Threat Intelligence Through NRDs (Newly Registered Domains)

 



Threat actors are using compromised domains or registering new ones to set up Command and Control (C2) servers, allowing them to interact with victims or compromised networks. So what should we do, just watch and do nothing? Absolutely not. We can actively monitor newly registered domains (NRDs) using a threat intelligence platform to detect potential malicious activity. This includes identifying whether a domain is hosting malicious files, such as weaponized documents or PowerShell scripts acting as downloaders. Who knows what might be hidden behind that web server? That's why proactive monitoring is essential.

In addition, we can create an automated Python script and integrate it with VirusTotal to check whether newly registered domains are malicious. This not only simplifies our daily tasks but also provides a proactive layer of defense for our own network, or for your organization's network.

You can see the screenshot below as an example, where I obtained newly registered domains from one of the GitHub feeds and uploaded them into an automated script I created (with help from ChatGPT, of course!).



Well, the first platform we’re using in this article is networksdb.io, which contains thousands of domains that can be helpful for your investigations.



Please note that while some of the domains are available for free, others are part of a paid plan at an affordable price. You can access the dataset here: https://networksdb.io/datasets/domains 



Imagine you are a cyber threat intelligence or security researcher, and you'd like to search for domains under the top-level domain ".spot" to determine which domains in this dataset are malicious.

Well, first of all, we need to search for ".spot" domains by using Ctrl+F, as shown below:


To download the dataset, simply click the "Free" button:



Then click "Download Zip": 



After downloading the ZIP file, please extract it. From there, you can either manually analyze the domains for malicious activity or use the automated Python script I created to streamline the detection process.



Here is a Python script you can use on your own: https://justpaste.it/baq3r

Then run the Python script and open 127.0.0.1:5000 in your preferred browser. Click "Choose File" and upload the dataset to start the scan, as shown in the image below:

Here you’ll see the output generated by the script, indicating which domains are flagged as malicious based on the integrated threat intelligence sources.
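As an added example (not the script linked above, and not the author's code), here is a minimal command-line version of the same workflow: it parses the extracted dataset, keeps only domains under one TLD, and turns a VirusTotal v3 domain report into a verdict. The dataset format (one domain per line), the VT_API_KEY environment variable and the two-engine threshold are assumptions.

```python
import json
import os
import urllib.request

# VirusTotal v3 domain report endpoint; the API key goes in the x-apikey header.
VT_DOMAIN_URL = "https://www.virustotal.com/api/v3/domains/{}"

# Constructed sample standing in for the extracted dataset (one domain per line).
SAMPLE_DATASET = """# domains export
shop-login.spot
example.com
update-invoice.spot

CDN.SPOT
"""

def load_domains(text, tld=None):
    """Parse one-domain-per-line text, skipping blanks and comments.
    With tld set (e.g. "spot"), keep only domains ending in that TLD."""
    domains = []
    for line in text.splitlines():
        d = line.strip().lower()
        if not d or d.startswith("#"):
            continue
        if tld is None or d.endswith("." + tld.lstrip(".")):
            domains.append(d)
    return domains

def classify(report, min_malicious=2):
    """Verdict from a VT v3 domain report's last_analysis_stats.
    Flag as malicious when at least min_malicious engines say so (the threshold
    is an assumption, tune it to your tolerance); lone hits are only suspicious."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    if malicious >= min_malicious:
        return "malicious"
    if malicious or suspicious:
        return "suspicious"
    return "clean"

def fetch_report(domain, api_key):
    """Fetch the VT domain report for one domain (network call, needs a key)."""
    req = urllib.request.Request(VT_DOMAIN_URL.format(domain), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    key = os.environ["VT_API_KEY"]  # assumption: key supplied via the environment
    for d in load_domains(SAMPLE_DATASET, tld="spot"):
        print(d, classify(fetch_report(d, key)))
```

Replace SAMPLE_DATASET with the contents of the extracted file to scan a real download; the free VirusTotal tier is rate limited, so add a pause between calls for large datasets.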



