Closed d3f3nder closed 1 year ago
As far as I am aware, the only one not doing a passive lookup is https://otx.alienvault.com/ for the domain info. Everything else is cached results as far as I know. Please correct me if wrong.
Hi, interesting. Yeah, that's really the question: what do the other sources do? You could be right; cached would imply that the lookup has already been done one way or another, which for new adversary infra I can't imagine would be the case, but I'm not really sure. The last thing I want to do is give off a possible signal because an active lookup triggers unexpected traffic on the adversary infra.
So going through the individual websites: VirusTotal is cached, AbuseIPDB is cached, whois is cached, TorRelay is cached. The only website I believe would alert the source entity is AlienVault, which is located under IPInfo. Again, if you find an alternate answer please let me know.
Going to be closing this. Please reopen if new info is discovered.
Hi, first of all, great tool, I like it, great job.
My question though: it would be a great addition to do a true passive lookup of an IP or domain. Some of these lookups do an active lookup, if I'm not mistaken, which could mean that an actor could pick up these signals on their end and change TTPs / IPs or domains; this would result in losing the 'defender's advantage'.
regards,
Mike
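The concern raised in this thread is that an enrichment tool should never send traffic to the indicator it is investigating, only to third-party data providers. The following is an added example (not code from the tool discussed here): a small lookup planner that classifies each planned request as passive (destined for a vendor host) or active (destined for the indicator itself or a subdomain of it) and drops the active ones unless explicitly allowed. The source table and endpoint paths are constructed for illustration and are an assumption; check each vendor's documentation before relying on them.

```python
"""Plan enrichment lookups so that none of them contact the indicator itself."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# RFC 1035-style hostname check: labels of letters, digits and hyphens, a TLD of letters.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(indicator: str) -> str:
    """Return 'ip' or 'domain'; raise ValueError for anything else."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(indicator):
        return "domain"
    raise ValueError(f"not an IP address or domain: {indicator!r}")


@dataclass(frozen=True)
class Source:
    name: str
    ip_url: Optional[str]      # URL template for IP lookups, None if unsupported
    domain_url: Optional[str]  # URL template for domain lookups, None if unsupported


# Constructed source table (assumption): the paths are illustrative, not verified vendor APIs.
# "direct-http" is the kind of step the thread warns about: it fetches the indicator itself.
SOURCES = [
    Source("virustotal",
           "https://www.virustotal.com/api/v3/ip_addresses/{i}",
           "https://www.virustotal.com/api/v3/domains/{i}"),
    Source("abuseipdb",
           "https://api.abuseipdb.com/api/v2/check?ipAddress={i}",
           None),
    Source("otx",
           "https://otx.alienvault.com/api/v1/indicators/IPv4/{i}/general",
           "https://otx.alienvault.com/api/v1/indicators/domain/{i}/general"),
    Source("direct-http", "http://{i}/", "http://{i}/"),
]


@dataclass(frozen=True)
class PlannedRequest:
    source: str
    url: str
    mode: str  # "passive" (vendor host) or "active" (indicator host)


def classify_request(indicator: str, url: str) -> str:
    """A request is active if its destination host is the indicator or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    target = indicator.lower()
    if host == target or host.endswith("." + target):
        return "active"
    return "passive"


def plan_lookups(indicator: str, sources=SOURCES, allow_active: bool = False) -> List[PlannedRequest]:
    """Build the list of requests for an indicator, excluding active ones unless allowed."""
    kind = classify_indicator(indicator)
    plan = []
    for src in sources:
        template = src.ip_url if kind == "ip" else src.domain_url
        if template is None:
            continue  # this source cannot answer for this indicator type
        url = template.format(i=indicator)
        mode = classify_request(indicator, url)
        if mode == "active" and not allow_active:
            continue  # would generate traffic the adversary could observe
        plan.append(PlannedRequest(src.name, url, mode))
    return plan


if __name__ == "__main__":
    # Constructed sample indicators (documentation ranges, not real infrastructure).
    for ind in ("203.0.113.7", "bad.example"):
        for req in plan_lookups(ind):
            print(f"{ind:14} {req.mode:8} {req.source:11} {req.url}")
```

This guard only covers traffic the tool itself generates. Whether a provider performs a live fetch on its own side when asked about an indicator, the question raised about OTX above, is not visible from the request URL and has to be confirmed from that provider's documentation.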