Hunting for suspicious domains
Suspicious domains
As mentioned previously, there are multiple reasons that a domain can be considered suspicious:
Random domains generated by a DGA
Embedded IP addresses
Unusual top-level domains (TLDs)
Nonexistent domains
Known bad domains
Domain information can be found in DNS, email and web logs and should be analyzed as part of the threat hunting process
URLs
URLs are a common IOC because they are often used as a component of phishing, spamming and malware attacks
URL-based attacks include:
Redirection
Typosquatting
Escape encoding
Redirection
Redirection attacks take advantage of users' unfamiliarity with how URLs work
These attacks often take advantage of lookalike characters like 1 and I
Typosquatting
Some attackers place phishing sites at URLs designed to look similar to legitimate websites
A company was infected with malware due to employees mistyping www.netflix.com as www.netflix.om
This attack could have been detected by scanning for unusual TLDs, as Oman (.om) is not a commonly visited TLD
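As an added example (not part of the original notes), the following Python scans constructed DNS query log lines for the domain categories listed under Suspicious domains and for the unusual-TLD case from the Netflix/.om incident. The log format, the allow-list of commonly visited TLDs, the known-bad list, and the length/entropy thresholds used as a DGA heuristic are all assumptions; in practice the lists would come from the organisation's own traffic baseline and a threat-intelligence feed.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log, one "client domain" pair per line (not real traffic)
SAMPLE_DNS_LOG = """\
10.0.0.12 www.netflix.com
10.0.0.12 www.netflix.om
10.0.0.7 192.168.5.20.evil-cdn.net
10.0.0.7 kq3x9vz1p0r7t2lm.com
10.0.0.9 mail.example.org
10.0.0.9 updates.malware-c2.example
"""

# Assumed allow-list of TLDs the organisation normally visits; anything else is "unusual"
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io"}
# Assumed blocklist standing in for a threat-intel feed of known bad domains
KNOWN_BAD = {"updates.malware-c2.example"}

# A dotted-quad IPv4 address appearing as one or more labels inside the hostname
EMBEDDED_IP = re.compile(r"(?:^|\.)(?:\d{1,3}\.){3}\d{1,3}(?:\.|$)")

# Assumed DGA heuristic: long second-level label with high character entropy
DGA_MIN_LEN = 12
DGA_MIN_ENTROPY = 3.5


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_domain(domain, nxdomain=False):
    """Return the list of reasons this domain looks suspicious (empty if none)."""
    reasons = []
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if domain in KNOWN_BAD:
        reasons.append("known bad")
    if EMBEDDED_IP.search(domain):
        reasons.append("embedded IP")
    if tld not in COMMON_TLDS:
        reasons.append(f"unusual TLD .{tld}")
    if len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) > DGA_MIN_ENTROPY:
        reasons.append("DGA-like label")
    if nxdomain:  # resolver answered NXDOMAIN for this query
        reasons.append("nonexistent domain")
    return reasons


def hunt(log_text, nxdomains=frozenset()):
    """Map each suspicious domain in the log to its reasons; clean domains are omitted."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, domain = line.split()
        reasons = classify_domain(domain, nxdomain=domain in nxdomains)
        if reasons:
            hits[domain] = reasons
    return hits


if __name__ == "__main__":
    # The NXDOMAIN set would normally be built from resolver responses; constructed here
    for dom, why in hunt(SAMPLE_DNS_LOG, nxdomains={"kq3x9vz1p0r7t2lm.com"}).items():
        print(f"{dom}: {', '.join(why)}")
```

The entropy heuristic will also flag some legitimate CDN or cloud hostnames, so it is a hunting lead to pivot on (query volume, first-seen time, resolver answer) rather than a verdict on its own.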
Escape encoding
The standard that defines URLs distinguishes between unreserved and reserved characters
Unreserved: a-z A-Z 0-9 _ . ! ~ * # ( )
Reserved: ; / ? : @ & = + $ ,
Any reserved characters in a URL must be encoded (e.g., "\" is encoded as %5c)
Attackers use multi-level encoding to evade detection
"\" can also be %255c, %%35c, %%35%63, or %25%35%63
Escape encoding can also be used for injection attacks
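As an added example (not from the original notes), here is a small Python normaliser that peels percent-encoding layers until the URL is stable and reports how many layers it found. It is written so that the multi-level forms above (%255c, %%35c, %%35%63 and %25%35%63) all normalise to a single "\", including the nested form where a hex digit is itself written as %XX, which the standard library's urllib.parse.unquote does not unwrap. The layer count, the reserved-character set and the inspect_url helper are this example's own conventions, not part of any standard.

```python
import string

HEX = set(string.hexdigits)
# Reserved characters as listed in the notes; "\" is added because it is the worked example
INTERESTING = set(";/?:@&=+$,") | {"\\"}


def _hex_digit(s, j):
    """Read one hex digit at s[j]; the digit may itself be %XX-encoded (nested encoding).
    Returns (digit, next_index, nested) or (None, j, False) when nothing usable is there."""
    if j < len(s) and s[j] in HEX:
        return s[j], j + 1, False
    if j + 2 < len(s) and s[j] == "%" and s[j + 1] in HEX and s[j + 2] in HEX:
        ch = chr(int(s[j + 1:j + 3], 16))
        if ch in HEX:
            return ch, j + 3, True
    return None, j, False


def decode_once(s):
    """One decoding pass. Malformed escapes are kept literally, never dropped.
    Returns (decoded, nested) where nested is True if any digit was itself encoded."""
    out, i, nested = [], 0, False
    while i < len(s):
        if s[i] != "%":
            out.append(s[i])
            i += 1
            continue
        d1, j, n1 = _hex_digit(s, i + 1)
        d2, k, n2 = _hex_digit(s, j) if d1 is not None else (None, j, False)
        if d1 is None or d2 is None:
            out.append("%")  # not a valid escape: pass the "%" through unchanged
            i += 1
            continue
        out.append(chr(int(d1 + d2, 16)))
        nested = nested or n1 or n2
        i = k
    return "".join(out), nested


def normalize(s, max_rounds=5):
    """Decode until stable. Returns (decoded, levels); levels > 1 means multi-level encoding."""
    levels = 0
    for _ in range(max_rounds):
        nxt, nested = decode_once(s)
        if nxt == s:
            break
        levels += 2 if nested else 1
        s = nxt
    return s, levels


def inspect_url(url):
    """Hunting view of a URL: decoded form, layer count, and reserved/backslash
    characters that only appeared after decoding (candidates for evasion)."""
    decoded, levels = normalize(url)
    revealed = sorted({c for c in decoded if c in INTERESTING} - set(url))
    return {"decoded": decoded, "levels": levels,
            "multi_level": levels > 1, "revealed": revealed}


if __name__ == "__main__":
    for sample in ("%5c", "%255c", "%%35c", "%%35%63", "%25%35%63", "/search?q=%25%35%63"):
        print(sample, "->", inspect_url(sample))
```

Matching on the normalised form rather than the raw request line is what keeps signatures from being bypassed by re-encoding; the layer count is itself a useful hunting field, since legitimate clients rarely send more than one layer.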
VirusTotal
Tools like VirusTotal allow threat hunters to quickly identify malicious URLs
Suspicious HTML responses
HTML response size is an important indicator
44% of threat hunters use it, according to McAfee Labs
SQL injection attacks have large responses due to the exfiltrated data included in the response
Some log analyzer/SIEM solutions like SolarWinds Log and Event Manager (LEM) are designed to analyze for threats based on HTML response size
Flags spike in response size as suspicious
Provides graphical result data to the threat hunter
Web server logs
Web server logs are valuable in threat hunting for identifying attacks against web servers
Large HTML responses may indicate attempts at SQL injection and data exfiltration
500 Internal Server Errors and 501 Header Value errors may indicate scanning for vulnerabilities in the web app
Web server log data can be manipulated and changed by attackers attempting to hide their tracks
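As an added example (not from the original notes and not SolarWinds LEM code), the following Python reproduces the two web-log checks described in the Suspicious HTML responses and Web server logs sections over constructed Apache combined-format lines: it flags a response whose size is far above the baseline for the same resource, and it counts 500/501 errors per client. The log lines, the 10x-median spike threshold and the per-resource grouping are assumptions chosen for illustration.

```python
import re
import statistics
from collections import Counter, defaultdict

# Apache/nginx combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample access log (not real traffic): five normal product-page hits,
# then one client producing an oversized 200, a 500, a 501 and a 404
SAMPLE_ACCESS_LOG = """\
10.1.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=42 HTTP/1.1" 200 3120
10.1.1.6 - - [10/Oct/2023:13:55:37 +0000] "GET /products?id=43 HTTP/1.1" 200 3088
10.1.1.7 - - [10/Oct/2023:13:55:38 +0000] "GET /products?id=44 HTTP/1.1" 200 3151
10.1.1.8 - - [10/Oct/2023:13:55:39 +0000] "GET /products?id=45 HTTP/1.1" 200 2990
10.1.1.9 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=46 HTTP/1.1" 200 3070
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /products?id=1%20UNION%20SELECT HTTP/1.1" 200 418733
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /products?id=1%27 HTTP/1.1" 500 612
203.0.113.9 - - [10/Oct/2023:13:56:03 +0000] "OPTIONS /admin HTTP/1.1" 501 301
203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /backup.zip HTTP/1.1" 404 209
"""


def parse(log_text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["status"] = int(r["status"])
        r["size"] = 0 if r["size"] == "-" else int(r["size"])
        r["resource"] = r["path"].split("?", 1)[0]  # group by path without query string
        records.append(r)
    return records


def response_size_spikes(records, ratio=10, min_samples=3):
    """Successful responses whose size is >= ratio times the median for that resource.
    The median is used as baseline so the spike itself does not drag the baseline up."""
    by_resource = defaultdict(list)
    for r in records:
        if 200 <= r["status"] < 300:
            by_resource[r["resource"]].append(r["size"])
    spikes = []
    for r in records:
        sizes = by_resource.get(r["resource"], [])
        if len(sizes) < min_samples or not (200 <= r["status"] < 300):
            continue
        baseline = statistics.median(sizes)
        if baseline > 0 and r["size"] / baseline >= ratio:
            spikes.append((r["ip"], r["path"], r["size"], baseline))
    return spikes


def server_error_counts(records, statuses=(500, 501)):
    """How many 500/501 responses each client triggered (a scanning indicator)."""
    return Counter(r["ip"] for r in records if r["status"] in statuses)


if __name__ == "__main__":
    recs = parse(SAMPLE_ACCESS_LOG)
    for ip, path, size, base in response_size_spikes(recs):
        print(f"size spike from {ip}: {path} returned {size} bytes (baseline {base:.0f})")
    for ip, n in server_error_counts(recs).most_common():
        print(f"{ip}: {n} server errors")
```

Because an attacker with access to the web server can edit or truncate these files, the checks are only trustworthy when run against a copy forwarded in near real time to a log collector or SIEM the web server cannot write back to.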