
Domain

Overview

  • Definition

    A fully qualified domain name (FQDN) is the technical term for what are typically called domains (e.g., google.com) and subdomains (e.g., drive.google.com).

  • Usecase

    Threat actors acquire FQDNs and configure them to resolve to servers they control. This allows them to direct phishing victims to FQDNs that resolve to malicious landing pages, and allows malware-infected devices to send an initial DNS resolution request for FQDNs associated with C&C servers.

  • Example

    realbumblebee[.]net, recentbee[.]net, and currentbee[.]net were domains that resolved to Cobalt Strike C&C servers operated by the threat actor known as Black Basta.1

  • Pivot Map
    flowchart LR
        classDef secondary stroke-dasharray: 5 5
    
        %% define nodes
        IP_ADDRESS(IP Address)
        DOMAIN(Domain)
        DOMAIN_(Domain):::secondary
        TLS_CERT(TLS Certificate)
        SAMPLE(Sample)
    
        %% define edges
        DOMAIN -- resolves --> IP_ADDRESS
        IP_ADDRESS -- rDNS --> DOMAIN
        DOMAIN -- prev. resolved --> IP_ADDRESS
        TLS_CERT -- CN --> DOMAIN
        DOMAIN <-- similar name --> DOMAIN_
        DOMAIN <-- registrar --> DOMAIN_
        DOMAIN <-- TLD --> DOMAIN_
        DOMAIN <-- time --> DOMAIN_
        SAMPLE -- references --> DOMAIN
    

Actor-controlled subdomains of shared domains

Some domains resolve to platforms owned by legitimate entities, but threat actors abuse them by registering subdomains (usually for free) which they use for malicious purposes. For example, oast.pro is a legitimate domain operated by Project Discovery for use with a pentesting tool they maintain called Interactsh. However, malicious actors might register subdomains of oast.pro (e.g., c59e3crp82ke7bcnedq0cfjqdpeyyyyyn.oast.pro). In this case, only the subdomain would be uniquely associated with specific malicious activity, whereas the domain would not.

Pivots

Domains

Example

Black Basta registered various bee-themed domains which resolved to C&C servers. These included realbumblebee[.]net, recentbee[.]net, and currentbee[.]net.1

Domains with similar names

Threat actors may register multiple domains with a similar naming scheme, which can be leveraged by analysts to discover additional potentially related domains. Additionally, threat actors may use names similar to their target organizations' domain names, which can be a useful indicator of malicious intent when reviewing potentially related domains.

Try it out
TO DO

Domains with the same TLD

Threat actors may have a preference for certain top-level domains (TLDs), such as .xyz, which is usually very cheap or even free (for this reason, some organizations block this TLD as a precautionary measure). In such cases, applying a TLD filter alongside filters for other parameters (such as registrar) can narrow domain search results to a number small enough to review manually.

Domains with the same registrar

A domain name registrar handles registrations of domains and leases them to customers. Some threat actors may show a preference for certain registrars when registering their domains for malicious use (possible reasons include minimal anti-fraud mechanisms or acceptance of cryptocurrency as payment). This preference can then be leveraged by analysts for pivoting purposes.

Domains registered in the same timeframe

Threat actors often register domains meant for malicious purposes in bulk, or at the very least they may register domains around the same time if they're to be used for the same campaign. In such cases, these timeframes can be leveraged by analysts as an effective filter to narrow down the number of results for otherwise noisy queries. Furthermore, if an analyst is lucky, the threat actor may have registered other artifacts during the same timeframe as well, such as IP addresses and TLS certificates.
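The four domain pivots above (similar name, same TLD, same registrar, same registration timeframe) combined into one filter, as an added example that is not part of the original page. The dataset is constructed: the three bee-themed domains are the ones named on this page, but their registrars and registration dates, and all other records, are invented placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Registration:
    domain: str      # registrable domain, e.g. "realbumblebee.net"
    registrar: str   # constructed placeholder; not a real registrar
    created: date    # constructed registration date; not real

# Constructed dataset: the bee-themed Black Basta domains named on this
# page plus unrelated decoys. Registrars and dates are invented.
RECORDS = [
    Registration("realbumblebee.net", "REGISTRAR-A", date(2023, 3, 1)),
    Registration("recentbee.net", "REGISTRAR-A", date(2023, 3, 3)),
    Registration("currentbee.net", "REGISTRAR-A", date(2023, 3, 5)),
    Registration("honeybee-shop.net", "REGISTRAR-B", date(2021, 8, 20)),
    Registration("currentbee.xyz", "REGISTRAR-A", date(2023, 3, 6)),
    Registration("example.net", "REGISTRAR-A", date(2023, 3, 4)),
]

def split_domain(domain):
    """Return (second-level label, TLD), lower-cased."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def shared_substring(a, b):
    """Longest substring common to both labels (labels are short)."""
    short, long_ = sorted((a, b), key=len)
    for n in range(len(short), 0, -1):
        for i in range(len(short) - n + 1):
            if short[i:i + n] in long_:
                return short[i:i + n]
    return ""

def pivot(seed, records, same_tld=True, same_registrar=True,
          window_days=7, min_shared=3):
    """Domains passing every enabled filter relative to the seed record."""
    seed_label, seed_tld = split_domain(seed.domain)
    hits = []
    for r in records:
        label, tld = split_domain(r.domain)
        if (r.domain == seed.domain
                or (same_tld and tld != seed_tld)
                or (same_registrar and r.registrar != seed.registrar)
                or abs((r.created - seed.created).days) > window_days
                or len(shared_substring(seed_label, label)) < min_shared):
            continue
        hits.append(r.domain)
    return sorted(hits)
```

Loosening one filter at a time (for instance `same_tld=False`) shows which decoys each pivot alone would let through, which is the tuning an analyst does before reviewing results by hand.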


TLS Certificates

Example

Embee Research analyzed certificate data related to a domain associated with MatanBuchus in order to surface additional domains using certificates with the same subdomains, certificate authority, and registration period.2

TLS certificates listing it as common name (CN)

TLS certificates contain a common name field (CN) indicating which domain or subdomains the certificate applies to. Therefore, pivoting on a domain can lead to certificates listing the domain itself or its subdomains in their CN field. The resulting certificates might reveal new information in their other fields, and further pivoting on the certificates' hashes might lead to other IP addresses to which the same domain previously resolved.


IP Addresses

IP address to which it currently resolves

A domain operated by a threat actor can resolve to an IP address hosting one or more servers. Note that the same IP address might be used for multiple purposes at once (e.g., malware C2, serving phishing pages, proxying traffic, etc.), with every server fronted by a different domain or subdomain.

While querying a domain for its resolving IP address is called forward DNS (fDNS for short), the opposite query is known as reverse DNS (or rDNS).

Example

Embee Research analyzed passive DNS data related to several domains associated with ACTINIUM in order to surface additional IP addresses to which they previously resolved.3

IP addresses to which it previously resolved

Pivoting to past DNS records is especially useful when investigating a long-term campaign or cases in which a threat actor has already shut down their operations.

Historic DNS resolutions can be based on either passive DNS collection (pDNS), which involves continuously recording DNS queries from various sources and aggregating their results into a queryable database, or active forward DNS collection (fDNS), which involves regularly querying for known domains and storing their resolutions.

Try it out
https://app.validin.com/detail?type=dom&find={DOMAIN}#tab=resolutions

Samples

Samples that reference it

Threat actors often configure their malware to communicate with one or more C&C servers, and this usually involves listing a domain within the malware's code (in such instances, the domain is said to be "hardcoded" in the malware). When executed, the infected device will send a DNS request to resolve the domain, and then communicate with the server hosted on the resolving IP address. By performing static analysis on the sample (even something as simple as running strings on it), one can reveal any such hardcoded domains it may contain.
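A minimal strings-style extraction of hardcoded FQDNs from a sample, as an added example that is not from this page or the cited research. The byte blob is constructed to stand in for a binary and embeds two domains named on this page alongside decoys (DLL names, a version string, file names) that a naive regex would otherwise report; the file-extension deny-list is an assumption an analyst would extend.

```python
import re

# Constructed byte blob standing in for a malware sample: it embeds two
# C&C domains named on this page plus decoy strings. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00kernel32.dll\x00GetProcAddress\x00"
    b"https://realbumblebee.net/api\x00\x01\x02ab\x00"
    b"version 1.2.3\x00config.json\x00recentbee.net\x00update.exe\x00\xff\xfe"
)

PRINTABLE = set(range(0x20, 0x7F))
FQDN_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})(?![\w-])",
    re.I,
)
# Last labels that are file extensions rather than TLDs (constructed
# deny-list; extend as needed for the samples you handle).
FILE_EXTENSIONS = {"dll", "exe", "json", "txt", "sys", "dat", "log", "ini"}

def strings(data, min_len=4):
    """Mimic `strings`: runs of at least min_len printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out

def hardcoded_domains(data):
    """Candidate FQDNs found in a sample's strings, minus file names."""
    found = set()
    for s in strings(data):
        for m in FQDN_RE.finditer(s):
            fqdn = m.group(1).lower()
            if fqdn.rsplit(".", 1)[1] not in FILE_EXTENSIONS:
                found.add(fqdn)
    return sorted(found)

def defang(fqdn):
    """Render a domain as this page does (realbumblebee[.]net) for sharing."""
    return fqdn.replace(".", "[.]")
```

Candidates still need validation (a string in a binary may be a decoy, a library hostname, or a legitimate update server), so the output is a pivot list, not a blocklist.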