Closed SwiftOnSecurity closed 7 years ago
Because sysmon logs the final destination DNS, and not the start, usually these redirect to CDNs. Need to research each one.
```xml
<!--Hack tools hosting - UNDERGOING RENOVATION, NOT RELIABLE-->
<!--TESTING <DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> --> <!--Github: Malicious tools often loaded from here, not used except by developers-->

<!--Suspicious destinations - UNDERGOING RENOVATION, NOT RELIABLE-->
<!--TESTING <DestinationHostname condition="is">api.ipify.org</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">whatismyipaddress.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">edns.ip-api.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">icanhazip.com</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">ifconfig.me</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">ifconfig.co</DestinationHostname> --> <!--Malware uses to get external IP address-->
<!--TESTING <DestinationHostname condition="is">ipaddress.com</DestinationHostname> --> <!--Malware uses to get external IP address-->

<!--Dynamic DNS Providers - UNDERGOING RENOVATION, NOT RELIABLE-->
<!--TESTING <DestinationHostname condition="end with">dlinkddns.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">no-ip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">no-ip.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">no-ip.biz</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">no-ip.info</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">noip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">afraid.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">duckdns.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">changeip.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">ddns.net</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">hopto.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">zapto.org</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">servehttp.com</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
<!--TESTING <DestinationHostname condition="end with">sytes.net</DestinationHostname> --> <!--Malware frequently uses dynamic DNS providers for C2 traffic | credit @daniel-gallagher -->
```
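To see what the commented-out rules would and would not catch, here is an added example (not code from the sysmon-config project or from the issue author) that parses a handful of the `TESTING` rules above, reimplements Sysmon's `is` and `end with` matching, and runs them over a few constructed Event ID 3 (NetworkConnect) records. The sample events, the `edge-12.cdn.example.net` hostname standing in for a CDN edge, and the `strict` label-boundary option are all assumptions made for illustration.

```python
"""Evaluate DestinationHostname rules against sample Sysmon network events.

Added example; rule text is copied from the commented-out (TESTING) entries
in the issue, sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# A subset of the commented-out rules from the issue, verbatim, so the same
# regex would work on the real config's comment lines.
RULE_COMMENTS = """
<!--TESTING <DestinationHostname condition="end with">githubusercontent.com</DestinationHostname> -->
<!--TESTING <DestinationHostname condition="is">api.ipify.org</DestinationHostname> -->
<!--TESTING <DestinationHostname condition="is">checkip.dyndns.org</DestinationHostname> -->
<!--TESTING <DestinationHostname condition="end with">no-ip.com</DestinationHostname> -->
<!--TESTING <DestinationHostname condition="end with">ddns.net</DestinationHostname> -->
"""

RULE_RE = re.compile(
    r'<DestinationHostname condition="(?P<cond>[^"]+)">(?P<value>[^<]+)</DestinationHostname>'
)


@dataclass(frozen=True)
class HostnameRule:
    condition: str  # "is" or "end with"
    value: str


def parse_rules(text: str) -> List[HostnameRule]:
    """Pull DestinationHostname rules out of (commented-out or live) Sysmon XML."""
    return [HostnameRule(m.group("cond"), m.group("value")) for m in RULE_RE.finditer(text)]


def rule_matches(rule: HostnameRule, hostname: str, strict: bool = False) -> bool:
    """Sysmon condition semantics; Sysmon compares strings case-insensitively.

    strict=True is an assumed variant, not Sysmon behaviour: it treats an
    "end with" value as a domain suffix with a label boundary, so a host
    named notddns.net no longer trips a rule written for ddns.net.
    """
    h, v = hostname.lower(), rule.value.lower()
    if rule.condition == "is":
        return h == v
    if rule.condition == "end with":
        if strict:
            return h == v or h.endswith("." + v)
        return h.endswith(v)  # plain string suffix, exactly as Sysmon does it
    raise ValueError(f"unsupported condition: {rule.condition}")


# Constructed Event ID 3 records, trimmed to the fields the rules look at.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 443},
    {"Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationHostname": "api.ipify.org", "DestinationPort": 443},
    {"Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationHostname": "myhost.ddns.net", "DestinationPort": 8080},
    # Sysmon recorded the CDN edge name, not the site the process asked for,
    # so no hostname rule fires even though the request went to a listed site.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "edge-12.cdn.example.net", "DestinationPort": 443},
    # Suffix collision: ends with "ddns.net" without being under that domain.
    {"Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationHostname": "notddns.net", "DestinationPort": 80},
]


def triage(events, rules, strict: bool = False) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rule values) for each event some rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        host = ev.get("DestinationHostname", "")
        matched = [r.value for r in rules if rule_matches(r, host, strict)]
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    rules = parse_rules(RULE_COMMENTS)
    for label, strict in (("sysmon semantics", False), ("label-boundary variant", True)):
        print(f"== {label} ==")
        for idx, matched in triage(SAMPLE_EVENTS, rules, strict):
            ev = SAMPLE_EVENTS[idx]
            print(f"{ev['Image']} -> {ev['DestinationHostname']}:{ev['DestinationPort']} matched {matched}")
```

Two things the run shows. First, the CDN event (index 3) matches nothing: Sysmon fills `DestinationHostname` from a reverse lookup of the destination IP, so a site fronted by a CDN is logged under the CDN's name, which is the "final destination, not the start" problem the issue describes and why each listed host needs checking before the rule is enabled. Second, `end with` is a plain string suffix in Sysmon, so `ddns.net` also fires on `notddns.net`; if that false-positive class matters in your data, either write the value with a leading dot in the config or post-filter with the label-boundary check as above.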