SANSFIRE 2022 Bonus Session - DNS Data Driven Threat Hunting with DomainTools

When adversaries register malicious domains for C2 servers, phishing servers, or payload servers, the choices they make when it comes to registration, hosting, certificates, mail servers and more can be useful in determining their targets and discovering a fuller picture of their operations in DNS.

Recognising these patterns can help defenders by increasing the speed at which they assess and act on this activity. In this session, attendees will learn how to use DomainTools to:
  • Identify attacks while they are still in the setup stage
  • Take a single element, like a domain name, and pivot on it to discover a broader map of adversary infrastructure
  • Monitor for new activity matching adversary patterns in DNS