The code on this repository is GPLv3, (c) Arnim Eijkhoudt, 2022-2026.
- Official github repository: https://github.com/uforia/matterbot/
- Please do not approach the developers (including me) for API keys, CTI data, etc.; you need to provide your own :-)
- Pull/feature requests and comments are welcome: please open/post them on GitHub
- If you are looking to deploy MatterBot for commercial purposes, please reach out to me via the uforia[@]dhcp[.]net email adress
Code probably has bugs, but it is officially in a 'works for me' and 'works for others' state ;-)
MatterBot consists of two parts, matterbot and matterfeed, that can be run mostly independently. matterfeed aggregates information from various resources (see table below) on a set schedule and posts those in a channel. matterbot sits in at least one or more channels, and listens for commands/triggers to spring into action and e.g. collect information for you from various online and local resources via API calls.
Both matterbot and matterfeed should be run within a tmux or screen session. The code does not daemonize itself, and there are no plans to implement this currently.
Matterfeed reports news updates on a set schedule. The currently supported sources are listed in the table below:
| Name | Type | API Key Required | Paid Subscription |
|---|---|---|---|
| 0dayfans Security News | RSS | No | No |
| 1275 Новости (RU) | RSS | No | No |
| ABB Advisories | RSS | No | No |
| Akamai Security Blog | RSS | No | No |
| Any.run Cybersecurity Blog | RSS | No | No |
| Aqua Security Blog | RSS | No | No |
| Arctic Wolf Security Blog | RSS | No | No |
| Asec Ahnlab Threat Intelligence | RSS | No | No |
| Attackiq Threat Intelligence | RSS | No | No |
| Australian Cyber Security Centre | RSS | No | No |
| Bad Sector Labs Newsletter | RSS | No | No |
| Barracuda Threat Intelligence | RSS | No | No |
| Binary Defense | RSS | No | No |
| Bishop Fox Offensive Security | RSS | No | No |
| Bleepingcomputer News | RSS | No | No |
| Bluesky Social Network | RSS | No | No |
| Breakglass Intelligence Blog | RSS | No | No |
| Broadcom Symantec | RSS | No | No |
| Bruce Schneier's Blog | RSS | No | No |
| Canadian Centre for Cyber Security | RSS | No | No |
| CERT Bundesrepublik Deutschland | RSS | No | No |
| CERT Česká Republika | RSS | No | No |
| CERT Eesti Vabariik | RSS | No | No |
| CERT European Union | RSS | No | No |
| CERT Groussherzogtum Lëtzebuerg | RSS | No | No |
| CERT Instituto Nacional de Ciberseguridad | RSS | No | No |
| CERT Latvijas Republika | RSS | No | No |
| CERT Republica Moldova | RSS | No | No |
| CERT Repubblica Italiana | RSS | No | No |
| CERT Republik Österreich | RSS | No | No |
| CERT Republika e Shqipërisë (AL) | RSS | No | No |
| CERT Republika Slovenija | RSS | No | No |
| CERT République Française | RSS | No | No |
| CERT Rzeczpospolita Polska | RSS | No | No |
| CERT Slovenská republika | RSS | No | No |
| CERT Türkiye Cumhuriyeti (USOM) | RSS | No | No |
| CERT VDE Industrial Advisories | RSS | No | No |
| CERT Репу̀блика Бълга̀рия (BG) | RSS | No | No |
| CERT Україна (UA) | RSS | No | No |
| CERT 中華人民共和國香港特別行政區 (HK) | RSS | No | No |
| Checkmarx Application Security Blog | RSS | No | No |
| Checkpoint (Email) Security Research | RSS | No | No |
| Cisco Security Advisories | RSS | No | No |
| CiscoTalos Threat Intelligence | RSS | No | No |
| CISecurity | RSS | No | No |
| Citrix Netscaler Blog | RSS | No | No |
| Claroty Vulnerability Disclosures | RSS | No | No |
| Cloudseclist Newsletter | RSS | No | No |
| Cqure Blog | RSS | No | No |
| CSHub (configurable list of CSHub feeds) | RSS | No | No |
| Cybereason Threat Intelligence | RSS | No | No |
| Cyble Threat Intelligence | RSS | No | No |
| DarkNet Blog | RSS | No | No |
| Darkowl Darkweb Intelligence | RSS | No | No |
| Darkrelay Offensive Security Blog | RSS | No | No |
| DataBreaches.Net News | RSS | No | No |
| DataBreachToday News | RSS | No | No |
| Datadog Security Labs | RSS | No | No |
| Datalekt.nl Nieuwsfeed | RSS | No | No |
| Deepinstinct Threat Intelligence | RSS | No | No |
| DeiC Sikkerhed/DKCERT | RSS | No | No |
| Deutsche Telekom CERT | RSS | No | No |
| DIVD CSIRT | RSS | No | No |
| Dragos OT Security | RSS | No | No |
| Eclecticiq Intelligence Research | RSS | No | No |
| Eclypsium Threat Research | RSS | No | No |
| Elastic Security Labs | RSS | No | No |
| European Union Vulnerability Database | JSON | No | No |
| F5 Labs Threat Intelligence | RSS | No | No |
| FalconForce | RSS | No | No |
| FieldEffect Threat Intelligence | RSS | No | No |
| Forescout Cyber Alerts | RSS | No | No |
| Fortinet PSIRT/Threat Research Blogs | RSS | No | No |
| GBHackers News | RSS | No | No |
| Gendigital Threat Research | RSS | No | No |
| Google Cloud Threat Intelligence | RSS | No | No |
| Google Security Blog | RSS | No | No |
| GreyNoise Threat Intelligence | RSS | No | No |
| Group-IB Blog | RSS | No | No |
| Hacktron AI Threat Research | RSS | No | No |
| Hadrian Security Blog | RSS | No | No |
| Harfanglab Threat Intelligence | RSS | No | No |
| Helpnet Security | RSS | No | No |
| Horizon3 Threat Research | RSS | No | No |
| Hudson Rock Infostealers | RSS | No | No |
| Huntress Threat Intelligence | RSS | No | No |
| IBM X-Force Threat Reports | RSS | No | No |
| Internet Crime Complaint Center Industry Alerts | RSS | No | No |
| Internet Crime Complaint Center Press Releases | RSS | No | No |
| Imperva Security Blog | RSS | No | No |
| Jamf Apple Security Research | RSS | No | No |
| JPCERT/CC Warnings & Emergency Bulletins | RSS | No | No |
| Juniper Network Blogs | RSS | No | No |
| Kaspersky SecureList News | RSS | No | No |
| Kevin Beaumont@Medium (DoublePulsar) | RSS | No | No |
| Kela Cyber Threat Intelligence | RSS | No | No |
| Kitploit Tool Updates | RSS | No | No |
| KnowBe4 News | RSS | No | No |
| KQLQuery Blog | RSS | No | No |
| KrebsOnSecurity Blog | RSS | No | No |
| Kyberturvallisuuskeskuksen Suomi (NCSC-FI) | RSS | No | No |
| Lab52 Threat Intelligence | RSS | No | No |
| Lumen Black Lotus Labs | RSS | No | No |
| MajorLeagueHacking News | RSS | No | No |
| Mastodon Social Network | RSS | No | No |
| MatterBot Github | RSS | No | No |
| Microsoft Vulnerability & Threat Reports | RSS | No | No |
| Morphisec Threat Intelligence | RSS | No | No |
| Nasjonal sikkerhetsmyndighet (NorCERT) | RSS | No | No |
| Nationellt CSIRT Sverige | RSS | No | No |
| Netwitness Intelligence | RSS | No | No |
| Nextron Systems Blog | RSS | No | No |
| NCSC Nederland Nieuws | RSS | No | No |
| NCSC Nederland Advisories | RSS | No | No |
| NCSC United Kingdom Advisories | RSS | No | No |
| Nemzeti Koordinációs Központ (NCSC-HU) | RSS | No | No |
| Netskope Threat Labs | RSS | No | No |
| Nozomi Networks Advisories | RSS | No | No |
| NVISO Blog | RSS | No | No |
| OffSec Threat Research | RSS | No | No |
| Offseq Threat Feed | RSS | No | No |
| Okta Security | RSS | No | No |
| Onapsis SAP Security | RSS | No | No |
| OpenCVE feed of CVEs | RSS | Yes | No |
| Opensource Malware Threat Intelligence | RSS | Yes | No |
| Orange Cyberdefense SensePost | RSS | No | No |
| Osint10x Blog / News | RSS | No | No |
| Outpost24 Threat Intelligence | RSS | No | No |
| OX Security Blog | RSS | No | No |
| Palo Alto/Unit 42 Advisories | RSS | No | No |
| Patchstack Wordpress Security | RSS | No | No |
| Persistent Security News | RSS | No | No |
| Portswigger Threat Research | RSS | No | No |
| Prodaft Threat Intelligence | RSS | No | No |
| Pulsedive Threat Intelligence | RSS | No | No |
| Qualys Threat Research | RSS | No | No |
| Quesma LLM Blog | RSS | No | No |
| R136a1 Malware Analysis | RSS | No | No |
| RansomLook (with support for detection of keywords/regex) | JSON | No | No |
| Ransomwatch | JSON | No | No |
| Recorded Future Threat Research | RSS | No | No |
| Red Asgard Threat Intelligence | RSS | No | No |
| Redcanary Security Blog | RSS | No | No |
| Reddit (configurable list of subreddits) | RSS | No | No |
| Red Hat Product Advisories | RSS | No | No |
| Reliaquest Security Blog | RSS | No | No |
| RST Cloud Intelligence | RSS | No | No |
| runZero Threat Intelligence | RSS | No | No |
| S3 Eurom Research | RSS | No | No |
| SANS Internet Storm Center | RSS | No | No |
| Safedep Threat Intelligence | RSS | No | No |
| Searchlight Security Research | RSS | No | No |
| Security.nl Nieuws | RSS | No | No |
| SebDraven | RSS | No | No |
| Securitylab Новости (RU) | RSS | No | No |
| SecurityAffairs News | RSS | No | No |
| Sekoia Threat Intelligence | RSS | No | No |
| Sick Advisories | RSS | No | No |
| Siemens Product Advisories | JSON | No | No |
| SilentPush Threat Intelligence | RSS | No | No |
| Silobreaker Intelligence Blog | RSS | No | No |
| Snyk.io Security Blog | RSS | No | No |
| Socket.dev Blog | RSS | No | No |
| SOCPrime Threat Intelligence | RSS | No | No |
| Sonicwall Advisories | RSS | No | No |
| Sophos Threat Research | RSS | No | No |
| Specterops Security Blog | RSS | No | No |
| Spiceworks Tech News | RSS | No | No |
| Sploitus Exploits | RSS | No | No |
| Splunk Threat Research | RSS | No | No |
| Starlabs Threat Research | RSS | No | No |
| StepSecurity Security Blog | RSS | No | No |
| Sublime Security Blog | RSS | No | No |
| Synacktiv Threat Research | RSS | No | No |
| Synaptic Security Blog | RSS | No | No |
| Sysdig Threat Research | RSS | No | No |
| Thalium Threat Research | RSS | No | No |
| TheHackerNews News | RSS | No | No |
| The Record Media | RSS | No | No |
| The DFIR-Report Blog | RSS | No | No |
| Threatanatomy Security Research | RSS | No | No |
| Threatfabric Mobile | RSS | No | No |
| Threatmon Threat Intelligence | RSS | No | No |
| Threatpost News | RSS | No | No |
| TrailOfBits Security Blog | RSS | No | No |
| TrendMicro Research | RSS | No | No |
| Tripwire State of Security | RSS | No | No |
| Trustedsec Offensive Security | RSS | No | No |
| Trustwave SpiderLabs | RSS | No | No |
| Tweakers.net Nieuws | RSS | No | No |
| US-CERT National Cyber Awareness System (Advisories, Alerts, Analysis Reports, Current Activity) | RSS | No | No |
| Validin Threat Intelligence | RSS | No | No |
| Varonis Threat Research | RSS | No | No |
| Veeam Advisories | RSS | No | No |
| Velociraptor News/Updates | RSS | No | No |
| Volerion Threat Intelligence | RSS | No | No |
| Volexity Memory Forensics & Threat Intelligence Blog | RSS | No | No |
| Wallarm API Security | RSS | No | No |
| watchTowr Offensive Security Blog | RSS | No | No |
| ESET WeLiveSecurity News | RSS | No | No |
| WikiJS Page Updates | WikiJS GraphQL | Yes | No |
| Windows IR Blog | RSS | No | No |
| Wiz.io Cloud Research | RSS | No | No |
| Xintra (Inversecos) Research Blog | RSS | No | No |
| Yarix Threat Intelligence | RSS | No | No |
| Zero Day Initiative Upcoming Advisories | RSS | No | No |
| Zetier Threat Intelligence | RSS | No | No |
New Matterfeed modules can be created. A boilerplate example can be found in the modules directory.
Every module is categorized in one or more topic(s). Users can subscribe or unsubscribe to specific newsfeeds or to a whole topic.
The Matterbot component listens in a given set of channels (configurable per module) for user-definable commands, executes and returns the results of the module code. The currently supported commands are listed below:
| Name | Type | Functionality / Use Case | API Key Required | Paid Subscription |
|---|---|---|---|---|
| AbuseIPDB | Threat Intel | Look up IPv4, IPv6 and netblocks for indicators/reports of abuse | Yes | No, but higher tier API rate limits are only available to paid subscribers |
| AlienVault OTX | Threat Intel | Look up IPv4, IPv6, hostnames, domains, MD5/SHA1/SHA256 hashes and URLs | No | No, but some API limitations may apply |
| Analyze | Threat Intel | Auto-download an uploaded attachment, calculate common hashes, then automatically run the configured follow-up commands (e.g. @ioc) against the resulting values to automate triage of interesting files |
No | No |
| APIVoid | Threat Intel | APIVoid toolbox with iprep, domainrep, urlrep and dnslookup subcommands for IP/domain/URL reputation and DNS lookups. Requires an APIVoid account |
Yes | No, but each call consumes pay-as-you-go credits |
| Argos Translate | Documentation/Threat Intel | Offline translation model to translate strings | No | No |
| ASN WHOIS | Threat Intel | Look up Autonomous System Numbers and return the ownership, peering and location information | No | No |
| AttackMatrix | Threat Intel | Query an AttackMatrix instance for e.g. MITRE ATT&CK IDs, Actor- and TTP-overlap. Requires Python GraphViz bindings to display the accompanying Graph | No, unless the AttackMatrix API is configured to require an API key | No |
| Bootloaders | Threat Intel | Query 'Bootloaders' project for vulnerable/malicious bootloader information. Returns detailed information, hashes and detection rules | No | No |
| BotScout | Threat Intel | Query the BotScout project's API for IP addresses, email addresses and names (text). Returns whether or not the given IoC has been detected, how often and as what | No | No, but the free API usage has a lower query limit per day |
| Broadcom Symantec Security Cloud (BSSC) | Threat Intel | Retrieve 'Threat Intel Insight' information for SHA256 file hashes, IPs, reputations, domains and URLs | Yes | Yes |
| Censys | Threat Intel | Query Censys for IPs and SHA256 certificate fingerprints. Query results are returned as the original Censys JSON blob | Yes | No: basic functionality Yes: additional features, such as pagination |
| ChainAbuse | OSINT | Query ChainAbuse for abuse reports tied to a cryptocurrency address (BTC, ETH, SOL, ...); returns total report count, scam categories and recent report descriptions. Requires a free ChainAbuse account | Yes | No |
| ChatGPT | LLM / GPT queries | Ask OpenAI's ChatGPT singular questions (no support for chat history). Requires a paid subscription with sufficient credits | Yes | Yes |
| CIRCL Passive DNS | Threat Intel | Query CIRCL Passive DNS for records (rrtype/rrname/rdata, first/last seen) observed for a domain, IPv4/IPv6 address or CIDR. Requires a free CIRCL pDNS account | Yes | No |
| crt.sh | Threat Intel | Query crt.sh's repository for TLS certificates related to a domain name | No | No |
| CyberThreat.nl | Threat Intel | Query the cyberthreat.nl API for an IP, hostname, FQDN, URL or other IoC; returns actor handles and confidence levels that can be queried further | Yes | No |
| Diceroll | Fun | Roll any kind of dice combination: #d# format | No | No |
| DNSDumpster | Threat Intel | Query the DNSDumpster API for e.g. A, MX, NS, PTR records associated with a domain name | Yes | No: 50 queries per day Yes: higher rate limits |
| DNSTwist | Threat Intel | Generate typosquatting/lookalike domain permutations via the DNSTwist tool and resolve them against public DNS to find registered ones, for brand-protection and phishing triage | No | No |
| DocGen | Documentation | Automatically create documentation with templated variables, rendering and more. Probably useless unless you have all the required materials. | No | No |
| Docspell | Documentation | Query an existing Docspell collective for search terms(1) | Yes | Yes: there are no public instances, so you need to set this up yourself |
| Early Warning & Advisory (EWA) | Threat Intel | Create Early Warning & Advisory documents using the National Vulnerability Database (NVD) and WikiJS information. Requires pandoc, pypandoc, LaTeX, a WikiJS instance and a CSS template for final rendering | No (for NVD) Yes (for WikiJS) |
No |
| EUVD | Vulnerability Management | Query the ENISA Vulnerability Database for vulnerability information | No | No |
| FileSec | Threat Intel | Look up a file extension on filesec.io for attack-relevance metadata: weaponisation status, execution behaviour, common use cases and references | No | No |
| Fofa | Threat Intel | Fofa surface search; plain IP/domain input is auto-wrapped, anything else is passed verbatim as a Fofa query (e.g. port="22" && country="CN"). Requires a free Fofa account |
Yes | No |
| FullHunt | Threat Intel | FullHunt attack-surface lookup: bare query returns asset details (host count, tech fingerprints, countries, tags); subdomains <domain> enumerates subdomains. Requires a free FullHunt account |
Yes | No |
| GeoLocation | Threat Intel | Convert latitude/longitude values into an address | No | No |
| GeoLookup | Threat Intel | Reverse-geocode a <latitude> <longitude> pair via OpenStreetMap Nominatim and return the geolocation, if available |
No | No |
| GHunt | OSINT | Look up a Google account via the GHunt CLI - surfaces Gaia ID, profile picture, public reviews/maps activity and linked services. Wraps the ghunt binary (operator must run ghunt login first) |
No | No |
| Grayhat Warfare | Threat Intel | Query the Grayhat API for for public (eg. AWS, AZ, GCP) buckets and their contents. | Yes | No: Search in limited amount of buckets Yes: all available buckets, regex searching, sorting on size/last modified date; see the GrayhatWarfare website for more information |
| GreyNoise | Threat Intel | Query the GreyNoise API for IP address reputation, such as whether an IP has been observed scanning the internet, source & destination countries, fingerprints, ports scanned, whether it is benign or not, etc. | Yes | Yes: certain features require an additional subscription license, such as timeline and similarity features; see the GreyNoise website and API documentation for more information |
| GTFOBins | Threat Intel | Query the ' |
No | No |
| HackerTarget | Threat Intel | OSINT toolbox over api.hackertarget.com: DNS lookup, reverse DNS, subdomain enumeration, WHOIS, GeoIP, AS lookup, MTR and shared-DNS lookups | No | No, but the free tier is capped (~50 queries/day); an optional key raises limits |
| HaveIBeenPwned | Threat Intel | Query the HIBP project for information related to breaches | Yes | Yes |
| HaveIBeenRansomed | Threat Intel | Search HaveIBeenRansomed for a victim organisation; returns ransomware operator, date listed and defanged leak-page URL per hit. Complements RansomLook | Yes | No |
| Holehe | OSINT | Check an email address against ~120 online services via the Holehe CLI and report where it is already registered, for account-discovery and ATO-risk triage. Wraps the holehe binary |
No | No |
| HoneyDB | Threat Intel | Query HoneyDB for honeypot activity on an IP address (last seen, hit count, ports, services); add history for the per-day history endpoint. Requires a free HoneyDB account |
Yes | No |
| httpx | Threat Intel | Probe a single URL or hostname with the ProjectDiscovery httpx CLI and surface status, title, server, technologies, content length and TLS. Requires the httpx binary on $PATH (or set HTTPX_BIN) |
No | No |
| Hunter.how | Threat Intel | Surface search via Hunter.how; plain IP/domain input is auto-wrapped, anything else is passed verbatim as a Hunter.how query (e.g. port=22 country=NL). Requires a free Hunter.how account |
Yes | No |
| Hybrid-Analysis | Threat Intel | Look up IPs, hostnames, domains, URLs, MD5, SHA1, SHA256, Authentihash, Imphash, ssdeep hashes and VxFamily names, as well as known 'context' and 'similarity' | Yes: 'vetted' API key strongly recommended to prevent hitting API limits | No: basic functionality, Yes: additional features/details |
| IPinfo | Threat Intel | Look up IP address information, such as geolocation and ownership | Yes | No: basic functionality, Yes: increased query limits |
| IPLocation | Threat Intel | Look up general location information (country, ISP) for an IPv4 of IPv6 address | No | No |
| IPWHOIS | Threat Intel | Look up IP address information: ownership, ASN, geolocation information | No | No |
| KoboldCPP | AI | Query a KoboldCPP instance with a question | Yes | Yes: either a paid subscription with an existing provider, or requires your own resource |
| LeakIX | Threat Intel | Find subdomains and look up possible information/data leaks for hosts and domains | Yes: API key strongly recommended to prevent hitting API limits | No: basic functionality, Yes: additional data |
| LOLBAS | Threat Intel | Query the 'Living Off The Land Binaries, Scripts and Libraries' project for file information. Returns detailed information and detection rules | No | No |
| LOLDrivers | Threat Intel | Query 'Living Off The Land Drivers' project for driver information. Returns detailed information, hashes and detection rules | No | No |
| LOLRMM | Threat Intel | Query the 'Living Off The Land Remote Monitoring and Management' project for filenames, hostnames, descriptions, etc. Returns matching entries with links to the detail pages. | No | No |
| LOOBINS | Threat Intel | Query the 'Living-Off-the-Orchard Binaries' project for filenames, descriptions, paths. Returns matching entries with links to the detail pages. | No | No |
| MACVendors | Threat Intel | Query the IEEE Standards Association MAC Address database. Returns vendor of specified address | No, but is limited to 1 request per second per 1k requests per day | No |
| MalAPI | Threat Intel | Look up a Windows API on malapi.io; returns the owning library, short description, MSDN link and the malware tradecraft / MITRE ATT&CK techniques associated with it | No | No |
| Malpedia | Threat Intel | Look up malware families, threat actors and MD5/SHA256 malware hashes | No: basic functionality Yes: malware downloads |
No |
| MalShare | Threat Intel | Look up a malware sample by MD5/SHA1/SHA256 hash on MalShare, returning file type, family, source URL(s) and date observed. Requires a free MalShare account | Yes | No |
| Maltiverse | Threat Intel | Multi-resource IoC lookup (IP/hostname/URL/SHA256, auto-detected) returning classification, tags, blacklist entries and first/last seen. Requires a free Maltiverse account | Yes | No |
| MalwareBazaar | Threat Intel | Query MalwareBazaar for MD5/SHA1/SHA256 hashes of malware. Will also return include a downloadable malware sample, if available | Yes | No |
| MetaDefender | Threat Intel | OPSWAT MetaDefender Cloud reputation lookup - multi-engine scan results for hashes plus IP/domain reputation across threat feeds, with auto-detected input type. Requires a free MetaDefender account | Yes | No |
| MISP | Threat Intel | Search a MISP instance for the given search terms, e.g. exact (not partial!) IoCs. Returns links to the MISP Events where the search terms have been found. | Yes | No |
| MITRE Caldera | Threat Intel | Query a self-hosted MITRE Caldera v4+ instance with subcommands for adversaries, abilities (optionally tactic-filtered), operations and agents | Yes | No (self-hosted) |
| MITRE D3FEND | Threat Intel | Look up defensive D3FEND counter-techniques for a given ATT&CK technique ID (e.g. T1055, T1055.012); companion to the AttackMatrix command |
No | No |
| MWDB | Threat Intel | Query your own or the CERT.pl MWDB instance for information on malware samples, malware configs or text blobs extracted from malware | Yes | No |
| Netlas | Threat Intel | Netlas lookups: bare query returns the host record (ports, services, geolocation); whois <ip / domain> returns the whois record. Requires a free Netlas account |
Yes | No |
| Ollama | AI | Query an Ollama instance with a question. | Yes | Yes: either a paid subscription with an existing provider, or requires your own resources |
| Onion-Lookup | Threat Intel | Query CIRCL's Onion-Lookup API for information on TOR sites (.onion). Returns known metadata: first & last seen, tags, page titles and languages. | No | No |
| Onyphe | Threat Intel | Onyphe lookups: bare query returns the summary view; resolver for DNS, threatlist for threat-feed membership, ctl for Certificate Transparency entries. Requires a free Onyphe account |
Yes | No |
| Open Measures | OSINT | Search across alt-tech / fringe social platforms (Telegram, BitChute, Gab, Gettr, etc.) via Open Measures | No: free tier (~39 req/day) Yes: paid tier |
No: free tier Yes: higher limits |
| OpenCVE | Vulnerability Management | Query an OpenCVE instance for information about vulnerabilities. | Yes | No |
| PeeringDB | Threat Intel | Look up network info on PeeringDB for an autonomous system: organisation, network type, IRR AS-set, traffic estimate, IXPs and facilities | No | No |
| PhishStats | Threat Intel | Query PhishStats for recent phishing reports matching a domain or hostname substring; returns date, URL, score and page title per hit | No | No |
| ProxyCheck | Threat Intel | Query the ProxyCheck.io API for information about IP and email addresses and | No | No, but a free registration or paid subscription will substantially increase daily allowance and rate limits |
| Qualys | Vulnerability Management | Query the Qualys CSAM API for software/libraries present on systems. Extremely useful for Attack Surface Management / Vulnerability Management. Returns a collated dataset of found software and versions, as well as a CSV list of systems found | Yes | Yes: Qualys subscription required, as well as CSAM subscription and agent-based scans on hosts |
| RansomLook | Threat Intel | Search and view ransomware groups, markets, posts and telegram channels | No | No |
| ReversingsLabs A1000 / TitaniumCloud | Threat Intel | Look up IPv4, IPv6, hosts/domains, URLs and MD5/SHA1/SHA256/SHA512 hashes | Yes | Yes |
| RIPE WHOIS | Threat Intel | Look up IP address information: ownership, CIDR and geolocation information | No | No |
| Searchcode | Information Retrieval | Search public source code via Searchcode for credential/keyword leak hunting; returns filename, repo, language, line number and a code snippet | No | No |
| Shodan | Threat Intel | Query Shodan for IP address or host information, as well as performing count and search queries. Results will include the original Shodan JSON blob as a download |
Yes | No: basic functionality Yes: pagination, search queries, etc. |
| SSLMate | Threat Intel | Look up SSL/TLS SHA256 hashes in the Certificate Transparency logs. Returns historic data, related hostnames, revocation status and validity times | Yes | No |
| ThreatBook | Threat Intel | Query the ThreatBook community API for IP, domain or file-hash reputation (severity, judgments, tags). Requires a free ThreatBook account | Yes | No |
| ThreatFox | Threat Intel | Query ThreatFox for MD5/SHA1/SHA256 hashes, IP addresses | Yes | No |
| ThreatRip | Threat Intel | ThreatRip indicator lookup; auto-detects indicator type and returns severity/score, tags, threat-actor / campaign attribution and first/last seen. Requires a ThreatRip account | Yes | No |
| TLSGrab | Threat Intel | Connect to the given IP address + port, and attempt to retrieve the TLS certificate CNs. Note: this is an OPSEC risk, because the bot will actively attempt to connect to the host/port! | No | No |
| Tria.ge | Threat Intel | Search the tria.ge sandbox project for IPv4, IPv6, domains, urls, hashes, a Tria.ge ID, etc. Responses may include the malware sample, if available | Yes | No: basic functionality Yes: additional information |
| Tweetfeed | Threat Intel | Query the Tweetfeed API for the given IoC/tag | No | No |
| Unfurl | Information Retrieval | Parse a URL with the dfir Unfurl tool and return its components as a tree: decoded tracking params, embedded base64, JWT contents, timestamps, UUIDs and more, for triaging suspicious URLs without visiting them | No | No |
| Unprotect.it | Threat Intel | Search the Unprotect.it project for information on TTPs, code snippets and detection rules. Returns code snippets and detection rules as a download, if available | No | No |
| URLhaus | Threat Intel | Look up reputation info on URLhaus for URLs and MD5 / SHA1 / SHA256 URL hashes | Yes | No |
| Urlscan | Threat Intel | Query the Urlscan API for information on URLs/hostnames | Yes | Yes: Pro version has higher query and rate limits |
| VARIoT | Vulnerability Management | Search the VARIoT IoT vulnerability/exploit database by text, or look up a specific VAR vulnerability/exploit identifier (VAR-YEARMONTH-ENUMERATOR) |
No | No, but signing up raises the 100-queries/day limit |
| VirusTotal | Threat Intel | Search VirusTotal for IP addresses, MD5/SHA1/SHA256 hashes, URLs and domains. Returned results will include maliciousness, TTP sets, malware family names, etc., if available | Yes | No: basic functionality Yes: paid VT features, throttling limit removal, etc. |
| VulnCheck | Vulnerability Management | Query VulnCheck for CVE detail (description, CVSS, CWE, references) and known exploit count. Requires a free VulnCheck account | Yes | No |
| Wayback Machine | Information Retrieval | Search Archive.org's Internet Wayback Machine for a given URL, and display the availability and links to the oldest and newest snapshots. | No | No |
| WaybackLister | Information Retrieval | Enumerate paths the Wayback Machine has archived for a domain and filter for directory-shaped URLs (paths ending in /), as a first-pass open-directory hunt without touching the live domain |
No | No |
| WiGLE | OSINT | WiGLE wireless-network lookup; ssid <name> searches by network name, bssid <MAC> by access-point MAC, bare query auto-routes MAC-shaped input to bssid. Requires a free WiGLE account |
Yes | No |
| WikiJS | Information Retrieval | Search through WikiJS pages' contents for the given search terms. Returns links to the pages where the contents were found | Yes | Yes: currently requires a Microsoft Azure Search instance that indexes the WikiJS instance (Note: this is a WikiJS limitation!) |
| YARAify | Threat Intel | Query abuse.ch YARAify by MD5/SHA1/SHA256 hash for matched YARA rules, signature/family, tags and first-seen timestamp | No | No: anonymous tier; optional auth-key for higher limits |
| ZoomEye | Threat Intel | ZoomEye surface search; plain IP/domain input is auto-wrapped, anything else is passed verbatim as a ZoomEye query. Requires a free ZoomEye account | Yes | No |
(1) It is not possible to for the author(s) to share access to their own Docspell instances or any paid online resources. Please do not ask for this and be understanding, thank you!
New Matterbot modules can be created. A boilerplate example can be found in the commands directory.
- Tested with Python 3.10+, although earlier Python 3 versions might work (test at your own discretion). Most modern distributions should be able to run this.
- Make sure to install the Python requirements (see
requirements.txt). - For GraphViz support (e.g. AttackMatrix visual graph generation), you will need to install GraphViz for your distribution/OS. Make sure that it includes GTS (GNU Triangulated Surface) support.
- A Mattermost instance, preferably a recent version.
- A 'bot account' on that Mattermost instance. The bot should no longer need an 'admin' account on Mattermost to operate.
- Inviting the bot to the correct channels, both for outputting the results from its feed parsing and so it can listen to commands!
matterfeed.py goes through the modules directory and will run all detected modules every (by default) 10 minutes, outputting the results to the specified channels. Every module has its own custom configuration: you'll need to check the individual directories for more information. For example, the WikiJS module requires you to have a WikiJS instance with GraphQL API access, as well as a Microsoft Azure Search instance. You'll need to put the API key etc. in its configuration for it to work properly.
- Copy
config.defaults.yamltoconfig.yamland edit the settings. - For every module you want to use, check the respective configuration in
modules/.../. If you do not want to use afeedmodule, the easiest way to disable it is to move the directory somewhere else (or delete it), so it will not be detected on startup. - Start up the
matterfeed.pyand watch the logfile for errors.
Optionally, admins and users can create a channel with its own custom newsfeed. After adding the bot to the channel, there are commands to (un)subscribe from/to specific feeds or topics. Every feed module has an ADMIN_ONLY setting, which is either set to True or False. This is a hardcoded value which indicates that the module is user-(un)subscribable or not. Additionally, a global configuration setting in your config.yaml determines whether only bot admins or users may (de)activate feeds in a channel.
Usage is simple:
- Type
@feedsto see all available topics and (de)activated feeds; - To (un)subscribe from/to specific feed names, use the
@sub,@unsub,@subscribe,@unsubscribecommands followed by one or more feed names, e.g.:@sub <feedname1> <feedname2> ... <feednameN>; - It is also possible to (de)activate feeds based on topics. Use the same
@sub,@unsub,@subscribe,@unsubscribecommands but specify a topic, e.g.:@sub Advisories.
matterbot.py goes through the commands directory and will start listening in every specified channel for every specified bind (command). Every module has its own custom configuration: you'll need to check the individual directories for more information. For example, the ChatGPT module requires you to have an OpenAI account with API access, and you'll need to enter the API key etc. into the configuration for it to work. After starting up the bot, you can use the @bind, @unbind and @map commands to get an overview of, and enable/disable commands in other channels.
- Copy
config.defaults.yamltoconfig.yamland edit the settings. - For every module you want to use, check the respective configuration in
commands/.../. You must make create your ownsettings.pyfor every module in thecommands/.../directory you want to use! This is necessary so the bot can override the default configuration fromdefaults.py.. If you do not want to use a module, the easiest way to disable it is to move the directory somewhere else (or delete it), so it will not be detected on startup. - Start up the
matterbot.py.
When doing threat intelligence investigations, it is crucial to observe Operational Security (OPSEC) best practices. Therefore, by default:
-
MatterBot will not join any channels;
-
MatterBot does not run with or need Mattermost Administrator access;
-
MatterBot will not listen to any commands in a channel it gets added to.
Note: module configurations (e.g. in settings.py) may override this behavior!
-
After setting up a channel (public or private), manually add the MatterBot to that channel;
-
Use the
@mapcommand (these triggers may be changed in theconfig..yaml) to list all available modules and whether they are currently enabled for the channel or not; -
Use
@bind <modulename>or@unbind <modulename>to respectively enable and disable a specific module for a channel, or ... -
... use
@bind */@unbind *to enable/disable all modules.
-
Some modules will reach out to online internet services! Whether or not this is an OPSEC concern, may depend on your threat model, if you are using paid API access, etc. It is solely up to you to decide whether or not this is an acceptable risk! By using MatterBot, you agree not to hold the author(s) responsible/liable for any OPSEC failures or resulting damage;
-
Consider using separate Mattermost channels for:
-
projects;
-
incidents;
-
day-to-day discussions;
-
'security clearance' levels;
-
etc.
-
-
Use the MatterBot modules binding/unbinding feature (see above) to only enable MatterBot modules that align with your 'risk appetite' for each individual Mattermost channel.
-
For
matterfeed.py, it is relatively simple to copy an existing module and alter it to your own needs. Make sure to update thepathlibconstruct to reflect the right module and directory names. -
matterbot.pyis a fully asynchronous setup, which has both advantages and limitations. Theexamplecommand is a good place to learn more and start developing your own command handler. Pay particular attention to the description in thecommands/example/command.pyfile for more information on how to get started and to avoid common pitfalls.
- Code cleanups and optimizations
- Better (generalized) logging and error handling
MatterBot would not be possible without the amazing work and/or generous help of others. If I have erroneously failed to list you here, please let me know! In alphabetical order, the people/organisations/companies I would particularly like to thank are:
- Broadcom Symantec: For providing an API key that let me develop integration with Broadcom Symantec Security Cloud
- CERT Polska (CERT.pl): For their awesome MWDB analysis/sandboxing platform and excellent API documentation
- The Dutch Immigration and Naturalisation Service (IND): generous donation of time/code for crt.sh, HaveIBeenPwned and IPinfo
- GTFOBins: The GTFOBins project https://gtfobins.github.io/, in particular AИDREA for providing a simple single file download upon request
- LOLBAS: The LOLBAS project https://lolbas-project.github.io/#
- LOLDrivers: The LOLDrivers project https://www.loldrivers.io/
- LOOBINS: The LOOBINS project https://loobins.io/
- LOLRMM: The LOLRMM project https://lolrmm.io/
- Malpedia: Being an amazing community and accepting me into it many years ago https://malpedia.caad.fkie.fraunhofer.de/
- MalwareBazaar: The author(s), for helping me iron out some bugs https://bazaar.abuse.ch
- MISP: For being an absolutely amazing open-source platform for TI exchange https://misp-project.org
- ReversingLabs: For providing an API key to Spectra Analyze and TICloud to develop the integration (particular thank you to D.H.!)
- ThreatFox: The author(s), for helping me iron out some bugs https://threatfox.abuse.ch
- Tria.ge: For providing an API key to build the MatterBot integration;
- Tycho van Marle: for his countless suggestions and contributions to the project
- Unprotect.it: The author(s), for being receptive, kind and open to me including default (download) support for their project https://unprotect.it
- URLhaus: The author(s), for helping me iron out some bugs https://urlhaus.abuse.ch
Additional thanks to AlienVault, Censys, RecordedFuture, Shodan, Tweetfeed, VirusTotal for providing good API documentation, letting me easily write plugins for their services.