What Feeds are Available?
A high level summary of the different feeds available via the AiTM service
Named Locations
Our named location feeds are how we share infrastructure that you may wish to block, or whose access to your environment/systems you may wish to control.
If you are not in the Microsoft ecosystem you can still use these feeds; just pull the “cidrAddress” value from the JSON.
AiTM
Description: Feed of backend AiTM infrastructure (the infrastructure that performs authentication to the target environment)
Update frequency: Real time (multiple updates per hour)
Intended usage: Block AiTM infrastructure from authenticating to your environments
Considerations: none
API Endpoint: https://aitm.lab539.io/v1.0/named-location/aitm
Express VPN
Description: Infrastructure used by the Express VPN service
Update frequency: Ad-hoc (usually weekly)
Intended usage: Block attacks where adversaries use Express VPN for anonymity
Considerations: Express VPN is a legitimate service. If your users make use of ExpressVPN this may impact their access. Express VPN’s infrastructure is huge and somewhat dynamic - this should not be considered a complete list.
API Endpoint: https://aitm.lab539.io/v1.0/named-location/expressvpn
Stark Industries
Description: Network ranges used by Stark Industries Solutions
Update frequency: Ad-hoc (usually weekly)
Intended usage: Block attacks originating from systems in networks operated by Stark Industries Solutions
Considerations: Stark is a go-to bulletproof hosting provider for many adversaries. We see it as extremely unlikely that you’ll see legitimate usage from these ranges, and highly unlikely that you’ll want to permit authentication from them - but it remains a slight possibility. Stark’s infrastructure does change occasionally; there is a possibility that our feed holds historic data for a short while.
API Endpoint: https://aitm.lab539.io/v1.0/named-location/stark
Tor Exits
Description: Exit nodes from which Tor traffic reaches the public internet.
Update frequency: Every 30 minutes
Intended usage: Block attacks originating from the Tor network. Adversaries often utilise Tor to mask their activities.
Considerations: Tor is an anonymity network which some people rely on and use legitimately. If you have users/customers that may rely on this then you may be blocking their access. Note: this list does not include tor-relays or other components of the Tor network from which user traffic does not exit.
API Endpoint: https://aitm.lab539.io/v1.0/named-location/tor-exits
Xhost
Description: Network ranges used by Xhost Internet Solutions LP (not to be confused with other companies with similar names)
Update frequency: Ad-hoc (usually weekly)
Intended usage: Block attacks originating from systems in networks operated by Xhost.
Considerations: Xhost is sanctioned by some countries; we see it as extremely unlikely that you would want to permit authentication from their network ranges. Xhost infrastructure does change; there is a possibility that our feed holds historic data for a short while.
API Endpoint: https://aitm.lab539.io/v1.0/named-location/xhost
Indicators
Our indicator feeds are designed for direct ingestion into Microsoft Defender as indicators. They are therefore geared towards preventing users from accessing AiTM related infrastructure (e.g. AiTM phishing pages).
If you are not in the Microsoft ecosystem, or wish to use these indicators elsewhere, you can extract the information you require from the JSON. The “indicatorValue” field contains the hostname/domain.
AiTM
Description: Frontend AiTM indicators (i.e. indicators relating to infrastructure that users may interact with).
Update frequency: Real time (every few minutes)
Intended usage: Prevent users from accessing frontend infrastructure that is involved in AiTM attacks.
Considerations: Adversaries frequently host infrastructure on legitimately used platforms; this should not, but potentially could, lead to indicators inadvertently flagging that platform. Note: our indicators don’t “block” access, they “warn” - meaning a user can still choose to ignore the warning; an alert will be raised either way.
API Endpoint: https://aitm.lab539.io/v1.0/indicators/aitm
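For consumers outside the Microsoft ecosystem, the following is an added example (not code from the AiTM service) of extracting the “cidrAddress” and “indicatorValue” fields mentioned above and turning them into a clean blocklist. Only those two field names come from this page; the surrounding JSON structure and the sample payloads are constructed, so the walker deliberately makes no assumptions about nesting.

```python
import ipaddress
import json

# Constructed sample payloads. Only the two field names are taken from the
# feed documentation; the surrounding structure is an assumption.
SAMPLE_NAMED_LOCATION = json.dumps({
    "displayName": "Example feed (constructed)",
    "ipRanges": [
        {"cidrAddress": "203.0.113.0/24"},
        {"cidrAddress": "203.0.113.128/25"},   # redundant, inside the /24
        {"cidrAddress": "198.51.100.7/32"},
        {"cidrAddress": "not-a-cidr"},         # malformed entry, must be skipped
        {"cidrAddress": "2001:db8::/32"},
    ],
})
SAMPLE_INDICATORS = json.dumps([
    {"indicatorValue": "login.example.test", "action": "Warn"},
    {"indicatorValue": "LOGIN.EXAMPLE.TEST", "action": "Warn"},  # duplicate
    {"indicatorValue": "cdn.example.test.", "action": "Warn"},
])

def collect(obj, key):
    """Walk any JSON structure and yield every string stored under `key`."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from collect(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from collect(item, key)

def cidrs_from_feed(text, allow=()):
    """Collapsed, sorted networks from a named-location feed (v4 then v6).

    Malformed entries are skipped. Networks overlapping anything in `allow`
    (e.g. your own egress ranges) are dropped, so a block rule built from a
    feed that may contain legitimate infrastructure cannot lock out your users.
    """
    allowed = [ipaddress.ip_network(a) for a in allow]
    nets = []
    for value in collect(json.loads(text), "cidrAddress"):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue
        if any(net.version == a.version and net.overlaps(a) for a in allowed):
            continue
        nets.append(net)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]

def hosts_from_feed(text):
    """Unique, lower-cased hostnames from an indicators feed."""
    return sorted({v.lower().strip(".") for v in collect(json.loads(text), "indicatorValue")})
```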