The Check Indicator of Compromise (Check IOC) utility allows for in-depth analysis of a returned result. The available search methods are:

  • Domain Name
  • Wildcard
  • IP address
  • Threat Name

The utility itself returns known Targets, a DNS Lookup, Whois information, and Passive DNS data, as well as providing tools for Additional Research.

Once the lookup is complete, click Copy Results to Clipboard to copy the data so it can be pasted into a text editor.

Note:

This utility can be accessed by drilling down into target details, or through the search box at the top of the screen.

Targets

Active

  • IOC: The requested Indicator Of Compromise (IOC). This should match the data provided to the query.
  • First Identified: First date the IOC was seen and recorded in the security feeds.
  • Last Time Present: Most recent time the IOC was seen and recorded in the security feeds.
  • Present In Targets: Targets currently listing the IOC as an Active threat.

Historic

  • IOC: The requested Indicator Of Compromise (IOC). This should match the data provided to the query.
  • First Identified: First date the IOC was seen and recorded in the security feeds.
  • Last Time Present: Most recent time the IOC was seen and recorded in the security feeds.
  • Present In Targets: Targets that previously listed the IOC as a threat.

Related Records

  • IOC: The requested Indicator Of Compromise (IOC). This should match the data provided to the query.
  • Relationship: How the IOC is related to other targets.
  • First Identified: First date the IOC was seen and recorded in the security feeds.
  • Last Time Present: Most recent time the IOC was seen and recorded in the security feeds.
  • Present In Targets: Targets with which the IOC is currently associated.

DNS Lookup

Performs a DiG search for DNS records on the Target being searched.

Command

Returns the DiG results provided by the ThreatSTOP DNS service.

(1 server found)
global options: +cmd
Got answer:
->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64860
flags: qr rd ra QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

Question

Shows the name that was queried and the record type requested for the threat.

0.2.0.192.in-addr.arpa. IN PTR

Authority

192.in-addr.arpa. 150 IN SOA z.arin.net. dns-ops.arin.net. 2016071615 1800 900 691200 10800
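The output above is what an analyst gets after Copy Results to Clipboard; the following Python is an added example (not part of this page or of ThreatSTOP's tooling) that parses dig's text layout and interprets a reverse lookup. The sample output is constructed to match the 192.0.2.0 lookup shown above, with dig's ";;" prefixes restored.

```python
import re

# Constructed sample mirroring the page's reverse lookup of 192.0.2.0 (TEST-NET-1);
# the ";;" prefixes are dig's normal layout and were lost in the page's copy.
SAMPLE_DIG = """\
;; (1 server found)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64860
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;0.2.0.192.in-addr.arpa.        IN      PTR

;; AUTHORITY SECTION:
192.in-addr.arpa.   150  IN  SOA  z.arin.net. dns-ops.arin.net. 2016071615 1800 900 691200 10800
"""


def parse_dig(text: str) -> dict:
    """Parse dig's text output into status, section counts, question and records."""
    res: dict = {"status": "", "counts": {}, "question": (), "records": {}}
    section = ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(";; ->>HEADER<<-"):
            res["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # "QUERY: 1, ANSWER: 0, ..." -> {"QUERY": 1, "ANSWER": 0, ...}
            res["counts"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", line)}
        elif line.endswith("SECTION:"):
            section = line.split()[1].lower()      # question / answer / authority / additional
        elif section == "question":
            res["question"] = tuple(line.lstrip(";").split())   # (name, class, type)
        elif section and not line.startswith(";"):
            # resource record: name ttl class type rdata (rdata may contain spaces)
            name, ttl, cls, rtype, rdata = line.split(None, 4)
            res["records"].setdefault(section, []).append((name, int(ttl), cls, rtype, rdata))
    return res


def reverse_lookup_verdict(res: dict) -> str:
    """Read a PTR lookup as an analyst would: NXDOMAIN plus an SOA in the
    authority section means the address has no reverse name, not a failed query."""
    name, _, rtype = res["question"]
    if rtype != "PTR":
        return f"not a reverse lookup ({rtype} query)"
    if res["status"] == "NXDOMAIN":
        soa = [r[0] for r in res["records"].get("authority", []) if r[3] == "SOA"]
        return f"{name}: no PTR record (denied by {soa[0] if soa else 'unknown zone'})"
    if res["status"] == "NOERROR":
        ptrs = [r[4] for r in res["records"].get("answer", []) if r[3] == "PTR"]
        return f"{name} -> {', '.join(ptrs)}" if ptrs else f"{name}: exists but has no PTR record"
    return f"{name}: lookup failed with status {res['status']}"
```

The same parser handles a forward (A/CNAME) answer section, so it can be run over the full text pasted from the utility and fed into a ticket or case note.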

Whois

Whois aggregates contact information about Fully Qualified Domain Names (FQDNs) to provide a point of contact for a given server.

  • Created: The date a record was created in the Domain Name System.
  • Last Updated: The last time the record was updated.
  • Expiration: The date a DNS record will expire and be removed from the DNS pool.
  • Contacts: Provides contact information regarding the DNS record. The following information is available:
    • Name: Person responsible for registering and maintaining the domain name record.
    • Organization: The organization or business the contact belongs to.
    • Email: A contact email address for the individual.
    • Street: The street address (if one is provided) for the contact or owner of the server.
    • City: Which city the contact is in.
    • State: Which state the contact lives in (may not apply outside of the United States).
    • Postal Code: The code established by the post office to speed up mail sorting.
    • Country: Which country the contact resides in.

Passive DNS

  • Resource Record Name: The Domain Name of the service being researched.
  • Record Data: Displays the IP addresses and DNS name servers known to have published records for the Domain Name being researched.
  • Resource Record Type: Establishes the type of Resource Record provided by the listed host, possibilities include:
    • SOA - Indicating a Start Of Authority (SOA) for the listed zone.
    • NS - Indicating a nameserver for the listed zone.
    • A - For name-to-address mapping. That is, this record shows with which IP addresses a Domain Name is associated.
    • PTR - For address-to-name mapping. These records show which Domain Names an IP address maps to.
    • CNAME - Indicating that this is a canonical name. If the Domain Name being researched is an alias, these records show which Domain Name is the canonical (or "real") Domain Name being reached.
  • Count: The number of passive DNS records associated with the Domain Name.
  • Last Time: The most recent time the Resource Record was observed in the passive DNS data.
  • First Time: The first time the Resource Record was observed in the passive DNS data.

If more records are returned than the limit set by the Show <##> Entries drop-down, the extra results are placed on additional pages, which can be reached through the Previous and Next buttons at the bottom of the table.

Additional Research

The Additional Research section provides links to tools provided by our partners.