Threat Hunting for URLs as an IoC

July 31, 2018 by

Greg Belding

Introduction

Unfortunately, cyber-attacks are just a fact of life in today’s world. Anyone with a laptop or smartphone can quickly write malicious code to victimize an organization and sometimes they can even penetrate an organization’s network defenses with the same ease. Despite their best efforts, attackers often leave clues behind that threat hunters can use to identify and stop attackers in their tracks. This article will detail Threat Hunting for URLs as an Indicator of Compromise including where to look and what to look for.

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Get Pricing

Indicators of Compromise

When investigating, Information Security professionals need to look to what is called Indicators of Compromise, or IoC artifacts, to aid them in their investigation. IoC artifacts are pieces of forensic data or evidence that can be used as a proverbial trail of breadcrumbs to lead threat hunters to the identity and network location of the attacks. Monitoring for IoC artifacts helps organizations respond promptly so they will have a better chance to act on the threat to mitigate damage before it gets any worse.

URLs as an IoC

URLs have been typically considered to be part of the family of IoC artifacts because malicious URLs are widely used to spearhead various cyber-attacks including spamming, phishing, and malware. Detection of these malicious URLs and identification of associated threat types are critical to hunting treats.

Threat Hunting for URLs

A good hunt begins with a good hypothesis. The hypothesis should combine general knowledge of your environment, what threats are present in your environment, where the threats may be located, and how threats might take advantage of users and organizational processes to get around your security appliances. Some hunters opt for the Crown Jewels model where priority is placed on the systems that contain the most vital of data and assets, mitigating risk with passive defenses and hardening techniques, and drilling down to the hypothesis of what attackers may do.

After you have your hypothesis, there are to areas that you need to focus on – what data is available and how to use/sort it which will be addressed below. Once you have the data that you are looking for you, need to look a level deeper and determine any patterns or abnormalities that you see. Clearly, this is done on a case by case basis, and every threat hunt is different.

Focusing on URLs

URLs are vital for threat hunting. They serve as the link between your environment and the threat infrastructure of the attacker.

One of, if not the, most common type of URL attack scheme is called URL redirection attack. This type of attack is a kind of vulnerability that redirects you to another page when clicked or typed into a browser URL bar and is typically integrated with a phishing attack. For example:

http://www.example.com/login.php?redirect=
http://www.examp1e.com/home.php

If you click on this URL, you will instead be redirected to:

http://www.examp1e.com/home.php

This page could lead to a malicious website that seems like the original page above but instead tries to con the user into revealing their login credentials. It should be noted that the “l” and “1” can look very similar at first glance, which can catch some incautious users by surprise.

In another type of attack, the URL itself, if mistyped, can expose your environment to malware. Recently, it was determined that an organization had been exposed to malware simply by mistyping the URL for www.netflix.com. Instead of typing the real URL, one user reportedly typed the URL as www.netflix.om. This type of an attack is known as typosquatting, and it is interesting because .om is the top-level domain for the country of Oman but rather than bringing unfortunate web surfers to a website in Oman, it brought them to a malware-infested website.

Another type of attack is called escape-encoding. To understand escape-encoding you must understand that for data to be transferred by a URL, it must be encoded to obey proper URL syntax rules. For example – the standard, RFC2396, distinguishes between two types of character classes for URLs. The first class, called unreserved, is composed of the characters a-z, A-Z, 0-9 _ . ! ~ * # (). The second class, the reserved class, is composed of ; / ? : @ & = + $ ,.

Characters considered reserved may conflict with the correct interpretation of a URL. Multiple instances of escape-encoding can get around security checks that occur during the initial decoding pass. For example, the backslash character “” can also be described as “%5c” or any of the following permutations:

• %255c
• %%35c
• %%35%63
• %25%35%63

The above escape-encoding sequences provide an example of possible entry points for a URL attack as shown below:

http://TARGET/scripts/..%255c..%%35cwinnt/system32/cmd.exe?/c+dir+c:

What the above URL will do is show the c: directory list to the attackers. This is clearly not what any Information Security wants to have happen.

Another possibility is that you can be set up for an SQL injection attack. An example of a malicious URL is:

http://target/login.asp?userid=bob%27%3b%20update%20logintable%20set%20 passwd%3d%270wn3d%27%3b--%00

The above malicious URL will produce a result of:

SELECT preferences FROM logintable WHERE userid='bob' update logintable set password='0wn3d'

As you can see, this malicious URL will deliver your database data right into the hands of the attackers.

The Hunt

So, you have seen just how malicious URLs can be. The next step is being able to detect them. The easiest way to do this is to use a third-party lookup tool. Virus Total is a third-party tool that lets you search for a suspicious URL to see if it is malicious. The search bar below lets you input any URL that you suspect and search it against any AV engine that has picked up the URL as being malicious. It can be found here:

The suspected URL that I searched for is trafficconverter.biz:80/. The result returned from Virus Total is below:

As you can see, this URL is malicious. While not every AV engine picked up this URL, at least one did. Threat hunters should black any URL that shows up as malware on any engine.

Conclusion

URLs are great examples of IoC artifacts that can assist you in a threat hunt if the breadcrumbs the attackers left was a URL. Malicious URLs can cause much damage if they are not addressed promptly. If you find a URL that is suspicious, run it through a third-party lookup tool and let the result determine the next steps for your threat hunt.

References

https://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/d/d-id/1140647

https://www.virustotal.com/#/home/url

https://www.microsoft.com/en-us/research/publication/detecting-malicious-web-links-and-identifying-their-attack-types/

https://www.microsoft.com/en-us/research/publication/detecting-malicious-web-links-and-identifying-their-attack-types/

https://help.sap.com/saphelp_nw73/helpdata/en/ce/1d3fc8da774366aa633a953f02a71a/frameset.htm

Become a certified threat hunter

Learn how to find, assess and remove threats from your organization — and become a Certified Cyber Threat Hunting Professional, guaranteed!

Get Pricing

http://www.slate.com/blogs/future_tense/2016/03/17/hackers_use_om_urls_for_typosquatting_malware_attacks.html