Detailing Daily Domain Hunting
Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure.
Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and patterns associated with adversary infrastructure creation and management. This is especially effective when viewing individual network observables – or indicators – as natural composite objects, items that accrue multiple sub-observations relating to the given object’s creation, use, and potentially even intention.
One historical example of such activity is ThreatConnect’s analysis of (then) long-running infrastructure tendencies linked to APT28, also known as FancyBear and associated with Russian Military Intelligence (GRU) 85th Main Special Service Center (GTsSS). ThreatConnect’s reporting publicized patterns used by intelligence professionals for several years prior, using a combination of X.509 certificate information, domain registration tendencies, and domain hosting patterns to …
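The "composite object" idea above is easiest to see in code. The following is an added example, not code from the original post or from ThreatConnect: each domain is modelled as an indicator that accrues registration, X.509 and hosting sub-observations, a pattern of shared tendencies is seeded from one known indicator, and candidates are flagged only when they match that pattern across more than one observation kind. All domains, registrars, certificate issuers and ASNs are constructed placeholders (the `.test` TLD and AS64500/AS64501 are reserved for documentation).

```python
# Added example (not from the original post): indicators as composite objects.
# All sample data below is constructed and does not describe real infrastructure.
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One sub-observation about an indicator (e.g. from WHOIS, a cert scan, passive DNS)."""
    kind: str        # "registration", "x509" or "hosting"
    attrs: dict      # e.g. {"registrar": "..."} or {"issuer": "..."} or {"asn": "..."}
    observed: date


@dataclass
class Indicator:
    """A domain viewed as a composite: its value plus everything observed about it."""
    value: str
    observations: list = field(default_factory=list)

    def add(self, obs: Observation) -> "Indicator":
        self.observations.append(obs)
        return self

    def facets(self) -> dict:
        """Flatten observations into 'kind.attr' -> set of values seen."""
        out = {}
        for obs in self.observations:
            for k, v in obs.attrs.items():
                out.setdefault(f"{obs.kind}.{k}", set()).add(v)
        return out


def seed_pattern(known: Indicator, keys) -> dict:
    """Build a hunting pattern from a known indicator's single-valued facets."""
    facets = known.facets()
    return {k: next(iter(facets[k])) for k in keys if len(facets.get(k, ())) == 1}


def match_pattern(ind: Indicator, pattern: dict) -> dict:
    """Return the subset of pattern facets that this indicator satisfies."""
    facets = ind.facets()
    return {k: v for k, v in pattern.items() if v in facets.get(k, set())}


def hunt(indicators, pattern, min_kinds=2):
    """Flag indicators matching the pattern across at least `min_kinds` distinct
    observation kinds, so a shared registrar alone is not treated as a hit."""
    hits = []
    for ind in indicators:
        matched = match_pattern(ind, pattern)
        kinds = {k.split(".")[0] for k in matched}
        if len(kinds) >= min_kinds:
            hits.append((ind.value, sorted(matched)))
    return hits


def build_sample():
    """Constructed observations: one known indicator and three candidates."""
    d = date(2021, 11, 22)
    reg_a = Observation("registration", {"registrar": "Registrar-A (constructed)"}, d)
    reg_b = Observation("registration", {"registrar": "Registrar-B (constructed)"}, d)
    cert_a = Observation("x509", {"issuer": "Example CA (constructed)"}, d)
    cert_b = Observation("x509", {"issuer": "Other CA (constructed)"}, d)
    host_a = Observation("hosting", {"asn": "AS64500"}, d)
    host_b = Observation("hosting", {"asn": "AS64501"}, d)
    return [
        Indicator("mail-login.test").add(reg_a).add(cert_a).add(host_a),   # known-bad seed
        Indicator("news-portal.test").add(reg_a),                           # registrar only
        Indicator("secure-webmail.test").add(reg_a).add(host_a),            # two kinds
        Indicator("shop.test").add(reg_b).add(cert_b).add(host_b),          # unrelated
    ]


def run_example():
    sample = build_sample()
    pattern = seed_pattern(
        sample[0], ["registration.registrar", "x509.issuer", "hosting.asn"]
    )
    return hunt(sample, pattern)


if __name__ == "__main__":
    for value, matched in run_example():
        print(value, matched)
```

The `min_kinds` threshold is the point of the composite view: a single shared facet such as a registrar is common to vast numbers of benign domains, whereas agreement across registration, certificate and hosting observations is what makes a tendency worth pivoting on.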
IoC
92.38.135.213
9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed
http://msn-imap.com
http://onkrdot.info