This article discusses how Validinβs database of Passive DNS and web data can be utilized for threat intelligence analysis. The platform enables analysts to identify changes in domain infrastructure through workflows involving passive DNS lookups, subdomain analysis, and web data pivoting. The analysis showcases how a single domain indicator can lead to discoveries of further IPs and domains related to potential threats. Affected: Poseidon domains, CloudFlare, Alibaba
Keypoints :
- Validin offers a robust analysis framework using Passive DNS and web data.
- Users can track the hosting history and infrastructure changes of a domain over time.
- The article demonstrates how to analyze a list of Poseidon domains shared on Twitter/X.
- Subdomain enumeration can reveal additional targets associated with a primary domain.
- Web responses, such as HTML titles, can serve as pivot points for further investigation.
- The timeline view helps visualize the overlap of domain data for better clarity.
- Filtering capabilities allow focus on specific data types such as IP addresses and HTML titles.
- Validin aids in identifying cryptocurrency-related phishing sites and other malicious infrastructure.
MITRE Techniques :
- TA0001 β Initial Access: Leveraging social media platforms (Twitter/X) to distribute domain indicators.
- TA0002 β Execution: Using features of Validin to execute queries on domain infrastructure.
- TA0008 β Lateral Movement: Pivoting on web data and DNS histories to discover related infrastructure.
- TA0009 β Collection: Analyzing the data collected from subdomain records and hosting history.
- TA0007 β Impact: Investigating potential risks and implications of associated infrastructures.
Indicator of Compromise :
- [Domain] poseidon[.]cool
- [IP Address] 172.67.203[.]144
- [IP Address] 79.137.192[.]4
- [Domain] btcpay.poseidon[.]cool
- [Domain] alma.ns.cloudflare.com
Full Story: https://www.validin.com/blog/pivoting-to-expand-threat-intelligence/