Threat Hunting - Suspicious TLDs (2024)

Top-level domains (TLDs) hold significant influence in the domain name system (DNS) hierarchy and can serve as indicators for threat detection.

Properties and policies associated with TLDs, such as pricing, registration restrictions, and security practices, contribute to their attractiveness for malicious activities. Notably, TLDs offering free domain registration or from developing countries have emerged as prime targets for the deployment of phishing domains, highlighting the need to ThreatHunting for suspicious TLDs !

Multiple researches indicates that a significant proportion of malicious domain registrations are concentrate within a limited number of TLDs. While these TLDs themselves may not be inherently malicious, their susceptibility to abuse is high.

• www.cybercrimeinfocenter.org

Great insights into the malicious TLD trends compared to the previous quarter

• https://www.spamhaus.org/statistics/tlds/

TOP 10 most abused TLDs by spamhaus

• https://trends.netcraft.com/cybercrime/tlds

Great insight on the cybercrime incidents trend, for example:

See Also

Cybersecurity Spotlight - Top-Level Domains (TLD)

These resources provide regular updates on TLDs with the highest number of malicious domains, along with a ratio and trend indicator. For instance, the netcraft.com list highlights that 10% of the domains with the TLD .lat are malicious … a significant percentage that deserves to be hunted for !

Additionally, here is another research example on the malicious TLD trend in 2021 by PaloAlto categorized by threat:

Using these resources, I have compiled a list of suspicious TLDs for Threat Hunting in your proxy or DNS logs within your environment. The list is categorized by threat category (most known for), popularity, and severity, which aids us in hunting more efficiently. I have intentionally excluded some highly popular TLDs to prevent an excessive number of results for analysis, even in Threat Hunting scenarios. I have retained those with the highest ratio of malicious domains and the recently trending TLDs that attackers have been exploiting. The list is available on GitHub and will be regularly updated: https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_tlds_list.csv

Upload the list suspicious_tlds_list.csv on Splunk

Create a definition lookup named suspicious_tlds_list for the lookup suspicious_tlds_list.csv with the option WILDCARD(url_domain)

Use the List to Hunt for Suspicious TLDs in proxy logs:

you can speed up the search process by including a
|[|inputlookup suspicious_tlds_list | table url_domain | rename url_domain as dest_host]
before the |lookup but it can consume more CPU on your indexers

you might also want to include src_ip, src_user, category, severity, process fields when available

Additinals searches options:

after the |lookup instead of the |where you can search specific values from the lookup:

filtering on low popularity tlds associated with phishing with a high and critical severity for example

You can also search in your mail logs by focusing on the sender domain of incoming emails (make sure the field is parsed), and apply the same filters to identify senders with suspicious TLDs based on the sources I’ve mentioned.

Using these splunk searches, we searched through our proxy logs for the suspicious TLDs requested by our users using our list suspicious_tlds_list, We initiated a simple | stats command, which yielded thousands of results.

send the job to background or copy the job id of your search:

load it:

an example result :

If you have too many results, check what is causing the most noise:

This helps us identify which TLDs are creating the most disturbance in our environment. In this example, we have .pro .me .info .cc .ru .link .support .id .space .live .pics .pub .cn .il

This is why I included a popularity indicator in the list, enabling you to filter out the most popular ones. However, if you still wish to hunt for popular and suspicious TLDs, we can examine the number of domains requested by each TLD:

This isn’t too many domains to search for in this example result. We can further exclude more domains using these methods:

• TOP 1Million: Exclude the most prominent domains from the results, using the Majestic Million list (which includes the most requested 1 million domains) https://downloads.majesticseo.com/majestic_million.csv

• Virustotal: Check the reputation of all domains using the VirusTotal API |vt4splunk https://splunkbase.splunk.com/app/6654

Example dashboards with hashes https://x.com/mthcht/status/1692122508420358353 although this can also be done for domains and URLs.

• AbuseIPDB: Use the AbuseIPDB API to check all the domain IP addresses with a free license (allowing 1000 checks per day), this can help identify domains with reported or blacklisted IP addresses. https://www.abuseipdb.com/splunk
• HTTP Method: Filter on the HTTP method, Data exfiltration to a suspicious TLD could be more important to investigate |search http_method=POST after the |loadjob

reducing even more our results:

• Phishing: Filter potential phishing domains with DNSTWIST https://detect.fyi/detecting-phishing-attempts-with-dnstwist-37c426b3bbb8
• File extensions: Filter based on file extensions in the requested URL. You can use the list available at https://github.com/mthcht/awesome-lists/blob/main/Lists/all_file_extensions_list.csv to search for url ending with archive extensions, document extensions or executables extensions.
• Keywords: Search offensive keywords in urls, for a detailed guide, check https://github.com/mthcht/ThreatHunting-Keywords?tab=readme-ov-file#use-the-list-to-hunt-with-splunk
• Filter with your proxy intelligence: Some proxy will give you categories, reputation and severity scores, IP location, domain creation date and even process names, use these fields when available to focus on higher threats, for instance, with the proxy McAfee WebGateway i can have:

• Domain IP address location: Sometimes looking at the domain IP address locations can help you identify anomalies from the usual network traffic of an user, you can use | iplocation dest_ip with splunk to get more informations about the destination IP addresses
• Destination Port: Include the dest_port in your initial search, if available in your proxy logs. You can filter based on specific ports using the list of suspicious ports, accessible at https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv, for more guidance, check https://mthcht.medium.com/hunting-for-suspicious-ports-activities-50ef56d5cef
• Suspicious User agent: Search for suspicious user agents in your results related to suspicious TLDs using my list of suspicious user agents https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv
• Baseline: I recommend having a scheduled search that saves some information on the SIEM. For instance, when a domain is requested for the first time in the last 30 days, you’d want the date of the first request and the domain. You can then use this information in your hunting search to only keep the newly contacted domains in your environment if necessary.
• Aggregatation: Aggregate by src_user or src_ip to quickly identify the users who have made the most requests to suspicious TLDs.

By implementing these filters, you should have a reasonable number of URLs to check, enabling you to find something interesting to investigate !

The process of hunting for suspicious TLDs demands significant effort and attention to detail. I highly recommend focusing on using the suspicious TLDs list only for ThreatHunting purposes or with low signal alerts that can be cross-referenced with other alerts on your SIEM

Happy Hunting !