pisut-muangsamai/Pattern-Sentry

Pattern-Sentry

A 3-layer CTI (Cyber Threat Intelligence) automation framework for hunting malicious look-alike domains and phishing infrastructure.

🎯 Purpose

Pattern-Sentry automates the discovery and analysis of malicious domains that:

  • Impersonate legitimate services through look-alike naming patterns (e.g., flx-pkg.com, add-fig.cc)
  • Sit on infrastructure this class of actor reuses (Gname as registrar, Cloudflare as CDN and reverse proxy, which also hides the origin IP)
  • Redirect victims to the LINE messenger, where the scam is carried out in chat

🏗️ Architecture

┌─────────────────────────────────────────────────────────┐
│  Layer 1: DIRECTIVES (The SOPs)                         │
│  └── directives/*.md - What to hunt and why             │
├─────────────────────────────────────────────────────────┤
│  Layer 2: ORCHESTRATION (The Brain)                     │
│  └── AI Agent routes between directives and scripts     │
├─────────────────────────────────────────────────────────┤
│  Layer 3: EXECUTION (The Tools)                         │
│  └── execution/*.py - Deterministic API scripts         │
└─────────────────────────────────────────────────────────┘

📁 Project Structure

Pattern-Sentry/
├── sentry.py                       # Unified CLI entry point
├── AGENTS.md                       # Agent persona and principles
├── requirements.txt                # Python dependencies
│
├── directives/                     # Layer 1: SOPs
│   ├── hunt_malicious_lookalikes.md
│   ├── hunt_brand_impersonation.md
│   └── pivot_threat_infrastructure.md
│
├── execution/                      # Layer 3: Python tools
│   ├── search_crt_sh.py            # Certificate Transparency search
│   ├── enrich_domain_intel.py      # WHOIS/DNS/ASN enrichment
│   ├── check_line_redirect.py      # Redirect chain analysis
│   ├── lookup_virustotal.py        # VirusTotal reputation
│   ├── lookup_shodan.py            # Shodan infrastructure
│   ├── export_deliverables.py      # CSV/JSON reports
│   ├── export_iocs.py              # IOC feeds (TXT/MISP/STIX)
│   └── generate_abuse_report.py    # Abuse report generation
│
├── .tmp/                           # Research artifacts (gitignored)
├── deliverables/                   # Final reports and IOCs
│   ├── threat_summary_*.csv
│   ├── iocs/                       # IOC feeds
│   └── abuse_reports/              # Abuse reports
│
└── .env                            # API keys (gitignored)

🚀 Quick Start

Installation

```bash
# Clone the repository
git clone https://github.com/pisut-muangsamai/Pattern-Sentry.git
cd Pattern-Sentry

# Create virtual environment
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Configure API keys (optional)
cp .env.example .env
# Edit .env with your VIRUSTOTAL_API_KEY and SHODAN_API_KEY
```

Using the CLI

Pattern-Sentry provides a unified CLI through sentry.py:

```bash
# Analyze a single domain
python sentry.py analyze --domain "suspicious.com"

# Run full hunting pipeline
python sentry.py pipeline --pattern "___-___.cc" --min-score 50

# Individual commands
python sentry.py hunt --pattern "___-___.cc" --limit 100
python sentry.py enrich --input .tmp/crt_results.json --verbose
python sentry.py redirect --input .tmp/enriched_domains.json
python sentry.py export --combine
python sentry.py iocs --combine --format all
python sentry.py report --combine --format all
```

Available Commands

| Command | Description |
|---|---|
| hunt | Search crt.sh for domain patterns |
| enrich | Enrich domains with WHOIS/DNS/ASN data |
| redirect | Check for malicious redirects |
| vt | VirusTotal reputation lookup |
| shodan | Shodan infrastructure analysis |
| export | Export threat summary CSV |
| iocs | Export IOC feeds (TXT/CSV/MISP/STIX) |
| report | Generate abuse reports |
| analyze | Full analysis of a single domain |
| pipeline | Run complete hunting pipeline |
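The hunt step is the one most worth understanding, because crt.sh returns more than the pattern literally asks for. The following is an added example, not the project's execution/search_crt_sh.py: it builds the crt.sh query URL for a pattern such as "___-___.cc", then re-filters the returned names locally with an anchored regex. It assumes (not stated on this page) that the pattern uses SQL LIKE wildcards as crt.sh accepts them ("_" for one character, "%" for any run) and that crt.sh is queried as https://crt.sh/?q=<pattern>&output=json. The certificate rows are constructed so the example runs offline.

```python
import re
from urllib.parse import quote

CRT_SH = "https://crt.sh/"


def pattern_to_query_url(pattern):
    """crt.sh's q= parameter accepts SQL LIKE wildcards ('_' one char, '%'
    any run); everything else in the pattern is literal (assumption noted
    in the lead-in)."""
    return CRT_SH + "?q=" + quote(pattern, safe="") + "&output=json"


def pattern_to_regex(pattern):
    """Translate the LIKE pattern into an anchored, lowercase regex.  crt.sh
    matches identities case-insensitively and may return names that merely
    contain the pattern, so every hit is re-checked locally."""
    parts = []
    for ch in pattern:
        if ch == "_":
            parts.append("[a-z0-9]")        # exactly one label character
        elif ch == "%":
            parts.append("[a-z0-9.-]*")     # any run, possibly spanning labels
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def normalize_name(raw):
    """Fold a CT identity to a bare host: lowercase, drop a trailing dot
    and a leading '*.' wildcard label."""
    name = raw.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def hunt(entries, pattern, limit=None):
    """Return unique matching domains, in first-seen order, from crt.sh-style
    JSON rows (each row's name_value holds newline-separated SAN entries)."""
    rx = pattern_to_regex(pattern)
    found = []
    for row in entries:
        for raw in row.get("name_value", "").split("\n"):
            dom = normalize_name(raw)
            if dom and rx.match(dom) and dom not in found:
                found.append(dom)
                if limit is not None and len(found) >= limit:
                    return found
    return found


# Constructed rows in crt.sh JSON shape; not real certificate records.
SAMPLE_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "add-fig.cc\n*.add-fig.cc"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "FLX-PKG.CC."},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "shop-tracking.cc"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "abc-def.cc.evil.example"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "abc-def.cc"},
]

if __name__ == "__main__":
    print(pattern_to_query_url("___-___.cc"))
    for d in hunt(SAMPLE_ENTRIES, "___-___.cc", limit=100):
        print(d)
```

The local re-check matters: without it, a wildcard SAN, a mixed-case identity, or a longer name that happens to contain the pattern would all slip into the enrichment stage and burn API quota on noise.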

📋 Directives

Directives are markdown SOPs that define hunting strategies:

| Directive | Purpose |
|---|---|
| hunt_malicious_lookalikes.md | Hunt pattern-based phishing domains |
| hunt_brand_impersonation.md | Hunt brand typosquatting/impersonation |
| pivot_threat_infrastructure.md | Expand from seed to full threat actor |

📊 Threat Scoring

Each domain is scored by summing the indicators it matches:

| Indicator | Score |
|---|---|
| Registrar = Gname.com | +30 |
| Behind Cloudflare | +10 |
| Redirects to LINE | +40 |
| Domain < 7 days old | +20 |
| VirusTotal detections | +5 per vendor (max +30) |

A domain whose total is 70 or higher is marked Confirmed Malicious. Registrar, CDN and age are weak signals on their own (many legitimate domains are new, on Gname and behind Cloudflare) and together reach only 60, so a domain cannot cross the threshold without either the LINE redirect or VirusTotal detections. Treat anything below 70 as a lead for manual review, not a verdict.
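The table above in working form, as an added example rather than the project's own scoring code. It also includes the redirect classification that feeds the +40 indicator, since that is the decisive signal. The weights and the 70-point threshold are taken from the table; the LINE host list (line.me, lin.ee, subdomains of either, and the line:// app scheme), the record layout and the "needs_review" label for sub-threshold domains are my own assumptions. The enrichment records are constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

CONFIRMED_MALICIOUS = 70                      # verdict threshold from the table
LINE_HOSTS = ("line.me", "lin.ee")            # lin.ee = LINE short links (assumption)


def redirects_to_line(chain):
    """chain: ordered URLs from the first request to the final landing page.
    True if any hop lands on LINE, covering subdomains such as liff.line.me
    and the line:// app scheme used by 'open in app' links."""
    for url in chain:
        parts = urlsplit(url.strip().lower())
        if parts.scheme == "line":
            return True
        host = parts.hostname or ""
        if host in LINE_HOSTS or host.endswith(tuple("." + h for h in LINE_HOSTS)):
            return True
    return False


def domain_age_days(created_iso, now):
    """WHOIS creation timestamp (ISO 8601, trailing 'Z' accepted) to whole days."""
    created = datetime.fromisoformat(created_iso.replace("Z", "+00:00"))
    return (now - created).days


def score_domain(rec, now=None):
    """rec keys: domain, registrar, behind_cloudflare, redirect_chain,
    created, vt_malicious (number of vendors flagging it).  Returns the
    total, the indicators that fired and the verdict."""
    now = now or datetime.now(timezone.utc)
    score, hits = 0, []
    if "gname" in (rec.get("registrar") or "").lower():
        score += 30
        hits.append("registrar=Gname")
    if rec.get("behind_cloudflare"):
        score += 10
        hits.append("behind_cloudflare")
    if redirects_to_line(rec.get("redirect_chain") or []):
        score += 40
        hits.append("redirects_to_line")
    if rec.get("created") and domain_age_days(rec["created"], now) < 7:
        score += 20
        hits.append("age<7d")
    n_vt = int(rec.get("vt_malicious") or 0)
    vt = min(5 * n_vt, 30)                    # +5 per vendor, capped at +30
    if vt:
        score += vt
        hits.append("vt_detections=%d" % n_vt)
    verdict = "confirmed_malicious" if score >= CONFIRMED_MALICIOUS else "needs_review"
    return {"domain": rec["domain"], "score": score, "indicators": hits, "verdict": verdict}


# Constructed enrichment records (not real WHOIS/VT data); fixed clock so the
# age check is reproducible.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"domain": "add-fig.cc", "registrar": "Gname.com Pte. Ltd.", "behind_cloudflare": True,
     "redirect_chain": ["http://add-fig.cc/", "https://add-fig.cc/go", "https://lin.ee/AbCdEf"],
     "created": "2024-06-08T00:00:00Z", "vt_malicious": 2},
    {"domain": "shop-tracking.cc", "registrar": "Namecheap, Inc.", "behind_cloudflare": True,
     "redirect_chain": ["https://shop-tracking.cc/"],
     "created": "2021-01-01T00:00:00Z", "vt_malicious": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(score_domain(rec, NOW))
```

Note the host check: a suffix match on ".line.me" catches liff.line.me but rejects look-alikes such as line.me.evil.example or notline.me, which is exactly the trick these domains play on their victims and should not also fool the scorer.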

📦 Deliverables

Threat Reports (deliverables/)

| File | Format | Description |
|---|---|---|
| threat_summary_*.csv | CSV | Combined threat report with verdicts |

IOC Feeds (deliverables/iocs/)

| File | Format | Use Case |
|---|---|---|
| blocklist_*.txt | TXT | Firewall/DNS blocklist |
| iocs_*.csv | CSV | SIEM ingestion |
| misp_event_*.json | MISP | Threat sharing platform |
| stix_bundle_*.json | STIX 2.1 | Standard threat intel format |

Abuse Reports (deliverables/abuse_reports/)

| File | Format | Description |
|---|---|---|
| abuse_report_*.md | Markdown | Full report with evidence |
| abuse_report_*.csv | CSV | Tracking spreadsheet |
| email_*.txt | Text | Ready-to-send abuse emails |
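Two of the IOC feeds listed above, the plain blocklist and the STIX 2.1 bundle, built from scored results. This is an added example, not execution/export_iocs.py. It assumes the input rows carry domain, score and verdict (the threat summary fields this page names), exports only rows at or above the 70-point Confirmed Malicious threshold, and derives indicator IDs as UUIDv5 from a hypothetical namespace so re-exporting the same domain yields the same ID (STIX 2.1 permits deterministic UUIDs; v4 is the default recommendation). The results are constructed.

```python
import json
import uuid
from datetime import datetime, timezone

CONFIRMED_MALICIOUS = 70
# Hypothetical namespace: same domain -> same indicator id across exports.
NS = uuid.uuid5(uuid.NAMESPACE_DNS, "pattern-sentry.example")


def stix_timestamp(dt):
    """STIX 2.1 timestamps are UTC RFC 3339 with a literal 'Z'; keep milliseconds."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def blocklist(results, threshold=CONFIRMED_MALICIOUS):
    """One lowercase domain per line, de-duplicated and sorted, for DNS or
    firewall import; trailing newline so concatenating feeds is safe."""
    doms = sorted({r["domain"].lower() for r in results if r["score"] >= threshold})
    return "".join(d + "\n" for d in doms)


def stix_indicator(result, ts):
    """One STIX 2.1 Indicator carrying a domain-name pattern.  A hostname
    cannot legally contain a single quote, but the pattern grammar escapes
    it, so escape anyway rather than trust upstream data."""
    dom = result["domain"].lower().replace("'", "\\'")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--%s" % uuid.uuid5(NS, dom),
        "created": ts,
        "modified": ts,
        "name": "Look-alike domain %s" % dom,
        "description": "Pattern-Sentry score %d (verdict: %s)" % (result["score"], result["verdict"]),
        "indicator_types": ["malicious-activity"],
        "pattern": "[domain-name:value = '%s']" % dom,
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": ts,
        "labels": ["phishing", "lookalike-domain"],
    }


def stix_bundle(results, threshold=CONFIRMED_MALICIOUS, now=None):
    """Bundle only the confirmed set.  The bundle id is derived from the
    export time, so two exports of the same run stay distinguishable while
    the indicators inside them keep their stable ids."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    objects = [stix_indicator(r, ts) for r in results if r["score"] >= threshold]
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid5(NS, "bundle:" + ts), "objects": objects}


# Constructed scoring results in the shape of threat summary rows.
SAMPLE_RESULTS = [
    {"domain": "add-fig.cc", "score": 110, "verdict": "confirmed_malicious"},
    {"domain": "FLX-PKG.cc", "score": 80, "verdict": "confirmed_malicious"},
    {"domain": "shop-tracking.cc", "score": 10, "verdict": "needs_review"},
]
EXPORT_TIME = datetime(2024, 6, 10, tzinfo=timezone.utc)   # fixed for reproducibility

if __name__ == "__main__":
    print(blocklist(SAMPLE_RESULTS), end="")
    print(json.dumps(stix_bundle(SAMPLE_RESULTS, now=EXPORT_TIME), indent=2))
```

Keeping sub-threshold domains out of the feeds is deliberate: a blocklist is consumed automatically, and a "needs_review" entry that lands in a DNS sinkhole is a false positive nobody will revisit.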

🔐 API Keys

Configure in .env for enhanced intelligence:

| Key | Service | Required |
|---|---|---|
| VIRUSTOTAL_API_KEY | VirusTotal | Optional |
| SHODAN_API_KEY | Shodan | Optional |

Get your keys from your VirusTotal and Shodan account pages. Both are optional, but without a VirusTotal key the VirusTotal indicator can never fire, so scores top out 30 points lower than the table allows. .env is gitignored; keep it that way and never paste keys into directives or deliverables.

🔄 Workflow: /hunt-lookalikes

Use the slash command for the guided workflow:

/hunt-lookalikes

This follows the steps in .agent/workflows/hunt-lookalikes.md.

📜 License

MIT License - See LICENSE for details.


Built for defenders. Hunt the hunters.

About

3-layer CTI automation framework for hunting malicious look-alike domains and phishing infrastructure. Features crt.sh search, WHOIS/DNS enrichment, LINE redirect detection, VirusTotal/Shodan integration, and MISP/STIX export.
