This blog post is sponsored by DomainTools. For more information and product trials please visit https://securityweekly.com/domaintools.
Malicious or Not?
Collecting Domain Data
My setup is fairly traditional as I use a network SPAN port along with The Security Onion to collect data about my network for security analysis. I used a Cisco switch with the following commands to setup the SPAN port:
monitor session 1 source vlan 172
monitor session 1 destination interface Gi0/39 encapsulation replicate
By default, the first command will monitor traffic in both directions on the specified VLAN. We then send the monitor session traffic to port Gi0/39, using the encapsulation method as the source interface, giving us BPDU and Layer 2 traffic as well (Further reading)
I setup the Security Onion on an Ubuntu server. Documentation for this setup can be found over at the Security Onion Website.
Additional Modules – Baby Domains
I installed the DomainStats add-on, written by Mark Bagget and implemented in Docker by Justin Henderson, Security Onion, using DomainStats, will report on domain age, listing domains that are younger than 60 days. New domains can be suspect as C2 channels will often register new domains for communication.
A list of baby domains in the Security Onion Kibana interface.
Parsing Query Logs
By default Bro, as part of the Security Onion, will beging to log all of the DNS queries observed on the network. It stores them in /nsm/bro/logs/current (and archives older logs into separate directories by date). I use the following command to save all of the queried domains to a file:
$ zcat dns.* | jq .query | uniq -c | sort -n |
uniq | egrep -v ‘(.com|.net|.org|.edu)’ > ~/domain.list
The “jq query” command is a newer addition to the Security Onion and will parse the JSON output and return just the domain names in the logs. Next we use basic Bash commands to get a unique list and remove common top-level domains. This was an approach I used to pair down the list into the domains that may be more interesting. I then searched through the results for specific top-level domains. Using the following commands I reviewed the domains from China and Russia as I thought that might be a good start:
$ egrep -v ‘(in-addr.|psw.io|.local|.io)’ domain.list | grep “.ru”
$ egrep -v ‘(in-addr.|psw.io|.local|.io)’ domain.list | grep “.cn”
As it turns out, one of the domains from Russia was identified by DomainTools Iris as being “bad”, earning a score of 100:
You can also see the list of other domains that are associated with ns.parens.ru. While most also earn a score of 100, there is a shorter list of domains that have a lower score, but are likely malicious by association. Their score is lower because they likely have not yet been used in an active command and control channel by an attacker (or group of attackers). It should also be noted that you can paste in multiple domains at once, consolidating them into one investigation.
DomainTools Iris is a fantastic addition to your analysis toolset, providing insights into domains that are malicious, and even cooler those domains that will be malicious in the future! To see the full technical segment and Iris demo check out my segment on Paul’s Security Weekly:
While I used Iris on my own, there are some great collaborative features as you can add notes to your investigation and share with others on your team.