Tracking Adversary Activity
  • 27 Mar 2024
  • 3 Minutes to read
  • Dark
    Light

Tracking Adversary Activity

  • Dark
    Light

Article Summary

Overview

Reverse Whois Tracks in ThreatConnect® leverage DomainTools®, an external data service that interfaces with ThreatConnect to actively detect and issue alerts about new associations discovered in Whois records between Adversary assets and hosts. After the initial execution, when all current Whois records are examined, the Track searches daily for new Whois records to analyze.

Tracks are created through two methods. The first method uses the Create option on the top navigation bar. While this method offers more options to customize a Track via the Contains/Does Not Contain fields, Hosts imported from Track results will not be automatically associated to an Adversary. The second method, detailed in this article, creates a Track based on an Adversary’s assets.

Before You Start

Minimum Role(s)Organization role of Standard User
Prerequisites
  • Reverse Whois tracking enabled by an Organization Administrator
  • An Adversary Group with at least one asset added to it

Tracking from Adversary Assets

  1. Navigate to the legacy Details screen for an Adversary Group.
  2. Click the Assets tab. The Assets screen will be displayed (Figure 1).

    Graphical user interface, application, Teams  Description automatically generated

     

  3. Verify that at least one asset is listed in the table. If the table shows No Assets Found, follow the steps outlined in Adding Adversary Assets to add an asset to the selected Adversary.
  4. Click the Tracking tab. The Tracking screen will be displayed with a results table of assets (Figure 2).

    Graphical user interface, application, Teams  Description automatically generated

     

  5. Click the gray paw print in the Enabled column. The paw print will turn orange, and the Results column will display results of the initial Reverse Whois lookup (Figure 3).

    Graphical user interface, application, Teams  Description automatically generated

     

  6. Click the link in the Results column displaying the results total (11 total new results in this example). The Overview tab of the Details screen for the Track will be displayed (Figure 4).
    Note
    You can also access the Overview tab of the Details screen for a Track by viewing Tracks on the Browse screen, selecting a Track, and clicking the View full detailsView full details_Details drawericon at the upper-right corner of its Details drawer or hovering over the Track’s entry in the results table and clicking the View full detailsView full details_Browseicon displayed to the right of its Summary cell.

    Graphical user interface, application  Description automatically generated

     

  7. Select the Follow Item checkbox at the top right to receive push-notification or email updates when changes are made to the Track, if desired.
  8. Click the Results tab. The Results screen will be displayed with a results table of domains found in the lookup (Figure 5).

    Table  Description automatically generated

     

  9. Click the DNS or Whois link in the Options column for a given domain to display DNS or Whois information, respectively, for that domain.
  10. To import domains as Host Indicators into one or more Groups of a selected type, select the desired domains and click the IMPORT button. The Import window will be displayed (Figure 6).

    Graphical user interface, application, Teams  Description automatically generated

     

    • DNS Resolution Active: Select this checkbox to activate DNS resolutions for the imported Hosts.
    • Whois Active: Select this checkbox to activate Whois registration information for the imported Hosts.
    • Select Type: To add the Hosts as associated Indicators to one or more Groups, select a Group type from the dropdown menu. The table will display all available Groups of that type. Select the Groups to which the Hosts should be added as associated Indicators. Only one Group type may be selected at a time, but multiple Groups within that type may be selected, even if those Groups are displayed on different pages. After all Groups are selected, click the SAVE button.
    • To save the Host Indicators without association, click the SAVE button without selecting any Groups.
  11. Click the Associations tab to view the associated Indicators (Figure 7).

    Graphical user interface, application, table, Teams  Description automatically generated

     

  12. To export the associated Indicators into a comma-separated values (CSV) file, select ThreatConnect CSV from the EXPORT menu at the lower-left corner of the screen. The Export Data window will be displayed (Figure 8).

    Graphical user interface, application  Description automatically generated

     

    • Please select which fields to include in the export: Each checkbox represents a piece of data that can be included in the CSV file. By default, all checkboxes are selected. Clear any checkboxes for data not to be included in the CSV file, if desired.
    • Click the EXPORT button. A file named ThreatConnectExport.csv will be downloaded to the default download location on your computer.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools®is a registered trademark of DomainTools, LLC.

20041-01 v.06.D


Was this article helpful?