Skip to content

Domain

Overview

  • Definition

    A fully qualified domain name (FQDN) is the technical term for what are typically called domains (e.g., google.com) and subdomains (e.g., drive.google.com).

  • Usecase

    Threat actors acquire FQDNs and configure them to resolve to servers they control. This allows them to direct phishing victims to FQDNs which resolve to malicious landing pages, and allow malware-infected devices to send an initial DNS resolution request for FQDNs associated with C&C servers.

  • Example

    realbumblebee[.]net, recentbee[.]net, and currentbee[.]net were domains that resolved to Cobalt Strike C&C servers operated by the threat actor known as Black Basta.1

  • Pivot Map
    flowchart LR
        classDef primary stroke-width: 2px
        classDef secondary stroke-dasharray: 5 5
    
        %% define nodes
        IP_ADDRESS(IP Address)
        DOMAIN(Domain):::primary
        DOMAIN_(Domain):::secondary
        TLS_CERT(TLS Certificate)
        SAMPLE(Sample)
    
        %% define edges
        DOMAIN -- forward DNS --> IP_ADDRESS
        IP_ADDRESS -- reverse DNS ---> DOMAIN
        DOMAIN <-- DNS history --> IP_ADDRESS
        TLS_CERT -- CN ---> DOMAIN
        DOMAIN <-- similar name ---> DOMAIN_
        DOMAIN <-- registrant ---> DOMAIN_
        DOMAIN <-- registrar --> DOMAIN_
        DOMAIN <-- NS --> DOMAIN_
        DOMAIN <-- TLD --> DOMAIN_
        DOMAIN <-- reg. time --> DOMAIN_
        DOMAIN <-- URL path --> DOMAIN_
        SAMPLE -- references ---> DOMAIN
        SAMPLE -- queries --> DOMAIN
    
        %% define links
        click IP_ADDRESS "#ip-addresses"
        click DOMAIN_ "#domains"
        click SAMPLE "#samples"
        click TLS_CERT "#tls-certificates"
    

Actor-controlled subdomains of shared domains

Some domains resolve to platforms owned by legitimate entities, but threat actors abuse them by registering subdomains (usually for free) which they use for maliicous purposes. For example, oast.pro is a legitimate domain operated by Project Discovery for use with a pentesting tool they maintain called Interactsh. However, malicious actors might register subdomains of oast.pro (e.g., c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.oast.pro). In this case, only the subdomain would be uniquely associated with specific malicious activity, whereas the domain would not.

Pivots

Domains

Domains with similar names

Threat actors may register multiple domains with a similar naming scheme, which can be levereged by analysts to discover additional potentially related domains by querying DNS databases. Additionally, threat actors may use names similar to their target organizations' domain names, which can be a useful indicator of malicious intent when reviewing potentially related domains.

Example

Black Basta registered various bee-themed domains which resolved to C&C servers. These included realbumblebee[.]net, recentbee[.]net, and currentbee[.]net.1

Domains with same TLD

Threat actors may have a preference for certain top-level domains (TLD), such as .xyz, which is usually very cheap or even free (for this reason, some organizations block this TLD as a precautionary measure). In such cases, applying a TLD filter alongside filters for other parameters (such as registrar) can narrow domain search results within DNS databases to a number reasonably small enough to manually review.

Domains with same registrar

A domain name registrar handles registrations of domains and leases them to customers. Some threat actors may show preference for certain registrars when registering their domains for malicious use (possible reasons may include minimal anti-fruad mechanisms in place or acceptance of cryptocurrency as payment). This preference can then be leveraged by analysts for pivoting purposes by querying WHOIS databases.

Domains with similar registrant details

Domains registered by the same threat actor might have overlapping registration details, which can be retrieved through a reverse WHOIS query or by querying WHOIS databases. In some cases the details might be exactly the same, while in others there might be commonalities in certain registration fields that match the same regular expressions. In some cases these fields might contain genuine information that could prove useful for other investigative purposes (including attribution), such as an email address or physical location associated with the threat actor. However, these details are often anonymized by privacy protection, particularly if the threat actor has strict operational security.

  • Features

    The registrant details of gopivoting.org are protected and therefore not very pivotable:

    Registrant Contact Information:
        Name:               REDACTED FOR PRIVACY
        Organization:       Domains By Proxy, LLC
        Address:            REDACTED FOR PRIVACY
        Address:            REDACTED FOR PRIVACY
        City:               REDACTED FOR PRIVACY
        State / Province:   Arizona
        Postal Code:        REDACTED FOR PRIVACY
        Country:            US
        Phone:              REDACTED FOR PRIVACY
        Email:              Please query the WHOIS server
                            of the owning registrar identified
                            in this output for information on
                            how to contact the Registrant, Admin,
                            or Tech contact of the queried domain name.
    

Domains registered in same timeframe

Threat actors perform registration in bulk of domains meant for malicious purposes, or at the very least they may register domains around the same time if they're to be used for the same campaign. In such cases, these timeframes can be leveraged by analysts as an effective filter to narrow down the number of results for otherwise noisy registration detail queries within WHOIS databases. Furthermore, if an analyst is lucky, the threat actor may have registered other artifacts during the same timeframe as well, such as IP addresses and TLS certificates.

Domain with same URL path

Threat actors may set up various API endpoints on their servers to facilitate the required functionality for their malicious infrastructure. Each of these endpoints may be available on a different URL path (e.g., malware may connect to an /upload/ endpoint to exfiltrate data). Similarly, threat actors may hijack legitimate servers and deploy a file containing malicious code, which may be located on a consistent URL path across multiple compromised servers.

Given a domain resolving to an attacker-controlled server, analysts can query for any of its known URL paths in the databases of URL scanning services such as URLScan. This can surface other domains with the same paths which might resolve to potentially related servers.

Try it out
https://urlscan.io/search/#page.url%3A%22{PATH}%22
TO DO

TLS Certificates

Certificates listing it as common name (CN)

TLS certificates contain a common name field (CN) indicating which domain or subdomains the certificate applies to. Therefore, pivoting on a domain by querying certificate databases can lead to certificates listing the domain itself or its subdomains in its common name field (CN). The resulting certificates might reveal new information listed in their other various fields, and further pivoting on the certificates' hashes might lead to other IP addresses that have previously resolved the same domain.

Example

Embee Research analyzed certificate data related to a domain associated with MatanBuchus in order to surface additional domains using certificates with the same subdomains, certificate authority, and registration period.2


IP Addresses

IP address to which it resolves

A domain operated by a threat actor can resolve to an IP address hosting one or more servers. Note that the same IP address might be used for multiple purposes at once (e.g., malware C2, serving phishing pages, proxying traffic, etc.), with every server fronted by a different domain or subdomain.

While querying a domain for its resolving IP address is called forward DNS (fDNS for short), the opposite query is known as reverse DNS (or rDNS). Analysts can perform such lookups using DNS tools such as DNSChecker.

IP addresses to which it previously resolved

Pivoting to past DNS records is especially useful when investigating a long-term campaign or cases in which a threat actor has already shut down their operations.

Historic DNS resolutions can be based on either passive DNS collection (pDNS), which involves continuously recording DNS queries from various sources and aggregating their results into a queryable database, or active forward DNS collection (fDNS), which involves regularly querying for known domains and storing their resolutions.

Example

Embee Research analyzed passive DNS data related to several domains associated with ACTINIUM in order to surface additional IP addresses to which they previously resolved.3

Try it out
https://app.validin.com/detail?type=dom&find={DOMAIN}#tab=resolutions

Samples

Samples that reference or query it

Threat actors often configure their malware to communicate with one or more C&C servers, and this usually involves listing a domain within the malware's code (in such instances, the domain is said to be "hardcoded" in the malware). When executed (on an infected device, honeypot, or in a sandboxed environment), the malware will send a DNS request to resolve the domain, and then communicate with the server hosted on the resolving IP address. By running a static analysis of a sample (even through something as simple as using strings), one can reveal any such hardcoded domains it may contain.

However, some threat actors may obfuscate hardcoded domains as an anti-analysis technique, in which case one must use dynamic analysis to record the malware's DNS requests, or reverse engineer the sample to overcome the obfuscation.

Regardless, given a domain, analysts can use "malware zoo" platforms such as VirusTotal to query for any such previously encountered samples.