
Michael H., a Threat Researcher and maintainer of LOLDrivers & Atomic Red Team, shares valuable resources for hunting suspicious clicks and analyzing malicious behavior. His nightly reports, packed with indicators, redirects, and shady activity, are available for security professionals and threat hunters.
Key Resources:
📂 Nightly Reports (JSON format): https://lnkd.in/gs5h9gNZ
💻 ClickGrab Tool: https://lnkd.in/gEtwvr3w
You Should Know:
1. Analyzing Nightly Reports (JSON Format)
Security researchers can parse JSON reports to extract IOCs (Indicators of Compromise) such as:
– Malicious URLs
– IP addresses
– File hashes (MD5, SHA-1, SHA-256)
Example Command (Linux), assuming the report has a top-level "indicators" array whose entries carry "url", "ip" and "hash" keys. Those names depend on the report schema, so check the real keys first (jq 'keys' nightly_report.json lists the top-level ones) and adjust the paths:
jq '.indicators[] | {url: .url, ip: .ip, hash: .hash}' nightly_report.json
2. Using ClickGrab for Threat Hunting
ClickGrab helps in tracking suspicious clicks and redirects. The commands below are general-purpose helpers for the same workflow, not ClickGrab subcommands:
Extracting Redirect Chains with cURL (-I sends HEAD requests, -L follows redirects, -k skips certificate validation; run this only from an isolated analysis VM, because it contacts the hosting server):
curl -sILk "https://malicious-site.com" | grep -E "Location:|HTTP/"
Some landing pages answer HEAD differently from GET, so a GET that discards the body and dumps the headers to stdout is more faithful; HTTP/2 servers print header names in lowercase, hence the case-insensitive grep:
curl -sLk -o /dev/null -D - "https://malicious-site.com" | grep -iE "^location:|^HTTP/"
Checking File Hashes (Windows):
Get-FileHash -Algorithm SHA256 "C:\suspicious_file.exe"
Monitoring Network Connections (Linux). netstat -tulnp | grep ESTABLISHED never matches anything, because -l restricts the listing to listening sockets; drop -l or use ss, which can filter on state directly:
sudo ss -tnp state established
sudo netstat -tnp | grep ESTABLISHED
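To show what the curl output above turns into once it is parsed, here is an added Python example (written for this page; it is not part of the original post and not ClickGrab's code) that rebuilds the hop list from a constructed sample of curl -sILk output, resolves relative Location values against the URL that sent them, and flags cross-host hops and https-to-http downgrades. The start URL, hostnames and headers are made up. The cross-host check compares hostnames rather than registrable domains, so a hop between two subdomains of one site is reported as well.

```python
import sys
from urllib.parse import urljoin, urlsplit

# Constructed sample of what `curl -sILk <url>` prints: one header block per
# response, separated by a blank line. Hosts are documentation examples.
SAMPLE_CURL_OUTPUT = """\
HTTP/1.1 302 Found
Server: nginx
Location: https://cdn.example.net/go?id=7

HTTP/2 301
location: /captcha/verify.html
content-length: 0

HTTP/2 200
content-type: text/html
"""


def parse_redirect_chain(start_url, raw_output):
    """Turn curl's stacked header blocks into a list of hops.

    Each hop records the URL that was requested, the status code returned,
    and the absolute Location it pointed to (None on the final response).
    Relative Location values are resolved against the URL that sent them.
    Real curl output uses CRLF line endings, so normalise them first.
    """
    hops = []
    current = start_url
    normalised = raw_output.replace("\r\n", "\n")
    blocks = [b for b in normalised.split("\n\n") if b.strip()]
    for block in blocks:
        lines = block.strip().splitlines()
        status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
        location = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "location":  # header names are case-insensitive
                location = urljoin(current, value.strip())
                break
        hops.append({"url": current, "status": status, "location": location})
        if location is None:
            break  # final response, nothing further to follow
        current = location
    return hops


def flag_chain(hops):
    """Return human-readable findings about suspicious hops."""
    findings = []
    for i in range(len(hops) - 1):
        src, dst = urlsplit(hops[i]["url"]), urlsplit(hops[i + 1]["url"])
        if src.hostname != dst.hostname:
            findings.append(f"hop {i}: cross-host redirect {src.hostname} -> {dst.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(f"hop {i}: downgrade to plaintext http at {dst.hostname}")
    if len(hops) > 3:
        findings.append(f"long chain: {len(hops)} hops")
    return findings


if __name__ == "__main__":
    # With a start URL on the command line, read real curl output from stdin:
    #   curl -sILk "$URL" | python3 chain.py "$URL"
    # Without arguments, run against the constructed sample.
    if len(sys.argv) > 1:
        start, raw = sys.argv[1], sys.stdin.read()
    else:
        start, raw = "http://example.com/click?x=1", SAMPLE_CURL_OUTPUT
    chain = parse_redirect_chain(start, raw)
    for hop in chain:
        print(hop)
    for finding in flag_chain(chain):
        print("FINDING:", finding)
```

Hop 0 in the sample is reported as a cross-host redirect (example.com to cdn.example.net); the 301 that follows is a same-host relative redirect and is not flagged.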
3. Automating IOC Extraction with Python
import json

with open('nightly_report.json', 'r') as f:
    data = json.load(f)

# .get() avoids a KeyError when an entry lacks one of the fields
for entry in data.get('indicators', []):
    print(f"URL: {entry.get('url')}, IP: {entry.get('ip')}, Hash: {entry.get('hash')}")
4. Atomic Red Team for Testing Defenses
Since Michael maintains Atomic Red Team, test your defenses with Invoke-AtomicRedTeam. Run it on a dedicated test host with logging and EDR in place, check the prerequisites first, and clean up afterwards:
Invoke-AtomicTest T1059.001 -TestNumbers 1,2 -CheckPrereqs
Invoke-AtomicTest T1059.001 -TestNumbers 1,2
Invoke-AtomicTest T1059.001 -TestNumbers 1,2 -Cleanup
What Undercode Say:
Threat hunting requires constant monitoring of IOCs, automated log analysis, and understanding attacker TTPs (Tactics, Techniques, and Procedures). Tools like ClickGrab and Atomic Red Team help blue teams stay ahead.
Additional Useful Commands:
- Linux:
grep -r "malicious_pattern" /var/log/
- Windows:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Select-Object -First 10
- Network Analysis:
tshark -r capture.pcap -Y "http.request.uri contains 'malicious'"
Expected Output:
- Extracted IOCs from JSON reports
- Detected malicious redirects
- Automated threat hunting scripts
References:
Reported By: Michaelahaag (ClickGrab nightly reports) – Hackers Feeds