


Is This Domain Newly Registered?

Tracking Newly Registered Domains

Here is the next step in my series of diaries related to domain names. After tracking suspicious domains with a dashboard[1] and proactively searching for malicious domains[2], let's focus on newly registered domains. There are a huge number of domain registrations performed every day (on average a few thousand per day, all TLD's combined). Why focus on new domains? With the multiple DGA ("Domain Generation Algorithms") used by malware families, it is useful to track newly created domains and correlate them with your local resolvers' logs. You could find some emerging threats or suspicious activities.

The challenge is to get a list of all those domains. There are plenty of online services that provide this kind of data. Some of them allow you to browse the new domains online[3], others sell this kind of database, usually linked with the corresponding whois information, for a monthly fee (usually around $65)[4]. Some registrars offer a list for their own TLD's (like the AFNIC in France[5]) but they are limited.

I was looking for a global list that includes all TLD's and, if possible, for free. I found whoisds.com[6] which offers this service. They provide a complete database (domains + whois data) for a monthly fee but the "simple" list is available for free (domains only) and without any registration.

I'm fetching the file via a simple shell script and a cron job:

#!/bin/bash
# Fetch the daily list of newly registered domains from whoisds.com
# and turn it into a one-column Splunk lookup file.
TODAY=`date --date="-2 day" +"%Y-%m-%d"`
DESTDIR="/home/domains"
URL="https://whoisds.com/whois-database/newly-registered-domains/$TODAY.zip/nrd"
USERAGENT="XmeBot/1.0 (https://blog.rootshell.be/bot/)"
TEMPFILE=`mktemp /tmp/wget_XXXXXX.zip`
LOGFILE=`mktemp /tmp/wget_XXXXXX.log`
CSVFILE="/opt/splunk/etc/apps/search/lookups/newdomains.csv"

# Check if the destination directory exists
[ -d "$DESTDIR" ] || mkdir -p "$DESTDIR"
# Ensure that the file does not exist already
[ -r "$DESTDIR/$TODAY.txt" ] && rm "$DESTDIR/$TODAY.txt"

# -o writes wget's own log, -O writes the downloaded archive
wget -o "$LOGFILE" -O "$TEMPFILE" --user-agent="$USERAGENT" "$URL"
RC=$?
if [ "$RC" != "0" ]; then
        echo "[ERROR] Cannot fetch $URL"
        cat "$LOGFILE"
else
        unzip -d "$DESTDIR" "$TEMPFILE" >"$LOGFILE" 2>&1
        RC=$?
        if [ "$RC" != "0" ]; then
                echo "[ERROR] Cannot unzip $TEMPFILE"
                cat "$LOGFILE"
        else
                # Header line expected by the Splunk lookup, then one domain per line
                echo "newdomain" >"$CSVFILE"
                cat "$DESTDIR/$TODAY.txt" >>"$CSVFILE"
                rm "$LOGFILE" "$TEMPFILE"
        fi
fi

This script is executed once a day to store the daily file in the specified directory. A CSV file is also created in the specific Splunk application. Note that the script fetches the file that is two days old (--date="-2 day") because I noticed that sometimes the previous day's list is published with some delay!
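As an added example (not the diary's script, and not code from whoisds.com), here is the same fetch written in Python so that the "published with some delay" caveat is handled explicitly: instead of always taking the two-day-old file, it walks back from yesterday until a day's archive is actually available, checks that the archive really contains the expected <date>.txt member, and replaces the Splunk lookup atomically so Splunk never reads a half-written file. The URL layout, the user agent, the archive member name and the lookup header are taken from the script above; the `fetch` callable is injectable so the logic can be exercised offline with a constructed archive.

```python
"""Fetch the newest whoisds daily list that is already published.

Added example, not the diary's script. The URL pattern and the <date>.txt
member name are taken from the diary; `fetch` is injectable so the logic
can be checked offline without touching the network.
"""
import datetime as dt
import io
import os
import tempfile
import urllib.error
import urllib.request
import zipfile

BASE_URL = "https://whoisds.com/whois-database/newly-registered-domains"
USER_AGENT = "XmeBot/1.0 (https://blog.rootshell.be/bot/)"


def candidate_days(today, max_age=4):
    """ISO dates from yesterday back to `max_age` days ago, newest first."""
    return [(today - dt.timedelta(days=age)).strftime("%Y-%m-%d")
            for age in range(1, max_age + 1)]


def list_url(day):
    """Daily archive URL in the layout used by the diary's script."""
    return f"{BASE_URL}/{day}.zip/nrd"


def http_fetch(url):
    """Return the response body, or None on any HTTP or network error."""
    req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def build_archive(day, domains):
    """Build an archive in the whoisds layout (used for offline checks)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{day}.txt", "".join(d + "\n" for d in domains))
    return buf.getvalue()


def extract_domains(zip_bytes, day):
    """Return the domains listed in <day>.txt inside the archive, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            text = zf.read(f"{day}.txt").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    # Normalise case and drop blank or obviously malformed lines.
    domains = (line.strip().lower() for line in text.splitlines())
    return [d for d in domains if d and "." in d and " " not in d]


def render_lookup(domains):
    """Single-column Splunk lookup text with the header the diary uses."""
    return "newdomain\n" + "".join(d + "\n" for d in domains)


def write_lookup(domains, csv_path):
    """Write the lookup via a temp file so Splunk never reads a half file."""
    directory = os.path.dirname(csv_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".newdomains_")
    with os.fdopen(fd, "w") as fh:
        fh.write(render_lookup(domains))
    os.replace(tmp, csv_path)


def update_lookup(csv_path, today=None, fetch=http_fetch, max_age=4):
    """Install the newest available list; return (day, count) or None."""
    today = today or dt.date.today()
    for day in candidate_days(today, max_age):
        body = fetch(list_url(day))
        if body is None:
            continue                      # not published (yet) or unreachable
        domains = extract_domains(body, day)
        if not domains:
            continue                      # corrupt archive or empty list
        write_lookup(domains, csv_path)
        return day, len(domains)
    return None


if __name__ == "__main__":
    result = update_lookup("/opt/splunk/etc/apps/search/lookups/newdomains.csv")
    print("lookup updated from" if result else "no list available:", result)
```

Run it from cron in place of the shell script; the return value tells you which day's list actually landed in the lookup, which is worth logging since the correlation searches below are only as fresh as that file.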

With the CSV file created in Splunk, I can now search for newly created domains in my Bro DNS logs:

index=securityonion sourcetype=bro_dns rcode="A" OR rcode="AAAA" |rex field=qclass ".*\.(?<newdomain>\w+\.\w+)" |search [|inputlookup newdomains.csv]

You can also search for specific keywords like brands or keywords related to your business:

# cat domains_keyword.csv
keyword
*bank*
*paypal*
*apple*
*ec2*

Here is an interesting Splunk query:

|inputlookup newdomains.csv |rex field=newdomain "(?<keyword>\w+)\.\w+" |search [|inputlookup domains_keyword.csv]

This search returned for yesterday:

halk-bankbireysel.com
storybankmaine.org
summitbank.org
towercommunitybankmortgage.org

Happy hunting!

[1] https://isc.sans.edu/forums/diary/Suspicious+Domains+Tracking+Dashboard/23046/
[2] https://isc.sans.edu/forums/diary/Proactive+Malicious+Domain+Search/23065/
[3] https://domainpunch.com/tlds/daily.php
[4] https://www.whoisxmlapi.com/newly-registered-domains.php
[5] https://www.afnic.fr/en/products-and-services/services/daily-list-of-registered-domain-names/#
[6] https://whoisds.com/newly-registered-domains

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS London June 2022

Xme

682 Posts
ISC Handler

Dec 13th 2017

Dec 13th 2017
4 years ago

Why not run it every two days? If it runs every day, and looks for 2 day old domains, you will be duping half of the domains.

Anonymous
Dec 13th 2017
4 years ago

I reread it, never mind...

Anonymous
Dec 13th 2017
4 years ago

I am trying to implement this in my environment, but I have run into an issue. The script runs fine and creates the lookup file w/o any issues. Instead of using inputlookup, I went ahead and created a lookup definition for the lookup file. I also only have access to firewall logs, so my logs do not contain domain names, only IP addresses. I am trying to get around this by using the dnsLookup function to convert the IP addresses to domain names. This appears to be working fine, but I am not matching anything as the lookup file contains only the domain name while my logs are converted to FQDN (with a host name). Thus, I think, I need to strip the hostname off of my log records before trying to match them with the lookup file. Any input on making this work would be greatly appreciated! Here is my search string:

sourcetype=cisco:asa src_ip!="aaa.bbb.0.0/16" src_ip!="aaa.bbb.0.0/16" dest_ip="aaa.bbb.0.0/16" (message_id=30214 OR message_id=302016)
| lookup dnsLookup ip as src_ip
| lookup newdomains newdomain as host OUTPUT newdomain as host_match
| where host_match!="NONE"
| table src_ip host host_match
| dedup src_ip host

"newdomains" is the lookup definition, "newdomain" is the supported field

Thanks!
Jon

Jon.Irish

4 Posts
Dec 14th 2017
4 years ago
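The following is an added example, not code from the diary or from Jon's post. It shows in Python the three matching steps the page discusses: the Bro DNS correlation from the diary, the keyword search over the new-domain list, and Jon's case, where a record carries a full hostname (here, the name a reverse lookup returned) that has to be reduced to its registered domain before it can match a lookup that contains only registered domains. The diary's rex keeps the last two labels, which breaks on ccTLDs such as co.uk, so the example uses a public-suffix table instead; the table here is a constructed subset for illustration (assumption: in production you would load the real Public Suffix List), and the dns.log rows and lookup contents are constructed sample data.

```python
"""Correlate DNS and firewall records with the newly registered domain list.

Added example, not the diary's or Jon's code. Suffix table and sample data
are constructed for this example; load the real Public Suffix List in
production.
"""
import fnmatch

# Constructed subset of multi-label public suffixes, for this example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registered_domain(name):
    """Reduce 'www.mail.example.co.uk' to 'example.co.uk'; None if impossible."""
    labels = name.strip().lower().rstrip(".").split(".")
    if "" in labels:
        return None
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:          # bare suffix or single label
        return None
    return ".".join(labels[-(suffix_len + 1):])


def load_lookup(csv_text):
    """Parse the one-column lookup (header 'newdomain') into a set."""
    lines = [line.strip().lower() for line in csv_text.splitlines()]
    return {line for line in lines[1:] if line}


def parse_bro_dns(log_text):
    """Yield (client_ip, query) for A/AAAA records of a Bro dns.log (TSV)."""
    columns = None
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            columns = line.split("\t")[1:]    # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue
        if columns is None:
            raise ValueError("data line before #fields header")
        rec = dict(zip(columns, line.split("\t")))
        if rec.get("qtype_name") in ("A", "AAAA"):
            yield rec["id.orig_h"], rec["query"]


def find_new_domain_hits(log_text, nrd):
    """[(client_ip, query, registered_domain)] for queries in the NRD set."""
    hits = []
    for client, query in parse_bro_dns(log_text):
        reg = registered_domain(query)
        if reg in nrd:
            hits.append((client, query, reg))
    return hits


def match_hostnames(hostnames, nrd):
    """Jon's case: map each FQDN whose registered domain is in the NRD set."""
    out = {}
    for host in hostnames:
        reg = registered_domain(host)
        if reg in nrd:
            out[host] = reg
    return out


def keyword_hits(nrd, patterns):
    """NRD entries whose registrable label matches any shell-style pattern."""
    return sorted(d for d in nrd
                  if any(fnmatch.fnmatch(d.split(".")[0], p) for p in patterns))


# Constructed sample data: a lookup in the diary's format and four dns.log rows.
SAMPLE_LOOKUP = """newdomain
halk-bankbireysel.com
storybankmaine.org
summitbank.org
towercommunitybankmortgage.org
example-shop.co.uk
"""
_HDR = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
        "\ttrans_id\trtt\tquery\tqclass\tqclass_name\tqtype\tqtype_name")
_ROW = ("1513152000.0\t{uid}\t{src}\t51000\t10.0.0.2\t53\tudp\t1\t0.01"
        "\t{q}\t1\tC_INTERNET\t{qt}\t{qtn}")
SAMPLE_DNS_LOG = "\n".join([
    _HDR,
    _ROW.format(uid="C1", src="10.0.0.5", q="www.summitbank.org", qt=1, qtn="A"),
    _ROW.format(uid="C2", src="10.0.0.7", q="mail.example-shop.co.uk", qt=28, qtn="AAAA"),
    _ROW.format(uid="C3", src="10.0.0.9", q="www.example.com", qt=1, qtn="A"),
    _ROW.format(uid="C4", src="10.0.0.9", q="summitbank.org", qt=16, qtn="TXT"),
])

if __name__ == "__main__":
    nrd = load_lookup(SAMPLE_LOOKUP)
    for hit in find_new_domain_hits(SAMPLE_DNS_LOG, nrd):
        print("new domain queried:", hit)
    print("keyword hits:", keyword_hits(nrd, ["*bank*", "*paypal*", "*apple*", "*ec2*"]))
    print("host matches:", match_hostnames(["srv01.summitbank.org", "www.example.com"], nrd))
```

Reading the column names from the `#fields` header rather than hard-coding offsets keeps the parser working across Bro versions that add or move columns; the same registered_domain() reduction is what Jon's pipeline needs between the dnsLookup step and the newdomains lookup.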

The .nu and .se ccTLD zone data can be downloaded here: https://zonedata.iis.se/

JonasL

2 Posts
Dec 17th 2017
4 years ago

Source: https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/

Posted by: brownthishe.blogspot.com
