From f282a5c1101435c10dc76aad9789d6ed6db53e5b Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Thu, 2 Jan 2025 10:44:02 +0100
Subject: [PATCH 1/4] adding new domain
---
guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index ea62645a..20a33495 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -31,7 +31,7 @@ rules:
- pattern: ("...")
- pattern-either:
# complete domains
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net))\b)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net))|trycloudflare\.com\b)
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co|ply\.gg|ngrok-free\.(app|dev)|ipinfo\.io)\b)
# top-level domains
- pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
From 58c051c5a7df1d5cf90fa3f478b3c0c9c7e7bb6e Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Wed, 8 Jan 2025 16:42:43 +0100
Subject: [PATCH 2/4] improve shady-links patterns
---
guarddog/analyzer/sourcecode/shady-links.yml | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 20a33495..7543aae4 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
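Review bot: The new alternative `|trycloudflare\.com\b` on the added pattern-regex line sits outside the domain group, so the regex now reads as `(prefix(domains))|trycloudflare\.com\b`: the trailing `\b` no longer guards the first alternative (a string such as `https://bit.lyrics.example` starts matching), and `trycloudflare.com` is matched bare, without the scheme/host prefix the other domains get, so its capture groups differ. The intended line ends `...|burpcollaborator\.(me|net)|trycloudflare\.com)\b)`. The same line still carries the pre-existing `backblazeb2\.com\|paste\.ee`, where the escaped pipe makes the alternative the literal text `backblazeb2.com|paste.ee`, so neither domain is matchable on its own. Both problems are corrected by PATCH 2/4 in this series, which mainly argues for squashing the series so no intermediate commit ships the broken rule.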
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -30,9 +30,16 @@ rules:
- patterns:
- pattern: ("...")
- pattern-either:
- # complete domains
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly|discord\.com|workers\.dev|transfer\.sh|filetransfer\.io|sendspace\.com|appdomain\.cloud|backblazeb2\.com\|paste\.ee|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net))|trycloudflare\.com\b)
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|api\.telegram\.org|rentry\.co|ply\.gg|ngrok-free\.(app|dev)|ipinfo\.io)\b)
+ # complete domains: shorteners
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly)\b)
+ # complete domains: ephimerals,tunnels
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(workers\.dev|appdomain\.cloud|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net)|trycloudflare\.com)\b)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|ngrok-free\.(app|dev))\b)
+ # complete domains: exfil
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(discord\.com|transfer\.sh|filetransfer\.io|sendspace\.com|backblazeb2\.com|paste\.ee|pastebin\.com|api\.telegram\.org|rentry\.co)\b)
+ # complete domains: intel
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(ipinfo\.io)\b)
+
# top-level domains
- pattern-regex: (https?:\/\/[^\n\[\/\?#"']*?\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream)\/)
# IPv4
From 4404c89f04b362c03902a7c70bed874c4b070381 Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Fri, 10 Jan 2025 14:18:58 +0100
Subject: [PATCH 3/4] adding new shady link
---
guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index 7543aae4..e5212d48 100644
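Review bot: The added comment `# complete domains: ephimerals,tunnels` has a typo and a missing space, and the group it labels also holds `oastify.com`, `burpcollaborator.*` and `oast.*`, which are out-of-band callback services rather than tunnels; suggest `# complete domains: ephemeral hosts, tunnels, OOB callback services`. The hunk also quietly changes detection results in two ways the commit message does not mention: `backblazeb2\.com\|paste\.ee` becomes `backblazeb2\.com|paste\.ee` (the old escaped pipe meant neither domain matched on its own), and `pastebin\.com` is a brand-new domain in the exfil group; both deserve a line in the message. Since the wrapper `((?:https?:\/\/)?[^\n\[\/\?#"']*?(…)\b)` is now copied five times, a comment above the first copy explaining its parts (optional scheme, lazy host prefix so subdomains are caught, `\b` so `transfer.shop` does not match `transfer\.sh`) would help the next editor keep the copies in sync.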
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
@@ -34,7 +34,7 @@ rules:
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly)\b)
# complete domains: ephimerals,tunnels
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(workers\.dev|appdomain\.cloud|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net)|trycloudflare\.com)\b)
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|ngrok-free\.(app|dev))\b)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|pipedream\.net|ngrok-free\.(app|dev))\b)
# complete domains: exfil
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(discord\.com|transfer\.sh|filetransfer\.io|sendspace\.com|backblazeb2\.com|paste\.ee|pastebin\.com|api\.telegram\.org|rentry\.co)\b)
# complete domains: intel
From 2daea34aac8b5778a209f253fb4f932884c5cf7a Mon Sep 17 00:00:00 2001
From: Sebastian Obregoso
Date: Fri, 10 Jan 2025 14:20:18 +0100
Subject: [PATCH 4/4] adding link
---
guarddog/analyzer/sourcecode/shady-links.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guarddog/analyzer/sourcecode/shady-links.yml b/guarddog/analyzer/sourcecode/shady-links.yml
index e5212d48..4daffd79 100644
--- a/guarddog/analyzer/sourcecode/shady-links.yml
+++ b/guarddog/analyzer/sourcecode/shady-links.yml
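Review bot: `pipedream\.net` here, and `dnslog\.cn` in the PATCH 4/4 hunk, are added to the detection list with no accompanying test case; if the repository keeps Semgrep fixtures for this rule, each newly listed domain should get a positive example so that a later edit to the shared wrapper (like the misplaced alternation in PATCH 1/4) cannot silently drop it. Both domains land in the group commented as `ephimerals,tunnels`; `dnslog.cn` is a DNS-callback service comparable to the neighbouring `oastify.com` and `burpcollaborator.*`, so the placement is consistent, but it is one more reason for that comment to name callback services. Keeping each alternation sorted would also make single-domain commits like these two easier to check for duplicates.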
@@ -34,7 +34,7 @@ rules:
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(bit\.ly)\b)
# complete domains: ephimerals,tunnels
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(workers\.dev|appdomain\.cloud|ngrok\.io|termbin\.com|localhost\.run|webhook\.site|oastify\.com|burpcollaborator\.(me|net)|trycloudflare\.com)\b)
- - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|pipedream\.net|ngrok-free\.(app|dev))\b)
+ - pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(oast\.(pro|live|site|online|fun|me)|ply\.gg|pipedream\.net|dnslog\.cn|ngrok-free\.(app|dev))\b)
# complete domains: exfil
- pattern-regex: ((?:https?:\/\/)?[^\n\[\/\?#"']*?(discord\.com|transfer\.sh|filetransfer\.io|sendspace\.com|backblazeb2\.com|paste\.ee|pastebin\.com|api\.telegram\.org|rentry\.co)\b)
# complete domains: intel