Friday, February 22, 2013

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite by chance we decided to load all the DNS names (FQDNs) from the Mandiant APT1 report (Appendix D) into Maltego, resolve them to IPs, extract the domains, and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such a sensational list of DNS names, who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW - it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use; we would not know without looking at historical DNS, and that seems like a lot of work), with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.
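The two patterns above (names that now resolve only to 0.0.0.0, and names from different domains sharing an IP) fall straight out of the resolve-and-group step the post describes. The following is an added example, not Paterva's or Mandiant's code, showing that enrichment in plain Python instead of Maltego. It takes a resolver function so the demo runs offline against a constructed lookup table (the `.test` names and 203.0.113.x addresses are made up, not entries from Appendix D); `live_resolver` swaps in the system resolver for a real list.

```python
"""Enrich a list of FQDNs: resolve each name, extract its registrable
domain, flag names that now point only at 0.0.0.0, and group names by
the IPs they share.  Added example, not code from the post or the report."""
import socket
from collections import defaultdict

# Constructed stand-in for DNS answers; these are not real APT1 indicators.
FAKE_DNS = {
    "mail.alpha-example.test": ["0.0.0.0"],
    "news.alpha-example.test": ["0.0.0.0"],
    "update.beta-example.test": ["203.0.113.10"],
    "cdn.gamma-example.test": ["203.0.113.10", "203.0.113.11"],
    "login.delta-example.test": ["203.0.113.11"],
    "dead.epsilon-example.test": [],  # no answer / NXDOMAIN
}


def fake_resolver(fqdn):
    """Offline resolver backed by the constructed table above."""
    return list(FAKE_DNS.get(fqdn, []))


def live_resolver(fqdn):
    """System resolver; returns [] when the name does not resolve.
    Resolving attacker-controlled names from your own network is itself
    observable, so run this from a box you are happy to have seen."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def registrable_domain(fqdn):
    """Naive 'last two labels' extraction.  Fine for .com/.net style names;
    ccTLD second-level suffixes (e.g. .co.uk) need a public-suffix list."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn


def enrich(fqdns, resolver=fake_resolver):
    """Returns (resolved, scrubbed, unresolved, shared):
    resolved   - name -> list of IPs for every name that answered
    scrubbed   - names whose only answer is 0.0.0.0
    unresolved - names with no answer
    shared     - IP -> sorted names, for IPs used by more than one name"""
    resolved, scrubbed, unresolved = {}, [], []
    ip_to_names = defaultdict(set)
    for name in fqdns:
        ips = resolver(name)
        if not ips:
            unresolved.append(name)
            continue
        resolved[name] = ips
        if ips == ["0.0.0.0"]:
            scrubbed.append(name)
            continue  # the null address is not shared infrastructure
        for ip in ips:
            ip_to_names[ip].add(name)
    shared = {ip: sorted(names) for ip, names in ip_to_names.items() if len(names) > 1}
    return resolved, scrubbed, unresolved, shared


def domain_clusters(shared):
    """Map each shared IP to the registrable domains behind it.  An IP serving
    several distinct domains is the 'collusion between domain owners' pattern."""
    return {ip: sorted({registrable_domain(n) for n in names}) for ip, names in shared.items()}


if __name__ == "__main__":
    resolved, scrubbed, unresolved, shared = enrich(sorted(FAKE_DNS))
    print("scrubbed (0.0.0.0 only):", scrubbed)
    print("unresolved:", unresolved)
    for ip, domains in domain_clusters(shared).items():
        print(f"{ip} is shared by {len(shared[ip])} names across domains {domains}")
```

Feeding the real Appendix D list in is a matter of reading the file into `fqdns` and passing `resolver=live_resolver`; the grouping logic is unchanged. Remember the post's own caveat: a current resolution says nothing about what the name pointed at when the report's data was collected, so historical/passive DNS is what would turn these clusters into conclusions.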



We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!), etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some addressing schemes repeat.

In the end we can only hope that you enjoyed our marketing material.
RT
