Passive DNS Alert Details
Alert ID: PDNS-INFRA-ACQUIRE-7842
Alert Time: 2024-02-09 08:15:33 EST
Severity: HIGH (75/100)
Source: Farsight Security DNSDB (Passive DNS)
Rule: “New Domains Registered with Company Name Pattern”
MITRE ATT&CK: T1583 – Acquire Infrastructure
Alert Details:
Passive DNS Discovery: Domains newly observed resolving in passive DNS, registered within the previous 24 hours (per WHOIS) and matching company naming patterns
Domain 1: company-secure-login[.]com
– Registrar: Namecheap
– Registration Date: 2024-02-08
– Nameservers: ns1.digitalocean[.]com, ns2.digitalocean[.]com
– IP History: 159.89.120[.]45 (DigitalOcean – Germany)
– SSL Certificate: Issued to “*.company-secure-login[.]com” (Let’s Encrypt)
Domain 2: company-verify-account[.]net
– Registrar: GoDaddy
– Registration Date: 2024-02-08
– Nameservers: ns1.cloudflare[.]com, ns2.cloudflare[.]com
– IP History: 185.143.221[.]89 (Bulgaria VPS)
Domain 3: internal-company-portal[.]org
– Registrar: NameSilo
– Registration Date: 2024-02-08
– Nameservers: Custom (likely attacker-controlled)
– IP History: 194.165.16[.]89 (Romania)
Pattern Analysis:
– All 3 domains registered within 24 hours
– All contain company name or variations
– All hosted on VPS providers abroad (Germany, Bulgaria, Romania), none of them used by the company
– No legitimate business relationship with these domains
– High confidence of phishing/campaign infrastructure
Threat Intelligence:
– Similar registration patterns seen before credential phishing campaigns
– IP 185.143.221[.]89 previously associated with credential harvesting
– Infrastructure likely being prepared for attack
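The scoring behind a rule like “New Domains Registered with Company Name Pattern”, as an added example that is not part of the original alert or of Farsight’s tooling: each record carries a passive-DNS first-seen time and a WHOIS creation date, and is scored on a brand token in its registrable labels (after a cheap homoglyph fold, so c0mpany and cornpany still match), on lure vocabulary, on registration age, and on whether three or more look-alikes were registered within 24 hours of each other. The brand token `company`, the allowlist, the weights and every record below are constructed for the example.

```python
"""Look-alike domain triage over passive-DNS first-seen + WHOIS creation records.

Added example, not tooling from the original report. BRAND, ALLOWLIST, the
scoring weights and SAMPLE_RECORDS are all assumed/constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

BRAND = "company"
# Corporate-owned domains that must never be flagged (assumed).
ALLOWLIST = {"company.com", "company-careers.com"}
# Vocabulary typical of credential-phishing domains.
LURE_TERMS = {"login", "secure", "verify", "account", "portal", "internal",
              "sso", "auth", "password", "update", "signin"}
# Cheap homoglyph/typo folding applied before looking for the brand token.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


@dataclass
class DomainRecord:
    name: str             # may be defanged, e.g. "company-secure-login[.]com"
    registered: datetime  # WHOIS creation date
    first_seen: datetime  # first resolution seen in passive DNS
    ip: str


@dataclass
class Finding:
    domain: str
    ip: str
    score: int
    severity: str = ""
    reasons: list = field(default_factory=list)


def refang(name: str) -> str:
    return name.strip().lower().rstrip(".").replace("[.]", ".")


def canonical(text: str) -> str:
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return text


def brand_in_labels(domain: str) -> bool:
    # Only labels left of the TLD count; hyphens are dropped so "c0mpany-sso" folds to "companysso".
    labels = domain.split(".")[:-1]
    return BRAND in canonical("".join(labels).replace("-", ""))


def lure_terms(domain: str) -> set:
    return set(re.split(r"[.-]", domain)) & LURE_TERMS


def score_record(rec: DomainRecord, now: datetime):
    domain = refang(rec.name)
    if domain in ALLOWLIST or not brand_in_labels(domain):
        return None
    f = Finding(domain, rec.ip, 30, reasons=[f"brand token '{BRAND}' in registrable labels (+30)"])
    lures = lure_terms(domain)
    if lures:
        pts = min(30, 15 * len(lures))
        f.score += pts
        f.reasons.append(f"lure terms {sorted(lures)} (+{pts})")
    age = now - rec.registered
    if age <= timedelta(days=7):
        f.score += 15
        f.reasons.append(f"registered {age.days}d ago (+15)")
    if rec.first_seen - rec.registered <= timedelta(days=1):
        f.reasons.append("resolving within a day of registration")  # informational only
    return f


def cluster_by_registration(items, window=timedelta(hours=24)):
    """Greedy grouping of (domain, registered) pairs whose creation dates fall within `window`."""
    clusters, current = [], []
    for domain, when in sorted(items, key=lambda t: t[1]):
        if current and when - current[0][1] > window:
            clusters.append(current)
            current = []
        current.append((domain, when))
    return clusters + [current] if current else clusters


def triage(records, now: datetime):
    findings, regs = {}, {}
    for rec in records:
        f = score_record(rec, now)
        if f:
            findings[f.domain], regs[f.domain] = f, rec.registered
    for cluster in cluster_by_registration(regs.items()):
        if len(cluster) >= 3:  # a burst of look-alikes is campaign preparation, not coincidence
            for d, _ in cluster:
                findings[d].score = min(100, findings[d].score + 10)
                findings[d].reasons.append(f"{len(cluster)} look-alikes registered within 24h (+10)")
    for f in findings.values():
        f.severity = "HIGH" if f.score >= 75 else "MEDIUM" if f.score >= 50 else "LOW"
    return sorted(findings.values(), key=lambda f: -f.score)


# Constructed records: the three from the alert plus a homoglyph, an old benign one and the real domain.
NOW = datetime(2024, 2, 9, 8, 15)
SAMPLE_RECORDS = [
    DomainRecord("company-secure-login[.]com", datetime(2024, 2, 8), datetime(2024, 2, 8, 14), "159.89.120.45"),
    DomainRecord("company-verify-account[.]net", datetime(2024, 2, 8), datetime(2024, 2, 8, 16), "185.143.221.89"),
    DomainRecord("internal-company-portal[.]org", datetime(2024, 2, 8), datetime(2024, 2, 8, 19), "194.165.16.89"),
    DomainRecord("c0mpany-sso-login.net", datetime(2024, 1, 20), datetime(2024, 1, 25), "203.0.113.7"),
    DomainRecord("company-news.org", datetime(2022, 6, 1), datetime(2022, 6, 3), "198.51.100.20"),
    DomainRecord("company.com", datetime(2005, 3, 1), datetime(2010, 1, 1), "192.0.2.10"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, NOW):
        print(f"{f.severity:6} {f.score:3} {f.domain} ({f.ip}) :: " + "; ".join(f.reasons))
```

The cluster bonus is what lifts a single odd registration into a HIGH: each of the three alert domains scores 85 only because the other two were created the same day, which is the pattern the alert’s “all 3 domains registered within 24 hours” line is really keying on.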
SOC Investigation Process
Step | Action | Tools Used | Findings
1. Alert Validation | Verify domain registrations | Farsight DNSDB, WHOIS | All 3 registrations confirmed (created 2024-02-08); no affiliation with the company
2. Infrastructure Analysis | Investigate hosting/providers | Shodan, VirusTotal | 185.143.221[.]89 previously tied to credential harvesting; all 3 domains parked, no content yet
3. Proactive Blocking | Block domains before use | Palo Alto, Cisco Umbrella | All domains added to blocklists
4. Registrar Takedown | Report to registrars | Namecheap, GoDaddy, NameSilo abuse desks | Takedown requests submitted
5. Monitoring | Watch for similar registrations | DomainTools, Recorded Future | Enhanced monitoring implemented
Jira Incident Report
Ticket: SOC-2024-049
Summary: T1583 – Attackers Acquire Infrastructure for Impending Campaign
Status: RESOLVED
Resolution: INFRASTRUCTURE BLOCKED – Preemptive Action
Priority: P2 – MEDIUM
Labels: T1583, acquire-infrastructure, domain-registration, phishing-prep, pdns
Components: Threat-Intelligence, Perimeter-Defense
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Farsight Security DNSDB (Passive DNS).
Alert: “New Domains Registered with Company Name Pattern”.
Domains: 3 suspicious domains registered 2024-02-08.
Time: 2024-02-09 08:15 EST.
Technique: MITRE ATT&CK T1583 – Acquire Infrastructure.
2. Technical Analysis:
Domain Details:
Domain 1: company-secure-login[.]com
Registrar: Namecheap
Hosting: 159.89.120[.]45 (DigitalOcean – Germany)
Pattern: “secure-login” – common phishing theme
Status: Parked (no active content yet)
Domain 2: company-verify-account[.]net
Registrar: GoDaddy
Hosting: 185.143.221[.]89 (Bulgaria VPS)
Pattern: “verify-account” – credential harvesting theme
Status: Parked
Domain 3: internal-company-portal[.]org
Registrar: NameSilo
Hosting: 194.165.16[.]89 (Romania)
Pattern: “internal-portal” – impersonation theme
Status: Parked
Pattern Analysis:
All registered within 24-hour window (2024-02-08)
All contain company name or obvious variations
All hosted on VPS providers abroad (Germany, Bulgaria, Romania), none of them used by the company
No legitimate business relationship
Typical of phishing campaign preparation
Threat Intelligence:
IP 185.143.221[.]89 known for previous credential harvesting
Similar registration patterns seen before tax-season phishing
Infrastructure likely being prepared for imminent campaign
3. Investigation Findings:
Timeline:
2024-02-08: All 3 domains registered
2024-02-09 08:15: Passive DNS detects and alerts
2024-02-09 08:30: SOC investigation begins
2024-02-09 09:00: All domains added to blocklists
2024-02-09 10:00: Takedown requests submitted
Current Status:
No active content on domains (parked)
No observed phishing emails using these domains yet
Preemptive blocking in place
4. Containment Actions:
Proactive Blocking (08:30-09:00 EST):
Added all 3 domains to Palo Alto blocklist.
Added to Cisco Umbrella DNS filtering.
Added to email gateway blocklist (Proofpoint).
Added to web proxy blocklist (Zscaler).
Takedown Requests (09:00-10:00 EST):
Reported to Namecheap, GoDaddy, NameSilo abuse departments.
Provided evidence of malicious intent.
Requested domain suspension.
Monitoring Enhancement:
Created DomainTools watch for similar patterns.
Added to Recorded Future monitoring.
Enhanced email filtering for related themes.
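The blocklist artifacts for the proactive-blocking step (investigation step 3 and the containment actions above), as an added example that is not from the original report: it refangs the IOCs, validates domain syntax, de-duplicates, refuses anything on the corporate allowlist or any non-routable address, and emits a plain one-indicator-per-line list (the shape an external dynamic list fetcher consumes) plus an ISC Response Policy Zone fragment for DNS sinkholing. The allowlist, the zone origin `rpz.soc.local` and the sample IOC list (which repeats one domain in mixed case to exercise de-duplication) are assumed.

```python
"""Blocklist artifacts for look-alike phishing domains.

Added example, not tooling from the original report. ALLOWLIST, the RPZ
origin and the sample IOCs are assumed/constructed.
"""
import ipaddress
import re

# Domains the company owns; a mistake in an IOC feed must never block these (assumed).
ALLOWLIST = {"company.com", "company-careers.com"}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed IOCs, defanged the way the alert lists them (one duplicate on purpose).
SAMPLE_DOMAINS = [
    "company-secure-login[.]com",
    "company-verify-account[.]net",
    "internal-company-portal[.]org",
    "COMPANY-SECURE-LOGIN[.]com.",
]
SAMPLE_IPS = ["159.89.120.45", "185.143.221[.]89", "194.165.16[.]89"]


def refang(value: str) -> str:
    """Lowercase, drop a trailing dot, and turn '[.]' back into '.'."""
    return value.strip().lower().rstrip(".").replace("[.]", ".")


def is_valid_domain(domain: str) -> bool:
    labels = domain.split(".")
    return len(domain) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def normalise_iocs(raw_domains, raw_ips):
    """Refang, validate and de-duplicate; raise on anything that must not be blocked."""
    domains, ips = [], []
    for raw in raw_domains:
        d = refang(raw)
        if not is_valid_domain(d):
            raise ValueError(f"malformed domain IOC: {raw!r}")
        if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
            raise ValueError(f"refusing to block corporate domain: {d}")
        if d not in domains:
            domains.append(d)
    for raw in raw_ips:
        addr = ipaddress.ip_address(refang(raw))
        if not addr.is_global:
            raise ValueError(f"refusing to block non-routable address: {addr}")
        if addr not in ips:
            ips.append(addr)
    return domains, ips


def edl_lines(domains, ips):
    """One indicator per line and nothing else, which is all an EDL fetcher reads."""
    return [*domains, *(str(a) for a in ips)]


def rpz_zone(domains, ips, serial, origin="rpz.soc.local"):
    """RPZ fragment: NXDOMAIN each domain and all its subdomains, and rewrite any
    answer that resolves to one of the attacker IPs (rpz-ip trigger, IPv4 only)."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. ( {serial} 3600 900 2592000 300 )",
        "@ IN NS localhost.",
    ]
    for d in domains:
        lines.append(f"{d} CNAME .")     # the apex itself
        lines.append(f"*.{d} CNAME .")   # every subdomain, e.g. hosts under the wildcard cert
    for addr in ips:
        if addr.version == 4:
            rev = ".".join(reversed(str(addr).split(".")))
            lines.append(f"32.{rev}.rpz-ip CNAME .")  # <prefixlen>.<reversed octets>.rpz-ip
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    doms, addrs = normalise_iocs(SAMPLE_DOMAINS, SAMPLE_IPS)
    print("\n".join(edl_lines(doms, addrs)))
    print(rpz_zone(doms, addrs, serial=2024020901))
```

The allowlist guard is the part worth keeping even if the output formats change: a blocklist that is pushed to the firewall, the DNS resolver, the mail gateway and the proxy in one go will take the company’s own login portal down just as efficiently as the attacker’s copy if a typo or a copy-paste error lets it through.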
5. Root Cause Analysis:
Primary Cause: External; attackers registering look-alike domains in preparation for a phishing campaign. No internal control failure identified.
Contributing Factors: Company is high-value target for credential phishing.
6. Business Impact:
Current Impact: None (domains blocked before use).
Potential Impact: Would have been used for credential phishing.
Prevented: Not quantifiable; no phishing emails using these domains were observed, so the number of users who would have been targeted is unknown.
7. Remediation & Prevention:
Completed Actions:
All domains blocked across security stack.
Takedown requests submitted.
Enhanced monitoring implemented.
Employee awareness notice issued about the blocked look-alike domains.
8. Conclusion:
This incident involved threat actors acquiring infrastructure (domains) for an impending phishing campaign targeting our company. Through passive DNS monitoring, we identified and blocked the domains before they could be used. No impact to customers or employees.
Closure Rationale: Infrastructure blocked; no active campaign observed.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 11:00 EST