This article discusses a phishing campaign targeting high-profile accounts and introduces various pivoting techniques in the Validin platform to uncover related indicators. The authors provide detailed methods for discovering additional domains, IP addresses, and other infrastructure connected to this campaign through advanced searches. Affected: phishing campaign, high-profile accounts, threat hunters, Validin platform
Key points:
- SentinelOne Labs reported an X phishing campaign targeting high-profile accounts.
- The Validin platform is used to expand the set of known infrastructure related to the phishing campaign.
- Bulk DNS Enrichment is one of the first techniques used to identify additional IPs and Name Servers.
- Indicators extracted from the initial report include various suspicious domains and activities.
- Meta tags in HTML responses provide opportunities for pivoting to discover further indicators.
- Title tags and favicon hash methods are employed to find related domains.
- Registration time pivoting helps identify additional domains registered at the same time as known threats.
- Validin's tools assist threat hunters in building a clearer threat intelligence picture.
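The key points above describe one generic loop: take the seed domains, read the attributes their enrichment records share (resolved IP, name server, HTML title, favicon hash, registration date), and pull in every other domain that shares one of those values, repeating until nothing new appears. The following is an added example of that loop in Python; it is not code from the Validin blog post or platform, and every record, domain, IP and hash in it is constructed (the `RECORDS` shape is an assumption, not Validin's output format). It also carries the caveat a hunter applies in practice: a value shared by too many domains (a shared-hosting IP, a generic page title) is skipped rather than used as a pivot.

```python
"""Indicator expansion by pivoting on shared infrastructure attributes.

Added example, not code from the Validin blog post or platform. All records
below are constructed; the domains, IPs and favicon hashes are placeholders.
"""
from collections import defaultdict

# Attributes a hunter pivots on (assumed field names for this example).
PIVOT_FIELDS = ("ip", "ns", "title", "favicon", "registered")

# Constructed enrichment records. Comments say how each is reachable from the seeds.
RECORDS = [
    {"domain": "seed-a.example", "ip": "203.0.113.10", "ns": "ns1.dns-a.example",
     "title": "Sign in", "favicon": "fav-aaaa", "registered": "2024-01-15"},
    {"domain": "seed-b.example", "ip": "203.0.113.11", "ns": "ns1.dns-a.example",
     "title": "Sign in", "favicon": "fav-aaaa", "registered": "2024-01-15"},
    # Shares only the name server with the seeds -> reached in round 1.
    {"domain": "pivot-ns.example", "ip": "198.51.100.7", "ns": "ns1.dns-a.example",
     "title": "Verify account", "favicon": "fav-bbbb", "registered": "2024-02-01"},
    # Shares only the registration date with the seeds -> reached in round 1.
    {"domain": "pivot-reg.example", "ip": "198.51.100.8", "ns": "ns1.dns-z.example",
     "title": "Welcome", "favicon": "fav-cccc", "registered": "2024-01-15"},
    # Shares an IP with pivot-ns.example only -> reached in round 2.
    {"domain": "pivot-ip.example", "ip": "198.51.100.7", "ns": "ns1.dns-y.example",
     "title": "Login", "favicon": "fav-dddd", "registered": "2023-11-30"},
    # Four unrelated sites that happen to use the generic title "Login".
    # With pivot-ip.example that value is shared by 5 domains, above MAX_SHARED,
    # so the title is too common to pivot on and these are never pulled in.
    {"domain": "benign-1.example", "ip": "192.0.2.1", "ns": "ns1.host-1.example",
     "title": "Login", "favicon": "fav-1111", "registered": "2019-03-01"},
    {"domain": "benign-2.example", "ip": "192.0.2.2", "ns": "ns1.host-2.example",
     "title": "Login", "favicon": "fav-2222", "registered": "2020-06-12"},
    {"domain": "benign-3.example", "ip": "192.0.2.3", "ns": "ns1.host-3.example",
     "title": "Login", "favicon": "fav-3333", "registered": "2021-09-09"},
    {"domain": "benign-4.example", "ip": "192.0.2.4", "ns": "ns1.host-4.example",
     "title": "Login", "favicon": "fav-4444", "registered": "2022-12-24"},
    # Shares nothing with anything reachable.
    {"domain": "noise.example", "ip": "192.0.2.9", "ns": "ns1.host-9.example",
     "title": "Blog", "favicon": "fav-9999", "registered": "2018-01-01"},
]

# A value shared by more domains than this is treated as too common to pivot on.
MAX_SHARED = 3


def build_index(records):
    """Map each pivot field -> value -> set of domains carrying that value."""
    index = {field: defaultdict(set) for field in PIVOT_FIELDS}
    for rec in records:
        for field in PIVOT_FIELDS:
            index[field][rec[field]].add(rec["domain"])
    return index


def expand(seeds, records, max_shared=MAX_SHARED, max_rounds=10):
    """Return {domain: set of 'field=value' reasons} for every domain reached.

    Seeds are included with an empty reason set. Each round pivots from the
    domains found in the previous round, so chains of pivots are followed.
    """
    by_domain = {rec["domain"]: rec for rec in records}
    index = build_index(records)
    found = {domain: set() for domain in seeds}
    frontier = set(seeds)
    for _ in range(max_rounds):
        new = {}
        for domain in frontier:
            rec = by_domain.get(domain)
            if rec is None:
                continue  # seed with no enrichment record; nothing to pivot on
            for field in PIVOT_FIELDS:
                value = rec[field]
                sharing = index[field][value]
                if len(sharing) > max_shared:
                    continue  # shared hosting, generic title, etc.
                for other in sharing:
                    if other in found:
                        continue
                    new.setdefault(other, set()).add(f"{field}={value}")
        if not new:
            break
        found.update(new)
        frontier = set(new)
    return found


if __name__ == "__main__":
    for domain, reasons in sorted(expand(["seed-a.example", "seed-b.example"], RECORDS).items()):
        print(domain, sorted(reasons) or ["seed"])
```

The reason strings record which shared value pulled each domain in, which is what an analyst wants to review before treating a pivoted domain as related: a shared name server is weaker evidence than a shared favicon hash or a same-day registration, and the threshold keeps a single popular hosting IP from dragging in an entire provider's customer base.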
MITRE Techniques:
- T1071 - Application Layer Protocol: The phishing campaign utilized tactics involving communication over web applications.
- T1598 - Gather Victim Credentials: The campaign aimed to compromise high-profile accounts by luring victims.
- T1110 - Brute Force: Indicators suggest methods used to bypass security measures on high-profile accounts.
Indicators of Compromise:
- [Domain] x-sideprotocol[.]com
- [Domain] x-hotel-ads[.]com
- [Domain] hotel-ads-vip[.]com
- [Domain] google-ads-vip[.]com
- [Hash] 9d99a2372bbd5b28ef4b2eaecac8c805
Full Story: https://www.validin.com/blog/x-phishing-threat-hunting-pivotoing-techniques/