Being a Good Domain Shepherd
Dec 14 2018
By: Christopher Maddalena

A domain name’s categorization and age are important considerations when it comes time to select one for a phishing campaign or command-and-control infrastructure. Much has been written on that subject. Something that does not seem to be as thoroughly explored is how to efficiently manage dozens of domain names and monitor their statuses after purchase. While there are a few tools that have addressed how to select domains, such as Joe Vest and Andrew Chiles’ DomainHunter (https://github.com/threatexpress/domainhunter), the SpecterOps team saw a need for a tool that would help manage domains that we already owned and those being actively used on an assessment.
Tending to Your Domain Flock
A domain’s categorization can change over time and that awesome new domain name that was just purchased probably needs time to age. Tracking dozens of domains is tedious. To get the full picture, operators also need to track WhoisGuard statuses, potential VirusTotal detections, passive DNS detections, spam blacklist statuses, and other data points.
Tracking that data is just as tedious. When a large team is sharing domains, that difficulty ramps up as new domains are added to the ever-growing list and constantly being used, parked, burned, or retired. To address this issue, I worked with another SpecterOps team member, Kelly Villanueva (@fuzzzynoise), to come up with questions we want answered for each of the team’s domains:
- How old is this domain?
- Is the domain on a spam blacklist?
- What is it currently categorized as across the various trackers (e.g. Bluecoat, McAfee, Palo Alto, etc.)?
- Should this domain be considered burned and in retirement?
- Is anyone currently using the domain?
- What is the domain’s current DNS configuration?
- Is the domain configured with a valid TLS certificate?
- What is the domain’s project history?
- Just how do we get all of this data?
- Finally, can it be tracked in real-time?
We do not yet have a solution to track all of this data how we would like, but the first step is data collection. Automating as much of the data collection as possible allows the data to be formatted into a convenient package for tracking and updating.
With a lot of great input and ideas from the SpecterOps team, the bulk of these questions are now answered and completely automated. Domain check-out and project history will always require some human input, but can be made easier and more convenient.
The most exciting thing about this is the answer to the last question is yes, all of this data can be updated in real-time for monitoring your active domains!
Introducing Your Shepherd’s Crook
Shepherds use their crooks to gather sheep, fend off predators, and keep their balance. DomainCheck is a new tool that can be used as your domain shepherding crook.
Find it here: https://github.com/GhostManager/DomainCheck
DomainCheck was designed to assist operators with monitoring changes related to their domain names. This includes negative changes in categorization, VirusTotal detections, and appearances on malware blacklists. DomainCheck currently works only with Namecheap, but could be adapted for other registrars that offer API access.
DomainCheck pulls a list of domains registered under the provided Namecheap account, collects the DNS records set for each domain, and then reviews each one to ensure it is ready to be used. This involves checking to see if WhoisGuard is enabled, the domain is not expired, the domain is properly categorized, the domain has not been flagged in VirusTotal or tagged with a bad category, and the domain is not blacklisted for spam.
The DomainReview class uses the following sources to check the health of a domain name:
- Cisco Talos
- Bluecoat
- IBM X-Force
- Fortiguard
- TrendMicro
- OpenDNS
- MXToolbox
- VirusTotal
- Cymon
Additionally, DomainCheck pulls the latest list of “bad” domains from malwaredomains.com and checks if any of the Namecheap domain names make an appearance.
DomainCheck supports two modes:
Checkup Mode
In checkup mode, DomainCheck pulls the list of domain names and checks each one just once. Once the checks are finished, DomainCheck outputs the data in a CSV file. Optionally, if the --wiki flag is provided, DomainCheck also produces the results in the markup language understood by Confluence wikis. This markup can be copied and pasted into a wiki to create a nicely formatted table.
To do this, edit a Confluence wiki page, click “Insert,” insert a Markup section, and paste in the DomainCheck-generated markup.
The following command checks all domains under the Namecheap account:
domaincheck.py checkup --wiki
This command checks only the domains provided for the --filter-list parameter:
domaincheck.py checkup --wiki --filter-list domaincheck.com,spectreoops.net
Monitor Mode
In monitor mode, DomainCheck will continuously check the domains, either all of the Namecheap account’s domain names or just those the user provides on the command line. A time interval is set (in minutes) and DomainCheck will sleep for that amount of time before re-checking the domains.
If the --slack flag is provided and a Slack WebHook is configured, DomainCheck will send a pre-configured Slack message whenever an issue (negative categorization, VirusTotal hit, domain added to a watch list) is detected. These messages are sent in addition to warnings displayed in the terminal.
The following command checks the named domains every 60 minutes and sends a Slack message if an issue is detected:
domaincheck.py monitor --domains domaincheck.com,spectreoops.net -i 60 --slack
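The readiness checks listed earlier and the monitor-mode alerting described above can be sketched as follows. This is an added example, not DomainCheck's own code: the record schema, the BAD_CATEGORIES set, and the function names are assumptions, and the sample data is constructed.

```python
import json
from datetime import date

# Assumption for this example: which category labels count as "bad".
BAD_CATEGORIES = {"phishing", "malicious", "spam", "suspicious"}

def review(rec, today):
    """Return the set of issues for one domain record (hypothetical schema)."""
    issues = set()
    if not rec["whoisguard"]:
        issues.add("WhoisGuard disabled")
    if rec["expires"] <= today:
        issues.add("registration expired")
    for source, cat in rec["categories"].items():
        if cat.lower() in BAD_CATEGORIES:
            issues.add(f"{source} categorizes as {cat}")
    # No count in the message, so a rising count does not re-alert every pass.
    if rec["vt_detections"] > 0:
        issues.add("flagged in VirusTotal")
    if rec["spam_blacklisted"]:
        issues.add("on a spam blacklist")
    return issues

def new_issues(previous, current, today):
    """Issues present in this pass but not in the last one, keyed by domain."""
    alerts = {}
    for domain, rec in current.items():
        before = review(previous[domain], today) if domain in previous else set()
        fresh = review(rec, today) - before
        if fresh:
            alerts[domain] = sorted(fresh)
    return alerts

def slack_payload(alerts):
    """JSON body for a Slack incoming-webhook POST (a single 'text' field)."""
    lines = [f"*{d}*: {'; '.join(i)}" for d, i in sorted(alerts.items())]
    return json.dumps({"text": "Domain health changes\n" + "\n".join(lines)})

# Constructed sample data: two consecutive monitoring passes.
TODAY = date(2018, 12, 14)
PASS_1 = {"example.com": {"whoisguard": True, "expires": date(2019, 6, 1),
          "categories": {"Bluecoat": "Technology"}, "vt_detections": 0,
          "spam_blacklisted": False}}
PASS_2 = {"example.com": {"whoisguard": True, "expires": date(2019, 6, 1),
          "categories": {"Bluecoat": "Suspicious"}, "vt_detections": 2,
          "spam_blacklisted": False}}

if __name__ == "__main__":
    print(slack_payload(new_issues(PASS_1, PASS_2, TODAY)))
```

Alerting only on the difference between passes keeps a long-running monitor from repeating the same warning every interval.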
Future Work
In keeping with Will’s work on GhostPack, this project is shared under the new GhostManager organization.
There will be more to discuss in the coming months as development work on a domain management system is completed. That project, and other projects focused on management and organization, will also be shared under GhostManager. Look there for additional projects starting in 2019!