Domain Information

Domain Puchasing

Domain of choise for attacks is crucial if no CDN is used for C2 Redirector servers or no domain fronting is possible due to X, Y, Z reasons.

• https://expireddomains.com - Domains which have expired or are on the marketplace for sale are listed. Good for identifying old domains that can be bought for cheap to host a benign website or a clone of an existing one. (Can also be used for phishing depending on the target)

Domain Reputation

Domain reputation classifies if automated reputation checking tools are used by the target. These can trigger on newly purchased domains which were not catergorized or have a bad reputation.

Automated checking systems can alert on things such as:

• Bad domain reputation

• Newly purchased domain

• Domain categorization

• Blacklisted domains

When a defense system is triggered, connection will likely be dropped or at least the necessary defense team will be alerted of connections made to unreputable domains.

Domains checks such as categorization and reputation can be done via some of the following links (list is not extensive) :

• https://www.spamhaus.org/domain-reputation/

• https://www.talosintelligence.com/reputation_center

• https://mxtoolbox.com/domain

• https://check.spamhaus.org/

• https://website-categorization.whoisxmlapi.com/lookup

• https://www.safedns.com/features#id-check-categorization (no result = no categorization)

• https://sitereview.bluecoat.com/#/

• https://phishtank.org/

• https://www.virustotal.com/

• https://phishtank.org/

• https://web.archive.org/ - Try to find what the domain hosted in the past

• https://www.fortiguard.com/webfilter