Content is user-generated and unverified.

Vulnerabilities, Feeds, OSIs - Complete Documentation

Initial Assessment List
Wibix AWS Instance API Feeds and Data Dumps
Breachdata from Kaggle
Data from MISP Instance
Data from OpenCTI
Comparative Analysis

Initial Assessment List

1. Malicious IP Sources

Source	Status	Notes
AbuseIPDB	✅ Done
Greynoise	🔄 Query Endpoint
Firehol	✅ Done

2. Malicious URL Sources

Source	Status	Notes
URLhaus	✅ Done
Phishtank	✅ Done
Threatfox	✅ Done

3. Blacklisted IP Sources

Source	Status	Notes
Alienvault	✅ Done
CyberCrimeTracker	📱 Telegram

4. Phishing Sources

Source	Status	Notes
Openphish	❌ Not Free
Phishstats	✅ Done
MISP	✅ Covered with MISP

5. Domain Intelligence

Source	Status	Notes
ThreatCrowd	❌ Not Free
Emerging Threats	❌ Not Free

6. Subdomain Intelligence

Source	Status	Notes
PassiveTotal	❌ Not Free
SecurityTrails	🔄 Query Endpoint
Censys	❌ Not Free

7. Zero-day Intelligence

Source	Status	Notes
NVD	❌ Not Free
Vuldb	🔄 Ongoing

8. File Hash Intelligence

Source	Status	Notes
MalwareBazaar	✅ Done
Virustotal	❌ Not Free
Hybrid Analysis	❌ Old Github, Not updated

9. Email Intelligence

Source	Status	Notes
PhishTank	✅ Done
Have I been Emotet	❌ No access

10. Dark Web Intelligence

Source	Status	Notes
Dark Feed	✅ Done
Intsights	❌ No access
Darktracer	❌ Old Github

11. Credential Breach Intelligence

Source	Status	Notes
HaveIBeenPwned	❌ No free access
Scylla.sh	❌ No free access
BreachDirectory	⏳ Waiting for access

Wibix AWS Instance API Feeds and Data Dumps

1. IP Intelligence

Source	Status
Firehol	✅ Done
Alienvault	✅ Done
Threatfox	✅ Done

2. URL Intelligence

Source	Status
Alienvault	✅ Done
Threatfox	✅ Done
URLhaus	✅ Done

3. Blacklisted IP

Source	Status
Alienvault	✅ Done
Abuseipdb	✅ Done

4. Phishing

Source	Status
Phishstats	✅ Done
Phishtank	✅ Done

5. Domain Intelligence

Source	Status
Alienvault	✅ Done
Threatfox	✅ Done

6. Subdomain Intelligence

Source	Status
Threatfox	✅ Done

7. Zero-day Intelligence

Source	Status
VulDB	🔄 Ongoing

8. File Hashes

Source	Status
Threatfox	✅ Done
Alienvault	✅ Done
MalwareBazaar	✅ Done
URLhaus	✅ Done

9. Email Intelligence

Source	Status
URLhaus	✅ Done

10. Dark Web

Source	Status
DarkFeed	✅ Done

11. Credential Breaches

Source	Status
Chronology	✅ Done
Kaggle	✅ Done

12. SSL Certificate

Source	Status
Abuse.ch	✅ Done

13. Hostname Intelligence

Source	Status
Alienvault	✅ Done

14. YARA Rules

Source	Status
Yarafy	✅ Done

Breachdata from Kaggle

Available Datasets

Blockchain Network Transaction
Company Data
HIPAA Data
Credit Card Transactions
Education Institute Email
Public Profiles
Twitter IDs - https://github.com/elliotwutingfeng/Twitter200M - Remaining

Data from MISP Instance

IOC Types (Complete List - 92 Types)

ID	IOC Type	Description
1	as	Autonomous System Number (ASN) used to identify network owners
2	attachment	Base64-encoded file or email attachment
3	authentihash	Windows PE file hash that excludes checksum, signature, and timestamp
4	btc	Bitcoin wallet address, used in crypto-related fraud or ransomware
5	campaign-id	Identifier for a threat campaign or operation
6	comment	Analyst or automated comment describing context or relevance
7	cookie	HTTP cookie used in tracking or malware C2
8	counter	Numerical value representing event counts or thresholds
9	cpe	Common Platform Enumeration string to identify software/hardware
10	dns-soa-email	Email in SOA DNS record, identifies domain admin
11	domain	Fully Qualified Domain Name (FQDN), often for C2 or phishing
12	domain\|ip	Hybrid of domain and IP to preserve resolution relationships
13	email-attachment	File name or metadata of an email attachment
14	email-body	Body content of an email, used in phishing analysis
15	email-dst	Recipient email address (`To:` field)
16	email-header	Raw email header lines (e.g., `Received:`, `X-Mailer:`)
17	email-message-id	Email's unique identifier (`Message-ID` header)
18	email-mime-boundary	MIME boundary used to segment email parts
19	email-reply-to	Address in `Reply-To:` header — often spoofed
20	email-src	Sender email address (`From:` field)
21	email-src-display-name	Display name of sender — used in spoofing
22	email-subject	Subject line of the email
23	email-x-mailer	Email client or tool used to send the message
24	filename	Name of a file, useful in malware or phishing campaigns
25	filename-pattern	Regex or wildcard pattern of filenames
26	filename\|md5	Filename paired with an MD5 hash
27	filename\|sha1	Filename paired with a SHA1 hash
28	filename\|sha256	Filename paired with a SHA256 hash
29	github-repository	URL or name of a GitHub repo (threat actor infra)
30	github-username	GitHub handle of an author or threat actor
31	hex	Arbitrary hex-encoded data (e.g., shellcode, keys)
32	hostname	Hostname (often internal), not FQDN
33	http-method	HTTP verbs like GET, POST, PUT — used in traffic profiling
34	iban	International Bank Account Number (often in fraud)
35	imphash	Import hash of PE files for clustering malware
36	ip-dst	Destination IP address
37	ip-dst\|port	IP and port tuple for destination socket
38	ip-src	Source IP address
39	ip-src\|port	IP and port tuple for source socket
40	ja3-fingerprint-md5	TLS client fingerprint (JA3), MD5 hash of fingerprint
41	jabber-id	XMPP/Jabber ID — used for threat actor comms
42	jarm-fingerprint	TLS server fingerprint (JARM), detects infra reuse
43	link	External link to blog, report, or malware download
44	malware-sample	Malware binary attached as a sample or hash reference
45	md5	MD5 hash of a file or object
46	mime-type	File MIME type (e.g., `application/pdf`)
47	mobile-application-id	App ID (e.g., Android package name or iOS bundle ID)
48	mutex	Named mutual exclusion object — malware often uses these
49	named pipe	Windows IPC pipe name used by malware or legit software
50	other	Miscellaneous custom value (avoid when possible)
51	pattern-in-file	Known byte/text pattern found inside a file
52	pattern-in-memory	Pattern found in process memory (YARA-like match)
53	pattern-in-traffic	Pattern match in network packet/stream
54	pdb	Path to debug symbol (PDB) — used to fingerprint builds
55	pehash	Structural PE hash (for malware clustering)
56	phone-number	International-format phone number
57	port	Network port number (0–65535)
58	regkey	Windows Registry key path
59	regkey\|value	Registry key and its value together
60	sha1	SHA1 hash of a file or object
61	sha224	SHA224 hash (rare, but supported)
62	sha256	SHA256 hash (standard for most malware)
63	sha384	SHA384 hash (rare in threat intel)
64	sha512	SHA512 hash (used in large file validation)
65	sigma	Sigma rule used for detecting behavior in logs
66	size-in-bytes	File size in bytes
67	snort	Snort IDS signature rule
68	ssdeep	Context-triggered fuzzy hash (used in clustering)
69	stix2-pattern	STIX 2.0 pattern for structured indicator sharing
70	target-external	Organization/individual being targeted (external to reporting org)
71	target-location	Geographic location of the intended victim
72	target-org	Name or ID of target organization
73	text	Generic text block (useful for strings or descriptions)
74	threat-actor	Name of an actor or group (APT29, FIN7, etc.)
75	tlsh	Trend Micro Locality Sensitive Hash (used for clustering)
76	twitter-id	Twitter handle or numeric ID
77	uri	Relative URI path — useful for URL pattern matching
78	url	Full URL including scheme (e.g., http://evil.com/payload)
79	user-agent	HTTP `User-Agent` string
80	vhash	Symantec VHASH — structural hash for malware
81	vulnerability	CVE or other vulnerability ID (e.g., `CVE-2023-23397`)
82	weakness	CWE identifier describing vulnerability class
83	whois-registrant-email	Email of domain registrant from WHOIS data
84	whois-registrant-name	Name of domain registrant
85	whois-registrant-phone	Phone of domain registrant
86	whois-registrar	WHOIS registrar (e.g., GoDaddy, Namecheap)
87	windows-scheduled-task	Name of scheduled task in Windows
88	windows-service-name	Name of a service installed on Windows
89	x509-fingerprint-md5	MD5 fingerprint of an X.509 cert
90	x509-fingerprint-sha1	SHA1 fingerprint of an X.509 cert
91	x509-fingerprint-sha256	SHA256 fingerprint of an X.509 cert
92	yara	YARA rule used to detect file or behavior

MISP Feeds (57 Active Feeds)

ID	Feed Name	Provider	URL
1	CIRCL OSINT Feed	CIRCL	https://www.circl.lu/doc/misp/feed-osint
2	The Botvrij.eu Data	Botvrij.eu	https://www.botvrij.eu/data/feed-osint
3	blockrules of rules.emergingthreats.net	rules.emergingthreats.net	https://rules.emergingthreats.net/blockrules/compromised-ips.txt
4	Tor exit nodes	TOR Node List from dan.me.uk	https://www.dan.me.uk/torlist/?exit
5	Tor ALL nodes	TOR Node List from dan.me.uk	https://www.dan.me.uk/torlist/
6	cybercrime-tracker.net - all	cybercrime-tracker.net	https://cybercrime-tracker.net/all.php
7	Phishtank online valid phishing	Phishtank	https://data.phishtank.com/data/online-valid.csv
8	ip-block-list - snort.org	https://snort.org	https://snort.org/downloads/ip-block-list
9	diamondfox_panels	pan-unit42	https://raw.githubusercontent.com/pan-unit42/iocs/master/diamondfox/diamondfox_panels.txt
10	pop3gropers	home.nuug.no	https://home.nuug.no/~peter/pop3gropers.txt
11	Feodo IP Blocklist	abuse.ch	https://feodotracker.abuse.ch/downloads/ipblocklist.csv
12	OpenPhish url list	openphish.com	https://openphish.com/feed.txt
13	firehol_level1	iplists.firehol.org	https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset
14	IPs from High-Confidence DGA...	osint.bambenekconsulting.com	https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
15	Domains from High-Confidence DGA...	osint.bambenekconsulting.com	https://osint.bambenekconsulting.com/feeds/c2-dommasterlist-high.txt
16	ci-badguys.txt	cinsscore.com	https://cinsscore.com/list/ci-badguys.txt
17	alienvault reputation generic	.alienvault.com	https://reputation.alienvault.com/reputation.generic
18	blocklist.de/lists/all.txt	blocklist.de	https://lists.blocklist.de/lists/all.txt
19	VNC RFB	dataplane.org	https://dataplane.org/vncrfb.txt
20	URLhaus URL Feed	abuse.ch	https://urlhaus.abuse.ch/downloads/csv_recent/
21	URLhaus Payloads Feed	abuse.ch	https://urlhaus.abuse.ch/downloads/payloads/csv_recent/
22	ThreatFox Indicators	abuse.ch	https://threatfox.abuse.ch/downloads/
23	SSL Blacklist	abuse.ch	https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
24	Maltrail Anomalies	maltrail	https://github.com/stamparm/maltrail
25	Bambenek DGA Domains - High	Bambenek Consulting	https://osint.bambenekconsulting.com/feeds/dga-feed-high.csv
26	MalwareBazaar Recent Binaries	abuse.ch	https://bazaar.abuse.ch/downloads/csv/
27	Malc0de Database Feed	malc0de.com	http://malc0de.com/bl/IP_Blacklist.txt
28	Emerging Threats Compromised IPs	Proofpoint Emerging Threats	https://rules.emergingthreats.net/blockrules/compromised-ips.txt
29	AlienVault IP Reputation	AlienVault	https://reputation.alienvault.com/reputation.snort
30	Cisco Talos IP Blacklist	Cisco Talos	https://www.talosintelligence.com/documents/ip-blacklist
31	SANS Suspicious Domains	SANS ISC	https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
32	SANS Suspicious IPs	SANS ISC	https://isc.sans.edu/feeds/block.txt
33	GreenSnow IP Blacklist	GreenSnow	https://blocklist.greensnow.co/greensnow.txt
34	BruteForceBlocker IP List	danger.rulez.sk	http://danger.rulez.sk/projects/bruteforceblocker/blist.php
35	Zeus Tracker Domain Blocklist	abuse.ch	https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
36	Zeus Tracker IP Blocklist	abuse.ch	https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
37	Zeus Tracker URL Blocklist	abuse.ch	https://zeustracker.abuse.ch/blocklist.php?download=urlblocklist
38	DNS-BH Malware Domains	malwaredomains.com	https://mirror1.malwaredomains.com/files/justdomains
39	MalwareDomains.com Hosts	malwaredomains.com	https://mirror1.malwaredomains.com/files/hosts
40	CIRCL Passive DNS Feed	CIRCL	https://www.circl.lu/doc/misp/feed-passive-dns/
41	CIRCL Passive SSL Feed	CIRCL	https://www.circl.lu/doc/misp/feed-passive-ssl/
42	CIRCL SSL Blacklist Feed	CIRCL	https://sslbl.abuse.ch/blacklist/
43	CIRCL APT Groups Feed	CIRCL	https://www.circl.lu/doc/misp/feed-apt/
44	CIRCL Botnet C2 Feed	CIRCL	https://www.circl.lu/doc/misp/feed-botcc/
45	CIRCL Phishing Feed	CIRCL	https://www.circl.lu/doc/misp/feed-phishing/
46	CIRCL Spamhaus Drop Feed	Spamhaus	https://www.spamhaus.org/drop/drop.txt
47	CIRCL Spamhaus eDrop Feed	Spamhaus	https://www.spamhaus.org/drop/edrop.txt
48	CIRCL Malc0de IP Feed	CIRCL	http://malc0de.com/bl/IP_Blacklist.txt
49	CIRCL MalwareBazaar Hash Feed	abuse.ch	https://bazaar.abuse.ch/downloads/hashlist.csv
50	CIRCL ThreatFox Feed	abuse.ch	https://threatfox.abuse.ch/downloads/
51	CIRCL ThreatFox URL Feed	abuse.ch	https://threatfox.abuse.ch/downloads/url/
52	CIRCL Feodo Tracker IP Feed	abuse.ch	https://feodotracker.abuse.ch/downloads/ipblocklist.csv
53	CIRCL SSLBL Feed	abuse.ch	https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
54	CIRCL OpenPhish Feed	OpenPhish	https://openphish.com/feed.txt
55	CIRCL Bambenek Consulting DGA Domains	Bambenek Consulting	https://osint.bambenekconsulting.com/feeds/dga-feed-high.csv
56	CIRCL SANS Suspicious IPs Feed	SANS ISC	https://isc.sans.edu/feeds/block.txt
57	CIRCL AlienVault IP Reputation Feed	AlienVault	https://reputation.alienvault.com/reputation.snort

Data from OpenCTI

Observable Types (17 Core Types)

Type	Description	Examples	Usage
artifact	A file or piece of data collected from a system that may indicate compromise	Memory dumps, dropped files, disk images, log files	Used to analyze malware, detect persistence, or identify data exfiltration
autonomous-system	A globally unique identifier (ASN - Autonomous System Number) assigned to a network managed by a single organization	AS13335 (Cloudflare), AS15169 (Google)	Often tied to malicious infrastructure or C2 hosting
cryptocurrency-wallet	A unique wallet address on a blockchain used for storing or transferring cryptocurrency	BTC: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT ETH: 0x742d35Cc6634C0532925a3b844Bc454e4438f44e	Tied to ransomware payments, laundering, or illicit finance
domain-name	A fully qualified domain name (FQDN) used in attacks	evil-c2.example.com	Domains for phishing, malware delivery, or C2
email-addr	An email address used for attack orchestration or exfiltration	attacker@malicious.com	Found in phishing, spear-phishing, BEC campaigns
email-message	Full email content or headers that can provide context	Email with malicious link or payload	Tied to phishing kits or social engineering campaigns
hostname	Name of a computer on a network (often internal)	WIN-7V45U6, DC01.corp.local	Useful in lateral movement tracking or internal recon
ipv4-addr	A 32-bit IPv4 address involved in malicious activity	192.168.1.10, 8.8.8.8	Common for IP-based IOC tracking like C2 servers, scanners
ipv6-addr	A 128-bit IPv6 address	2001:4860:4860::8888	Growing use in modern C2 comms or stealth ops
mutex	A named object in OS used by malware to avoid multiple instances or sync	Global\MyMalwareMutex123	Used in memory for malware identification or behavior tracking
software	A specific piece of software, typically identified by vendor, name, version	Apache Log4j 2.14.1	Tied to vulnerabilities (e.g., CVEs), exploited apps
stixfile	STIX (Structured Threat Information eXpression) formatted file containing threat intel	.stix or .json files with threat data	Used for intel sharing and correlation across platforms
text	Freeform text string that doesn't fit other IOC types	Exploit strings, malware family names, TTPs	Descriptions, labels, or pivoting identifiers
url	A full web address used in phishing, redirection, or C2	http://malicious[.]com/download.exe	Common in phishing or malvertising campaigns
windows-registry-key	A Windows Registry path or key associated with malware	Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware	Tracks persistence, privilege escalation, or configuration changes
x509-certificate	A digital certificate used in SSL/TLS or code signing, often stolen or abused	Certs with fake or compromised CNs	Tracks malicious HTTPS traffic or signed malware
Malware Hashes	sha1, md5, sha256	Various hash formats for file identification	Standard malware identification and tracking

Feed Information Sources

1. OpenCTI Live Streams

Intrinsec - https://www.intrinsec.com/cyber-threat-intelligence-feeds-en/

2. TAXII Collections

CISA - https://ais2.cisa.dhs.gov/taxii2/
ESET - https://taxii.eset.com/taxii2

3. Data Import Sources (80+ Connectors)

Category	Sources
Abuse/Malware	Abuse SSL, AbuseIPDB IP Blacklist, MalwareBazaar, MalwareBazaar Recent Additions
Threat Intelligence	Accenture ACTI, Alienvault, Bambenek Labs, Cybersixgill, Flashpoint, Intel 471, Intel 471 V2
Sandboxes	Anyrun Feed, Cape Sandbox, Cuckoo Sandbox, Hybrid Analysis, Joe Sandbox
Campaigns	APT & Cybercriminals Campaign Collection, Catalyst, Crowdstrike, Dragos
Vulnerability	CISA Known Exploited Vulnerabilities, NIST NVD CPE Database, NIST NVD CVE Database
Email	Cofense ThreatHQ, Email Intel IMAP, Email Intel Microsoft
Framework	DISARM Framework, MITRE Atlas, MITRE ATT&CK
Commercial	Mandiant, Microsoft Defender Incidents, Microsoft Sentinel Incidents, Recorded Future
Open Source	OpenCTI Datasets, Malpedia, Maltiverse, Phishunt.io
Certificates	Cert.PL MWDB, crt.sh
Feeds	MISP, MISP Feed, Orange Cyberdefense, Ransomware.live
Cloud	S3 Bucket, RST Cloud
Dark Web	Disinfox, Hunt IO
Security	SEKOIA.IO, Silobreaker, SOC Prime, SOC Radar
Incident Response	SentinelOne Incidents, SentinelOne Threats, Tanium Incidents, TheHive
Threat Feeds	Threat Fox by Abuse.ch, ThreatMatch, URLhaus by Abuse.ch, URLhaus Recent Payloads
Vulnerability	Tenable Security Center, Tenable Vulnerability Management, Vulmatch, VulnCheck
Scanning	Urlscan.io, Valhalla, VX Vault
Enterprise	WIZ, ZeroFox, Zvelo

4. Enrichment Sources (40+ Connectors)

Category	Sources
IP/Domain	AbuseIPDB, DNSTwist, DomainTools, Google DNS, Host.io, IPinfo, IPQS, Shodan, Shodan InternetDB
Sandboxes	Any.run task, CAPE Sandbox, Cuckoo Sandbox, Hatching Triage Sandbox, Hybrid Analysis Sandbox, Intezer Sandbox, Joe Sandbox
Threat Intelligence	CrowdSec, FIRST EPSS, Gatewatcher Lastinfos

Content is user-generated and unverified.

Vulnerabilities, Feeds, OSIs - Complete Documentation

Table of Contents

Initial Assessment List

1. Malicious IP Sources

2. Malicious URL Sources

3. Blacklisted IP Sources

4. Phishing Sources

5. Domain Intelligence

6. Subdomain Intelligence

7. Zero-day Intelligence

8. File Hash Intelligence

9. Email Intelligence

10. Dark Web Intelligence

11. Credential Breach Intelligence

Wibix AWS Instance API Feeds and Data Dumps

1. IP Intelligence

2. URL Intelligence

3. Blacklisted IP

4. Phishing

5. Domain Intelligence

6. Subdomain Intelligence

7. Zero-day Intelligence

8. File Hashes

9. Email Intelligence

10. Dark Web

11. Credential Breaches

12. SSL Certificate

13. Hostname Intelligence

14. YARA Rules

Breachdata from Kaggle

Available Datasets

Data from MISP Instance

IOC Types (Complete List - 92 Types)

MISP Feeds (57 Active Feeds)

Data from OpenCTI

Observable Types (17 Core Types)

Feed Information Sources

1. OpenCTI Live Streams

2. TAXII Collections

3. Data Import Sources (80+ Connectors)

4. Enrichment Sources (40+ Connectors)