Domain
Overview
- Definition: A fully qualified domain name (FQDN) is the technical term for what are typically called domains (e.g., google.com) and subdomains (e.g., drive.google.com).
- Use case: Threat actors acquire FQDNs and configure them to resolve to servers they control. This allows them to direct phishing victims to FQDNs which resolve to malicious landing pages, and allows malware-infected devices to send an initial DNS resolution request for FQDNs associated with C&C servers.
- Example: realbumblebee[.]net, recentbee[.]net, and currentbee[.]net were domains that resolved to Cobalt Strike C&C servers operated by the threat actor known as Black Basta. [1]
- Pivot Map:
  flowchart LR
      classDef secondary stroke-dasharray: 5 5
      %% define nodes
      IP_ADDRESS(IP Address)
      DOMAIN(Domain)
      DOMAIN_(Domain):::secondary
      TLS_CERT(TLS Certificate)
      SAMPLE(Sample)
      %% define edges
      DOMAIN -- resolves --> IP_ADDRESS
      IP_ADDRESS -- rDNS --> DOMAIN
      DOMAIN -- prev. resolved --> IP_ADDRESS
      TLS_CERT -- CN --> DOMAIN
      DOMAIN <-- similar name --> DOMAIN_
      DOMAIN <-- registrar --> DOMAIN_
      DOMAIN <-- TLD --> DOMAIN_
      DOMAIN <-- time --> DOMAIN_
      SAMPLE -- references --> DOMAIN
Actor-controlled subdomains of shared domains
Some domains resolve to platforms owned by legitimate entities, but threat actors abuse them by registering subdomains (usually for free) which they use for malicious purposes. For example, oast.pro is a legitimate domain operated by Project Discovery for use with a pentesting tool they maintain called Interactsh. However, malicious actors might register subdomains of oast.pro (e.g., c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.oast.pro). In this case, only the subdomain would be uniquely associated with specific malicious activity, whereas the domain would not.
Pivots
Domains
Example
Black Basta registered various bee-themed domains which resolved to C&C servers. These included realbumblebee[.]net, recentbee[.]net, and currentbee[.]net. [1]
Domains with similar names
Threat actors may register multiple domains with a similar naming scheme, which analysts can leverage to discover additional, potentially related domains. Additionally, threat actors may use names similar to their target organizations' domain names, which can be a useful indicator of malicious intent when reviewing potentially related domains.
Try it out
TO DO
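Both pivots described above (a shared naming scheme across a set of domains, and a lookalike of a target organization's domain) can be checked mechanically. The following is an added example, not tooling from the page or from any vendor it mentions; the bee-themed domains are the page's own, while the candidate list, the target domain example.com and the confusable-character table are constructed assumptions, and base_label assumes a single-label TLD (.net rather than .co.uk).

```python
"""Surface domains sharing a naming scheme and flag lookalikes of a target domain.

Added example (not the page's own tooling). Candidate inputs are constructed; the
confusable-character table is a deliberately partial assumption.
"""

# Homoglyph substitutions commonly seen in lookalike registrations (partial, assumed).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def base_label(domain: str) -> str:
    """Return the registrable label left of the TLD, accepting defanged input.
    Assumes a single-label public suffix (.net, not .co.uk)."""
    clean = domain.lower().replace("[.]", ".").strip(".")
    labels = clean.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shared_stems(domains, min_len: int = 3):
    """Maximal substrings (>= min_len chars) present in every domain's base label.
    A shared stem such as 'bee' is the naming scheme an analyst would pivot on."""
    labels = [base_label(d) for d in domains]
    first = labels[0]
    candidates = {first[i:j] for i in range(len(first))
                  for j in range(i + min_len, len(first) + 1)}
    common = {c for c in candidates if all(c in lab for lab in labels[1:])}
    # Drop stems that are contained in a longer common stem.
    return sorted(c for c in common if not any(c != o and c in o for o in common))


def lookalike_distance(candidate: str, target: str) -> int:
    """Edit distance between base labels after homoglyph normalisation.
    0 means the candidate is visually identical to the target (e.g. '1' for 'l')."""
    return levenshtein(base_label(candidate).translate(CONFUSABLES),
                       base_label(target).translate(CONFUSABLES))


def find_lookalikes(candidates, target: str, max_distance: int = 2):
    """Candidates within max_distance of the target's label, excluding the target itself."""
    return sorted(d for d in candidates
                  if base_label(d) != base_label(target)
                  and lookalike_distance(d, target) <= max_distance)


if __name__ == "__main__":
    bee_domains = ["realbumblebee[.]net", "recentbee[.]net", "currentbee[.]net"]
    print("shared stems:", shared_stems(bee_domains))
    # Constructed candidate list; example.com stands in for a target organisation.
    seen = ["examp1e.com", "exarnple.com", "example-login.com", "unrelated.net", "example.com"]
    print("lookalikes:", find_lookalikes(seen, "example.com"))
```

The stem search is intentionally strict (every label must contain the stem); in practice an analyst would run it over a candidate set returned by a registrar or TLD filter and treat the surviving stems as a query term for a further search.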
Domains with the same TLD
Threat actors may have a preference for certain top-level domains (TLD), such as .xyz, which is usually very cheap or even free (for this reason, some organizations block this TLD as a precautionary measure). In such cases, applying a TLD filter alongside filters for other parameters (such as registrar) can narrow domain search results to a number reasonably small enough to manually review.
Domains with the same registrar
A domain name registrar handles registrations of domains and leases them to customers. Some threat actors may show preference for certain registrars when registering their domains for malicious use (possible reasons may include minimal anti-fraud mechanisms in place or acceptance of cryptocurrency as payment). This preference can then be leveraged by analysts for pivoting purposes.
Domains registered in the same timeframe
Threat actors often register domains meant for malicious purposes in bulk, or at the very least they may register domains around the same time if they're to be used for the same campaign. In such cases, these timeframes can be leveraged by analysts as an effective filter to narrow down the number of results for otherwise noisy queries. Furthermore, if an analyst is lucky, the threat actor may have registered other artifacts during the same timeframe as well, such as IP addresses and TLS certificates.
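The three filters above (TLD, registrar, registration timeframe) are most useful stacked, each one cutting the candidate set further. The following is an added example, not the page's or any vendor's tooling: RECORDS is a constructed set of WHOIS-style rows (the field names, the registrar labels and all dates are assumptions; only the three bee domains come from the page), and the registration window is derived from the seed domain the analyst already knows and padded by a few days.

```python
"""Narrow a noisy domain search with TLD, registrar and registration-window filters.

Added example, not the page's own tooling. RECORDS are constructed WHOIS-style
rows (field names are an assumption); only the three bee domains come from the page.
"""
from datetime import date, timedelta

RECORDS = [
    {"domain": "realbumblebee.net",    "registrar": "Registrar A (constructed)", "created": "2022-02-10"},
    {"domain": "recentbee.net",        "registrar": "Registrar A (constructed)", "created": "2022-02-11"},
    {"domain": "currentbee.net",       "registrar": "Registrar A (constructed)", "created": "2022-02-14"},
    {"domain": "shop-deals.xyz",       "registrar": "Registrar A (constructed)", "created": "2022-02-12"},
    {"domain": "quarterly-report.net", "registrar": "Registrar B (constructed)", "created": "2022-02-12"},
    {"domain": "oldbee.net",           "registrar": "Registrar A (constructed)", "created": "2021-06-01"},
]


def tld(domain: str) -> str:
    """Last label of the domain, lower-cased (assumes a single-label TLD)."""
    return domain.rsplit(".", 1)[-1].lower()


def seed_window(records, seeds, pad_days: int = 5):
    """Registration window spanned by the known-bad seeds, padded on both sides.
    Bulk registrations cluster, so a few days of padding is usually enough."""
    created = [date.fromisoformat(r["created"]) for r in records if r["domain"] in seeds]
    pad = timedelta(days=pad_days)
    return min(created) - pad, max(created) + pad


def pivot(records, tld_filter=None, registrar=None, window=None):
    """Return domains matching every filter that is set (None disables a filter)."""
    hits = []
    for r in records:
        if tld_filter and tld(r["domain"]) != tld_filter.lstrip(".").lower():
            continue
        if registrar and r["registrar"] != registrar:
            continue
        if window:
            created = date.fromisoformat(r["created"])
            if not window[0] <= created <= window[1]:
                continue
        hits.append(r["domain"])
    return hits


def new_candidates(records, seeds, **filters):
    """Pivot results minus what the analyst already knew."""
    return [d for d in pivot(records, **filters) if d not in seeds]


if __name__ == "__main__":
    seeds = {"realbumblebee.net"}
    window = seed_window(RECORDS, seeds)
    reg = "Registrar A (constructed)"
    print("registrar only:         ", pivot(RECORDS, registrar=reg))
    print("registrar + window:     ", pivot(RECORDS, registrar=reg, window=window))
    print("registrar + window + TLD:", new_candidates(RECORDS, seeds, tld_filter=".net",
                                                       registrar=reg, window=window))
```

Run stand-alone, the three prints show the candidate set shrinking from five domains to four to two as each filter is added; the two survivors are the ones an analyst would then review manually.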
TLS Certificates
Example
Embee Research analyzed certificate data related to a domain associated with MatanBuchus in order to surface additional domains using certificates with the same subdomains, certificate authority, and registration period. [2]
TLS certificates listing it as common name (CN)
TLS certificates contain a common name (CN) field indicating which domain or subdomains the certificate applies to. Pivoting on a domain can therefore lead to certificates listing the domain itself or one of its subdomains in their CN field. The resulting certificates might reveal new information in their other fields, and further pivoting on the certificates' hashes might lead to other IP addresses that have previously resolved the same domain.
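The matching rule behind this pivot has two directions that are easy to confuse: from a domain to every certificate that names it or any subdomain of it (what the paragraph describes), and from a certificate name to the concrete hosts it covers (where a wildcard matches exactly one label). The following is an added example, not the page's tooling: CERTS are constructed records with placeholder fingerprints and issuers (only the bee domains come from the page), and the wildcard rule follows the common one-label interpretation of RFC 6125.

```python
"""Pivot from a domain to TLS certificates naming it or its subdomains.

Added example, not the page's own tooling. CERTS are constructed records with
placeholder fingerprints; only the bee domains come from the page.
"""

CERTS = [
    {"fingerprint": "<sha256 placeholder 1>", "issuer": "CA X (constructed)",
     "cn": "realbumblebee.net", "san": ["realbumblebee.net", "www.realbumblebee.net"]},
    {"fingerprint": "<sha256 placeholder 2>", "issuer": "CA X (constructed)",
     "cn": "*.recentbee.net", "san": ["recentbee.net", "cdn.currentbee.net"]},
    {"fingerprint": "<sha256 placeholder 3>", "issuer": "CA Y (constructed)",
     "cn": "unrelated.example", "san": []},
]


def _norm(name: str) -> str:
    return name.lower().strip(".")


def under_domain(name: str, domain: str) -> bool:
    """True if name is the domain itself or any subdomain of it.
    A leading wildcard label is ignored, since '*.x.net' still points at x.net."""
    name, domain = _norm(name.removeprefix("*.")), _norm(domain)
    return name == domain or name.endswith("." + domain)


def name_covers_host(pattern: str, host: str) -> bool:
    """Does a CN/SAN entry cover a concrete hostname? '*' matches exactly one
    leftmost label, so '*.x.net' covers a.x.net but not a.b.x.net or x.net."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".x.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def cert_names(cert) -> list:
    """CN first, then SAN entries, without duplicating the CN."""
    return [cert["cn"]] + [n for n in cert.get("san", []) if n != cert["cn"]]


def certs_listing(certs, domain: str) -> list:
    """Fingerprints of certificates whose CN or SAN names the domain or a subdomain."""
    return [c["fingerprint"] for c in certs
            if any(under_domain(n, domain) for n in cert_names(c))]


def neighbouring_names(certs, domain: str) -> list:
    """Other names co-listed on matching certificates: new domains to pivot into."""
    found = set()
    for c in certs:
        names = cert_names(c)
        if any(under_domain(n, domain) for n in names):
            found.update(n for n in names if not under_domain(n, domain))
    return sorted(found)


if __name__ == "__main__":
    print(certs_listing(CERTS, "currentbee.net"))
    print(neighbouring_names(CERTS, "currentbee.net"))
    print(name_covers_host("*.recentbee.net", "a.recentbee.net"),
          name_covers_host("*.recentbee.net", "a.b.recentbee.net"))
```

Note that neighbouring_names is where the pivot pays off: a certificate found through one domain's subdomain in its SAN list exposes the other names sharing that certificate, which is the "new information listed in their other fields" the paragraph refers to.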
IP Addresses
IP address to which it currently resolves
A domain operated by a threat actor can resolve to an IP address hosting one or more servers. Note that the same IP address might be used for multiple purposes at once (e.g., malware C2, serving phishing pages, proxying traffic, etc.), with every server fronted by a different domain or subdomain.
While querying a domain for its resolving IP address is called forward DNS (fDNS for short), the opposite query is known as reverse DNS (or rDNS).
Example
Embee Research analyzed passive DNS data related to several domains associated with ACTINIUM in order to surface additional IP addresses to which they previously resolved. [3]
IP addresses to which it previously resolved
Pivoting to past DNS records is especially useful when investigating a long-term campaign or cases in which a threat actor has already shut down their operations.
Historic DNS resolutions can be based on either passive DNS collection (pDNS), which involves continuously recording DNS queries from various sources and aggregating their results into a queryable database, or active forward DNS collection (fDNS), which involves regularly querying for known domains and storing their resolutions.
Try it out
https://app.validin.com/detail?type=dom&find={DOMAIN}#tab=resolutions
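The passive DNS collection described above is, at its core, an aggregation problem: many sightings of the same (name, address) pair collapse into one record with a first-seen, last-seen and count, and the same index answers both the forward question (what has this domain resolved to?) and the reverse one (what else has resolved to this address?). The following is an added example, not the page's tooling and not any pDNS vendor's format: OBSERVATIONS are constructed lines in an assumed "timestamp name rrtype rdata" layout, with addresses drawn from the RFC 5737 documentation ranges.

```python
"""Aggregate passive DNS observations into a resolution history and pivot both ways.

Added example, not the page's own tooling. OBSERVATIONS are constructed lines in a
simple 'timestamp name rrtype rdata' layout (an assumption, not any vendor's format);
addresses are RFC 5737 documentation ranges.
"""
from datetime import datetime

OBSERVATIONS = """\
2023-01-05T10:00:00Z realbumblebee.net A 203.0.113.10
2023-01-20T08:30:00Z realbumblebee.net A 203.0.113.10
2023-02-02T12:00:00Z realbumblebee.net A 198.51.100.7
2023-01-07T09:00:00Z recentbee.net A 203.0.113.10
2023-02-03T11:00:00Z recentbee.net A 198.51.100.7
2023-01-09T09:00:00Z example.org A 192.0.2.5
2023-01-09T09:00:00Z www.example.org CNAME example.org
""".splitlines()


def build_index(lines):
    """Collapse raw sightings into per-(name, rdata) records with first/last seen and a count."""
    index = {}
    for line in lines:
        ts, name, rrtype, rdata = line.split()
        if rrtype not in ("A", "AAAA"):
            continue                      # this pivot is about address resolutions only
        key = (name.lower().rstrip("."), rdata)
        seen = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rec = index.setdefault(key, {"first_seen": seen, "last_seen": seen, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
        rec["count"] += 1
    return index


def resolutions(index, domain: str):
    """Forward view: every IP the domain has resolved to, oldest first."""
    rows = [(ip, r["first_seen"], r["last_seen"], r["count"])
            for (name, ip), r in index.items() if name == domain.lower()]
    return sorted(rows, key=lambda row: row[1])


def domains_on_ip(index, ip: str):
    """Reverse view from pDNS (distinct from rDNS/PTR): names observed resolving to the IP."""
    return sorted({name for (name, rdata) in index if rdata == ip})


def co_hosted(index, domain: str):
    """Domains that shared at least one resolving IP with the given domain."""
    ips = {ip for ip, *_ in resolutions(index, domain)}
    return sorted({n for (n, ip) in index if ip in ips and n != domain.lower()})


if __name__ == "__main__":
    idx = build_index(OBSERVATIONS)
    for ip, first, last, count in resolutions(idx, "realbumblebee.net"):
        print(f"{ip:15} first {first:%Y-%m-%d} last {last:%Y-%m-%d} seen {count}x")
    print("on 203.0.113.10:", domains_on_ip(idx, "203.0.113.10"))
    print("co-hosted with realbumblebee.net:", co_hosted(idx, "realbumblebee.net"))
```

The reverse view here is derived from observed forward lookups, which is why it can list names that never had a PTR record; that distinction is the practical difference between pDNS and the rDNS query described earlier on the page.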
Samples
Samples that reference it
Threat actors often configure their malware to communicate with one or more C&C servers, and this usually involves listing a domain within the malware's code (in such instances, the domain is said to be "hardcoded" in the malware). When executed, the infected device will send a DNS request to resolve the domain, and then communicate with the server hosted on the resolving IP address. By running a static analysis of the sample (even through something as simple as using strings), one can reveal any such hardcoded domains it may contain.