This article outlines a method for tracking malicious infrastructure through proactive threat hunting. It emphasizes starting with an IP address to unveil links to malware delivery via domains and certificates, leading to better detection of adversary command-and-control operations.
Affected: Cybersecurity, Threat Intelligence, Malware Detection
Affected: Cybersecurity, Threat Intelligence, Malware Detection
Keypoints :
- Malicious infrastructure hunting shifts focus from internal to external threat detection.
- Attackers utilize clusters of domains and IPs for malware and C2 operations.
- Initial investigation can begin with an IP address from threat feeds or unusual logs.
- Tools like Hunt can reveal associated domains, services, and SSL certificates.
- Analyzing open ports can provide insights into the serverβs purpose and potential malicious use.
- TLS certificates can expose hidden connections and are crucial for tracking adversarial infrastructure.
MITRE Techniques :
- Reconnaissance (T1598): Threat actors utilize multiple domains and servers for reconnaissance before launching attacks.
- Command and Control (T1071): Analysis of open ports and server responses indicates potential C2 channels.
- Collection (T1518): Collection of structured data from multiple indicators helps in mapping out malicious infrastructure.
- Credential Dumping (T1003): Use of defense evasion techniques through shared certificates.
Indicator of Compromise :
- [IP Address] 168.100.9[.]71
- [Domain] btc-winnings-made[.]com
- [SHA-256] D351D5F06EC229AF75442BE05C5C90F76471EF17EDCB1AF92E8532CA1854AF5D
- [JA4X Hash] 96a6439c8f5c_96a6439c8f5c_795797892f9c
Full Story: https://hunt.io/blog/practical-guide-unconvering-malicious-infrastructure