This blog post is sponsored by DomainTools. For more information and product trials please visit https://securityweekly.com/domaintools.
Malicious or Not?
The above question runs through the brains of SOC analysts across the world multiple times per day. When you are analyzing security events looking for the “bad” things, you often come across a domain that requires investigation. Domains are an integral part of almost any security investigation, as they can appear in malware samples, malicious JavaScript, several different types of logs, and of course directly from your network (via a SPAN port) or from your DNS servers if you are logging all queries. If you are not analyzing all of your DNS queries, you should be, as a domain can be a reliable indicator of malicious activity. While there are several tools and techniques available to gather information about a domain, DomainTools has consolidated this information, making it easy to pivot and investigate domains using Iris. I had a chance to use Iris to investigate some domains, and was very impressed. My methodology from start to finish is outlined below.
Collecting Domain Data
My setup is fairly traditional as I use a network SPAN port along with the Security Onion to collect data about my network for security analysis. I used a Cisco switch with the following commands to set up the SPAN port:
monitor session 1 source vlan 172
monitor session 1 destination interface Gi0/39 encapsulation replicate
By default, the first command will monitor traffic in both directions on the specified VLAN. The second command sends the monitor session traffic to port Gi0/39; “encapsulation replicate” makes the destination port replicate the encapsulation of the source, so we get BPDUs and other Layer 2 traffic as well.
I set up the Security Onion on an Ubuntu server. Documentation for this setup can be found over at the Security Onion website.
Additional Modules – Baby Domains
I installed the DomainStats add-on, written by Mark Baggett and packaged in Docker by Justin Henderson. With DomainStats, Security Onion will report on domain age, listing domains that are younger than 60 days. New domains can be suspect, as attackers will often register new domains for their C2 channels.
https://github.com/SMAPPER/docker_domain_stats
https://github.com/Security-Onion-Solutions/security-onion/wiki/DomainStats
Parsing Query Logs
By default Bro, as part of the Security Onion, will begin to log all of the DNS queries observed on the network. It stores them in /nsm/bro/logs/current (and archives older logs, gzipped, into separate directories by date). I use the following command to save all of the queried domains to a file:
$ zcat dns.* | jq -r '.query // empty' | sort | uniq -c | sort -n | egrep -v '\.(com|net|org|edu)$' > ~/domain.list
The jq command is a newer addition to the Security Onion; it parses the JSON log lines and returns just the queried domain name from each record (-r prints the names without surrounding quotes, and “// empty” skips records that have no query field). Next we use basic Bash commands to get a unique, counted list and remove the common top-level domains (the dots are escaped and the pattern is anchored to the end of the line so that only the TLD itself is matched). This was an approach I used to pare down the list into the domains that may be more interesting. I then searched through the results for specific top-level domains. Using the following commands I reviewed the domains from Russia and China, as I thought that might be a good start:
$ egrep -v '(in-addr\.|psw\.io|\.local|\.io)' domain.list | grep '\.ru$'
$ egrep -v '(in-addr\.|psw\.io|\.local|\.io)' domain.list | grep '\.cn$'
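The same triage as the shell pipeline above, as an added Python example that is not from this post or from Security Onion: it reads Zeek/Bro JSON dns.log lines, drops records with no query, reverse lookups, .local names and the common TLDs, collapses hostnames to their registrable domain so that subdomains of one registration are counted together (a step the pipeline above does not do), and groups the rest by TLD. The log lines are constructed samples, and the two-label registrable-domain rule is a simplifying assumption.

```python
"""Triage Zeek/Bro JSON dns.log records for domains worth a closer look."""
import json
from collections import Counter

# Constructed sample records in Zeek JSON dns.log form (not real traffic).
SAMPLE_DNS_LOG = """\
{"ts":1520000000.1,"id.orig_h":"10.0.0.5","query":"www.example.com","qtype_name":"A"}
{"ts":1520000000.2,"id.orig_h":"10.0.0.5","query":"update.badhost.ru","qtype_name":"A"}
{"ts":1520000000.3,"id.orig_h":"10.0.0.7","query":"cdn.badhost.ru","qtype_name":"A"}
{"ts":1520000000.4,"id.orig_h":"10.0.0.7","query":"5.0.0.10.in-addr.arpa","qtype_name":"PTR"}
{"ts":1520000000.5,"id.orig_h":"10.0.0.9","query":"printer.local","qtype_name":"A"}
{"ts":1520000000.6,"id.orig_h":"10.0.0.9","query":"mail.example.cn","qtype_name":"MX"}
{"ts":1520000000.7,"id.orig_h":"10.0.0.9","query":"UPDATE.badhost.ru.","qtype_name":"A"}
{"ts":1520000000.8,"id.orig_h":"10.0.0.9","qtype_name":"A"}
"""

COMMON_TLDS = {"com", "net", "org", "edu"}                 # noisy TLDs dropped, as on the page
NOISE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa", ".local")  # reverse lookups and mDNS names

def registrable_domain(name):
    """Collapse a FQDN to its last two labels (e.g. badhost.ru). Assumption:
    multi-label public suffixes such as co.uk are not handled here."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def triage_dns_log(text):
    """Return {tld: Counter({registrable_domain: query_count})}, skipping
    records with no query, reverse/.local names and the common TLDs."""
    by_tld = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Normalise case and a trailing dot so the same name is counted once.
        query = (json.loads(line).get("query") or "").rstrip(".").lower()
        if not query or query.endswith(NOISE_SUFFIXES):
            continue
        domain = registrable_domain(query)
        tld = domain.rsplit(".", 1)[-1]
        if tld in COMMON_TLDS:
            continue
        by_tld.setdefault(tld, Counter())[domain] += 1
    return by_tld

def domains_for_tld(by_tld, tld):
    """Domains under one TLD, most-queried first, ready to paste into Iris."""
    return [d for d, _ in by_tld.get(tld, Counter()).most_common()]

if __name__ == "__main__":
    print({t: domains_for_tld(triage_dns_log(SAMPLE_DNS_LOG), t) for t in ("ru", "cn")})
```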
As it turns out, one of the domains from Russia was identified by DomainTools Iris as being “bad”, earning a score of 100:
You can also see the list of other domains that are associated with ns.parens.ru. While most also earn a score of 100, there is a shorter list of domains that have a lower score, but are likely malicious by association. Their score is lower because they likely have not yet been used in an active command and control channel by an attacker (or group of attackers). It should also be noted that you can paste in multiple domains at once, consolidating them into one investigation.
Conclusion
DomainTools Iris is a fantastic addition to your analysis toolset, providing insights into domains that are malicious and, even cooler, those domains that will be malicious in the future! To see the full technical segment and Iris demo, check out my segment on Paul’s Security Weekly:
While I used Iris on my own, there are some great collaborative features as you can add notes to your investigation and share with others on your team.