Every year Symantec, McAfee and others publish research on the top shady top-level domains (TLDs) on the internet. With the increase in vanity TLDs there are more options for registering domains quickly, with potentially little oversight or security.
How can we use this knowledge in NetWitness to detect when traffic is sent to, or lookups are made for, domains in these potentially shady TLDs?
White papers:
Larger list of extracted domains and use-case
The description of the yml seems like a good place to start:
description: Detects download of certain file types from hosts in suspicious TLDs
We will focus on the first part, detecting communication with the suspicious TLD; the second part would be a simple application rule to wrap that data up.
With some Notepad++ magic we get a list of TLDs and the meta values to attach to them:
#tld,analysis.session,threat.category
country,suspect_tld,sigma_symantec_shady_domain_2017
stream,suspect_tld,sigma_symantec_shady_domain_2017
gdn,suspect_tld,sigma_symantec_shady_domain_2017
mom,suspect_tld,sigma_symantec_shady_domain_2017
xin,suspect_tld,sigma_symantec_shady_domain_2017
kim,suspect_tld,sigma_symantec_shady_domain_2017
men,suspect_tld,sigma_symantec_shady_domain_2017
loan,suspect_tld,sigma_symantec_shady_domain_2017
...
Now we create a feed XML file to make mapping this information easy:
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
  <FlatFileFeed comment="#" separator="," path="feed-sigma-proxydownloadsusptldsblacklist.csv" name="unified">
    <MetaCallback name="InspectMeta" valuetype="Text" ignorecase="true">
      <Meta name="tld"/>
    </MetaCallback>
    <LanguageKeys>
      <LanguageKey name="analysis.session" valuetype="Text"/>
      <LanguageKey name="threat.category" valuetype="Text"/>
    </LanguageKeys>
    <Fields>
      <Field index="1" type="index" key="InspectMeta"/>
      <Field index="2" type="value" key="analysis.session"/>
      <Field index="3" type="value" key="threat.category"/>
    </Fields>
  </FlatFileFeed>
</FDF>
Now create the feed and push it to the decoders.
The decoder will look for matches between the tld meta key and the first column of the feed and, on a hit, write the second and third columns into analysis.session and threat.category.
Those events can now be wrapped into an app rule if you are looking for specific downloads from those TLDs, or can be leveraged in ESA rules.
Apprule:
name="suspicious_download_shady_domain" rule="analysis.session='suspect_tld' && extension='exe','vbs','bat','rar','ps1','doc','docm','xls','xlsm','pptm','rtf','hta','dll','ws','wsf','sct','zip'" type=application alert=eoc
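To sanity-check the feed and the app rule before pushing them to a decoder, here is an added Python dry run (not NetWitness code and not from the original post) that builds the three-column CSV from a short, constructed subset of the TLD list, replays the MetaCallback enrichment over a few constructed session meta records, and evaluates the app rule's condition; the session dictionaries and host names are invented for illustration.

```python
"""Build the suspect-TLD feed CSV and dry-run the enrichment and app rule offline."""
import csv
import io

# Constructed subset of the TLD list; the real feed carries the full extracted list.
SUSPECT_TLDS = ["country", "stream", "gdn", "mom", "xin", "kim", "men", "loan"]
ANALYSIS_VALUE = "suspect_tld"
THREAT_CATEGORY = "sigma_symantec_shady_domain_2017"
# Extension list taken from the app rule above.
RULE_EXTENSIONS = {"exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
                   "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip"}


def build_feed_csv(tlds):
    """Emit the CSV layout the FlatFileFeed definition expects ('#' header is a comment)."""
    out = io.StringIO()
    out.write("#tld,analysis.session,threat.category\n")
    writer = csv.writer(out, lineterminator="\n")
    for tld in tlds:
        writer.writerow([tld.lower(), ANALYSIS_VALUE, THREAT_CATEGORY])
    return out.getvalue()


def load_feed(feed_text):
    """Parse the CSV into {tld: (analysis.session, threat.category)}, skipping comment lines."""
    rows = csv.reader(line for line in feed_text.splitlines() if not line.startswith("#"))
    return {row[0].lower(): (row[1], row[2]) for row in rows if len(row) == 3}


def enrich(session, table):
    """Mimic the MetaCallback: match tld case-insensitively (ignorecase="true") and add both keys."""
    hit = table.get(session.get("tld", "").lower())
    if hit is None:
        return session
    return {**session, "analysis.session": hit[0], "threat.category": hit[1]}


def apprule_matches(session):
    """analysis.session='suspect_tld' && extension in the rule's list."""
    return (session.get("analysis.session") == ANALYSIS_VALUE
            and session.get("extension", "").lower() in RULE_EXTENSIONS)


SAMPLE_SESSIONS = [  # constructed session meta, not real traffic
    {"alias.host": "update.example.loan", "tld": "loan", "extension": "exe"},
    {"alias.host": "cdn.example.com", "tld": "com", "extension": "exe"},
    {"alias.host": "news.example.Stream", "tld": "Stream", "extension": "html"},
]


def run(sessions=SAMPLE_SESSIONS):
    """Return the hosts whose sessions would trigger the app rule."""
    table = load_feed(build_feed_csv(SUSPECT_TLDS))
    return [s["alias.host"] for s in (enrich(s, table) for s in sessions) if apprule_matches(s)]
```

The mixed-case "Stream" session is enriched (the feed is case-insensitive) but does not fire the rule because the extension is not in the list, which is the behaviour to expect on the decoder.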