Takaaki Mori

Investigating a Malicious Site using NetWitness Live

Discussion created by Takaaki Mori Employee on Sep 17, 2016

When investigating a malware site using Live:


The Bambenek Consulting Live content with relatively high accuracy and fast updates is the following.

It also includes some false positives, but it does produce real detections.

I hope I can be of any help to you.


http://firstwat.ch/bekfp0 : DGA
http://firstwat.ch/3q1sow : C2 Domain


Report Rule:

threat.desc = 'http://firstwat.ch/bekfp0','http://firstwat.ch/3q1sow'


http://firstwat.ch/amg69b : C2 IP Address

'http://firstwat.ch/amg69b' includes the IP addresses of hosting sites.

So the DGA and C2 Domain threat.desc values are the better choice.
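As an added example (not from the original post and not NetWitness's own code), the following Python models how a report rule like the one above is evaluated over session meta: the rule parser is a simplified assumption of the syntax shown (a comma-separated value list is treated as OR), and the session records are constructed to include one hit from the C2 IP feed on a shared hosting address, which the rule leaves out.

```python
"""Constructed example: evaluate the threat.desc report rule from the post
against sample session meta. Simplified model of the rule syntax
(an assumption, not NetWitness's own parser)."""
import re

# Feed descriptors quoted in the post
DGA_FEED = "http://firstwat.ch/bekfp0"
C2_DOMAIN_FEED = "http://firstwat.ch/3q1sow"
C2_IP_FEED = "http://firstwat.ch/amg69b"

RULE = "threat.desc = 'http://firstwat.ch/bekfp0','http://firstwat.ch/3q1sow'"

_RULE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.+?)\s*$")


def parse_rule(rule):
    """Parse "key = 'v1','v2'" into (key, set of values).
    A comma-separated value list is treated as OR (any value matches)."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    key, rhs = m.group(1), m.group(2)
    values = set(re.findall(r"'([^']*)'", rhs))
    if not values:
        raise ValueError("no quoted values in rule")
    return key, values


def matches(rule, session):
    """True if any value of the session's meta key is in the rule's list."""
    key, values = parse_rule(rule)
    meta = session.get(key, [])
    if isinstance(meta, str):
        meta = [meta]
    return any(v in values for v in meta)


# Constructed sessions: meta keys can be multi-valued, so they are lists
SESSIONS = [
    {"sessionid": 1, "alias.host": "kq3v9xz1.example", "threat.desc": [DGA_FEED]},
    {"sessionid": 2, "alias.host": "bad-c2.example", "threat.desc": [C2_DOMAIN_FEED]},
    # Shared hosting IP listed by the C2 IP feed; the host itself is benign
    {"sessionid": 3, "alias.host": "blog.example", "threat.desc": [C2_IP_FEED]},
    {"sessionid": 4, "alias.host": "www.example", "threat.desc": []},
]


def report(rule, sessions=SESSIONS):
    """Session ids that the report rule would list."""
    return [s["sessionid"] for s in sessions if matches(rule, s)]


if __name__ == "__main__":
    print(report(RULE))  # [1, 2]: session 3 (hosting IP hit) is excluded
```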