Passive DNS Alert Details
Alert ID: PDNS-INFRA-ACQUIRE-7842
Alert Time: 2024-02-09 08:15:33 EST
Severity: HIGH (75/100)
Source: Farsight Security DNSDB (Passive DNS)
Rule: “New Domains Registered with Company Name Pattern”
MITRE ATT&CK: T1583 – Acquire Infrastructure (sub-technique T1583.001 – Domains)
Alert Details:
Passive DNS Discovery: Newly registered domains matching company naming patterns
Domain 1: company-secure-login[.]com
– Registrar: Namecheap
– Registration Date: 2024-02-08
– Nameservers: ns1.digitalocean[.]com, ns2.digitalocean[.]com
– IP History: 159.89.120[.]45 (DigitalOcean – Germany)
– SSL Certificate: Issued to “*.company-secure-login[.]com” (Let’s Encrypt)
Domain 2: company-verify-account[.]net
– Registrar: GoDaddy
– Registration Date: 2024-02-08
– Nameservers: ns1.cloudflare[.]com, ns2.cloudflare[.]com
– IP History: 185.143.221[.]89 (Bulgaria VPS)
Domain 3: internal-company-portal[.]org
– Registrar: NameSilo
– Registration Date: 2024-02-08
– Nameservers: Custom (likely attacker-controlled)
– IP History: 194.165.16[.]89 (Romania)
Pattern Analysis:
– All 3 domains registered within 24 hours
– All contain company name or variations
– All hosted on VPS providers outside the company's own infrastructure (Germany, Bulgaria, Romania)
– No legitimate business relationship with these domains
– High confidence these are phishing campaign infrastructure being staged before use
Threat Intelligence:
– Similar registration patterns seen before credential phishing campaigns
– IP 185.143.221[.]89 previously associated with credential harvesting
– Infrastructure likely being prepared for attack
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify domain registrations | Farsight DNSDB, WHOIS | All 3 registrations confirmed (2024-02-08); none registered by the company or a known partner |
| 2. Infrastructure Analysis | Investigate hosting/providers | Shodan, VirusTotal | 185.143.221[.]89 previously tied to credential harvesting; no content served yet (parked) |
| 3. Proactive Blocking | Block domains before use | Palo Alto, Cisco Umbrella, Proofpoint, Zscaler | All domains added to blocklists |
| 4. Registrar Takedown | Report to registrars | Namecheap, GoDaddy, NameSilo Abuse | Takedown requests submitted |
| 5. Monitoring | Watch for similar registrations | DomainTools, Recorded Future | Enhanced monitoring implemented |
Jira Incident Report
Ticket: SOC-2024-049
Summary: T1583 – Attackers Acquire Infrastructure for Impending Campaign
Status: RESOLVED
Resolution: INFRASTRUCTURE BLOCKED – Preemptive Action
Priority: P2 – MEDIUM (alert severity HIGH; lowered because no active campaign was observed and the domains were parked)
Labels: T1583, acquire-infrastructure, domain-registration, phishing-prep, pdns
Components: Threat-Intelligence, Perimeter-Defense
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Farsight Security DNSDB (Passive DNS).
- Alert: “New Domains Registered with Company Name Pattern”.
- Domains: 3 suspicious domains registered 2024-02-08.
- Time: 2024-02-09 08:15 EST.
- Technique: MITRE ATT&CK T1583 – Acquire Infrastructure.
2. Technical Analysis:
- Domain Details:
Domain 1: company-secure-login[.]com
- Registrar: Namecheap
- Hosting: 159.89.120[.]45 (DigitalOcean – Germany)
- Pattern: “secure-login” – common phishing theme
- Status: Parked (no active content yet), but a wildcard TLS certificate has already been issued; Let’s Encrypt only issues wildcards via DNS-01 validation, so the registrant controls the zone and staging is progressing
Domain 2: company-verify-account[.]net
- Registrar: GoDaddy
- Hosting: 185.143.221[.]89 (Bulgaria VPS)
- Pattern: “verify-account” – credential harvesting theme
- Status: Parked
Domain 3: internal-company-portal[.]org
- Registrar: NameSilo
- Hosting: 194.165.16[.]89 (Romania)
- Pattern: “internal-portal” – impersonation theme
- Status: Parked
- Pattern Analysis:
- All registered within 24-hour window (2024-02-08)
- All contain company name or obvious variations
- All hosted on VPS providers outside the company's own infrastructure (Germany, Bulgaria, Romania)
- No legitimate business relationship
- Typical of phishing campaign preparation
- Threat Intelligence:
- IP 185.143.221[.]89 known for previous credential harvesting
- Similar registration patterns seen before tax-season phishing
- Infrastructure likely being prepared for imminent campaign
3. Investigation Findings:
- Timeline:
2024-02-08: All 3 domains registered
2024-02-09 08:15: Passive DNS detects and alerts
2024-02-09 08:30: SOC investigation begins
2024-02-09 09:00: All domains added to blocklists
2024-02-09 10:00: Takedown requests submitted
- Current Status:
- No active content on domains (parked)
- No observed phishing emails using these domains yet
- Preemptive blocking in place
4. Containment Actions:
- Proactive Blocking (08:30-09:00 EST):
- Added all 3 domains to Palo Alto blocklist.
- Added to Cisco Umbrella DNS filtering.
- Added to email gateway blocklist (Proofpoint).
- Added to web proxy blocklist (Zscaler).
- Takedown Requests (09:00-10:00 EST):
- Reported to Namecheap, GoDaddy, NameSilo abuse departments.
- Provided evidence of malicious intent.
- Requested domain suspension.
- Monitoring Enhancement:
- Created DomainTools watch for similar patterns.
- Added to Recorded Future monitoring.
- Enhanced email filtering for related themes.
5. Root Cause Analysis:
- Primary Cause: Attackers preparing infrastructure for phishing campaign.
- Contributing Factors: Company is high-value target for credential phishing.
6. Business Impact:
- Current Impact: None (domains blocked before any observed use).
- Potential Impact: Credential phishing of employees and customers via lookalike login and account-verification pages.
- Prevented: Employee exposure via corporate email, DNS and web egress is closed; customer exposure remains until the registrar suspensions take effect, since the blocklists only cover company-managed paths.
7. Remediation & Prevention:
Completed Actions:
All domains blocked across security stack.
Takedown requests submitted.
Enhanced monitoring implemented.
Employee awareness briefing on lookalike-domain phishing.
8. Conclusion:
This incident involved threat actors acquiring infrastructure (domains) for an impending phishing campaign targeting our company. Through passive DNS monitoring, we identified and blocked the domains before they could be used. No impact to customers or employees.
Closure Rationale: Infrastructure blocked on all company-managed paths; no active campaign observed. Registrar takedown requests are submitted but not yet confirmed.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 11:00 EST