SlideShare una empresa de Scribd logo

Malicious Domain Profiling

E Hacking
E Hacking

Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.

Datos y análisis
1 de 47
Descargar para leer sin conexión
APT  A%ribu*on  and  DNS  Profiling   Frankie  Li   ran2@vxrl.org   Twi4er:  @espionageware  
•  APT  A4ribu<on:  Who  wrote  these  codes?   •  Tac<cs,  Techniques  and  Procedures  (TTP)   •  Behavior  of  APT  adversary   •  HUMINT  extracted  from  DNS  or  Whois   •  Gather  intelligence  from  open  source   •  Dynamically  monitoring  of  PassiveDNS  è   PassiveWhois   •  Analysis  by  visualiza<on  tool  (Maltego)   •  MalProfile  Tools  and  demo   Agenda  
•  From  a  place  in  China,  but  not  so  China  ;)   •  Sunday  researcher  in  malware  analysis  and   digital  forensics     •  Part  <me  lecturer   •  A  Lazy  blogger  (espionageware.blogspot.com)   •  NOT  associated  with  PLA  61398  or  Mandiant   •  NOT  associated  with  PLA  61486  or   CrowdStrike  or  Taia  Global   Who  am  I?  
APT  ATTRIBUTION  
•  Disclaimer:  Not  going  to  provide  any  opinion  on   the  latest  indictment  or  Yoke  Bun  or  Clock  Tower   •  Not  a  major  concern  for  private  sector,  but  for  LE   or  intelligence  agencies   •  Not  difficult,  if  you  have  source  code   •  Not  hard,  if  you  focus  only  on  strings  &  human   readable  data  within  a  malware  program   •  But,  to  a4ribute  responsibility  with  “Certainty”  is   almost  impossible,  unless  they  make  a  mistake   APT  A%ribu*on  
•  Source  code  a4ribu<on   •  A4ributes  of  Windows  binaries   •  A4ribu<on  malware   •  A4ribu<on  of  APT  by  digital  DNA   Who  wrote  these  codes?  
•  The  term  Stylometry  refers  the  applica<on  of   a4ribute  the  authorship  by  coding  style   •  Kind  of  profiling  by  wri<ng  style   •  Comments  and  coding  crumbs   •  JStylo:  By  comparing  unknown  documents   with  a  known  candidate  author’s  document*   •  Not  a  solu<on  because  most  APT  samples   collected  are  compiled  binaries   Source  code  a%ribu*on   *Islam,  A.  (2013).  Poster:  Source   Code  Authorship  A4ribu<on  
•  PE  headers  are  des-­‐constructed  and  metadata   (ar<facts)  are  categorized  (Yonts,  2012)   •  Extract  the  technical  and  contextual  a4ributes   or  “genes”  from  different  “layers”  to  group   the  malware  (Xecure-­‐Lab,  2012  and  Pfeffer,   2012)   •  By  a  proprietary  reverse  engineering  and   behavioral  analysis  technology  (Digital  DNA,   2014)   A%ributes  of  Windows  Malware  
PE  Deconstruc*on  
A%ribu*on  Using  Gene*c  Informa*on   From:  Xecure-­‐Lab,  2012  
TACTICS,  TECHNIQUES  AND   PROCEDURES  (TTP)  
•  A4ribu<on:  Tracking  Cyber  Spies  &  Digital  Criminals  (Hoglund,   2010)   •  Forensics  marks  that  could  be  extracted  from  raw  data  in  three   intelligence  layers   –  Net  Recon   –  Developer  Fingerprints     –  Tac<cs,  Techniques,  and  Procedures  (TTP)   •  Among  these  three  layers,  TTP  should  carry  the  highest  intelligence   value  for  iden<fying  human  a4ackers   •  But,  near  impossibility  of  finding  the  human  actors  with  defini<ve   intelligence   –  Social  Cyberspace  (i.e.,  DIGINT)   –  Physical  Surveillance  (i.e.,  HUMINT)     Human  is  the  key   h4p://www.youtube.com/ watch?v=k4Ry1trQhDk      
Hoglund’s  malware  intel  life  *me    
•  A  military  term?   •  A  term  to  describe  the  behavior  of  adversary?   •  A  modern  term  to  replace  modus  operandi?   – the  method  of  opera<on   – The  habits  of  working   •  TTP  are  human-­‐influenced  factors   TTP  
Pyramid  of  Pain   From  David  Bianco’s  Blog   h4p://detect-­‐respond.blogspot.hk/2013/03/ the-­‐pyramid-­‐of-­‐pain.html  
TTP  OR  BEHAVIOR  OF  APT   ADVERSARY  
APT  life  cycle  
Extended  APT  life  cycle  
•  Domain  registra<on   •  Naming  conven<on  is  not  typo  squarng,  but  follows  a  pa4ern  of   meaningful  Chinese  PingYing  (拼音)   •  Crea<on  DNS-­‐IP  address  pairs   •  Engaging  a  “friendly  ISP”  to  use  a  por<on  of  their  C-­‐class  subnet  of   IP  addresses  situated  at  the  domicile  of  the  targeted  vic<ms   •  DNS  names  and  IP  addresses  may  be  cycled  for  reuse  (a.k.a.   campaigns),  which  may  provide  indica<ons  or  links  to  the  a4acker   groups   •  Embedding  mul<ple  DNS  A-­‐records  in  exploits   •  Preparing  spear-­‐phishing  email  content  aser  reconnaissance  of  the   targeted  vic<ms   •  Launching  malicious  a4achments  through  spear-­‐phishing  emails   APT  infrastructure  tac*cs  
•  The  exploits  drop  binaries  that  extract  the  DNS  records  and  begin   communica<ng  with  the  C2  by  resolving  the  IP  addresses  from  DNS   servers.     •  The  C2  servers  or  C2  proxies  register  the  infec<ons  on  the  C2  database   •  The  intelligence  analysts  of  the  a4acker  groups  review  the  preliminary   collected  informa<on  of  the  targeted  vic<ms  through  C2  portals.     •  The  infected  machines  are  further  instructed  to  perform  exfiltra<on  of   collect  further  intelligence  from  the  infected  machines.   •  The  infrastructure  technical  persons  of  the  a4acker  group  apply  changes   (domain  manipula<on)  to  the  DNS-­‐IP  address  pair,  domain  name   registra<on  informa<on  (Whois  informa<on),  and  the  “parked  domains”   from  <me  to  <me  or  when  a  specific  incident  occurs     •  In  contrast  with  the  Fast-­‐Flux  Services  Networks  men<oned  by  the   HoneyNet  Project,  the  informa<on  does  not  change  with  high  frequency   APT  infrastructure  tac*cs-­‐2  
HUMINT  EXTRACTED  FROM  DNS  
•  Domain  names:  A  Record,  Cname,  NS  record   •  Whois  records:  valid  email  address  (once),   name,  street  address,  name  servers   •  Parked-­‐domains:  temporary  IP  address   assigned  crea<on  of  first  DNS  record  on  the   name  server  (newly  created  domains  are  kept   under  1  IP  address  for  future  use)   What  is  kept  in  DNS  &  Whois  
•  Extract  DNS  from  the  malicious  code  (sandbox)   •  Lookup  the  currently  assigned  IP  address   •  Retrieve  all  parked-­‐domains  from  the  iden<fied   IP  address   •  Retrieve  whois  informa<on  from  the  iden<fied   domains   •  Update  iden<fied  record  to  a  rela<onal  database   for  future  analysis   •  Repeat  the  process  and  record  all  changes  in  the   database   HUMINT  intel  collected  
Intel  collec*on  process  
QUERIES  FROM  OPEN  SOURCE  
•  Nslookup   •  Whois   •  Domain  tools:  reverse  DNS  and  reverse  whois   •  h4p://bgp.he.net   •  h4p://virustotal.com   •  h4p://passivedns.mnemonic.no   •  h4ps://www.farsightsecurity.com   •  h4ps://www.passivetotal.org   Open  source  
DomainTools  –  Ouch!  
h%p://bgp.he.net  
PASSIVE  DNS  TO  PASSIVE  WHOIS  
•  Passive  DNS  is  a  technology  that  constructs  zone  replicas   without  coopera<on  from  zone  administrators,  and  is   based  on  captured  name  server  response   •  Passive  DNS  is  a  highly  scalable  network  design  that  stores   and  indexes  both  historical  DNS  data  that  can  help  answer   ques<ons  such  as:   –  where  did  this  domain  name  point  to  in  the  past   –  which  domain  name  points  to  a  given  IP  network   •  VirusTotal  kept  passive  DNS  records  collected  from   malicious  samples   •  Higher  chance  malicious  historical  DNS-­‐IP  records     Passive  DNS  
VirusTotal  -­‐  PassiveDNS  
•  There  are  no  open  source  keeping  those   whois  changes,  like  VirusTotal  Passive  DNS   project  (or  whois  history  at  who.is)   •  By  stepping  through  the  IP  lookup,  retrieval  of   parked-­‐domains  and  whois  lookup,  any   changes  will  then  be  updated  to  a  rela<onal   database   Passive  Whois  
Passive  Whois  
ANALYSIS  BY  VISUALIZATION   MALTEGO  
Sample  called  OverProtect  
CONCLUSION  
•  Con<nuously  monitoring  “whois  servers”  and   DNS–IP  address  pairs   •  Intelligence  may  be  lost  if  they  change  their  TTP   in  the  future,  par<cularly  aser  the  publica<on  of   this  paper   •  TTP  are  determined  by  the  cultural  background   of  the  a4acker  groups   •  The  intelligence  collec<on  process  should  thus  be   adjusted  toward  these  changes  and  analysts   should  have  the  same  cultural  mindset   Intui*ve  views  on  the  a%ribu*on  of     APT  
•  All  discussed  methods  may  generate  some  value  to  the   a4ribu<on   •  But,  TTP  should  carry  the  highest  intelligence  value  for   iden<fying  human  a4ackers   •  Any  ar<facts  that  support  the  highest  human  link  should  be   allocated  with  highest  value  to  the  a4ribu<on   •  However,  the  increasing  sharing  of  TTP  and  tools  by  various   actors  may  reduce  the  reliability  to  associate  with  them.   (I’ve    read  a  paper  promo<ng  a  framework  called  OpenAPT)   •  Another  challenging  factor  is  a4ribu<on  intelligence  are   not  shared  enough  and  intelligence  community  are  not   fully  understood   Is  a%ribu*on  with  certainty  possible?  
TOOLS  
•  The  tools  consists  of  2  parts:   – MalProfile  script  to  grabbing  intelligence  from  the   Internet   – Maltego  Local  Transforms  to  help  analysis  process   MalProfile  Tools  and  MalProfile  Local   Transforms  
MalProfile.py  
•  Special  thanks  go  to  Kenneth  Tse  and  Eric  Yuen   who  is  upgrading  my  messy  code  into  a  class   •  You  can  find  the  code  at:  h4ps:// code.google.com/p/malicious-­‐domain-­‐profiling/   •  To  allow  more  intelligence  can  be  added  when   new  TTP  be  iden<fied   •  Any  interested  are  welcome  to  contribute  to  this   project.  Please  contact  ran2@vxrl.org  or   kennetht@gmail.com   Google  Project  
malicious-­‐domain-­‐profiling  
DEMO  
Sample  called  OverProtect  and   Insurance  
Frankie  Li   Ran2@vxrl.org   h4p://espionageware.blogspot.com       Thank  you!   Q&A  
Frankie  Li   Ran2@vxrl.org   h4p://espionageware.blogspot.com       Please  complete  the  Speaker   Feedback  Surveys  

Recomendados

Clean dns technical_enus
Clean dns technical_enusClean dns technical_enus
Clean dns technical_enusBruno Guerreiro, COBIT, ITIL, MCSO, LPIC3 Security
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Paladion Networks
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wiresharkn|u - The Open Security Community
 
Network based file carving
Network based file carvingNetwork based file carving
Network based file carvingGTKlondike
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Ariu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesAriu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesPluribus One
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 

Recomendados

Clean dns technical_enus
Clean dns technical_enusClean dns technical_enus
Clean dns technical_enusBruno Guerreiro, COBIT, ITIL, MCSO, LPIC3 Security
 
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi...Paladion Networks
 
Network Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using WiresharkNetwork Forensics: Packet Analysis Using Wireshark
Network Forensics: Packet Analysis Using Wiresharkn|u - The Open Security Community
 
Network based file carving
Network based file carvingNetwork based file carving
Network based file carvingGTKlondike
 
Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014Applied Detection and Analysis Using Flow Data - MIRCon 2014
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 
Ariu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesAriu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesPluribus One
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi
 
Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration TestingJeffery Brown
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologySam Bowne
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopPriyanka Aash
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Santosh Khadsare
 
Network security
Network securityNetwork security
Network securityGreater Noida Institute Of Technology
 
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...Neo4j
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scopeINSIGHT FORENSIC
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationSam Bowne
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testingAbdul Rahman
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCSheetal Dolas
 
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4jInvestigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4jNeo4j
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 

Más contenido relacionado

La actualidad más candente

Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Islam Azeddine Mennouchi
 
Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration TestingJeffery Brown
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologySam Bowne
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration toolsJenishChauhan4
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsCisco Canada
 
Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopPriyanka Aash
 
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...Neo4j
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scopeINSIGHT FORENSIC
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationSam Bowne
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testingAbdul Rahman
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCSheetal Dolas
 
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4jInvestigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4jNeo4j
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsSam Bowne
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer AttacksArun Modi
 

La actualidad más candente (20)

Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013Forensic Analysis - Empower Tech Days 2013
Forensic Analysis - Empower Tech Days 2013
 
Vulnerability and Penetration Testing
Vulnerability and Penetration TestingVulnerability and Penetration Testing
Vulnerability and Penetration Testing
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis Methodology
 
Hacking - penetration tools
Hacking - penetration toolsHacking - penetration tools
Hacking - penetration tools
 
Leverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage ThreatsLeverage the Network to Detect and Manage Threats
Leverage the Network to Detect and Manage Threats
 
Network Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques WorkshopNetwork Forensic Tools & Techniques Workshop
Network Forensic Tools & Techniques Workshop
 
Lec 1 apln security(4pd)
Lec 1 apln security(4pd)Lec 1 apln security(4pd)
Lec 1 apln security(4pd)
 
Network security
Network securityNetwork security
Network security
 
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
Neo4j Partner Tag Berlin - Investigating the Panama Papers connections with n...
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
 
CNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident PreparationCNIT 152: 3 Pre-Incident Preparation
CNIT 152: 3 Pre-Incident Preparation
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
CNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 LeadsCNIT 152: 4 Starting the Investigation & 5 Leads
CNIT 152: 4 Starting the Investigation & 5 Leads
 
Phases of penetration testing
Phases of penetration testingPhases of penetration testing
Phases of penetration testing
 
Open Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOCOpen Security Operations Center - OpenSOC
Open Security Operations Center - OpenSOC
 
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4jInvestigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
Investigating the Panama Papers Connections with Neo4j - Stefan Komar, Neo4j
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
 
CNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World IncidentsCNIT 152: 1 Real-World Incidents
CNIT 152: 1 Real-World Incidents
 
Network And Application Layer Attacks
Network And Application Layer AttacksNetwork And Application Layer Attacks
Network And Application Layer Attacks
 

Similar a Malicious Domain Profiling

Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
 
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxDafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxAlfredObia1
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51martinvoelk
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Cyberscout Presentation
Cyberscout PresentationCyberscout Presentation
Cyberscout PresentationFiroze Hussain
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...OpenDNS
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS MeasurementsAFRINIC
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber securityKAMALI PRIYA P
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 

Similar a Malicious Domain Profiling (20)

Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gle
 
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisDistributed Sensor Data Contextualization for Threat Intelligence Analysis
Distributed Sensor Data Contextualization for Threat Intelligence Analysis
 
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxDafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
 
Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51Penetration Testing Services Technical Description Cyber51
Penetration Testing Services Technical Description Cyber51
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Footprinting tools for security auditors
Footprinting tools for security auditorsFootprinting tools for security auditors
Footprinting tools for security auditors
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Cyberscout Presentation
Cyberscout PresentationCyberscout Presentation
Cyberscout Presentation
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
 
Network traffic analysis with cyber security
Network traffic analysis with cyber securityNetwork traffic analysis with cyber security
Network traffic analysis with cyber security
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
ethical Hack
ethical Hackethical Hack
ethical Hack
 
Wm4
Wm4Wm4
Wm4
 

Más de E Hacking

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyE Hacking
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devicesE Hacking
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attackE Hacking
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsE Hacking
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hackerE Hacking
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldE Hacking
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TORE Hacking
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkE Hacking
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingE Hacking
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itE Hacking
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitE Hacking
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their MastersE Hacking
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsE Hacking
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouE Hacking
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCE Hacking
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at HomeE Hacking
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceE Hacking
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperE Hacking
 

Más de E Hacking (20)

CEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH AcademyCEH and Security+ Training Outline - EH Academy
CEH and Security+ Training Outline - EH Academy
 
Threats against the next billion devices
Threats against the next billion devicesThreats against the next billion devices
Threats against the next billion devices
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilities
 
New Developments in the BREACH attack
New Developments in the BREACH attackNew Developments in the BREACH attack
New Developments in the BREACH attack
 
Exploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit SystemsExploiting Linux On 32-bit and 64-bit Systems
Exploiting Linux On 32-bit and 64-bit Systems
 
Most Important steps to become a hacker
Most Important steps to become a hackerMost Important steps to become a hacker
Most Important steps to become a hacker
 
Penetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the BattlefieldPenetrating the Perimeter - Tales from the Battlefield
Penetrating the Perimeter - Tales from the Battlefield
 
Website fingerprinting on TOR
Website fingerprinting on TORWebsite fingerprinting on TOR
Website fingerprinting on TOR
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Stalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon TalkStalking a City for Fun and Frivolity" Defcon Talk
Stalking a City for Fun and Frivolity" Defcon Talk
 
Hacking Wireless World, RFID hacking
Hacking Wireless World, RFID hackingHacking Wireless World, RFID hacking
Hacking Wireless World, RFID hacking
 
Abusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get itAbusing Microsoft Kerberos - Sorry you guys don’t get it
Abusing Microsoft Kerberos - Sorry you guys don’t get it
 
Searching Shodan For Fun And Profit
Searching Shodan For Fun And ProfitSearching Shodan For Fun And Profit
Searching Shodan For Fun And Profit
 
The Machines that Betrayed their Masters
The Machines that Betrayed their MastersThe Machines that Betrayed their Masters
The Machines that Betrayed their Masters
 
Detecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance SystemsDetecting Bluetooth Surveillance Systems
Detecting Bluetooth Surveillance Systems
 
Unmasking or De-Anonymizing You
Unmasking or De-Anonymizing YouUnmasking or De-Anonymizing You
Unmasking or De-Anonymizing You
 
WhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POCWhatsApp Chat Hacking/Stealing POC
WhatsApp Chat Hacking/Stealing POC
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at Home
 
Social Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligenceSocial Media Monitoring tools as an OSINT platform for intelligence
Social Media Monitoring tools as an OSINT platform for intelligence
 
LDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections PaperLDAP Injections & Blind LDAP Injections Paper
LDAP Injections & Blind LDAP Injections Paper
 

Último

Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...amitlee9823
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightDelhi Call girls
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsJoseMangaJr1
 
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNKDATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNKTimothy Spann
 
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...amitlee9823
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...amitlee9823
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecurePooja Nehwal
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...amitlee9823
 
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...karishmasinghjnh
 
Detecting Credit Card Fraud: A Machine Learning Approach
Detecting Credit Card Fraud: A Machine Learning ApproachDetecting Credit Card Fraud: A Machine Learning Approach
Detecting Credit Card Fraud: A Machine Learning ApproachBoston Institute of Analytics
 
hybrid Seed Production In Chilli & Capsicum.pptx
hybrid Seed Production In Chilli & Capsicum.pptxhybrid Seed Production In Chilli & Capsicum.pptx
hybrid Seed Production In Chilli & Capsicum.pptx9to5mart
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Valters Lauzums
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 

Último (20)

Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Bommasandra Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
Probability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter LessonsProbability Grade 10 Third Quarter Lessons
Probability Grade 10 Third Quarter Lessons
 
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNKDATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
DATA SUMMIT 24 Building Real-Time Pipelines With FLaNK
 
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
Call Girls Jalahalli Just Call 👗 7737669865 👗 Top Class Call Girl Service Ban...
 
Anomaly detection and data imputation within time series
Anomaly detection and data imputation within time seriesAnomaly detection and data imputation within time series
Anomaly detection and data imputation within time series
 
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night StandCall Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Doddaballapur Road ☎ 7737669865 🥵 Book Your One night Stand
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...
➥🔝 7737669865 🔝▻ Dindigul Call-girls in Women Seeking Men 🔝Dindigul🔝 Escor...
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
➥🔝 7737669865 🔝▻ malwa Call-girls in Women Seeking Men 🔝malwa🔝 Escorts Ser...
 
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
👉 Amritsar Call Girl 👉📞 6367187148 👉📞 Just📲 Call Ruhi Call Girl Phone No Amri...
 
Detecting Credit Card Fraud: A Machine Learning Approach
Detecting Credit Card Fraud: A Machine Learning ApproachDetecting Credit Card Fraud: A Machine Learning Approach
Detecting Credit Card Fraud: A Machine Learning Approach
 
hybrid Seed Production In Chilli & Capsicum.pptx
hybrid Seed Production In Chilli & Capsicum.pptxhybrid Seed Production In Chilli & Capsicum.pptx
hybrid Seed Production In Chilli & Capsicum.pptx
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
Digital Advertising Lecture for Advanced Digital & Social Media Strategy at U...
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night StandCall Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Attibele ☎ 7737669865 🥵 Book Your One night Stand
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 

Malicious Domain Profiling

  • 1. APT  A%ribu*on  and  DNS  Profiling   Frankie  Li   ran2@vxrl.org   Twi4er:  @espionageware  
  • 2. •  APT  A4ribu<on:  Who  wrote  these  codes?   •  Tac<cs,  Techniques  and  Procedures  (TTP)   •  Behavior  of  APT  adversary   •  HUMINT  extracted  from  DNS  or  Whois   •  Gather  intelligence  from  open  source   •  Dynamically  monitoring  of  PassiveDNS  è   PassiveWhois   •  Analysis  by  visualiza<on  tool  (Maltego)   •  MalProfile  Tools  and  demo   Agenda  
  • 3. •  From  a  place  in  China,  but  not  so  China  ;)   •  Sunday  researcher  in  malware  analysis  and   digital  forensics     •  Part  <me  lecturer   •  A  Lazy  blogger  (espionageware.blogspot.com)   •  NOT  associated  with  PLA  61398  or  Mandiant   •  NOT  associated  with  PLA  61486  or   CrowdStrike  or  Taia  Global   Who  am  I?  
  • 5. •  Disclaimer:  Not  going  to  provide  any  opinion  on   the  latest  indictment  or  Yoke  Bun  or  Clock  Tower   •  Not  a  major  concern  for  private  sector,  but  for  LE   or  intelligence  agencies   •  Not  difficult,  if  you  have  source  code   •  Not  hard,  if  you  focus  only  on  strings  &  human   readable  data  within  a  malware  program   •  But,  to  a4ribute  responsibility  with  “Certainty”  is   almost  impossible,  unless  they  make  a  mistake   APT  A%ribu*on  
  • 6. •  Source  code  a4ribu<on   •  A4ributes  of  Windows  binaries   •  A4ribu<on  malware   •  A4ribu<on  of  APT  by  digital  DNA   Who  wrote  these  codes?  
  • 7. •  The  term  Stylometry  refers  the  applica<on  of   a4ribute  the  authorship  by  coding  style   •  Kind  of  profiling  by  wri<ng  style   •  Comments  and  coding  crumbs   •  JStylo:  By  comparing  unknown  documents   with  a  known  candidate  author’s  document*   •  Not  a  solu<on  because  most  APT  samples   collected  are  compiled  binaries   Source  code  a%ribu*on   *Islam,  A.  (2013).  Poster:  Source   Code  Authorship  A4ribu<on  
  • 8. •  PE  headers  are  des-­‐constructed  and  metadata   (ar<facts)  are  categorized  (Yonts,  2012)   •  Extract  the  technical  and  contextual  a4ributes   or  “genes”  from  different  “layers”  to  group   the  malware  (Xecure-­‐Lab,  2012  and  Pfeffer,   2012)   •  By  a  proprietary  reverse  engineering  and   behavioral  analysis  technology  (Digital  DNA,   2014)   A%ributes  of  Windows  Malware  
  • 10. A%ribu*on  Using  Gene*c  Informa*on   From:  Xecure-­‐Lab,  2012  
  • 11. TACTICS,  TECHNIQUES  AND   PROCEDURES  (TTP)  
  • 12. •  A4ribu<on:  Tracking  Cyber  Spies  &  Digital  Criminals  (Hoglund,   2010)   •  Forensics  marks  that  could  be  extracted  from  raw  data  in  three   intelligence  layers   –  Net  Recon   –  Developer  Fingerprints     –  Tac<cs,  Techniques,  and  Procedures  (TTP)   •  Among  these  three  layers,  TTP  should  carry  the  highest  intelligence   value  for  iden<fying  human  a4ackers   •  But,  near  impossibility  of  finding  the  human  actors  with  defini<ve   intelligence   –  Social  Cyberspace  (i.e.,  DIGINT)   –  Physical  Surveillance  (i.e.,  HUMINT)     Human  is  the  key   h4p://www.youtube.com/ watch?v=k4Ry1trQhDk      
  • 13. Hoglund’s  malware  intel  life  *me    
  • 14. •  A  military  term?   •  A  term  to  describe  the  behavior  of  adversary?   •  A  modern  term  to  replace  modus  operandi?   – the  method  of  opera<on   – The  habits  of  working   •  TTP  are  human-­‐influenced  factors   TTP  
  • 15. Pyramid  of  Pain   From  David  Bianco’s  Blog   h4p://detect-­‐respond.blogspot.hk/2013/03/ the-­‐pyramid-­‐of-­‐pain.html  
  • 16. TTP  OR  BEHAVIOR  OF  APT   ADVERSARY  
  • 18. Extended  APT  life  cycle  
  • 19. •  Domain  registra<on   •  Naming  conven<on  is  not  typo  squarng,  but  follows  a  pa4ern  of   meaningful  Chinese  PingYing  (拼音)   •  Crea<on  DNS-­‐IP  address  pairs   •  Engaging  a  “friendly  ISP”  to  use  a  por<on  of  their  C-­‐class  subnet  of   IP  addresses  situated  at  the  domicile  of  the  targeted  vic<ms   •  DNS  names  and  IP  addresses  may  be  cycled  for  reuse  (a.k.a.   campaigns),  which  may  provide  indica<ons  or  links  to  the  a4acker   groups   •  Embedding  mul<ple  DNS  A-­‐records  in  exploits   •  Preparing  spear-­‐phishing  email  content  aser  reconnaissance  of  the   targeted  vic<ms   •  Launching  malicious  a4achments  through  spear-­‐phishing  emails   APT  infrastructure  tac*cs  
  • 20. •  The  exploits  drop  binaries  that  extract  the  DNS  records  and  begin   communica<ng  with  the  C2  by  resolving  the  IP  addresses  from  DNS   servers.     •  The  C2  servers  or  C2  proxies  register  the  infec<ons  on  the  C2  database   •  The  intelligence  analysts  of  the  a4acker  groups  review  the  preliminary   collected  informa<on  of  the  targeted  vic<ms  through  C2  portals.     •  The  infected  machines  are  further  instructed  to  perform  exfiltra<on  of   collect  further  intelligence  from  the  infected  machines.   •  The  infrastructure  technical  persons  of  the  a4acker  group  apply  changes   (domain  manipula<on)  to  the  DNS-­‐IP  address  pair,  domain  name   registra<on  informa<on  (Whois  informa<on),  and  the  “parked  domains”   from  <me  to  <me  or  when  a  specific  incident  occurs     •  In  contrast  with  the  Fast-­‐Flux  Services  Networks  men<oned  by  the   HoneyNet  Project,  the  informa<on  does  not  change  with  high  frequency   APT  infrastructure  tac*cs-­‐2  
  • 22. •  Domain  names:  A  Record,  Cname,  NS  record   •  Whois  records:  valid  email  address  (once),   name,  street  address,  name  servers   •  Parked-­‐domains:  temporary  IP  address   assigned  crea<on  of  first  DNS  record  on  the   name  server  (newly  created  domains  are  kept   under  1  IP  address  for  future  use)   What  is  kept  in  DNS  &  Whois  
  • 23. •  Extract  DNS  from  the  malicious  code  (sandbox)   •  Lookup  the  currently  assigned  IP  address   •  Retrieve  all  parked-­‐domains  from  the  iden<fied   IP  address   •  Retrieve  whois  informa<on  from  the  iden<fied   domains   •  Update  iden<fied  record  to  a  rela<onal  database   for  future  analysis   •  Repeat  the  process  and  record  all  changes  in  the   database   HUMINT  intel  collected  
  • 25. QUERIES  FROM  OPEN  SOURCE  
  • 26. •  Nslookup   •  Whois   •  Domain  tools:  reverse  DNS  and  reverse  whois   •  h4p://bgp.he.net   •  h4p://virustotal.com   •  h4p://passivedns.mnemonic.no   •  h4ps://www.farsightsecurity.com   •  h4ps://www.passivetotal.org   Open  source  
  • 29. PASSIVE  DNS  TO  PASSIVE  WHOIS  
  • 30. •  Passive  DNS  is  a  technology  that  constructs  zone  replicas   without  coopera<on  from  zone  administrators,  and  is   based  on  captured  name  server  response   •  Passive  DNS  is  a  highly  scalable  network  design  that  stores   and  indexes  both  historical  DNS  data  that  can  help  answer   ques<ons  such  as:   –  where  did  this  domain  name  point  to  in  the  past   –  which  domain  name  points  to  a  given  IP  network   •  VirusTotal  kept  passive  DNS  records  collected  from   malicious  samples   •  Higher  chance  malicious  historical  DNS-­‐IP  records     Passive  DNS  
  • 32. •  There  are  no  open  source  keeping  those   whois  changes,  like  VirusTotal  Passive  DNS   project  (or  whois  history  at  who.is)   •  By  stepping  through  the  IP  lookup,  retrieval  of   parked-­‐domains  and  whois  lookup,  any   changes  will  then  be  updated  to  a  rela<onal   database   Passive  Whois  
  • 37. •  Con<nuously  monitoring  “whois  servers”  and   DNS–IP  address  pairs   •  Intelligence  may  be  lost  if  they  change  their  TTP   in  the  future,  par<cularly  aser  the  publica<on  of   this  paper   •  TTP  are  determined  by  the  cultural  background   of  the  a4acker  groups   •  The  intelligence  collec<on  process  should  thus  be   adjusted  toward  these  changes  and  analysts   should  have  the  same  cultural  mindset   Intui*ve  views  on  the  a%ribu*on  of     APT  
  • 38. •  All  discussed  methods  may  generate  some  value  to  the   a4ribu<on   •  But,  TTP  should  carry  the  highest  intelligence  value  for   iden<fying  human  a4ackers   •  Any  ar<facts  that  support  the  highest  human  link  should  be   allocated  with  highest  value  to  the  a4ribu<on   •  However,  the  increasing  sharing  of  TTP  and  tools  by  various   actors  may  reduce  the  reliability  to  associate  with  them.   (I’ve    read  a  paper  promo<ng  a  framework  called  OpenAPT)   •  Another  challenging  factor  is  a4ribu<on  intelligence  are   not  shared  enough  and  intelligence  community  are  not   fully  understood   Is  a%ribu*on  with  certainty  possible?  
  • 40. •  The  tools  consists  of  2  parts:   – MalProfile  script  to  grabbing  intelligence  from  the   Internet   – Maltego  Local  Transforms  to  help  analysis  process   MalProfile  Tools  and  MalProfile  Local   Transforms  
  • 42. •  Special  thanks  go  to  Kenneth  Tse  and  Eric  Yuen   who  is  upgrading  my  messy  code  into  a  class   •  You  can  find  the  code  at:  h4ps:// code.google.com/p/malicious-­‐domain-­‐profiling/   •  To  allow  more  intelligence  can  be  added  when   new  TTP  be  iden<fied   •  Any  interested  are  welcome  to  contribute  to  this   project.  Please  contact  ran2@vxrl.org  or   kennetht@gmail.com   Google  Project  
  • 45. Sample  called  OverProtect  and   Insurance  
  • 46. Frankie  Li   Ran2@vxrl.org   h4p://espionageware.blogspot.com       Thank  you!   Q&A  
  • 47. Frankie  Li   Ran2@vxrl.org   h4p://espionageware.blogspot.com       Please  complete  the  Speaker   Feedback  Surveys