Brand impersonation, fraud and phishing are significant in the ever-evolving threat landscape, even the biggest brands can be susceptible. A malicious actor could purchase a lookalike/typosquat domain with no identity checks, it could then be used to facilitate a plethora of malicious activity that could be directed at your organisation, clients, third parties and the public.
In 2018, business email compromise (BEC) accounted for 23% of cyber insurance claims received from Europe, the Middle East and Asia, according to statistics released by AIG.
DREWS is intended to provide a basic capability to identify unauthorised domain registrations that could pose a threat from a malicious actor or shadow IT etc. DREWS uses regular expressions to match results in Newly Registered Domain (NRD) lists and posts results to webhook capable services such as Mattermost or Slack (or to file).
The aim is to reduce the detection time, enabling responders to raise complaints with registrars or hosting providers in a timely fashion. Therefore disrupting the threat actors operations and reducing the campaign lifespan. Ultimately frustrating and imposing cost on the actor.
Many thanks to WhoisDownload.com for providing the data for free.
- DREWS will iterate over n previous days. For each day/iteration;
- It will read the "runcheck" file and skip the current iteration if previously completed, otherwise;
- The day's NRD list is downloaded from WhoisDownload.com, extracted on-the-fly and stored in the "domlist" variable.
- Custom regular expressions are read in from "regex_patterns.txt" and are run against "domlist".
- Regular expression matches are stored in the "search_results" variable.
- "search_results" is then passed into any enabled alert/output function.
- The "runcheck" file is updated with the a successful marker for the day.
- Proceeds to the next day, stopping having completed yesterdays run (current day -1).
Output | Description | Status |
---|---|---|
File | Output to file, 'YYYY-MM-DD_Results.txt' | Tested, Reliable |
Mattermost | Post to a Mattermost channel via an incoming webhook | Tested, Reliable |
Slack | Post to a Slack channel via an incoming webhook | Tested, Reliable |
Send and email via SMTP open relay, authentication to be added | Tested, Reliable | |
TheHive | Create an alert within TheHive | Future Feature |
- WhoisDownload.com data does not include all TLDs.
- Results are only as good your regex patterns.
- Download error handling, a failed NRD list download will result in a badzip error, it will exit but will try again next time.
- Posting to a webhook that is not available result in a hang/wait for timeout. File output will still function.
- TheHive output has yet to be added.
- It isn't perfect but it works well.
- python3
- Internet access
- Mattermost configured to allow incoming webhooks, or;
- Slack configured to allow incoming webhooks, or;
- An open SMTP relay, or;
- Some other means of monitoring file creation, perhaps the Power Automate SFTP connector.
git clone https://github.com/SecOpsSteve/DREWS.git
Edit regex_patterns.txt and configure desired regular expressions (one regex per line), for example;
g[o0]{2}gg?[li1]e
Regular expressions can be built and tested with this example CyberChef Recipe. Caution: Loose regex patterns are likely to cause erroneous matches and subsequent noisy alerts.
Next, edit config.py and set the desired options.
lookback_days = 7 # On first run, iterate over n previous days.
txt_alert_enabled = True # Write results to 'YYYY-MM-DD_Results.txt'
thehive_alert_enabled = False # NOT IN USE - FUTURE FEATURE
thehive_url = 'https://thehive.blah.io' # NOT IN USE - FUTURE FEATURE
webhook_alert_enabled = False # Enable output to a configured webhook.
webhook_url = 'https://mattermost.blah.io' # Mattermost or Slack incoming webhook URL.
email_alert_enabled = False # Send reports via email.
email_srv = 'smtp.blah.io' # SMTP Server/Relay
email_from = 'no-reply@blah.io' # From Address
email_to = 'security@blah.io' # To Address
Set a daily cronjob.
crontab -e
Add an entry to the crontab for DREWS.py. The following example is set to execute every day at 0800 hrs.
|> Minute
| |> Hour
| | |> Day (month)
| | | |> Month
| | | | |> Day (week)
m h d m d command
0 8 * * * /usr/bin/python3 /<path-to-directory>/DREWS/DREWS.py > /<path-to-directory>/DREWS/lastrun.txt
Optional: Direct output to lastrun.txt.
It is recommended to test your regex patterns thoroughly, this CyberChef Recipe can help. Also use a test Slack/Mattermost channel to avoid flooding your ChatOps channel.
DREWS.py can be run manually, output will appear similar to the following;
blah@blah:~/Projects/DREWS$ python3 DREWS.py
____ ____ _______ _______
/ __ \/ __ \/ ____/ | / / ___/
/ / / / /_/ / __/ | | /| / /\__ \
/ /_/ / _, _/ /___ | |/ |/ /___/ /
/_____/_/ |_/_____/ |__/|__//____/
Version 0.9 (MVP)
[!] Initialising runcheck
[!] Initialisation complete.
D-7 : 2020-05-14 Domains: 118951 Results: 0
D-6 : 2020-05-15 Domains: 147890 Results: 1
D-5 : 2020-05-16 Domains: 141381 Results: 1
D-4 : 2020-05-17 Domains: 130792 Results: 0
D-3 : 2020-05-18 Domains: 82749 Results: 0
D-2 : 2020-05-19 Domains: 125215 Results: 0
D-1 : 2020-05-20 Domains: 151783 Results: 0
blah@blah:~/Projects/DREWS$
Running DREWS.py again will result in skipping previously run days. Progress is recorded in the runcheck file.
blah@blah:~/Projects/DREWS$ python3 DREWS.py
____ ____ _______ _______
/ __ \/ __ \/ ____/ | / / ___/
/ / / / /_/ / __/ | | /| / /\__ \
/ /_/ / _, _/ /___ | |/ |/ /___/ /
/_____/_/ |_/_____/ |__/|__//____/
Version 0.9 (MVP)
Runcheck exists, continuing..
Runcheck found 7 previous runs.
D-7 : 2020-05-14 Skipped: MjAyMC0wNS0xNC56aXA=
D-6 : 2020-05-15 Skipped: MjAyMC0wNS0xNS56aXA=
D-5 : 2020-05-16 Skipped: MjAyMC0wNS0xNi56aXA=
D-4 : 2020-05-17 Skipped: MjAyMC0wNS0xNy56aXA=
D-3 : 2020-05-18 Skipped: MjAyMC0wNS0xOC56aXA=
D-2 : 2020-05-19 Skipped: MjAyMC0wNS0xOS56aXA=
D-1 : 2020-05-20 Skipped: MjAyMC0wNS0yMC56aXA=
blah@blah:~/Projects/DREWS$