280. Hunting for Suspicious TLDs

Hello everyone!

We already looked how to use parts of URLs in our threat hunting missions, let's look at another similar artefact - TLDs.

In some cases adversaries use quite exotic TLDs for their infrastructure. Let's look at a recent example related to Rhadamanthys (yes, again). Most of the domains have quite suspicious TLDs, for example:

  • cloud341[.]autos
  • cloud341[.]baby
  • cloud341[.]icu
  • cloud341[.]lol
  • cloud341[.]monster
  • cloud34221[.]hair
  • cloud34221[.]homes
  • cloud34221[.]quest
  • cloud343[.]boats
  • cloud9342[.]beauty

Worth a hunting query, right?

event_type: "dnsreqwin"

AND

dns_rname: (*.autos OR *.baby OR *.icu OR *.lol OR *.monster OR *.hair OR *.homes OR *.quest OR *.boats OR *.beauty)

See you tomorrow!


Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access