Logical Method For Analyzing Malicious Domains/IPs

egrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ Member Posts: 355
Hi all,

Is there a logical method for analysing malicious domains/IPs that any of you folks with significant cybersecurity experience have come across? I work with analysts who have programming backgrounds and this seems to be the best form of learning that they understand.

Sometimes when we have malicious sources at work some coworkers don't seem to be able to dig deeper than simply going to VirusTotal and inputting an IP address.

Analysis of malicious domains/IPs is of course a significant part of "Incident Response", my primary job at work, so thanks in advance for sharing your inputs and comments.

Comments

  • SaltyHashes Member Posts: 33
    The quickest:
    1. Look at domains that are keyboard smashes.
    Example:
    ebkfwdqcz.com

    No user is going to organically land on that domain.
    2. Look at domains that have a domain creation date within the last 6 months.
    Example:
    Creation Date: 2018-07-30T18:55:08Z

    The Whois record will have this information.
    3. Look to see if common properties are being spoofed within the URL.
    Example:
    icloud.apple.com.maliciousdomain.com/login.html

    The malicious website is trying to trick the user into thinking that the website is Apple’s iCloud. A nefarious actor can prefix subdomains that look like a legitimate website.
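
The three checks in the comment above, turned into a small triage function (an added Python example, not part of the original thread). The brand list, the vowel/entropy thresholds, the 183-day cutoff and the two-label registered-domain shortcut are all assumptions to tune on your own data.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: tiny illustrative brand list and thresholds; tune both on your own data.
BRANDS = ("apple.com", "icloud.com", "microsoft.com", "paypal.com")

def registered_domain(host):
    # Simplification: last two labels only, no public-suffix handling (e.g. co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_random(label):
    """Keyboard-smash check: long label, few vowels, high character entropy."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    probs = [n / len(letters) for n in Counter(letters).values()]
    entropy = -sum(p * math.log2(p) for p in probs)
    return vowel_ratio < 0.25 and entropy > 2.8

def spoofed_brand(host):
    """Return a known brand that appears as subdomain labels of someone else's domain."""
    reg = registered_domain(host)
    if reg in BRANDS:
        return None
    sub = "." + host.lower()[: len(host) - len(reg)]
    return next((b for b in BRANDS if "." + b + "." in sub), None)

def age_days(creation_date, now):
    # Parses the WHOIS timestamp format quoted in the post, e.g. 2018-07-30T18:55:08Z.
    created = datetime.strptime(creation_date, "%Y-%m-%dT%H:%M:%SZ")
    return (now - created.replace(tzinfo=timezone.utc)).days

def triage(url, creation_date=None, now=None):
    """Return the list of heuristics a URL or domain trips; empty means none fired."""
    now = now or datetime.now(timezone.utc)
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    findings = []
    if looks_random(registered_domain(host).split(".")[0]):
        findings.append("random-looking name")
    if creation_date and age_days(creation_date, now) <= 183:
        findings.append("registered within the last 6 months")
    brand = spoofed_brand(host)
    if brand:
        findings.append(f"{brand} spoofed in subdomain")
    return findings
```

An empty result only means none of these three heuristics fired; it is a prioritisation aid for the analyst, not a verdict on the domain.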
  • Sylabicuma CASP, CEHv9, CCNA R&S, Sec+ Member Posts: 26
    The most effective way to analyze a potentially malicious domain would be to first, use OSINT (VirusTotal as you mentioned, ThreatCrowd, etc) to first determine if this domain has prior malicious reporting. Then, use a machine that is not attributed to your network (a lot of SOC teams have these, malware analysis teams, etc), and actually browse to that domain and see what is up with that domain. This is by far the most effective way. If you don't have a machine that you can safely do this from, a good option would be to input the URL into urlscan.io, and it will take a screenshot of the webpage. You can sometimes tell if this webpage is a credential theft attempt this way.

    As SaltyHashes mentioned, looking for domain creation dates within the last 6 months is always good as well. And if you're lucky (really need to be lucky because most threat actors aren't this careless but some are!), you can get registration information from the whois record, and then pivot from there to see any related domains created from the same registrant (pivoting from email address, possibly name).
  • LionelTeo Member Posts: 526
    1) Check Domain Dossier for the registrant date (name sometimes helps too)
    2) Run in Url Query to get a screengrab of the site with some analysis
    3) Run Domain Sandbox to retrieve Pcap to grab html files, check extracted html code from pcap (for phishing)
    4) Analyze proxy logs traffic, check if there is a referrer for user traffic. See user browsing traffic before and after activity time to assess how the user got to the site
    5) Check proxy categorization
    6) See proxy logs for bytes out to determine the data going to the site. Watch out for large outbound size or repeated traffic with the same byte size, which indicates this is non-human traffic
    7) Extract pcap http contents to determine the objects returned. Watch out for clear text exe with MZ header, suspicious js, flash file and application octet stream
    8) An unusually large file size for application octet stream may indicate an encrypted binary download.
    9) Analyze flash file with swfdump, swfextract and exiftool, watch out for flash files with minimal frames and small size, which may indicate a flash exploit.
    10) Follow streams and check for rare HTTP RFC in use, such as content-disposition to serve a malicious file to the client.
    11) Watch out for other HTTP objects such as PDF, Jar, silverlight which may not be related to what a legitimate site would intend to deliver.