Threat Hunting Resources
Intro
The first few minutes of a threat investigation or incident response are the toughest. You know something appears wrong, but you don’t have the details to prove it. The following sites take a piece of information you have — like the remote IP address to which one of your systems is talking — and give back more detail on what it is and whether it’s benign or malicious.
Resources
Port Lookups
- https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
- https://www.speedguide.net/ports.php
- https://isc.sans.edu/data/port.html
- Google search for “tcp port portnumber” or “udp port portnumber”
Domains
- https://www.ipvoid.com/domain-reputation-check/
- https://dnsdumpster.com/
- Top level domains: https://en.wikipedia.org/wiki/Top-level_domain
- Top level country codes: https://en.wikipedia.org/wiki/ISO_3166-1
IP Addresses
- https://ipinfo.io/
- https://ipregistry.co/
- https://www.abuseipdb.com/
- https://otx.alienvault.com/
- https://www.shodan.io/
- https://www.virustotal.com/gui/home/search
- https://securitytrails.com/
From a Linux/Unix/Mac OS command line, run the following to get the reverse DNS (PTR) name registered for an address:
dig +short -x ip.add.re.ss
What Is My External IP Address?
(Handy if you’re on a LAN that shares a single public IP address!)
- https://www.whatismyip.net/
- https://whatismyipaddress.com/
- https://icanhazip.com/
- This simple service goes through two petabytes of data per month: https://blog.apnic.net/2021/06/17/how-a-small-free-ip-tool-survived/
Reserved IP Address Blocks
Hostnames
- https://www.virustotal.com/gui/home/search
- https://securitytrails.com/
- https://sitereview.bluecoat.com/#/
- https://urlscan.io/
ASNs
(Autonomous System Numbers, which identify a network, usually a single organization, and the blocks of IP addresses it announces)
Possible Malware (Files and URLs)
User Agent Strings
- https://www.whatismyip.net/tools/user-agent-lookup.php
- https://developers.whatismybrowser.com/useragents/parse/#parse-useragent
JA3 Hashes
TOR Servers
Multiple Categories
- https://github.com/nitefood/asn
- https://hackertarget.com/ip-tools/
- https://search.arin.net/rdap/
- https://maltiverse.com/search
Everything Else
Reference
Wrap-up
For more articles like this, subscribe to receive the PROMPT# Magazine!
www.blackhillsinfosec.com/prompt-zine/
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.