "https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/",
      "https://cyble.com/threat-actor-profiles/threat-actor-profile-oilrig/",
      "https://www.hivepro.com/threat-advisory/prolonged-pursuit-of-oilrig-apt-targeting-middle-east-government/",
      "https://www.bitdefender.com/blog/hotforsecurity/iranian-backed-apt34-tries-to-compromise-company-linked-to-u-s-government/",
      "https://www.reddit.com/r/netsec/comments/18mvcli/a_detailed_analysis_of_the_menorah_malware_used/",
      "https://www.rewterz.com/threat-advisory/oilrig-apt-targets-middle-eastern-organizations-and-individuals",
      "https://www.darkreading.com/threat-intelligence/apt34-toolset-victim-data-leaked-via-telegram",
      "https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2023-q1-2024/",
      "https://www.csoonline.com/article/2112546/global-stability-issues-alter-cyber-threat-landscape-eset-reports.html",
      "https://malpedia.caad.fkie.fraunhofer.de/actor/oilrig"
    ],
    "reliability": "C",
    "source": "external",
    "tag": [],
    "timestamp": 1715370086,
    "timestamp_human": "2024/07/31 20:45:25 UTC",
    "type": "sha1"
  }
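The sample above is one record; the feed itself ships as gzip-compressed JSON (see Features). The following Python script is an added example, not Malware Patrol's code: it decompresses a feed, validates each indicator against its declared type, indexes the records with a credibility floor, collapses the repeated mitre_attack.technique entries into deduplicated technique and software ID lists, and looks up a batch of locally observed hashes. It assumes the feed body is either a JSON array of records or newline-delimited JSON (the page does not say which) and uses the field names of the published sample; the feed bytes, the email address, the credibility threshold and the observed hashes are constructed for the demo.

```python
"""Added example (not Malware Patrol's code): consume a gzip JSON Risk Indicators feed.
Assumptions not stated on the page: the feed body is a JSON array or NDJSON, and
field names follow the published sample. Feed bytes and hashes below are constructed."""
import gzip
import json
import re

# Hex digest lengths for the hash types the feed advertises.
_HEX = {"md5": 32, "sha1": 40, "sha256": 64}
# Enterprise/ICS technique IDs (T1234, T1234.001, T0853) and software IDs (S0095).
_ATTACK_ID = re.compile(r"^(T\d{4}(?:\.\d{3})?|S\d{4})$")


def load_feed(raw: bytes) -> list:
    """Decompress the feed and accept either a JSON array or newline-delimited JSON."""
    text = gzip.decompress(raw).decode("utf-8")
    if text.lstrip().startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(record: dict):
    """Return a copy with a canonical indicator, or None if it does not fit its declared type."""
    itype = str(record.get("type") or "").lower()
    value = str(record.get("indicator") or "").strip()
    if itype in _HEX:
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % _HEX[itype], value):
            return None
    elif itype == "cve":
        value = value.upper()
        if not re.fullmatch(r"CVE-\d{4}-\d{4,}", value):
            return None
    elif itype == "email":
        value = value.lower()
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            return None
    else:
        return None  # unknown type: skip rather than guess
    return {**record, "type": itype, "indicator": value}


def attack_ids(record: dict) -> dict:
    """Collapse mitre_attack.technique into deduplicated, sorted ID lists.
    The published sample repeats entries (ics-attack appears several times)."""
    out = {"technique": set(), "software": set(), "other": set()}
    for entry in record.get("mitre_attack", {}).get("technique", []):
        tid = str(entry.get("id") or "")
        if _ATTACK_ID.match(tid):
            out["technique" if tid.startswith("T") else "software"].add(tid)
        elif tid:
            out["other"].add(tid)
    return {k: sorted(v) for k, v in out.items()}


def index_feed(records, min_credibility=0) -> dict:
    """Index valid records by (type, indicator), dropping those below a credibility floor."""
    idx = {}
    for rec in records:
        norm = normalize(rec)
        if norm is None or (norm.get("credibility") or 0) < min_credibility:
            continue
        idx[(norm["type"], norm["indicator"])] = norm
    return idx


def match_hashes(idx: dict, observed) -> list:
    """Look up observed hashes; the hash type is inferred from the digest length."""
    by_len = {n: t for t, n in _HEX.items()}
    hits = []
    for h in observed:
        h = h.strip().lower()
        key = (by_len.get(len(h)), h)
        if key in idx:
            rec = idx[key]
            hits.append({"indicator": h, "family": rec.get("family", []),
                         "techniques": attack_ids(rec)["technique"]})
    return hits


# Constructed feed: record 0 mirrors the published sample (trimmed), record 1 is a
# low-credibility email on a reserved domain, record 2 is malformed on purpose.
SAMPLE_RECORDS = [
    {"alias": ["APT34", "OilRig"], "category": "Group", "credibility": 3,
     "family": ["OilRig"], "indicator": "0b676ea2ad205b70b9feb1eedbfdec72137e08e5",
     "mitre_attack": {"technique": [
         {"id": "T1053.005"}, {"id": "T1572"}, {"id": "S0095"},
         {"id": "ics-attack"}, {"id": "ics-attack"}, {"id": "T1572"}]},
     "reliability": "C", "source": "external", "timestamp": 1715370086, "type": "sha1"},
    {"category": "Phishing", "credibility": 1, "family": [], "indicator": "lure@example.com",
     "mitre_attack": {}, "reliability": "C", "source": "external", "type": "email"},
    {"category": "Group", "credibility": 5, "indicator": "not-a-hash", "type": "sha256"},
]
SAMPLE_FEED_GZ = gzip.compress(json.dumps(SAMPLE_RECORDS).encode())
SAMPLE_FEED_NDJSON_GZ = gzip.compress(
    b"".join(json.dumps(r).encode() + b"\n" for r in SAMPLE_RECORDS))


def demo():
    """Index the constructed feed with credibility >= 2 and look up two observed hashes."""
    idx = index_feed(load_feed(SAMPLE_FEED_GZ), min_credibility=2)
    observed = ["0B676EA2AD205B70B9FEB1EEDBFDEC72137E08E5",  # mixed case, as an EDR might export it
                "d41d8cd98f00b204e9800998ecf8427e"]          # md5 not present in the feed
    return idx, match_hashes(idx, observed)


if __name__ == "__main__":
    idx, hits = demo()
    print(f"{len(idx)} indexed, {len(hits)} hit(s):", json.dumps(hits, indent=2))
```

Two parts of this are worth keeping when adapting it to a real pipeline: the type check, so that a record whose indicator does not parse as its declared type is dropped rather than loaded into a blocklist, and the credibility floor, which turns the record's credibility and reliability fields into a policy decision instead of blocking on every indicator the feed contains.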


CONTENTS

– Cryptocurrency Addresses
– CVEs
– Email addresses
– Hashes (MD5, SHA-1, and SHA-256)
– IPs

FEATURES

– Free subscription
– JSON gzip format
– Hourly updates
– MITRE ATT&CK correlation