RISE Latvia 2024

TTP-based threat hunting

Ken Bagnall, CEO

Colm Diver, Head of Product

Case study data

Before you start, please ensure you’ve signed up for a Community Edition account using the button below.

Case Study 1

Tracking nameserver changes to uncover DarkMe trojan C2 infrastructure.

Input parameters

Case Study 2

HTML title and favicon pivoting to hunt for Meduza infostealer C2 infrastructure.

Input parameters

Case Study 3

Using naming patterns, registrar information, nameserver and ASN data to track the Bazar Call scam.

Input parameters

  • domain_regex = ^(www\.|)[a-z0-9]{0,}(help|care|support)[a-z0-9]{0,}\.(live|us|cc|to|org|xyz|info|online|live|us)$
  • nsname = *.dnsowl.com
  • asnum = 200019
  • asnum = 36352

Case Study 4

Using HTML body SSDeep data to expose Prolific Puma infrastructure.

Input parameters

  • html_body_ssdeep = 3:YRc8f2AerEIifHBrfzi/yIHXf:Y2Aer6hjziz3f

Case Study 5

Unusual SOA record format shared by ransomware and other underground cybercriminals.

Input parameters

  • ns = *.org
  • mbox = self
  • serial = 1234567
  • refresh = 150
  • retry = 150
  • expire = 150
  • min_ttl = 150

Case Study 6

SSL and server information, or “etag” pivot, to expose IcedID clusters.

Input parameters

Case Study 7

Using nameserver, IP and ASN diversity to track Raspberry Robin.

Input parameters

  • nsname = *.cloudns.net
  • regex = ^[a-z0-9]{2,3}\.[a-z]{2}$
  • ip_diversity_all_min = 5
  • asn_diversity_min = 5
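The four Case Study 7 parameters applied together as detection logic over passive-DNS style records, as an added example that is not part of the original case study material or the vendor's own query engine. The record layout, the helper names and the sample domains, IPs and ASNs are all constructed assumptions for illustration.

```python
import re
from fnmatch import fnmatch
from collections import defaultdict

# Hunting parameters exactly as listed for Case Study 7 above.
NSNAME_GLOB = "*.cloudns.net"
DOMAIN_REGEX = re.compile(r"^[a-z0-9]{2,3}\.[a-z]{2}$")
IP_DIVERSITY_ALL_MIN = 5
ASN_DIVERSITY_MIN = 5

def build_records(domain, nameserver, ip_asn_pairs):
    """Expand one domain into (domain, nameserver, ip, asn) rows (assumed layout)."""
    return [(domain, nameserver, ip, asn) for ip, asn in ip_asn_pairs]

# Constructed sample records: documentation-range IPs and private-use ASNs only,
# not real Raspberry Robin indicators.
SAMPLE_RECORDS = (
    # short name, cloudns.net nameserver, 5 IPs across 5 ASNs -> should match
    build_records("q2.pm", "pns31.cloudns.net",
                  [(f"203.0.113.{i}", 64500 + i) for i in range(1, 6)])
    # same diversity, but the name does not fit the naming pattern
    + build_records("longname.pm", "pns31.cloudns.net",
                    [(f"203.0.113.{i}", 64500 + i) for i in range(11, 16)])
    # short name on cloudns.net, but all IPs sit in only two ASNs
    + build_records("k7.re", "pns32.cloudns.net",
                    [(f"198.51.100.{i}", 64510 + (i % 2)) for i in range(1, 6)])
    # diverse hosting, but not delegated to a cloudns.net nameserver
    + build_records("x9.lt", "ns1.example.net",
                    [(f"192.0.2.{i}", 64520 + i) for i in range(1, 6)])
)

def hunt(records, nsname_glob=NSNAME_GLOB, domain_regex=DOMAIN_REGEX,
         ip_min=IP_DIVERSITY_ALL_MIN, asn_min=ASN_DIVERSITY_MIN):
    """Return {domain: (distinct_ip_count, distinct_asn_count)} for every domain
    that satisfies all four conditions, so the evidence can be reviewed."""
    per_domain = defaultdict(lambda: {"ips": set(), "asns": set(), "ns": set()})
    for domain, nameserver, ip, asn in records:
        entry = per_domain[domain.lower()]
        entry["ips"].add(ip)
        entry["asns"].add(asn)
        entry["ns"].add(nameserver.lower())
    hits = {}
    for domain, entry in per_domain.items():
        if not domain_regex.match(domain):
            continue  # naming-pattern filter (regex)
        if not any(fnmatch(ns, nsname_glob) for ns in entry["ns"]):
            continue  # nameserver filter (nsname)
        if len(entry["ips"]) < ip_min or len(entry["asns"]) < asn_min:
            continue  # diversity thresholds (ip_diversity_all_min, asn_diversity_min)
        hits[domain] = (len(entry["ips"]), len(entry["asns"]))
    return hits

if __name__ == "__main__":
    for domain, (ips, asns) in hunt(SAMPLE_RECORDS).items():
        print(f"{domain}: {ips} IPs across {asns} ASNs")
```

Lowering a threshold (for example `asn_min=2`) shows how quickly the result set widens, which is why the diversity minimums matter as much as the regex when tuning this hunt.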