-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Trail classes
A special class of trails, containing addresses known to be used for Advanced Persistent Threat (APT) attacks, where threat actor is currently unknown.
Domains having a bad history because of known usage for malicious purposes in past.
IP addresses that are known to be used for perpetrating brute force attacks, web attacks and any other form of unwanted behavior toward Internet exposed services.
A special class of trails, containing addresses for malicious web-pages which provide various services, tools, malware collections (etc.), that can be used to compromise the local system(s).
Web Proxy Autodiscovery Protocol (WPAD) is a system that allows computers to automatically discover Web proxy configurations inside the corporate environment. The .company.example domain is private to the organization's network and DNS lookups for *.company.example domains are supposed to be answered by the organization's own DNS servers. If attackers are able to purchase the domain name .company.example they could put up a website at wpad.company.example and publish their own PAC-file that tells browsers to use the attacker’s proxy server. Bad WPAD trails are used to detect related attempts from local networks toward one of such "bad" domains.
References:
- https://www.trendmicro.com/en_us/research/16/h/badwpad-doubtful-legacy-wpad-protocol.html
- https://nakedsecurity.sophos.com/2016/05/25/when-domain-names-attack-the-wpad-name-collision-vulnerability/
Detect DNS query resolutions through decentralized blockchain name system web APIs. This same mechanism is known to be abused by various malware families.
References:
- https://pam2020.cs.uoregon.edu/files/slides/01_Leopard_ZhangrongHuang.pdf
- https://github.com/B-DNS/Resolver
- https://www.virustotal.com/gui/domain/bdns.im/relations
Malicious JavaScript that disrupts regular web-browser work, such as preventing tab switching, closing of tabs, playing uncomfortable sounds, etc.
A special case of Potential directory traversal heuristics, that detects attacker's attempts to read configuration files on the target system.
Contacted non-existing domain name having an unusually high ratio of consonants, characteristics found in malicious (e.g. DGA) domains.
Domain shadowing is a subcategory of DNS hijacking attack, where attackers attempt to stay unnoticed. Cybercriminals stealthily insert subdomains under the compromised domain name. Also they keep existing records to allow the normal operation of services (websites, email servers, etc) using the compromised domain. By ensuring the undisturbed operation of existing services, the criminals make the compromise inconspicuous to the domain owners and the cleanup of malicious entries unlikely. As a result, domain shadowing provides attackers access to virtually unlimited subdomains inheriting the compromised domain’s benign reputation.
References:
Contacted non-existing domain name having an unusually high entropy, characteristics found in malicious (e.g. DGA) domains.
Contacted non-existing domain name having an unusually high number of queries.
An exploit kit (synonym: exploit pack) is a type of toolkit, that cybercriminals use to attack vulnerabilities in web client systems. Their most common purpose is the (unwilling) installation of malware or potentially unwanted software.
References:
- https://www.trendmicro.com/vinfo/us/security/definition/exploit-kit
- https://www.paloaltonetworks.com/cyberpedia/what-is-an-exploit-kit
A special class of Internet services known to be (ab)used by malware for geolocating the infected victims.
References:
A number of organizations maintain reputation lists of IP addresses operated by known attackers, such as spammers, malware distributors, and botnets. Maltrail leverages this kind of information from multiple reputation lists to help you identify requests from such malicious IP addresses.
References:
Heuristic detection, that tracks attempts of DNS query requests for long-named domains. This behavior could be an early sign of suspicious behavior, such as DNS tunneling, malware C&C communication, etc.
Mass scanners are special services for periodical scanning of various Internet resources. In the general case, they allow public access to the list of Internet exposed services, automatic checking service versions to known vulnerabilities, and identification of those that could be used for distributed denial of service attacks. It should be noted that such services usually have their own public web-pages, where organizations can apply for exclusion from the scanning process.
Domain parking services offer a simple solution for domain owners to monetize their sites’ traffic through third-party advertisements. While domain parking might appear harmless at first glance, parked domains pose a significant threat, as they can redirect visitors to malicious or unwanted landing pages or turn entirely malicious at any point in time. Additionally, periodic visits to such domains could be a late sign of malware infection.
References:
Port proxing (synonyms: port forwarding, port mapping) is a technique used for allowing external devices access to computer services inside private networks. It does this by mapping an external (service) IP address and port to an internal IP address and port. Besides their legal usage, this type of service is very popular in usage by some specific types of malware.
References:
Heuristic detection that tracks attempts of sensitive data leakage, where unauthorized transmission of data occurs from within an organization to an external destination or recipient.
References:
Heuristic detection that tracks attacker's attempt to read arbitrary server files, stored outside the web root folder on the server, via (unknown) web security vulnerabilities. See also Config File Access chapter.
References:
Heuristic detection that tracks attempts to substitute DNS-server settings in routers, vulnerable to DNS Hijacking attacks via HTTP-requests.
See also Rogue DNS description.
References:
- https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/
- https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
Heuristic detection, that tracks attempts of multiple simultaneous connections to target IP address(-es) via specific TCP ports, which were met in security reports on various malware (e.g. worm) infections, via vulnerabilities in system service ports.
The most famous case was in April 2017, when Shadow Brokers
hacker group released an SMB vulnerability named “EternalBlue”, described in Microsoft Security Bulletin MS17-010.
References:
- https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html
- https://digital.nhs.uk/cyber-alerts/2017/cc-1411
Heuristic detection, that tracks attempts to download malicious files for Internet-of-Things (IOT) operation systems.
References:
Heuristic detection that tracks attempts of LDAP injection attacks.
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP injection.
References:
- https://owasp.org/www-community/attacks/LDAP_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
Heuristic detection that tracks scanning attempts for finding open proxy servers.
Detection of open proxy access, based on public lists of open proxy servers. An open proxy is that configured so that anyone can use it. Such proxy servers are widely used by spammers to send spam because the proxy hides the spammer's IP address from recipients.
References:
Heuristic detection that tracks attempts of PHP injection attacks.
PHP injection is the general term for attack types which consists of injecting arbitrary PHP code that should be executed by the vulnerable application. This type of attack exploits the poor handling of untrusted data.
References:
- https://portswigger.net/kb/issues/00100c00_php-code-injection
- https://owasp.org/www-community/attacks/Code_Injection
Heuristic detection that tracks attempts of port scanning execution.
Port scanning is one of the most popular forms of remote reconnaissance, helping attackers determine which server ports are available for potential compromise.
References:
Heuristic detection that tracks attempts of remote code execution attacks.
Remote Code Execution (RCE) is the general term for attack type which consists of injecting arbitrary OS code that should be executed by the vulnerable application. In case of success, it can lead to a full compromise of the vulnerable web application, web server, or even entire target system.
References:
Heuristic detection that tracks attempts of SQL injection attacks.
SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploitation can lead to compromise of sensitive data from the database, modification of database data, execution of administration operations on the database, etc.
References:
Heuristic detection that tracks attempts of SSTI injection attacks.
Server-side template injection (SSTI) is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web-pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.
References:
Heuristic detection that tracks attempts of web scanning attempts.
Web scan represents the initial phase of an attack on web applications. During this phase, the attacker gathers information about the site's structure (pages, parameters, etc.) and the supporting infrastructure (operating system, databases, etc.) Additionally, target sites are scanned for known vulnerabilities in infrastructure software based on gathered information.
References:
Heuristic detection that tracks attempts of XML attack execution.
XML Injection is an attack technique used to manipulate or compromise the logic of an XML application or service. The injection of unintended XML content and/or structures into an XML message can alter the intended logic of the application.
References:
Heuristic detection that tracks attempts of XSS attack execution.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end-user. A successful attack can lead to session hijacking, execution of arbitrary actions without the user's knowledge and/or stealing of any other sensitive information retained from the browser.
References:
- https://owasp.org/www-community/attacks/xss/
- https://owasp.org/www-community/Types_of_Cross-Site_Scripting
Heuristic detection that tracks attempts of XXE attacks execution.
XML External Entity (XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
References:
Detection of requests to attacker's DNS server infrastructure, imposed through the compromised network configuration (e.g. via DNS-Hijacking), redirecting regular user's network traffic to malicious sites.
See also Potential DNS Changer description.
References:
Generic detection (SDrop ==> script dropper) for cases, when downloaded script payload drops another malicious file(-s) from its body.
Generic detection (SLoad ==> script loader) for cases, when script payload is downloaded from some resource (compromised legit site or explcit malcious site).
Sinkhole is a name for a server used by anti-malware researchers to collect information about a botnet. It masquerades as one of the C2 (command-and-control) servers in the botnet so that DNS requests (from compromised computers in the botnet) for the related domain are re-directed to the sinkhole, where they can be further analyzed by researchers.
References:
Sofware toolkit or online service that is used to massively send email spam or messages to social media sites.
TDS (Traffic Direction System) is a specialized system used for directing victim's traffic to cash in on referrals. Problem is that those systems are often abused for malicious purposes, such as redirecting users to exploit kits (EK) or drive-by download sites.
References:
The Tor network provides adversaries with a multitude of source locations from which to conduct malicious activities against targets. By ensuring that different Tor exit nodes are used, adversaries are able to make it more difficult for defenders to correlate activities, block malicious attempts and make attribution more difficult. Maltrail detects related connection attempts based on the public Tor exit/relay list.
References:
- FAQ - Frequently Asked Questions
- Trail classes - Information about different classes of trails
- Specific detections - Information about Maltrail specific detections
- Maltrail trails structure - Information about Maltrail trails structure
- Maltrail trails base format - Information about Maltrail trails base format
- Maltrail trails contribution - Information about Maltrail trails contribution
- Maltrail detection nuances - Information about Maltrail detection nuances
- Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform - Information about Maltrail verdicts on Validin Threat Hunting and DNS Enrichment Platform
- UI tips and tricks - Brief list of user interface features
- CLI management for Maltrail - Information about CLI management for Maltrail
- Miscellaneous - Miscellaneous HOWTOs