Network-based IOC s for the current Ivanti attacks, these were collected from a ton of MISP feeds and other threat intelligence platforms. Hope this helps someone out

type value comment

domain gpoaccess.com Suspected UTA0178 domain discovered via domain registration patterns

domain webb-institute.com Suspected UTA0178 domain discovered via domain registration patterns

domain symantke.com UTA0178 domain used to collect credentials from compromised devices

domain symantke.com WARPWIRE C2 server

domain miltonhouse.nl WARPWIRE variant C2 server

domain entraide-internationale.fr WARPWIRE variant C2 server

domain clickcom.click WARPWIRE variant C2 server

domain clicko.click WARPWIRE variant C2 server

domain duorhytm.fun WARPWIRE variant C2 server

domain line-api.com WARPWIRE variant C2 server

domain areekaweb.com WARPWIRE variant C2 …

attacks collect compromised credentials current cybersecurity domain hope intelligence ioc ivanti misp network patterns platforms registration threat threat intelligence threat intelligence platforms ton value webb