This article provides practical examples of using Passive DNS to uncover malicious infrastructure. By analyzing DNS records and utilizing pivots, analysts can identify related domains and enhance threat detection. Affected: cybersecurity analysts, organizations, malware victims
Key points:
- Passive DNS is a historical database of DNS resolutions captured as snapshots over time.
- It allows analysts to discover relationships and commonalities in DNS records.
- The article discusses five methods of uncovering malicious infrastructure using Passive DNS.
- Analysts can pivot on IP addresses to find related domains.
- Identifying domains linked to malware such as Coyote, EugenLoader, Xworm, DCRat, and Mint Stealer is demonstrated.
- Utilizing HTML titles for pivoting can be beneficial when faced with Cloudflare-protected infrastructure.
- Validin provides an intuitive interface for implementing Passive DNS.
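The IP and HTML-title pivots listed above, as an added Python example that is not code from the article or from Validin: it runs offline over a constructed passive-DNS record set (only the cloridatosys[.]com / 20.201.119[.]204 and protonpin[.]com / 206.206.123[.]151 pairs come from the IoC list; the `.example` neighbours, the shared edge IP 198.51.100.7, the dates and the titles are made up) and treats an IP hosting many domains as shared infrastructure that should not be pivoted on, falling back to the title pivot instead.

```python
from collections import defaultdict

# Constructed pDNS snapshot: (domain, ip, first_seen, last_seen, html_title).
# Seeds are the two domain/IP pairs from the page's IoC list; all other rows
# (.example neighbours, the shared edge IP 198.51.100.7, the titles) are made up.
PDNS = [
    ("cloridatosys.com",     "20.201.119.204",  "2024-11-02", "2024-11-20", "Admin Panel"),
    ("cloridata-upd.example", "20.201.119.204", "2024-11-06", "2024-11-21", "Admin Panel"),
    ("static-files.example", "20.201.119.204",  "2024-11-10", "2024-11-19", "Index of /"),
    ("protonpin.com",        "206.206.123.151", "2024-10-15", "2024-11-01", "ProtonPin"),
    ("protonpin.com",        "198.51.100.7",    "2024-11-02", "2024-11-22", "ProtonPin"),
    ("protonpin-sec.example", "198.51.100.7",   "2024-11-03", "2024-11-22", "ProtonPin"),
] + [(f"tenant{i}.example", "198.51.100.7", "2024-01-01", "2024-11-22", f"Site {i}")
     for i in range(60)]  # 60 unrelated tenants behind one edge IP, Cloudflare-style

MAX_FANOUT = 20  # an IP with more distinct domains than this is treated as shared hosting


def build_index(records):
    """Forward and reverse indexes: ip -> domains, title -> domains, domain -> ips."""
    by_ip, by_title, ips_of = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip, _first, _last, title in records:
        by_ip[ip].add(domain)
        by_title[title].add(domain)
        ips_of[domain].add(ip)
    return by_ip, by_title, ips_of


def pivot_ip(records, seed, max_fanout=MAX_FANOUT):
    """Domains co-hosted with `seed`; IPs above max_fanout are reported as skipped, not pivoted."""
    by_ip, _, ips_of = build_index(records)
    related, skipped = set(), set()
    for ip in ips_of[seed]:
        if len(by_ip[ip]) > max_fanout:
            skipped.add(ip)  # shared hosting: pivoting here would return unrelated tenants
            continue
        related |= by_ip[ip] - {seed}
    return sorted(related), sorted(skipped)


def pivot_title(records, seed):
    """Fallback pivot on HTML title, for seeds whose only IPs are shared edges."""
    _, by_title, _ = build_index(records)
    titles = {t for d, _ip, _f, _l, t in records if d == seed}
    return sorted(set().union(*(by_title[t] for t in titles)) - {seed})


if __name__ == "__main__":
    print(pivot_ip(PDNS, "cloridatosys.com"))   # two neighbours, nothing skipped
    print(pivot_ip(PDNS, "protonpin.com"))      # nothing related, shared IP skipped
    print(pivot_title(PDNS, "protonpin.com"))   # ['protonpin-sec.example']
```

Against a real pDNS source the same logic applies: the fanout check is what keeps a pivot on a CDN or Cloudflare edge from drowning the result in unrelated tenants, and the title pivot is the cheap second attribute to try when that happens.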
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Analysts can utilize DNS protocols to uncover domain names linked to malware.
- T1086 – PowerShell: Analysts may use PowerShell commands to automate DNS queries against Passive DNS databases.
- T1195 – Transfer Data to Remote System: Pivots can lead to the identification of domains sharing infrastructure for command and control operations.
Indicators of Compromise:
- [Domain] cloridatosys[.]com
- [IP Address] 20.201.119[.]204
- [Domain] protonpin[.]com
- [IP Address] 206.206.123[.]151
- [Domain] aprilxrwonew8450.duckdns[.]org
- [Domain] 640740cm.nyashka[.]top
- [Domain] mint-stealer[.]top
Full Story: https://www.validin.com/blog/practical_malware_infrastructure_discovery_with_pdns/