Eric Partington

Feed - Suspicious TLDs

Blog Post created by Eric Partington Employee on Dec 4, 2017

Every year Symantec, McAfee and others publish research on the shadiest top-level domains on the internet, ranked by TLD. With the growth of vanity TLDs there are ever more options for registering a domain quickly, with potentially little oversight and security.


How can we use this knowledge in NetWitness to detect when traffic is sent to, or a DNS lookup is performed for, a host in one of these potentially shady TLDs?


White papers:

Larger list of extracted domains and use-case

The description in the Sigma rule's yml file seems like a good place to start:

description: Detects download of certain file types from hosts in suspicious TLDs 

We will focus on the first part, detecting communication with a host in a suspicious TLD, and do it with a feed. The second part, narrowing those sessions down to downloads of certain file types, is a simple application rule layered on top of the meta the feed writes.


With some Notepad++ editing we turn the rule's TLD list into a CSV: one TLD per row, followed by the values we want the feed to write into analysis.session and threat.category:

#tld,analysis.session,threat.category
country,suspect_tld,sigma_symantec_shady_domain_2017
stream,suspect_tld,sigma_symantec_shady_domain_2017
gdn,suspect_tld,sigma_symantec_shady_domain_2017
mom,suspect_tld,sigma_symantec_shady_domain_2017
xin,suspect_tld,sigma_symantec_shady_domain_2017
kim,suspect_tld,sigma_symantec_shady_domain_2017
men,suspect_tld,sigma_symantec_shady_domain_2017
loan,suspect_tld,sigma_symantec_shady_domain_2017

...


Now we create the feed definition XML file that maps the CSV columns to meta keys:


<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">

  <!-- CSV feed: lines starting with '#' are comments, fields are comma separated -->
  <FlatFileFeed comment="#" separator="," path="feed-sigma-proxydownloadsusptldsblacklist.csv" name="unified">

    <!-- The index column is matched, case-insensitively, against the tld meta key -->
    <MetaCallback name="InspectMeta" valuetype="Text" ignorecase="true">
      <Meta name="tld"/>
    </MetaCallback>

    <!-- Meta keys the feed writes on a match -->
    <LanguageKeys>
      <LanguageKey name="analysis.session" valuetype="Text"/>
      <LanguageKey name="threat.category" valuetype="Text"/>
    </LanguageKeys>

    <!-- CSV column 1 is the lookup index, columns 2 and 3 are the values written -->
    <Fields>
      <Field index="1" type="index" key="InspectMeta"/>
      <Field index="2" type="value" key="analysis.session"/>
      <Field index="3" type="value" key="threat.category"/>
    </Fields>
  </FlatFileFeed>
</FDF>


Now create the feed from the CSV and the XML definition and push it to the Decoders.

For every session the feed looks up the tld meta value in the first CSV column and, on a match, writes the second and third columns into analysis.session and threat.category.

Those enriched sessions can then be wrapped in an application rule if you are looking for specific file downloads from those TLDs, or used as a condition in ESA rules.


Application rule:

name="suspicious_download_shady_domain" rule="analysis.session='suspect_tld' && extension='exe','vbs','bat','rar','ps1','doc','docm','xls','xlsm','pptm','rtf','hta','dll','ws','wsf','sct','zip' " type=application alert=eoc

The rule fires only when the feed has tagged the session (analysis.session='suspect_tld') and the requested file has one of the listed extensions; alert=eoc records the rule name under the eoc (Enablers of Compromise) meta key rather than the default alert key.
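To check the two-stage logic (feed enrichment keyed on tld, then the application rule on extension) offline before pushing anything to the Decoders, here is an added Python emulation. It is not part of the original post and is not NetWitness code: the proxy log format, client addresses and hostnames are constructed for the demo, and the tld and extension extraction only approximates what the Decoder parsers populate.

```python
# Added example (not from the original post): emulate the feed definition and
# the application rule above over constructed proxy events. Log shape, client
# addresses and hostnames are made up; tld/extension extraction is approximate.
import csv
import io
from urllib.parse import urlsplit

# Constructed copy of the first rows of feed-sigma-proxydownloadsusptldsblacklist.csv
FEED_CSV = """\
#tld,analysis.session,threat.category
country,suspect_tld,sigma_symantec_shady_domain_2017
stream,suspect_tld,sigma_symantec_shady_domain_2017
gdn,suspect_tld,sigma_symantec_shady_domain_2017
mom,suspect_tld,sigma_symantec_shady_domain_2017
xin,suspect_tld,sigma_symantec_shady_domain_2017
kim,suspect_tld,sigma_symantec_shady_domain_2017
men,suspect_tld,sigma_symantec_shady_domain_2017
loan,suspect_tld,sigma_symantec_shady_domain_2017
"""

# The extension list from the application rule on the page.
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}
RULE_NAME = "suspicious_download_shady_domain"


def load_feed(text):
    """Parse the CSV (comment='#', separator=',') into {tld: {meta key: value}}.
    Index values are lower-cased to mirror ignorecase="true" on the MetaCallback."""
    feed = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        tld, session, category = (field.strip() for field in row)
        feed[tld.lower()] = {"analysis.session": session, "threat.category": category}
    return feed


def tld_of(host):
    """Last DNS label of a hostname, lower-cased; None for a bare IPv4 address or
    a single label. Tolerates a trailing dot and a :port suffix."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:  # strip :port (IPv6 literals are not handled here)
        host = host.rsplit(":", 1)[0]
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return None
    return labels[-1]


def extension_of(path):
    """File extension of a URL path, lower-cased, or None if there is none."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return None
    return name.rsplit(".", 1)[-1].lower() or None


def parse_proxy_line(line):
    """Constructed proxy log shape: '<client ip> <method> <url>' -> meta dict."""
    client, method, url = line.split()
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return {"ip.src": client, "action": method, "alias.host": host,
            "tld": tld_of(host), "extension": extension_of(parts.path)}


def enrich(event, feed):
    """Feed step: look up the tld meta and, on a hit, write the value columns."""
    event.update(feed.get((event.get("tld") or "").lower(), {}))
    return event


def apprule_fires(event):
    """analysis.session='suspect_tld' && extension='exe','vbs',... from the rule."""
    return (event.get("analysis.session") == "suspect_tld"
            and event.get("extension") in SUSPICIOUS_EXTENSIONS)


# Constructed sample traffic covering the cases worth checking.
SAMPLE_LOG = [
    "10.1.2.3 GET http://download.example.STREAM./setup.exe",  # mixed case, trailing dot
    "10.1.2.4 GET http://update.test.loan:8080/Invoice.DOCM",  # port, upper-case extension
    "10.1.2.5 GET http://files.example.men/report.pdf",        # feed hit, extension not listed
    "10.1.2.6 GET http://cdn.example.com/tool.exe",            # listed extension, normal TLD
    "10.1.2.7 GET http://10.0.0.5/payload.exe",                # bare IP: no tld meta at all
]


def detect(lines, feed_text=FEED_CSV):
    """Run feed enrichment, then the application rule; return the events that fired."""
    feed = load_feed(feed_text)
    fired = []
    for line in lines:
        event = enrich(parse_proxy_line(line), feed)
        if apprule_fires(event):
            event["eoc"] = RULE_NAME  # alert=eoc: the rule name lands in the eoc key
            fired.append(event)
    return fired
```

detect(SAMPLE_LOG) returns only the first two events: the .men download is tagged by the feed but .pdf is not in the extension list, the .com download has no feed hit, and the direct-to-IP download has no tld meta at all. That last case is worth remembering, since a feed keyed on tld cannot see downloads that go straight to an IP address.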

Outcomes